Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
----- Forwarded message from Giles Coochey <giles@coochey.net> -----

Date: Thu, 10 Oct 2013 14:50:41 +0100
From: Giles Coochey <giles@coochey.net>
To: list@lists.pfsense.org
Subject: Re: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted?
Message-ID: <5256B0B1.2050501@coochey.net>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
Reply-To: pfSense support and discussion <list@lists.pfsense.org>

Trying to get this back on-topic, I will change the subject however, to alleviate the issues the anti-tin-foil-hat-brigade have. (ps I am also top-posting on purpose as I believe the conversation below has near to no relevance to my questions, but simply is an argument as to whether these questions should be asked, to which I believe in the affirmative).

I have various questions to offer for discussion which have been bothering me since various security related issues that have appeared in the media recently: (see: https://www.schneier.com/crypto-gram-1309.html)

Clearly, at the moment, open source security tools ought to have an advantage over closed-source tools. However, peer review of open-source code is not always complete, and there have been questions whether even algorithms have been subverted.

1. The random number generator - As pfSense uses FreeBSD this may well be a FreeBSD specific question, however, are there any ways within pfsense that we can improve the entropy pool that the random number gets its randomness from? Has anyone had any experience of implementing an external entropy source (e.g. http://www.entropykey.co.uk/) in pfsense?

2. Cipher Selection - we're not all cryptanalysts, so statements like 'trust the math' don't always mean much to us, given the reports in the media, what is considered a safe cypher? I recently switched from AES-256 to Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2 to pfs group 5, and I reduced my SA lifetimes from 28800 to 1800. Could that be considered overkill? What Ciphers are others using? Have any of you, who have been made recently aware of the media coverage recently, also changed your cipher selection? What kind of changes did you make?

3. pfSense - In general do you consider pfsense secure?? As we are apparently told, asking whether the NSA has inserted or influenced the code in any way either in the pfsense code, or the upstream base (FreeBSD) is a question that we can't ask, as if it were the case then the NSA would have instructed someone in the know, to answer in the no.

On 10/10/2013 12:33, Rüdiger G. Biernat wrote:
This discussion about security/NSA/encryption IS important. Please go on.
Sent from Samsung Mobile
-------- Original message --------
From: Giles Coochey
Date: 10.10.2013 11:39 (GMT+01:00)
To: list@lists.pfsense.org
Subject: Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others?
On 10/10/2013 09:38, Thinker Rix wrote:
On 2013-10-10 01:13, Przemysław Pawełczyk wrote:
On Thu, 10 Oct 2013 00:05:22 +0300 Thinker Rix <thinkerix@rocketmail.com> wrote:
Well, actually I started this thread with a pretty frank, straight-forward and very simple question.
That's right and they were justified.
Thank you!
BTW, you pushed to the corner the (un)famous American hubris (Obama: US is exceptional.), that's the nasty answers from some.
Yes, I guess I have hit a whole bunch of different nerves with my question, and I find it to be highly interesting to observe some of the awkward reactions, socioscientifically and psychologically.
I have been insulted, I have been bullied, I have been called to self-censor myself and at the end some users "virtually joined" to give the illusion of a majority and muzzle me, stating, that my question has no place at this pfSense mailing list. Really amazing, partly hilarious reactions, I think. These reactions say so much about how far the whole surveillance and mind-suppression has proceeded already and how much it has influenced the thoughts and behavior of formerly free people by now. Frightening.
Thinker Rix, you are not alone at your unease pressing you to ask those questions about pfSense and NSA.
Thank you for showing your support openly!
I too was surprised to see some activity on the pfsense list, after seeing only a few posts per week I checked today to find several dozen messages talking about a topic I have been concerned with myself - as a network security specialist, how much can I trust the firewalls I use, be they embedded devices, software packages, or 'hardware' from manufacturers. There are many on-topic things to discuss here:
1. Which Ciphers & Transforms should we now consider secure (pfsense provides quite a few cipher choices over some other off the shelf hardware).
2. What hardware / software & configuration changes can we consider to improve RNG and ensure that should we increase the bit size of our encryption, reduce lifetimes of our SAs that we can still ensure we have enough entropy in the RNG on a device that is typically starved of traditional entropy sources.
This is so much on-topic, I am surprised that there has been a movement to call this thread to stop, granted - it may seem that the conversation may drift into a political one, with regard to privacy law etc... however, that is a valid sub-topic for a discussion list that addresses devices that are designed and implemented to safe-guard privacy.
--
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles@coochey.net
_______________________________________________ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
--
Regards,
Giles Coochey, CCNP, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 8444 780677
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
giles@coochey.net

----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
On 2013-10-11 00:39, Eugen Leitl wrote:
----- Forwarded message from Giles Coochey <giles@coochey.net> -----
2. Cipher Selection - we're not all cryptanalysts, so statements like 'trust the math' don't always mean much to us, given the reports in the media, what is considered a safe cypher? I recently switched from AES-256 to Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2 to pfs group 5, and I reduced my SA lifetimes from 28800 to 1800. Could that be considered overkill? What Ciphers are others using? Have any of you, who have been made recently aware of the media coverage recently, also changed your cipher selection? What kind of changes did you make?
Overkill is a rational and appropriate response to recent revelations. NIST is actually out to get you, so you might as well put on a tinfoil hat to be on the safe side. Yes, there really is a gigantic government conspiracy, no kidding.

While I am pretty sure AES and SHA 256 are perfectly safe, in view of recent events, I would follow the lead of the highly competent cryptographer Jon Callas, http://www.mail-archive.com/infowarrior@attrition.org/msg10926.html and use non-NIST algorithms: Use Twofish in place of AES if convenient to do so, and Skein hash in place of SHA hash.
participants (2)
- Eugen Leitl
- James A. Donald