[Ach] OpenVPN and ACH

Thomas Preissler thomas at preissler.co.uk
Wed Feb 18 20:11:22 CET 2015


On Wed, Feb 18, 2015 at 07:48:21PM +0100, Aaron Zauner wrote:
> Hi,
> 
> https://github.com/BetterCrypto/Applied-Crypto-Hardening/pull/91
> 
> I've since removed (commented-out) the OpenVPN section in our document
> in commit 7b6fd17814acdbb2304ca3e84e99b02fe919abe6.
> 
> If anybody is interested in maintaining and reviewing this, please speak
> up. To the best of my knowledge OpenVPN is not suitable for our document
> -- CBC-only support (not as a fallback) is a real threat to the
> transport security. Hence I would not recommend using it myself and have
> thus removed it from our document for the time being.

Considering that more and more people will use this document to
'securely' configure their server, but an increasing number of those
won't necessarily understand the implications why certain services are
configured that way.

For example, I read somewhere that quite a number of people just use
certain 'recommendations' somewhere to configure their webserver, then
go off to SSLlabs and when they get at least an A rating, they are
happy - admitting they have no clue, what they have just reconfigured.

I believe that this should go in there, as it is not secure. And you
gave good reasons why it cannot be secure.
In general, I think it is not a matter of configuring encryption
securely, it is also about getting the message out that certain services
are inherently insecure. How else would they stop using it when they
don't know about it? You could also see this as a wakeup-call for
developers, maybe to work more closely with cryptographers.
You also have now a note on SHA-1 in it...

Otherwise people will assume, OpenVPN default's are 'secure',
configure it themselves with some random tutorial they found somewhere,
or worse, use some exciting DES encryption - because that's what they
remember.


Kind Regards

Thomas

-- 
www.preissler.co.uk | Twitter: @module0x90 | PGP-Key: 75889415
GPG Fingerprint:  CCBD 153A D257 CA7E A217  FDF7 5928 03D1 7588 9415



More information about the Ach mailing list