2017-07-31 16:19 GMT+05:00 Yevgeny Kosarzhevsky <phao...@gmail.com>:

> For some reasons I don't need a secure connection; it's enough that the
> connection isn't plain text.
> As I understand, --cipher none does not imply --no-iv on one hand, and the
> default cipher with --no-iv and --auth none gives a non-plaintext connection
> and reduces packet size, which is ok for my needs.
> This is the reason I am asking why --no-iv gets deprecated while no other
> option gives this functionality.
>
>
As far as I understand, you can still specify "--no-iv"; the fact that it is
deprecated only means some warning, which is not fatal.


> On 31 July 2017 at 17:56, Steffan Karger <stef...@karger.me> wrote:
>
>> Hi,
>>
>> On 31 July 2017 at 11:00, Yevgeny Kosarzhevsky <phao...@gmail.com> wrote:
>> > On 31 July 2017 at 15:49, Gert Doering <g...@greenie.muc.de> wrote:
>> >>
>> >> Using crypto with --no-iv is only marginally better than using
>> >> "--cipher none"
>> >> - so, if you want no encryption, make it explicit with "cipher none",
>> >> instead of pretending to have strong crypto which it isn't.
>> >>
>> >> Why are you using --no-iv?
>> >
>> > I use it to reduce packet size on tunnels with the --secret option together
>> > with --auth none.
>> > I am aware of the fact that this is a less secure option; however, I believe
>> > it still provides encryption and is safe enough unless the key is revealed
>> > to a 3rd party.
>> > Please correct me if I am mistaken.
>>
>> You are mistaken.  CBC requires an unpredictable IV, so --no-iv breaks
>> the CBC security.  Using --auth none is plainly insecure against any
>> man-in-the-middle attacker.  Don't use either of those if you want a
>> secure connection.
>>
>> If you want to understand why, I can recommend
>> https://www.coursera.org/learn/crypto.
>>
>> -Steffan
>>
>
>
>
> --
> Regards,
> Yevgeny
>
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
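
Steffan's point that CBC needs an unpredictable IV, shown as an added example that is not part of the original thread or of OpenVPN's code. Assumptions: the missing IV is modelled as a fixed all-zero IV, a small Feistel construction stands in for the real block cipher, the key and packets are constructed, and OpenVPN's actual packet format is not modelled.

```python
import hashlib
import os

BLOCK = 16  # bytes, same block size as AES

def _feistel_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 128-bit block cipher (4-round Feistel over SHA-256); NOT AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hashlib.sha256(key + bytes([rnd]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC encryption with PKCS#7 padding; the IV is not prepended to the output."""
    pad = BLOCK - len(plaintext) % BLOCK
    data = plaintext + bytes([pad]) * pad
    prev, out = iv, b""
    for i in range(0, len(data), BLOCK):
        block = bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev))
        prev = _feistel_encrypt(key, block)
        out += prev
    return out

def shared_prefix_blocks(c1: bytes, c2: bytes) -> int:
    """Count identical leading ciphertext blocks, as a passive observer could."""
    n = 0
    for i in range(0, min(len(c1), len(c2)), BLOCK):
        if c1[i:i + BLOCK] != c2[i:i + BLOCK]:
            break
        n += 1
    return n

KEY = bytes(range(32))            # constructed static key, standing in for a --secret key
ZERO_IV = bytes(BLOCK)            # assumption: "no IV" behaves like a fixed all-zero IV

# Constructed sample packets: same 32-byte header, different payload.
PKT_A = b"HDR:10.8.0.1->10.8.0.2 proto=tcp" + b"payload one"
PKT_B = b"HDR:10.8.0.1->10.8.0.2 proto=tcp" + b"payload two"

def compare(random_iv: bool) -> int:
    iv_a = os.urandom(BLOCK) if random_iv else ZERO_IV
    iv_b = os.urandom(BLOCK) if random_iv else ZERO_IV
    return shared_prefix_blocks(cbc_encrypt(KEY, iv_a, PKT_A), cbc_encrypt(KEY, iv_b, PKT_B))

if __name__ == "__main__":
    print("fixed IV, identical leading blocks: ", compare(random_iv=False))
    print("random IV, identical leading blocks:", compare(random_iv=True))
```

With the fixed IV the two constructed packets share their first two ciphertext blocks, so an observer learns that they begin with the same 32 bytes without knowing the key; with a fresh random IV per packet no blocks match.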
