Jump to content
Not connected, Your IP: 3.230.76.153

Recommended Posts

Hello, after reading the latest terrifying news about the NSA's ability to intercept and defeat VPN encryption I think we could all use a refresh on some behind the scenes AirVPN practices and defences against this evil.

 

First off here is the Ars article, if you haven't read it strap in tight it's an unnerveing ride...

http://arstechnica.com/information-technology/2014/03/nsas-automated-hacking-engine-offers-hands-free-pwning-of-the-world/

 

So what I'd like to know are what all defences AirVPN has in place to counter the things we've learned the NSA is doing to defeat even the strongest VPNs.

 

1.  When is the last time AirVPN has completely wiped ALL of its internal systems and done fresh installs, and fully patched OS's and software OFFLINE?

 

2.  We've learned governments will intercept hardware in the course of delivery and install "plants" before you even receive your new hardware.  Have you taken into account where your hardware has been since it left the manufacturer?

 

3.  Users are easily fooled if their connection is being hijacked during the time they open a new connection to AirVPN servers, is there anyway to alert a user, OR kill the connection with a warning if you (can) detect connections being made from a different location?

 

4.  From this most recent article we've learned the NSA has "VPN cracking blades."  In the article it's focused on IPSEC VPNs, have there been known weaknesses that would allow the NSA to bruteforce any part of IPSEC?  How does their method strike you as per AirVPNs entire network configuration?

 

These are just some basic questions that I could come up with, please feel free to point out any misunderstandings I may have had, and please anyone feel free to add any critical questions I didn't list.  Thanks a lot, I do love AirVPN!

Share this post


Link to post

Hello, after reading the latest terrifying news about the NSA's ability to intercept and defeat VPN encryption I think we could all use a refresh on some behind the scenes AirVPN practices and defences against this evil.

 

Hello!

 

Where do you see that in the article?

 

By the way, about your questions:

 

1 and 2. Offline access is impossible, we should be traveling around 3 continents every day and asking for infinite authorizations to access datacenters. Anyway it's not relevant, even if we did that the problem would just be the same, because there are methods to compromise a computer without having to actively operate with the computer itself, or simply because you have no guarantee that external wiretapping devices are not attached to the server a second after you leave the datacenter. The solution is completely different and we've been talking about it since years ago, please refer to https://airvpn.org/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745 etc.

 

3.That's already performed by your OpenVPN, with double-certificate verification. During the connection, packet authentication is performed.

 

4. Apparently that's not relevant for us because keys are negotiated with DHE, therefore we just don't care if and who's listening to any router or any other device between your node and our node and it's not worrying not even if they catch your user.key: apart from the fact that they will be able to connect to our VPN servers with your account and therefore use our service for free, with your user.key they can't decrypt your data channel. Maybe the author of the article refers to something else (unfortunately the whole article seems to be written in too simplistic and vague terms), therefore a deeper analysis is needed.

 

Just remember that math can't be twisted.

 

Kind regards

Share this post


Link to post

The original article by Ryan Gallagher and Glenn Greenwald is here:  https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/

 

"Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform “exploitation attacks” against data that is sent through a Virtual Private Network, a tool that uses encrypted “tunnels” to enhance the security and privacy of an Internet session."

 

The supporting documents for Hammerchant and Hammerstein are here:  https://firstlook.org/theintercept/document/2014/03/12/vpn-voip-exploitation-hammerchant-hammerstein/

Share this post


Link to post

@LBDude

 

Thanks! At a first glance the document confirms that the attack can't succeed against OpenVPN because the foundation of the attack, at least according to the document, lies on IKE (used by IPsec and some VoIP software) packets "exfiling". Of course we will be waiting for more expert reviews and more information for a more thourough analysis. As a side note, it must be noted that approximately 11-12 years ago Schneier as well as Belani, Mookhey and many other persons reported and proved several vulnerabilities on IKE implementation, PSK etc. etc. so it's not upsetting that anyone exploits vulnerabilities when they have been well know for more than a decade.

 

Kind regards

Share this post


Link to post

@LBDude and Staff

 

Thanks for the replies and continuing discussion, I wasn't aware that those vulnerabilities have been known for such a long time and I'm glad so far OpenVPN appears resistant to this type of attack, keep up the great work!

Share this post


Link to post

 

 

Staff wrote:  not even if they catch your user.key: apart from the fact that they will be able to connect to our VPN servers with your account and therefore use our service for free, with your user.key they can't decrypt your data channel.

 

I have been wondering about a defense for that too.  So far I have never attempted to log on to a server and been denied.  I am assuming that means no other person is using my user:key, at least at that time.  I would really have no way to verify it wasn't being used at "off hours" assuming an adversary would know what those are for me.

 

I don't know if it would be worth Air's time to allow a user to create a new and different user:key at a reasonable interval.  This would invalidate the old user:key.  On the other hand just as with a server compromise mentioned in the posts above, if an adversary was able to grab the first user:key he could likely just do it again.  At that point there must be a weakness the specific user here is allowing, which results in the exploit.  So, would there be any value in allowing a user to exchange (via creating a new user:key) keys from within the client area?  I know that doesn't exist now and it might be an administrative nightmare with little resulting value.  Just throwing this out there as a thought.

Share this post


Link to post

I'm having some trouble understanding the difference between RSA keys as an intellectual concept and the company RSA which allowed back doors for the NSA into it's products,those products which I perceive to be the RSA (encryption) keys that are used by Open Vpn.

Can someone help me understand if there is a difference between RSA keys as an intellectual concept and as used by Open Vpn and the company named RSA that allowed back doors for the NSA into it's products please?

http://www.reuters.com/article/2014/03/31/us-usa-security-nsa-rsa-idUSBREA2U0TY20140331

http://dualec.org/

Thanks.

Share this post


Link to post

Thanks JamesDean,

I still don't know if Open VPN uses the Company RSA's keys when I log on to a server though.

Share this post


Link to post

Thanks again,

could you link me up to something that could further my understanding please?

Share this post


Link to post

Hi again,

I think what I am asking is this,

does Open VPN generate it's own RSA keys (and if so according to what rules) or does it 'buy in'  a key or key template from RSA the company?

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...