From: IT Superhack <itsuperhack@web.de>
To: development@lists.ipfire.org
Subject: Re: OpenVPN/IPsec - Sweet32: Birthday attacks
Date: Tue, 30 Aug 2016 06:11:00 +0000
Message-ID: <41c77c9b-60fe-c86a-3cff-9a1d03db7ebc@web.de>
In-Reply-To: <4A108ED6-A3B6-464A-9952-07BD7226059E@ipfire.org>

Hello Erik,

as far as I am concerned, removing ciphers from any software is
always a bit problematic.

For security reasons, it is always better to disable broken or
weak ciphers such as RC4, MD5 or similar. But this may cause
trouble if there are many legacy clients around.

In this case, mainly Windows XP systems are affected since 3DES
was the only "safe" cipher suite they are able to use. Others
(RC4, DES) went down the drain a long time ago.

With Sweet32, it became impossible to use such a system for _any_
secure connection, no matter if it's HTTPS, VPN or something else.

Back to the VPN: It seems like there is a similar problem here,
because the (at least in Germany) very popular Fritz!Box by AVM
cannot handle IPSec VPNs with AES ciphers (source:
http://wiki.ipfire.org/en/configuration/services/ipsec/avm-fritzbox).

In my humble opinion, removing the 3DES cipher is better. First
because it improves the transport security situation, although it
cannot be easily exploited. Second, the more weak techniques and broken ciphers
a legacy system supports are disabled on the majority of the servers,
the sooner people throw the old systems away.

Nevertheless, it should be mentioned in the release notes that
some clients might not work anymore, so users can prepare for this scenario.

Best regards,
Timmothy Wilson