    FBI back door in IPSec implementation of OpenBSD?

    IPsec
      eazydor last edited by

      http://www.h-online.com/security/news/item/FBI-back-door-in-IPSec-implementation-of-OpenBSD-1153297.html

      http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

      what about the pfsense-implementation?

        jimp Rebel Alliance Developer Netgate last edited by

The pfSense IPsec code comes from ipsec-tools, which these days is from NetBSD, not OpenBSD.

        I'm not sure if they share anything inside, but given the history of BSDs sharing things, it may be possible. Though nobody knows for certain if there is any real flaw, and if so, it may have been fixed or it may not have carried over to other projects that (if any did) borrowed code.

        If in doubt, use OpenVPN. Unless they backdoored that too. :-)

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          cmb last edited by

The chance of that having any truth is extremely minimal. FreeBSD's IPsec is partially based on OpenBSD's; ipsec-tools only handles keying and related things. Even if it were true 10 years ago, it's likely changed enough in the meantime that it's no longer effective, if even enough bits were brought over from OpenBSD to FreeBSD for it to carry over anyway. Comments from a FreeBSD developer:
          http://maycontaintracesofbolts.blogspot.com/2010/12/openbsd-ipsec-backdoor-allegations.html

          The crypto code wasn't written by anyone from the US anyway per OpenBSD policy, so it's expected the side channel would be in the network stack or elsewhere, where the probability of carry-over to FreeBSD is much smaller.
          http://marc.info/?l=openbsd-tech&m=129237675106730&w=2

          There is extensive re-auditing of the code happening, and I expect it won't turn up anything, but we'll definitely keep an eye on the situation. The chance of that being true of OpenBSD is exceptionally remote, and even less likely there would be carry-over to FreeBSD.

            XIII last edited by

The fact that the NDA expired wouldn't happen, or that's what they want you to think…

The NSA/FBI is due to audit their OS code, and hence this story: they are getting the community to do it for them, and for free.

            -Chris Stutzman
              singerie last edited by

I hope they will find something … I will be able to sleep again.  ;D

                jimp Rebel Alliance Developer Netgate last edited by

                They'll probably find a few bugs, and no matter how minor or accidental I'm sure they'll all be labeled malicious. :)

                  Cry Havok last edited by

                  Nothing has been found because, according to at least one of those named as having done the deed, nothing was done.

                    eazydor last edited by

No doubts at all, just interest, and like Jim said, who knows for certain? Anyway, to me this doesn't seem like a major threat.

I do use OpenVPN wherever I can; for iPhones it's nicer than PPTP.

Completely aside from that, I feel that the creators of pfSense (so I believe you too, Jim?!?) really do have many, many years of networking experience and that pfSense is a project with a special focus on quality. I first read about you guys in a German issue of "The H", originally called heise Security, and they too stated that pfSense has the highest reputation "in the scene".
I'm not, and possibly never will be, in the position to judge stories like these, but I feel really well advised with the "pfSense way".
So thank you (all), not just for answering my question(s).

                      singerie last edited by

Apparently they found 2 bugs in the cryptographic code. They don't know yet if those bugs could be dangerous, but they will hopefully fix those bugs  :)
