
Re: [Openvpn-users] Re: session hijacking

  • Subject: Re: [Openvpn-users] Re: session hijacking
  • From: Ed Wallig <ilinktech@xxxxxxxxx>
  • Date: Tue, 4 Apr 2006 06:56:19 -0700 (PDT)

Thanks, that's what I thought, but it's good to hear it from someone else.

Charles Duffy <cduffy@xxxxxxxxxxx> wrote:
Ed Wallig wrote:
> Maybe a better question: If an OpenVPN configuration includes client and
> server certificates, tls-auth, and uses AES encryption, can a session
> hijack readily take place and if so, how would OpenVPN react?

A session hijack is not possible under these circumstances. A system
taking over the stream would be unaware of the session key currently in
use and thus unable to encrypt or decrypt any data.

The only exception is where one endpoint is *severely* compromised --
i.e. where an attacker can halt the OpenVPN process on one endpoint and
read the relevant bits of its state out of memory. If you have an
endpoint that severely compromised, you have much worse
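Added example, not part of the original thread and not OpenVPN's own code: a small Python audit that checks an OpenVPN config for the three controls named in the question (client/server certificates, tls-auth, an AES cipher). The sample configs, file names and finding texts are constructed; the script reads only the `cipher` directive and strips comments naively at the first `#` or `;`.

```python
import re

# Constructed sample configs (not taken from the thread).
HARDENED = """\
# client side
client
remote vpn.example.org 1194
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-CBC
"""
WEAK = """\
client
remote vpn.example.org 1194
secret static.key   ; static-key mode, no TLS handshake
cipher BF-CBC
"""

def parse_directives(text):
    """Return {directive: args}, skipping comments and inline <tag> bodies."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # naive comment strip
        if inline:                       # inside <ca>...</ca> style block
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:                            # inline file counts as the directive
            inline = m.group(1)
            found[inline] = ["[inline]"]
        elif line:
            name, *args = line.split()
            found[name] = args
    return found

def audit(text):
    """List the controls from the question that this config lacks."""
    d = parse_directives(text)
    findings = [f"missing '{n}': no certificate-based TLS authentication"
                for n in ("ca", "cert", "key") if n not in d]
    if "tls-auth" not in d:
        findings.append("missing 'tls-auth': control channel has no HMAC key")
    cipher = (d.get("cipher") or [""])[0].upper()
    if not cipher.startswith("AES-"):
        findings.append(f"cipher is {cipher or 'unset'}, not AES")
    return findings
```

An empty list from `audit()` means the config matches the setup described in the question; it says nothing about endpoint compromise, which is the exception raised in the reply.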