<?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>LEAP Encryption Access Project</title>
<link>https://chuckmcandrew.com/leap.se/</link>
<atom:link href="https://chuckmcandrew.com/leap.se/index.xml" rel="self" type="application/rss+xml" />
<description>LEAP Encryption Access Project</description>
<generator>Source Themes Academic (https://sourcethemes.com/academic/)</generator><language>en-us</language><copyright>(c) LEAP 2020 - all rights reversed</copyright><lastBuildDate>Thu, 19 Nov 2020 00:00:00 +0100</lastBuildDate>
<image>
<url>https://chuckmcandrew.com/leap.se/images/icon_hu0b7a4cb9992c9ac0e91bd28ffd38dd00_9727_512x512_fill_lanczos_center_2.png</url>
<title>LEAP Encryption Access Project</title>
<link>https://chuckmcandrew.com/leap.se/</link>
</image>
<item>
<title>On wireguard</title>
<link>https://chuckmcandrew.com/leap.se/post/2020_07_wireguard/</link>
<pubDate>Wed, 01 Jul 2020 00:00:00 +0000</pubDate>
<guid>https://chuckmcandrew.com/leap.se/post/2020_07_wireguard/</guid>
<description><p>Our VPN is built on top of
<a href="https://openvpn.net/" target="_blank" rel="noopener">OpenVPN</a>, a well-tested and
widely used technology that has been around for almost two decades. Like most
software with that much history, it has accumulated a lot of features and code
complexity. This is great, as it has everything we need to provide a stable
service, but it also brings security issues now and then. The
OpenVPN team has been really good at handling them in a timely manner, and at
LEAP we&rsquo;ve been lucky to have designed our VPN in a way that kept us from
being affected by most of the ones that have appeared in recent years.</p>
<p>For a few years now there has been a newcomer among free software VPNs:
<a href="https://wireguard.com/" target="_blank" rel="noopener">WireGuard</a>. WireGuard uses modern cryptographic
primitives and a pretty simple protocol, and it has a small code base. This makes it a
very fast VPN and probably one less prone to security issues.</p>
<p>If WireGuard is so great why don&rsquo;t we ditch OpenVPN and use WireGuard instead?
WireGuard is great, but (yes, there is always a &ldquo;but&rdquo;) it wasn&rsquo;t designed for
our use cases and it is not trivial to make it work for us.</p>
<p>WireGuard uses UDP, which is great for speed. But many of our users are on
networks that don&rsquo;t allow UDP traffic, and for them to be able to connect we
need the VPN to support TCP. We are currently using OpenVPN in TCP mode, but
our plan for the future is to use UDP dynamically when it is available and to
fall back to TCP when it is not.</p>
<p>Some time ago there was a discussion about
<a href="https://lists.zx2c4.com/pipermail/wireguard/2018-March/002496.html" target="_blank" rel="noopener">TCP support on the WireGuard
mailing
list</a>, with
proposed solutions like using
<a href="https://github.com/securesocketfunneling/ssf" target="_blank" rel="noopener">ssf</a>,
<a href="http://www.dest-unreach.org/socat/" target="_blank" rel="noopener">socat</a> or
<a href="http://www1.cs.columbia.edu/~lennox/udptunnel/" target="_blank" rel="noopener">udptunnel</a>. All of them sound
a bit hacky: one extra moving piece that can break.</p>
<p>Another problem is that WireGuard doesn&rsquo;t provide dynamic IP allocation. We
don&rsquo;t know in advance who will connect, so we can&rsquo;t assign static IPs to each
client. We rely on OpenVPN to assign them dynamically each time a client connects.
