From: Roman Mamedov <rm@romanrm.net>
To: Brian Candler <b.candler@pobox.com>
Cc: wireguard@lists.zx2c4.com
Subject: Re: Reflections on WireGuard Design Goals
Date: Fri, 10 Aug 2018 20:03:46 +0500 [thread overview]
Message-ID: <20180810200346.0e9646ac@natsu> (raw)
In-Reply-To: <b66a15d1-c4f1-78a5-cf5a-4d2a4ca9ce54@pobox.com>
On Fri, 10 Aug 2018 14:35:14 +0100
Brian Candler <b.candler@pobox.com> wrote:
> From my point of view, the only thing which makes me uncomfortable=20
> about wireguard is the lack of any second authentication factor. Your=20
> private key is embedded in a plaintext file in your device (e.g.=20
> laptop), not even protected with a passphrase.=C2=A0 Anyone who gains acc=
ess=20
> to that laptop is able to establish wireguard connections.
>=20
> Of course, it can be argued that the laptop holds other information=20
> which is more valuable that the wireguard key, therefore you should=20
> concentrate on properly securing the laptop itself (*). Furthermore, to=20
> be able to talk to the wireguard kernel module you're already root, and=20
> therefore have all sorts of malicious options available to you. etc etc
>=20
> But I'd feel a lot happier if a second level of authentication were=20
> required to establish a wireguard connection, if no packets had been=20
> flowing for more than a configurable amount of time - say, an hour. It=20
> would give some comfort around lost/stolen devices.
Couldn't you just encrypt your home directory? Or even the root FS entirely.
Either of those should be a must on a portable device storing valuable
information.
--=20
With respect,
Roman
next prev parent reply other threads:[~2018-08-10 14:52 UTC|newest]
Thread overview: 20+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <mailman.1318.1533866648.2201.wireguard@lists.zx2c4.com>
2018-08-10 13:35 ` Reflections on WireGuard Design Goals Brian Candler
2018-08-10 14:09 ` Matthias Urlichs
2018-08-10 14:09 ` Kalin KOZHUHAROV
2018-08-10 14:42 ` Eisfunke
2018-08-10 14:47 ` Konstantin Ryabitsev
2018-08-10 15:03 ` Roman Mamedov [this message]
2018-08-10 16:03 ` Brian Candler
2018-08-10 16:38 ` Kalin KOZHUHAROV
2018-08-10 16:40 ` jungle Boogie
2018-08-10 17:12 ` Aaron Jones
2018-08-10 17:25 ` jungle Boogie
2018-08-10 20:15 ` em12345
2018-08-10 23:07 ` Reuben Martin
2018-08-11 19:18 ` Jason A. Donenfeld
2018-08-11 22:52 ` Luiz Angelo Daros de Luca
2018-08-12 0:15 ` Aaron Jones
2018-08-12 0:46 ` Jason A. Donenfeld
2018-08-12 1:07 ` Aaron Jones
2018-08-09 21:52 Jason A. Donenfeld
2018-08-10 15:19 ` nicolas prochazka
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180810200346.0e9646ac@natsu \
--to=rm@romanrm.net \
--cc=b.candler@pobox.com \
--cc=wireguard@lists.zx2c4.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.