X-Git-Url: http://www.git.cypherpunks.ru/?a=blobdiff_plain;f=doc%2Fprecautions.texi;h=20570b00aa528147d1c9eb783afd97c81d0577ac;hb=b779397ef0dba12ed2fb117e1a514bf0d5b598ef;hp=93b179e427f6829246d6a45e4b70bb0cb0f8068e;hpb=e7ba034dd3beb3f8f54c4d2e0f858eb23f58c147;p=govpn.git diff --git a/doc/precautions.texi b/doc/precautions.texi index 93b179e..20570b0 100644 --- a/doc/precautions.texi +++ b/doc/precautions.texi 
@@ -1,24 +1,20 @@ @node Precautions @unnumbered Precautions -The very important precaution is the @strong{cryptographically good} -pseudo random number generator. GoVPN uses native operating system PRNG -as entropy source. You have no way to check it's quality in closed -source code operating systems, so it is recommended not to use them if -you really needs security. Moreover it is possible that those OS leaks -information about possible PRNG states. And at least Apple OS X and -Microsoft Windows are already known to have weak CSPRNGs. +@enumerate +@item +We use passphrase authentication, so overall security fully depends on +its strength. You @strong{should} use long, high-entropy passphrases. +Also remember to keep passphrase in temporary file and read it securely +as described in @ref{Verifier, verifier}. -GoVPN could use it's own PRNG implementation like -@url{https://www.schneier.com/fortuna.html, Fortuna}, but it is -much easier to use the right OS, to use free software. +@item +You must @strong{never} use the same key for multiple clients. -Also you should @strong{never} use one key for multiple clients. Salsa20 -encryption is randomized in each session, but it depends again on PRNG. -If it fails, produces equal values at least once, then all you traffic -related to that key could be decrypted. - -We use password (passphrase) authentication, so overall security fully -depends on it's strength. So you should use long, high-entropy -passphrases. Also remember to keep passphrase on temporary file as -described in @ref{Verifier}. +@item +You must use @strong{cryptographically good} pseudo random number +generator. By default we use default @code{crypto/rand} library that +reads @file{/dev/urandom} source. Some GNU/Linux and FreeBSD systems +are rather good with this entropy source. Closed proprietary ones are +always not and you must use optional @ref{EGD} feature with them. +@end enumerate
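Review bot: the second @item ("You must @strong{never} use the same key for multiple clients.") drops the reason the removed text gave for this rule, namely that Salsa20 encryption is randomized per session using the PRNG, and that a single repeated value would allow all traffic related to that key to be decrypted. Keeping one sentence of that rationale under the item would tell readers what is actually at risk and would tie this item to the PRNG item that follows. In the third @item, "By default we use default @code{crypto/rand} library" repeats "default", and "Closed proprietary ones are always not" is hard to parse; something like "Closed proprietary systems cannot be verified, so you must use the optional @ref{EGD} feature with them" says the same thing clearly. "Some GNU/Linux and FreeBSD systems are rather good" also leaves the reader unable to tell whether their own system qualifies, so either name the criterion or drop "Some". In the first @item, "keep passphrase in temporary file" is missing its articles ("keep the passphrase in a temporary file").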