-2

Which vendors of network products like firewalls, routers, switches, VPN software and similar are likely to be free from backdoors, already built-in surveillance capabilities, or secretly broken encryption keys inserted by the NSA? Is there an independent vendor that can say no to NSA cheating?

John
  • 167
  • 4
  • 2
    I propose to close the question. Given that you don't trust the vendors since they might have added secret backdoors you similarly should not trust any advice you get here about backdoor-free systems since these might be deliberately false to trick you into trusting specific vendors. Also, one vendor which might be "clean" today might be corrupted tomorrow. – Steffen Ullrich Apr 28 '18 at 18:40
  • I do not agree. A few years ago, at an Allied Telesis presentation of their network devices, one of the main items in their portfolio was that their devices aren't subject to NSA regulation. We all knew what the presenter meant. Cisco, for example, never said anything similar. I emphasized that I need information for the year 2018. – John Apr 28 '18 at 19:40
  • 1
    I see: you actually trust both the vendors and this forum to not lie to you. In this case I recommend that you figure out exactly what kind of use case you have, find out which products fit this use case and then ask the specific vendors about their relationship to the NSA. Because, at the end you need to have some problem solved and cannot just switch to a trusted vendor even though it doesn't provide solutions for your problem. – Steffen Ullrich Apr 28 '18 at 19:53
  • 1
    Even if a vendor is free from regulation, you have no idea if a shipment has been intercepted and the device altered. Plus you are assuming that some guys on a random web site aren’t lying to you. – myron-semack Apr 29 '18 at 18:56

1 Answer

2

Open source software, like OpenVPN, is likely to be free of back-doors. Other than that, it depends on how paranoid you are, but it is possible for back-doors to be in everything.

While companies based in other countries may be able to say no, the NSA, according to leaks, had a budget to pay them for cooperation. They could also make it hard for resisting companies to sell in the US, which is a huge market.

Note: As Steffen Ullrich mentioned, there may be hard-to-find back-doors in open software, such as a careful choice of DH keys. To avoid these, you want to generate your own keys and parameters. Using your own will prevent any such back-door. You also don't want to use NIST curves for elliptic cryptography.

Peter Harmann
  • 7,728
  • 5
  • 20
  • 28
  • 1
    While it is more likely that open source software is free of obvious backdoors there might be backdoors which are less obvious. These could be for example the choice of specific DH keys which allow a NOBUS (Nobody but us) attack. See [How to Backdoor Diffie-Hellman](https://www.cryptologie.net/article/360/how-to-backdoor-diffie-hellman-quick-explanation/). – Steffen Ullrich Apr 28 '18 at 18:29
  • Additionally, there is no functional difference between a backdoor and a 0day with equivalent capabilities. And the NSA (or rather, contractors they hire) _do_ have 0days for OpenVPN and many other popular applications (at least in their default configuration). – forest Apr 29 '18 at 09:37