Hi,
On Wed, 07 Mar 2012 09:00:04 +1300, Jason Haar wrote:
Your comments on rogue servers is certainly worth discussing too.
What can a rogue openvpn server push back to a client? Routes
obviously - but
other than screwing the client, is there any new risk?
if you expect the server to be rouge, openvpn client has to be careful
with input data validation - for example when running an ifconfig, you
could try some injection into the run commands. (Or within the up/down
scripts.)
If you don't expect the server to be rouge, SSL on client side would
prevent most attacks.
As far as I can see, push/pull is already limited for security reasons.
Regards,
M. Braun
