hashtag 151 Posted ... US and British intelligence agencies have successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails, according to top-secret documents revealed by former contractor Edward Snowden. http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security 61 Michaelboilt, AustinAcibe, Jamesdoorp and 58 others reacted to this Quote Share this post Link to post
hashtag 151 Posted ... How to remain secure against NSA surveillancehttp://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillanceBruce Schneier's response to the article. Quote Share this post Link to post
Staff 10016 Posted ... On top of that, this is an answer given on some tickets a few minutes ago, as a reply to worried inquiries following the new articles on The New York Times and other publications. Hello![Looking deeper into papers and more technical articles, already available] NSA can decrypt only encrypted data for which NSA already has the keys (through back doors or just by getting the keys) or for weak, obsolete ciphers.That's why it's very important to use services (like ours ) which do not possess your key and comply to Perfect Forward Secrecy. For example, when your OpenVPN client establishes a connection to one of our servers, a new TLS key is negotiatied (Diffie-Hellman/Perfect Forward Secrecy) AND and a new TLS re-keying occurs every 60 minutes.Additionally, AirVPN is based on OpenVPN, which is free and open source, and have been and is being under intensive crypto-experts peer-reviews since its birth more than 10 years ago. No backdoor has ever been found.We run OpenVPN with the following ciphers:OpenVPN Data Channel: AES-256-CBCOpenVPN Control Channel: HMAC SHA1RSA keys: 2048 bit sizeOpenVPN in TLS mode (Perfect Forward Secrecy: re-keying at each connection and re-keying every 60 minutes)Now let's assume that NSA (or any other very malignant adversary) breaks into your system or into our secret backend servers and obtain your user.key (the user.key is not kept in the VPN servers, and the location of the backend servers is unknown to everyone except the Air founders; the clients and the VPN servers never communicate directly with the backend servers). Now, the user.key is used to authenticate your client, but the TLS key is re-negotiated. So NSA or that malignant entity could use our VPN with your account, assuming that they get also the certificates (so they can save 7 EUR a month and get a free ride with our service ), but it would not be able to decrypt your communications with our servers. Kind regards Quote Share this post Link to post
Staff 10016 Posted ... Some additions in order to be more precise: You can lower the re-keying time, if you wish so, with the directivereneg-key to be inserted in the .ovpn configuration file (note: this option is not available in the Air client, you'll need to run OpenVPN GUI or OpenVPN directly).You can NOT increase the re-keying time (3600 seconds), because that would need a modification on server side configuration. If you do so, your connection will be lost after the first 3600 seconds.We use "method 2":In method 2, (the default for OpenVPN 2.0) the client generates a random key. Both client and server also generate some random seed material. All key source material is exchanged over the TLS channel. The actual keys are generated using the TLS PRF function, taking source entropy from both client and server. Method 2 is designed to closely parallel the key generation process used by TLS 1.0.Note that in TLS mode, two separate levels of keying occur:(1) The TLS connection is initially negotiated, with both sides of the connection producing certificates and verifying the certificate (or other authentication info provided) of the other side. The --key-method parameter has no effect on this process.(2) After the TLS connection is established, the tunnel session keys are separately negotiated over the existing secure TLS channel. Here, --key-method determines the derivation of the tunnel session keys.Please see the OpenVPN manual for more details.Kind regards Quote Share this post Link to post
degas432 0 Posted ... So in lay terms, what you are saying is that the NSA cannot break AIR VPN encryption. Is that correct please? TIA. Quote Share this post Link to post
Staff 10016 Posted ... @degas432 Yes, we're saying that, but we're saying even more. We're also saying that if (just to make bad science fiction, because all the elements point to the contrary) NSA could break the encryption for ONE of your keys AND discern AND capture the packets stream of a client for THAT key, it could decrypt ONLY the packets stream included in the time frame between two TLS re-keyings (see also on Wikipedia "Perfect Forward Secrecy"). An interesting discussion is here http://crypto.stackexchange.com/questions/579/how-can-we-reason-about-the-cryptographic-capabilities-of-code-breaking-agencies one paragraph of one of the posts is particularly worth to be quoted. It's one month old but it was prophetic in light of the most recent leaked documents:Reading the slides for PRISM the cost of the program is way too low to include any sort of computationally intensive pursuits. It's not a far leap to infer PRISM being a key sharing effort. Several accounts seem to indicate the NSA are actively subverting security on the standards level or in collusion with software developers. If either proposition is true, any serious cryptographer needs to use systems where every component is known and excludes closed source operating systems and software black boxes. One side note as a figurative example: being worried about NSA decrypting your one-hour AES-256 traffic while at the same time running Windows is like being worried exclusively about an asteroid hitting your head when you walk at night alone in San Pedro Sula while happily waving 10000 dollars in your hand.Kind regards 1 fursday reacted to this Quote Share this post Link to post
