From: Michael Sierchio
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Fri, 27 Nov 2015 10:09:47 -0800
Subject: Re: VPN security breach
In-Reply-To: <63A85255-F131-406C-998D-AD9FB3670E4C@elde.net>
References: <20151127104401.7fdfd5fd@Papi> <63A85255-F131-406C-998D-AD9FB3670E4C@elde.net>

On Fri, Nov 27, 2015 at 8:01 AM, Terje Elde wrote:

> In order for it to work, you depend on letting attackers "book" port mappings on the same IP that other customers "dial in" to. "Dial in" and "exit" IPs need to be the same.
>
> That's such a broken concept that any serious service couldn't possibly come up with it. In fact, in order to do that, you more or less have to take extra precautions towards making sure you fail.

There are plenty of commercial VPN (Internet proxy) services, and the conditions described for the leak aren't too hard to create.

The problem is that any VPN server that supports UPnP or any other form of port mapping has already compromised security such that it cannot be taken seriously. Users want these things for convenience, but... no.

- M
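The two conditions Terje lists ("book" a port mapping on the same IP that other customers dial in to; dial-in and exit IP identical) are enough to see why a leak follows. The model below is an added example, not code from the thread or from any VPN provider. It assumes, because the thread does not say so, the usual client-side setup: the VPN client pushes a default route into the tunnel and a /32 host route for the server address via the physical uplink, so that the encrypted tunnel packets themselves do not get routed into the tunnel. All addresses, ports and the booked port mapping are constructed for the example.

```python
"""Toy model of the VPN port-mapping leak discussed in the thread.

Assumption (not stated on the page): the client's VPN software installs a
/32 host route for the server address via the physical uplink (eth0) and a
default route into the tunnel (tun0). Every address and port here is made up.
"""
import ipaddress
from dataclasses import dataclass, field

VPN_PORT = 1194          # assumed tunnel port (OpenVPN-style), UDP
VPN_PROTO = "udp"


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str           # "eth0" = physical uplink, "tun0" = VPN tunnel
    src: str             # source address stamped on packets using this route


def lookup(table, dst):
    """Longest-prefix match, the same decision the kernel FIB makes."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def client_routes(server_ip, real_ip, tunnel_ip):
    """Routing table of a customer whose client did the 'redirect-gateway' dance."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), "tun0", tunnel_ip),
        Route(ipaddress.ip_network(f"{server_ip}/32"), "eth0", real_ip),
    ]


@dataclass(frozen=True)
class VpnService:
    dial_in_ip: str                      # address customers connect the tunnel to
    exit_ip: str                         # address customer traffic and port mappings appear on
    forwards: dict = field(default_factory=dict)   # booked port -> customer holding it


def source_seen_on_forwarded_port(vpn, routes, port, proto="tcp", client_firewall=None):
    """Address the holder of `port` sees when this customer connects to
    vpn.exit_ip:port, or None if the customer's own firewall dropped it."""
    if port not in vpn.forwards:
        raise ValueError(f"port {port} is not mapped on {vpn.exit_ip}")
    route = lookup(routes, vpn.exit_ip)
    if client_firewall and not client_firewall(route.iface, proto, vpn.exit_ip, port):
        return None
    if route.iface == "tun0":
        # Went through the tunnel; the server NATs it to the shared exit
        # address, which identifies the service, not the customer.
        return vpn.exit_ip
    # Matched the /32 host route: left on the uplink with the real address.
    return route.src


def egress_only_to_vpn(vpn):
    """Client-side rule: on the uplink, allow nothing but the tunnel itself."""
    def allow(iface, proto, dst_ip, dst_port):
        if iface != "eth0":
            return True
        return proto == VPN_PROTO and dst_ip == vpn.dial_in_ip and dst_port == VPN_PORT
    return allow


def demo():
    victim_real, victim_tun = "198.51.100.7", "10.8.0.23"
    booked = {40000: "attacker"}         # the attacker "booked" this mapping
    same_ip = VpnService("203.0.113.10", "203.0.113.10", booked)   # Terje's broken case
    split_ip = VpnService("203.0.113.10", "203.0.113.20", booked)  # dial-in and exit differ
    r_same = client_routes(same_ip.dial_in_ip, victim_real, victim_tun)
    r_split = client_routes(split_ip.dial_in_ip, victim_real, victim_tun)
    return {
        "same_ip": source_seen_on_forwarded_port(same_ip, r_same, 40000),
        "split_ip": source_seen_on_forwarded_port(split_ip, r_split, 40000),
        "same_ip_with_egress_filter": source_seen_on_forwarded_port(
            same_ip, r_same, 40000, client_firewall=egress_only_to_vpn(same_ip)),
    }


if __name__ == "__main__":
    for case, seen in demo().items():
        print(f"{case:28s} attacker sees: {seen}")
```

With dial-in and exit on one address, the victim's connection to the attacker's mapped port matches the /32 host route and leaves on the uplink, so the attacker's listener logs the real address. Giving port mappings a different exit address sends the same connection through the tunnel, and a client-side egress filter that permits only the tunnel's own port on the uplink drops it outright; the model returns the shared exit address and None respectively for those two cases.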