Security 101

Just got my new account details in an email from you. User name and password together in the same email in plain text.

Can't say this is an impressive start. 6 days of cooling off to go and I might not be sticking round...

Comments

  • These are user-to-user support forums. The staff do occasionally jump in and reply, but most of what you will get here is just other users like myself.

    Sorry to hear you are dissatisfied with the way the username and password are handed to you. If you do not mind the question, how would you handle this?

    Should they require users to make a PGP/GPG key so everything can be sent to them encrypted? If so, then unfortunately upwards of 99% of the entire Internet would be clueless as to how to even decrypt it.

    They cannot make a username and password as soon as you sign up. If they did then it would be trivial for some competing service to make a script to make fake accounts and let them expire almost instantly when the fake payment information fails.

    So I am very interested in how you would have them handle this. If you have some good ideas I and many others here will support them being implemented. Thanks in advance. Have a nice day.
  • Doesn't matter, as you can change the password so there is no risk involved. 
  • Omni, they should get away from using user/pass at all.  Most VPN providers use a system that creates unique certs and keys for each user.  user/pass isn't required.

    You create your account (on a secure web site, obviously) with them, pay, then go download your OpenVPN config files that have your unique certs and keys.

    Or, if you're using an app that the VPN provider has made, you just enter your username and password that you've created yourself into the app. It securely accesses a database to retrieve your certs and keys to more or less make the setup automatic for casual users.

    One benefit of this is that you can pass to your "friends" a config file so that they can use your VPN account.  Yet they'll never have access to your actual account because they don't have your user/pass.
  • Interesting idea. But I wonder how difficult the logistics would be. You would have to keep a copy of those same certificates on each and every server, or have the servers reliant upon an outside source.
  • Not very difficult Omni, it's basically what AirVPN do already. You either generate the .ovpn file in the config generator and grab that (plus key and ca.crt) or Eddie does it for you when you log in with user/pass.
  • The generation of said keys is not what I was wondering about. But PIA has around 3k servers, and all would need this unless they are reliant upon an external source, and if they did rely on an external source it would not be any more secure than PIA's means of handling credentials.
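The per-user certificate scheme described in the comments above, together with the logistics question of what each server must hold, as an added example. This is not code from the thread or from any VPN provider; it assumes the third-party Python `cryptography` package and uses placeholder hostnames and user names.

```python
"""Per-user VPN credentials: a unique key pair and CA-signed client certificate
per user, bundled into an inline .ovpn, plus the server-side check that needs
only the CA certificate and a revocation list (no copy of every user's cert).
Added example, not code from the forum thread or any provider; assumes the
third-party `cryptography` package. Hostnames and names are placeholders."""
import datetime
import re

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

UTC = datetime.timezone.utc


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject_cn, issuer_cn, pubkey, days):
    now = datetime.datetime.now(UTC)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=days)))


def make_ca(cn="Example VPN CA"):
    """Self-signed CA. Its certificate is the one file every server carries."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(cn, cn, key.public_key(), 3650)
            .add_extension(x509.BasicConstraints(ca=True, path_length=0), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_client(ca_key, ca_cert, username, days=365):
    """Fresh key pair plus a client-auth certificate signed by the CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    ca_cn = ca_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    cert = (_builder(username, ca_cn, key.public_key(), days)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.CLIENT_AUTH]),
                           critical=False)
            .sign(ca_key, hashes.SHA256()))
    return key, cert


def pem(obj):
    """PEM-encode a certificate or an unencrypted private key."""
    if isinstance(obj, x509.Certificate):
        return obj.public_bytes(serialization.Encoding.PEM).decode()
    return obj.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                             serialization.NoEncryption()).decode()


def build_ovpn(ca_cert, client_key, client_cert, remote="vpn.example.net"):
    """Inline-format .ovpn: CA cert, user cert and user key in one file.
    No account password appears anywhere in it."""
    return ("client\ndev tun\nproto udp\n"
            f"remote {remote} 1194\nremote-cert-tls server\n"
            f"<ca>\n{pem(ca_cert)}</ca>\n<cert>\n{pem(client_cert)}</cert>\n"
            f"<key>\n{pem(client_key)}</key>\n")


def _inline(tag, ovpn):
    return re.search(rf"<{tag}>\n(.*?)</{tag}>", ovpn, re.S).group(1).encode()


def _validity(cert):
    # cryptography >= 42 exposes tz-aware *_utc properties; older releases
    # return naive datetimes that are already in UTC.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return (cert.not_valid_before.replace(tzinfo=UTC),
            cert.not_valid_after.replace(tzinfo=UTC))


def server_accepts(ca_cert, ovpn, revoked_serials=()):
    """What a server checks on the certificate a client presents: CA signature,
    validity window, client-auth EKU, revocation. Returns the user's CN, or
    None. Needs only the CA certificate and the list of revoked serials."""
    cert = x509.load_pem_x509_certificate(_inline("cert", ovpn))
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except Exception:  # bad signature or no EKU extension
        return None
    not_before, not_after = _validity(cert)
    if not (not_before <= datetime.datetime.now(UTC) <= not_after):
        return None
    if ExtendedKeyUsageOID.CLIENT_AUTH not in eku or cert.serial_number in revoked_serials:
        return None
    return cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
```

The server side holds only the CA certificate and the revocation list, which is what an OpenVPN server configures with `ca` and `crl-verify`; it never stores users' private keys or a copy of each user's certificate, so adding a server means copying one CA file, not a per-user database. The generated .ovpn carries no account password, which is the property described above: someone handed the file can connect, but cannot log in to the account.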
  • Of course it would be more secure. It would be a secure connection. Emailing credentials in plain text is possibly not done with secure connections. I highly doubt all mail servers in the world accept/initiate only secure connections. In fact, I'm 99% sure they don't, or else how would governments around the world snoop?

    But a VPN company could surely set up secure connections between their servers and a central database.
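One way to check the claim above against an actual message: each receiving mail server prepends a Received: header, and the RFC 3848 "with" keyword records whether that hop was protected by TLS (ESMTPS/ESMTPSA) or not (ESMTP/SMTP). The following is an added example, not code from the thread; the message it parses is constructed, with placeholder hostnames and addresses.

```python
"""Which hops of an e-mail's delivery path used TLS?
Added example, not code from the forum thread. The sample message is
constructed; hostnames, addresses and the password line are placeholders."""
import re
from email import message_from_string

# RFC 3848 / RFC 6531 "with" keywords that indicate TLS on the hop.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed sample: three hops; the middle one (provider MX -> recipient MX)
# ran in the clear, and the body carries a password.
SAMPLE_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [203.0.113.5])
\tby inbox.example.org with ESMTPS id abc123
\t(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384); Tue, 5 Mar 2024 10:01:02 +0000
Received: from mail.vpnprovider.example (mail.vpnprovider.example [198.51.100.7])
\tby mx1.example.net with ESMTP id def456; Tue, 5 Mar 2024 10:01:01 +0000
Received: from app01.internal (localhost [127.0.0.1])
\tby mail.vpnprovider.example with ESMTPSA id ghi789; Tue, 5 Mar 2024 10:01:00 +0000
From: signup@vpnprovider.example
To: newuser@example.org
Subject: Your account details

Username: newuser
Password: example-password-123
"""

HOP_RE = re.compile(r"\bby\s+(\S+).*?\bwith\s+([A-Za-z0-9]+)")


def hops(raw_message):
    """One dict per Received: header, topmost (closest to the recipient) first."""
    msg = message_from_string(raw_message)
    result = []
    for value in msg.get_all("Received", []):
        flat = " ".join(str(value).split())  # unfold the header
        m = HOP_RE.search(flat)
        by, proto = (m.group(1), m.group(2).upper()) if m else ("?", "?")
        result.append({"by": by, "with": proto, "tls": proto in TLS_PROTOCOLS})
    return result


def plaintext_hops(raw_message):
    """Receiving hosts that took the message over an unencrypted session."""
    return [h["by"] for h in hops(raw_message) if not h["tls"]]


def credentials_exposed(raw_message):
    """True when the body carries a password line AND some hop lacked TLS."""
    body = message_from_string(raw_message).get_payload()
    has_password = re.search(r"(?im)^password:", body) is not None
    return has_password and bool(plaintext_hops(raw_message))
```

Two caveats when reading real headers: only the topmost Received: line was written by your own mail server, so the lower ones can be missing or forged by any earlier hop; and even a path where every hop negotiated TLS leaves the password sitting in plain text in the mailbox at each end, so hop-by-hop TLS is not a substitute for not mailing the secret at all.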
  • There is exactly nothing secure on the Internet. Diffie-Hellman Key Exchange is fundamentally flawed. It remains a problem without any easy solution. In fact the only solution I know of is to use fixed keys unique to a user, and never transmit any portion of them via the Internet.

    The problem is that people would rather have false security that is instant than have to wait on a package containing the keys to arrive by mail and be put into use.