Comments on: Flaw found in VPN crypto security

Problem in a popular encryption technology could let hackers intercept communications between remote workers and a company network.

Need a little more
by Marcus Westrup May 13, 2005 1:31 AM PDT
Not much detail in this report - it implies that all IPsec is at risk despite the numerous implementations and protocols available. I find it hard to believe that this flaw affects all vendors.
So where is the real story?
I Agree
by May 13, 2005 5:49 AM PDT
Where's the beef?

This sounds like a potentially far-reaching issue. More details would be appreciated.
The real story isn't as sensational
by May 13, 2005 10:32 AM PDT
If you read the NISCC advisory, you'll see this only applies to ESP packets that don't have an accompanying integrity check such as MD5 or SHA-1. I haven't seen any IPsec device that doesn't make use of integrity checks, but there are probably poorly designed implementations out there that make this mistake.

I would say that if you see MD5 or SHA-1 in your IPsec policy then you have nothing to worry about.
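
Added example, not part of the original comments or of the NISCC advisory: a small audit of an ESP policy that reports every proposal offering encryption with no integrity check, since a peer may select any proposal that is offered. The hyphen-separated `cipher-integrity` notation, the algorithm token names beyond MD5 and SHA-1, and the sample policy are assumptions made for illustration.

```python
import re

# Assumed token names (only MD5 and SHA-1 are named in the comment above).
INTEGRITY = re.compile(r"^(md5|sha1|sha256|sha384|sha512)(_\d+)?$")
# Combined-mode (AEAD) ciphers authenticate the packet themselves.
AEAD = re.compile(r"^(aes\d*(gcm|ccm)\d*|chacha20poly1305)$")


def audit_esp_policy(policy):
    """Classify each comma-separated ESP proposal in `policy`.

    Returns a list of (proposal, verdict) pairs, where verdict is
    'ok-integrity', 'ok-aead' or 'encryption-only'.
    """
    results = []
    for proposal in filter(None, (p.strip().lower() for p in policy.split(","))):
        tokens = proposal.split("-")
        if any(AEAD.match(t) for t in tokens):
            verdict = "ok-aead"
        elif any(INTEGRITY.match(t) for t in tokens):
            verdict = "ok-integrity"
        else:
            # No integrity algorithm in this proposal: the case the
            # advisory is about.
            verdict = "encryption-only"
        results.append((proposal, verdict))
    return results


def policy_is_exposed(policy):
    """True if any single proposal would allow ESP without integrity."""
    return any(v == "encryption-only" for _, v in audit_esp_policy(policy))


if __name__ == "__main__":
    # Constructed sample policy: SHA-1 and MD5 appear in it, but the
    # third proposal still permits encryption-only ESP.
    sample = "aes128-sha1, 3des-md5-modp1024, 3des, aes256gcm16"
    for proposal, verdict in audit_esp_policy(sample):
        print(f"{proposal:20} {verdict}")
    print("exposed:", policy_is_exposed(sample))
```
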
no story
by May 13, 2005 10:46 AM PDT
There is no story.
The substance of the warning is: "If you misconfigure your VPN, it might not work."

The real story is that CERT and NISCC have so little of relevance to do with themselves that they are issuing garbage like this.

Probably what happened is that someone important (therefore too important to actually read the documentation) made a stupid mistake, put his entire organization at risk, and is now forcing CERT to issue a warning. There are perhaps three people like that: someone at Homeland insecurity, someone at MI5, or someone at CERT.