Hi

On Tue, Aug 13, 2024 at 12:57:49PM +0200, Jakob Curdes wrote:
> The original seccuvera article states that OpenVPN (I assume they mean the
> Windows client) is "vulnerable" to this weakness and leaves data like
> emails, passwords and 2FA codes in the main memory after the program is
> closed. I have not tested this myself so I cannot say if that is true.

Whether or not OpenVPN retains information used to log into the server depends on the "--auth-nocache" setting.

There is no "correct" solution here - you want to reauth frequently to renegotiate new session keys, and if you do not want to re-enter your username + password every time, it needs to be cached... (in-memory-encryption could be used, but if OpenVPN can decrypt it, a process that can read OpenVPN's memory can do so as well).

On Program *close*, this data should be cleared (as well as "the OS needs to clear the memory and make it inaccessible"), but it's not clear what the researchers did here - they logged off, but depending on the way they started OpenVPN, it might still be running in the background (and in which case, these credentials will still be there).

(OpenVPN will, of course, never retain "emails" passing through the VPN - I understand the article to mean "the e-mail address used as username for logging into the VPN server")

gert
--
"If was one thing all people took for granted, was conviction that if you feed honest figures into a computer, honest figures come out. Never doubted it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany
g...@greenie.muc.de
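
Added example, not part of the message above and not OpenVPN project code: a small Python audit that reads a client config and reports where the login credentials end up depending on `auth-nocache`, the trade-off the message describes. The sample configs, the host name, the file path and the finding labels are constructed for illustration; inline `<ca>`-style blocks are not handled.

```python
import shlex

# Constructed sample client configs (not taken from the thread).
CACHING_CONF = "client\nremote vpn.example.net 1194\nauth-user-pass\nreneg-sec 3600\n"
NOCACHE_CONF = "client\nauth-user-pass   # prompt interactively\nauth-nocache\n"
FILE_CONF = "client\nauth-user-pass /etc/openvpn/creds.txt\nauth-nocache\n"
CERT_ONLY_CONF = "client\nremote vpn.example.net 1194\n; auth-user-pass\n"


def parse_directives(text):
    """Map each config directive to its argument list, skipping comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        tokens = shlex.split(line, comments=True)  # drops trailing '# ...'
        if tokens:
            # Accept both "auth-nocache" and command-line style "--auth-nocache".
            directives[tokens[0].lstrip("-")] = tokens[1:]
    return directives


def credential_findings(text):
    """Return labels (hypothetical names) describing credential exposure."""
    d = parse_directives(text)
    secret_opts = [o for o in ("auth-user-pass", "askpass") if o in d]
    if not secret_opts:
        return []  # nothing password-like is requested by this config
    from_file = any(d[o] for o in secret_opts)  # a file argument was given
    findings = []
    if "auth-nocache" not in d:
        # Kept in the process for later re-authentication, for as long as
        # the openvpn process keeps running.
        findings.append("CACHED_IN_MEMORY")
    elif not from_file:
        # Forgotten after use: the user may be prompted again on re-auth.
        findings.append("REPROMPT_ON_REAUTH")
    if from_file:
        # auth-nocache does not help here: the secret lives on disk.
        findings.append("SECRET_ON_DISK")
    return findings


if __name__ == "__main__":
    for name in ("CACHING_CONF", "NOCACHE_CONF", "FILE_CONF", "CERT_ONLY_CONF"):
        print(name, credential_findings(globals()[name]))
```

A `CACHED_IN_MEMORY` result only describes the configuration; whether the credentials are still resident after "logging off" depends on whether the OpenVPN process has actually exited.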
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users