Jump to content
Not connected, Your IP: 3.144.31.17
Sign in to follow this  
xorg

SSL Test problem on SSL over VPN port 433 or am i missing something?

Recommended Posts

Hi,

I tested the SSL grade thanks to htbridge.com, unfortunately, I received a grade F on Alrai server (and many others) for the SSL over VPN, so am i missing something with the way stunnel works, or is it really dangerous?

 

For Menkab (Sweden): https://www.htbridge.com/ssl/?id=087337b0aad4a04ca5a4ed25d9468e7f67cd3df4ee86a7cdd4b7f4c700d92de6

 

FYI i'm using the portable expermiental client (because I had a lot of bugs with Debian Testing)

 

 

Share this post


Link to post

Out of curiosity I loaded the url and checked AirVPN Antares as I use SSL:443 as a gesture to make it harder to block or track VPN use by the "Internet Police/Regulators/Dataharvesters".

So 103.254.153.100:443 gets an "F". Checking the detailed report, it complains about self-signed and weak certificate and presence of weaker cipher suites with client side renegotiation. Not a security expert, but some system/network admin experience. Seems like a small degree of weakness for attack by agency with big resources, but passes for strong security, "grade C" ?

It would be nicer to be fixed and get an "A", and then brag about it on the front webpage blurb. And would "cover your a***" in some commercial organisations if chosen AirVPN rather than outsourced "security" to this ImmuniWeb org at big cost.

And of course the probability of breaking SSL multiplied by the probability of breaking OpenVPN multiplied by the probability of you being Donald's accountant is a very small probability.

Share this post


Link to post

These tests are irrelevant if you test the VPN servers, SSL is only used as a method to bypass DPI, and not for an additional security. Even SSLv2 support is ok for that.

The only amount of encryption is needed there to make it look like real SSL for restrictive networks or traffic shaping appliances.

The data channel and control channel of the actual OpenVPN connection are still encrypted with TLS1.2 and AES-256-CBC with HMAC-SHA1 for authentication.

 

The real tests you should make are supposed to be on the actual https://airvpn.org website, which complies to all modern security standards, and will obviously

score A+ on various TLS testing services, such as Qualys SSLLabs: https://www.ssllabs.com/ssltest/analyze.html?d=airvpn.org&s=5.196.64.52&hideResults=on


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image
Sign in to follow this  

×
×
  • Create New...