OpenBSD IPSec "Backdoor"

We received plenty of e-mail alerting us to a mailing list post [1] alleging a backdoor in the OpenBSD IPSec code. The story is too good to pass up and has been repeated on Twitter and other media. However, aside from the mailing list post, there is little if any hard evidence of such a backdoor. The code in question is 10 years old. Since then, it has been changed, extended, patched and copied many times. I personally have neither the time nor the skill to audit code of the complexity found in modern crypto implementations. But my gut feeling is that this is FUD, if not an outright fraud.

Keep using VPNs. If you are worried, limit the crypto algorithms used to more modern ones. It is always a good idea to build additional defensive layers and review configurations from time to time. But at some point, you have to decide who you trust in this game and how paranoid you can afford to be.

[1] http://marc.info/?l=openbsd-tech&m=129236621626462&w=2

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Does this mean I can stop worrying about Kernighan's C compiler backdoor?
Anonymous
