b) There are no claims about downgrade resistance. The manual specifies the new transport protocol is used if both clients support it and both have changed their configs to enable experimental mode. Can an attacker still force them to connect with legacy mode?
c) Users have to ensure every single config on every client has the correct setting.
d) It still doesn't have the identity hiding features of WireGuard. (Someone observing your network traffic can see which servers you are talking to from the transmitted signatures.)
Huh, interesting... I am definitely going to be doing some reading about this one. I wonder what logic the project maintainers, who seem to maintain it, have in keeping with this method of encryption.
https://www.tinc-vpn.org/documentation/Security.html#Securit...
The default cipher is from 1993 and its creator recommends everyone updates.
32-bit MACs are hilariously tiny.
Home-rolled authentication based around RSA.
Their own documentation even states: "tinc's security is not as strong as TLS or IPsec."
DO NOT USE tinc!