Thread: Maemo 5 as a vulnerability / "hacking" victim
View Single Post
fasza2's Avatar
fasza2 is offline fasza2
2011-06-16 , 13:51
Posts: 187 | Thanked: 96 times | Joined on Sep 2010 @ London, UK
#33
Originally Posted by momcilo View Post
I would not go for static key mode, since in this case the same keys are reused on each connection.
You must have misunderstood me on this one, let me call openvpn.net to help explain what I meant:

'Hardening OpenVPN Security

One of the often-repeated maxims of network security is that one should never place so much trust in a single security component that its failure causes a catastrophic security breach. OpenVPN provides several mechanisms to add additional security layers to hedge against such an outcome.
tls-auth

The tls-auth directive adds an additional HMAC signature to all SSL/TLS handshake packets for integrity verification. Any UDP packet not bearing the correct HMAC signature can be dropped without further processing. The tls-auth HMAC signature provides an additional level of security above and beyond that provided by SSL/TLS. It can protect against:

* DoS attacks or port flooding on the OpenVPN UDP port.
* Port scanning to determine which server UDP ports are in a listening state.
* Buffer overflow vulnerabilities in the SSL/TLS implementation.
* SSL/TLS handshake initiations from unauthorized machines (while such handshakes would ultimately fail to authenticate, tls-auth can cut them off at a much earlier point).

Using tls-auth requires that you generate a shared-secret key that is used in addition to the standard RSA certificate/key:

openvpn --genkey --secret ta.key'

To my current understanding this option uses a SHA1 hash of secret ta.key file and the packet data to verify that packet comes from source and that it hasn't been tempered with and places this hash in the packet header. I think it also gets encrypted with the cypher of your choice, but that I can't tell for sure.

Originally Posted by momcilo View Post
It is better to use SSL based mode, SSL itself enforces the generation of shared secret each time. Thus created secure channel is used to exchange the keying material which is used to dynamically generate shared secrets.
That is indeed correct, and I wouldn't have it any other way

Originally Posted by momcilo View Post
Yes you may do that, in addition you can isolate clients within VPN.
Thanks, the latter is done via the client-to-client option

Originally Posted by momcilo View Post
The possible intrusion vector may be the built-in browser. I don't know which version of Gecko is used, but I am pretty sure the there were severe problems with firefox pre-3.6 versions.
That I am also worried about and we are not likely to recive any security updates for MicroB, unless in CSSU. I don't even know wether MicroB is open. It would be a good thing if some of our 'seasoned' members looked into this.

Originally Posted by momcilo View Post
Closed-source Flash might also be interesting for poking around.
Probably the weakest link as there is no way we can apply updates to that.

Please note that I am no way an expert in either networking nor security, I just have a genuine interest in these areas. I just started reading up on both very recently. I have some knowledge of ITC from my past, but I wasn't very interested until I actually joined this community. So that being said any positive criticism is hugely welcome.
 

The Following 2 Users Say Thank You to fasza2 For This Useful Post: