Question about BolehVPN - passwords stored in cleartext?

Recently I've started looking around for a good VPN service that takes privacy seriously. From what I've been able to scrape together from these forums and elsewhere on the net, BolehVPN is an excellent service, and many threads here on Wilders speak highly of them.

I had decided that I'd give them a shot and set up a login (before paying or activating any VPN service), and I was positively shocked when I went to the profile information page to see my account password presented to me! This means they store all of their credentials in cleartext! This is security no-no number ONE, and I was baffled that a service supposedly established for privacy and security would make such a blunder. My password, username, and account number were additionally sent to me in cleartext via email.

Am I missing something? I feel like Wilders wouldn't give BolehVPN the praise it has if it were an disreputable service, but storing passwords in cleartext makes me feel extremely uncomfortable about actually giving them money. Is this not as big a deal as I think it is?

 

First, BolehVPN's focus is torenting, not privacy, security, anonymity and so on. Second, it is really not that big of a deal. Some providers don't even use username+password authentication. For them, all you need are their CA certificate (which confirms that you're connecting to one of their servers) and your client certificate and key (which verify that you're a paying client). Using two factor client authentication helps protect providers from bad clients. If someone steals your client credentials, they could get free service. However, they couldn't snoop on your VPN connections, or access any of your stuff. At worst, you might get blamed for their crimes. But you could also blame your crimes on them.

 

Actually that is your login creditenals and password not for the VPN, the VPN security is through certs and key...

They're a good VPN, but they still target themselves for P2P, so at what level is their security, hmm good question...

 

Regardless of what or who they're targeting with their service, basic security of customer personal information is not only common sense, it's respect due to your customer base. Email addresses, login names, and passwords should be hashed and salted no matter what you're doing. Never store passwords in cleartext. NEVER.

It doesn't engender much confidence for me to give my money to them. How are they storing credit card information? Notice they're running a forum, too. How many websites have been hacked recently by placed file intrusions through a forum? Even Steam!

Anyhow, my main reason for asking here is I don't really know what the main information at risk is if your login is compromised. It sounds like not a whole lot depends on the login and password used to sign up - If an account were compromised, would it be possible to recover it? Could the thief use stored billing data to make charges to the VPN service, and then change your password, to basically get a free lunch out of you? Or is it a completely useless login?

In other words, let's say you signed up for BolehVPN, and got it working. Then, their forums get hacked and their databases are stolen (not unlikely), and your password/username are stolen. What do you risk losing?

It's a got me a bit miffed. I was all set to drop the scratch and sign up with them. Out of all the myriad VPN services I've been pouring over, they seem like the only solid choice.

 

Certainly clear text is not good and you should contact them and discuss this with them and ask they improve this, they seem to listen and it might help...

 

Good idea, DasFox. I have a question in to BolehVPN and I will report back here once I get an answer!

 

I got two responses from BolehVPN regarding the storage of user data in cleartext:

 

Good to hear, if you use them, keep after them and let us know...


THANKS

 

I have concerns about this also. If it is being sent in clear text, that means anyone listening between here and there can pick up your password, which also gives them access to your login information on boleh directly. That means anyone can go in, pick up your user info and/or keys, and nothing then is protected at all, based off my limited knowledge on the subject. Since Boleh uses the same username and pwd for login for VPN as they do their main site, then the very first line of defense is completely down. If you are not concerned with IP masking as much as you are hiding from your ISP, then having a VPN seems pointless from this perspective. Being two months away from a fix to this problem raises even bigger concerns. I would think this is something that should be fixed by the end of the week, not the end of the next quarter.

Just my confused thoughts though...

 

Here's the problem, their thinking has been more towards being just a p2p provider and in that process, they seemed to have lost sight of maintaining a high level of security.

They also don't seem to realize that being a vpn tailored specifically for p2p torrents could end up becoming a bigger target for law enforcement crack down, instead of a vpn that most people see as one that is just saying we are about privacy and security, that most people want just for an internet connection is all.

In the world of law enforcement that scours our web, to talk about p2p with torrents is a matter of piracy.

So how in someone's mind you end up offering a vpn torrent service and you don't take your security very serious, it's beyond me.

Maybe the problem is they think they are to far away from the law that has the greatest impact on the world, which is America and maybe to them in their own county of Malaysia this isn't much of an issue and their government could care less, or cooperate with other countries...

Well guess again, if the USA thinks you are causing an impact in the world of piracy, music and movie downloads, they're going to come after you.

