Browse code
man: add security considerations to --compress section
As Ahamed Nafeez reported to the OpenVPN security team, we did not
sufficiently inform our users about the risks of combining encryption
and compression. This patch adds a "Security Considerations" paragraph
to the --compress section of the manpage to point the risks out to our
users.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1528020718-12721-1-git-send-email-steffan@karger.me>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg16919.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Steffan Karger authored on 2018/06/03 19:11:56Showing 1 changed files
| ... | ... |
@@ -2516,6 +2516,16 @@ If the |
| 2516 | 2516 |
parameter is empty, compression will be turned off, but the packet |
| 2517 | 2517 |
framing for compression will still be enabled, allowing a different |
| 2518 | 2518 |
setting to be pushed later. |
| 2519 |
+ |
|
| 2520 |
+.B Security Considerations |
|
| 2521 |
+ |
|
| 2522 |
+Compression and encryption is a tricky combination. If an attacker knows or is |
|
| 2523 |
+able to control (parts of) the plaintext of packets that contain secrets, the |
|
| 2524 |
+attacker might be able to extract the secret if compression is enabled. See |
|
| 2525 |
+e.g. the CRIME and BREACH attacks on TLS which also leverage compression to |
|
| 2526 |
+break encryption. If you are not entirely sure that the above does not apply |
|
| 2527 |
+to your traffic, you are advised to *not* enable compression. |
|
| 2528 |
+ |
|
| 2519 | 2529 |
.\"********************************************************* |
| 2520 | 2530 |
.TP |
| 2521 | 2531 |
.B \-\-comp\-lzo [mode] |