User interface, security, and "simplicity"
Thor Lancelot Simon
tls at rek.tjls.com
Thu May 1 13:50:09 EDT 2008
It's fashionable in some circles (including, it seems, this one) to bash
IPsec (particularly IKE) and tout SSL VPNs (particularly OpenVPN) on what
are basically user interface grounds.
I cannot help repeatedly noting that -- I believe more so than with actual
IPsec deployments, whether with or without IKE -- OpenVPN deployments are
often configured in hideously insecure ways. This is no more the fault of
OpenVPN's designers, of course, than the ghastly configuration interfaces
imposed by many IKE impledmentations are the fault of IPsec's designers.
See, for example, http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN
which is the official documentation from the popular "pfsense"
firewall/NAT/VPN package on configuring OpenVPN for use with clients. Of
particular note:
1) It is not possible to configure a list of expected identities
of users; rather, just a CA which must sign for all users.
2) No CRL is configured, nor do the instructions say to do so,
though it is possible.
3) The client and server certificates come from the same CA,
and both client and server get configured with *only the CA
certificate*, not the subject name of the expected peer.
This is, of course, a serious security hole all of its
own, since it allows any client to conduct an MITM
attack and impersonate the server.
4) Instructions are given for using a package called "EasyRSA"
to set up a CA and create and sign keys. These instructions
have several severe flaws of their own:
a) They generate client public and private keys *on the
CA* rather than using client generation and proper
certificate signing requests. This poses a needless
risk of private key compromise, which is, in fact,
particularly likely, since
b) The instructions mention only in passing that oh, by
the way, one might want to encrypt the client's new
private key, and that one _could_ do so -- but the
example does not, in fact, encrypt the key.
Anecdotally I have heard of a few users of this
combination of software packages (OpenVPN/pfsense/
EasyRSA) who bother to encrypt the private keys
they send to users -- but quite a few more who just
ship them around plaintext, since the example does
so.
c) No documentation at all is given of how to revoke a
key, nor why one would want to do so.
5) No explanation whatsoever is given of the compromises made in
the process of "simplifying" the configuration of this VPN
software -- which are significant and have major security
consequences.
The upshot is that, indeed, at least as shown here, this particular
configuration frontend to OpenVPN is very easy to configure -- if you
are willing to settle for much less security than OpenVPN was designed
to provide, and much less than, if you're naive about cryptography, you
probably think you're getting.
Gee, that's funny, that's one of the problems with IPsec implementations
that people always cite when they tout SSL VPNs (the other is that some
firewalls can't be configured to pass IP protocol 50 for ESP -- but, of
course, ESP can be tunneled in UDP, in a standard way, and that's been
true for years now).
I am left with the strong suspicion that SSL VPNs are "easier to configure
and use" because a large percentage of their user population simply is not
very sensitive to how much security is actually provided. Someone said
"have a firewall", they set up a firewall. Someone says "I can't get in
through the firewall, set up a VPN", they set up a VPN. For their purposes
IP over DNS might serve just as well -- and if enough other people said it
was secure, they'd probably get all defensive if you said it wasn't, at
least not how they'd configured it.
One could think of it, I suppose, as a combination of drinking the Kool
Aid and buying the snake oil -- drinking the snake oil? Whatever one calls
it one should be very careful of its effects on the popular consciousness
when trying to understand what user preferences for this security product
over that one actually mean.
Thor
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list