> Thank you James. I reached the same conclusion myself. I've been
> working on it since early this morning.
>
> This means that most consumer VPN services are at least vulnerable to
> getting their private TLS key stolen, and also usernames, passwords,
> session keys and so on. As you pointed out, tls-auth is irrelevant if
> the attacker knows the key, which is the case for consumer VPNs.
Wait, I do not think that this is true. The attacker has the key for
TLS-Auth only if he previously gained access to the client system in
another way [which probably means he has access to the unencrypted
network traffic anyway]. If he just has the network stream he will not
be able to decipher the TLS communication without the key, which is never
transferred via the network (unless it has been transferred via network
when installing it...).

Another interesting question: everybody is talking about Perfect Forward
Secrecy to avoid deciphering past communications; are we sure OpenVPN
implements this?
I do not think this is a configurable item!?

Best regards,
Jakob Curdes


_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
