[Ach] OpenVPN and ACH
Aaron Zauner
azet at azet.org
Thu Feb 19 17:05:11 CET 2015
L. Aaron Kaplan wrote:
> On Feb 19, 2015, at 4:53 PM, Alexander Wuerstlein <arw at cs.fau.de> wrote:
>
>> On 2015-02-19T16:26, Aaron Zauner <azet at azet.org> wrote:
>>> Hi,
>>>
>>> L. Aaron Kaplan wrote:
>>>> No, I disagree. Not mentioning OpenVPN and the issues you are seeing
>>>> makes the guide *weaker* than having it in there with *clear* warnings.
>>>> Why? Because people will use OpenVPN *anyway*.
>>>> No matter if you remove the OpenVPN section or not.
>>>> Better to have a clear message on this.
>>> [...]
>>> I do see OpenVPN as a security concern, and have for quite some time.
>>> There are better alternatives [...]
>> There are better alternatives to OpenVPN? I'm currently unaware of any
>> usable OpenSource software that would do the same (i.e. routed VPN via
>> plain TCP or UDP connections).
>
> +1
>
> Please enlighten us, azet, in case you know something so widely deployed, superior in daily operations and compatible and flexible.
>
Only because something is widely deployed doesn't make it superior.
Windows ships with 0-days only known to NSA not disclosed by Microsoft
(Snowden documents). SSLv3 is still widely used but completely broken -
as is TLS 1.0. At some point in time we need to urge upstream developers
to take action or deprecate.

Again, I have no problem with a statement on OpenVPN in our guide. I
just did not have time to write one, and the stuff we currently have in
there makes no sense to me from a security point of view. If you feel
differently, please explain why (see previous emails about the shipped
config. being identical to upstream).

Aaron