> Hi,
>
> On Fri, Apr 02, 2021 at 08:35:36PM +0200, Simon Matter wrote:
>> What I'm still wondering is why is compression so dangerous with OpenVPN
>> but not so with things like SSH or SCP?
>
> The problem is adversary-controlled traffic in a VPN tunnel, like
> "you surf on a web site, and there is java script that makes your
> browser send carefully crafted requests while someone looks at your
> VPN tunnel from the outside".
>
> If compression is active, an attacker can see if "the parts of the
> header that he can not see" are similar to "the parts that the java
> script creates", due to compression making the resulting packets
> smaller if sequences are identical.
>
> Supposedly you can use this to steal stuff like session cookies,
> which java script would normally not be able to see.
>
>
> Now, I personally find this all a bit unrealistic in practice - it's
> quite a number of "ifs", and even then, it's unclear if possible in
> practice, or even interesting enough, given the myriad of easier to
> exploit attack vectors.
>
> But it *is* a possible attack, and if weighing "is this a good feature?"
> against maintenance effort and possible security effects, compression
> starts drifting towards the negative side (because most traffic inside
> VPNs is already compressed or encrypted anyway today, so compression won't
> have a big effect).
>
>
> Now, in ssh, you copy files of your own choice.  Compression is useful
> there, if the files are not already compressed.  An attacker won't be
> able to manipulate just *part* of one file, to see if the neighbouring
> 100 bytes are "similar"... so this class of attacks does not exist.
>

To me it seems like you can of course build a scenario where compression
_could_ be a problem somehow, but there are certainly many use cases
where it can be considered almost impossible to have your security
weakened by compression. I mean, there is also the SSH VPN mode which can
be used with compression and I've never heard someone saying it's less
secure with compression.

In our case where we connect several subnets via OpenVPN and there goes a
lot of different traffic from dozens of hosts in every location, I still
fail to understand how our security would be impacted by compression?

In the end my only question is: is it worth removing compression from
OpenVPN in the long run, or is this not planned?

Thanks,
Simon



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
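
The length side channel described in the quoted reply, as an added example that is not part of the original thread: it compares the packet size an outside observer would see when the in-tunnel controlled bytes match a hidden header and when they do not, with compression on and off. The header value, host name and function names are constructed for illustration, and encryption is assumed to be length-preserving.

```python
import zlib

# Constructed sample: a header the in-tunnel script cannot read.
HIDDEN_HEADER = b"Cookie: session=7f3a9c1e5b2d8046\r\n"


def tunnel_packet_len(controlled: bytes, compress: bool) -> int:
    """Size an outside observer sees for one tunnelled request.

    Assumption: the cipher preserves length, so only the optional
    compression step changes the observable size.
    """
    plaintext = (
        b"GET /?" + controlled + b" HTTP/1.1\r\n"
        b"Host: example.test\r\n" + HIDDEN_HEADER
    )
    payload = zlib.compress(plaintext, 9) if compress else plaintext
    return len(payload)


def observed_lengths(compress: bool) -> dict:
    """Observable sizes for two equal-length controlled strings."""
    same = b"Cookie: session=7f3a9c1e5b2d8046"       # equals the hidden value
    different = b"Cookie: session=QwZxKpLmVtYrNjHg"  # same length, other value
    return {
        "matching": tunnel_packet_len(same, compress),
        "non_matching": tunnel_packet_len(different, compress),
    }


if __name__ == "__main__":
    for compress in (True, False):
        sizes = observed_lengths(compress)
        label = "compression on " if compress else "compression off"
        leak = sizes["matching"] != sizes["non_matching"]
        print(label, sizes, "-> size depends on hidden data:", leak)
```

With compression off, both requests produce the same size, so the observer learns nothing from packet lengths about whether the controlled bytes resemble the hidden header.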
