
List:       wireguard
Subject:    Re: WireGuard deployment considerations for improved privacy
From:       Fredrik_Strömberg <stromberg () mullvad ! net>
Date:       2019-01-18 8:19:42
Message-ID: CANTUoedKsjKTU8a+R82ay4XsU9vcfZy2dyTHogbAPfL+brnNHQ () mail ! gmail ! com

On Wed, Jan 16, 2019 at 5:34 PM Jose Marinez <jedi_papi@yahoo.com> wrote:
> I appreciate this proposition as well as your summary for the current state
> of Wireguard for this particular case. I agree with you wholeheartedly that
> before the mass adoption of Wireguard happens these use cases should be
> addressed properly. I'd love to hear what Jason has to say about this and
> what he proposes.

I agree. Let's see what Jason says.

> I too have been thinking about all the edge cases for Wireguard. My approach
> has been to look at it from a penetration test perspective. Reality is that
> Wireguard doesn't live in isolation. As a system - hardware, OS and all its
> settings + Wireguard - connected to the Internet and a user(s) presents many
> hostile dynamics. Ultimately, whatever solution emerges needs to supplement
> the goals and features of Wireguard, otherwise it defeats the purpose.
>
> Would it make sense to create a small group to tackle this and other use
> cases - scaling, simplicity, etc? On my end, I'm not a cryptologist, but I
> can write software that would test the security of any system. I'm sure
> other members of this list have a ton of skills and experience to bring to
> this.
>
> Here's a list of things I'd like to see and would be willing to
> participate/create if they don't exist yet:
>
> 1. A honeypot server with public logs for a small team to gather and record
>    real-time traffic as an authorized user of the server - root.
> 2. A test suite that goes through all the domain specific scenarios from the
>    results of #1 and provides a verification at the end once completed.
> 3. Provide feedback from all this back to Jason for enhancements, etc. in
>    upstream Wireguard.

Honestly I'm very focused on the two issues I brought up. Those are
the most important things we don't see a clear solution to yet.

Well, we'd also like userspace to be notified of new handshakes, and
be able to reply to the kernel module whether it's a known pubkey or
not. Or something. That's a different discussion though.

Cheers,
Fredrik
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard

