a cryptosystem should be secure, even if everything about the system, except the key, is public knowledge
What this is saying is that in a secure cryptosystem all you need to secure is the key.
Curve 25519 is, for the time being, considered a secure cryptosystem. It’s likely that in the future it will become obsolete, but we’re not there yet. When we get there WG will port to a new cipher that is more secure.
Even if you set your configs to not negotiate, just the fact that the stack COULD negotiate opens you up to downgrade attacks. Also, anybody trying to connect would get some kind of hello/response traffic that would broadcast your (non negotiable) configs, so what do you gain from being able to choose, except the ability to make mistakes?
Well, I did think the “security through obscurity” line would come up. But that’s really something that should be reserved for people making their own “triple XOR” crypto implementations closed source and hoping that protects them.
The “obscurity” if it’s the term we want to use here in my use case isn’t hiding using closed source to provide a perception of security. It’s just giving a choice of crypto, but not adding to the protocol with negotiation.
My thinking is this, and we’ll look at say ssh. We can choose between multiple key types and lengths for that. Now let’s say for example ed25519 is compromised (in real terms I think the only likely compromise for any of the ssh key based auth options would be deriving a private key from the public key, so the “scanning” I talk about is a fantasy. But I’m going with it!). For ssh, there will for sure be bots hunting the internet for vulnerable ssh servers very soon after. Automating the process of getting in, installing whatever nefarious tools they want and moving on. But, crucially they will only get those that have used ed25519 for their auth key login. However they might well get every single wireguard vpn.
I’m really just advocating for the same option really. The option to not use the same as everyone else. With no reduction in security for anyone else and no need to negotiate, the onus would entirely be on the operator to ensure the same stack is configured on client and server. Of course with the understanding that using any other stack is at your own risk. E.g. “triple XOR” security might not be the best, for example :P
Oh and as I said, I doubt I would use it. I use wireguard as it is, I like wireguard as it is. But, I feel like having options is not a bad thing, provided the default is the “best” option currently known.
I think your example of SSH is actually the perfect counterpoint to your position!
SSH is versatile but there’s SO many ways to configure it in an insecure way. It’s important for SSH to be versatile because of how many different devices need it, but that also means it’s really easy to have a config that supports crappy ciphers (3DES, RC4, etc), or enabling root login, or pick any other hundred problems that are either due to user misconfigs or just inherent vulnerabilities in a cipher or key exchange method. Its versatility is the core of its weaknesses.
For ssh, there will for sure be bots hunting the internet for vulnerable ssh servers very soon after. Automating the process of getting in
This already happens right now. If you have 22 open, your firewall is getting hammered with bots trying to get in, regardless of what cipher you’re using, trying to exploit known weaknesses.
WG was never meant to be a swiss army knife, even though it is also versatile. It’s designed to be fast, secure, and as dummy proof as possible.
giving a choice of crypto, but not adding to the protocol with negotiation.
I’m not sure how you’d achieve this. If you have a mechanism to change cipher modes then there would be part of the codebase and handshake that validates settings in some way, which adds potential attack vector.
History shows that every cipher mode eventually will be vulnerable to new computing power, I don’t think that’s avoidable. Quantum computing is the next big event on the horizon, which is why quantum resistant ciphers, even old ones that never really got adopted, are getting a lot of attention if they’re deemed to be quantum resistant.
The important thing is that if, not when, it’s reported that the cipher is vulnerable that people harden their networks in other ways until a new cipher mode is implemented. That’s just how it works IMO. Edge security cannot and should not be your only security method anyways.
Overlay VPNs like tailscale and zerotier are interesting to me because you don’t have to open any ports. I’m sure they have their own inherent vulnerabilities also but they don’t make you punch holes in your firewall, which makes them less vulnerable to random attackers trying to scan your network edge.
This already happens right now. If you have 22 open, your firewall is getting hammered with bots trying to get in, regardless of what cipher you’re using, trying to exploit known weaknesses.
I know, except they’re only ever trying lame user/password pairs that only an idiot would have on their luggage. Same as on asterisk and the bots trying to exploit decades old exploits on wordpress etc. Regardless of whether the site you host is even remotely like wordpress.
I’m not sure how you’d achieve this. If you have a mechanism to change cipher modes then there would be part of the codebase and handshake that validates settings in some way, which adds potential attack vector.
Doesn’t need to change the handshake. If the server is mine, and run by me and I decide I was to change say, just the key exchange part of the process. It could be changed without negotiation. I just need to make sure all clients are configured the same way. My point being there wouldn’t be a negotiation. If you try to connect to wireguard on my server, you’d need to have the key exchange setup in the same way, with the same parameters too. Yes, it should be entirely optional and require specific configuration changes on both client and server to achieve. So long as server and client are configured with the same parameters there’s no negotiation to make. The channel can be setup and if the configuration is wrong it just won’t work.
