Date: Fri, 27 Nov 2015 10:09:47 -0800
From: Michael Sierchio <kudzu@tenebras.com>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: VPN security breach
Message-ID: <CAHu1Y72StMYSsP2vVdtWBaMf%2B3DS%2BOUs87M8MSnpL_nUg=c8fw@mail.gmail.com>
In-Reply-To: <63A85255-F131-406C-998D-AD9FB3670E4C@elde.net>
References: <20151127104401.7fdfd5fd@Papi> <63A85255-F131-406C-998D-AD9FB3670E4C@elde.net>
On Fri, Nov 27, 2015 at 8:01 AM, Terje Elde <terje@elde.net> wrote:

> In order for it to work, you depend on letting attackers "book" port mappings on the same IP that other customers "dial in" to. "Dial in" and "exit" IPs need to be the same.
>
> That's such a broken concept that any serious service couldn't possibly come up with it. In fact, in order to do that, you more or less have to take extra precautions towards making sure you fail.

There are plenty of commercial VPN (Internet proxy) services, and the conditions described for the leak aren't too hard to create.

The problem is that any VPN server that supports UPnP or any other form of port mapping has already compromised security such that it cannot be taken seriously. Users want these things for convenience, but... no.

- M