[Openvpn-users] Re: session hijacking

  • Subject: [Openvpn-users] Re: session hijacking
  • From: Charles Duffy <cduffy@xxxxxxxxxxx>
  • Date: Tue, 04 Apr 2006 08:16:52 -0500

Ed Wallig wrote:
Maybe a better question: If an OpenVPN configuration includes client and server certificates, tls-auth, and uses AES encryption, can a session hijack readily take place and if so, how would OpenVPN react?

A session hijack is not possible under these circumstances. A system taking over the stream would be unaware of the session key currently in use and thus unable to encrypt or decrypt any data.


The only exception is where one endpoint is *severely* compromised -- i.e. where an attacker can halt the OpenVPN process on one endpoint and read the relevant bits of its state out of memory. If you have an endpoint that severely compromised, you have much worse problems than session hijack attacks.
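
The reasoning in this reply, as an added example that is not part of the original message and is not OpenVPN's code: a simplified model in which HMAC-SHA256 stands in for the per-session packet protection. Encryption is not modelled, and the packet layout and the names `seal`, `Receiver` and `demo` are assumptions made for illustration. It also covers re-sending a captured packet, which the reply does not discuss.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def seal(session_key: bytes, packet_id: int, payload: bytes) -> bytes:
    """Sender side: prefix a packet ID and append an HMAC over both."""
    body = struct.pack("!I", packet_id) + payload
    return body + hmac.new(session_key, body, hashlib.sha256).digest()


class Receiver:
    """Endpoint that accepts only packets authenticated under its session key."""
    def __init__(self, session_key: bytes):
        self.session_key = session_key
        self.last_id = 0

    def accept(self, packet: bytes):
        """Return the payload, or None if the packet is dropped."""
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.session_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # sender does not hold the session key
        (packet_id,) = struct.unpack("!I", body[:4])
        if packet_id <= self.last_id:
            return None  # replayed or stale packet
        self.last_id = packet_id
        return body[4:]


def demo():
    session_key = os.urandom(32)  # constructed key, known only to the two endpoints
    server = Receiver(session_key)
    legit = seal(session_key, 1, b"ping")
    results = {"legitimate": server.accept(legit)}
    # A system that takes over the stream but has to guess the key is dropped.
    results["hijacker"] = server.accept(seal(os.urandom(32), 2, b"injected"))
    # Re-sending a captured packet is dropped by the packet ID check.
    results["replay"] = server.accept(legit)
    # The exception in the reply: the key was read out of a compromised endpoint.
    results["stolen_key"] = server.accept(seal(session_key, 2, b"injected"))
    return results


if __name__ == "__main__":
    print(demo())
```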