With WireGuard we would need to build tooling around it to do all this IP
assignment without giving the service operators the possibility to correlate
users and clients to IPs.</p>
<p>Besides all these technical issues there is a security issue: the
authentication protocol of WireGuard is not forward secret. That means an
observer recording all conversations only needs to wait until the server&rsquo;s long-term
secret key gets compromised to be able to figure out which client produced
each connection. Let me remark that this doesn&rsquo;t mean the attacker can decrypt
the traffic; they only see the authentication key, so they can pinpoint a
client as being the same across different connections.</p>
<p>While this is a flaw, it is clearly an improvement over TLS 1.2 with client
certificates, which we are currently using with OpenVPN. Prior to TLS 1.3
(the latest version), if you authenticate the clients using a certificate, which we do
to avoid having a list of users, the certificate is sent unencrypted. That means that
currently an observer does not even need a compromised server private key to
track the users. We minimize that by rotating the certificate frequently, and we are
preparing a migration to TLS 1.3, which solves this problem by transferring the
certificate over a forward secret channel.</p>
<p>The dynamic IP allocation and the lack of forward secrecy for client
identifiers are being worked on in a separate tool named
<a href="https://git.zx2c4.com/wg-dynamic/about/docs/idea.md" target="_blank" rel="noopener">wg-dynamic</a> which does
handle the IP allocation and rotates the client identifier. So maybe in the
future those will be solved when wg-dynamic becomes more mature.</p>
<p>Right now, adopting WireGuard would require a lot of development work to
get around those issues and to get a new technology stable enough to be used in
production. We already have our hands full maintaining the existing service and
prefer to focus our energies on providing a more stable and smooth VPN.</p>
</description>
</item>
<item>
<title>Packaging in GNU/Linux</title>
<link>https://chuckmcandrew.com/leap.se/post/2020_06_linux_packaging/</link>
<pubDate>Thu, 18 Jun 2020 00:00:00 +0000</pubDate>
<guid>https://chuckmcandrew.com/leap.se/post/2020_06_linux_packaging/</guid>
<description><p>We frequently get asked why we don&rsquo;t do Flatpak or AppImage or Arch packages
or&hellip; for our VPN. There are many distros and many package managers in GNU/Linux. Sadly our
time is limited, and we have to decide what we focus our energies on.
Currently in GNU/Linux we are focusing our work on
<a href="https://snapcraft.io/riseup-vpn" target="_blank" rel="noopener">snap
packages</a>.</p>
<p>We know, snap has many problems. Packages often don&rsquo;t work well in distros not
based on Debian (
<a href="https://0xacab.org/leap/bitmask-vpn/-/issues/272" target="_blank" rel="noopener">#272</a>,
<a href="https://0xacab.org/leap/bitmask-vpn/-/issues/77" target="_blank" rel="noopener">#77</a>). It&rsquo;s a centralized
platform, controlled by one commercial entity, and
<a href="https://jatan.blog/2020/05/02/ubuntu-snap-obsession-has-snapped-me-off-of-it/" target="_blank" rel="noopener">not everybody agrees with
their decisions</a>.</p>
<p>Our primary target audience has always been the less computer-savvy users. In
GNU/Linux most of them use Ubuntu. That has been our main reason to focus
our energies on supporting Ubuntu first. Snap makes it very easy to include
software in Ubuntu, which is convenient too. Also, the most used
distros around are Debian-based, and snap usually works well on those.</p>
<p>Knowing that not everybody likes snap, we produce
<a href="https://riseup.net/en/vpn/linux#package-installation" target="_blank" rel="noopener">.deb
packages</a> as well and we
do our best to keep them up to date.</p>
<p>One of the other options we have explored is Flatpak. I think its architecture
is great, its security is really nice, and it solves some of the problems of snap
(it&rsquo;s not centralized, the control is in the users&rsquo; hands, &hellip;). But Flatpak is designed
to containerize applications, making it impossible to package something like a
VPN, because a VPN needs to modify the network configuration and the firewall,
