User interface, security, and "simplicity"

Perry E. Metzger perry at piermont.com
Sun May 4 20:05:28 EDT 2008 

Thor Lancelot Simon <tls at rek.tjls.com> writes:
> On Sat, May 03, 2008 at 07:50:01PM -0400, Perry E. Metzger wrote:
>> I disagree. Fundamentally, OpenVPN isn't doing anything IPSEC couldn't
>> do, and yet is is fairly easy to configure.
>
> And yet there's no underlying technical reason why it is any easier to
> configure than IPsec is;

Absolutely. There is no reason one couldn't build an easy to configure
IPSec. Indeed, OpenVPN could simply use IPSec if its authors wanted
to.

No one has created the easy to configure IPSec, however, so I don't
use IPSec for my own needs.

> I find it amusing (but somewhat sad) that in fact one can find basically
> the same set of flaws in each, but they're considered damning in IPsec
> while they're handwaved away or overlooked in SSL VPNs.

Myself, I don't handwave away said flaws. I don't recommend that
clients use OpenVPN, for example. On the other hand, most of my
clients can afford to pay admins to spend lots of time on this, and I
couldn't afford to spend the time myself.

> And, in fact, most VPN software of any type fails this test.  My concern
> is that an excessive focus on "how hard is it to set this thing up?" can
> seriously obscure the important second half of the question "and if you
> set it up in the easiest possible way, is it safe?"

Well, it is pretty easy to configure SSH safely. Set it to only use
public keys, copy your private key to the remote host in the
authorized_keys file, and you're more or less done. There is no reason
all the defaults can't be set up for a nice easy to use IPSec based
package in such a way that it requires a deliberate effort to make the
thing unsafe and it is more or less that easy to use.

Unfortunately, people just don't spend nearly the amount of time on
the UI for their IPSec systems that they do on the crypto, so they
spoil all the hard work they've done making the implementation sound
by making it impossible for ordinary people to understand.


-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list