Hi Javier, At one of the meetings with developpers this issue was also raised... View was, that the vpn is not the proper place (and TIME) to do data-compression. Reasoning? Most traffic through the vpn, is often ssh, https, ica, and those are encrypted by themselves, so trying to compress encrypted data is counter-productive. It might do something (is it even measurable?) with old-fashioned telnet or http, but how much, probably not that much to bear the costs (cpu-clycles & latency)
Hans -----Original Message----- From: Javier Santos [mailto:[email protected]] Sent: zondag 4 november 2018 18:06 To: [email protected] Subject: [Openvpn-users] VORACLE attack can only take place when three conditions are met? I asked the staff of the VPN service why they had enabled comp-lzo for all their servers. Below is their reply that I quote verbatim: [Quote] But you should not worry too much about the VORACLE attack since much more than a compressed VPN is needed to exploit this: 1) The attacker needs to be on the same network as the victim. This means the vulnerability cannot be exploited from the Internet without additional exploits/attacks. 2) It only works with HTTP sites - almost all critical websites now enforce HTTPS where the VORACLE attack does not work. 3) The attacker needs to trick the victim to visit a website that is under his control. If the attacker is able to do that, he has a myriad of possibilities to try to exploit the victim, VORACLE certainly isn't the one users should worry about here. 4) If you are using Chrome, you are not affected by this vulnerability. For these reasons we have decided not to jump to drastic measuers and deactivate compression for everyone since it gives various advantages (like less needed bandwidth effectively resulting in faster speeds). [/Quote] Based on their above four statements, how accurate are the staff's assessments of the VORACLE attack? I appreciate your input and clarifications. _______________________________________________ Openvpn-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-users Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het elektronisch verzenden van berichten. This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages. _______________________________________________ Openvpn-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openvpn-users
