{"id":6243,"date":"2016-09-08T07:20:46","date_gmt":"2016-09-07T23:20:46","guid":{"rendered":"http:\/\/rmohan.com\/?p=6243"},"modified":"2016-09-08T07:21:53","modified_gmt":"2016-09-07T23:21:53","slug":"a-fatal-flaw-in-tcp-on-linux-hijacks-https-connections-here-is-the-fix","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=6243","title":{"rendered":"A fatal flaw in TCP on Linux hijacks HTTPS connections. Here is the fix"},"content":{"rendered":"<header class=\"entry-header\">\n<h1 class=\"entry-title\">A fatal flaw in TCP on Linux hijacks HTTPS connections. Here is the fix<\/h1>\n<\/header>\n<div class=\"entry-content\">\n<p>If you are running\u00a0Linux kernel 3.6 or newer,\u00a0anyone in the world on a network that allows IP spoofing can hijack your encrypted communications in less than a minute, with a success rate of 90%.<\/p>\n<p>Here is how to fix it.<\/p>\n<p>Step 1. Open \/etc\/sysctl.conf in\u00a0an editor.<\/p>\n<p>Step 2. Add\u00a0the line:<\/p>\n<pre>net.ipv4.tcp_challenge_ack_limit = 999999999<\/pre>\n<p>and save the file.<\/p>\n<p>Step 3. 
At the prompt,\u00a0use the\u00a0shell command:<\/p>\n<pre>sysctl -p<\/pre>\n<p>This will\u00a0update your\u00a0configuration.<\/p>\n<\/div>\n<p><a href=\"http:\/\/rmohan.com\/wp-content\/uploads\/2016\/09\/TCP_flaw-760x360.png\"><img class=\"aligncenter size-full wp-image-6245\" src=\"http:\/\/rmohan.com\/wp-content\/uploads\/2016\/09\/TCP_flaw-760x360.png\" alt=\"TCP_flaw-760x360\" width=\"760\" height=\"360\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> A fatal flaw in TCP on Linux hijacks HTTPS connections. Here is the fix <\/p>\n<p>If you are running Linux kernel 3.6 or newer, anyone in the world on a network that allows IP spoofing can hijack your encrypted communications in less than a minute, with a success rate of 90%.<\/p>\n<p>Here is how to 
[&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6243"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=6243"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6243\/revisions"}],"predecessor-version":[{"id":6247,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/6243\/revisions\/6247"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=6243"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=6243"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=6243"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}