It sounds as if you’re falling prey to the allure of security through obscurity.
I’d like to remind you of Kerckhoff’s Principle.
a cryptosystem should be secure, even if everything about the system, except the key, is public knowledge
What this is saying is that in a secure cryptosystem all you need to secure is the key.
Curve 25519 is, for the time being, considered a secure cryptosystem. It’s likely that in the future it will become obsolete, but we’re not there yet. When we get there WG will port to a new cipher that is more secure.
Even if you set your configs to not negotiate, just the fact that the stack COULD negotiate opens you up to downgrade attacks. Also, anybody trying to connect would get some kind of hello/response traffic that would broadcast your (non negotiable) configs, so what do you gain from being able to choose, except the ability to make mistakes?
Well, I did think the “security through obscurity” line would come up. But that’s really something that should be reserved for people making their own “triple XOR” crypto implementations closed source and hoping that protects them.
The “obscurity” if it’s the term we want to use here in my use case isn’t hiding using closed source to provide a perception of security. It’s just giving a choice of crypto, but not adding to the protocol with negotiation.
My thinking is this, and we’ll look at say ssh. We can choose between multiple key types and lengths for that. Now let’s say for example ed25519 is compromised (in real terms I think the only likely compromise for any of the ssh key based auth options would be deriving a private key from the public key, so the “scanning” I talk about is a fantasy. But I’m going with it!). For ssh, there will for sure be bots hunting the internet for vulnerable ssh servers very soon after. Automating the process of getting in, installing whatever nefarious tools they want and moving on. But, crucially they will only get those that have used ed25519 for their auth key login. However they might well get every single wireguard vpn.
I’m really just advocating for the same option really. The option to not use the same as everyone else. With no reduction in security for anyone else and no need to negotiate, the onus would entirely be on the operator to ensure the same stack is configured on client and server. Of course with the understanding that using any other stack is at your own risk. E.g. “triple XOR” security might not be the best, for example :P
Oh and as I said, I doubt I would use it. I use wireguard as it is, I like wireguard as it is. But, I feel like having options is not a bad thing, provided the default is the “best” option currently known.
I think your example of SSH is actually the perfect counterpoint to your position!
SSH is versatile but there’s SO many ways to configure it in an insecure way. It’s important for SSH to be versatile because of how many different devices need it, but that also means it’s really easy to have a config that supports crappy ciphers (3DES, RC4, etc), or enabling root login, or pick any other hundred problems that are either due to user misconfigs or just inherent vulnerabilities in a cipher or key exchange method. Its versatility is the core of its weaknesses.
This already happens right now. If you have 22 open, your firewall is getting hammered with bots trying to get in, regardless of what cipher you’re using, trying to exploit known weaknesses.
WG was never meant to be a swiss army knife, even though it is also versatile. It’s designed to be fast, secure, and as dummy proof as possible.
I’m not sure how you’d achieve this. If you have a mechanism to change cipher modes then there would be part of the codebase and handshake that validates settings in some way, which adds potential attack vector.
History shows that every cipher mode eventually will be vulnerable to new computing power, I don’t think that’s avoidable. Quantum computing is the next big event on the horizon, which is why quantum resistant ciphers, even old ones that never really got adopted, are getting a lot of attention if they’re deemed to be quantum resistant.
The important thing is that if, not when, it’s reported that the cipher is vulnerable that people harden their networks in other ways until a new cipher mode is implemented. That’s just how it works IMO. Edge security cannot and should not be your only security method anyways.
Overlay VPNs like tailscale and zerotier are interesting to me because you don’t have to open any ports. I’m sure they have their own inherent vulnerabilities also but they don’t make you punch holes in your firewall, which makes them less vulnerable to random attackers trying to scan your network edge.
I know, except they’re only ever trying lame user/password pairs that only an idiot would have on their luggage. Same as on asterisk and the bots trying to exploit decades old exploits on wordpress etc. Regardless of whether the site you host is even remotely like wordpress.
Doesn’t need to change the handshake. If the server is mine, and run by me and I decide I was to change say, just the key exchange part of the process. It could be changed without negotiation. I just need to make sure all clients are configured the same way. My point being there wouldn’t be a negotiation. If you try to connect to wireguard on my server, you’d need to have the key exchange setup in the same way, with the same parameters too. Yes, it should be entirely optional and require specific configuration changes on both client and server to achieve. So long as server and client are configured with the same parameters there’s no negotiation to make. The channel can be setup and if the configuration is wrong it just won’t work.