Answered: Initial thoughts on security from a new user

dave4444

New Member
My initial thoughts...

--

1) there seems to be quite a flaw in the password distribution design.

While I can understand distributing an initial password via email I went to change the initial password after logging into the HTTPS server via the 'Apply for a new password' form. After entering the supplied PIN the new password was displayed via HTTPS which is fine with banners saying "this will only be displayed once" or similar words.

That's good, however moments later I received another email with the new password. This completely defeats the point of changing the password! Please stop leaking user passwords via email when passwords are changed!

--

2)

As an experienced openvpn user and basic knowledge of SSL/TLS I became somewhat concerned as I was reviewing the supplied .ovpn files.

The provided config files uses both auth-user-pass and TLS, that's good. However the included config contains a CA Cert, Client Cert, Client Private Key, and TLS-Auth PSK.

Decoding the Client Cert, it is unique to the server but not unique to me and the provided client private key presumably is also not unique. This would seem to indicate all users of PP are using the same OpenVPN private keys for TLS (one per server). Is this true? Seems like a major secuirty issue defeating the whole point of a VPN as the TLS connection would be used to send session keys after user-pass auth is succesful.

Ideally, each user should be submitting a CSR for thier own Client Cert to PP for signing by PP's CA keeping the private key to themselves. Old users would then get their cert revoked when no longer using the service if needed.

Distributing private TLS data to all members (and it appears the same for all users), seems like a show stopper to me.

--
 
Solution
1) What "point" in changing the password is it that is defeated?
Your password does not affect the security of the vpn or its encryption. Email servers use encryption when communicating to each other. So the attack scenario would be that the attacker would have to get the email from your email providers mail server, and could then use Perfect Privacy without paying for it.

2) Thats not how encryption works. The client key authenticates you to the server, along with the password. Its not some kind of shared encryption key everybody uses. The encryption is done using a session secret that uses perfect forward secrecy.

Regards
Lars

PP Lars

Staff member
1) What "point" in changing the password is it that is defeated?
Your password does not affect the security of the vpn or its encryption. Email servers use encryption when communicating to each other. So the attack scenario would be that the attacker would have to get the email from your email providers mail server, and could then use Perfect Privacy without paying for it.

2) Thats not how encryption works. The client key authenticates you to the server, along with the password. Its not some kind of shared encryption key everybody uses. The encryption is done using a session secret that uses perfect forward secrecy.

Regards
Lars
 
Solution
Top