Posted: 2011-04-02 22:54
When reconnecting to a server after the connection goes down, WinSCP does not seem to authenticate the server's key. Thus a man-in-the-middle attack is possible!
The specifics of my case: I was SCPing into my laptop, which was on wireless. I suspended said laptop; when I reopened it and tried to reconnect, my IP address had changed, so WinSCP tried to connect to a different computer, which happened to also run an SSH daemon, thus compromising my pw. This happened with WinSCP 4.1.8, so it could be that this issue was fixed, but I didn't see it posted anywhere.
Location: Prague, Czechia
Looks unlikely to me. But anyway, are you able to reproduce this?