Hacker News new | past | comments | ask | show | jobs | submit login

Outline is a security disaster, and I strongly recommend against using it.

- Shadowsocks is not a VPN, it's a per-application SOCKS proxy. What has Jigsaw done to ensure that packets don't leak outside of the tunnel? All UDP traffic leaks, so it looks like they did nothing! https://github.com/shadowsocks/shadowsocks-rust/issues/78

- Shadowsocks is dangerously full of bad configuration options to avoid. Did Jigsaw avoid all of them when it built Outline? Their copy of shadowsocks appears to use an unauthenticated CFB mode by default (https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d...), but then this setting is overridden elsewhere. Good luck checking all the rest.

- They enabled an automated update system they called "Watchtower." Is this safe to use? Who controls the keys? When are updates pushed out? How would it react to a subpoena?

- Is shadowsocks safe? It's a giant pile of C that was purpose-built to evade censorship by the Chinese Great Firewall, nothing more. It wasn't written or designed by an expert in secure communications and it was not even intended for that purpose. It's had a bunch of bugs before (https://x41-dsec.de/lab/advisories/x41-2017-008-shadowsocks/) and none of the crypto makes sense (https://crypto.stackexchange.com/questions/39776/evaluatung-...)!

- The setup process is bonkers. Outline has an Electron app that builds a cloud server, authenticates to it over a random port, then somehow bootstraps encrypted communication with a self-signed certificate. I haven't had time to review the process in all its detail but what the hell? The certificate does not even appear pinned correctly: https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d...

- Jigsaw did not pay for a reputable security review of the code. This security review is one of the worst, possibly THE worst, that I have ever read. It looks like shadowsocks was in scope at first, but then eliminated from scope. There's some weird fascination with parsing bugs in local configuration files. I don't know what's going on here, but it's a waste of paper: https://s3.amazonaws.com/outline-vpn/static_downloads/ros-re...

Jigsaw is advertising this as a method to keep high-risk journalists safe and it's likely to get someone killed (https://medium.com/jigsaw/introducing-outline-making-it-safe...). They are conflating two different use cases: Outline may be acceptable for bypassing censorship (low-risk, where success is immediately visible), but it is wholly unacceptable for protecting the safety or anonymity of speech online (which carries the risk of an invisible and potentially fatal failure in a hundred different ways if traffic can be inspected or even just attributed to a person).

tl;dr Outline is a flaming pile of garbage. Stop recommending it.




>Outline is a security disaster, and I strongly recommend against using it. >- Shadowsocks is not a VPN, it's a per-application SOCKS proxy. What has Jigsaw done to ensure that packets don't leak outside of the tunnel? All UDP traffic leaks, so it looks like they did nothing! >https://github.com/shadowsocks/shadowsocks-rust/issues/78

UDP seems to work properly with Outline without any issues. SOCKS proxies does allow UDP to be proxied.

>Shadowsocks is dangerously full of bad configuration options to avoid. Did Jigsaw avoid all of them when it built Outline? Their copy of shadowsocks appears to use an unauthenticated CFB mode by default (https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d...), but then this setting is overridden elsewhere. Good luck checking all the rest.

How can CBF mode by "unauthenticated"? What does that even mean?

>They enabled an automated update system they called "Watchtower." Is this safe to use? Who controls the keys? When are updates pushed out? How would it react to a subpoena?

Not sure about this one

>Is shadowsocks safe? It's a giant pile of C that was purpose-built to evade censorship by the Chinese Great Firewall, nothing more. It wasn't written or designed by an expert in secure communications and it was not even intended for that purpose. It's had a bunch of bugs before (https://x41-dsec.de/lab/advisories/x41-2017-008-shadowsocks/) and none of the crypto makes sense (https://crypto.stackexchange.com/questions/39776/evaluatung-...)!

Shadowsocks is/was written in Python. The CVEs you have linked affect the Python version only. There is however a much cleaner C version. If you'd read the spec, the crypto makes perfect sense, as pointed out by the stack exchange post, the lack of a PDF on the password is probably the only weakpoint.

>The setup process is bonkers. Outline has an Electron app that builds a cloud server, authenticates to it over a random port, then somehow bootstraps encrypted communication with a self-signed certificate. I haven't had time to review the process in all its detail but what the hell? The certificate does not even appear pinned correctly: https://github.com/Jigsaw-Code/outline-server/blob/d8cb1575d....

>Jigsaw did not pay for a reputable security review of the code. This security review is one of the worst, possibly THE worst, that I have ever read. It looks like shadowsocks was in scope at first, but then eliminated from scope. There's some weird fascination with parsing bugs in local configuration files. I don't know what's going on here, but it's a waste of paper: https://s3.amazonaws.com/outline-vpn/static_downloads/ros-re....

>Jigsaw is advertising this as a method to keep high-risk journalists safe and it's likely to get someone killed (https://medium.com/jigsaw/introducing-outline-making-it-safe...). They are conflating two different use cases: Outline may be acceptable for bypassing censorship (low-risk, where success is immediately visible), but it is wholly unacceptable for protecting the safety or anonymity of speech online (which carries the risk of an invisible and potentially fatal failure in a hundred different ways if traffic can be inspected or even just attributed to a person).

In a reply to a thread where it's about a easy to set up VPN, I think it is perfectly acceptable.

>tl;dr Outline is a flaming pile of garbage. Stop recommending it.

Outline is a fine iOS app that let's you connect to a shadowsocks server as a easy to use VPN. I can't speak for anything else.




Registration is open for Startup School 2019. Classes start July 22nd.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: