Private Internet Access is protected from the SWEET32 attack on OpenVPN
Last week, two French computer scientists demonstrated SWEET32, an attack that allows data recovery from encrypted traffic using 64 bit ciphers. A well-motivated attacker could access HTTPS traffic encrypted with TRIPLE-DES (3-DES) or OpenVPN traffic encrypted with Blowfish (BF-CBC); however, the SWEET32 attack requires many prerequisites. If an encrypted connection is particularly long-lived then the encryption algorithm will eventually “leak” some data about the encrypted traffic. In comparison, for 128 bit ciphers to be susceptible to birthday attacks (which SWEET32 is based on), network traffic between a client and server will need to exceed 256 exabytes.
SWEET32 attack requires:
- the attacker to have man-in-the-middle (MITM) position that can record all of your encrypted traffic
- the attacker to have some control over your internet behavior (ex: gets you to click a bad link)
- you to be using BF-CBC (Blowfish) or 3DES
- you to be sending large amounts of traffic (~32GB to decrypt tiny amount of traffic of 8 bytes)
More information can be found at the SWEET32 website.
Private Internet Access advises everyone to stop using Blowfish
Everyone should stop using BF-CBC immediately. For those who can’t or won’t, we have mitigated this attack on the server side. Even if you ignore the industry’s warnings about 64 bit ciphers and still continue to use Blowfish, our servers were immediately configured to prevent against SWEET32 upon disclosure. All of our servers use --reneg-bytes to renegotiate the encryption key every 64MB for BF-CBC connections. Additionally, 3-DES has been removed from all of our ciphersuites to make sure older clients never choose it.
Again, Blowfish was not the default encryption algorithm for the PIA VPN client and, due to the recent SWEET32 birthday attack vector, Blowfish has been removed as an encryption algorithm option in the next release. If you use a manual OpenVPN configuration that uses BF-CBC, please download the current recommended Private Internet Access configs at https://www.privateinternetaccess.com/pages/client-support/#first.
Thanks again for your business and support. We do this for you.
- The Private Internet Access Team
tl;dr: Private Internet Access always puts the security of our users first; after all, privacy is our policy. We have made changes to our server to prevent this attack from happening on our networks. We are now re-negotiating keys after every 64 MB of data transfer if the cipher used is BF-CBC, so that all of our customers are protected from the SWEET32 attack irrespective of the client they are using. Your network traffic is protected from the SWEET32 attack when you use Private Internet Access VPN.