From: "Fredrik Strömberg" <stromberg@mullvad.net>
To: WireGuard mailing list <wireguard@lists.zx2c4.com>
Subject: Re: WireGuard deployment considerations for improved privacy
Date: Fri, 18 Jan 2019 09:19:42 +0100	[thread overview]
Message-ID: <CANTUoedKsjKTU8a+R82ay4XsU9vcfZy2dyTHogbAPfL+brnNHQ@mail.gmail.com> (raw)
In-Reply-To: <470369034.543038.1547656460486@mail.yahoo.com>

On Wed, Jan 16, 2019 at 5:34 PM Jose Marinez <jedi_papi@yahoo.com> wrote:
> I appreciate this proposition as well as your summary for the current state of Wireguard for this particular case. I agree with you wholeheartedly that before the mass adoption of Wireguard happens these use cases should be addressed properly. I'd love to hear what Jason has to say about this and what he proposes.
>
I agree. Let's see what Jason says.

> I too have been thinking about all the edge cases for Wireguard. My approach has been to look at it from a penetration test perspective. Reality is that Wireguard doesn't live in isolation. As a system - hardware, OS and all its settings + Wireguard - connected to the Internet and a user(s) presents many hostile dynamics.
>
> Ultimately, whatever solution emerges needs to supplement the goals and features of Wireguard, otherwise it defeats the purpose.
>
> Would it make sense to create a small group to tackle this and other use cases - scaling, simplicity, etc? On my end, I'm not a cryptologist, but I can write software that would test the security of any system. I'm sure other members of this list have a ton of skills and experience to bring to this.
>
> Here's a list of things I'd like to see and would be willing to participate/create if they don't exist yet:
>
> 1. A honeypot server with public logs for a small team to gather and record real-time traffic as an authorized user of the server - root.
> 2. A test suite that goes through all the domain specific scenarios from the results of #1 and provides a verification at the end once completed.
> 3. Provide feedback from all this back to Jason for enhancements, etc. in upstream Wireguard.
>
Honestly I'm very focused on the two issues I brought up. Those are
the most important things we don't see a clear solution to yet.

Well, we'd also like userspace to be notified of new handshakes, and
be able to reply to the kernel module whether it's a known pubkey or
not. Or something. That's a different discussion though.

Cheers,
Fredrik
_______________________________________________
WireGuard mailing list
WireGuard@lists.zx2c4.com
https://lists.zx2c4.com/mailman/listinfo/wireguard


Thread overview: 6+ messages
2019-01-14 10:23 WireGuard deployment considerations for improved privacy Fredrik Strömberg
2019-01-14 12:53 ` Matthias Urlichs
     [not found] ` <CAOAVeL0Hv343JWU1m06p-WaspsNFpB6Tnw6EdYr=LdMVQLM0AQ@mail.gmail.com>
2019-01-15 10:56   ` Fredrik Strömberg
     [not found]     ` <CAOAVeL32OBbhyzrJ-z6nLYMUUJsOFOSVNpbo4wdQN3zV=6yndw@mail.gmail.com>
2019-01-15 14:27       ` Fredrik Strömberg
2019-01-16 16:34         ` Jose Marinez
2019-01-18  8:19           ` Fredrik Strömberg [this message]
