‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, 2 April 2021 19:35, Simon Matter <simon.mat...@invoca.ch> wrote:

> > Commit 8fa8a17528c001a introduces "compress migrate" to move old clients
> > that have "compress" or "comp-lzo" in their config towards a connection
> > without compression. This is done by looking at incoming OCC strings
> > to see if the client has compression enabled, and at incoming IV_
> > strings to see whether it can do "compress stub-v2" or needs to be sent
> > "comp-lzo no".
>
> Hi,
>
> What I'm still wondering is why is compression so dangerous with OpenVPN
> but not so with things like SSH or SCP?
>

Simon,

I believe the detail which you have overlooked is this:

A lot of people use openvpn as a client to VPN service providers believing things which are not true. They then surf the web with over-confidence.

In such a scenario, while pulling off such an attack on a compressed VPN stream may seem remote, when you have such a vast number of victims to potentially abuse, the temptation to do so and potential success rate increase dramatically.

But I believe you need to have access to both the compressed VPN data and the uncompressed https packets to exploit such an attack.

Still, it was shown to be a genuine attack vector nonetheless.

--
Regards

R
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel