Hello, Privateinternetaccess.org supplies secure VPNs. Their Windows installer (v75) has a SHA256 result that does not match what is supplied on their website.
Fucking terrible "security" solution, is it not? As a prospective user of OpenBSD, I would hope that this never occurs, and that free software would fulfill its promises. I am considering switching to OpenBSD, but am afraid that I will be overcome by the difficulty of learning Linux commands. I am not incompetent and willing to read code and manpages, just timid, about this "big change." As part of considering OpenBSD adoption, I am extremely focused on security. However, trivial and fundamental issues are difficult to work around. My conclusion that the privateinternetaccess.org security solution is terrible is not necessarily well-founded. The checksum could be modified for these reasons: - file was messed with in transit to me - incompetent administrators did not update the checksum when they updated the file I suspect the latter, and unless my support ticket currently opened with Private Internet Access is resolved to my satisfaction I will be forced to use a free software solution. I am patient, but intolerant of stupidity. The determination remains to be made. GNUPG is my first step towards a cryptographically secure future. However, in downloading it, I am confronted by a serious problem. They state the following: Comparing Checksums If you are not able to use an old version of GnuPG, you can still verify the file's SHA-1 checksum. This is less secure, because if someone modified the files as they were transferred to you, it would not be much more effort to modify the checksums that you see on this webpage. As such, if you use this method, you should compare the checksums with those in release announcement. This is sent to the gnupg-announce mailing list (among others), which is widely mirrored. Don't use the mailing list archive on this website, but find the announcement on several other websites and make sure the checksum is consistent. This makes it more difficult for an attacker to trick you into installing a modified version of the software. As a result, I obtained an SSL/TLS server test to determine whether they would be exposed to MITM despite their https:// prefix due to no implementation of HSTS. GNUPG is HSTSecure. Private Internet Access is not, another flaw in their system. However, the classic Orwellian security problem cannot be solved in this case. The serious problem is that HSTS does not prevent a first-time user from being MitM'd when they visit the site, and I may have been attacked every single time. I have not yet verified the SHA1 sum in the archives -- are they correctly in stating that this is the best method? How can I positively verify an OpenBSD install is secure? How can implementing secure processes begin? Do I need to write my own checker from scratch to know that things are operating properly? That's a joke, but it's not that funny, is it? If a user on a compromised device installs an operating system with privilege separation, pledges could still be meaningless. What is the correct way to wear a tinfoil hat? Regards
