[nycbug-talk] OpenVPN (was MD5 stuff)
dan at langille.org
Wed Jan 7 14:29:11 EST 2009
On Jan 7, 2009, at 2:17 PM, Isaac Levy wrote:
> On Jan 7, 2009, at 1:59 PM, Dan Langille wrote:
>> On Dec 31, 2008, at 6:44 PM, Isaac Levy wrote:
>>> On Dec 31, 2008, at 2:45 AM, Miles Nordin wrote:
>>>> I think it would be funny if these guys made a real CA cert with
>>>> exploit and started selling certs signed by their fake key for $2
>>>> or something. not illegitimate certs, like, email-contact-verified
>>>> certs, the regular legitimate kind, just cheaper. Why not? It's
>>>> probably even legal in some jurisdiction if not in most. and most
>>>> webmasters just want to turn the browser bar green. It works now,
>>>> for $2 why not? I'd buy one. If it starts turning browser bars
>>>> some day, buy a more expensive cert _some day_, not now. The whole
>>>> cert thing was such a racket to begin with, i wish they'd start
>>>> selling fake ones.
>>> Insanely great idea, IMHO- I mean, why not? It's like creating a
>>> currency (backed by insecurity).
>>> Sidenote- everyone here who's dismissed OpenVPN, it almost goes
>>> without saying that this is yet another rock in that bucket...
>> That's a nice turn of phrase. Never heard it before.
>> Really? People dismiss OpenVPN? Seems to be an OK solution to me.
>> Mind you, it doesn't matter what you pick, someone will dismiss it.
>> It's been working flawlessly for my needs for the past month or so.
> I do not use OpenVPN, (IPSec holds much more interest for me based on
> it's scope...), and with that, I have only a cursory understanding of
> it's mechanics.
I have used IPsec in the past. It may have been suitable for what I'm
now, but hadn't considered it.
> With that, I stand corrected by Miles and csnyeder:
> On Jan 6, 2009, at 9:55 AM, csnyder wrote:
>> It's amazing just how helpless we are against the dumbing-down of TLS
>> by browser vendors.
> Indeed. It seems, with a closer look, that OpenVPN would only be to
> the recent md5 based SSL attack if it was configured to use public/
> auto-signing CA's. I have no idea how likely this is out in the wild,
OpenVPN advises against using public CAs.
So FWIW, I am guessing few people are using public CAs with OpenVPN.
More information about the talk