sha512 checksums for openvpn files
@sn0wmonster
@PIAColleen
@Max-P
Is it possible to get sha512 checksums for the following files hosted on the website?:
https://www.privateinternetaccess.com/openvpn/openvpn-strong-tcp.zip
I can get the checksums myself but it would be nice to post them on the website so we can verify the downloads.
I understand the logic that the files are available over HTTPS and therefore shouldn't be tampered with on the way, but they are also available over HTTP (very bad).
If you posted the sha512 checksums on the site somewhere then people could verify if their zips have been tampered with before using.
Cheers

Comments
Please note however that these are not stable. These files are regularly regenerated when servers are added or removed, or for the -ip variant when the IPs of those regions change, and as such their checksum is going to change.
Also please note that given that both the checksums and the zip files are provided on the same website, if someone is able to compromise the zip files they also would be able to edit the checksum to match. Just make sure to download them over HTTPS and you should be fine. VPN profiles are just text files, so you can also open them in a text editor to verify that the config makes sense for your needs.
I am aware of that, how hard is it to just post the updated checksums whenever you upload new zips?
I can make a 2 minute script to help you if you like.
FYI I am the author of https://github.com/d4rkcat/pia and so am very aware of how ovpn files work, it's not for me as I would never download these files over HTTP, but more for new users who are not security aware.
You are also not considering that over HTTP, an attacker on a local network or even a state actor could easily replace the zips on their way from your server to the end user with a malicious zip that would make the end user think they are connecting securely to PIA, when in fact they could connect to anywhere. This could also lead to theft of credentials.
There are two possible solutions to this security hole:
- Stop serving config files over HTTP.
- Post the checksums and tell the end users they must check them before use.
I recommend doing both. It's an easy fix and requires little effort, but will substantially improve the security of your service. Cheers.
Cheers bud, I don't think it's acceptable to wait for PIA to realise the significance of this so I hacked together a solution for my Linux client.
It checks the Last-Modified field of the headers for the file using curl, e.g.:
And compares it to previous updates' time stamps.
This doesn't help people who use raw openvpn but at least users of my script will be safe and up to date.
I think for what you're trying to achieve, using the vpninfo (undocumented) API is probably a better idea. That way you can update the server list itself rather than redownloading the profiles. You only need one template profile and fill the info in. This API is also signed, although I don't have the public key on hand to validate that signature. If you load it over HTTPS it won't matter much.
I planned to retrieve the checksums from the website by curling the webpage source where they were hosted, and then compare them to the checksums of the config zip that was already on the system. If there were any changes at all, you could be sure that an update had occurred, at which point I could inform the user and download the new config files.
Checksums are also useful for the first time a user downloads the zips. They could be checked to make sure they are what PIA intends them to be, it is a very common practice with software written by security-minded developers.
See https://www.kali.org/downloads/ and note the checksums prominently displayed next to the download links.
That is pretty cool, thanks very much. I don't have a use for it right now but it is interesting to see. Any further information you could provide on how to make my client better/safer for users would be much appreciated. I think my client is at least as secure as the official one at this point, with the added advantage of using whatever version of OpenVPN the user has on their system, which on Arch, is the bleeding edge newest one (2.4.4).
Cheers
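Added example, not part of the thread and not the script mentioned in it: a shell sketch of the two checks discussed above, comparing a downloaded archive against a published SHA-512 digest and detecting a regenerated archive from a saved `Last-Modified` header. The function names and the state-file layout are hypothetical, and GNU coreutils `sha512sum` is assumed.

```shell
#!/usr/bin/env bash
# Added example; function names are hypothetical. Assumes GNU coreutils sha512sum.

# verify_sha512 FILE EXPECTED_HEX
# returns 0 on match, 1 on mismatch, 2 if the digest is malformed or the file unreadable
verify_sha512() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A SHA-512 digest is exactly 128 hex characters; reject anything else
    case "$expected" in
        ''|*[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 128 ] || return 2
    [ -r "$file" ] || return 2
    # Read via stdin so unusual file names cannot alter the output format
    actual=$(sha512sum < "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# last_modified HEADER_FILE
# prints the Last-Modified value from saved response headers (e.g. from `curl -sI URL`)
last_modified() {
    tr -d '\r' < "$1" | awk -F': ' 'tolower($1) == "last-modified" { print $2; exit }'
}

# profile_changed HEADER_FILE STATE_FILE
# returns 0 if the timestamp differs from the stored one (and stores the new one),
# 1 if unchanged, 2 if the response carried no Last-Modified header
profile_changed() {
    local current previous=""
    current=$(last_modified "$1")
    [ -n "$current" ] || return 2
    if [ -f "$2" ]; then previous=$(cat "$2"); fi
    if [ "$current" = "$previous" ]; then return 1; fi
    printf '%s\n' "$current" > "$2"
}
```

A changed timestamp only signals that a new archive should be fetched; it says nothing about integrity, since over plain HTTP the header and the body can both be altered in transit. The digest check is only as trustworthy as the channel the expected value came from.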