which is by design not allowed by Flatpak. So Flatpak is not an option for us.</p>
<p>Snap containerizes as well, but this is something you can disable when
you make the snap by using the &lsquo;classic&rsquo; mode. We do that to be able to package
a VPN into snap.</p>
<p>As the core team, we might not have the time in the near future to work on any
other packages. But we welcome any contributors. If you would like to
package the VPN for your favourite package manager, we&rsquo;ll be really happy to
help. Don&rsquo;t hesitate to
<a href="https://0xacab.org/leap/bitmask-vpn/-/issues/new" target="_blank" rel="noopener">open an
issue</a> to discuss it there,
drop by on
<a href="https://kiwiirc.com/client/irc.freenode.net:&#43;6697/?nick=guest?#leap" target="_blank" rel="noopener">IRC</a> or
write to our
<a href="[email protected]">mailing list</a>.</p>
</description>
</item>
<item>
<title>Smack the Virus!</title>
<link>https://chuckmcandrew.com/leap.se/post/2020_04_smack_the_virus/</link>
<pubDate>Fri, 10 Apr 2020 00:00:00 +0000</pubDate>
<guid>https://chuckmcandrew.com/leap.se/post/2020_04_smack_the_virus/</guid>
<description><p>First things first: we&rsquo;re alive and kicking, staying healthy and physically distant. In fact, we are keeping our physical distance at a minimum of 450kms (that&rsquo;s 280 miles)!</p>
<p>Are you a Windows user who has tried to install or download
<a href="https://riseup.net/en/vpn" target="_blank" rel="noopener">RiseupVPN</a> and run into one of those big, red warnings?</p>
<p>It might not come as a big surprise to you, but virus and malware detection isn&rsquo;t a very precise or exact science. The heuristics used vary, but somehow they have to figure out what is malware or a virus, and if they fail to detect one, no one will want to use them again. In practice this means that there are many false positives, and alas, it has been happening too often with our software. Even though we&rsquo;re doing our very best to keep you safe, sometimes it feels like a lottery!</p>
<p>We&rsquo;ve been working hard to make this go away, and we think that the latest release makes some very significant progress. It is a painful process, sometimes very manual, as we have to file disputes with the anti-malware vendors. Have you tried the new version?</p>
<p>Remember kids, when Windows asks: &ldquo;Possible virus! Do you want to report this?&rdquo; think twice, you could be reinforcing a false report and making our job harder!</p>
<p>Don&rsquo;t forget to stay safe from your ISP (or neighbor/partner/family/&hellip;) and use a trusted VPN provider like
<a href="https://calyxinstitute.org/" target="_blank" rel="noopener">the Calyx Institute</a> or
<a href="https://riseup.net/" target="_blank" rel="noopener">Riseup</a>.</p>
<p>If you want to read more about this:</p>
<ul>
<li><a href="https://0xacab.org/leap/bitmask-vpn/-/issues/222">https://0xacab.org/leap/bitmask-vpn/-/issues/222</a></li>
<li><a href="https://en.wikipedia.org/wiki/Rogue_security_software">https://en.wikipedia.org/wiki/Rogue_security_software</a></li>
<li><a href="https://en.wikipedia.org/wiki/Antivirus_software#Issues_of_concern">https://en.wikipedia.org/wiki/Antivirus_software#Issues_of_concern</a></li>
</ul>
<p>When you want to help out:</p>
<ul>
<li>Code &amp; Bugtracker: <a href="https://0xacab.org/leap">https://0xacab.org/leap</a></li>
<li>♥ donation: <a href="https://leap.se/en/about-us/donate">https://leap.se/en/about-us/donate</a></li>
<li>Desktop translations: <a href="https://www.transifex.com/otf/bitmask/RiseupVPN/">https://www.transifex.com/otf/bitmask/RiseupVPN/</a></li>
<li>Android translations: <a href="https://www.transifex.com/otf/bitmask-android/dashboard/">https://www.transifex.com/otf/bitmask-android/dashboard/</a></li>
<li>Mailinglist: <a href="mailto:[email protected]">[email protected]</a></li>
<li>Chat: ircs://irc.freenode.org/#leap; if you don&rsquo;t have an IRC client, you can use a gateway like
<a href="https://about.riot.im/" target="_blank" rel="noopener">Matrix</a></li>
</ul>
<p>Image by Ross Harmes: <a href="https://www.flickr.com/photos/rossharmes/4347385767">https://www.flickr.com/photos/rossharmes/4347385767</a></p>
</description>
</item>
</channel>
</rss>