[Sussex] VPN attitudes

Steven Dobson steve at dobson.org
Tue Aug 29 14:06:01 UTC 2006


Nic

On Tue, 2006-08-29 at 14:36 +0100, Nic James Ferrier wrote:
> Steven Dobson <steve at dobson.org> writes:
> 
> > Isn't the whole point of a VPN that it is private - that is what the 'P'
> > stands for after all.  If you (or your company) are providing the VPN
> > then it can't be private as you are involved in setting it up and
> > therefore know the keys.
> >
> > For example:  Let's just say that I use our VPN between my laptop and
> > home when I am out in the field.  If the government came to you and
> > (with all the correct paperwork signed by a judge) asked for the keys
> > you would, of course, hand them over.  However, if I was in total
> > control then the government would have to come to me and ask me for the
> > keys.  I would then know I was under investigation.
> 
> It depends which way you establish the tunnel.
> 
> A simple linux based VPN can be done with SSH and PPP. You run PPP
> with an SSH command to connect from one machine to another. The PPP
> protocol can then be used to establish a network over the tty
> that SSH provides.
> 
> In that example one machine is the client and the other is the
> server. The client has a private key and sends its public pair to the
> server. The server does not know the client's private key.

There are several handshakes between client and server to establish a
session key that is then used to encrypt that session.  I can't remember
it off the top of my head, but it is done in such a way that someone
snooping can't find out the session key.

> Note that if I provide a service to you and the Government wants to
> snoop on it, it doesn't need VPN keys. It can just demand that I send
> them a copy of the traffic arriving on the VPN end point.

Which is my point.  Unless I control both ends, which includes the keys
of both client and server, then the VPN cannot be guaranteed private.

Steve
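The session-key handshake Steve refers to, as an added example that is not part of the post or of any SSH implementation: a Diffie-Hellman key agreement in Python, simplified (real SSH also authenticates the server host key and the client key over this exchange), with the group, key derivation and class names my own choice. It shows that someone recording the wire gets only the public values and that neither end learns the other's exponent.

```python
"""Added example, not from the mailing-list post: a stand-alone Diffie-Hellman
key agreement of the kind an SSH-style tunnel runs. Each endpoint keeps its own
exponent; only the public values travel over the wire, so a passive snooper who
records the whole exchange does not obtain the session key."""
import hashlib
import secrets

# 1024-bit MODP group from RFC 2409 (Oakley group 2), chosen only to keep this
# listing short; deployments should use a 2048-bit or larger group (RFC 3526).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
KEY_BYTES = (P.bit_length() + 7) // 8


def kdf(shared_secret: int) -> bytes:
    """Hash the raw shared secret down to a 256-bit symmetric session key."""
    return hashlib.sha256(shared_secret.to_bytes(KEY_BYTES, "big")).digest()


class Endpoint:
    """One end of the tunnel. The exponent is generated here and never sent."""
    def __init__(self) -> None:
        self._exponent = secrets.randbelow(P - 3) + 2   # private, stays local
        self.public = pow(G, self._exponent, P)          # this goes on the wire

    def session_key(self, peer_public: int) -> bytes:
        return kdf(pow(peer_public, self._exponent, P))  # g^(ab) mod p


def handshake():
    """Run the exchange; return (client_key, server_key, snooper_view)."""
    client, server = Endpoint(), Endpoint()
    # Everything a passive snooper sitting on the path can record.
    snooper_view = {"g": G, "p": P,
                    "client_public": client.public, "server_public": server.public}
    return client.session_key(server.public), server.session_key(client.public), snooper_view


def snooper_derivable_keys(view: dict) -> set:
    """Keys a snooper can form from recorded values alone, with no exponent.
    None of them is g^(ab): that needs a or b, which never crossed the wire."""
    a_pub, b_pub, p = view["client_public"], view["server_public"], view["p"]
    return {kdf(a_pub), kdf(b_pub), kdf(a_pub * b_pub % p), kdf(pow(a_pub, b_pub, p))}
```

Both endpoints end up holding the same key, so whoever operates an endpoint can still read the traffic there; the exchange protects the wire, not the ends.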
