Hi I subscribe to a commercial VPN service.
My operating system is Ubuntu and I use OpenVPN 2.4.6 (community edition). I asked the staff of the VPN service why they had enabled comp-lzo for all their servers. Below is their reply that I quote verbatim: [Quote] But you should not worry too much about the VORACLE attack since much more than a compressed VPN is needed to exploit this: 1) The attacker needs to be on the same network as the victim. This means the vulnerability cannot be exploited from the Internet without additional exploits/attacks. 2) It only works with HTTP sites - almost all critical websites now enforce HTTPS where the VORACLE attack does not work. 3) The attacker needs to trick the victim to visit a website that is under his control. If the attacker is able to do that, he has a myriad of possibilities to try to exploit the victim, VORACLE certainly isn't the one users should worry about here. 4) If you are using Chrome, you are not affected by this vulnerability. For these reasons we have decided not to jump to drastic measuers and deactivate compression for everyone since it gives various advantages (like less needed bandwidth effectively resulting in faster speeds). [/Quote] Based on their above four statements, how accurate are the staff's assessments of the VORACLE attack? I appreciate your input and clarifications. Regards. Javier _______________________________________________ Openvpn-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-users
