3. OpenSSL Releases Security Advisory for FREAK - It has been upgraded from low to ...

OpenSSL Releases Security Advisory for FREAK - It has been upgraded from low to high. Check your VPN

Some clarifications about FREAK:

Because FREAK relies on a MITM scenario, HMAC firewall (tls-auth) only protects you if your tls-auth key is secret and unique to you, rather than shared accross all users. Almost all VPN providers that use tls-auth use a shared key accross all users and therefore do not mitigate the FREAK attack.

"Allow cipher negotiation" is an ambiguous term. There are two different ciphers in OpenVPN. There is the OpenVPN cipher which is set with the 'cipher' option in the config file. This is the cipher that our application lets you change. This cipher is completely unrelated to FREAK.

There is also the TLS cipher, or more correctly ciphersuite. The TLS ciphersuite is automatically negotiated by OpenSSL. There is an option in OpenVPN (tls-cipher) to limit the TLS ciphersuites that the client or server are allowed to select from. This is usually never set because it doesn't need to be (OpenSSL choses the strongest cipher that both the client and server support) except in rare cases like the FREAK attack, see below.

That said, there are two ways for OpenVPN providers to protect against the FREAK attack:

1) Upgrade the OpenSSL version of the client to a non affected version.

2) Disable TLS EXPORT ciphersuites on the server side (using tls-cipher). This is the path that we took back when the FREAK attack was discovered. This prevents any OpenVPN client from connecting with a TLS EXPORT ciphersuite which is what the FREAK attack requires. We preferred this solution because it requires no work for our users and we can be 100% sure that our users are protected rather than only the ones that took the time to upgrade.

If a VPN provider goes with option #1 but not #2 then you will still be able to connect with a TLS EXPORT ciphersuite which means their users are only protected if they have upgraded to the latest OpenSSL.

To reiterate, being able to change encryption level (cipher/auth) client-side has nothing to do with FREAK.

/r/VPN Thread
Previous
Next

Recently removed from /r/VPN

Won't Hackers Just Monitor Traffic At VPN Servers? My cable/wifi provider offers me to view live tv/on demand through their app on mobile, but I must be logged into my home wifi. Would a "self hosted" VPN circumvent this so I could watch no matter my location? Youtube blocking specific youtube video from IP address? Stop using VPNs. They will manually investigate my IP. How do i make it look as legit as possible? Is OpenVP good? Vpn and college. Would an US net neutrality repeal affect US based VPNs and connections to US VPNs? [new server] Cheapest and lightning fast VPN. 1Gbps network, $10CAD/$8USD for 1 YEAR! unlock US netflix, hulu, prime! Limited Quantities, 3 spots left, Free trials available [US] [new server] Cheapest and lightning fast VPN. 1Gbps network, $10CAD/$8USD for 1 YEAR! unlock US netflix, hulu, prime! Limited Quantities, 3 spots left, Free trials available [US] How and can I use VPN at school for example? I wrote a program to start a VM on AWS every time you log into your computer, and turn off the VM when you log out. Different IP every time, no need to trust that logs aren't stored My new user experience with PureVPN My new user experience with PureVPN FinchVPN Does not have a quality service!

More Random Comments

Pizza Contest #11: Writing Prompt: You live up in a world where all people are 'your kind' - like-minded, and very similar to you, for better or worse. Show me around. TIFU by watching VR Porn VBA- Help with going to next row in sequence VBA- Help with going to next row in sequence Amazing Star Wars Themed Christmas Light Display in Newark, CA [WP] Aliens visit earth, but humans arent the race they are interested in and mostly ignore us. The Christmas Spirit is Strong With This House The Christmas Spirit is Strong With This House The Christmas Spirit is Strong With This House [fan content] A Korrasami song "That Other Fire Boy." Lyrics in the comments. If this gets 2000 upsmashings r/circlejerk will become Nigel Thornberry themed Knee-Jerk Rejection Of Things Like Video Games Isolates Conservatives Wife was out shopping for the peasant brother-in-law's gift World of Warcraft: Warlords of Draenor has been live for over a month. Now that the "honeymoon" phase is over, what is everyone's opinion? TIFU by calling my sister a "septic bitch".