Docker's LinuxKit Launches Kernel Security Efforts, Including Next-Generation VPN

darthcamaro writes: Back in April, when Docker announced its LinuxKit effort, the primary focus appeared to just be [tools for] building a container-optimized Linux distribution. As it turns out, security is also a core focus -- with LinuxKit now incubating multiple efforts to help boost Linux kernel security. Among those efforts is the Wireguard next generation VPN that could one day replace IPsec. "Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like Signal," said Nathan McCauley, Director of Security at Docker Inc.
According to the article, Docker also has several full-time employees looking at ways to reduce the risk of memory corruption in the kernel, and is also developing a new Linux Security Module with more flexible access control policies for processes.

OpenVPN isn't bad

[Sycraft-fu]

It is fairly easy to set up and supports new protocols. Linux seems to support it reasonably well and its Windows implementation isn't totally retarded.

However really, it is worth your while to invest time and effort in learning IPSec. I know it is a pain in the ass, I've done a ton with it. However it is powerful. The reason it is complex is that it can be used for basically everything. It is a general purpose encryption and authentication method for IP. It is also a mandatory part of the IPv6 spec so going forward it is just going to be a thing that all systems will have.

It also has the benefit of being widely supported. While not a lot talks OpenVPN, nearly everything already talked IPSec.

Re:Oh get double-stuffed!

[Kjella]

Exactly. Signal is as secure as WhatsApp, meaning "who knows"? Signals servers are run by a single corporation. They go on about how "federated messaging" is stuck in the 90s, but that is complete bullshit.

Bullshit. Message transport has nothing to do with security, doesn't matter if you send a PGP message over SMTP (decentralized) or Facebook (centralized) as long as the cryptography is sound. And the clients are open source, the cryptography is vetted and all that. And if you don't want their servers recording any metadata the server code is open source too, with minor modifications you have your own Signal protocol network. Federation is mainly just a messy hybrid of client to server and server to server communication, either go full P2P and deal with all those routing/discovery/web-of-trust/revocation/denial-of-service/spam complications or just run one central server.

The main reason to use it over PGP is that Signal gives you backwards secrecy, the algorithm is constantly upgrading the keys meaning even if you record messages and compromise a device later you can't decrypt anything other than the most recent ones. If you manage to get a private PGP key, you can decrypt every message sent to that key from the dawn of time. It doesn't do 90% of what PGP tries to do, but it does the last 10% much, much better. And most of all, simpler. Most people don't check Signal's MITM protection and doesn't care when they're notified of key changes, but the same people are not likely to use PGP at all. But since a few will check doing bulk surveillance would be discovered, while everyone intentionally or unintentionally in the middle can wiretap plaintext email all day long.