macang

Eddie's start-up and login vulnerable?


It seems that Eddie's start-up process (the "phoning home" part) could get disrupted rather easily.

Although I haven't studied the code, it seems that Eddie (as of 2.13.6) contacts a remote server to update system information, as shown in the following start-up log. Of course, it does so when the user authenticates. However, when the connection to the server is severed by a hostile party in the middle (for example by the nation-state), Eddie will time out at this and many things break. You're essentially prevented from connecting to any server, because you're not logged in.

Is there anything we can do to prevent this?

I 2017.10.24 18:54:05 - Eddie version: 2.13.6 / macos_x64, System: MacOS, Name: 10.13, Version: Darwin --- 17.0.0 Darwin Kernel Version 17.0.0: Thu Aug 24 21:48:19 PDT 2017; root:xnu-4570.1.46~2/RELEASE_X86_64 x86_64, Mono/.Net Framework: v4.0.30319
. 2017.10.24 18:54:05 - Reading options from /Users/---/.airvpn/AirVPN.xml
. 2017.10.24 18:54:06 - Command line arguments (0):
I 2017.10.24 18:54:07 - OpenVPN Driver - Expected
I 2017.10.24 18:54:07 - OpenVPN - Version: 2.4.3 - OpenSSL 1.0.2l  25 May 2017, LZO 2.10 (/Applications/Eddie.app/Contents/MacOS/openvpn)
I 2017.10.24 18:54:07 - SSH - Version: OpenSSH_7.5p1, LibreSSL 2.5.4 (/usr/bin/ssh)
I 2017.10.24 18:54:07 - SSL - Version: stunnel 5.40 (/Applications/Eddie.app/Contents/MacOS/stunnel)
I 2017.10.24 18:54:08 - curl - Version: 7.54.0 (/usr/bin/curl)
I 2017.10.24 18:54:08 - Certification Authorities: /Applications/Eddie.app/Contents/MacOS/cacert.pem
. 2017.10.24 18:54:08 - Updating systems & servers data ...
! 2017.10.24 18:54:08 - Ready
. 2017.10.24 18:54:10 - Systems & servers data update completed
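
An added example, not part of the original post and not Eddie's own code: a Python check over a start-up log in the format above that pairs each "Updating systems & servers data ..." line with its completion line and reports attempts that never completed. The second session in the sample and the `max_seconds` threshold are constructed assumptions; the page does not show what a failed update logs.

```python
import re
from datetime import datetime

# Constructed sample: the first session copies lines from the log in the post;
# the second session (no completion line) is invented for this demonstration.
SAMPLE_LOG = """\
I 2017.10.24 18:54:08 - Certification Authorities: /Applications/Eddie.app/Contents/MacOS/cacert.pem
. 2017.10.24 18:54:08 - Updating systems & servers data ...
! 2017.10.24 18:54:08 - Ready
. 2017.10.24 18:54:10 - Systems & servers data update completed
. 2017.10.25 09:00:00 - Updating systems & servers data ...
! 2017.10.25 09:00:00 - Ready
"""

# "<level char> <YYYY.MM.DD HH:MM:SS> - <message>", as seen in the posted log.
LINE_RE = re.compile(r"^(?P<level>\S) (?P<ts>\d{4}\.\d\d\.\d\d \d\d:\d\d:\d\d) - (?P<msg>.*)$")
START = "Updating systems & servers data ..."
DONE = "Systems & servers data update completed"

def parse(log_text):
    """Yield (timestamp, message) for every line that matches the log format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y.%m.%d %H:%M:%S"), m["msg"].strip()

def update_attempts(log_text, max_seconds=30):
    """Pair each update start with its completion; max_seconds is an assumed threshold."""
    attempts, pending = [], None
    for ts, msg in parse(log_text):
        if msg == START:
            if pending is not None:  # an earlier attempt never logged completion
                attempts.append({"started": pending, "status": "incomplete", "seconds": None})
            pending = ts
        elif msg == DONE and pending is not None:
            secs = (ts - pending).total_seconds()
            status = "ok" if secs <= max_seconds else "slow"
            attempts.append({"started": pending, "status": status, "seconds": secs})
            pending = None
    if pending is not None:  # log ended with an update still outstanding
        attempts.append({"started": pending, "status": "incomplete", "seconds": None})
    return attempts

if __name__ == "__main__":
    for a in update_attempts(SAMPLE_LOG):
        print(a["started"], a["status"], a["seconds"])
```

An "incomplete" result only means no completion line was logged after the start line; it does not say why the update failed.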


It seems that Eddie's start-up process (the "phoning home" part) could get disrupted rather easily.

Although I haven't studied the code, it seems that Eddie (as of 2.13.6) contacts a remote server to update system information, as shown in the following start-up log. Of course, it does so when the user authenticates. However, when the connection to the server is severed by a hostile party in the middle (for example by the nation-state), Eddie will time out at this and many things break. You're essentially prevented from connecting to any server, because you're not logged in.


That's totally correct (except for the fact that the remote servers are four in different countries). Eddie developers are aware of it and the next version of Eddie will address this weakness.

 

The problem is not in updating the information (Eddie can very well use the old ones on the HDD when it can't download new ones) but to log the account in the service the first time, download servers information the first time and so on.

 

EDIT: remember that you can configure Eddie to connect over Tor or some SOCKS or HTTP proxy. This could be useful to download info the first time you run Eddie in those networks where the "bootstrap" Eddie servers are blocked but Tor or some third-party proxy is not.

 

Kind regards


Hello staff member,

 

Thank you for the information and the reassurance that you are working on this. I look forward to the updates!