degas432 0 Posted ... Thanks very much for this response and the great work you do. Can I ask you what operating system you recommend. Is Linux better for example. TIA Quote Share this post Link to post
dwright 25 Posted ... So, suppose my VPN connection was vulnerable to decryption, would using the SSL version with STunnel provide an extra layer of protection? Even if it's not really a significant risk, as you explain. Quote Share this post Link to post
Staff 10016 Posted ... Hello! Yes, it's an additional encryption layer. Unnecessary as you said, if the magic of the attacker could decrypt OpenVPN ciphers before we're all dead, instead of million of years, the additional SSL would be no match as well. Kind regards Quote Share this post Link to post
#!@root88 0 Posted ... Thanks very much for this response and the great work you do. Can I ask you what operating system you recommend. Is Linux better for example. TIA If you're on Windows, I wouldn't trust it as there is no way of viewing the source code, so they could have have backdoors built in. Also, I wouldn't trust Microsoft as far as I could throw them. Linux is making leaps and bounds lately, and I recommend Linux Mint if you're a new user. You can then move onto other Linux distros. I started with Mint, and now I'm using an Arch-based distro which for me is a lot faster. You could also look into FreeBSD if you want a full OS, but your hardware might not work on it. The best thing to do is to download virtualbox and test them before you install them. Have a look at the following sites. http://distrowatch.com/https://prism-break.org/ Quote Share this post Link to post
Anthony.Dellabarba 0 Posted ... Thanks for all this information members and staff. I read the TorrentFreak article yesterday and it did make me wonder. Feel a little better after reading comments above and still feel secure with this VPN provider. Everybody have a great day. Ref: http://torrentfreak.com/nsa-can-spy-on-vpn-traffic-and-other-encrypted-communication-130906/ Quote Share this post Link to post
vashtanerada 0 Posted ... Thanks very much for this response and the great work you do. Can I ask you what operating system you recommend. Is Linux better for example. TIA Disclaimer, I'm a Linux and FOSS fanboy. But I also work with RSF protecting bloggers and journalists who risk their lives. Because open source can be checked for weaknesses and backdoors in a way that commercial software (OSX, Windows) cannot, you gain some confidence with Linux and BSD, especially if you compile your own. For that, I recommend FOSS operating systems, just be careful what proprietary software you install -- many Linux drivers are closed source, so it's not impossible that say, a video or wifi driver could betray you. Sometimes it's difficult to run a purely FOSS system; either for drivers, or for closed software that we all depend on daily (Flash, Adobe Reader, etc.). This, I believe is what Snowden had in mind when he said [much mathematically sound] crypto can be trusted, but that weak endpoint security may make comms security alone not enough. That said, we can have precisely zero confidence in Win or OSX (or IOS, and the closed bits of Android), but we have half a fighting chance with Linux and BSD (and Firefox OS or Ubuntu Touch). Linux Mint will include some closed source drivers and comes pre-compiled (by whom?), but you can have more confidence with them than their closed source alternatives. I agree with previous poster that Mint (and others) are a great start and offer more privacy. After that introduction, you may wish to try something even more trustworthy. I'm working up to OpenBSD myself, but am not there yet. Bottom line, you don't have to be in the top 1% of secure users overnight. Every step we take in the privacy direction makes our past data and leaks more and more obsolete by the second. Just by asking the question, we're no longer the low-hanging fruit. Quote Share this post Link to post
AV_AVPN 0 Posted ... In response to "But I also work with RSF protecting bloggers and journalists who risk their lives. Because open source can be checked for weaknesses and backdoors in a way that commercial software (OSX, Windows) cannot, you gain some confidence with Linux and BSD, especially if you compile your own. For that, I recommend FOSS operating systems" While I hope that FOSS is more secure I'm not sure that can be taken as a given. For everyones consideration, I offer this post that John Gilmore recently submitted to The cryptography mailing list. You can find a archived version with additional discussion Here:http://www.mail-archive.com/cryptography@metzdowd.com/msg12325.html Re: [Cryptography] Opening Discussion: Speculation on "BULLRUN"John Gilmore Fri, 06 Sep 2013 17:49:35 -0700 Speaking as someone who followed the IPSEC IETF standards committeepretty closely, while leading a group that tried to implement it andmake so usable that it would be used by default throughout theInternet, I noticed some things: * NSA employees participted throughout, and occupied leadership rolesin the committee and among the editors of the documents* Every once in a while, someone not an NSA employee, but who hadlongstanding ties to NSA, would make a suggestion that reducedprivacy or security, but which seemed to make sense when viewedby people who didn't know much about crypto. For example,using the same IV (initialization vector) throughout a session,rather than making a new one for each packet. Or, retaining away to for this encryption protocol to specify that no encryptionis to be applied.* The resulting standard was incredibly complicated -- so complexthat every real cryptographer who tried to analyze it threw uptheir hands and said, "We can't even begin to evaluate itssecurity unless you simplify it radically". See for example:https://www.schneier.com/paper-ipsec.htmlThat simplification never happened.The IPSEC standards also mandated support for the "null"encryption option (plaintext hiding in supposedly-encryptedpackets), for 56-bit Single DES, and for the use of a 768-bitDiffie-Hellman group, all of which are insecure and each of whichrenders the protocol subject to downgrade attacks.