>
>>
>> To me it seems like you can of course build a scenario where compression
>> _could_ be a problem somehow, but there are certainly many use cases
>> where it can be considered almost impossible to have your security
>> weakened by compression. I mean, there is also the SSH VPN mode which can
>> be used with compression and I've never heard someone saying it's less
>> secure with compression.
>
> That will also be affected by VORACLE style attacks. But SSH VPN and SSH
> are also by no means safe against these kinds of attacks. They might be
> harder to pull off but the underlying attacks still apply.
>
>> In our case where we connect several subnets via OpenVPN and there goes
>> a lot of different traffic from dozens of hosts in every location, I still
>> fail to understand how our security would be impacted by compression?
>
> The attacks are not that easy to understand. So not to patronise you but
> if you don't understand it, then it might be better to err on the
> safe side?
>
>> In the end my only question is: is it worth removing compression from
>> OpenVPN in the long run, or is this not planned?
>>
>
> Attacks are becoming better and better if there is a vector to attack.
> But Beast/Crime/VORACLE have shown that these attacks are possible, so
> enabling compression by default is no longer safe.

I'm not asking to enable it by default or even compile it by default. I'm
only asking to keep the code in so those who know what they are doing can
enable it as a compile time option or expert mode option or something like
that.

Simon



_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
