Hello

 

I am aware it is not required with AirVPN, but can a user somehow add a password to the User.key using the OpenVPN client?

 

I know you can do it client side, but I have not been able to find the option to do so in the Config Generator (server side).

 

Password is for added security in case the User.key got intercepted when initially sent to me, or somehow gets later copied on my host.

 

end Hello

Link to post

It's been a while, and I still have not received a reply to this question from an AirVPN representative.

 

Allowing a single point of failure (unauthorized access to the config files) seems unnecessarily risky to me. I believe it is reasonable to facilitate a simple password verification to strengthen the overall security of the AirVPN service for those who want to use that added security option.

 

Am I missing something here? Is it not technically possible for some reason?

Link to post

Hello!

 

PKCS#12 is not supported. Which point of failure are you referring to? user.key is transmitted to you over a TLS connection, and anyway possession of the key by an adversary does not allow him/her to decrypt any of your past, present and future communications to/from the VPN server.

 

Kind regards

Link to post

Hello

 

With the recent ProPublica leaks, I don't think I am alone in questioning whether SSL or TLS is secure.

 

I wanted the added security of issuing a password (which I could set/change) every time I logged onto the VPN service.

 

I understand an adversary will not have access to my comms, but they will be able to use the key to access the VPN under my account and do who knows what with. I just feel uncomfortable logging on to a secure service where I don't issue my own changeable password. Maybe it's just me, and this is how all VPN services work.

 

Anyway, if it's not supported, it's not supported.

 

Just one last question. If I now reissue myself with another key, do the previous key(s)/certs remain valid and usable to connect to AirVPN?

 

Thank you.

Link to post

Hello With the recent ProPublica leaks, I don't think I am alone in questioning whether SSL or TLS is secure. I wanted the added security of issuing a password (which I could set/change) every time I logged onto the VPN service.

 

Hello!

 

That's not necessary, our TLS web server implementation includes Perfect Forward Secrecy, so a different TLS key is negotiated (through ECDHE or DHE, according to your browser) with airvpn.org server at each SSL/TLS connection (provided that you don't run an obsolete browser or IE 8 in Windows XP). The underlying preferred encryption is AES-256 (but you can change your preferences on the cipher from your browser) making any attack revealed by the recent leaks ineffective. Please check here:

 

https://www.ssllabs.com/ssltest/analyze.html?d=airvpn.org

 

Anyway you can change your web site password as many times as you wish from your control panel.

 

 

Just one last question. If I now reissue myself with another key, do the previous key(s)/certs remain valid and usable to connect to AirVPN? Thank you.

 

Yes, until the account subscription expires or you explicitly require account de-activation.

 

Kind regards

Link to post
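
An added example, not part of the thread and not AirVPN's code: a small Python audit for the concern raised in the first post, that user.key might be copied from the host. It reports whether a key file or .ovpn profile holds a private key without a passphrase and whether the file is readable beyond its owner. The sample profile, its hostname and the function names are constructed for illustration.

```python
import os
import re
import stat

# Matches any PEM private-key block; group 1 is the label, group 2 the body.
PEM_KEY = re.compile(
    r"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)

# Constructed sample: an .ovpn profile with an inline, unencrypted key.
# The body is placeholder text, not real key material.
SAMPLE_PROFILE = """client
remote vpn.example.invalid 443
<key>
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=
-----END PRIVATE KEY-----
</key>
"""

def key_protection(text):
    """Return 'encrypted' or 'plaintext' for each private key in the text."""
    states = []
    for label, body in PEM_KEY.findall(text):
        # PKCS#8 marks encryption in the label; traditional OpenSSL PEM
        # marks it with a Proc-Type header inside the block.
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or "Proc-Type: 4,ENCRYPTED" in body)
        states.append("encrypted" if encrypted else "plaintext")
    return states

def audit_key_file(path):
    """Return findings for one key file or .ovpn profile on disk."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if os.name == "posix" and mode & 0o077:
        findings.append(f"mode {mode:o} lets group/other access the file")
    with open(path, encoding="utf-8", errors="replace") as fh:
        states = key_protection(fh.read())
    if not states:
        findings.append("no private key found")
    findings += [f"key #{i} is stored without a passphrase"
                 for i, s in enumerate(states, 1) if s == "plaintext"]
    return findings

if __name__ == "__main__":
    print(key_protection(SAMPLE_PROFILE))
```

A key reported as plaintext can be given a passphrase on the client, for example with `openssl pkey -in user.key -aes256 -out user.key.enc`; OpenVPN then asks for that passphrase when it loads the key.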
