RE: Long message - thoughts on Gutmann response
David Brodbeck <DavidB,AT,mail,DOT,interclean,DOT,com>
Wed, 24 Sep 2003 16:43:16 -0400
> "Whenever someone thinks that they can replace SSL/SSH with something much
> better that they designed this morning over coffee, their computer speakers
> should generate some sort of penis-shaped sound wave and plunge it repeatedly
> into their skulls until they achieve enlightenment."
Of course, some things are left unsaid.
- I have yet to see an SSH/SSL-derived VPN system that's suitable for
production use. The only ones I know of are PPP-over-SSH or PPP-over-SSL.
These will always be horribly broken because they tunnel TCP over TCP, which
is Considered Harmful due to retry timer issues. They work until you start
getting dropped packets, but then they succumb to spiralling death syndrome.
- PPTP is already known to be insecure, so that pretty much leaves IPSec as
the only protocol that would be acceptable in Gutmann's eyes. Fine, except
that in my (limited, admittedly) experience, IPSec simply does not
interoperate between platforms. Just enough is left up to the individual
implementation that it seems to be more a collection of proprietary
protocols than an actual standard.