Slashdot Mirror


Linux Crypto Packages Demolished

SiliconEntity writes "Cryptographer and security expert Peter Gutmann has demolished several Linux security software packages in a recent posting to the cryptography mailing list. He says, 'It's possible to create insecure 'security' products just as readily with open-source as with closed-source software. CIPE and vtun must be the OSS community's answer to Microsoft's PPTP implementation. What's even worse is that some of the flaws were pointed out nearly two years ago, but despite the hype about open-source products being quicker with security fixes, some of the protocols still haven't been fixed.'"

10 of 404 comments

  1. CIPE by dnoyeb · · Score: 5, Informative

    When I investigated CIPE for the first time two days ago, I read somewhere on the site that it didn't work yet, or that it provided no security. How can you criticize a package for being insecure when they tell you it is?

    Did I miss something?

    1. Re:CIPE by cmowire · · Score: 5, Informative

      The CIPE FAQ claims that CIPE is "Industry Strength".

  2. So use a Linux IPSEC implementation instead by whoever57 · · Score: 4, Informative
    --
    The real "Libtards" are the Libertarians!
  3. Re:What a great Quote by stinkfoot · · Score: 5, Informative
    It's a reference to an episode of "The Brass Eye" by Chris Morris, brilliant comedian and media hacker. Here's a transcript:

    http://www.glgarden.org/foreverman/brasseye.html

    (If you're impatient, click "page 2" and search for "sound wave".)

  4. Debian to the rescue! (Re:GPG is also a disas...) by Anonymous Coward · · Score: 5, Informative

    Package: libgpgme11
    Description: GPGME - GnuPG Made Easy
    GPGME is a wrapper library which provides a C API to access some of the GnuPG functions, such as encrypt, decrypt, sign, verify, ...

    Can I hump your skull now?

  5. Re:What a great Quote by David+Gerard · · Score: 4, Informative

    Ah, no, it was coined by makali, in a LiveJournal reply to said post.

    --
    http://rocknerd.co.uk
  6. I think I see why these haven't been fixed. by RealAlaskan · · Score: 5, Informative
    From Freshmeat: CIPE
    Rating: 8.35/10.00 (Rank N/A)
    Vitality: 0.01% (Rank 4941)
    Popularity: 2.72% (Rank 1001)

    VTUN
    Rating: 8.55/10.00 (Rank N/A)
    Vitality: 0.02% (Rank 2787)
    Popularity: 2.69% (Rank 1017)

    Neither of these projects is quite dead, but neither is terribly active, either. SourceForge shows one developer for CIPE, for example.

    As an earlier post said, crypto demands skills which aren't generally available, in an unusual combination. Many competent eyes make bugs shallow. Many competent coders make bugfixes quick. It looks as if those packages haven't drawn the competent eyes and coders yet.

    Maybe Mr. Gutmann's post will draw some good folks who are able to do the work to these projects. Or maybe it will inspire the maintainers to simply let them fade away. Either way, we're better off for his efforts.

    A third possibility is that folks will just not care. Gutmann tells us:

    - These programs have been around for years (CIPE goes back to 1996 and vtun to 1998) and (apparently) have quite sizeable user communities without anyone having noticed (or caring, after flaws were pointed out) that they have security problems.

    This kind of thing needs to be fixed or abandoned; bad security is worse than no security.
  7. False by malaba · · Score: 5, Informative

    VTun has been updated in 2002 and 2003. Check their homepage:

    http://vtun.sourceforge.net/

    Maybe only a small update.

  8. Re:Debian to the rescue! (Re:GPG is also a disas.. by tqbf · · Score: 4, Informative
    GPGME is a wrapper library... Can I hump your skull now?

    No, because GPGME is GPL, not LGPL, and all it does is make calls to the (GPL) GPG binary.

  9. Re:Arm chair security experts by Halo- · · Score: 4, Informative

    Peter Gutmann is a serious expert. I write security code for a living (for IBM). Peter Gutmann has written a few seminal papers such as "A Layman's Guide to ASN.1", which is required reading for anyone coming on the team.