user auth too low-grade for securing sites

Please feel free to post questions about SoftEther VPN in this forum.
vonp
Posts: 2
Joined: Sun Mar 16, 2014 4:11 pm

user auth too low-grade for securing sites

Post by vonp » Sun Mar 16, 2014 4:28 pm

SoftEther VPN Project (stable release)
As of 2014.03.15: RTM Version 4.04, BUILD 9412 dtd 2014.01.15

IT IS VERY DISAPPOINTING TO HAVE SPENT HOURS PERUSING THEIR SITE AND DOING INITIAL SET-UPS AND THEN DISCOVER THAT THEY HAVE NO ACCESS-CONTROL — AFTER A YEAR OF SELF-PROMOTION OF AVAILABILITY — AT A LEVEL REQUIRED FOR A SECURE SITE (explanation, infra).

softether have promised log-in authentication in the following flavors:
1.) anonymous
2.) password
3.) X.509 certificate-based authentication:
a.) individual certificate (similar to a public-/private-key method)
b.) authority (CA: self-signed or purchased) signed certificate
4.) RADIUS authorization (external to softether)
5.) NT Domain authorization (external to softether)

NOTES by Items:
1. no IT mgr in his right mind would allow anonymous site access, so this option is useless.
2. password-only access has so many holes and pitfalls that it is nearly useless.
3 ~ 5. THE ONLY FOUR (4) USER AUTHENTICATION METHODS ACCEPTABLE TO ANY SITE WITH HALF A MIND DEVOTED TO SECURITY ARE NOT IMPLEMENTED. this is despite the fact that their original docs from a year ago until today, their blurbs promoting their software (S/W) on other sites (softpedia, cnet, et alii), their own-site S/W feature discourses, their set-up/maintenance dialogues in their own distributed S/W, ... everything! says that these four (4) methods are available and working. they even have mentioned that systems with a large number of users should invest time and money in implementing their own outside certificate authority system (openssl et cetera) for certificate-issuance to connecting clients (users). they even have the rudiments in their own S/W (which DOES work) to create certificates for usage (or, at least, testing) in methods mentioned in 3, supra.

what is a 'SECURE SITE'? it is one that must protect:
• proprietary info (most likely a very costly loss for a business if purloined)
• personally-identifiable info (aka PII: not only protected by law in most targeted places such as EU, CH, US, CA, JP, AU, NZ ...; but, also, a potentially huge fiscal liability if compromised and/or stolen)
• financial records that reveal relationships with banks, lenders, paypal, and the like which can include account numbers, passwords, and other empowerment details
• logs, back-ups, and other historical records
• site content and databases that represent many, many man-hours of input that could become a total loss
• against the losses due to business interruptions caused by site dysfunctions and/or customer and vendor losses in confidence in the reliability of the business.

there is a very separate and distinct liability of any business or individual who causes the disruption of a web site of a business involved with the government. the obvious concern for the confidentiality of government data might seem like all there is to worry about. WRONG! even something as low-key and mundane as delivery of janitorial supplies can involve risks such as preferential personnel access avenues exploitable at a national-security level of concern. i have personally seen the swarm of auditors and investigators an IT system compromise can bring upon a targeted small business, let alone an enterprise-class one.

basically, any site that relies in any part on public access to its sites to further its business has to be a 'SECURE SITE'. moreover, much is made of the fact that softether's home-/mobile-access to a business system is as "easy-as-pie" and does not require any 'root' or 'system admin' rights to implement. what is NOT mentioned is that this is a two-way street because your home/mobile system becomes just as accessible as the business side. while the fiscal damage may not be as large or even quantifiable, it could be just as severe ... or just inconvenient. imagine a CEO's personal web-browsing, downloading, and email being splashed across the Internet.

softether has promised emulations of other tunnelling applications and i will not bother to check out those features to see if they are also "vapor-ware" despite the multitudinous claims made in their S/W docs and web-site content on a par with their claims for five (5) user authentication methods when a lone one (1) method is working.

when softether's performance meets its rhetoric, they will have a great offering that should bring them well-earned kudos. until then, their lack of honesty in their claims and non-working modules in their distributions does little to earn one's respect and, undoubtedly, has and will be to their ultimate detriment. it is also hard to imagine that a university — that surely must honor its commitment to integrity — would permit such a disparate state to so long exist between claims and reality.

dnobori
Posts: 228
Joined: Tue Mar 05, 2013 10:04 am

Re: user auth too low-grade for securing sites

Post by dnobori » Thu Mar 20, 2014 2:51 pm

Hi,

Please post English messages to the http://www.vpnusers.com/viewforum.php?f=7 forum.

Anyway, SoftEther VPN 4.06 Build 9430 (March 20, 2014) has all types of user authentication. Please try it.
http://www.softether.org/5-download/history
