Hello Jan, Thanks for your reply.
> Sent: Friday, December 16, 2016 at 2:24 PM
> From: "Jan Just Keijser" <[email protected]>
> To: "Sebastian Rubenstein" <[email protected]>, [email protected]
> Subject: Re: [Openvpn-users] Keywords to look for that may indicate a VPN provider is providing strong encryption/decryption?
>
> - you can add 'remote-cert-tls server' yourself and if your VPN does not come up (i.e. the server fails this test) then I'd *not* trust the server or the VPN provider

Thank you again. This is a significant piece of information for me :)

> - tls-auth + key-direction is nice but it adds a false sense of security: as discussed earlier, tls-auth is based on a pre-shared secret amongst *ALL* VPN clients - this means that anybody that subscribed to that particular VPN provider at some point in the past probably has that tls-auth key file. You can also bet that security services (FBI, NSA etc) will have that tls-auth key already. The only extra benefit of having the tls-auth file is that it prevents some DDoS flooding attacks, mostly against the *server*.

I really appreciate your taking the time to explain the above to me. It seems to me that using the --tls-auth key file is not good for security at all, as an expert had earlier replied that anyone who has the --tls-auth key file could inject malicious packets. What viable alternatives would you propose, please?

> - a private key size of 4096 does not mean anything. What is more important is that the CA certificate used to sign the client and server certs is 4096 bits (or EC based) and that the remaining certs (intermediate, server, client) are at least 2048 bit in strength; increasing the strength beyond that is useless for now (RSA 2048 has not been broken yet) and it will only slow things down.

There is no way for a customer like me to get hold of my VPN provider's server and intermediate certificates to check if the cipher strength is at least 2048 bits, correct?

Regards.
Sebastian
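An added illustration of the shared-secret point Jan makes above (example code written for this page, not from the thread or from the OpenVPN project): it parses a constructed static key file, carves out the per-direction HMAC slices the way OpenVPN's key-direction does, and shows that the server and any two holders of the same file all compute the identical tag, so tls-auth filters traffic from outsiders but cannot tell clients apart. The packet bytes are a placeholder, not OpenVPN's real control-channel layout.

```python
import hashlib
import hmac
import re

# Constructed sample: an OpenVPN static key is 2048 bits = 256 bytes, written as
# 16 lines of 32 hex characters. Real files come from `openvpn --genkey`.
SAMPLE_TA_KEY = (
    "-----BEGIN OpenVPN Static key V1-----\n"
    + "\n".join(f"{i:02x}" * 16 for i in range(16))
    + "\n-----END OpenVPN Static key V1-----\n"
)


def parse_static_key(text):
    """Return the 256 raw key bytes from an OpenVPN static key file."""
    m = re.search(r"-----BEGIN OpenVPN Static key V1-----(.*?)"
                  r"-----END OpenVPN Static key V1-----", text, re.S)
    if not m:
        raise ValueError("no OpenVPN static key block found")
    raw = bytes.fromhex("".join(m.group(1).split()))
    if len(raw) != 256:
        raise ValueError(f"expected 256 key bytes, got {len(raw)}")
    return raw


def hmac_keys(raw, key_direction):
    """Assign the two 64-byte HMAC slices (bytes 64..127 and 192..255) to
    send/receive. Direction 0 sends with slot 0 and receives with slot 1;
    direction 1 is the mirror image, which is why the server and every client
    are configured with opposite directions. Cipher slices are unused here."""
    slots = (raw[64:128], raw[192:256])
    out_slot, in_slot = (0, 1) if key_direction == 0 else (1, 0)
    return {"send": slots[out_slot], "recv": slots[in_slot]}


def tag(hmac_key, packet, digest="sha1"):
    """HMAC tag; OpenVPN keys the HMAC with the first digest-length bytes of
    the slice (20 for the default `auth SHA1`)."""
    return hmac.new(hmac_key[:hashlib.new(digest).digest_size], packet, digest).digest()


def demo():
    raw = parse_static_key(SAMPLE_TA_KEY)
    server = hmac_keys(raw, 0)      # key-direction 0 on the server
    client_a = hmac_keys(raw, 1)    # key-direction 1 on every client
    client_b = hmac_keys(raw, 1)    # any other subscriber holding the same file
    packet = b"constructed placeholder, not the real OpenVPN wire layout"
    t_a, t_b = tag(client_a["send"], packet), tag(client_b["send"], packet)
    return {
        "server_accepts_a": hmac.compare_digest(tag(server["recv"], packet), t_a),
        "a_and_b_identical": t_a == t_b,          # no per-client identity
        "wrong_direction": tag(hmac_keys(raw, 0)["send"], packet) == t_a,
    }
```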
