← Back to context

Comment by Msurrow

14 days ago

You are still implying that wireguard are somehow different from ssh in its suceptibilty to vulnerabilities existing or being introduced into its codebase. And it simply is not.

Edit: codebase of ssh/wireguard implementations, just to be clear

3 comments

Msurrow

Reply
rl3  14 days ago

Yes, the two are very different in that regard.

WireGuard is 4k LoC and is very intentional about its choice of using a single, static crypto implementation to drastically reduce its complexity. Technically speaking, it has a lower attack surface for that reason.

That said, I've been on your side of the argument before, and practically speaking you can expose OpenSSH on the public internet with a proper key setup and almost certainly nothing will happen because it's a highly-audited, proven piece of software. Even though it's technically very complex.

But, that still doesn't mean it isn't best practice to avoid exposing it to the public internet. Especially when you can put things in front of it (such as WireGuard) that have a much lower technical complexity, and thus a reduced attack surface.

  • Msurrow  13 days ago

    No, they are not. Doesn’t matter how many LoC; it only take 1 LoC to introduce a vulnerability.

    Wireguard is a protocol. So what implementation is “very intentional about its choice of …”? Are you talking about my own WG client implementation? Or the one made by this other Chinese vendor?

    I don’t care what software we are talking about, or who made it. All software has a risk of undiscovered/-disclosed vulnerabilities already existing, or when new ones introduced with an update.

    If you really want to make this argument we can talk about the implementing organisations SDLC, including SW supply chain, and compare those.

    But back to the OP/point above: its false to state that one piece of software has a “principle risk” of vulnerabilities that another piece does not. At least, not when both are internet exposed and accepting incoming data.

    Lasty remember that I never disagreed with you point that a VPN solution is often a better solution, but that was never what I was arguing about. Simply that all code always has a risk of vulnerabilities. No piece of software is excempt from that.

    • rl3  12 days ago

      >No, they are not. Doesn’t matter how many LoC; it only take 1 LoC to introduce a vulnerability.

      So according to you, the concept of attack surface doesn't exist. A 100MB binary is equivalent in risk to a 1KB binary. Got it.

      If both are highly-audited, their risk is equal despite their size and protocol complexity. Got it.

      >...its false to state that one piece of software has a “principle risk” of vulnerabilities that another piece does not.

      That's like the third or fourth time you've scare-quoted the word principle. You're aware that principle and principal are two different words with different meanings?

      The word I used, principal, in that context means the foremost or primary risk.

      Anyways, I'm just telling you how major corporations think about it. Their underlying rationale is exactly what I've explained thus far, and hence why it's best practice.

      Keep shooting the messenger I guess.