[Ach] OpenVPN and ACH
Aaron Zauner
azet at azet.org
Thu Feb 19 16:26:00 CET 2015
Hi,
L. Aaron Kaplan wrote:
>
> No, I disagree. Not mentioning OpenVPN and the issues you are seeing
> makes the guide *weaker* than having it in there with *clear* warnings.
> Why? Because people will use OpenVPN *anyway*.
> No matter if you remove the OpenVPN section or not.
> Better to have a clear message on this.
>
Ok. So how does our guide exactly help people that use OpenVPN anyway?
Nothing in this document improves the default security as shipped with
OpenVPN.
I'm fine with a statement on OpenVPN security in there, but it should
clearly state that it does not conform to our security recommendations
in any way. Feel free to commit such a change. I've removed it because
apparently nobody noticed that this is an issue; neither I nor others
seem to have reviewed the addition of OpenVPN to the document. The only
concern was: how to use the IANA syntax for our cipherstring with OpenVPN.
I do see OpenVPN as a security concern, and have for quite some time.
There are better alternatives and until this patch is merged I consider
it utterly broken from a cryptographic point of view - but that's just
my opinion.
Current issues with CBC mode in TLS:
*) Lucky13
*) POODLE
*) implementation issues in various software stacks (Bleichenbacher)
*) BEAST (pretty much HTTP specific but still)
..that's BTW the reason why CBC mode is going to be dropped in TLS 1.3
(only AEAD modes).
Aaron