Slashdot Mirror


Docker's LinuxKit Launches Kernel Security Efforts, Including Next-Generation VPN (eweek.com)

darthcamaro writes: Back in April, when Docker announced its LinuxKit effort, the primary focus appeared to just be [tools for] building a container-optimized Linux distribution. As it turns out, security is also a core focus -- with LinuxKit now incubating multiple efforts to help boost Linux kernel security. Among those efforts is the Wireguard next generation VPN that could one day replace IPsec. "Wireguard is a new VPN for Linux using the cryptography that is behind some of the really good secure messaging apps like Signal," said Nathan McCauley, Director of Security at Docker Inc.
According to the article, Docker also has several full-time employees looking at ways to reduce the risk of memory corruption in the kernel, and is also developing a new Linux Security Module with more flexible access control policies for processes.


  1. Linux is behind yet again by Anonymous Coward · Score: 3, Funny

    As usual, Windows is more secure than Linux and doesn't need these upgrades. Everything is half-assed and amateurish with Linux

  2. Linux VPN support sucks by AaronW · Score: 3, Insightful

    Something needs to happen.

    Last night I tried to get pptp to work with our corporate VPN and it failed miserably. I ran Wireshark to figure out what the problem is and the Linux PPP stack just can't handle the options that it was being sent (bug opened on pppd). Next I tried to connect to my home firewall VPN which used to work and again this failed miserably because the Linux PPP stack refused to turn off the async char map negotiation (which isn't used for PPTP).

    I've also struggled to get ipsec in any form to work (no success) nor have I been able to get openvpn to work, requiring all the generation of certs and whatnot. PPTP, despite being quite insecure, at least used to work before the modern PPP brokenness.

    The problem with VPNs is that the solutions are overly complicated with a bazillion different options.

    IPSec + L2TP!?!?! This is insane. PPTP is just plain broken as well.

    I want something as simple as how PPTP used to work but without all the broken security (i.e. MD5 password hashes) and get rid of PPP.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
    1. Re:Linux VPN support sucks by decep · Score: 2

      Linux VPN support is actually very good. You just should not be using PPTP. OpenVPN or some of the other user space type VPNs are great for connecting remote users.

      I agree that L2TP is insane for individual user VPNs, but for site-to-site VPNs, IPSec is the only option you should trust. The problem with a lot of user space VPN solutions, like OpenVPN, is once you have authenticated, it just kind of acts like a router for packets. You have to use secondary controls like a firewall to control access. This is usually fine for allowing access for end users.

      IPSec is the solution you need when you want to create a site-to-site connection with a 3rd party you do not implicitly trust. Every aspect of the VPN must be agreed by both sides of the tunnel before the tunnel can be established. 6 months later if someone tries to change the tunnel parameters on one side without informing the other party, the whole thing stops.

  3. OpenVPN isn't bad by Sycraft-fu · Score: 3, Informative

    It is fairly easy to set up and supports new protocols. Linux seems to support it reasonably well and its Windows implementation isn't totally retarded.

    However really, it is worth your while to invest time and effort in learning IPSec. I know it is a pain in the ass, I've done a ton with it. However it is powerful. The reason it is complex is that it can be used for basically everything. It is a general purpose encryption and authentication method for IP. It is also a mandatory part of the IPv6 spec so going forward it is just going to be a thing that all systems will have.

    It also has the benefit of being widely supported. While not a lot talks OpenVPN, nearly everything already talks IPSec.

  4. Re:Oh get double-stuffed! by Kjella · Score: 5, Informative

    Exactly. Signal is as secure as WhatsApp, meaning "who knows"? Signal's servers are run by a single corporation. They go on about how "federated messaging" is stuck in the 90s, but that is complete bullshit.

    Bullshit. Message transport has nothing to do with security, doesn't matter if you send a PGP message over SMTP (decentralized) or Facebook (centralized) as long as the cryptography is sound. And the clients are open source, the cryptography is vetted and all that. And if you don't want their servers recording any metadata the server code is open source too, with minor modifications you have your own Signal protocol network. Federation is mainly just a messy hybrid of client to server and server to server communication, either go full P2P and deal with all those routing/discovery/web-of-trust/revocation/denial-of-service/spam complications or just run one central server.

    The main reason to use it over PGP is that Signal gives you backwards secrecy, the algorithm is constantly upgrading the keys meaning even if you record messages and compromise a device later you can't decrypt anything other than the most recent ones. If you manage to get a private PGP key, you can decrypt every message sent to that key from the dawn of time. It doesn't do 90% of what PGP tries to do, but it does the last 10% much, much better. And most of all, simpler. Most people don't check Signal's MITM protection and don't care when they're notified of key changes, but the same people are not likely to use PGP at all. But since a few will check, doing bulk surveillance would be discovered, while everyone intentionally or unintentionally in the middle can wiretap plaintext email all day long.

    --
    Live today, because you never know what tomorrow brings
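
The key-ratcheting point in Kjella's comment above, as an added example (not part of the thread and not Signal's code): a hash-chain ratchet compared with one long-lived key over the same recorded traffic. The function names, the sample messages and the toy cipher standing in for a real AEAD are constructed, and Signal's additional Diffie-Hellman ratchet, which also cuts off later messages, is left out.

```python
import hashlib
import hmac

def kdf_step(chain_key):
    """One ratchet step: derive (next_chain_key, message_key) from the chain key."""
    message_key = hmac.new(chain_key, b"\x01", hashlib.sha256).digest()
    next_chain = hmac.new(chain_key, b"\x02", hashlib.sha256).digest()
    return next_chain, message_key

def seal(key, plaintext):
    """Toy encrypt-then-MAC, a stand-in for a real AEAD cipher."""
    stream = hashlib.shake_256(b"enc" + key).digest(len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return hmac.new(key, body, hashlib.sha256).digest() + body

def unseal(key, sealed):
    """Return the plaintext, or None if the key is wrong."""
    tag, body = sealed[:32], sealed[32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    stream = hashlib.shake_256(b"enc" + key).digest(len(body))
    return bytes(c ^ s for c, s in zip(body, stream))

def ratcheted_transcript(root_key, messages):
    """Seal each message under a fresh key; also return the chain key held after each one."""
    chain, wire, states = root_key, [], []
    for msg in messages:
        chain, message_key = kdf_step(chain)  # old chain key and message key are discarded
        wire.append(seal(message_key, msg))
        states.append(chain)
    return wire, states

def readable_from_chain(wire, stolen_chain):
    """Indices of recorded messages that open with keys derived from a stolen chain key."""
    keys, chain = [], stolen_chain
    for _ in wire:  # the HMAC chain can only be walked forward
        chain, message_key = kdf_step(chain)
        keys.append(message_key)
    return [i for i, c in enumerate(wire)
            if any(unseal(k, c) is not None for k in keys)]

def readable_from_static_key(messages, key):
    """Same recording, but every message sealed under one long-lived key (the PGP case)."""
    wire = [seal(key, m) for m in messages]
    return [i for i, c in enumerate(wire) if unseal(key, c) is not None]

MESSAGES = [b"one", b"two", b"three", b"four", b"five"]  # constructed sample traffic
ROOT = bytes(32)                                          # constructed demo secret

if __name__ == "__main__":
    wire, states = ratcheted_transcript(ROOT, MESSAGES)
    print("chain key seized after 3rd message:", readable_from_chain(wire, states[2]))
    print("static key seized:", readable_from_static_key(MESSAGES, ROOT))
```

Indices are zero-based: with the chain key seized after the third message, the first three recorded messages stay sealed, while the static key opens the whole recording.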