| Message ID | 1528020718-12721-1-git-send-email-steffan@karger.me |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [Openvpn-devel,1/3] man: add security considerations to --compress section | expand |
This makes sense. Whatever else we do, explaining the *why* parts is helping users make an educated choice. Acked-By: Gert Doering <gert@greenie.muc.de> Your patch has been applied to the master and release/2.4 branch. commit a59fd1475089eda4c89942d345070bb942180223 (master) commit 6795a5f3d55f658fc1a28eb9f3b11d1217e3329c (release/2.4) Author: Steffan Karger Date: Sun Jun 3 12:11:56 2018 +0200 man: add security considerations to --compress section Signed-off-by: Steffan Karger <steffan@karger.me> Acked-by: Gert Doering <gert@greenie.muc.de> Message-Id: <1528020718-12721-1-git-send-email-steffan@karger.me> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16919.html Signed-off-by: Gert Doering <gert@greenie.muc.de> -- kind regards, Gert Doering ------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, Slashdot.org! http://sdm.link/slashdot
diff --git a/doc/openvpn.8 b/doc/openvpn.8 index 4114f40..0e5d467 100644 --- a/doc/openvpn.8 +++ b/doc/openvpn.8 @@ -2516,6 +2516,16 @@ If the parameter is empty, compression will be turned off, but the packet framing for compression will still be enabled, allowing a different setting to be pushed later. + +.B Security Considerations + +Compression and encryption is a tricky combination. If an attacker knows or is +able to control (parts of) the plaintext of packets that contain secrets, the +attacker might be able to extract the secret if compression is enabled. See +e.g. the CRIME and BREACH attacks on TLS which also leverage compression to +break encryption. If you are not entirely sure that the above does not apply +to your traffic, you are advised to *not* enable compression. + .\"********************************************************* .TP .B \-\-comp\-lzo [mode]
As Ahamed Nafeez reported to the OpenVPN security team, we did not sufficiently inform our users about the risks of combining encryption and compression. This patch adds a "Security Considerations" paragraph to the --compress section of the manpage to point the risks out to our users. Signed-off-by: Steffan Karger <steffan@karger.me> --- doc/openvpn.8 | 10 ++++++++++ 1 file changed, 10 insertions(+)