Major system upgrade COMPLETED

[Staff 9971]

UPGRADE COMPLETED SUCCESSFULLY

 

Hello!

We're glad to inform you that a major system upgrade will take place during Sunday, 13 April 2014, 21:00:00 - Sunday, 13 April 2014, 22:00:00 UTC
This upgrade has a triple, important purpose: close any possible exploitation chance, regardless of how unlikely it could be, deriving from past "Heartbleed" vulnerability, bring AirVPN in an even higher security environment and open the road for an important new feature of the service: 3 simultaneous connections per account on different servers (details will be provided soon after the major upgrade which takes precedence).

The upgrade in details

• switch to 4096 bit size RSA and DH keys
• implementation of additional OpenVPN TLS-Auth layer
• re-generation of certificates and keys
• general optimization

During the upgrade all the VPN clients will be forcefully disconnected and will not be able to reconnect. The upgrade will take approximately 30 minutes.

Disconnections will occur on all servers from-to:
Sunday, 13 April 2014, 21:00:00 - Sunday, 13 April 2014, 22:00:00 UTC

that is:

Sunday, 13 April 2014, 14:00:00 - Sunday, 13 April 2014, 15:00:00 PDT
Sunday, 13 April 2014, 16:00:00 - Sunday, 13 April 2014, 17:00:00 CDT
Sunday, 13 April 2014, 17:00:00 - Sunday, 13 April 2014, 18:00:00 EDT
Sunday, 13 April 2014, 23:00:00 - Monday, 14 April 2014, 00:00:00 CEST
Monday, 14 April 2014, 06:00:00 - Monday, 14 April 2014, 07:00:00 JST

Click here to find your town: http://www.timeanddate.com/worldclock/fixedtime.html?msg=Switch+to+4096+bit+size+keys&iso=20140413T23&p1=215&ah=1

Mandatory actions

After the upgrade, customers running the Air client for Windows will need to shut down and restart the Air client. It is assumed that customers have already downloaded the new package for Windows which includes OpenVPN with non-vulnerable OpenSSL, available here https://airvpn.org/windows and installed the new OpenVPN version.

Customers running any other OpenVPN wrapper or OpenVPN will need to re-download configuration, certificates and keys files.

Additional information for customers running manually configured wrappers:

• the "TLS-Cipher" or equivalent name in your configuration becomes: TLS-DHE-RSA-WITH-AES-256-CBC-SHA
• in Tomato, DD-WRT, pfSense, Fritz!Box etc., the client certificate, the server certificate, the client key and the TLS key must be pasted again (after they have been generated and downloaded from the Configuration Generator as usual) in the appropriate fields of your configuration

Please do not hesitate to contact us for any further information.

Kind regards
AirVPN Staff

[pfSense_fan 181]

Excellent, excellent news!

 

Will we only be able to generate the new config files and keys after the disconnect?

[6501166996442015 35]

I know you said you will provide details afterwards, but I am really curious as to what this will mean for the 4mb minimum bandwidth & future pricing.

 

 and open the road for an important new feature of the service: 3 simultaneous connections per account on different servers (details will be provided soon after the major upgrade which takes precedence).

[Staff 9971]

Excellent, excellent news!

 

Will we only be able to generate the new config files and keys after the disconnect?

 

Hello!

 

Yes, that's correct. Only AFTER the end of the upgrade.

 

Kind regards

[dwright 25]

This is a dream come true, I feel like throwing a party.

[vpnair33 6]

This is a dream come true, I feel like throwing a party.

[S.O.A. 83]

Great news AirVPN! Keep up the great work!

[airvpn4ever 0]

Excellent news, keep up the good work!

[dd79 15]

I like the part about 3 connections

[OpenSourcerer 1435]

open the road for an important new feature of the service: 3 simultaneous connections per account on different servers

 

This is going to be very interesting.

 

switch to 4096 bit size RSA and DH keys

 

Could you provide a few more details on why you choose to switch to 4096 bit RSA keys?

[bubbba 3]

The 3 simultaneous connections per account on different servers sound wonderful, so why did I purchase a second account recently? Glad about the complete Key/Cert change. Keep up the great work...

