OpenVPN: VORACLE attack

Is default openVPN via foris vulnerable?

1 Like

I found
comp-lzo
in openvpn config provided by foris. related to https://en.wikipedia.org/wiki/Lempel–Ziv–Oberhumer

EDIT: https://speakerdeck.com/skepticfx/voracle-compression-oracle-attacks-on-vpn-tunnels?slide=24 more info here. it was first published on Black Hat

Those reports neglect to mention that TLS 1.3 removes compression and thereby mitigates attack vectors of this sort.

Thus once implemented in OpenVPN and such updated package published to TO users this would be history.

what is the benefit of waiting x years for tls1.3 to maybe land in turrisos vs. just changing a config variable now?