We're getting pushback from a third party (a much larger company) over our decision to use OpenVPN to protect our AWS resources. Specifically, they're claiming that closed source is in general more secure than open source, a claim that is effectively addressed here. The consensus here and elsewhere seems to be that there's no advantage to either choice in general.

However, we're looking at a specific piece of software here, OpenVPN. Are there specific reasons why OpenVPN would be considered less secure than commercial VPN service alternatives?

– rambler

  • Note that the OpenVPN tool has recently been evaluated by [two](https://www.privateinternetaccess.com/blog/2017/05/openvpn-2-4-evaluation-summary-report/#section_3_1) [independent](https://ostif.org/the-openvpn-2-4-0-audit-by-ostif-and-quarkslab-results/) third parties and given a [nearly clean](https://www.theregister.co.uk/2017/05/16/openvpn_security_audit/) bill of health. – rambler May 31 '17 at 16:16
  • This is a common open vs. closed source argument. It's a conflation of known issues with open source solutions like OpenSSL, which has been under tremendous fire very recently. I would argue open source is very often scrutinized more publicly and is thrashed heavily for any shortcomings. Third party solutions have similar issues, and there is no real true case (that I can account for) that one is inherently more secure than the other (so long as the project is heavily tested and actively maintained). – Signus Jun 01 '17 at 00:37
  • Obscurity is not security; don't be lulled in by those pitching it as such. If you don't know what code you're running, how can you make security claims about it? No serious cryptographer would use an algo that wasn't open to review; that's a complete disregard of Kerckhoffs's security principle. – dandavis Jun 01 '17 at 02:49

3 Answers


OpenVPN is a trusted, well-used open source VPN application, as you know. At the end of the day, if your third party doesn't want to use it and you have no contractual power to decide on the use of OpenVPN, I don't see what people on here can do to help. You even link to recent audits yourself.

– ISMSDEV


While I am only guessing here, I think the typical objection to OS solutions could be traced to various audit requirements that force organizations to use only maintained solutions. With closed source it is a straightforward checkbox requirement: look at a service contract or license. With OS you have to provide proof that the project is updated and vulnerabilities are addressed.

I suggest offering evidence (a CVE search, patch history, the independent reports you linked) and asking what specific objections they have to OpenVPN.

– Kirill Sinitski


There is a pretty simple answer to this: the security should not rely on the source code being closed. If it's good and secure VPN software, it should withstand a review of the source code. This is also one of the reasons why I prefer OpenVPN over other, closed source VPN solutions: with OpenVPN there are many thousands of people reviewing the source code looking for mistakes or vulnerabilities. When someone finds a fault in the code, it's reported and fixed.

It is also possible for the end user to download the OpenVPN source code from the OpenVPN web page, verify the download by checking that the signature matches, and compile it themselves. In this way the OpenVPN community can guarantee that there are no malicious changes in the software.

That said, the security still depends on the configuration of the OpenVPN software: use secure algorithms, good certificate handling, etc. The Dutch government has modified OpenVPN so it meets the requirements for transporting classified data. They have also released the modified source under the name OpenVPN-NL.

– BufferOverflow