Hi,

On 16/12/16 16:34, Sebastian Rubenstein wrote:
>> Sent: Friday, December 16, 2016 at 2:31 PM
>> From: "Jan Just Keijser" <janj...@nikhef.nl>
>> To: "Sebastian Rubenstein" <asdf123...@gmx.com>,
>> openvpn-users@lists.sourceforge.net
>> Subject: Re: [Openvpn-users] Experts' opinions needed: Is my VPN provider
>> using weak or strong encryption algorithms?
> Hello Jan, thanks for your reply.
>
> I have learnt something new from you. I was under the impression that
> tls-auth is used to protect customers while in actual fact, it is used to
> protect the VPN provider's servers. How ignorant of me!
>>
>> Not really - it means they use tls-auth to protect their servers against
>> DDoS attacks. I'd not trust the tls-auth key file provided by a large
>> VPN provider at all, as almost *anybody* will have access to that file.
>>
>>
> Having said that, what alternatives would you propose that a large VPN
> provider could use, since *every customer* will have access to tls-auth key
> file?
>
>

Well, it's not 100% black and white: current VPN providers will use tls-auth mostly to protect their own servers, but it *does* protect the clients a little bit as well - it prevents DDoS attacks on the VPN client as well (but those hardly ever occur in the first place) and it actually makes it slightly harder for the NSA to decrypt the traffic ;)

With the upcoming 2.4 release and/or the new tls-crypt option security *is* improved for the clients, as it will become harder to sniff any part of the initial control channel negotiation. That doesn't mean that *without* tls-crypt your connection is not secure, it just means that with tls-crypt your connection is 0.5% more secure.

JJK