On 17/10/13 10:32, Les Mikesell wrote:
> Yes, but if someone can MTM the https ssl, why couldn't they do the
> same for openvpn's ssl?

Because the IT group responsible for pushing out the VPN client onto laptops wouldn't allow the entire validation component of SSL to be subverted. That is the fundamental difference: browsers rely on *users* doing the right thing, whereas VPNs rely on *IT groups* doing the right thing.

You are correct that both VPNs and HTTPS approach the same level of functionality in terms of protection - but in practice that does not happen. i.e. I hear about hackers stealing money from bank accounts, I don't hear about hackers breaking into VPN tunnels, and using that to steal money from bank accounts. I guess it does happen - but it would be 99.999% browsers/0.001% VPNs?

> Is there more than the obscurity of using an unexpected port for the
> traffic? And, on the flip side, if the user is really paranoid, why
> should he trust the VPN host to not do the same, since they become
> another point that can intercept both sides of the conversation?

Sorry, I don't get the "unexpected port" comment.

If you are vpn-ing into an organization, that implies some form of trust - certainly more than anyone should have for any Starbucks Wifi connection (especially with that chap with a laptop in the corner with the "w00t!" tee shirt).

I certainly assumed the original poster represents an *organization* trying to protect *the organization's* laptops and users.

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users