4 Apr
2012
4 Apr
'12
3:49 a.m.
Hello Jason,
The passwords are weakly encrypted using a mechanism that is basically an XOR of the password and an MD5 hash of the request authenticator and the shared secret.
thanks for the thorough explanation, I'll go with IPSEC or openvpn. I recall reading in Bruce Schneiers book 'Secret and lies' that xor is only secure if you use the key only once, so it is very easy to break it if you see enough traffic, probably also with different usernames. Cheers, Thomas