I can't stand anyone who thinks that they are better than everyone else
just because they have the tag "expert"... However...
What bothers me is that I can read both:
repeatedly one after the other, and come away thinking that I have
missed something in both...
I should look at the source, I've been meaning to help out for a while
now but I haven't gotten around to it... My real question is: if we
look past his childish attitude, does he have any real concerns?
And if so, is there anything we can do to fix them?
From what I can tell, his points are:
* integrity protection for data is weak,
* weak protection against message insertion or deletion. This is
acknowledged as weak protection against replays in the protocol
* keys can be modified in transit, allowing an attacker to pick certain
* an attacker can manipulate the key exchange process.
So the questions are:
- Are any of these considered "fixed" or not-an-issue by the developers?
(For example, replay attacks against most systems will be not-an-issue
because of the tunneled protocol...)
- Are any of these under development ATM? Are they known todos?
- Are they anything we should be considering as issues?
And finally, is there anything I can do to help??
PS: I'm otherwise a satisfied user...
On Tue, 23 Sep 2003 13:54, you wrote:
> Yeah, pissed me off too. But you hit the nail on the head with
> infantile in the same paragraph with Gutmann. Rant away....
> Russell Berry
> Berrex Computer Solutions
> ----- Original Message -----
> From: "Damion Wilson" <dwilson,AT,ibl,DOT,bm>
> To: "Groups" <groups,AT,hasely,DOT,com>
> Cc: <cipe-l,AT,inka,DOT,de>
> Sent: Monday, September 22, 2003 11:20 PM
> Subject: Re: What do you guys think about this?
> > Alright. I've just seen this on Slashdot and a few things pissed me
> > off:
> > 1. CIPE has apparently been declared a "dead" project.
> > 2. The cursory analysis by Peter Gutmann appears to have missed
> > subtle
> > For instance, CIPE primarily using Blowfish (and not IDEA).
> > 3. The apparent zeal with which all non IPSec or SSL
> > implementations are attacked as basically infantile and not worth
> > entertaining smacks of patronising.
> > 4. Some issues are stated as being known "years ago" and ignored. I
> > don't recall the issues he raises as having crossed my 5 year
> > participation on
> > list, the "man in the middle" vulnerability notwithstanding. We
> > appear to have voted for simplicity in this regard, correct me if
> > I'm wrong. It's easier to believe that your ISP isn't out to get
> > you.
> > If Mr. Gutmann had bothered to peruse the mailing list archives
> > (the link
> > right on the same page as the protocol description), he might have
> > had the chance to determine what was important to the userbase and,
> > instead of declaring CIPE, Tinc, OpenVPN, et al. "dead", he might
> > have realised what
> > important enough to them to specifically eschew IPSec, etc in
> > choosing our specific flavours of VPN.
> > He deems us stupid and foolhardy for making the decision to use
> > these products, develop for them, and show loyalty to them in the
> > face of
> > and techniques that he prefers. Apparently, we're all a bunch of
> > idiots
> > it only took him a 30 minute or more analysis for him to determine
> > it, and the other projects weren't as lucky. Let's all remember the
> > Andrew
> > v Linus Torvalds "discussion" over the relative technical merits of
> > Minix over Linux.
> > I'm still pissed. I need to rant some more later.
> > I'd like to know if Olaf has anything to say about it, though.
> > Peter
> > apparently attempted to contact him.
> > DKW
> > On Monday 22 September 2003 08:57 pm, Groups wrote:
> > > I've been using CIPE for over a year now, and my boss just
> > > forwarded
> > > link, http://www.mit.edu:8008/bloom-picayune/crypto/14238, to a
> > > posting about the security of CIPE. Does anyone have any
> > > arguments that may
> > > me out?
> > >
> > > --
> > > Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> > > Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> > > Other commands available with "help" in body to the same address.
> > > CIPE info and list archive:
> > > <URL:http://sites.inka.de/~bigred/devel/cipe.html>
Stobor Pty Ltd
Mobile: + 61 414 470 392