Changes between Version 3 and Version 4 of VORACLE
- Timestamp:
- 10/03/18 23:31:55 (6 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
VORACLE
v3 v4 3 3 == Background == 4 4 5 Security researcher Ahamed Nafeez has [https://speakerdeck.com/skepticfx/voracle-compression-oracle-attacks-on-vpn-tunnels presented a new attack vector] which targets VPN tunnels which utilizes compression, named **VORACLE**. The attack vector b ares similarities to the CRIME and BREACH attacks, which hit especially HTTPS based connections.5 Security researcher Ahamed Nafeez has [https://speakerdeck.com/skepticfx/voracle-compression-oracle-attacks-on-vpn-tunnels presented a new attack vector] which targets VPN tunnels which utilizes compression, named **VORACLE**. The attack vector bears similarities to the CRIME and BREACH attacks, which hit especially HTTPS based connections. 6 6 7 7 The crux of this attack is the compression feature OpenVPN has had support for since the early OpenVPN v1.x days, in various ways. The compression feature is being enabled when you use one of the following configuration options: … … 35 35 == Mitigation == 36 36 37 The compression feature in OpenVPN is dynamic and by using the `--compress` or `--comp-lzo` options, the wire protocol used between the OpenVPN clients and server changes slightly, to encapsulate packets in what is referred to a _compression frame_. This does not mean data this frame carries is always compressed, but it *might* be compressed, all depending on a flag in the frame header.37 The compression feature in OpenVPN is dynamic and by using the `--compress` or `--comp-lzo` options, the wire protocol used between the OpenVPN clients and server changes slightly, to encapsulate packets in what is referred to a ''compression frame''. This does not mean data this frame carries is always compressed, but it *might* be compressed, all depending on a flag in the frame header. 38 38 39 39 It is important to remember that `--comp-lzo` or `--compress` must be used on both the local and the remote side. If only one side uses any of these options, it will not be a functional VPN tunnel. Further, `--comp-lzo` and `--compress` have overlapping feature support, meaning that `--compress lzo` is identical to `--comp-lzo yes`or `--comp-lzo adaptive`. … … 53 53 54 54 On the client side: 55 The client side configuration' compressionneeds to match the server configuration (either explicit with the right `compress`/`comp-lzo` config option or implicit through pushed option). A client side mitigation is therefore currently not possible in all scenarios without upgrading the client.55 Compression on the client side needs to match the server configuration (either explicit with the right `compress`/`comp-lzo` config option or implicit through pushed option). A client side mitigation is therefore currently not possible in all scenarios without upgrading the client. 56 56 57 57 - OpenVPN 2.4.0 and newer, and server respecting client capabilities: … … 73 73 The compression feature is enabled by default. It can be disabled under Advanced VPN, "Default Compression Settings" setting. 74 74 75 The same can be achieve via the command line:75 The same can be achieved via the command line: 76 76 77 77 {{{