Android 12 Appears To Support Using WireGuard

  • #11
    Originally posted by Jakobson

    Encrypting compressed data is typically not a good idea at all from a security point of view.
    You have the wrong understanding. If so, the text data of your internet banking website shouldn't be encrypted?
    The bad ones are compressible encryption.

    HTTP compresses text data, then HTTPS encrypts it, which is secure as long as it uses strong ciphers.



    • #12
      Last I was aware, none of the major corporate VPN vendors have announced performant WireGuard support, which might even require a hardware silicon rev, for enterprise-scale VPN servers. Until those vendors have done so, corporations are likely not going to even consider WireGuard. So look to your Cisco's, your Fortigate's, your Juniper's (etc.) vendor announcements.
      There is another thing that is missing: support for existing authentication mechanisms. Corporations are very likely to run Active Directory (or another form of LDAP).



      • #13
        It would also be interesting to see newer kernels faster in Android. Graphics chips and SoCs are being worked on constantly.



        • #14
          Originally posted by NateHubbard

          When have corporate environments ever adopted something good in a reasonable amount of time though?
          True, but in this particular case enterprise is arguably the biggest client.



          • #15
            Originally posted by intelfx

            This is a completely theoretical threat for the absolute majority of deployments and use-cases out there.
            Absolutely false, and I myself could make a working attack on something of this sort in a short amount of time. You can literally byte by byte (or character by character) decode entire sensitive information like that, due to the fact that most compression schemes are dictionary-based.



            • #16
              Originally posted by piotrj3

              Absolutely false, and I myself could make a working attack on something of this sort in a short amount of time. You can literally byte by byte (or character by character) decode entire sensitive information like that, due to the fact that most compression schemes are dictionary-based.
              What are the prerequisites for this attack?

              First, this is a repeated chosen-plaintext attack. You need to have fine-grained control over the encrypted traffic and eavesdrop/MITM at the same time. This is already far outside of the typical threat model. Second, padding. Third, PFS.
              Last edited by intelfx; 14 October 2020, 04:56 AM.
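
The length side channel this exchange argues about, and the padding mitigation named in the reply above, as an added example that is not part of any post. It assumes a length-preserving AEAD (ciphertext length = payload length + 16-byte tag) and zlib as the compressor; every name and sample value is constructed.

```python
import zlib

TAG_LEN = 16  # assumed AEAD tag size; the cipher itself adds no other length


def wire_length(plaintext: bytes, compress: bool = True, pad_to: int = 0) -> int:
    """Length an on-path observer sees for one encrypted record."""
    payload = zlib.compress(plaintext, 9) if compress else plaintext
    size = len(payload)
    if pad_to:
        # Round the payload up to the next multiple of pad_to before encryption.
        size = -(-size // pad_to) * pad_to
    return size + TAG_LEN


# Constructed sample: a secret the sender attaches to every message.
SECRET = b"Cookie: session=7f3a9c1e5b2d4086\r\n"


def request(injected: bytes) -> bytes:
    # Bytes chosen by another party share one compression context with SECRET.
    return b"GET /?q=" + injected + b" HTTP/1.1\r\n" + SECRET


MATCH = b"session=7f3a9c1e5b2d4086"  # equals the secret value
MISS = b"session=k0Zq8Wv1Xy6Tn3Rj"   # same length, different value


def observed(compress: bool = True, pad_to: int = 0) -> tuple:
    """Wire lengths for the matching and the non-matching injected string."""
    return (wire_length(request(MATCH), compress, pad_to),
            wire_length(request(MISS), compress, pad_to))


if __name__ == "__main__":
    print("compress, no padding :", observed())             # lengths differ
    print("no compression       :", observed(compress=False))  # lengths equal
    print("compress, pad to 128 :", observed(pad_to=128))    # lengths equal
```

The match is visible only when compression runs before encryption and the record length is exposed at fine granularity. Padding hides it here because both records fall into the same 128-byte bucket; lengths that straddle a bucket boundary would still differ.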



              • #17
                Originally posted by intelfx

                What are the prerequisites for this attack?

                First, this is a repeated chosen-plaintext attack. You need to have fine-grained control over the encrypted traffic and eavesdrop/MITM at the same time. This is already far outside of the typical threat model. Second, padding. Third, PFS.
                You would have to read about CRIME or BREACH attacks. On a VPN it is of course harder to perform, but one of the reasons you want to use a VPN is to be NOT vulnerable to potential MITM. This is one of the main VPN selling points: that you don't care whether you use the internet from McDonald's Wi-Fi or from a shady ISP or through the Chinese firewall. Making it weaker is absolutely not acceptable for a VPN. This is the reason why you need a VPN to access some protected resources at, for example, a corporate network.



                • #18
                  Originally posted by piotrj3

                  You would have to read about CRIME or BREACH attacks. On a VPN it is of course harder to perform, but one of the reasons you want to use a VPN is to be NOT vulnerable to potential MITM. This is one of the main VPN selling points: that you don't care whether you use the internet from McDonald's Wi-Fi or from a shady ISP or through the Chinese firewall. Making it weaker is absolutely not acceptable for a VPN. This is the reason why you need a VPN to access some protected resources at, for example, a corporate network.
                  You keep replying with generic words without actually responding to what I said in substance.



                  • #19
                    There are many, many benefits to WireGuard, but also some limitations that preclude its potential use cases.

                    - Only supports UDP
                    - Financial Institutions will never use it as PCI has only certified TLS to pass transactions
                    - Some companies will restrict WireGuard use in the server images for security purposes, to stop undocumented VPNs inside the corporate network
                    - It is not native in Windows like it is in Linux, and many companies still use Windows Server
                    - Might need an LTM helper to maintain state if connection needs persistence

                    Some other people have been complaining about the use of stream ciphers and such. Since WireGuard is modular, it would be nice to see some extended options in the future.

                    There is a commercial implementation of WireGuard, developed by some dude from Google:

                    https://tailscale.com/



                    • #20
                      Originally posted by zamroni111
                      WireGuard insists on solely using ChaCha and doesn't support AES encryption, which is power-efficient and hardware-accelerated in many Android phones, including low-end ones.
                      A simpler protocol is better. CC20 will be fast anyways, as it's based around basic bitshifts, which any processor can do efficiently anyways.
