Domain: openswan.org
Stories and comments across the archive that link to openswan.org.
Comments · 24
-
Re:Out of Curiosity...
The easiest way to do it is set up your own VPN on AWS. OpenSwan comes highly recommended, but it's not hard to do tunneling through SSH, either. It'll cost ~$5 a month if you leave it up all the time.
To answer your question, you absolutely should not trust a VPN provider.
-
Re:Steganography
The problems you describe cover the specific current implementation of Freenet. I do not know much about it, but it sounds like they consider the performance issues important and have improved the performance.
Of course, Freenet is an extreme example. With privacy on the internet, often increasing privacy requires some decrease in speed/efficiency.
Opportunistic encryption is essentially free and protects against passive eavesdropping. Once DNSSEC is in place, even active attacks against simple opportunistic encryption with DNS for key exchange. (This is not purely theoretical. Openswan implements such a protocol.)
For common communications, people can use self-signed HTTPS, e-mail encryption, and IM encryption -- but that requires extra work on the part of the user. None of those have particularly friendly or easy-to-use interfaces. Asking people to deal with keys/authentication is unreasonable for most people -- and I have yet to see a user-friendly solution for key exchange.
For plausible deniability, there's Tor, but it still reveals that you are doing something, it is relatively slow, and it is not encrypted at the other end (except for internal sites which are sorta like Freenet sites). Currently using Tor, as you say, will probably get the secret police to assume you have something to hide. A system that encrypted everything -- like opportunistic encryption -- would be much better for that reason.
The technology is there, but it is missing polish, network effects, and actually giving people a reason to use it. Security/privacy is not visible. Most people are not aware of it or just don't care until something happens (see: NSA wiretapping). I use IM encryption (OTR) with some of my friends, but most people are not going to be bothered to install it if it is not default, and I have been given the reason that people may care if people they know can read their IMs/e-mails(/Facebook messages), but the theoretical attacker in the cloud [almost certainly] doesn't know them so it doesn't matter to them if that person learns personal trivia about them.
-
IPSEC?
Doesn't this problem already have a solution?
-
Psiphon looks good...
...and here is some more software and some guides related to privacy, pseudo/ano-nymity and security:
tor.eff.org - onion routing anonymizer
www.i2p.net - secure/anonymous interactive network
freenetproject.org - secure/anonymous distributed file system
www.turtle4privacy.org - f2f peer network
gnunet.org - secure p2p infrastructure
www.cspace.in - secure p2p infrastructure
www.openswan.org - VPN with opportunistic encryption
silcnet.org - secure internet live chat
ihu.sourceforge.net - p2p VoIP with crypto
wiki.noreply.org - How to give anonymous talks
azureus.sourceforge.net - azureus over p2p
cryptnet.net - guerrilla software development how to
-
Openswan released update
Openswan has an announcement about this, and comments:
Versions of openswan-1 are (apparently) not vulnerable to this attack.
Versions of openswan-2 are (apparently) vulnerable to a Denial Of Service attack in two known cases.
One involves a crafted packet using 3DES with an invalid key length. One other is still unknown to us because no more information was provided. These two cases cannot be used to obtain elevated privileges, since it is not possible to use these bugs to execute arbitrary code. These attacks are caught within our "assertion fail" verification code.
Today we have released openswan-2.4.2. This release fixes the 3DES related Denial Of Service attack.
We STRONGLY encourage CERT-FI and/or NISCC to give us access to the test kit if they are concerned about the second vulnerability and the impact of this advisory on the wide install base of Openswan-2 if those systems are left vulnerable to a DOS attack.
-
Openswan project directly affected
The Openswan project is directly affected by this this month. We were contacted by an agency and asked to sign a non-disclosure agreement, following which they would tell us of a possible vulnerability in our code. This non-disclosure would prevent us from releasing details of the vulnerability until such time as the rest of the "group" would be ready for it to be announced.
In the case of an Open Source product, we cannot even do a "stealth" fix; we have to describe what each patch does when we commit it to CVS. That would make the vulnerability public and would be a no-no to this agency.
In essence, the agency could decide which bug we could fix and which ones we could not.
I see this as the equivalent to blackmail: Sign our non-disclosure and we will give you a possible vulnerability; don't sign it and you will look bad when the vulnerability is made public.
I am a CISSP, and quite willing to hold on the patch until others can fix their code if the allowed time is reasonable, but the non-disclosure is broad and has no time limitations... So what the heck should we do ?
-
No sane IPsec implementation is vulnerable
Response from the Openswan team: Not vulnerable
-
Re:Linksys
The native IPsec in the Linksys is based on Linux as well, but it is outdated and buggy and possibly insecure.
-
Re:OpenVPN
Erm -- No, OpenVPN is an entirely different project, a cross-platform SSL VPN; FreeS/WAN is an IPsec VPN solution which halted development at 2.06 -- it has been succeeded by http://www.openswan.org/ and http://www.strongswan.org/
-
A couple of options
PPP tunnelled over SSH is simple, quick to set up, and works without a hitch. I've used it to connect 20+ locations, and it's just as good as having a dedicated frame link between the sites.
IPSEC (using openswan or similar) works well, but is in my experience more complicated and harder to maintain than the PPP-over-SSH method.
Both of these are free.
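As an added example (not from the commenter, and not Openswan or FreeS/WAN code), here is a small sh script for the two SSH-based setups mentioned in this thread: the PPP-over-SSH link described in the comment above, and the plain SSH tunnel suggested in the "Out of Curiosity" reply near the top of the page. Every hostname, user, address and path in it is a placeholder; it assumes key-based SSH login to the remote host and a sudo rule that lets the VPN account run pppd without a password.

```shell
#!/bin/sh
# Two ways to tunnel over SSH. Added example; all hosts, users, addresses and
# paths are placeholders, not values from the thread.
#   ppp   - PPP over SSH: a real layer-3 link, routes the far LAN through it
#   socks - ssh -D: a local SOCKS proxy, enough for one machine's browsing

REMOTE_HOST="${REMOTE_HOST:-vpn.example.com}"   # assumed
REMOTE_USER="${REMOTE_USER:-vpn}"               # unprivileged; sudo for pppd
REMOTE_PPPD="${REMOTE_PPPD:-/usr/sbin/pppd}"    # assumed path
LOCAL_IP="${LOCAL_IP:-10.99.0.1}"               # tunnel endpoints, assumed
REMOTE_IP="${REMOTE_IP:-10.99.0.2}"
REMOTE_NET="${REMOTE_NET:-192.168.2.0/24}"      # LAN behind the far end, assumed
SOCKS_PORT="${SOCKS_PORT:-1080}"

# Local pppd command. pppd spawns ssh as its "modem" (pty "...") and the remote
# pppd speaks PPP on ssh's stdin/stdout (notty).
#   -e none      disable ssh's '~' escape so no PPP byte is swallowed
#   BatchMode    never prompt; keys or an agent must already be set up
#   noauth       SSH already authenticated both ends, skip PAP/CHAP
#   updetach     return once the link is up, so a script can add routes
ppp_over_ssh_cmd() {
    printf '%s\n' "pppd updetach noauth passive pty \"ssh -e none -o BatchMode=yes ${REMOTE_USER}@${REMOTE_HOST} sudo ${REMOTE_PPPD} nodetach notty noauth\" ipparam vpn ${LOCAL_IP}:${REMOTE_IP}"
}

# Once the ppp interface is up, send the remote LAN through the far tunnel address.
ppp_route_cmd() {
    printf '%s\n' "ip route add ${REMOTE_NET} via ${REMOTE_IP}"
}

# Dynamic port forward: point the browser at socks5://127.0.0.1:${SOCKS_PORT}.
# -N runs no remote command; only the forwarded traffic leaves via the server.
socks_tunnel_cmd() {
    printf '%s\n' "ssh -N -D 127.0.0.1:${SOCKS_PORT} -o BatchMode=yes ${REMOTE_USER}@${REMOTE_HOST}"
}

case "${1:-show}" in
    ppp)   eval "$(ppp_over_ssh_cmd)" && eval "$(ppp_route_cmd)" ;;
    socks) eval "$(socks_tunnel_cmd)" ;;
    *)     echo "# dry run, would execute:"
           ppp_over_ssh_cmd; ppp_route_cmd; socks_tunnel_cmd ;;
esac
```

Run it as `sh tunnel.sh ppp` on the side that initiates the link; with no argument it only prints the commands. `ipparam vpn` just tags the link so /etc/ppp/ip-up can recognise it and add further routes if you prefer that to the inline `ip route`.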
-
Umm, 'scuse me mr. reporter, it's "VPN" ..
.. not 'shadow internet'.
Virtual Private Network.
The oh-so subtle difference between positions (shadow internet vs. VPN) is that if someone does a google for VPN, they'll realize just how damn easy it is.
"Shadow Internet"-way just sounds comic-book super-hero, and as we all know that's as literary as most people's thoughts go, it won't be obvious that 'any joe can build their own private and secret Internet on top of the Internet'.
(Not just 'elite techno-psycho-fascist' types hell-bent on destroying 'systems'. *Anyone*.)
Obscure, eh?
-
Re:By its nature...
There are alternatives.
-
We know who can stand against Microsoft
That in turn is a large part of the popularity of the GPL. Microsoft can't appropriate GPL'ed code. They can distribute it, just like anyone else can, and they do. But they can't kill the organization that actually produces it. They can't prevent users from extending it.
In the long run, open source can outlive its original owner. The current controversy over X and the FreeS/WAN transition to Openswan both illustrate that.
-
Re:Nice project but documentation is lacking...
Hi,
I was the maintainer of Super FreeS/WAN, and am now the release manager of Openswan.
We're currently working on a whole new set of documentation, in DocBook/XML format to boot. It's slow, since we all know how much developers love to write documentation, but it's coming. For now, you can see The Wiki which will probably get slashdotted.
Ken
-
Re:OpenWRT
Re: VPN
We have Openswan ipkg's now for the WRT stuff.
See the announcement here for details on obtaining/installing it.
-
Re:MS is ahead of Open Source on encryption
- Loop-back encryption is kinda clunky. dm-crypt looks to be a cleaner way to do encrypted devices. And pam_mount can mount encrypted home directories on login.
- As for doing encryption in the filesystem, several people are working on it.
- Your notion that OpenSSH only creates a tunnel while the "console" is open, is little more than FUD. Oh no! The console!. That's the whole point. SSH is largely interactive by its very nature.
- It's quite easy to set up OpenSSL in inetd mode for SSL'd services.
- Encrypted executables? Are you joking? WTF would that achieve? If someone has physical access to your machine, you're screwed anyway. And if someone has broken into your machine remotely then your executables are probably the last thing to worry about. On Unix/Linux systems you need root access to write to system executables. If an intruder has root access, they can do anything and don't need to modify your executable to screw around. This is a straw-man argument.
- Linux is very good as a VPN router. Not only do we have IPsec/IPV6 from the KAME project, there's also the (abandoned) FreeS/WAN project and the spin-off Openswan. But don't forget OpenVPN (available for quite a few platforms, not just Unix/Linux). If you're really desperate, you can always combine SSH and PPP to make a VPN.
- Tokens? You have heard of Kerberos haven't you?
BTW, here's a good LDAPv3+SASL+KerberosV HowTo
My god you are a troll. Oh, and as others have pointed out, encryption does not instantly make something secure.
-
Re:Call them "Evil Doers" next...
8:33pm up 2 days, 22:20, 1 user, load average: 0.00, 0.00, 0.00
37 processes: 35 sleeping, 2 running, 0 zombie, 0 stopped
CPU states: 0.0% user, 7.0% system, 0.0% nice, 93.0% idle
Mem: 2582324K av, 353544K used, 2228780K free, 0K shrd, 82364K buff
Swap: 1073016K av, 0K used, 1073016K free 90972K cached
[root@somewhere]# ipsec eroute | wc -l
393
Dedicated Hpaq Proliant DL380 G3 server, Xeon 2.8GHz CPU, 2+GB RAM. Multiple site-to-site tunnels up to about 130 sites across WAN links of varying speed, but mostly between 3-8Mbit/s. Handles about 1.2GB of 3DES/MD5 encrypted/authenticated traffic per day. Runs like a champ, the box barely notices the encryption overhead, it just takes a while (2-3 minutes) to rebuild all the tunnels when you restart FreeS/WAN.
Only headache is deciding which open-source VPN/ipv6 software to use now that FreeS/WAN is at end-of-life.
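As an added example, not the poster's or the project's code: `ipsec eroute | wc -l` also counts the %trap, %hold and %pass shunt eroutes that FreeS/WAN and Openswan install alongside real tunnels, so a raw line count is an upper bound on tunnels. The sh/awk functions below summarize eroute output the way a practitioner on a box like the one above would want it: tunnel eroutes versus shunts, distinct remote gateways, and gateways whose eroutes have carried no packets since the last rebuild. The line format assumed (packet count, source subnet, `->`, destination subnet, `=>`, then `tun0x<spi>@<gateway>` or a `%shunt`) is the KLIPS /proc/net/ipsec_eroute layout as I remember it; the sample lines are constructed, not taken from the poster's machine.

```shell
#!/bin/sh
# Summarize KLIPS "ipsec eroute" output. Added example with constructed input;
# the layout assumed is: <pkts> <src>/<mask> -> <dst>/<mask> => <said>
# where <said> is tun0x<spi>@<gateway> for a tunnel or a %trap/%hold/%pass/%drop shunt.

SAMPLE_EROUTE='42        10.0.1.0/24        -> 10.1.0.0/24        => tun0x1002@192.0.2.10
0         10.0.1.0/24        -> 10.2.0.0/24        => tun0x1006@192.0.2.12
7         10.0.1.0/24        -> 10.3.0.0/24        => tun0x1008@192.0.2.11
0         10.0.1.0/24        -> 10.4.0.0/24        => tun0x100a@192.0.2.11
0         0.0.0.0/0          -> 0.0.0.0/0          => %trap
0         10.0.1.0/24        -> 10.9.0.0/24        => %hold'

# stdin: eroute lines. stdout: "tunnels=N gateways=M shunts=S".
eroute_summary() {
    awk '
        $3 == "->" && $5 == "=>" {
            if ($6 ~ /^tun0x[0-9a-fA-F]+@/) {
                split($6, p, "@"); gw[p[2]]++; tunnels++
            } else if ($6 ~ /^%/) {
                shunts++
            }
        }
        END {
            n = 0; for (g in gw) n++
            printf "tunnels=%d gateways=%d shunts=%d\n", tunnels + 0, n, shunts + 0
        }'
}

# stdin: eroute lines. stdout: remote gateways whose tunnel eroutes have all
# seen zero packets, i.e. tunnels that are up but carrying nothing.
eroute_idle_gateways() {
    awk '
        $5 == "=>" && $6 ~ /^tun0x/ { split($6, p, "@"); seen[p[2]]++; pkts[p[2]] += $1 }
        END { for (g in seen) if (pkts[g] == 0) print g }' | sort
}

if [ "${1:-}" = "live" ]; then
    ipsec eroute | eroute_summary            # on a real KLIPS box
    ipsec eroute | eroute_idle_gateways
else
    printf '%s\n' "$SAMPLE_EROUTE" | eroute_summary
    printf '%s\n' "$SAMPLE_EROUTE" | eroute_idle_gateways
fi
```

On the constructed sample, `wc -l` reports 6 lines while only 4 are tunnels to 3 gateways; the idle list is the first thing to look at after a restart, since a gateway that stays at zero packets for long after the 2-3 minute rebuild is a tunnel that negotiated but is not passing traffic.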
-
Re:Debian packages now avalible for freeswan
There's a discussion about which type of linux is best for running it here on the mailing list. They like both Debian and SuSe.
That said, it should work well enough on most things-from their site, "Standards Compliant: Openswan conforms to nearly all IPsec + IKE RFCs, and has one of the best interoperability track records of any IPsec implementation. It is compatible with products from Microsoft, Cisco, Nortel, Netscreen, Checkpoint, and many other vendors."
And "Platforms: x86, IA64, PPC, PPC64, MIPS, Alpha, StrongArm"
Openswan should work for just about anyone who isn't satisfied with KAME or Racoon (though it might be hard to set up, see this thread...
The front page summary makes it sound like the company they're starting exists solely for openswan, but it's worth noting Xelerance is producing some other stuff including freeRadius, think about your breathing-you have to manually control your breathing or suffocate, DNSSec, and Asterisk. The changeover will likely mean an increase in the quality of support available for (paying) swan users, since they provide an array of consulting services.
That also gives them an incentive to spread adoption. Unlike FreeS/WAN-one of the problems with FreeS/WAN was that it would not work with low-bit encryption. This was done to promote their political goal. But it also had the side effect of inhibiting adoption at the places where for whatever reason people had to interoperate with low-bit encryption applications or setups. According to their FAQ, "As we see it, it is more important to deliver real security than to comply with a standard which has been subverted into allowing use of inadequate methods." For example, they went out of their way to avoid allowing any handling of single DES.
And if you've got any more questions about openswan, the guy to ask is on slashdot with user id #11! He'll probably be posting in here when it's morning in that part of the world.
Who would win? Flying Shark or Flying Croc?? Croc all the way, fools!
-
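Added example, not code from Openswan, FreeS/WAN or the commenter: the FreeS/WAN stance quoted in the comment above (refuse single DES outright rather than interoperate with it) can be enforced on an Openswan box by a check run before `ipsec setup` loads the configuration. The two ipsec.conf fragments are constructed; the conn syntax (`conn` sections, `ike=` and `esp=` proposal lists of cipher-hash-group, comma separated) follows Openswan's ipsec.conf, but the single-DES token spellings `des` and `1des` that the check looks for are an assumption.

```shell
#!/bin/sh
# Reject an ipsec.conf that proposes single DES, before pluto ever loads it.
# Added example; both configs below are constructed. Token names "des"/"1des"
# for single DES are assumed spellings.

WEAK_CONF='conn branch-office
    left=192.0.2.1
    right=198.51.100.7
    authby=secret
    ike=des-md5-modp768
    esp=des-md5
    auto=start'

FIXED_CONF='conn branch-office
    left=192.0.2.1
    right=198.51.100.7
    authby=secret
    ike=3des-sha1-modp1536,aes128-sha1-modp1536
    esp=3des-sha1,aes128-sha1
    auto=start'

# stdin: ipsec.conf. Prints one line per offending proposal; returns 1 if any
# ike=/esp=/phase2alg= proposal names single DES, 0 otherwise.
check_single_des() {
    awk '
        /^[ \t]*conn[ \t]+/ { conn = $2; next }
        /^[ \t]*(ike|esp|phase2alg)[ \t]*=/ {
            line = $0; gsub(/[ \t]/, "", line)
            split(line, kv, "=")
            n = split(kv[2], props, ",")
            for (i = 1; i <= n; i++) {
                split(props[i], alg, "-")          # first field is the cipher
                a = tolower(alg[1])
                if (a == "des" || a == "1des") {
                    printf "conn %s: %s proposes single DES (%s)\n", conn, kv[1], props[i]
                    bad = 1
                }
            }
        }
        END { if (bad) exit 1; exit 0 }'
}

for name in WEAK_CONF FIXED_CONF; do
    eval "conf=\$$name"
    if printf '%s\n' "$conf" | check_single_des; then
        echo "$name: no single DES, ok to load"
    else
        echo "$name: rejected"
    fi
done
```

The weak conn is rejected on both its IKE and its ESP proposal; the corrected one offers 3DES and AES only, which is what the peers in the interoperability list above all speak, so refusing DES costs nothing except talking to equipment that should have been retired anyway.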
Re:corporation
I've taken my Super FreeS/WAN tree, and formed a company with some other ex-FreeS/WAN folks.
Openswan is the new name of the project; you can already get code from www.openswan.org.
Commercial support + services from us via Xelerance
Ken
-
OpenSwan
Openswan is an Open Source implementation of IPsec for the Linux operating system. It is a code fork of the FreeS/WAN project, started by a few of the developers who were growing frustrated with the politics surrounding the FreeS/WAN project.