
Hello

I used the Eddie software to connect to AirVPN's servers.
I tried to sniff traffic when the Eddie software started and I found a privacy/security issue due to authentication.
Eddie sends encoded data to the AirVPN website via HTTP in the clear (before and after login)!
 
BEFORE AND AFTER LOGIN:

* Host: 52.48.66.85:80 (Amazon Server with AirVPN website)

- Request:

POST / HTTP/1.1
Host: 52.48.66.85
User-Agent: curl/7.55.1
Accept: */*
Content-Length: 817
Content-Type: application/x-www-form-urlencoded
    
s=[ENCODED_DATA_HERE]  (what data is sent before login and what after?)

- Response:

HTTP/1.1 200 OK
Server: nginx
Date: Wed, 13 Sep 2017 16:20:38 GMT
Content-Type: application/octet-stream
Content-Length: 65472
Connection: keep-alive
Pragma: no-cache
Expires: 0
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-AirVPN-Bk: 1

So Eddie uses the AirVPN website (HTTP POST) to authenticate the user. This is very much a security/privacy concern because any entity with access to that web site (AirVPN admins and law enforcement) can catch the user's real IP address (username -> real IP address -> VPN server used). Many users chose to register on the AirVPN website via proxy. AirVPN's current login scheme renders any security/privacy measures taken by the user during registration completely useless.
 

Thank you

 


No security/privacy issue here. Obviously both the authentication server and each OpenVPN server will know the IP you are connecting from, this is how TCP/IP works.

 

The OpenVPN connection has nothing to do with the initial connection with Eddie, after the login process Eddie gets a list of servers, and then OpenVPN is used to do the rest.

 

Eddie can also work in a way where your initial connection will go via Tor first:

https://airvpn.org/tor/


Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.


Hello

> No security/privacy issue here. Obviously both the authentication server and each OpenVPN server will know the IP you
> are connecting from, this is how TCP/IP works.

I know how TCP/IP works. However, the issue is how Eddy authenticates the user.
Each OpenVPN server will know the IP you are connecting from: OK, that's correct. But a middle authentication server (serving requests via HTTP is not correct, it's very BAD [1]). This introduces another very weak link in the chain.

Any third entity with access to the middle authentication server could compromise user privacy/anonymity.
(Amazon VPS? Are you really sure that a third party like Law Enforcement or Intelligence Agencies could get no access [either covert or overt] to that server?)

[1] And also why HTTP and not HTTPS? I read your link https://airvpn.org/topic/11545-airvpn-client-eddie-beta-testing-phase/#entry17709 but I don't understand why you have to "downgrade" security by using a cleartext protocol (even if you say the content of the HTTP parameters is encrypted).
 
Thank you
 


> I know how TCP/IP works. However, the issue is how Eddy authenticates the user.

 

Hello,

 

the name is Eddie, not Eddy

 

 

> Each OpenVPN server will know the IP you are connecting from: OK, that's correct. But a middle authentication server (serving requests via HTTP is not correct, it's very BAD [1]). This introduces another very weak link in the chain.

 

You have already received an explanation to show that you have assumed a false premise. From a false premise you unavoidably build wrong conclusions. However, you pose additional interesting arguments which are unrelated to your original one.

 

 

> Any third entity with access to the middle authentication server could compromise user privacy/anonymity.
> (Amazon VPS? Are you really sure that a third party like Law Enforcement or Intelligence Agencies could get no access [either covert or overt] to that server?)

 

Not at all.

 

Before anything else, let's make it clear that law enforcement agencies are not in general our enemies, EXCEPT of course those agencies which operate under a legal framework which is incompatible with the ECHR, the Charter of Fundamental Rights of the EU - and more in general, with the EU law. Defeating them and more sinister criminal organizations is of course one of the purposes of our service.

 

What you call middle authentication servers are useless to an adversary which gets access to them. Their purpose is the authorization to access the service and NOT to negotiate the encryption keys of the Data Channel.

 

On top of that, users' data are not there (of course, this does NOT mean that we encourage entering your real name and surname in your username, or using an e-mail address that can be exploited to disclose your identity). In this respect, and as a generic security rule, it would be wrong to store on each and every VPN server the clients' credentials, data, certificates and keys. Trivially, this would expose such data to a myriad of datacenter technicians, multiplying the risk by the number of datacenters --- and would also pose some additional concerns about correlations with different servers' usages, illegality of storing data outside the EU, violation of our Terms of Service and more, but the first cited reason is more than enough to close this argument.

 

That said, let's go on to the next step, because apparently you are raising and mixing a third, different security concern. You must ask yourself what an adversary could do with a client key and certificate. Connecting to our VPN servers as if he/she was the legitimate customer, sure. Decrypting the flow of data of the legitimate user to some VPN server, even if the adversary is wiretapping the client line? Of course not. You can easily see how this is not possible, we leave that as an exercise for you (hint: check https://airvpn.org/specs ).

 

 

> [1] And also why HTTP and not HTTPS? I read your link https://airvpn.org/topic/11545-airvpn-client-eddie-beta-testing-phase/#entry17709 but I don't understand why you have to "downgrade" security by using a cleartext protocol (even if you say the content of the HTTP parameters is encrypted).

 

You still have not understood the content, please re-read and study.

 

Also feel free to elaborate an attack with which you could decrypt the flow of data between a client and a VPN server if you have access simultaneously to the three following different cases:

1) the data exchanged in the authentication procedure

 

1) the target Internet line

2) the data exchanged in the authentication procedure

 

1) the target Internet line

2) the data in the authentication procedure

3) the client certificate and key

 

[let's disregard momentarily, for the sake of discussion, that an adversary accessing the target Internet line could save himself/herself any almost-impossible task with much simpler and more effective attacks, such as infecting the system of the target with spyware, especially when the target runs Windows/Android/iOS]

 

> Thank you

 

 

Thank you for this interesting discussion. However, let's continue with the correct premises.

 

Kind regards
