[Ach] OpenVPN and ACH

Daniel Kahn Gillmor dkg at fifthhorseman.net
Fri Feb 20 21:36:17 CET 2015


On Thu 2015-02-19 15:07:24 -0500, Aaron Zauner wrote:
> Reed Loden wrote:
>>> # Enable compression on the VPN link.
>>> # If you enable it here, you must also
>>> # enable it in the client config file.
>>> comp-lzo
>> 
>> Why are you enabling compression on an SSL link? That possibly makes you
>> vulnerable to things like CRIME.
>
> That's what I just stated, right?
>
>> 
>> Again, another reason why ACH needs a thoroughly-researched OpenVPN
>> hardening section and not just ignoring it because it doesn't support
>> AEAD. People will do the wrong thing, so let's give them the best
>> possible options/config to use in OpenVPN's current state.
>>
>
> Some of the CBC attacks are actually more worrisome than CRIME-like
> attacks. I agree that this needs to be done properly, which is why I've
> removed the current section, since it's obviously identical to upstream,
> does not enhance security in any way and is not well tested nor researched.
>
> In any case upstream AEAD support is something we should push for.

Please push for AEAD support upstream, maybe even offering to patch or
test if you have the bandwidth for that:

  https://community.openvpn.net/openvpn/ticket/301

I've just let them know this is on our radar here.

Regards,

     --dkg
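Added here as an illustration that is not part of the thread or of the ACH guide: a small Python audit that flags the compression directives discussed above (`comp-lzo`, and the newer `compress`) in an OpenVPN config, including ones the server pushes to clients. The sample config and the script are constructed for the example.

```python
# Added example (not from the thread): audit an OpenVPN config for directives
# that enable payload compression on the VPN link.
import re

# Directives that turn compression on. "comp-lzo no", bare "compress", and
# "compress stub"/"stub-v2" keep the packet framing but do not compress.
COMPRESSING = {
    "comp-lzo": lambda args: not args or args[0] in ("yes", "adaptive"),
    "compress": lambda args: bool(args) and args[0] not in ("stub", "stub-v2"),
}

def find_compression(config_text):
    """Return (line_no, directive_text) for every directive that enables
    compression, including ones wrapped in push "..." for the client side."""
    findings = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        # OpenVPN treats lines starting with '#' or ';' as comments.
        if not line or line[0] in "#;":
            continue
        # 'push "comp-lzo"' applies to the client; unwrap it before matching.
        m = re.match(r'push\s+"([^"]*)"', line)
        directive = m.group(1).strip() if m else line
        parts = directive.split()
        check = COMPRESSING.get(parts[0]) if parts else None
        if check and check(parts[1:]):
            findings.append((n, line))
    return findings

# Constructed sample config (not a real deployment).
SAMPLE = """\
# Enable compression on the VPN link.
comp-lzo
;compress lz4   (commented out, so ignored)
push "comp-lzo"
cipher AES-256-CBC
"""

def audit(config_text=SAMPLE):
    """Print and return the compression findings for a config."""
    hits = find_compression(config_text)
    for n, line in hits:
        print(f"line {n}: compression enabled by '{line}'")
    return hits
```

Running `audit()` on the sample reports the bare `comp-lzo` and the pushed copy; the commented-out `compress lz4` line is skipped.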
