Slashdot Mirror
Opportunistic Encryption of IP traffic: FreeS/WAN 2.0
Russ Nelson writes "Since 1996, John Gilmore has
dreamed of an Internet where all traffic between cooperating sites is
encrypted. He has supported the FreeS/WAN project which uses IPSEC to encrypt IP traffic on
an opportunistic encrypting basis. The team has released Linux
FreeS/WAN 2.00, their first release optimized for Opportunistic
Encryption (OE). After installation, ZERO host configuration is
required for OE! A Linux box running 2.00 will encrypt all IP packets
to other OE capable boxes whenever possible, provided you publish a
key and IPsec gateway information in DNS." Nice.
A chain is as strong as its weakest link.
This applies to cryptography as well.
In the Oppertunistic Encryption scenario, DNS is probably the weakest link. Spoof KEY records and you can launch a man-in-the-middle attack.
I was wondering... would this have application for wireless, either between a workgroup bridge (like the Ciso one) or a single pci/pcmcia card and an AP or mesh of APs? Seems like it could be better than WEP, especially if it was just as easy to implement on a small scale non-DNS based solution (hosts file, ssid, hard coded ip range, etc.)
Don't blame me, I voted for Kodos
I think this idea of a "meta-SSL" is a really good one--not only can we encrypt the data stream, but also the headers. Of course, we'd still need to deal with session keys and the problem of "known response" attacks, but assuming we can fix that, this looks really promising.
(And of course, it would be best if we could implment this on the hardware of the routers themselves, rather than rely on the OS...*cough* M$ *cough*).
Q: "Why do sound techs say 'check 1, 2'?"
A: "Cause if they could count any higher they'd be lighting techs."
Anyway, this will never work - there's too many clueless administrators out there who will think it's just someone attacking their core routers or overloading their DNS server, or something else equally inane, and they won't bother to check what the port really is.
But of course it's nice to see this getting more exposure. The problem with IPSEC has always been the hassle of setting it up. Having encryption kick in "automagically", is a good thing to have.
Wonder if I could just tell my email server to only accept encrypted connections from trusted sources to stop spam. This would definately work for seperate corporate mailservers that need to connect to eachother across the internet eliminating the need to maintain them on a private network.
I mean, you install this thing, and you'll have some random connections be encrypted. But it would still be foolish to 'trust' any regular internet connections. This type of technology might give people a false sense of security.
I realize the point is just to get more encrypted data out on the net, but this just seems pointless to me.
autopr0n is like, down and stuff.
Tell those ISPs to go fsck themselves.
IPSec traffic OFTEN looks like "hack" attacks - weird, short packets, protocol 50 and (sometimes 51), streams of UDP 500, etc. Because it's all binary, its more likely to trigger the "shellcode" sort of alerts. An IDS will see the binary stream "F00F" in your payloads and assume you're doing a DoS attack or something. Trust me, I know - I helped build the first version of Guardent'sIDS solution.
I want to delete my account but Slashdot doesn't allow it.
Some time ago a mailing list on a controversial subject was running on my home machine. One of the rules was that no criminal activity could be discussed or facilitated via postings to the list.
As a matter of policy, while that list was running all traffic both on the list and to and from the machine was UNencrypted.
The reasoning:
- Someone unhappy with the subject matter of the list, with being kicked off it for misbehavior, or just mad at the list operators for unrelated reasons, might file a tip with a police agency claiming illegal activity.
- Due to the list's subject matter, the tip might be considered credible.
- If the traffic to the site was UNencrypted, they could obtain a wiretap warrant and examine it offsite (and would prefer to do it this way).
- If any of the traffic to the site was encrypted, they would have to sieze and examine the machine to satisfy their investigation, causing considerable disruption. (And they might also take encrypted traffic as a confirmation of the tip.)
The list administrator says it well: Leave it unencrypted and they get to bore themselves to tears.
The list was retired (and a successor started at another site) before I needed to do encrypted traffic between home and work.
That was quite some time back, and encrypted traffic was uncommon then except for security agencies, a very few businesses, a few experimenters, and a few crooks. At this point encryption is far more common - what with VPN, SSH, and IPSec. And with ready-for-primetime FreeSWAN it will become still more comomn.
But the core of the original risk is still there: If you're using world-class encryption, and the government gets a bee in its bonnet about you doing something undesirable, they'll need to physically search your machine for evidence or keys, or plant an onsite bug such as a keyboard monitor, to find out what you're up to. (Or they'll find it less expensive to do it that way than try to crack your encryption from outside.)
Fortunately, a sudden widespread deployment of encryption can get us "over the hump" - going past the point where it is rare enough that security agencies can target people who use it, to the point where wiretapping is pointless and searches on only suspicion-plus-encryption are too expensive.
That would create an economic incentive to avoid fishing expeditions and mostly search only on credible evidence of wrongdoing (plus an occasional governmental rape of a political enemy or other terrorist action against an outgroup or annoyance-to-cops).
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way