upvote

points

by elevation6 hours ago |
comments
upvoteby dmbche6 hours ago|
next
[-]
> fractal layers of ossified cruft

Someone got a thesaurus in their coffee today! (Not a jab)

reply
upvoteby LtWorf6 hours ago|
prev|
next
[-]
but wolfssl is in the business of selling FIPS compliance so…
reply
upvoteby alfanick6 hours ago|
parent|
[-]
And they do it fast, thankfully Compliant Static Code Analyser catches issues like https://github.com/wolfSSL/wolfGuard/commit/fa21e06f26de201b...
reply
upvoteby johnisgood5 hours ago|
parent|
[-]
Holy shit. Those are rookie mistakes[1], that could end up being SEVERE.

[1] Not referring to the fixes.

reply
upvoteby dietsche4 hours ago|
parent|
[-]
looks like AI to me. It’s always making rookie mistakes that look plausible!
reply
upvoteby johnisgood4 hours ago|
parent|
[-]
No, I mean, for example uninitialized pointers are a huge red flag, so seeing one not set to NULL is honestly shocking, especially in crypto code where a stray pointer can lead to crashes or subtle security issues.
reply
upvoteby jmclnx6 hours ago|
prev|
[-]
Yes, but be aware, openvpn is much better if you live in a Country like China, Russia and a few others. That is due to a known design issue with wireguard.

For most people, wireguard is fine.

Edit: I should have said "choice" instead of "issue", but Firefox 140 is failing on this site so I could not correct the txt. I was able to edit this after reverting back to Firefox 128.

reply
upvoteby LunaSea6 hours ago|
parent|
[-]
Could you expand on the design flaw in question?
reply
upvoteby eptcyka6 hours ago|
parent|
next
[-]
OpenVPN looks like a regular tls stream - difficult to distinguish between that and a HTTPS connection. WireGuard looks like WireGuard. But you can wrap WireGuard in whatever headers you might want to obfuscate it and the perf will still be better.
reply
upvoteby tptacek5 hours ago|
parent|
next
[-]
It's trivial to make WireGuard look like a regular TLS stream. It's probably not worth a 15 year regression in security characteristics just to get that attribute; just write the proxy for it and be done with it. It was a 1 day project for us (we learned the hard way that a double digit percentage of our users simply couldn't speak UDP and had to fix that).
reply
upvoteby eptcyka4 hours ago|
parent|
next
[-]
It is, we did the same. It is a shame that only Linux supports proper fake TCP though.
reply
upvoteby coppsilgold4 hours ago|
parent|
[-]
Doesn't the Chinese firewall perform sophisticated filtering? Fake TCP should not be difficult to catch. I recall reading how the firewall uses proxies to initiate connections just to see whats up.
reply
upvoteby eptcyka4 hours ago|
parent|
[-]
You can host a decoy on the server side.
reply
upvoteby mmooss4 hours ago|
parent|
prev|
[-]
I don't suppose you'd release it, please?
reply
upvoteby tptacek4 hours ago|
parent|
[-]
It's part of `flyctl`, which is open source.
reply
upvoteby gruez5 hours ago|
parent|
prev|
next
[-]
>OpenVPN looks like a regular tls stream - difficult to distinguish between that and a HTTPS connection.

I thought openvpn had some weird wrapper on top of TLS that makes it easily detectable? Also to bypass state of the art firewalls (eg. China's gfw), it's not sufficient to be just "tls". Doing TLS-in-TLS produces telltale statistical signatures that are easily detectable, so even simpler protocols like http CONNECT proxy over TLS can be detected.

reply
upvoteby cyberax4 hours ago|
parent|
prev|
next
[-]
Raw OpenVPN is very easy to distinguish, its handshake signature is very different from the regular TLS.

OpenVPN is fine if you want to tunnel through a hotel network that blocks UDP, but it's useless if you want to defeat the Great China Firewall or similar blocks.

reply
upvoteby jmclnx6 hours ago|
parent|
prev|
[-]
It is not a design flaw, but a design choice.

>OpenVPN does not store any of your private data, including IP addresses, on VPN servers, which is ideal.

https://www.pcmag.com/comparisons/openvpn-vs-wireguard-which...

reply