Good progress by @trailofbits on resolving the MITM threat model gap in algo VPN. http://bit.ly/2iuRPNb
-
-
Replying to @evahlis
I think you're misreading, that issue has to do with a server being compromised and its keys being stolen. You're f'd either way.
2 replies 0 retweets 0 likes -
Replying to @dguido
then if the server private key is compromised you're screwed. Never storing the private key seems promising
1 reply 0 retweets 0 likes -
Replying to @evahlis
Compromising the server private key requires compromising the entire server. Even if you protect the key, you're still fucked.
1 reply 0 retweets 0 likes -
Replying to @dguido
does the server use the private key? If it does then i get it
1 reply 0 retweets 0 likes -
Replying to @evahlis
It's only needed to gen certs for new users. Today: if you don't use that feature, then it'll never be decrypted and exposed.
2 replies 0 retweets 0 likes -
Replying to @dguido
that's what I thought re being used for user creation. I'd say having a compromised root CA is worse than someone controlling VPS
1 reply 0 retweets 0 likes -
bad CA means non-pinned certs can now be faked. Arguably you shouldn't trust your VPS too much anyway since 3rd party controls it
1 reply 0 retweets 0 likes -
Replying to @evahlis
But you do trust your VPS, it serves all your traffic through the VPN. It's an easy hop from VPS to Desktop RCE even w/o HTTPS.
2 replies 0 retweets 0 likes
Either way, this issue was resolved for most people with a pw-protected CA key back in mid-Dec. Further enhancements soon.
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.