About attacks on the voucher system
-
pfSense is mentioned as an example of "odd RSA implementation" that provides questionable security, in a paper at iacr.
References:
http://eprint.iacr.org/2012/588
http://doc.pfsense.org/index.php/Captive_Portal_Vouchers"In particular users of the pfSense voucher system are urgently recommended to choose the
magic number employed in generating and verifying the voucher codes (see [4]) at random,
keep it secret and change it regularly in order to prevent the known-plaintext attack described
above."CU
-
In 2.0.2 and newer versions that are going to be release the problem has mitigated presented on that paper.