On Wed, Oct 16, 2013 at 8:00 PM, Jason Haar <jason_h...@trimble.com> wrote:
> On 17/10/13 10:32, Les Mikesell wrote:
>> Yes, but if someone can MTM the https ssl, why couldn't they do the
>> same for openvpn's ssl?
>
> Because the IT group responsible for pushing out VPN client onto laptops
> wouldn't allow the entire validation component of SSL to be subverted.

I thought a true man-in-the-middle attack could intercept the
certificates in both directions and thus be invisible at the endpoints.
Is that not possible?

> That is the fundamental difference: browsers rely on *users* doing the
> right thing, whereas VPNs rely on *IT groups* doing the right thing.

And if you are talking about DNS spoofing or phishing attempts that get
the user/browser to connect to a target impersonating the real one, I
don't see how having part of the path tunneled helps much.

> You are correct that both VPNs and HTTPS approach the same level of
> functionality in terms of protection - but in practice that does not
> happen. i.e. I hear about hackers stealing money from bank accounts, I
> don't hear about hackers breaking into VPN tunnels, and using that to
> steal money from bank accounts. I guess it does happen - but it would be
> 99.999% browsers/0.001% VPNs?

So things like this:
https://www.schneier.com/blog/archives/2011/10/full_extent_of.html
don't happen? Or are they just typically kept quiet?

Also, I believe that the US govt. has stated that simply using
encryption is enough reason to justify NSA surveillance since the
communication "might" be foreign.

But back to the 'redirect gateway' issue: one thing you typically want
to avoid is setting up a potential route between the internet at large
and your protected VPN cloud that bypasses your own firewalls. Any
client with routes that don't go through the VPN has the ability to do
this.

--
Les Mikesell
lesmikes...@gmail.com
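The routing concern Les raises at the end (a client that still has paths to the internet outside the tunnel) can be checked from the client's own routing table. The script below is an added example, not code from the thread or from the OpenVPN project; the `ip route` output, the tunnel device name `tun0` and the VPN server address 198.51.100.10 are constructed sample values.

```python
import ipaddress

# Constructed sample `ip route` output from a Linux OpenVPN client that
# received "redirect-gateway def1": two /1 routes cover all of IPv4 via the
# tunnel, a /32 host route keeps the VPN server reachable through the
# physical gateway, and the local LAN stays directly attached to wlan0.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
198.51.100.10 via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""


def parse_routes(text):
    """Return [(network, device)] from `ip route`-style lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1] if "dev" in parts else ""
        routes.append((ipaddress.ip_network(dst, strict=False), dev))
    return routes


def audit_tunnel(routes, tun_dev="tun0", vpn_server="198.51.100.10"):
    """Return (full_tunnel, bypass): whether IPv4 defaults into the tunnel,
    and which routes still send traffic out another interface."""
    server = ipaddress.ip_address(vpn_server)
    halves = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}
    tun_nets = {net for net, dev in routes if dev == tun_dev}
    full_tunnel = halves <= tun_nets or ipaddress.ip_network("0.0.0.0/0") in tun_nets
    bypass = []
    for net, dev in routes:
        if dev == tun_dev:
            continue
        if net.prefixlen == 0 and full_tunnel:
            continue  # shadowed by the more specific /1 routes via the tunnel
        if net.prefixlen == 32 and net.network_address == server:
            continue  # required so the encapsulated packets reach the server
        bypass.append((str(net), dev))
    return full_tunnel, bypass


if __name__ == "__main__":
    ok, leaks = audit_tunnel(parse_routes(SAMPLE_ROUTES))
    print("default via tunnel:", ok)
    print("routes bypassing the tunnel:", leaks)
```

In the sample the only route left outside the tunnel is the directly attached LAN, which is exactly the kind of path between the VPN cloud and an unfirewalled network that the post warns about.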