Jump to content
Not connected, Your IP: 3.138.118.250
AirVPN
Sign in to follow this  
Followers 0
5r8Ucy4JuO

Plaintext Password In Client Profile

By 5r8Ucy4JuO, ... in Eddie - AirVPN Client

Recommended Posts

5r8Ucy4JuO    1

5r8Ucy4JuO
Posted ...

Dear AirVPN staff

 

First of all, thank you very much for offering such a great service. So far, everything has been working without problems. The Eddie client is taking care of the concerns I had while using VPN (speed, failover, leaks).

 

I have however come across one thing that I am not a big fan of: The client is saving the login details without any regards to security inside the profile (AirVPN.xml). The file itself is readable by every user on the operating system.

 

There are better ways to handle the credential storage: OS X Keychain or the Data Protection API on Windows. This way, other processes or users would not have access to the AirVPN login credentials. I could at least fiddle with the file permissions myself to make the profile readable only by my user, but that is hardly optimal and should be handled by the client and not manually by the user.

 

Maybe there is a good reason that you chose to do it the way it is done now but I thought it would be important to address this.

 

Thank you very much in advance for your feedback.

usr32 reacted to this

Share this post

Link to post

Staff    9751

Staff
Posted ...

 

Dear AirVPN staff

 

First of all, thank you very much for offering such a great service. So far, everything has been working without problems. The Eddie client is taking care of the concerns I had while using VPN (speed, failover, leaks).

 

I have however come across one thing that I am not a big fan of: The client is saving the login details without any regards to security inside the profile (AirVPN.xml). The file itself is readable by every user on the operating system.

 

There are better ways to handle the credential storage: OS X Keychain or the Data Protection API on Windows. This way, other processes or users would not have access to the AirVPN login credentials. I could at least fiddle with the file permissions myself to make the profile readable only by my user, but that is hardly optimal and should be handled by the client and not manually by the user.

 

Maybe there is a good reason that you chose to do it the way it is done now but I thought it would be important to address this.

 

Thank you very much in advance for your feedback.

 

Hello!

 

Thank you for your great feedback!

 

Yes, just like browsers if you don't use a master password to encrypt all other passwords. This option is not currently available in Eddie.

EDIT: the AirVPN.xml file although belonging to root:root is actually readable by every user, you're right. This needs to be fixed.

 

You might like to not tick "Remember" in the login window: in this way the client will not store username and password and you can enter them anytime you run Eddie.

 

Kind regards

Share this post

Link to post

5r8Ucy4JuO    1

5r8Ucy4JuO
Posted ...

Hello!

 

Thank you for your great feedback!

 

Yes, just like browsers if you don't use a master password to encrypt all other passwords. This option is not currently available in Eddie. You might like to not tick "Remember" in the login window: in this way the client will not store username and password and you can enter them anytime you run Eddie.

 

Kind regards

 

Thank you very much for your quick reply.

 

Unfortunately, I have an unattended client and I do need to save the login details since at times nobody is around during startup.

 

Are there any plans to implement this or have there not been enough requests? At the very least, Eddie could set more restrictive file permissions on the profile automatically, that would be fairly simple, although I would prefer the more secure way of using the specific OS APIs to handle this.

Share this post

Link to post

Staff    9751

Staff
Posted ...

 

Hello!

 

Thank you for your great feedback!

 

Yes, just like browsers if you don't use a master password to encrypt all other passwords. This option is not currently available in Eddie. You might like to not tick "Remember" in the login window: in this way the client will not store username and password and you can enter them anytime you run Eddie.

 

Kind regards

 

Thank you very much for your quick reply.

 

Unfortunately, I have an unattended client and I do need to save the login details since at times nobody is around during startup.

 

Are there any plans to implement this or have there not been enough requests? At the very least, Eddie could set more restrictive file permissions on the profile automatically, that would be fairly simple, although I would prefer the more secure way of using the specific OS APIs to handle this.

 

 

Hello!

 

No requests at all but this the correct way hands down, you're right.

 

Kind regards

Share this post

Link to post

5r8Ucy4JuO    1

5r8Ucy4JuO
Posted ...

 

 

Hello!

 

Thank you for your great feedback!

 

Yes, just like browsers if you don't use a master password to encrypt all other passwords. This option is not currently available in Eddie. You might like to not tick "Remember" in the login window: in this way the client will not store username and password and you can enter them anytime you run Eddie.

 

Kind regards

 

Thank you very much for your quick reply.

 

Unfortunately, I have an unattended client and I do need to save the login details since at times nobody is around during startup.

 

Are there any plans to implement this or have there not been enough requests? At the very least, Eddie could set more restrictive file permissions on the profile automatically, that would be fairly simple, although I would prefer the more secure way of using the specific OS APIs to handle this.

 

 

Hello!

 

No requests at all but this the correct way hands down, you're right.

 

Kind regards

 

 

Surprising that nobody has said anything about this

 

Thank you again for your feedback.

 

Kind regards

Share this post

Link to post

zhang888    1065

zhang888
Posted ...

Just a small security related comment...

It doesn't really matter, in terms of security, whether the client config files are readable by anyone or not.

 

The Eddie client, just like any others (Viscosity, Tunnelblick) must have root permissions in order to start,

which makes any attacker capable to access the secure storage APIs OSX provides in order to read the

login/password from there.

There is a great description of those TOCTOU vulnerabilities here, a link which I posted some time ago:

http://blog.zx2c4.com/791

 

To address this issue globally, a different password should be used for the Eddie client rather than the

single-sign-on password for the AirVPN login system. That can be a client certificate, a hashed version

of the password or anything else.

Anything that would make the stored version of it unusable for the AirVPN site login.

Of couse it comes with a slight usability tradeoff, but this is the only -secure- way of implementing this.

Corporate VPNs never store the client login after the first installation, they generate a PKCS#12 cert and

store it afterwards, both on OSX and Linux.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post

Link to post

5r8Ucy4JuO    1

5r8Ucy4JuO
Posted ...

Just a small security related comment...

It doesn't really matter, in terms of security, whether the client config files are readable by anyone or not.

 

The Eddie client, just like any others (Viscosity, Tunnelblick) must have root permissions in order to start,

which makes any attacker capable to access the secure storage APIs OSX provides in order to read the

login/password from there.

There is a great description of those TOCTOU vulnerabilities here, a link which I posted some time ago:

http://blog.zx2c4.com/791

 

To address this issue globally, a different password should be used for the Eddie client rather than the

single-sign-on password for the AirVPN login system. That can be a client certificate, a hashed version

of the password or anything else.

Anything that would make the stored version of it unusable for the AirVPN site login.

Of couse it comes with a slight usability tradeoff, but this is the only -secure- way of implementing this.

Corporate VPNs never store the client login after the first installation, they generate a PKCS#12 cert and

store it afterwards, both on OSX and Linux.

 

As far as I know, the concerns you mention are only a problem if:

1. A process which runs as root has a vulnerability which can be exploited to do arbitrary stuff

2. The OS X Keychain is unlocked

 

However, I do agree with you that using a different password for Eddie would be better than storing the single sign-on password anywhere, no matter how secure the storage is. But using secure storage APIs of the operating systems would still be much better than storing a plaintext password in a world readable file.

Share this post

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
×
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  
Followers 0
Go To Topic Listing
×
×
  • Create New...