Hi,
I was just wondering if anyone out there was familiar with some of the recent SSL vulnerabilities (i.e. BREACH), and could comment if they might theoretically apply to OpenVPN's use of SSL. If they do, is there an easy way to mitigate this issue? From what I've read the problem has to do with how some data is compressed for transmission. So, would turning off OpenVPN's compression mitigate any potential risk?
I confess I don't know enough to even pretend to speak intelligently on this subject, but I'm hoping someone else out there does.
Thanks!
Do recent SSL issues like 'BREACH' affect OpenVPN?
Re: Do recent SSL issues like 'BREACH' affect OpenVPN?
Turning off compression would help to mitigate the risk. The principle used in BREACH would apply here also, but it would be more difficult as it would require the attacker getting the victim to send requests with chosen plaintext the attacker knows.
Note that using OpenVPN to help mitigate against BREACH when the user is accessing a vulnerable web server and application may not be effective. Assume you had OpenVPN compression disabled but the HTTPS web application had HTTP compression still enabled and was vulnerable. Even though the attacker cannot observe the HTTPS encrypted packets (which have compressed HTTP data), the attacker could still deduce the response length based on the OpenVPN packets' length.
Currently there is no PoC against OpenVPN, but it is a possible attack vector. The complexity of analyzing the proper padding and length would make such an attack time intensive to develop.
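The following is an added illustration of the reply above, not code from the thread or from OpenVPN. It models which compression settings let the size of a tunnelled response depend on its content. `zlib` stands in for both OpenVPN's compression and HTTP compression, and the response body, secret and overhead constants are constructed assumptions.

```python
import zlib

SECRET = "csrf_token=4f9a1c7e2b8d3a60"   # constructed sample secret (27 chars)
NO_MATCH = "Zq7!Xw2#Lk9@Vr5$Tn4%Hp8&Jd6"  # constructed, same length, no overlap
TLS_OVERHEAD = 29      # assumed constant per-record overhead (illustrative)
TUNNEL_OVERHEAD = 41   # assumed constant per-packet overhead (illustrative)


def body(reflected: str) -> bytes:
    """Constructed response that echoes a request value next to a secret."""
    return (f"<html><body><p>search: {reflected}</p>"
            f"<input type='hidden' value='{SECRET}'></body></html>").encode()


def observed_length(plaintext: bytes, http_compression: bool,
                    tunnel_compression: bool, inner_tls: bool) -> int:
    """Bytes an on-path observer of the tunnel sees for one response."""
    data = zlib.compress(plaintext) if http_compression else plaintext
    if inner_tls:
        # Encryption hides content but preserves size, and ciphertext does
        # not compress, so tunnel compression has nothing to shrink here.
        return len(data) + TLS_OVERHEAD + TUNNEL_OVERHEAD
    if tunnel_compression:
        data = zlib.compress(data)
    return len(data) + TUNNEL_OVERHEAD


def length_gap(http_compression: bool, tunnel_compression: bool,
               inner_tls: bool) -> int:
    """Observed size difference between a response whose echoed value
    differs from the secret and one whose echoed value repeats it."""
    cfg = (http_compression, tunnel_compression, inner_tls)
    return (observed_length(body(NO_MATCH), *cfg)
            - observed_length(body(SECRET), *cfg))


if __name__ == "__main__":
    cases = [
        ("plain HTTP, tunnel compression on", (False, True, False)),
        ("plain HTTP, tunnel compression off", (False, False, False)),
        ("HTTPS + HTTP compression, tunnel compression off", (True, False, True)),
        ("HTTPS, no HTTP compression, tunnel compression off", (False, False, True)),
    ]
    for label, cfg in cases:
        gap = length_gap(*cfg)
        print(f"{label}: gap = {gap} bytes -> {'leaks' if gap else 'no signal'}")
```

A non-zero gap means the observable packet size depends on the response content. The third case is the one the reply warns about: the signal comes from the web application's own compression, so it has to be addressed there as well as in the tunnel configuration.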