Announcement

**zamroni111** · 14 October 2020, 01:55 AM

Originally posted by Jakobson View Post

Encrypting compressed data is typically not good idea at all in security point of view.

You have wrong understanding. If so, the text data of your internet banking website shouldn't be encrypted?
the bad one are compressible encryption.

http compress text data then https encrypts them, which is secure as long as it uses strong ciphers.

**abcde** · 14 October 2020, 03:05 AM

Last I was aware, none of the major corporate VPN vendors have announced performant wireguard support, which might even require a hardware silicon rev, for enterprise scale VPN servers. Until those vendors have done so, corporations are likely not going to even consider wireguard. So look to your Cisco's, your Fortigate's, your Juniper's (etc.) vendors announcements.

There is another thing that is missing. Support for existing authentication mechanisms. Corporations are very likely to run Active Directory (or other form of LDAP).

**bemerk** · 14 October 2020, 03:26 AM

it would also be interesting to see newer kernels faster in android. Graphic chips and socs are being worked on constantly.

**bug77** · 14 October 2020, 03:26 AM

Originally posted by NateHubbard View Post

When have corporate environments ever adopted something good in a reasonable amount of time though?

True, but in this particular case enterprise is arguably the biggest client

**piotrj3** · 14 October 2020, 03:32 AM

Originally posted by intelfx View Post

This is a completely theoretical threat for absolute majority of deployments and use-cases out there.

Absolutly false, and I myself could make working attack on something of this sort in short amount of time. You can literally byte by byte (or character by character) decode entire sensitive information like that due to that most compressions are dictionary based.

**intelfx** · 14 October 2020, 04:54 AM

Originally posted by piotrj3 View Post

Absolutly false, and I myself could make working attack on something of this sort in short amount of time. You can literally byte by byte (or character by character) decode entire sensitive information like that due to that most compressions are dictionary based.

What are prerequisites for this attack?

First, this is a repeated chosen-plaintext attack. You need to have fine-grained control over the encrypted traffic and eavesdrop/MITM at the same time. This is already far outside of the typical threat model. Second, padding. Third, PFS.

**piotrj3** · 14 October 2020, 05:46 AM

Originally posted by intelfx View Post

What are prerequisites for this attack?

First, this is a repeated chosen-plaintext attack. You need to have fine-grained control over the encrypted traffic and eavesdrop/MITM at the same time. This is already far outside of the typical threat model. Second, padding. Third, PFS.

You would have to read about CRIME or BREACH attacks. on VPN it is of course harder to perform, but one of the reasons you want to use VPN is to be NOT vulnerable to potential MITM. This is one of the main VPN selling points that you don't care whenever you use internet from McDonalds wi-fi or from shady ISP or through Chinese firewall, making it weaker is absolutly not acceptable for VPN. This is reason why you need VPN to access some protected resources at for example corporate network.

**intelfx** · 14 October 2020, 05:58 AM

Originally posted by piotrj3 View Post

You would have to read about CRIME or BREACH attacks. on VPN it is of course harder to perform, but one of the reasons you want to use VPN is to be NOT vulnerable to potential MITM. This is one of the main VPN selling points that you don't care whenever you use internet from McDonalds wi-fi or from shady ISP or through Chinese firewall, making it weaker is absolutly not acceptable for VPN. This is reason why you need VPN to access some protected resources at for example corporate network.

You keep replying with generic words without actually responding to what I said in substance.

**edwaleni** · 14 October 2020, 09:27 AM

There are many, many benefits to Wireguard, but also some limitations that preclude its potential use cases.

- Only supports UDP
- Financial Institutions will never use it as PCI has only certified TLS to pass transactions
- Some companies will restrict Wireguard use in the server images for security purposes, to stop undocumented VPN's inside the corporate network
- It is not native in Windows like it is in Linux, and many companies still use Windows Server
- Might need a LTM helper to maintain state if connection needs persistence

Some other people have been complaining about the use of stream ciphers and such. Since Wireguard is modular, it would be nice to see some extended options in the future.

There is a commercial implementation of Wireguard, developed by some dude from Google:

Tailscale · Best VPN Service for Secure Networks

https://tailscale.com/

Tailscale is a zero config VPN for building secure networks. Install on any device in minutes. Remote access from any network or physical location.

**aspen** · 14 October 2020, 10:54 AM

Originally posted by zamroni111 View Post

Wire guard insists to solely using chacha and doesn't support aes encryption, which is power efficient hardware accelerated, in many android phones including low end ones

A simpler protocol is better. CC20 will be fast anyways, as it's based around basic bitshifts, which any processor can do effeciently anyways.

Announcement

Android 12 Appears To Support Using WireGuard

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment