Changes between Version 3 and Version 4 of VORACLE


Ignore:
Timestamp:
10/03/18 23:31:55 (6 years ago)
Author:
tct
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • VORACLE

    v3 v4  
    33== Background ==
    44
    5 Security researcher Ahamed Nafeez has [https://speakerdeck.com/skepticfx/voracle-compression-oracle-attacks-on-vpn-tunnels presented a new attack vector] which targets VPN tunnels which utilizes compression, named **VORACLE**.  The attack vector bares similarities to the CRIME and BREACH attacks, which hit especially HTTPS based connections.
     5Security researcher Ahamed Nafeez has [https://speakerdeck.com/skepticfx/voracle-compression-oracle-attacks-on-vpn-tunnels presented a new attack vector] which targets VPN tunnels which utilizes compression, named **VORACLE**.  The attack vector bears similarities to the CRIME and BREACH attacks, which hit especially HTTPS based connections.
    66
    77The crux of this attack is the compression feature OpenVPN has had support for since the early OpenVPN v1.x days, in various ways.  The compression feature is being enabled when you use one of the following configuration options:
     
    3535== Mitigation ==
    3636
    37 The compression feature in OpenVPN is dynamic and by using the `--compress` or `--comp-lzo` options, the wire protocol used between the OpenVPN clients and server changes slightly, to encapsulate packets in what is referred to a _compression frame_.  This does not mean data this frame carries is always compressed, but it *might* be compressed, all depending on a flag in the frame header.
     37The compression feature in OpenVPN is dynamic and by using the `--compress` or `--comp-lzo` options, the wire protocol used between the OpenVPN clients and server changes slightly, to encapsulate packets in what is referred to a ''compression frame''.  This does not mean data this frame carries is always compressed, but it *might* be compressed, all depending on a flag in the frame header.
    3838
    3939It is important to remember that `--comp-lzo` or `--compress` must be used on both the local and the remote side.  If only one side uses any of these options, it will not be a functional VPN tunnel.  Further, `--comp-lzo` and `--compress` have overlapping feature support, meaning that `--compress lzo` is identical to `--comp-lzo yes`or `--comp-lzo adaptive`.
     
    5353
    5454On the client side:
    55 The client side configuration' compression needs to match the server configuration (either explicit with the right `compress`/`comp-lzo` config option or implicit through pushed option). A client side mitigation is therefore currently not possible in all scenarios without upgrading the client.
     55Compression on the client side needs to match the server configuration (either explicit with the right `compress`/`comp-lzo` config option or implicit through pushed option). A client side mitigation is therefore currently not possible in all scenarios without upgrading the client.
    5656
    5757   - OpenVPN 2.4.0 and newer, and server respecting client capabilities:
     
    7373The compression feature is enabled by default. It can be disabled under Advanced VPN, "Default Compression Settings" setting.
    7474
    75 The same can be achieve via the command line:
     75The same can be achieved via the command line:
    7676
    7777{{{