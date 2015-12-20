from the gotta-keep-em-separated dept.
OpenBSD user Lari Huttunen has a blog post in which he dives into using OpenBSD's rdomain(4) feature to sort work VPNs into separate kernel-level routing tables. This segregates the network traffic in such a way as to prevent traffic in separate routing tables from interacting. With many working from home, insecure work networks have begun to intrude into the home LANs via work-related VPNs. By adding the home network to a work VPN, the LAN becomes merged with work's internal network, usually quite insecure at that. His goal is to keep his personal home devices, especially the IoT items, separate from the now mandatory work-related VPNs on his small-office / home-office network. That way, the work networks can no longer access his appliances.
Problem Statement
Over the years, companies and corporations have become ever more hungry for everything related to their users' geolocation, telemetry, demography, relationsip with one another, interests, convictions, social preferences - you name it. At the same time, users wanting to consume digital services meet a lot of ridiculous restrictions depending on where they live and how they access the Internet. Ecojails, in one form or another are created by multi-national corporations in order to capitalize everything about their users' behavior. In 2020, this has all been exacerbated by everyone suddenly working from home if possible.
Motivation
This is why I wanted to research how identity-based routing could enhance users' privacy in a totally transparent way. I've never been a big fan of VPNs as a security solution, but have come to realize that they have a role to play in privacy. Since soon everything needs to be online to function from a vacuum cleaner to dish washer to toaster, it is increasingly difficult to keep the Internet of Targets at bay. Moreover, our personal telemetry devices feed out a constant stream of information to the ecojail masters, be they Apple, Google, Microsoft, Amazon, Alibaba or Netflix. Taking back control will not be easy and one will evidently need to compromise along the way, but realization is the first step to recovery.
Lari's solution works from tools provided by OpenBSD's base system.
What has been planned for a long time now, prior to the infamous heartbleed fiasco of OpenSSL (which does not affect SSH at all), is now officially a reality - with the help of some recently adopted crypto from DJ Bernstein. OpenSSH now finally has a compile-time option to no longer depend on OpenSSL, the option `make OPENSSL=no` has now been introduced for a reduced-configuration OpenSSH to be built without OpenSSL.
The result would leave you with no legacy SSH-1 baggage at all, and on the SSH-2 front with only AES-CTR and chacha20+poly1305 ciphers, ECDH/curve25519 key exchange and Ed25519 public keys.
[Editor's Note: This appears to be very much a Work-in-Progress, so might not be available for your distro or via standard repositories.]
Submitted via IRC for chromas
Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move
The Dutch National Cyber Security Centre (NCSC) explains how DNS-monitoring will get more difficult as modern encrypted DNS transport protocols are getting more popular in a fact sheet published this week.
The fact sheet's audience is represented by system or network admins and security officers who want to move to DNS over TLS (DoT) and DNS over HTTPS (DoH) DNS encryptions protocols that offer increased security and confidentiality.
Both DoH and DoT are designed to allow DNS resolution over encrypted HTTPS connections instead of using the currently common plain text DNS lookups.
Google and Mozilla are both running DoH trials for their browsers, with Chrome to upgrade to a provider's DoH server if it present on a pre-defined whitelist or to a shortlist of fallback providers (i.e., Cleanbrowsing, Cloudflare, DNS.SB, Google, OpenDNS, Quad9) if not.
By only upgrading the DNS resolution to DoH if the users' current DNS provider is supported, Google believes that the users' DNS resolution experience will stay the same.
Mozilla's DoH experiments have already been met with criticism from network admins and Linux distro maintainers after the decision to enable DoH by default and using Cloudflare's DoH server rather than a user's existing DNS provider.
Senior scalability engineer Kristian Köhntopp said that Mozilla is "about to break DNS" seeing that Cloudflare will be used for DNS resolution over the default server assigned by system administrators, leading to leaking visited website addresses inside corporate environments to Cloudflare.
Peter Hessler, an OpenBSD developer, tweeted at the time that OpenBSD disabled DoH in their Firefox package in the current releases and will also disabled it in future ones since "sending all DNS traffic to Cloudflare by default is not a good idea."
On June 21, 2019, support for SSH key shielding was introduced into the OpenBSD tree, from which the OpenSSH releases are derived. SSH key shielding is a measure intended to protect private keys in RAM against attacks that abuse bugs in speculative execution that current CPUs exhibit.[0] This functionality has been part of OpenSSH since the 8.1 release. SSH private keys are now being held in memory in a shielded form; keys are only unshielded when they are used and re‐shielded as soon as they are no longer in active use. When a key is shielded, it is encrypted in memory with AES‐256‐CTR; this is how it works: [...]
https://xorhash.gitlab.io/xhblog/0010.html
http://undeadly.org/cgi?action=article;sid=20200622052207
The WireGuard VPN protocol has been available on OpenBSD as a port for a while, first as the wireguard-go implementation in Go, but later also as the wiresep port in C, both using tun(4) devices, much like OpenVPN and others, which incurs a slight penalty for crossing the kernel/userspace border for each packet.
WireGuard is a layer3 tunnel that can be run in passive mode, only sending packets when something needs to reach the other side (unless you enable heartbeats). It only allows selected modern crypto algorithms and hashes, chosen to be performant on CPUs which lack crypto accelerators, while still being secure. WireGuard packets are sent over UDP, and can run over and transport both IPv4 and IPv6. It handles NAT/port redirects and endpoints changing IP addresses, which is very nice when changing from wired to wifi or vice versa.