{"id":1248,"date":"2016-08-12T19:06:21","date_gmt":"2016-08-13T03:06:21","guid":{"rendered":"https:\/\/www.cloudinsidr.com\/content\/?p=1248"},"modified":"2016-09-21T12:23:52","modified_gmt":"2016-09-21T20:23:52","slug":"a-fatal-flaw-in-tcp-on-linux-hijacks-https-connections-here-is-the-fix","status":"publish","type":"post","link":"https:\/\/www.cloudinsidr.com\/content\/a-fatal-flaw-in-tcp-on-linux-hijacks-https-connections-here-is-the-fix\/","title":{"rendered":"A fatal flaw in TCP on Linux hijacks HTTPS connections. Here is the fix"},"content":{"rendered":"<p>If you are running\u00a0Linux kernel 3.6 or newer,\u00a0anyone in the world on a network that allows IP spoofing can hijack your encrypted communications in less than a minute, with a success rate of 90%.<\/p>\n<p>Here is how to fix it.<\/p>\n<p><!--more--><\/p>\n<p>Step 1. Open \/etc\/sysctl.conf in\u00a0an editor.<\/p>\n<p>Step 2. Add\u00a0the line:<\/p>\n<pre>net.ipv4.tcp_challenge_ack_limit = 999999999<\/pre>\n<p>and save the file.<\/p>\n<p>Step 3. 
At the prompt,\u00a0use the\u00a0shell command:<\/p>\n<pre>sysctl -p<\/pre>\n<p>This reloads \/etc\/sysctl.conf and applies the new value to the running kernel (run it as root; no reboot is needed).<\/p>\n<figure id=\"attachment_1250\" aria-describedby=\"caption-attachment-1250\" style=\"width: 1131px\" class=\"wp-caption alignnone\"><a href=\"https:\/\/www.cloudinsidr.com\/content\/?attachment_id=1250\" rel=\"attachment wp-att-1249\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-1250 size-full\" src=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/08\/TCP_flaw.png\" alt=\"The TCP flaw: here's the fix\" width=\"1131\" height=\"412\" srcset=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/08\/TCP_flaw.png 1131w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/08\/TCP_flaw-600x219.png 600w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/08\/TCP_flaw-300x109.png 300w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/08\/TCP_flaw-768x280.png 768w, https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/08\/TCP_flaw-1024x373.png 1024w\" sizes=\"(max-width: 1131px) 100vw, 1131px\" \/><\/a><figcaption id=\"caption-attachment-1250\" class=\"wp-caption-text\">The TCP flaw: here&#8217;s the fix<\/figcaption><\/figure>\n<p>Sources:<\/p>\n<p style=\"padding-left: 30px;\"><a href=\"http:\/\/www.cs.ucr.edu\/~zhiyunq\/pub\/sec16_TCP_pure_offpath.pdf\">http:\/\/www.cs.ucr.edu\/~zhiyunq\/pub\/sec16_TCP_pure_offpath.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you are running\u00a0Linux kernel 3.6 or newer,\u00a0anyone in the world on a network that allows IP spoofing can hijack your encrypted communications in less than a minute, with a success rate of 90%. 
Here is how to fix it.<\/p>\n","protected":false},"author":1,"featured_media":1253,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[131,17,33,111,143],"tags":[140,28,156],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A fatal flaw in TCP on Linux hijacks HTTPS connections. Here is the fix - CloudInsidr<\/title>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.cloudinsidr.com\/content\/a-fatal-flaw-in-tcp-on-linux-hijacks-https-connections-here-is-the-fix\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"A fatal flaw in TCP on Linux hijacks HTTPS connections. Here is the fix - CloudInsidr\" \/>\n<meta property=\"og:description\" content=\"If you are running\u00a0Linux kernel 3.6 or newer,\u00a0anyone in the world on a network that allows IP spoofing can hijack your encrypted communications in less than a minute, with a success rate of 90%. 
Here is how to fix it.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.cloudinsidr.com\/content\/a-fatal-flaw-in-tcp-on-linux-hijacks-https-connections-here-is-the-fix\/\" \/>\n<meta property=\"og:site_name\" content=\"CloudInsidr\" \/>\n<meta property=\"article:published_time\" content=\"2016-08-13T03:06:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2016-09-21T20:23:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/08\/TCP_flaw-featured_image2.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1131\" \/>\n\t<meta property=\"og:image:height\" content=\"412\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/\",\"name\":\"CloudInsidr\",\"description\":\"Cyber security, infotech\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/www.cloudinsidr.com\/content\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/a-fatal-flaw-in-tcp-on-linux-hijacks-https-connections-here-is-the-fix\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/wp-content\/uploads\/2016\/08\/TCP_flaw-featured_image2.png\",\"width\":1131,\"height\":412},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/a-fatal-flaw-in-tcp-on-linux-hijacks-https-connections-here-is-the-fix\/#webpage\",\"url\":\"https:\/\/www.cloudinsidr.com\/content\/a-fatal-flaw-in-tcp-on-linux-hijacks-https-connections-here-is-the-fix\/\",\"name\":\"A fatal flaw in TCP on Linux hijacks HTTPS connections. 
Here is the fix - CloudInsidr\",\"isPartOf\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/a-fatal-flaw-in-tcp-on-linux-hijacks-https-connections-here-is-the-fix\/#primaryimage\"},\"datePublished\":\"2016-08-13T03:06:21+00:00\",\"dateModified\":\"2016-09-21T20:23:52+00:00\",\"author\":{\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.cloudinsidr.com\/content\/a-fatal-flaw-in-tcp-on-linux-hijacks-https-connections-here-is-the-fix\/\"]}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#\/schema\/person\/dd6ee9cb21cf05763fd7cff3d6f11b2b\",\"name\":\"Cloud Insidr\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/www.cloudinsidr.com\/content\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/8b2fa1415b3d573b97d818b8f8f83b7c?s=96&d=mm&r=g\",\"caption\":\"Cloud Insidr\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/1248"}],"collection":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/comments?post=1248"}],"version-history":[{"count":2,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/1248\/revisions"}],"predecessor-version":[{"id":1292,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/posts\/1248\/revisions\/1292"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media\/1253"}],"wp:attachment":[{"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/media?parent=1248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/categories?post=1248"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.cloudinsidr.com\/content\/wp-json\/wp\/v2\/tags?post=1248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}