Date: Thu, 4 May 2006 22:07:03 -0600
From: "Kurt Seifried" <bt@...fried.org>
To: "Joachim Schipper" <j.schipper@...h.uu.nl>,
	<bugtraq@...urityfocus.com>
Subject: Re: OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface Flaw
> While this is arguably a misfeature, it's not like anyone reading the
> documentation wouldn't know about it, and you have to explicitly enable
> it. It does not seem too much of a problem to me.
>
> Joachim

"Secure by default" is not just a catchphrase; it's a really good idea. By 
making the default behaviour insecure (once enabled), the result will 
be many more insecure sites than if it was secured (i.e. authentication 
required) and had to be made insecure by design. Unfortunately, although they 
have disabled it by default, once enabled it presents a huge security hole 
that most people would not expect. I would not expect an administrative 
service to be completely lacking in security once enabled; I suspect others 
are in the same boat.

As a developer:

If you disable it by default

And you make it use strong encryption such as TLS/SSL by default (linking to 
OpenSSL isn't too terribly hard)

And you require a user account to be created and passworded, or provide the 
ability to use PAM for example and require that a user belong to a specific 
group (openvpnadmin for example)

Then you make it much more difficult for people to end up with an insecure 
system.

-Kurt
