Hi Kevin,

On 20/12/16 01:10, Kevin Long wrote:
> I was just browsing the Mastering OpenVPN book and a paragraph jumped out at 
> me which basically said that using OpenVPN on port 443 is a common way people 
> try to duck firewalls.  Indeed, this is what I do.  My clients are all over 
> the place, airports, hotels, different countries etc, and we do seem to have 
> better luck on port 443 tcp than 1194 tcp or udp.
>
> But the book states, as I have coincidentally just learned recently,
> that OpenVPN traffic (even running on TCP) does not really look like normal 
> browser TLS traffic.
>
>
> I saw in the release notes I believe, that the new tls-crypt feature helps 
> prevent metadata about auth certificates from being exposed, as well as 
> blocking deep-packet inspections of the traffic.
>
> Could anyone possibly elaborate on this? Will this in practice help to 
> mitigate OpenVPN blocking on port 443 in cases where normal TLS 443 traffic 
> is permitted?
as author of that part of the book, I feel obliged to respond ;)

the new tls-crypt feature adds some extra hiding of OpenVPN traffic from 
someone snooping the network. It does *NOT*, however, result in OpenVPN 
traffic looking the same as regular TLS/HTTPS traffic. If you scan an 
OpenVPN network connection using tcpdump/wireshark then you can see that 
it's different from a regular HTTPS connection start. Advanced firewalls 
can detect this difference and can/will block OpenVPN traffic based on 
it. Currently, there's little that can be done about this.

> Also, could anyone elaborate on tls-crypt being “poor man’s quantum” 
> protection
>
>
when/if a working quantum computer is available then the current key 
exchange mechanisms such as RSA, DSA and even Elliptic Curves no longer 
offer protection: a quantum computer can supposedly break this key 
exchange within seconds. A quantum computer cannot break encryption 
itself (supposedly), only the initial ephemeral key exchange. With those 
keys, however, encryption can also be broken. By adding something like 
'tls-crypt' we add an extra preshared secret, which a quantum computer 
cannot break so easily, thereby adding what we like to call "poor man's 
quantum protection". Whether it holds in the future (or is even 
effective at all) remains to be seen when quantum computers and quantum 
computer algorithms develop.

HTH,

JJK
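To make the two points above concrete (the control channel payload is hidden behind a pre-shared secret, yet the packet still does not look like HTTPS), here is an added, simplified model of what tls-crypt does to one control-channel packet. This is illustrative code written for this thread, not OpenVPN's implementation: the 64-byte PSK, the session id and the certificate-like payload are constructed; the key split by HMAC labels and the HMAC-SHA256 counter keystream (standing in for AES-256-CTR, which the Python standard library lacks) are assumptions of the model. What is faithful to tls-crypt is the shape: opcode byte in the clear, an HMAC tag over header and plaintext, the tag reused as the encryption IV (SIV-style), a packet id for replay rejection, and the fact that nothing in the packet can be read or forged without the PSK, which no public-key break recovers.

```python
import hashlib
import hmac
import os
import struct

# Constructed pre-shared key standing in for the OpenVPN static key file
# (ta.key); both peers hold the same bytes, distributed out of band.
PSK = hashlib.sha256(b"constructed demo static key, not a real ta.key").digest() * 2

# Opcode byte exactly as OpenVPN frames it: (opcode << 3) | key_id.
# 7 is P_CONTROL_HARD_RESET_CLIENT_V2, so the first byte is 0x38.
P_CONTROL_HARD_RESET_CLIENT_V2 = 7
OPCODE_BYTE = bytes([(P_CONTROL_HARD_RESET_CLIENT_V2 << 3) | 0])

HDR_LEN = 1 + 8 + 32 + 8   # opcode | session_id | tag | packet_id


def derive_keys(psk: bytes):
    """Split the pre-shared secret into an encryption key and a MAC key.
    Assumption of the model: real tls-crypt slices the 2048-bit key file
    directly; labelled HMACs are used here so the demo is self-contained."""
    enc_key = hmac.new(psk, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(psk, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-256-CTR)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(psk: bytes, session_id: bytes, packet_id: int, payload: bytes) -> bytes:
    """Authenticate-then-encrypt one control packet, tls-crypt style.
    Wire layout: opcode(1) | session_id(8) | tag(32) | packet_id(8) | ciphertext.
    The tag covers opcode, session id, packet id and plaintext; its first 16
    bytes are then used as the IV, so identical input yields identical output."""
    enc_key, mac_key = derive_keys(psk)
    pid = struct.pack(">Q", packet_id)
    tag = hmac.new(mac_key, OPCODE_BYTE + session_id + pid + payload, hashlib.sha256).digest()
    ct = xor(payload, keystream(enc_key, tag[:16], len(payload)))
    return OPCODE_BYTE + session_id + tag + pid + ct


def unwrap(psk: bytes, wire: bytes, seen_ids: set):
    """Decrypt and verify; returns the payload, or None for any packet that
    is malformed, replayed, tampered with, or wrapped under a different PSK."""
    enc_key, mac_key = derive_keys(psk)
    if len(wire) < HDR_LEN or wire[0:1] != OPCODE_BYTE:
        return None
    session_id, tag, pid, ct = wire[1:9], wire[9:41], wire[41:49], wire[49:]
    packet_id = struct.unpack(">Q", pid)[0]
    if packet_id in seen_ids:          # replay: same id already accepted
        return None
    payload = xor(ct, keystream(enc_key, tag[:16], len(ct)))
    expected = hmac.new(mac_key, OPCODE_BYTE + session_id + pid + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                    # wrong PSK or modified packet
    seen_ids.add(packet_id)            # only authenticated ids count as seen
    return payload


def demo() -> dict:
    """Run the checks a defender cares about and return them as booleans."""
    session_id = b"\x01" * 8                                   # constructed
    cert_blob = b"-----BEGIN CERTIFICATE----- CN=vpn.example.invalid"  # constructed
    wire = wrap(PSK, session_id, 1, cert_blob)
    seen = set()
    first = unwrap(PSK, wire, seen)
    return {
        "plaintext_hidden": b"CERTIFICATE" not in wire,       # no cert metadata on the wire
        "opcode_visible": wire[0] == 0x38,                    # still fingerprintable as OpenVPN
        "unwrap_ok": first == cert_blob,
        "replay_rejected": unwrap(PSK, wire, seen) is None,
        "wrong_psk_rejected": unwrap(os.urandom(64), wire, set()) is None,
        "tamper_rejected": unwrap(PSK, wire[:-1] + bytes([wire[-1] ^ 1]), set()) is None,
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check:20s} {'ok' if ok else 'FAIL'}")
```

In a real OpenVPN 2.4 deployment the equivalent is `openvpn --genkey --secret ta.key` once, then `tls-crypt ta.key` in both the server and client configuration in place of `tls-auth ta.key <direction>`; tls-auth only authenticates the control channel, tls-crypt also encrypts it. The `opcode_visible` check is the part of the demo that matters for the port 443 question: even with everything else hidden, the framing byte is not a TLS record header, which is what the firewalls described above key on.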

_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
