For some reasons I don't need a secure connection; it's enough that the
connection isn't plain text.
As I understand, --cipher none does not imply --no-iv on one hand, and the
default cipher with --no-iv and --auth none gives a non-plaintext connection
and reduces packet size, which is OK for my needs.
This is the reason I am asking why --no-iv gets deprecated while no other
option gives this functionality.

On 31 July 2017 at 17:56, Steffan Karger <stef...@karger.me> wrote:
> Hi,
>
> On 31 July 2017 at 11:00, Yevgeny Kosarzhevsky <phao...@gmail.com> wrote:
> > On 31 July 2017 at 15:49, Gert Doering <g...@greenie.muc.de> wrote:
> >>
> >> Using crypto with --no-iv is only marginally better than using
> >> "--cipher none" - so, if you want no encryption, make it explicit
> >> with "cipher none", instead of pretending to have strong crypto
> >> which it isn't.
> >>
> >> Why are you using --no-iv?
> >
> > I use it to reduce packet size on tunnels with the --secret option
> > together with --auth none.
> > I am aware of the fact that this is a less secure option; however, I
> > believe it still provides encryption and is safe enough unless the
> > key is revealed to a 3rd party.
> > Please correct me if I am mistaken.
>
> You are mistaken. CBC requires an unpredictable IV, so --no-iv breaks
> the CBC security. Using --auth none is plainly insecure against any
> man-in-the-middle attacker. Don't use either of those if you want a
> secure connection.
>
> If you want to understand why, I can recommend
> https://www.coursera.org/learn/crypto.
>
> -Steffan
>
--
Regards,
Yevgeny
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
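
An added illustration of the point quoted above that CBC requires an unpredictable IV; this is not code from the thread or from OpenVPN. It assumes the no-IV case behaves like a constant all-zero IV, uses a toy Feistel permutation as a stand-in for a real block cipher, and the two packets are constructed samples.

```python
import hashlib, hmac, os

BLOCK = 16  # cipher block size in bytes
HEADER = b"constructed-header-32-bytes-long"  # constructed: two full blocks

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel permutation (assumption: stands in for the real cipher).
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        f = hmac.new(key, bytes([i]) + right, hashlib.sha256).digest()[:BLOCK // 2]
        left, right = right, _xor(left, f)
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # PKCS#7 padding, then C_i = E(P_i xor C_{i-1}) with C_0 = IV.
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    prev, out = iv, b""
    for off in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[off:off + BLOCK], prev))
        out += prev
    return out

def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    # Count leading ciphertext blocks that are byte-identical in both packets.
    n = 0
    while (n + 1) * BLOCK <= min(len(c1), len(c2)) and \
            c1[n * BLOCK:(n + 1) * BLOCK] == c2[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n

def leaked_blocks(fixed_iv: bool) -> int:
    # Two packets share a 32-byte header and differ only in the payload.
    key = os.urandom(32)
    ivs = [bytes(BLOCK)] * 2 if fixed_iv else [os.urandom(BLOCK), os.urandom(BLOCK)]
    c1 = cbc_encrypt(key, ivs[0], HEADER + b"payload A")
    c2 = cbc_encrypt(key, ivs[1], HEADER + b"payload B")
    return shared_prefix_blocks(c1, c2)

if __name__ == "__main__":
    print("constant IV:", leaked_blocks(True), "identical leading blocks")
    print("random IV:  ", leaked_blocks(False), "identical leading blocks")
```

With a constant IV, anyone watching the wire can tell that two packets start with the same plaintext blocks without knowing the key; with a fresh random IV per packet the ciphertexts share nothing.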