Key Length
-
- Posts: 3
- Joined: Fri Jun 06, 2014 6:27 am
Key Length
Hi,
Key length is now 1024 instead of 2048. Why this change?
-
- Posts: 228
- Joined: Tue Mar 05, 2013 10:04 am
Re: Key Length
Does "key length" mean the bit-length of the SSL server certificates on each VPN Gate relay server?
If so, VPN Gate has not changed the key length since its launch in March 2013.
There are two types of SSL server certificates for VPN Gate relay servers.
Type 1: Self-signed SSL certificate (1024bit).
This kind of self-signed SSL certificate is generated automatically for each VPN Gate relay server. In order to prevent VPN packets from being found by government censorship firewalls (e.g. GFW), the CN (common name) field of each certificate is a randomized string (e.g. 'abc12345.com'), in order to reduce its characteristics. (If it is not randomized, the firewall can easily identify them to disconnect the VPN session.)
Type 2: *.opengw.net wildcard certificate (2048bit).
This kind of RapidSSL-signed SSL certificate is not generated automatically, and all VPN Gate relay servers of this type have the same certificate. It is useful for supporting the Microsoft SSTP-VPN protocol with dynamic DNS (abc.opengw.net); however, it is very weak against censorship firewalls, because firewalls can find the "*.opengw.net" bit pattern very easily by capturing packets over the border.
In order to make it difficult for the censorship firewall to find VPN Gate communication packets, approximately 75% of VPN Gate relay servers are using Type 1, and the remaining 25% of servers are using Type 2.
Type 1 has been 1024bit, and Type 2 has been 2048bit for more than one year since VPN Gate launched.
-
- Posts: 3
- Joined: Fri Jun 06, 2014 6:27 am
Re: Key Length
Thanks for the answer.
Replacing the self-signed SSL certificate 1024 with 2048 would be good stuff for security, but I suppose there is a reason to keep 1024.
-
- Posts: 228
- Joined: Tue Mar 05, 2013 10:04 am
Re: Key Length
There is no reason to keep it 1024bit. It is just neglect.
-
- Posts: 8
- Joined: Sun Apr 27, 2014 3:46 pm
Re: Key Length
I think it's very unprofessional of those to not answer the posts here. There are obviously problems with this VPN, possibly the software or those silly idiots in the censorship departments blocking it and denying people the right to an open internet where they can gain knowledge.
Astrill VPN works fine, and there is also Zenmate, which is a Google plugin that lets you browse any site. Goagent is another.
Softether net. Why don't you just let the people know what is happening, then we would all know where we are.
Frankly speaking, I would have no problem paying for this service if it worked on a regular basis. This VPN has worked quite well since its release last year up till now.
I am glad that I also have three other VPN services that I use and if something goes wrong they always inform their users about any problems. I shall wait like many others for an ANSWER from you.
Many thanks in advance.
-
- Posts: 3
- Joined: Fri Jun 06, 2014 6:27 am
Re: Key Length
For the price, we can't find better, I think. ;)
I didn't know VPNgate till last month, and this is great stuff. My question was just about security, not reliability. Anyway, with OpenVPN, all works fine for me.
Knowing that 1024-bit keys are crackable and have been considered weak since 2010-2011, the admin of VPNgate should take measures to ensure this great project. Is there an upgrade planned?
-
- Posts: 228
- Joined: Tue Mar 05, 2013 10:04 am
Re: Key Length
VPN Gate is not a guaranteed service.
It is just an academic project for writing papers.
Users who need stability and satisfying technical support should use commercial VPN services.
-
- Posts: 228
- Joined: Tue Mar 05, 2013 10:04 am
Re: Key Length
Thank you for your suggestion. We will upgrade the key length in the near future when we are in the mood.
-
- Posts: 228
- Joined: Tue Mar 05, 2013 10:04 am
Re: Key Length
The key length of the randomly generated self-signed root certificate has been set to 2048 bit since 2:30 A.M. June 8, 2014 (JST).
Each VPN Gate server will have a 2048 bit RSA key at the time of its next global IP change.
(Since each OpenVPN configuration file for each server has an inline-embedded SSL certificate, each server cannot change the current certificate, in order to prevent connection errors for users. That is why the key change will be postponed until after the next change of global IP address.)
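Added example, not part of the thread and not VPN Gate code: because the certificate is embedded inline in each OpenVPN configuration file, a user can check whether a downloaded profile still carries a 1024 bit key or already the 2048 bit one. It assumes the certificate sits in an inline `<ca>` block and that `openssl` is installed; the function names, the 192.0.2.10 address and the throwaway sample profiles are constructed for illustration.

```shell
#!/bin/sh
# Print the public-key size (in bits) of the certificate embedded in the
# inline <ca> block of an OpenVPN profile. Prints nothing if none is found.
ovpn_ca_bits() {
    sed -n '/^<ca>/,/^<\/ca>/p' "$1" | sed '/^<\/*ca>/d' |
        openssl x509 -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Classify a profile: "weak" below 2048 bits, "ok" otherwise,
# "no-cert" when no parsable certificate is embedded.
classify_profile() {
    bits=$(ovpn_ca_bits "$1")
    if [ -z "$bits" ]; then
        echo "no-cert"
    elif [ "$bits" -lt 2048 ]; then
        echo "weak"
    else
        echo "ok"
    fi
}

# Build a constructed sample profile ($2) with a throwaway self-signed
# certificate of $1 bits and a random-looking CN, as described in the thread.
make_sample_profile() {
    d=$(mktemp -d)
    openssl req -x509 -newkey "rsa:$1" -nodes -days 1 \
        -subj "/CN=abc12345.com" \
        -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
    {
        echo "remote 192.0.2.10 1194"   # constructed documentation address
        echo "<ca>"
        cat "$d/cert.pem"
        echo "</ca>"
    } > "$2"
    rm -rf "$d"
}

# Demo on constructed profiles: one pre-upgrade, one post-upgrade.
demo=$(mktemp -d)
make_sample_profile 1024 "$demo/before.ovpn"
make_sample_profile 2048 "$demo/after.ovpn"
for f in "$demo"/*.ovpn; do
    echo "$(basename "$f"): $(ovpn_ca_bits "$f") bit -> $(classify_profile "$f")"
done
rm -rf "$demo"
```

A profile downloaded before a server's certificate change keeps reporting the old key size until it is fetched again.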