[Ach] OpenVPN and ACH

Aaron Zauner azet at azet.org
Thu Feb 19 17:05:11 CET 2015

L. Aaron Kaplan wrote:
> On Feb 19, 2015, at 4:53 PM, Alexander Wuerstlein <arw at cs.fau.de> wrote:
>> On 2015-02-19T16:26, Aaron Zauner <azet at azet.org> wrote:
>>> Hi,
>>> L. Aaron Kaplan wrote:
>>>> No, I disagree. Not mentioning OpenVPN and the issues you are seeing 
>>>> makes the guide *weaker* than having it in there with *clear* warnings.
>>>> Why? Because people will use OpenVPN *anyway*.
>>>> No matter if you remove the OpenVPN section or not.
>>>> Better to have a clear message on this.
>>> [...]
>>> I do see OpenVPN as a security concern, and have for quite some time.
>>> There are better alternatives [...]
>> There are better alternatives to OpenVPN? I'm currently unaware of any
>> usable OpenSource software that would do the same (i.e. routed VPN via
>> plain TCP or UDP connections).
> +1
> Please enlighten us, azet, in case you know something so widely deployed, superior in daily operations and compatible and flexible.

Only because something is widely deployed doesn't make it superior.
Windows ships with 0-days only known to the NSA and not disclosed by
Microsoft (Snowden documents). SSLv3 is still widely used but completely
broken, as is TLS 1.0. At some point in time we need to urge upstream
developers to take action or deprecate.

Again: I have no problem with a statement on OpenVPN in our guide. I
just did not have time to write one, and the stuff we currently have in
there makes no sense to me from a security point of view. If you feel
differently, please explain why (see previous emails about the shipped
config being identical to upstream).
