
Re: [News] Microsoft 'Extends' VPN Protocol

Roy Schestowitz wrote:

> Microsoft readies new VPN protocol
> 
> ,----[ Quote ]
> | Microsoft currently has no plans to seek standardization for SSTP.
> `----
> 
> http://arstechnica.com/journals/microsoft.ars/2007/1/21/6698
> 
> 
> Yet another case of breaking protocols. Extend to extinguish.
> 
> The Microsoft Zombie Army will force Samba out of the Enterprise
> 
> ,----[ Quote ]
> | Vista is to ship with a new version of SMB, called SMB2. At
> | minute 40 in this FLOSS Weekly podcast, Jeremy Allison of
> | Samba talks of behavior that will flood the network with
> | 1500 packets just to do a network file delete. This will
> | turn Vista computers into a DOS (Denial of Service) attack
> | upon Samba based computers on the network.
> `----
> 
> http://www.twit.tv/floww14

Message to MS.

"Microsoft believes that SSTP will help to eliminate issues where current
VPN protocols are blocked by firewalls, routers, and web proxies."

Firewalls, routers and proxies are *supposed* to block unwanted traffic,
until you tell them that it *is* wanted. This isn't a problem, it's correct
behaviour.

"Client authentication at the PPP layer, not at the HTTPS layer".

Why MS? The point here is that at https the authentication is already
handled, from login-comms-logout. We have had encrypted login at ppp for a
long time, but it wasn't the best way to deal with anything but short
bursts of secure communications; that is why we went ssl proper.

Ok, so MS are going to use ssl at this level. But how will the user know if
they are in secure communications?
        http:www.yourbank.com

What is it in that address that is telling the user that his comms are safe?
How does he distinguish between a secure site and a plain text site? Oh I
know, it will be a little icon in the status bar. Unfortunately it is
really really easy to stick an icon in the status bar.

"Application independent"

What part of ssl is application dependent? The tunnel is not and never has
been the application, it is just a tunnel.

I wonder if MS realise that a tunnel, once opened, is open. It doesn't matter
how secure the communications themselves are; if the device at either end is
unsafe then there is no safety. It's like the channel tunnel: no one can get
in through the side walls, but they can very easily get in from the French
side, because it isn't well protected.

MS's proposal of putting all comms onto the ppp system isn't a clever new
invention, it's a system that we moved away from because there are better
ways to do it. In fact it could very easily be argued that they are going
in the wrong direction, i.e. that all of the internet comms should head for
ssl of some kind, to improve tracing of spammers/hackers and other rogues.