* The protocol had major deployment problems, largely resulting fromchanging the maximum segment size that could be passed through anIPSEC tunnel between end-nodes that did not know anything aboutIPSEC. This made it unusable as a "drop-in" privacy improvement.* Our team (FreeS/WAN) built the Linux implementation of IPSEC, butat least while I was involved in it, the packet processing codenever became a default part of the Linux kernel, because ofbullheadedness in the maintainer who managed that part of thekernel. Instead he built a half-baked implementation that neverworked. I have no idea whether that bullheadedness was natural,or was enhanced or inspired by NSA or its stooges.In other circumstances I also found situations where NSA employeesexplicitly lied to standards committees, such as that for cellphoneencryption, telling them that if they merely debated anactually-secure protocol, they would be violating the export controllaws unless they excluded all foreigners from the room (in aninternational standards committee!). The resulting paralysis is howwe ended up with encryption designed by a clueless Motorola employee-- and kept secret for years, again due to bad NSA export controladvice, in order to hide its obvious flaws -- that basically XOR'deach voice packet with the same bit string! Their "encryption"scheme for the control channel, CMEA, was almost as bad, beingbreakable with 2^24 effort and small numbers of ciphertexts:https://www.schneier.com/cmea-press.htmlTo this day, no mobile telephone standards committee has consideredor adopted any end-to-end (phone-to-phone) privacy protocols. This isbecause the big companies involved, huge telcos, are all in bed withNSA to make damn sure that working end-to-end encryption never becomesthe default on mobile phones.John Gilmore Quote Share this post Link to post
Staff 10016 Posted ... Hello, side note: in 2010, when AirVPN was being born, we discarded PPTP (that was an obvious choice) and after a careful evaluation we picked OpenVPN and discarded IPsec as well. There are even additional considerations about IPsec, on top of those that you have kindly reported, which convinced us to prefer OpenVPN. Kind regards Quote Share this post Link to post
vashtanerada 0 Posted ... While I hope that FOSS is more secure I'm not sure that can be taken as a given. I hope I didn't give the impression that FOSS is a magic bullet. It's not, and I only say we have a fighting chance with it compared to closed-source. On the topic of IPSec, I've found it exceedingly difficult to find IPSec VPNs that are not commercial vendor-supplied, either as libraries or full solutions. My hands are tied at the office where Cisco rules and OpenVPN is a tough and incompatible (with other businesses/partners) sell. I can only hope that that will change now or soon the same way that TOR use has doubled in the past month. Fortunately, FOSS and OpenVPN are much more accessible to those who still choose to risk a blog when their freedom from harassment, at very least, is at risk. I absolutely assure them as much and more than I assure you now, that there are herds and herds of smarter and near-infinitely funded infosec people working for every country's TLA agencies than I can hope to match even as a pro and hobbyist. We can only share what we know. Let's hope that people who need it will become as good or better than us, whether we're CYA as a whistle-blower, a journalist, HIV+ and looking for support, a doctor, an NGO in hostile territory, or just staying off the radar for a Breaking Bad download. I hate that we can't trust our own computers anymore. It is a sad day. Quote Share this post Link to post
Staff 10016 Posted ... Hello, as an important side note that we forgot to mention, the airvpn.org web site does support Perfect Forward Secrecy through both Diffie-Hellman (DHE) and Elliptic Curve (ECDHE) keying, provided that you do not use an obsolete browser. It also supports TLS 1.2. You can check any web site, for example, through the SSL Labs web site to see all the features: https://www.ssllabs.com/ssltest Enter the web site you wish to check and wait for the full test to be performed. Kind regards Quote Share this post Link to post
amazeballs 2 Posted ... Hi, bit of a noob question:I can see that you use a 2048 Bit RSA key which is great and a 256bit AES cipher (also great), however I was just wondering about the level of encryption on the connection. Do you use Elliptic Curve Cryptographic security on the symetric cipher? Cheers! Quote Share this post Link to post
bubbba 3 Posted ... Is there a way to use this via DD-WRT in the OpenVPN config? I tried adding it to 'Additional Config' box just as I had it in my .ovpn files but that didn't seem to work. It worked great in the .ovpn file just by adding "reneg-key 120". Thanks... Quote Share this post Link to post
amnesty 18 Posted ... You can check any web site, for example, through the SSL Labs web site to see all the features: https://www.ssllabs.com/ssltestWhen I test a site, does it matter (in your opinion) who the Certificate Issuer is (issued by a U.S. company or not)? Would running OpenVPN on a DD-WRT router (appliance) be more secure than OpenVPN on a single (Win, OS X and/or Linux) system? Tnx for your service Quote Share this post Link to post
McLoEa 25 Posted ... Thank you for this discourse folks,I was getting concerned that the NSA,GCHQ et al had our encryption keys and could tap in whenever they want to but the reminder that Open VPN is an open source program has partially laid my mind to rest.I do still have concerns about the software and maybe even the processor manufacturers though but those arguments belong on a different forum I guess. Quote Share this post Link to post