Linux Crypto Packages Demolished

SiliconEntity writes "Cryptographer and security expert Peter Gutmann has demolished several Linux security software packages in a recent posting to the cryptography mailing list. He says, 'It's possible to create insecure 'security' products just as readily with open-source as with closed-source software. CIPE and vtun must be the OSS community's answer to Microsoft's PPTP implementation. What's even worse is that some of the flaws were pointed out nearly two years ago, but despite the hype about open-source products being quicker with security fixes, some of the protocols still haven't been fixed.'"

thank you captin obvious

he points to CIPE, a tool which hasent been updated since jun 02 and Vtun since aug. 2001. he says TINC was just as bad but was fixed when users complained. I think the obvious conclusion is that if people use the software and email the person who maintains it, it will get fixed. if the project goes stagnent because the author doesnt maintain it or people dont use it then of corse it will be vunerable after time as more flaws are discovered and not patched.

vtun and ssh

[nilsjuergens]

Vtun is still far from being useless.
Just turn off vtun encryption and use it via a ssh tunnel. That works very well (i use it for securing wifi) and uses a proven protocol.

I also believe this is good practice and should be a widely accepted policy - re-use of good and proven software is not lame - it is crucial for easy, fun and secure software development. There really is no need for re-inventing the wheel.

Now if only ssl were so integrated into the operating system that i could use select() on a ssl-socket created with socket(), and thus making writing of ssl-enabled apps as easy as non-ssl-enabled ones, that would be great!

Re:Well...

[Abcd1234]

Of course it'll have a similar number of holes. After all, there's nothing about OSS that makes the software fundamentally more secure. BUT:

1) These holes are far less likely to be in the base operating system implementation, as the OSS mantra is generally to put as much logic in user-space as possible.

2) These holes won't be covered up and released only after the vendor has decided to let us know about them.

3) These holes will be fixed up very quickly (in general, anyway), in individual patches or point releases, without onerous licenses attached to them, and without fear that the release might break the rest of my operating system.

4) Because OSS products use open standards, if one particular package is simply too insecure, at least I can change to another product and have things interoperate (eg, switching from Sendmail to Qmail/Postfix/MTA-de-jour).

Re:Well then, fix it!

[katre]

Instead of making yourself look so great by "demolishing the security," why not offer the fixes?

If you read the article, his advice is almost every case is "Scrap this, go learn basic crypto, and try again." I don't know crypto at all, but I'm willing to bet that's good advice. And if so, why on earth should he take the job of re-writing CIPE? I think it's great that he's getting the word out that it's insecure. These are the things that should be public knowledge.

Re:GPG is also a disaster and other rants

[stevenj]

Be under a BSD-ish license, so it could be linked in to commercial and non-commercial products. Be a LIBRARY, not a stand-alone executable, so it can be linked into anything at all.

Right, that's why no one has succeeded in making GPG-encryption plugins for Mozilla, Eudora, Evolution, Outlook, and so on.

Those GNU folks are just evil; that's why they would never agree with something like the Vorbis BSD license.

Or it could be that most people don't really understand the need for encryption, are hopelessly confused by key management, and won't use it until it is bundled with their computer and employed by default in their email program.