On 9-4-2014 10:49, Илья Шипицин wrote:
> I did not say "nobind protects from everything", but I did mean that
> clients with "nobind" are more protected in the case of an unpatched
> OpenSSL library shipped with the (old) OpenVPN Windows installer.
>
>
> If the server is patched (which is a rather easy thing compared to
> hundreds of Windows users), nobody can steal the server SSL cert, and
> sniffing traffic is useless in that case. A MITM-type attack is also
> useless when you have no server cert. The only thing you can attack is
> the client, and if he uses "nobind", it looks rather good.
>
> 2014-04-09 14:44 GMT+06:00 Arne Schwabe <a...@rfc2549.org>:
>> On 09.04.14 10:32, Илья Шипицин wrote:
>>> I used to think that client without "nobind" option binds to 1194/udp
>>> (we encountered that issue with multiple openvpn connections on the
>>> same machine), so, "nobind" tells openvpn instance not to bind to
>>> udp/1194, and so, only openvpn server can exploit heartbleed
>>> vulnerability, but not any attacker.
>>>
>> Yes the server can attack you. Or any man in the middle attack including
>> ARP spoofing/DNS spoofing etc.
>>
>> If you see nobind as protection, basically you don't need a VPN.
>>
>> Arne
>>
I don't see the difference between nobind and bind. As soon as you
connect to the server, a MITM attack or an attack by the server is
possible.

Adriaan
