Jump to content
Not connected, Your IP: 34.207.247.69

Recommended Posts

Hi team,

 

I'm using Eddie on the latest OS X 10.10.2.  I thought I would mosey on over to the SSL Server Test site linked to on AirVPN and I got the following table:

 

 

Server Key and Certificate #1

Common names *.airvpn.org 

Alternative names *.airvpn.org airvpn.org 

Prefix handling Both (with and without WWW)

Valid from Sun Sep 14 13:19:02 PDT 2014

Valid until Wed Sep 23 06:22:02 PDT 2015 (expires in 5 months and 29 days)

Key RSA 2048 bits (e 65537)

Weak key (Debian)  No 

Issuer Go Daddy Secure Certificate Authority - G2

Signature algorithm SHA256withRSA

Extended Validation No

Revocation information CRL, OCSP 

Revocation status Good (not revoked)

Trusted Yes

 

Does this mean I am not using a 4096 bit key like is advertised on the AirVPN website?

Also, if I read further I get this:

 

Safari 8 / OS X 10.10  RTLS 1.2TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   FS128

 

Does this mean I am not getting the 256-CBC data channel on the front page?

 

Is this because I am using Eddie and not Tunnelblick?

 

 

Many thanks!

 

 

Share this post


Link to post

I'm not part of the team but since you haven't received any replies yet I'll chime in:

 

It doesn't matter which application you use.

AES-256-CBC refers to the cipher mode of the OpenVPN tunnel between you and AirVPN's VPN server.
4096 bit is the length of your RSA private key (user.key) that is used to authenticate yourself to the VPN server.

Both of these parameters only concern the VPN tunnel itself.
Any other encryption layer that gets established within that tunnel - for example, SSL/TLS encryption between your browser and some website is a totally separate matter.

Browsers and web servers both have a set of supported/preferred cipher suites and negotiate the one they want to use. If I go to about:config in my Firefox and type in "security.ssl3", I get a list of disabled and enabled ciphers, I'm sure Safari provides a similar facility. By the way, you can also click on the "lock" icon in your browser bar to find out more about your current SSL/TLS connection to whatever website you're on.

Because the web server at https://airvpn.org does support AES_256_GCM, I could theoretically force Firefox to use that cipher by disabling all the other 128-bit ciphers (but I would run into problems with other websites that might only support AES-128).

In reality and in this instance, AES-256 would not make any difference because the key exchange would still rely on a 2048-bit RSA key which is currently considered standard / recommended

 

 

TL;DR / conclusion:

- AirVPN provides you with an AES-256 encrypted VPN tunnel between you and AirVPN but that doesn't impact how (or even if) your browser encrypts communication with any websites

- AirVPN's website will usually negotiate AES-128 SSL/TLS encryption but it wouldn't make sense to use AES-256 unless their CA supported 4096-bit keys. Also, AES-128 / RSA 2048 is still considered secure for decades to come.


all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

I'm not part of the team but since you haven't received any replies yet I'll chime in:

 

It doesn't matter which application you use.

AES-256-CBC refers to the cipher mode of the OpenVPN tunnel between you and AirVPN's VPN server.

4096 bit is the length of your RSA private key (user.key) that is used to authenticate yourself to the VPN server.

 

Both of these parameters only concern the VPN tunnel itself.

Any other encryption layer that gets established within that tunnel - for example, SSL/TLS encryption between your browser and some website is a totally separate matter.

 

Browsers and web servers both have a set of supported/preferred cipher suites and negotiate the one they want to use. If I go to about:config in my Firefox and type in "security.ssl3", I get a list of disabled and enabled ciphers, I'm sure Safari provides a similar facility. By the way, you can also click on the "lock" icon in your browser bar to find out more about your current SSL/TLS connection to whatever website you're on.

Because the web server at https://airvpn.org does support AES_256_GCM, I could theoretically force Firefox to use that cipher by disabling all the other 128-bit ciphers (but I would run into problems with other websites that might only support AES-128).

In reality and in this instance, AES-256 would not make any difference because the key exchange would still rely on a 2048-bit RSA key which is currently considered standard / recommended

 

 

TL;DR / conclusion:

- AirVPN provides you with an AES-256 encrypted VPN tunnel between you and AirVPN but that doesn't impact how (or even if) your browser encrypts communication with any websites

- AirVPN's website will usually negotiate AES-128 SSL/TLS encryption but it wouldn't make sense to use AES-256 unless their CA supported 4096-bit keys. Also, AES-128 / RSA 2048 is still considered secure for decades to come.

Thanks so much for the detailed answer!  I understand.  

 

Do you know of a way I can test the VPN tunnel?  

Just for giggles.

Share this post


Link to post

I'm not sure what exactly you want to test for but you can use a site like http://ipleak.net/ to verify that your traffic is routed through the VPN. It'll also inform you about WebRTC or DNS leaks.

You could also verify that the correct default route (via the tun interface, gateway address 10.x.x.x) has been set, I believe the correct OS X Terminal command would be:

route -n get default

 

I'd recommend enabling Eddie's network lock feature. It will configure your Mac's PF firewall to only allow tunneled traffic while Eddie is running.

The last, underlined part is important to keep in mind:
As soon as you close Eddie, your Mail client, browser, OS updater, P2P app and so on will happily transfer data outside the tunnel. Same goes for reboots: If some application auto-starts on boot it will communicate outside the tunnel - as long as you haven't launched Eddie yet.
There are a few techniques with varying degrees of efficiency (and difficulty) to avoid this:

  • don't have your internet applications auto-start on boot
  • disable your network interfaces before reboots, re-enable them only after starting Eddie and verifying that network lock is active, then start your internet apps
  • use your own (permanent) PF firewall rules (advanced topic! this post might get you started)
  • run OpenVPN & firewall on a router / network appliance (OpenWRT, DD-WRT, PFSense, etc. - advanced topic!)

all of my content is released under CC-BY-SA 2.0

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...