undefined | Better HN

story

0 pointsLoony28y ago0 comments

The security of Wireguard is completely unknown. Sure, it might be more secure after a formal release and a security evaluation.

They even state themselves that they should not be used if security is required.

0 comments

tptacek8y ago

I don't know anyone working in the field who believes Wireguard is likely to be less secure than StrongSwan or OpenVPN, and Wireguard is something that gets talked about a lot.

It's early days for Wireguard, to be sure, but it's one of the most promising security projects there is right now.

Loony2OP8y ago

I work in the field and anybody that says that a piece of software is secure before it has even had a security evaluation by a third party does not know what they are talking about.

I think what you have seen is security people saying that the design of Wireguard seems to be equal or better than other, current, options, that doesn't mean that the implementation is just yet.

tptacek8y ago

I've spent my career doing third-party software security evaluations --- among other things, I founded the NCC Cryptography Services practice --- and I will tell you right now that the Wireguard security story is far more compelling than any third-party audit.

It's not simply the protocol design, which is superior in pretty much every conceivable way to IKE or TLS, but also the code, which is carefully written to minimize attack surface and increase reviewability.

Choosing OpenVPN or StrongSWAN over WireGuard to minimize exposure to vulnerabilities would be a dumb bet. Sometimes dumb bets pay off, but it's still dumb to make them.

jwfxpr8y ago

Could you unpack your statement about the careful code writing, or link to an explanation? We would usually expect a formal third-party audit to substantiate such a claim, but if there is other good evidence for their code's secure implementation I'd love to see it.

1 more reply

nickpsecurity8y ago

I agree with you. It needs formal evaluation by pros with time to dig into it with review and tool-assisted analysis. That said, a person as experienced at pentesting as tptacek saying the crypto and code looked good puts its trustworthiness above most options in my eyes. I mean, you rarely here good things about both in such software. The quality of average development in crypto is just that bad. I also liked what I saw when I looked at it in terms of simplicity.

dadrian8y ago

The Wireguard protocol has been symbolically verified for correctness using Tamarin.

1 more reply

__jal8y ago

I only know Thomas via his output, but will say that based on it, he very much knows what he is talking about when it comes to the design and implementation of security protocols.

j / k navigate · click thread line to collapse

0 comments

tptacek8y ago

I don't know anyone working in the field who believes Wireguard is likely to be less secure than StrongSwan or OpenVPN, and Wireguard is something that gets talked about a lot.

It's early days for Wireguard, to be sure, but it's one of the most promising security projects there is right now.

Loony2OP8y ago

I work in the field and anybody that says that a piece of software is secure before it has even had a security evaluation by a third party does not know what they are talking about.

I think what you have seen is security people saying that the design of Wireguard seems to be equal or better than other, current, options, that doesn't mean that the implementation is just yet.

tptacek8y ago

Choosing OpenVPN or StrongSWAN over WireGuard to minimize exposure to vulnerabilities would be a dumb bet. Sometimes dumb bets pay off, but it's still dumb to make them.

jwfxpr8y ago

1 more reply

nickpsecurity8y ago

dadrian8y ago

The Wireguard protocol has been symbolically verified for correctness using Tamarin.

1 more reply

__jal8y ago

I only know Thomas via his output, but will say that based on it, he very much knows what he is talking about when it comes to the design and implementation of security protocols.

j / k navigate · click thread line to collapse