[Sussex] VPN attitudes

Steven Dobson steve at dobson.org
Tue Aug 29 14:52:13 UTC 2006


On Tue, 2006-08-29 at 15:24 +0100, Nic James Ferrier wrote:
> Steven Dobson <steve at dobson.org> writes:
> >> Note that if I provide a service to you and the Government wants to
> >> snoop on it, it doesn't need VPN keys. It can just demand that I send
> >> them a copy of the traffic arriving on the VPN end point.
> >
> > Which is my point.  Unless I control both ends, which includes the keys,
> > of both client and server then the VPN can not be guaranteed private.
> 
> But it's got nothing to do with the keys Steve. The keys are
> irrelevant. If I gave you a piece of wire that connected you directly
> to me I could provide the Government with the data that comes into
> me from you.

But they are.  If I control both ends, but not the keys, then someone who
has access to the keys too can snoop the handshaking and gain access to
the session key.

> With a VPN you either provide your public key or you grant access
> based on someone else's public key.

Not necessarily.  You can create a session key based on some shared
secret known only to the two endpoints.

> But none of that is relevant to the snooping situation. As soon as you
> have a circuit between two parties there is a risk that the other
> party might snoop on your data without you knowing.

As the other party is supposed to see that data I would say they can't
snoop.  You can't snoop what you are allowed to view.

At the start of this thread you stated that you would be creating VPNs
without saying between whom and for what purpose.  I get the impression
now that these VPNs run between you (as an ISP) and your clients.  I
guess that is to provide a secure network to any colos you have
installed at your facilities.

However, at the beginning I was under the impression that these VPNs were
for any use and could be used to connect a company laptop back with
base.  My point is, and always has been, that for the VPN to be secure
only the two end points can know the secrets used to establish it.  If a
third party (you here) has knowledge then it isn't secure.

    "When three people know a secret it isn't a secret any more."

Steve