L. Aaron Kaplan wrote:
> No, I disagree. Not mentioning OpenVPN and the issues you are seeing 
> makes the guide *weaker* than having it in there with *clear* warnings.
> Why? Because people will use OpenVPN *anyway*.
> No matter if you remove the OpenVPN section or not.
> Better to have a clear message on this.

Ok. So how does our guide exactly help people that use OpenVPN anyway?
Nothing in this document improves the default security as shipped with

I'm fine with a statement on OpenVPN security in there, but it should
clearly state that it does not conform to our security recommendations
in any way. Feel free to commit such a change. I've removed it because
apparently nobody noticed that this is an issue; neither I nor others
seem to have reviewed the addition of OpenVPN to the document. The only
concern was: how to use the IANA syntax for our cipherstring with OpenVPN.

I do see OpenVPN as a security concern, and have for quite some time.
There are better alternatives and until this patch is merged I consider
it utterly broken from a cryptographic point of view - but that's just
my opinion.

Current issues with CBC mode in TLS:
 *) Lucky13
 *) implementation issues in various software stacks (Bleichenbacher)
 *) BEAST (pretty much HTTP specific but still)

...that's BTW the reason why CBC mode is going to be dropped in TLS 1.3
(only AEAD modes).


