*** Welcome to piglix ***

Opportunistic encryption


Opportunistic encryption (OE) refers to any system that, when connecting to another system, attempts to encrypt the communications channel, otherwise falling back to unencrypted communications. This method requires no pre-arrangement between the two systems.

Opportunistic encryption can be used to combat passive wiretapping. (An active wiretapper, on the other hand, can disrupt encryption negotiation to either force an unencrypted channel or perform a man-in-the-middle attack on the encrypted link) It does not provide a strong level of security as authentication may be difficult to establish and secure communications are not mandatory. Yet, it does make the encryption of most Internet traffic easy to implement, which removes a significant impediment to the mass adoption of Internet traffic security.

Opportunistic encryption on the Internet is described in : "Opportunistic Security: Some Protection Most of the Time".

The FreeS/WAN project was one of the early proponents of OE. The effort is continued by the former freeswan developers now working on Libreswan. libreswan aims to support different authentication hooks for Opportunistic Encryption with IPsec. Version 3.16 released in December 2015 has support for Opportunistic IPsec using AUTH-NULL which is based on . The Libreswan Project is currently working on (forward) DNSSEC and Kerberos support for Opportunistic IPsec.

Openswan has also been ported to the OpenWrt project. Openswan used reverse DNS records to facilitate the key exchange between the systems.

It is possible to use OpenVPN and networking protocols to set up dynamic VPN links which act similar to OE for specific domains.

The FreeS/WAN and forks such as Openswan and strongSwan offer VPNs which can also operate in OE mode using IPsec based technology. Obfuscated TCP is another method of implementing OE.

Windows platforms have an implementation of OE installed by default. This method uses IPsec to secure the traffic and is a simple procedure to turn on. It is accessed via the MMC and "IP Security Policies on Local Computer" and then editing the properties to assign the "(Request Security)" policy. This will turn on optional IPsec in a environment.


...
Wikipedia

...