Posted by: yDecode
« on: June 22, 2010, 08:30:40 PM »

yDecode 1.72 has been released.

This version brings support for updated SSL libraries, and it is recommended that you upgrade if you use an SSL-enabled news server.

A problem with the SSL protocol has been identified and marked as CVE-2009-3555. In short, it enables a man-in-the-middle attacker to insert data into SSL sessions by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context. In other words, it enables a third person to position himself between you and your secured news server, possibly compromising the data transferred between the server and your computer.

Furthermore, a TLS extension has been developed and marked as RFC 5746, which fixes this issue and introduces new, secure renegotiation.

yDecode implements these by disabling the older renegotiation method and implementing the new, secure one. At the moment, not all servers support the RFC 5746 extension, but eventually all of them will be updated. But with yDecode you already have a fix for this issue today, which also means yDecode is the only secure yEnc decoder available at the moment.

Also, we made a small improvement in activation which should affect only a minor number of users.

Note: Updated SSL libraries are in the demo version installation file (ydec172.exe), so you have to update the demo as well before installing the full version.

Download the demo on the download page and the full version on the registered user page.

Changes since last release:

yDecode 1.72:

  • SSL update - fixes renegotiation security issue (CVE-2009-3555) and implements new secure renegotiation based on RFC 5746
  • improvements in activation (now capable of detecting proxy issues) and informative error message