
To: cipe-l <cipe-l,AT,inka,DOT,de>
Subject: Re: What do you guys think about this?
From: Mr Allwyn Fernandes <af+cipel,AT,stobor,DOT,net>
Date: Tue, 23 Sep 2003 14:57:34 +1000
In-reply-to: <09bb01c38186$5e6d2d80$1401010a@berrex.com>
References: <3F6F8C81.2080202@hasely.com> <200309230020.54867.dwilson@ibl.bm> <09bb01c38186$5e6d2d80$1401010a@berrex.com>

I can't stand anyone who thinks that they are better than everyone else 
just because they have the tag "expert"... However...

What bothers me is that I can read both:
http://sites.inka.de/sites/bigred/devel/CIPE-Protocol.txt
and:
http://www.mit.edu:8008/bloom-picayune/crypto/14238
repeatedly one after the other, and come away thinking that I have 
missed something in both...

I should look at the source, I've been meaning to help out for a while 
now but I haven't gotten around to it... My real question is: if we 
look past his childish attitude, does he have any real concerns?
And if so, is there anything we can do to fix them? 

From what I can tell, his points are:
* integrity protection for data is weak,
* weak protection against message insertion or deletion. This is 
acknowledged as weak protection against replays in the protocol 
description,
* keys can be modified in transit, allowing an attacker to pick certain 
keys, and
* an attacker can manipulate the key exchange process.

So the questions are:
- Are any of these considered "fixed" or not-an-issue by the developers?
(For example, replay attacks against most systems will be not-an-issue 
because of the tunneled protocol...)
- Are any of these under development ATM? Are they known todos?
- Are they anything we should be considering as issues?

And finally, is there anything I can do to help??

Cheers,

Allwyn.

PS: I'm otherwise a satisfied user... 

On Tue, 23 Sep 2003 13:54, you wrote:
> yeah, pissed me off too.  But you hit the nail on the head with
> infantile in the same paragraph with Gutmann.  Rant away....
>
> ---russ
>
> Russell Berry
> Berrex Computer Solutions
> http://www.berrex.com
> Russ,AT,berrex,DOT,com
> 1-877-558-9507
> ----- Original Message -----
> From: "Damion Wilson" <dwilson,AT,ibl,DOT,bm>
> To: "Groups" <groups,AT,hasely,DOT,com>
> Cc: <cipe-l,AT,inka,DOT,de>
> Sent: Monday, September 22, 2003 11:20 PM
> Subject: Re: What do you guys think about this?
>
> > Alright. I've just seen this on Slashdot and a few things pissed me
> > off:
> >
> > 1. CIPE has apparently been declared a "dead" project.
> >
> > 2. The cursory analysis by Peter Gutmann appears to have missed
> > subtle things.
> > For instance, CIPE primarily using Blowfish (and not IDEA).
> >
> > 3. The apparent zeal with which all non IPSec or SSL
> > implementations are attacked as basically infantile and not worth
> > entertaining smacks of patronising.
> >
> > 4. Some issues are stated as being known "years ago" and ignored. I
> > don't recall the issues he raises as having crossed my 5 year
> > participation on this
> > list, the "man in the middle" vulnerability notwithstanding. We
> > appear to have voted for simplicity in this regard, correct me if
> > I'm wrong. It's easier to believe that your ISP isn't out to get
> > you.
> >
> > If Mr. Gutmann had bothered to peruse the mailing list archives
> > (the link was
> > right on the same page as the protocol description), he might have
> > had the chance to determine what was important to the userbase and,
> > instead of declaring CIPE, Tinc, OpenVPN, et al. "dead", he might
> > have realised what was
> > important enough to them to specifically eschew IPSec, etc in
> > choosing our specific flavours of VPN.
> >
> > He deems us stupid and foolhardy for making the decision to use
> > these products, develop for them, and show loyalty to them in the
> > face of software
> > and techniques that he prefers. Apparently, we're all a bunch of
> > idiots and
> > it only took him a 30 minute or more analysis for him to determine
> > it, and the other projects weren't as lucky. Let's all remember the
> > Andrew Tanenbaum
> > v Linus Torvalds "discussion" over the relative technical merits of
> > Minix over Linux.
> >
> > I'm still pissed. I need to rant some more later
> >
> > I'd like to know if Olaf has anything to say about it, though.
> > Peter Gutmann
> > apparently attempted to contact him.
> >
> > DKW
> >
> > On Monday 22 September 2003 08:57 pm, Groups wrote:
> > > I've been using CIPE for over a year now, and my boss just
> > > forwarded this
> > > link, http://www.mit.edu:8008/bloom-picayune/crypto/14238, to a
> > > posting about the security of CIPE.  Does anyone have any
> > > arguments that may help
> > > me out?
> > >
> > >
> > >
> > >
> > >
> > > --
> > > Message sent by the cipe-l,AT,inka,DOT,de mailing list.
> > > Unsubscribe: mail majordomo,AT,inka,DOT,de, "unsubscribe cipe-l" in body
> > > Other commands available with "help" in body to the same address.
> > > CIPE info and list archive:
> > > <URL:http://sites.inka.de/~bigred/devel/cipe.html>
> >

-- 
Allwyn Fernandes
Director
Stobor Pty Ltd

Mobile: + 61 414 470 392
Email: af+cipel,AT,stobor,DOT,net