The thing is, they have to find you, well BolehVPN does seem to have a bit of a name in vpn circles, next the law needs to know whether or not there's a problem, only time will tell.

One thing I wonder about if there are some massive torrent users on this service going at it 24/7 because if you start moving that much bandwidth all the time, they'll come knocking...

 

First of all our order site is secured with https so it's not so simple to 'intercept' passwords. It's already secured using https via a VERIFIED SSL certificate. In any case you always send your passwords in cleartext if there is no https protection. To have your passwords encrypted again is an added protection and yes we agree with you guys that we should do this but this doesn't mean we're unsecure. We wanted to make it as easy as possible and let's just put it this way, we have users who don't know how to upgrade their configurations despite it only taking ONE BUTTON PRESS so we figured to make it as easy as possible despite the reduced security as in any case it was already protected with HTTPS. Our admin panel is going through a security audit and we are beefing up its security so development takes time. This password matter is merely one of the matters we are addressing. I cannot go into details for obvious reasons but rest assured that we're looking into it.

Secondly, even before this, ONLY the proxied servers were unencrypted and we made it clear that if you want full encryption, you go by the Fully-Routed options which are encrypted. However as of 25 December ALL SERVERS ARE ENCRYPTED.

We started off with a totally different base of users with different concerns and we felt at the time that we had to cater to both those who didn't want that 5% drop in speed and just wanted a traffic shaping bypass. Even as we implemented encryption, we angered quite a few of our most loyal subscribers despite our explanation that it was for their own good. Our management had a long discussion on this and we decided to take this risk for the greater good.

Their reasoning was, we already have both choices, we can go encrypted if we want security, and we can go unencrypted if we want that slight speed boost which is a fair assessment. Some of them also said, I PAID FOR THIS SERVICE for one year to be a certain way but now you're changing it. However new users who do not know our history tend to bash our service saying we don't care about security/privacy or they may not read through the guides well enough to understand what our different configurations do.

So at the risk of disenfranchising our most loyal customer base (many of them that have been with us since 2007), we decided to go ahead with encryption anyway. I'll leave you to draw the conclusions of whether we are security/privacy conscious or not.

One of the reasons why my partner Pit Boss in one of his less patient days just simply replied to DasFox to say we're a P2P VPN only that doesn't care about privacy is that he was simply tired of answering pages and pages of questions many of which we have answered before in excruciating detail only to have it ignored again or completely misunderstood or criticizing a problem that simply does not exist or going into technical details that a user may not completely understand unless they understand VPNs very well. I will not post these correspondences for privacy reasons but just a quick count shows that more than a 100 e-mails have gone between us, many of them containing large volumes of text. Replying to even one of these e-mails can take up an hour or more as we need to be careful and accurate. I don't know any other VPN provider who would answer queries to this extent.

I know DasFox means well and we welcome his contributions. A lot of the changes we made were partly influenced by our correspondences with him and we thank him greatly for that.

But I think due to the way our responses have been sometimes misconstrued and quoted in public forums, we will from now on be very wary in giving responses to probing questions from unknown users of which we have been receiving an abnormal amount of and many of which do not lead to sales. We'll instead post a more detailed FAQ when we can. Hopefully this will also free up support to respond to technical problems in a more timely fashion as well.

 

Also previously, utorrent leaked data out of the proxy although it was specified to use the proxy hence we felt it was pointless to secure the proxied setups when the major torrent client could not handle it securely. This was fixed in subsequent releases just this year and another reason why we have decided to also implement encryption.

 

I have asked several questions of your VPN and I feel you all have done an excellent job in answering them in a timely manner. You also ALWAYS fully answer the questions I ask. I appreciate this greatly. Your VPN gets a A+++ from me for customer service. I sometimes am not sure what people are expecting from a VPN. They seem to expect PERFECTION. Well there is no perfect VPN out there. People seem to expect a VPN to protect EVERYONE including the person that is hacking into government computers etc. I pointed out how ridiculous I found this here: https://www.wilderssecurity.com/showpost.php?p=1994074&postcount=498

For anyone that doubts that BolehVPN cares about your privacy and security read this from there forum: http://www.bolehvpn.net/forum/index.php/topic,6499.msg36395.html#msg36395

Sure they are going through some changes and are improving somethings but this is a top notch VPN in my opinion.

 

Forgot to update here but with the implementation of our new portal, the passwords are now encrypted. Thanks!