Declan, your story on Microsoft's IPSEC security missed the point.
Or rather, buried it in paragraph 8!
==> If you configure the machines to use 3DES, they will silently use DES.
That's the problem.
The Linux IPSEC software only supports 3DES. It does not support DES.
People complain about this periodically. We don't care -- it prevents
this sort of security problem from happening. Microsoft didn't care
about the actual security they provide their users ("Having at least
some encryption is better than nothing" is wrong and dangerous,
leading to a false sense of security when you are actually
vulnerable). The Linux group, freeswan.org, which I lead, has real
security as its top priority. There's no point in going to all the
trouble to configure it, unless it actually delivers what it promises.
If a Microsoft user configures 3DES protection and tries to connect it
a Linux FreeS/WAN box, the negotiation will fail -- with at least the
Linux side reporting that they couldn't agree.
There have been allegations that NSA influenced Microsoft's encryption
support (one reason that NSA could afford to relax export controls
could be that they've already subverted the highest volume US
products). It's pretty well acknowledged that NSA did this to Crypto
AG's hardware products decades ago, and has been reading the traffic
of those who depended on those products. An eavesdropper doesn't need
to break the encryption if they can break the user interface and make
it lie about whether it is really encrypting.
John