 

Regards,

 

Bubbba

[PirateParty 49]

Awesome news from you guys. Happy to hear that key sizes are being increased from a suggestion I made earlier when I joined. And the part about 3 connections is awesome and I am very excited for it. Keep up the good work and keep on doing what you do best 

[foxbat 0]

3 simultaneous connections!   I think im going to wet myself.....ooops too late. 

[foxwood 4]

There's obvious advantages to having 3 simultaneous connections (albeit this is already possible if your router is vpn enabled), but can anyone please answer what advantages would there be in having your simultaneous connections on different servers?

[24FWgGC 6]

Thank you for upgrading all of this so quickly!

I do notice that OpenVPN has now released version 2.3.3, however AirVPN is hosting the 2.3.2 quickfix that was released the other day. Updates moving quickly these days.

[McLoEa 25]

Va bene!

[airvpnusercoin 0]

Great to see the new features. As I am telling everybody AirVPN is the most trustable VPN provider ever. Never saw stable and fast connections like here and the support team is excellent and always kindly.

[HurderDurder 2]

Excellent product getting better. Thank you.

[Guest]

Never been this happy about downtime

[sony_15 3]

Great to see the new features. As I am telling everybody AirVPN is the most trustable VPN provider ever. Never saw stable and fast connections like here and the support team is excellent and always kindly.

Couldn't agree more. That's why after testing other VPN this one is miles ahead in all possible elements, like speed, security, support and privacy policy from others.

[Wazzza 0]

Nice

What is the current DH parameter size? It is not mentioned on the website.

And how about TLS 1.2 support? OpenSSL may not be vulnerable to attacks on TLS 1.0, but TLS 1.2 supports SHA-2.
SHA-1 is in progress of deprecation by MS: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx
NIST advises against SHA-1: http://www.zdnet.com/nist-makes-a-hash-of-sha-1-ban-7000025980/
This may be less worrysome in the VPN/OpenSSL context, but it's best to stay ahead instead of becoming a cat and mouse game.

[Staff 9971]

Nice

 

What is the current DH parameter size? It is not mentioned on the website.

 

Hello!

 

2048 bit keys, currently.

 

 

And how about TLS 1.2 support? OpenSSL may not be vulnerable to attacks on TLS 1.0, but TLS 1.2 supports SHA-2.

SHA-1 is in progress of deprecation by MS: http://blogs.technet.com/b/pki/archive/2013/11/12/sha1-deprecation-policy.aspx

NIST advises against SHA-1: http://www.zdnet.com/nist-makes-a-hash-of-sha-1-ban-7000025980/

This may be less worrysome in the VPN/OpenSSL context, but it's best to stay ahead instead of becoming a cat and mouse game.

 

So what...? The Control Channel cipher is HMAC SHA1, not SHA1. SHA1 is the underlying hash verification. Deprecation has nothing to do with it. It is well known that SHA1 should never be used as a security cipher and OpenVPN does not use it. In HMAC SHA1 we don't even have to care at all about SHA1 hash collisions. In order to inject forged packets in your traffic flow, an attacker should first break every single upper layer, starting from HMAC which is extremely robust, and THEN try hash collisions.

 

Kind regards

[waterfall 10]

Thnaks for all that you do to protect me!

""""So what...? The Control Channel cipher is HMAC SHA1, not SHA1. SHA1 is the underlying hash verification. Deprecation has nothing to do with it. It is well known that SHA1 should never be used as a security cipher and OpenVPN does not use it. In HMAC SHA1 we don't even have to care at all about SHA1 hash collisions. In order to inject forged packets in your traffic flow, an attacker should first break every single upper layer, starting from HMAC which is extremely robust, and THEN try hash collisions.

 

Kind regards"""""

 

You guys rock, protecting me from all those hash collisions, and acronyms beyond my desire to investigate, memorize and produce more of.  I use the net for research and organizing.  F#$% the police, and the crackers, who are probably one and the same...

[PirateParty 49]

There's obvious advantages to having 3 simultaneous connections (albeit this is already possible if your router is vpn enabled), but can anyone please answer what advantages would there be in having your simultaneous connections on different servers?

 

Its better to use your regular connection for personal things and use a VPN for everything else in your anonymous life. Also you can use different servers on different devices. Not really sure what the benefit of that is but 3 connections is better than 1!

[CorbellMarkIII 1]

Fantastic. This aggressive response to HeartBleed and customer service by AirVPN is quite uplifting.