undefined | Better HN

0 pointssomeplaceguy1y ago0 comments

> The bet is that a compromise in both the service and wireguard at the same time is unlikely

An RCE in wireguard would be enough -- no need to compromise both.

0 comments

I was going to say something like this, but in practice wireguard is very very tiny. It doesn't have pluggable authentication, or passwords, or user transitions, or forked subprocesses, or systemd integrations. Using it or another simple secure transport in front of SSH is probably a good idea.

someplaceguyOP1y ago

I don't disagree with you. However, my point was that the parent poster's reasoning was flawed.

Stacking these services on top of each other in this way does not necessarily mean that an attacker has to compromise both services in order to compromise a host. The parent poster's flawed reasoning appeared to lead to a false sense of security as a result.

remram1y ago

Yes for sure. An RCE in the first is sufficient, or an auth bypass in the first and some other vulnerability in the second.

j / k navigate · click thread line to collapse

0 pointssomeplaceguy1y ago0 comments

> The bet is that a compromise in both the service and wireguard at the same time is unlikely

An RCE in wireguard would be enough -- no need to compromise both.

0 comments

remram1y ago

someplaceguyOP1y ago

I don't disagree with you. However, my point was that the parent poster's reasoning was flawed.

remram1y ago

Yes for sure. An RCE in the first is sufficient, or an auth bypass in the first and some other vulnerability in the second.

j / k navigate · click thread line to collapse