[nycbug-talk] OpenVPN (was MD5 stuff)

Dan Langille dan at langille.org
Wed Jan 7 14:29:11 EST 2009


On Jan 7, 2009, at 2:17 PM, Isaac Levy wrote:

> On Jan 7, 2009, at 1:59 PM, Dan Langille wrote:
>> On Dec 31, 2008, at 6:44 PM, Isaac Levy wrote:
>>> On Dec 31, 2008, at 2:45 AM, Miles Nordin wrote:
>>>
>>>> I think it would be funny if these guys made a real CA cert with their
>>>> exploit and started selling certs signed by their fake key for $2 each
>>>> or something.  Not illegitimate certs, like, email-contact-verified
>>>> certs, the regular legitimate kind, just cheaper.  Why not?  It's
>>>> probably even legal in some jurisdiction if not in most.  And most
>>>> webmasters just want to turn the browser bar green.  It works now, so
>>>> for $2 why not?  I'd buy one.  If it starts turning browser bars red
>>>> some day, buy a more expensive cert _some day_, not now.  The whole
>>>> cert thing was such a racket to begin with, I wish they'd start
>>>> selling fake ones.
>>>
>>> Insanely great idea, IMHO- I mean, why not?  It's like creating a new
>>> currency (backed by insecurity).
>>>
>>> --
>>> Sidenote- everyone here who's dismissed OpenVPN, it almost goes
>>> without saying that this is yet another rock in that bucket...
>>
>> That's a nice turn of phrase.  Never heard it before.
>>
>> Really?  People dismiss OpenVPN?  Seems to be an OK solution to me.
>> Mind you, it doesn't matter what you pick, someone will dismiss it.
>>
>> It's been working flawlessly for my needs for the past month or so.
>
> I do not use OpenVPN, (IPSec holds much more interest for me based on
> its scope...), and with that, I have only a cursory understanding of
> its mechanics.

I have used IPsec in the past.  It may have been suitable for what I'm
doing now, but hadn't considered it.

> With that, I stand corrected by Miles and csnyder:
>
> On Jan 6, 2009, at 9:55 AM, csnyder wrote:
>> It's amazing just how helpless we are against the dumbing-down of TLS
>> by browser vendors.
>
> Indeed.  It seems, with a closer look, that OpenVPN would only be
> vulnerable to the recent md5 based SSL attack if it was configured to
> use public/auto-signing CA's.  I have no idea how likely this is out in
> the wild, but...

OpenVPN advises against using public CAs.

  http://openvpn.net/index.php/documentation/howto.html#pki

So FWIW, I am guessing few people are using public CAs with OpenVPN.

-- 
Dan Langille
http://langille.org/
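As a concrete illustration of the point Dan and Isaac are making (this is an added example, not text from the thread or from the OpenVPN project's own documentation): an OpenVPN client config with the weak `ca` choice shown next to the recommended one. The host name, file paths and key names are assumptions for the example.

```ini
# Added example, not from the original thread. Two ways to fill in the
# "ca" directive of an OpenVPN client config.
#
# WEAK: trust the operating system's public CA bundle. Any certificate
# chaining to any CA in that bundle is accepted, so a rogue intermediate
# obtained through the 2008 MD5-collision attack on a public CA would
# let an attacker impersonate the VPN server.
#
#   ca   /etc/ssl/certs/ca-certificates.crt     ; hypothetical bundle path
#
# RECOMMENDED (what the OpenVPN HOWTO's PKI section walks you through):
# trust only the private CA you generated yourself, so only certificates
# you issued are accepted and public CAs never enter the trust path.

client
dev tun
proto udp
remote vpn.example.org 1194        ; hypothetical server name

ca   /etc/openvpn/ca.crt           ; your own CA, the only one trusted
cert /etc/openvpn/client.crt       ; issued by that CA
key  /etc/openvpn/client.key

; Require that the peer's cert was issued by our CA as a *server* cert
; (extended key usage), so a stolen client cert cannot pose as the server.
remote-cert-tls server

; Optional extra layer: a pre-shared HMAC key on the control channel, so a
; peer without it cannot even start the TLS handshake.
tls-auth /etc/openvpn/ta.key 1
```

Private PKI only helps if the certificates you issue are not themselves MD5-signed; the attack in question is against the signature, not against who runs the CA. Before deploying, confirm the algorithm on your own CA and issued certs with `openssl x509 -in /etc/openvpn/ca.crt -noout -text | grep 'Signature Algorithm'` and expect a SHA-2 algorithm there, not md5WithRSAEncryption.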
