From: IT Superhack
To: development@lists.ipfire.org
Subject: Re: OpenVPN/IPsec - Sweet32: Birthday attacks
Date: Tue, 30 Aug 2016 06:11:00 +0000
Message-ID: <41c77c9b-60fe-c86a-3cff-9a1d03db7ebc@web.de>
In-Reply-To: <4A108ED6-A3B6-464A-9952-07BD7226059E@ipfire.org>

Hello Erik,

as far as I am concerned, removing ciphers from any software is always a bit problematic. For security reasons, it is always better to disable broken or weak ciphers such as RC4, MD5 or similar. But this may cause trouble if there are many legacy clients around.

In this case, mainly Windows XP systems are affected since 3DES was the only "safe" cipher suite they are able to use. Others (RC4, DES) went down the drain a long time ago. With Sweet32, it became impossible to use such a system for _any_ secure connection, no matter if it's HTTPS, VPN or something else.

Back to the VPN: It seems like there is a similar problem here, because the (at least in Germany) very popular Fritz!Box by AVM cannot handle IPSec VPNs with AES ciphers (source: http://wiki.ipfire.org/en/configuration/services/ipsec/avm-fritzbox).

In my humble opinion, removing the 3DES cipher is better. First because it improves the transport security situation, although it cannot be easily exploited. Second, the more weak techniques and broken ciphers a legacy system supports are disabled on the majority of the servers, the sooner people throw the old systems away.

Nevertheless, it should be mentioned in the release notes that some clients might not work anymore, so users can prepare for this scenario.

Best regards,
Timmothy Wilson
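The message above argues for dropping 3DES because of Sweet32 but notes that some clients still depend on it. The following Python script is an added example, not part of the original e-mail or of IPFire's code, that shows the defender's side of that trade-off: it computes the birthday bound behind Sweet32 (how much data can be sent under one key before a 64-bit block cipher is likely to repeat a block) and audits an OpenVPN configuration for 64-bit block ciphers and for a reneg-bytes rekey limit. The sample configuration is constructed for the example; the cipher family table and the OpenVPN directive names (cipher, data-ciphers, ncp-ciphers, reneg-bytes) are assumptions about the config syntax and cover only the families listed.

```python
import math

# Block size in bits per cipher family as it appears in OpenVPN or IPsec
# cipher strings. 64-bit block ciphers are the ones Sweet32 applies to.
# Longer names first so "DES-EDE3" wins over "DES". Table is an assumption
# of this example; extend it for families not listed here.
CIPHER_FAMILIES = (
    ("DES-EDE3", 64), ("3DES", 64), ("BLOWFISH", 64), ("BF", 64),
    ("CAST5", 64), ("IDEA", 64), ("RC2", 64), ("DES", 64),
    ("CAMELLIA", 128), ("AES", 128), ("CHACHA20", None),  # stream cipher
)

OPENVPN_CIPHER_DIRECTIVES = ("cipher", "data-ciphers", "ncp-ciphers",
                             "data-ciphers-fallback")


def block_bits(cipher_name):
    """Block size in bits for a name such as 'DES-EDE3-CBC', 'BF-CBC',
    'aes256-sha1' or 'AES-256-GCM'; None if unknown or not a block cipher."""
    name = cipher_name.strip().upper()
    for family, bits in CIPHER_FAMILIES:
        if name.startswith(family):
            return bits
    return None


def collision_probability(bits, n_bytes):
    """Birthday bound: with k = n_bytes / blocksize ciphertext blocks under
    one key and N = 2**bits possible blocks, P(collision) ~ 1 - exp(-k^2/2N).
    In CBC mode a collision leaks the XOR of two plaintext blocks (Sweet32)."""
    k = n_bytes / (bits // 8)
    return 1.0 - math.exp(-(k * k) / (2.0 * (2.0 ** bits)))


def bytes_until_probability(bits, p):
    """Data volume in bytes under one key at which P(collision) reaches p.
    Inverse of collision_probability: k = sqrt(-2N ln(1-p))."""
    k = math.sqrt(-2.0 * (2.0 ** bits) * math.log(1.0 - p))
    return int(k * (bits // 8))


def audit_openvpn_config(config_text):
    """Scan an OpenVPN config for 64-bit block ciphers and a reneg-bytes
    rekey limit. Returns (findings, reneg_bytes) where findings is a list of
    (directive, cipher) pairs and reneg_bytes is None if not configured."""
    findings = []
    reneg_bytes = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # full-line comments
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        directive, value = parts
        if directive == "reneg-bytes":
            reneg_bytes = int(value)
        elif directive in OPENVPN_CIPHER_DIRECTIVES:
            for cipher in value.split(":"):   # data-ciphers uses a ':' list
                if block_bits(cipher) == 64:
                    findings.append((directive, cipher))
    return findings, reneg_bytes


def sweet32_report(config_text, p=0.5):
    """Summarise exposure: each 64-bit cipher with the byte volume at which
    a block collision reaches probability p, plus whether rekeying happens
    before that volume. Rekeying early is the mitigation when the cipher
    cannot be removed for legacy clients."""
    findings, reneg_bytes = audit_openvpn_config(config_text)
    budget = bytes_until_probability(64, p)
    return {
        "vulnerable": findings,
        "bytes_at_p": budget,
        "reneg_bytes": reneg_bytes,
        "rekeys_before_bound": reneg_bytes is not None and reneg_bytes < budget,
    }


# Constructed sample configuration (not an IPFire or real-world file).
SAMPLE_CONFIG = """\
# constructed sample config
proto udp
cipher BF-CBC
data-ciphers AES-256-GCM:AES-128-CBC:DES-EDE3-CBC
auth SHA256
"""

if __name__ == "__main__":
    gib = 2 ** 30
    # 2**32 blocks of 8 bytes = 32 GiB gives P ~ 0.39 for a 64-bit cipher
    print("P(collision) after 32 GiB with 3DES: %.3f"
          % collision_probability(64, 32 * gib))
    print("P(collision) after 32 GiB with AES:  %.3g"
          % collision_probability(128, 32 * gib))
    print(sweet32_report(SAMPLE_CONFIG))
```

The report is meant for the case the e-mail describes: where 3DES must stay for a while because of legacy peers, `reneg-bytes` set well below the reported byte budget keeps each key from ever reaching the birthday bound; where it can go, the `vulnerable` list tells you which directive still names a 64-bit cipher.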