Jan Harkes <jaharkes_at_cs.cmu.edu> writes:

> On Thu, May 05, 2016 at 10:49:19AM -0400, Greg Troxel wrote:
>> Last I looked, there was the possibility of some fs data to travel
>> unencrypted if it was not associated with a logged-in user.  This is in
>> my view totally not ok.
>
> It is encrypted but there is no shared secret between the client and the
> server during the connection setup handshake, so the session key is
> encrypted with a commonly known 'null key'. If you capture the INIT2
> packet from the server to the client you can trivially decrypt it and
> get the session key.
>
> But.. why would anybody go through that amount of trouble if he can
> connect to the server without authentication himself and get those same
> files anyway? Clearly their ACL must allow System:AnyUser access,
> otherwise the user would have had to be logged-in.

Perhaps.  But my security model involves the notion of limiting access
entirely to an authorized set, and I'd like that to be super clear.
Perhaps that a coda config setting that denies all unauthenticated
access.