I think that what's being referred to here is that a VPN service with
multiple independent clients could have one nefarious client who used a
valid client key/cert to establish a session, then used that session plus
this vulnerability to compromise the server's private key, plus usernames,
passwords, and session keys of other clients of that VPN service.
On Tue, Apr 8, 2014 at 8:10 AM, Jakob Curdes <j...@info-systems.de> wrote:
>
>
> > Thank you James. I reached the same conclusion myself. I've been
> > working on it since early this morning.
> >
> > This means that most consumer VPN services are at least vulnerable to
> > getting their private TLS key stolen, and also usernames, passwords,
> > session keys and so on. As you pointed out, tls-auth is irrelevant if
> > the attacker knows the key, which is the case for consumer VPNs.
> Wait, I do not think that this is true. The attacker has the key for
> TLS-Auth only if he previously gained access to the client system in
> another way [which probably means he has access to the unencrypted
> network traffic anyway]. If he just has the network stream he will not
> be able to decipher the TLS communication without the key which is never
> transferred via the network (unless it has been transferred via network
> when installing it... ).
>
> Another interesting question: everybody is talking about Perfect Forward
> Secrecy to avoid deciphering past communications; are we sure OpenVPN
> implements this?
> I do not think this is a configurable item!?
>
> Best regards,
> Jakob Curdes
>
>
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration
> Continuously Automate Build, Test & Deployment
> Start a new project now. Try Jenkins in the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> Openvpn-users mailing list
> Openvpn-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openvpn-users
>
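As an added example (not from this thread or the OpenVPN project), a small Python audit of the two controls Jakob raises, tls-auth and forward secrecy: it parses a constructed server config, reports whether a tls-auth key is configured, and flags any tls-cipher entry whose key exchange is not (EC)DHE. The function names, the sample config and the suite-prefix list are assumptions of the example, and a config with no tls-cipher line is reported as "unrestricted" rather than guessing what the TLS library would negotiate.

```python
import re
# Constructed example (not OpenVPN project code): audit a server config for
# the two controls discussed above, a tls-auth HMAC key and forward-secret
# TLS suites. Prefixes follow OpenSSL suite naming for (EC)DHE key exchange.
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "EECDH-")

SAMPLE_CONFIG = """\
# constructed sample server config, not a real deployment
port 1194
dh dh2048.pem
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
(placeholder key material)
-----END OpenVPN Static key V1-----
</tls-auth>
tls-cipher ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:AES256-SHA
"""

def parse_openvpn_config(text):
    """Map top-level directives to argument lists; inline <block>s are recorded by name."""
    directives, inline = {}, None
    for raw in text.splitlines():
        if inline:                                   # inside <block>...</block>
            if raw.strip() == "</%s>" % inline:
                inline = None
            continue
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        m = re.fullmatch(r"<([a-z-]+)>", line)
        if m:
            inline = m.group(1)
            directives[inline] = []
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives

def audit(text):
    """Report whether tls-auth is set and whether every tls-cipher suite is forward secret."""
    d = parse_openvpn_config(text)
    args = d.get("tls-cipher") or [None]
    if args[0] is None:
        fs = "unrestricted"          # suite choice left to the TLS library
    else:
        weak = [s for s in args[0].split(":") if not s.startswith(FS_PREFIXES)]
        fs = "all-forward-secret" if not weak else "non-fs:" + ",".join(weak)
    return {"tls_auth": "tls-auth" in d, "forward_secrecy": fs}
```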