Comments

Etienne September 30, 2021 2:17 PM

What the world needs is an IPv6 only VPN for the unwashed.

My IPv4 connection is saturated by probes and scans, while my IPv6 network is as quiet as a mouse.

I’m thinking of suing the ISP because I shouldn’t have to pay for this bandwidth consumption.

So:

Public network IPv4 should be declared a weapon of mass destruction (WMD), and banned by the world courts, and the UN.

bobbrucet September 30, 2021 3:23 PM

…what the great mass of unwashed folks needs is a reliable advisory agency that carefully evaluates available VPNs and then states which ones meet these government ‘hardening’ specifications. (kinda like the “Consumer Reports” approach)

This VPN stuff gets very technical and beyond the practical comprehension of most PC users.
Even professional Network Administrators likely struggle to keep current on everything.

anonymous mouse September 30, 2021 4:24 PM

@Etienne

When the world switches completely over to IPv6, you will be oversaturated with scans over IPv6 then.

Everything boils down to usage percentage. Years and years ago MacOS users bragged that they didn’t have any viruses and malware. Now that the user base is far higher, you see what the result is? They are not bragging any more. They are quiet and don’t laugh at Windows users any more.

Same thing goes with your precious IPv6.

Lyin Kebs September 30, 2021 4:32 PM

Document suggests avoiding sketchy SSL VPN hackery. It also suggests “Top hardening recommendations include using tested and validated VPN products on the National Information Assurance Partnership (NIAP) Product Compliant List”.

But despite that, AnyConnect and FortiGate are on the Product Compliant List. Amazing

Huh September 30, 2021 6:58 PM

Why is my knee-jerk reaction that if the NSA is for it I’m against it? It makes me never want to use a VPN again (not that I normally use one).

JonKnowsNothing September 30, 2021 9:43 PM

@Huh

re: It makes me never want to use ….

As in many of the topics on this blog, if you are not 100% in-the-know and are relying on Marketing-Slime or other Assertions of Security and Privacy, you may be best served by not using those products.

Knowing that nearly every aspect of what “end users” expect in the way of security, privacy and data usage is not even close to what’s really happening down the bit-tracks may be the best defense you are going to get anytime soon.

The last Chancellor of Germany (since 2005 until recently), Angela Merkel had a spat with the NSA-types about them hacking her “handy” (local lingo for smartphone) when she was chatting with her Mum.

It’s not safe out there…. for a lot of reasons… some less safe than others…

Drive-by September 30, 2021 9:47 PM

Frustrating that the NSA suggestions ignore the last 5 years or so of VPN advances. Neither wireguard nor Chacha / Poly are recommended according to these recommendations.

Weather September 30, 2021 11:54 PM

@Drive-by
ChaCha is recommended, but they are still working on that by the sound of things.
Remember it’s just one network to another, and the other is the whole inet.
No new update.

MrC October 1, 2021 1:42 AM

Agreed with Drive-by that the omission of WireGuard is odd/disappointing. Compared to the rest of the VPN space, it’s very nearly the perfect specimen. One can really only legitimately criticize it on two points: (1) ECDH isn’t post-quantum. (2) The lack of “second-best, backup primitives” means that the whole thing breaks and stays broken a long time if one of the crypto primitives ever breaks.

A cynical read of the recommendation makes me wonder:
(1) Is IPSEC being recommended because implementations are huge and complex as hell, creating lots of room for exploitable bugs to creep in, some of which the NSA has already weaponized?
(2) Isn’t the recommendation against self-signed server certificates equivalent to asking VPN operators to trust some third-party CA’s root certificate, with the accompanying risk of getting MitM’ed if someone (NSA) can suborn that CA?

SpaceLifeForm October 1, 2021 1:46 AM

Stones and Glass Houses

CNSS is the Committee on National Security Systems.

See what your browser tells you about

hxtps://www.cnss.gov/

hxtps://www.ssllabs.com/ssltest/analyze.html?d=www.cnss.gov

Maybe there are other things the US Government should be concerned about besides VPN implementations.

Peter A. October 1, 2021 5:12 AM

@Etienne: in my corner of the woods it’s the other way round – the IPv6 counters show more than twice as many packets as IPv4, even if I use IPv4 almost exclusively for actually useful stuff. Lots of spurious RAs and other useless packets that only get dropped by my system. Probably just the ISP’s incompetence.

Petre Peter October 1, 2021 6:53 AM

Not sure how trustworthy this is. Maybe if it was released by Snowden or OWASP. At least they left out the bad guy with a hoodie typing at a keyboard.

NombreNoImportane' October 1, 2021 7:20 AM

@Drive-by and @MrC: It’s almost like this was written pre-Snowden, put on a shelf, until that whole thing cooled off, and now submitted.

Clive Robinson October 1, 2021 8:13 AM

@ NombreNoImportane’,

Pref to IPSEC vs TLS based VPNs… Sure… I think NOT.

IPSEC, something that even SWAN could not save.

For those that do not remember IPSEC was and still is an unmitigated security disaster.

In theory if you knew everything about IPSEC you could make it secure… but most could not get their head around it. So they ended up using “manufacturer specific” or other “canned recipes” with all the problems that created (blind following the blind etc).

Then stories started that IPSEC was the way it was to make it extremely fragile and that the NSA had been behind it.

It was not long after that, a story arose that the OpenBSD IPv6 network code had been got at by the NSA through the FBI.

It started back at the end of 2010 when a letter from Gregory Perry was received by OpenBSD lead developer Theo de Raadt, who made it public. It contained certain allegations that the FBI had backdoored the OpenBSD network stack, and others quickly pointed out that the FBI did not have the technical chops, so it must be the NSA using the FBI as the tools many thought them to be.

This was pre-Snowden so most people believed what was said in the way of denials. Although there have been several suggestions as to what could have been done –Logjam for instance– as far as I am aware no actual evidence has been found to support Gregory Perry’s claims. Likewise, however, I’m unaware of any evidence that shows them to be false.

Since then there have been ways shown to attack the IPSEC and SSL protocols by using various pre-computation attacks.

So “Pays your money, makes your choice”.

Mine is to use a very very very long pole with all overly complex network security especially VPN’s.

Simply because there are better and more secure ways to do specific things, that I’ve mentioned before.

Whilst I can not prove it, my gut has always told me that the sheer impossibility of the IPv6 add-ons like IPSEC has caused people to avoid IPv6 as just too much trouble to be worth it…

Which kind of brings us to,

It’s almost like this was written pre-Snowden, put on a shelf, until that whole thing cooled off

Let’s just say some of it reads that way, and also it would not be an unreasonable assumption given what went on back in 2010, and what we now know about other areas the NSA has been caught with its fingers in the proverbial…

Clive Robinson October 1, 2021 3:14 PM

@ Unwashed,

As one of the “unwashed”, can I even trust anything NSA says?

Well the CIA motto is supposedly,

“In God We Trust”

With the unofficial rider of,

“All others we polygraph”

So I’d return the favour by applying the same methodology in reverse.

A Nonny Bunny October 2, 2021 2:00 PM

@anonymous mouse

When the world switches completely over to IPv6, you will be oversaturated with scans over IPv6 then.

Isn’t IPv6’s range impractically large to scan?

Random Commenter October 2, 2021 3:38 PM

If the NSA are suggesting it, one can only take from that they have broken it and it is in fact insecure.

Why everyone would start to trust the NSA again after what we know, and also knowing that their remit has not changed at all, totally baffles my simple mind.

Denton Scratch October 3, 2021 5:12 AM

@anonymous mouse:

When the world switches completely over to IPv6, you will be oversaturated with scans over IPv6 then.

Good luck saturating the IPv6 address-space with scans and probes.

IPSEC: I can see that IPSEC provides well-understood (by security experts!) mechanisms for constructing a VPN. I don’t really understand the objection to tunneling over TLS; but I haven’t studied it or thought about it. But isn’t IPSEC widely scorned for being overweight and over-complicated?
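
The back-and-forth above (anonymous mouse, A Nonny Bunny, Denton Scratch) about whether IPv6 can be scanned is worth making concrete. The following is an added example, not code from the thread or from the NSA guidance: it computes the cost of brute-force probing a prefix at a fixed rate, and then shows the structured target-generation heuristics from RFC 7707 (low-byte addresses, EUI-64 addresses for a known vendor OUI) that scanners use instead of brute force. The probe rate, the documentation prefix 2001:db8::/32, the MAC address and the OUI are all constructed values for illustration.

```python
"""Added example (not from the original thread): brute-force scan cost for an
IPv6 prefix, next to the RFC 7707 target-generation heuristics that make a
/64 reachable without enumerating all 2^64 addresses.

Constructed for illustration: the probe rate, the documentation prefix
2001:db8::/32 (RFC 3849), the sample MAC and the vendor OUI 00:1a:2b.
"""
from ipaddress import IPv6Address, IPv6Network

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_seconds(prefix_len: int, probes_per_second: float, v6: bool = True) -> float:
    """Seconds needed to send one probe to every address under a prefix."""
    total_bits = 128 if v6 else 32
    if not 0 <= prefix_len <= total_bits:
        raise ValueError("prefix length out of range")
    return 2 ** (total_bits - prefix_len) / probes_per_second


def brute_force_years(prefix_len: int, probes_per_second: float, v6: bool = True) -> float:
    """Same as brute_force_seconds, expressed in years."""
    return brute_force_seconds(prefix_len, probes_per_second, v6) / SECONDS_PER_YEAR


def eui64_address(prefix: str, mac: str) -> str:
    """SLAAC address for `mac` inside a /64, per RFC 4291 Appendix A:
    split the MAC in half, insert ff:fe, flip the universal/local bit."""
    net = IPv6Network(prefix)
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6 or net.prefixlen != 64:
        raise ValueError("need a 6-octet MAC and a /64 prefix")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # universal/local bit inverted in the interface identifier
    return str(IPv6Address(int(net.network_address) | int.from_bytes(iid, "big")))


def structured_candidates(prefix: str, low_byte_max: int = 16,
                          oui: str = "00:1a:2b", nic_ids=range(16)) -> list:
    """Two RFC 7707 heuristics for guessing live hosts in a /64:
    - low-byte addresses (prefix::1, ::2, ...) typical of hand-configured hosts
    - EUI-64 addresses for one vendor OUI, sweeping the NIC-specific 24 bits
      (here only over `nic_ids`; a real scanner sweeps all 2^24 per OUI)
    Returns a deduplicated list of address strings in deterministic order."""
    net = IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("heuristics assume a /64")
    base = int(net.network_address)
    cands = [str(IPv6Address(base + i)) for i in range(1, low_byte_max + 1)]
    for nic in nic_ids:
        mac = f"{oui}:{(nic >> 16) & 0xff:02x}:{(nic >> 8) & 0xff:02x}:{nic & 0xff:02x}"
        cands.append(eui64_address(prefix, mac))
    return list(dict.fromkeys(cands))


if __name__ == "__main__":
    rate = 1_000_000  # constructed: one million probes per second
    print(f"IPv4, whole space at {rate:,} pps: "
          f"{brute_force_seconds(0, rate, v6=False) / 3600:.2f} hours")
    print(f"IPv6, one /64 at {rate:,} pps: {brute_force_years(64, rate):,.0f} years")
    cands = structured_candidates("2001:db8:1:2::/64")
    print(f"{len(cands)} structured candidates, e.g. {cands[0]} and {cands[-1]}")
```

At one million probes per second the whole IPv4 space takes a little over an hour while a single IPv6 /64 takes on the order of half a million years, which is the point A Nonny Bunny and Denton Scratch make. The second half shows the caveat: the defender's host is still findable if it uses a predictable address, which is why RFC 7217 stable-privacy identifiers or RFC 4941 temporary addresses, rather than EUI-64 or ::1, are the relevant hardening choice.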

Winston Smith October 3, 2021 8:03 PM

Here is a link to what was once a reasonable review and list of VPN services:

https://github.com/BitWrecker/Archived-VPN-Comparison-Spreadsheet

Apparently, the single individual who maintained it has since sold out to a “review factory” that populates pseudo-content with affiliate links, never to be trusted, of course.

Mullvad VPN service tends to get high ratings for no-log policies, accepting cash payments, and having a rather unique “no email address required” feature to own an account which, in theory, is a huge advantage for protecting privacy. Downside: it’s so clever and useful, it makes one wonder if it’s simply a honeypot, especially given that the company’s jurisdiction is Sweden.

The only way to win this game is not to play, sadly. OTP, cans and string, wear Mylar in the backwoods, and live underground.

Alex October 4, 2021 9:20 PM

eh…can we get a real security expert to comment on this? Given the NSA’s purpose and history, I’m half tempted to think they’re telling us what would make THEIR job easier.

Mac October 14, 2021 8:28 AM

@Alex, LOL that sort of thing came to my mind too. If they ever would actually try to be the good guys, no one would trust them.

Funny side note: I was using Kaspersky VPN (connected through their server in Miami) and navigated to that ipleak.net site (linked by Bruce in his other post). The test showed that I had 73 DNS servers, all but one located in Washington DC (one was in Virginia). Not sure if that is even normal.
