VPN Provider says they support Perfect Forward Secrecy but I am not so sure.

Discussion in 'privacy technology' started by DarkManX, Apr 1, 2014.

Thread Status:
Not open for further replies.
  1. DarkManX

    DarkManX Registered Member

    Joined:
    Apr 1, 2014
    Posts:
    2
    Location:
    United States
    I have really looked all over for an answer to this. I signed up for a VPN service that provides a ca.crt and ta.key only. When I asked if they support PFS the tech told me yes the keys are re-negotiated every 30 minutes (what keys?) I asked what keys and never got an answer. I understand what the ca.crt does and that the ta.key is for control channel auth but there are no other keys so how do they support perfect forward secrecy?
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    OpenVPN servers can authenticate clients using client.crt/client.key or username/password, or both methods. You have perfect forward secrecy either way. See the OpenVPN HOWTO <http://openvpn.net/index.php/open-source/documentation/howto.html> and Security Overview <http://openvpn.net/index.php/open-source/documentation/security-overview.html>.
     
  3. DarkManX

    DarkManX Registered Member

    Joined:
    Apr 1, 2014
    Posts:
    2
    Location:
    United States
    I assume user/pass is the least preferred method?


    Thanks for the links I never seen the security overview one
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    That's a complicated question. Using certificates is probably more secure. And using user/pass requires custom server-side scripting, which could be buggy.

    But on the other hand, if each user has a unique certificate, it's easy to identify a user's traffic in logs, and to ban bad users by revolking their certificates. And that's bad for anonymity. Good providers use the same certificate for all users.

    The OpenVPN wiki is not very well organized or indexed :(
     
Loading...
Thread Status:
Not open for further replies.