=== modified file 'TODO' --- TODO 2014-12-21 12:54:46 +0000 +++ TODO 2015-03-10 18:03:38 +0000 @@ -88,6 +88,7 @@ ** TODO Error handling on error parsing config files ** TODO init.d script error handling ** TODO D-Bus server properties; address, port, interface, etc. :2: +** TODO [#C] In Python 3.3, use shlex.quote() instead of re.escape() * mandos.xml ** Add mandos contact info in manual pages === modified file 'intro.xml' --- intro.xml 2014-06-22 02:19:30 +0000 +++ intro.xml 2015-03-10 18:03:38 +0000 @@ -1,7 +1,7 @@ + %common; ]> @@ -197,6 +197,16 @@ + + How about sniffing the network traffic and decrypting it + later by physically grabbing the Mandos client and using its + key? + + We only use PFS (Perfect Forward Security) + key exchange algorithms in TLS, which protects against this. + + + Physically grabbing the Mandos server computer? === modified file 'mandos' --- mandos 2014-12-21 12:54:46 +0000 +++ mandos 2015-03-10 18:03:38 +0000 @@ -2356,7 +2356,8 @@ "port": "", "debug": "False", "priority": - "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224:+SIGN-RSA-RMD160", + "SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA" + ":+SIGN-RSA-SHA224:+SIGN-RSA-RMD160", "servicename": "Mandos", "use_dbus": "True", "use_ipv6": "True", === modified file 'mandos-options.xml' --- mandos-options.xml 2014-06-15 02:48:49 +0000 +++ mandos-options.xml 2015-03-10 18:03:38 +0000 
@@ -49,25 +49,28 @@ GnuTLS priority string for the TLS handshake. The default is SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:+SIGN-RSA-SHA224: - +SIGN-RSA-RMD160. + >SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA + :+SIGN-RSA-SHA224:+SIGN-RSA-RMD160. See gnutls_priority_init 3 for the syntax. Warning: changing this may make the TLS handshake fail, making server-client - communication impossible. + communication impossible. Changing this option may also make the + network traffic decryptable by an attacker. GnuTLS priority string for the TLS handshake. The default is SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP. See - gnutls_priority_init + >SECURE256:!CTYPE-X.509:+CTYPE-OPENPGP:!RSA. + See gnutls_priority_init 3 for the syntax. Warning: changing this may make the TLS handshake fail, making server-client - communication impossible. + communication impossible. Changing this option may also make the + network traffic decryptable by an attacker. === modified file 'plugins.d/mandos-client.c' --- plugins.d/mandos-client.c 2014-08-20 21:46:38 +0000 +++ plugins.d/mandos-client.c 2015-03-10 18:03:38 +0000 @@ -1902,7 +1902,7 @@ int main(int argc, char *argv[]){ mandos_context mc = { .server = NULL, .dh_bits = 1024, .priority = "SECURE256:!CTYPE-X.509:" - "+CTYPE-OPENPGP", .current_server = NULL, + "+CTYPE-OPENPGP:!RSA", .current_server = NULL, .interfaces = NULL, .interfaces_size = 0 }; AvahiSServiceBrowser *sb = NULL; error_t ret_errno;
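Review bot: in the intro.xml hunk (@@ -197,6 +197,16 @@), the new FAQ answer expands PFS as "Perfect Forward Security"; the established term is Perfect Forward Secrecy. The answer also states "We only use PFS ... key exchange algorithms in TLS" without qualification, while the mandos-options.xml text in this same patch says that changing the priority option may make the traffic decryptable. Suggest wording the answer as "by default" and pointing the reader to the priority option, so that the two documents agree.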
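Review bot: in the mandos hunk (@@ -2356,7 +2356,8 @@), ":!RSA" is added only to the built-in default value of "priority", so a server whose configuration already sets priority explicitly will, as far as these lines show, keep its old string and keep allowing RSA key exchange after the upgrade. Suggest a release note telling administrators with a custom priority to append ":!RSA" themselves. The split into two adjacent string literals is fine, but a short comment above it saying that "!RSA" is there to disable non-forward-secret key exchange would stop a later cleanup from dropping it.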
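Review bot: in the mandos-options.xml hunk (@@ -49,25 +49,28 @@), the added sentence "Changing this option may also make the network traffic decryptable by an attacker" does not say which part of the string provides the protection or under what condition the traffic becomes decryptable. Suggest naming "!RSA" explicitly in both the server and the client paragraph and stating that removing it re-enables key exchanges where recorded traffic can be decrypted later by someone who obtains the client key, which is the scenario the new intro.xml question describes.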
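Review bot: in the plugins.d/mandos-client.c hunk (@@ -1902,7 +1902,7 @@), the unchanged context keeps ".dh_bits = 1024" next to the new "+CTYPE-OPENPGP:!RSA" default. With RSA key exchange disabled, the forward secrecy claimed in intro.xml rests entirely on the ephemeral key exchange, and wherever finite-field DHE is negotiated its strength is bounded by the DH parameter size; 1024 bits is generally considered too small for traffic that must stay confidential long term. Suggest raising this default in the same change, or at least documenting that dh_bits now determines how well recorded sessions are protected.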