Can VPN’s be trusted?
I got wind of an interesting rumour yesterday, passed to me by a fairly trustworthy source. I don’t normally comment on rumours until I’ve had a chance to check the facts for myself, but this looks like it’s going to spread.
Basically, the FBI paid certain developers working on the OpenBSD IPsec stack to and asked for back-doors or key leaking mechanisms to be added. This occurred in 2000/2001. Allegedly.
The code in question is open source and is likely to have been incorporated in various forms in a lot of systems, including VPN and secure networking infrastructure.
Whilst I have names of the developers in question and the development company concerned, it wouldn’t be fair to mention them publicly, at least until such code is found. If you’re using the IPsec stack in anything might want to take a good look at the code, just in case.
However, if the code has been there for nearly ten years in open source software, how come no one has noticed it before?