Jump to content
Not connected, Your IP: 3.236.98.81
Casper31

Wireguard + post-quantum cryptography

Recommended Posts

Guest

With due respect to all tech savvy folks in our forum, I have few comments. I subscribe to IVPN in addition to Air. Recently, IVPN started providing wireguard servers (10 servers) in multiple platforms (Windows not yet available). To my knowledge, they are providing this option after Mullvad and Azirevpn. I have also seen that vpn.ac and Torguard are planning to bring some wireguard servers, but the timeline is not known. IVPN clearly indicated "WireGuard is a new VPN protocol that promises better security and faster speeds compared to existing solutions like OpenVPN or IPSec.Please be aware that this protocol is still in development and we only recommend using it for testing purposes and in situations where security is not critical."

 

Well, now we have a list of VPN's of whom never to trust, and I'd consider them compromised for daring to deploy software that has not had the scrutiny OpenVPN has over the last 20 years. Sure, WG is less LoC, but really, who cares? What we care about first and foremost is how secure the software is.

 

It's a matter of who you trust: Staff have outlined a number of points about the weaknesses in the protocol and how it's basically not ready for deployment, yet certain providers do it anyway? If that's how they operate their business (deploy shiny new thing without due care) then maybe it's worth reconsidering just how seriously they take your security.

 

I'd cancel Air if they dared deploy Wireguard for many years before it's actually ready and fully tested. The other big name provider (PIA) has also not deployed Wireguard, which is the only and correct course of action.

 

This thread should be locked, the discussion is meaningless; Wireguard isn't touching Air for a long time to come.

Share this post


Link to post
Guest

 

Please read this

 

Whilst Wireguard itself may be around 4000 LoC, it still adds a bunch of crypto which will need a thorougher indepth review. You seem to be another simpleton whose jumped on the "omg Torvalds finds it fantastic we must deploy it today" bandwagon. He may *like* the code, but there's much more to it than that.

 

In comparison, OpenVPN has 100k lines + 500k lines of OpenSSL, or StrongSwan, which is 400k lines + XFRM (IPSec) at 13k lines. Even with the crypto code attached it's still tiny. OpenVPN is overwhelmingly complex, with large attack surfaces, using mostly cryptographic designs from the 90's. I do hope the 'simpleton' comment made you feel better, though. I'm sure you need it.

 

So let's get this right. You'd rather trust something unproven, untested, without any real world use cases to speak of against something that's been developed over the last 20 years? Without the little bug fixes here and there, or the casual security issue that gets patched over time?

 

Who's to say what starts as 4k/20k LoC won't spiral into 100k also within the next 20 years? As if that's a metric we can actually use to judge how secure something is. I'm guessing there must be a fixed Integer where a single LoC over makes it 'insecure' by default.

 

OpenVPN is trusted, proven technology. You claim it has a 'large attack surface' but you haven't substantiated those claims.

 

18 years later and this blog post still holds true today, I suggest reading it and understanding newer isn't always better.

 

"When you throw away code and start from scratch, you are throwing away all that knowledge. All those collected bug fixes. Years of programming work." - Someone actually sensible, circa 2000.

Share this post


Link to post

I'm not a tech user, but search in trying to understand. I read, and wished I copied the URL's, on various blogs that:

- wireguard lists IP addresses of users on the server in the clear while connected, one of the current providers claimed to have asked Jason to code soft to counter that apparently.

- wireguard needs logs on the server linking IP to user credentials, permanently, for it to work. Err, how you do no longs on that? This could be solved by client software registering credentials anew every time a connection establishes, and allow for this to only be of temporary nature (while the connection lasts) But, that requires a client soft and adaptation to the server, so I read.

- wireguard does not allow any random server selection, credentials are server specific.

 

Credentials could be the same for all servers, imagine service providers like avpn assigning some 15000 IP addresses, one to each individual user, and then telling each of their servers IP X is user Y. Alternatively pre-allocate 15000 ip's each on 90 servers, do the match ... and do it dynamically between soft and server while the thing originally is not programmed to do that ...

 

No thanks.

 

I did try wireguard, and have to say on low level routers where openvpn gives lousy performance wireguard maxed out the connection speed and improved the connection stability, even when compared to no tunnel. That makes it very alluring, the rest is stay away from it.


_____________________________________

A moat does not protect against pigeons!

Share this post


Link to post
Guest
This topic is now closed to further replies.

×
×
  • Create New...