amazeballs Posted ...

Hi team, I'm using Eddie on the latest OS X 10.10.2. I thought I would mosey on over to the SSL Server Test site linked to on AirVPN and I got the following table:

Server Key and Certificate #1
  Common names: *.airvpn.org
  Alternative names: *.airvpn.org airvpn.org
  Prefix handling: Both (with and without WWW)
  Valid from: Sun Sep 14 13:19:02 PDT 2014
  Valid until: Wed Sep 23 06:22:02 PDT 2015 (expires in 5 months and 29 days)
  Key: RSA 2048 bits (e 65537)
  Weak key (Debian): No
  Issuer: Go Daddy Secure Certificate Authority - G2
  Signature algorithm: SHA256withRSA
  Extended Validation: No
  Revocation information: CRL, OCSP
  Revocation status: Good (not revoked)
  Trusted: Yes

Does this mean I am not using a 4096 bit key like is advertised on the AirVPN website?

Also, if I read further I get this:

  Safari 8 / OS X 10.10  R  TLS 1.2  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)  FS  128

Does this mean I am not getting the 256-CBC data channel on the front page? Is this because I am using Eddie and not Tunnelblick? Many thanks!
InactiveUser Posted ...

I'm not part of the team but since you haven't received any replies yet I'll chime in:

It doesn't matter which application you use. AES-256-CBC refers to the cipher mode of the OpenVPN tunnel between you and AirVPN's VPN server. 4096 bit is the length of your RSA private key (user.key) that is used to authenticate yourself to the VPN server. Both of these parameters only concern the VPN tunnel itself. Any other encryption layer that gets established within that tunnel - for example, SSL/TLS encryption between your browser and some website - is a totally separate matter.

Browsers and web servers both have a set of supported/preferred cipher suites and negotiate the one they want to use. If I go to about:config in my Firefox and type in "security.ssl3", I get a list of disabled and enabled ciphers; I'm sure Safari provides a similar facility. By the way, you can also click on the "lock" icon in your browser bar to find out more about your current SSL/TLS connection to whatever website you're on.

Because the web server at https://airvpn.org does support AES_256_GCM, I could theoretically force Firefox to use that cipher by disabling all the other 128-bit ciphers (but I would run into problems with other websites that might only support AES-128). In reality and in this instance, AES-256 would not make any difference because the key exchange would still rely on a 2048-bit RSA key, which is currently considered standard / recommended.

TL;DR / conclusion:
- AirVPN provides you with an AES-256 encrypted VPN tunnel between you and AirVPN but that doesn't impact how (or even if) your browser encrypts communication with any websites
- AirVPN's website will usually negotiate AES-128 SSL/TLS encryption but it wouldn't make sense to use AES-256 unless their CA supported 4096-bit keys. Also, AES-128 / RSA 2048 is still considered secure for decades to come.
-- all of my content is released under CC-BY-SA 2.0
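The post's point that the browser and the web server negotiate a cipher suite independently of the VPN tunnel can be made concrete. The following is an added example, not code from the thread or from AirVPN: it models server-preference negotiation over two constructed suite lists (chosen so that the default outcome matches the 0xc027 result quoted above; real Safari and airvpn.org preference orders are not known from the thread), shows what disabling the 128-bit suites on the client side does, including the failure against a server that only offers AES-128, and provides a live check with Python's ssl module that reports the same facts the browser's lock icon shows.

```python
"""Model TLS cipher-suite negotiation and inspect a live TLS session.

Added example (not from the forum post or AirVPN). The suite lists are
constructed to mirror the SSL Labs result quoted in the thread; real client
and server preference orders differ, and some servers honour client order.
"""
import socket
import ssl

# Constructed: a client that offers 128-bit suites ahead of 256-bit ones.
CLIENT_OFFERED = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed: a server preference list in which the 128-bit CBC suite ranks
# first (an assumption chosen to reproduce the 0xc027 result in the thread).
SERVER_PREFERRED = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def negotiate(client_offered, server_preferred):
    """Server-preference negotiation: the first suite in the server's order
    that the client also offered wins; None means the handshake fails."""
    offered = set(client_offered)
    for suite in server_preferred:
        if suite in offered:
            return suite
    return None


def drop_128_bit_suites(suites):
    """What 'disabling all the 128-bit ciphers' in about:config amounts to."""
    return [s for s in suites if "AES_128" not in s]


def inspect_live_tls(host, port=443, timeout=5.0):
    """Connect with certificate validation enabled and report what was
    actually negotiated: protocol, suite, secret bits, subject, expiry."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            suite, _, secret_bits = tls.cipher()
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher_suite": suite,
                "cipher_bits": secret_bits,
                "subject": dict(pair[0] for pair in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    print("default negotiation:", negotiate(CLIENT_OFFERED, SERVER_PREFERRED))
    print("after disabling AES-128:",
          negotiate(drop_128_bit_suites(CLIENT_OFFERED), SERVER_PREFERRED))
    # Needs network access; pass whichever site you want to check.
    # print(inspect_live_tls("airvpn.org"))
```

The negotiated suite in the live check is whatever the two sides agree on that day, so a stronger suite on one site and a handshake failure on another are both possible outcomes of trimming the client's list, which is the trade-off the post describes.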
amazeballs Posted ...

[quoting InactiveUser's reply above]

Thanks so much for the detailed answer! I understand. Do you know of a way I can test the VPN tunnel?

Just for giggles.
InactiveUser Posted ...

I'm not sure what exactly you want to test for but you can use a site like http://ipleak.net/ to verify that your traffic is routed through the VPN. It'll also inform you about WebRTC or DNS leaks.

You could also verify that the correct default route (via the tun interface, gateway address 10.x.x.x) has been set. I believe the correct OS X Terminal command would be:

  route -n get default

I'd recommend enabling Eddie's network lock feature. It will configure your Mac's PF firewall to only allow tunneled traffic while Eddie is running.

The last, underlined part is important to keep in mind: As soon as you close Eddie, your Mail client, browser, OS updater, P2P app and so on will happily transfer data outside the tunnel. Same goes for reboots: If some application auto-starts on boot it will communicate outside the tunnel - as long as you haven't launched Eddie yet.

There are a few techniques with varying degrees of efficiency (and difficulty) to avoid this:
- don't have your internet applications auto-start on boot
- disable your network interfaces before reboots, re-enable them only after starting Eddie and verifying that network lock is active, then start your internet apps
- use your own (permanent) PF firewall rules (advanced topic! this post might get you started)
- run OpenVPN & firewall on a router / network appliance (OpenWRT, DD-WRT, PFSense, etc. - advanced topic!)
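The route check suggested in the post can be scripted so it is repeatable, for instance right after login or before starting a P2P client. This is an added example, not code from the thread or from Eddie: it parses the "key: value" layout of `route -n get default` on OS X, applies the post's heuristic (tunnel-style interface name plus a 10.x.x.x gateway), and includes two constructed samples, one with the tunnel up and one for the failure mode the post warns about, where Eddie has been closed and the default route has fallen back to the Wi-Fi interface. The 10.0.0.0/8 gateway range and the interface prefixes are assumptions taken from the post, so a "tunneled" result is a sanity check, not proof that nothing leaks.

```python
"""Check that the default route goes through the VPN's tun interface.

Added example (not from the forum post or Eddie). Parses the output format of
`route -n get default` on OS X; both samples are constructed, and the
10.0.0.0/8 gateway test follows the post's "gateway address 10.x.x.x" hint.
"""
import ipaddress
import platform
import subprocess

# Constructed sample: Eddie running, OpenVPN tunnel up.
SAMPLE_TUNNELED = """\
   route to: default
destination: default
       mask: default
    gateway: 10.4.0.1
  interface: utun0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
"""

# Constructed sample: Eddie closed, default route back on the Wi-Fi interface.
SAMPLE_DIRECT = """\
   route to: default
destination: default
       mask: default
    gateway: 192.168.1.1
  interface: en0
      flags: <UP,GATEWAY,DONE,STATIC,PRCLONING>
"""

VPN_NET = ipaddress.ip_network("10.0.0.0/8")      # assumption from the post
TUNNEL_PREFIXES = ("utun", "tun", "tap")          # assumption: tunnel ifaces


def parse_route_output(text):
    """Turn the 'key: value' lines of `route get` into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def route_is_tunneled(fields):
    """True only if the interface looks like a tunnel AND the gateway sits in
    the VPN range; a missing or non-IP gateway counts as not tunneled."""
    iface = fields.get("interface", "")
    try:
        gw_ok = ipaddress.ip_address(fields.get("gateway", "")) in VPN_NET
    except ValueError:
        gw_ok = False
    return iface.startswith(TUNNEL_PREFIXES) and gw_ok


def check_live_default_route():
    """Run the real command on OS X and evaluate it; other platforms raise,
    because their `route` tools print a different layout."""
    if platform.system() != "Darwin":
        raise RuntimeError("route -n get default output is parsed for OS X only")
    out = subprocess.run(["route", "-n", "get", "default"],
                         capture_output=True, text=True, check=True).stdout
    fields = parse_route_output(out)
    return fields, route_is_tunneled(fields)


if __name__ == "__main__":
    for name, sample in (("tunneled", SAMPLE_TUNNELED), ("direct", SAMPLE_DIRECT)):
        print(name, "->", route_is_tunneled(parse_route_output(sample)))
```

A "direct" verdict is exactly the state the post describes after closing Eddie or on a fresh boot, which is why the check is only useful alongside network lock or permanent PF rules rather than instead of them.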