Why are all VPN Gate servers using RC4-MD5 Encryption?!

Post your questions about VPN Gate Academic Experiment Service here. Please answer questions if you can afford.
Post Reply
GIANT_CRAB
Posts: 62
Joined: Tue Mar 17, 2015 7:54 am

Re: Why are all VPN Gate servers using RC4-MD5 Encryption?!

Post by GIANT_CRAB » Sat Mar 21, 2015 1:48 am

No. The server chooses what cipher it wants to communicate in. There's no cipher preference for SoftEther, which is available for web servers.

PacoBell
Posts: 15
Joined: Tue Mar 24, 2015 11:45 pm

Re: Why are all VPN Gate servers using RC4-MD5 Encryption?!

Post by PacoBell » Wed Mar 25, 2015 6:34 am

I agree with Russtopia. This is pretty egregious. These servers out there are next to worthless if they're running this cipher suite. Even if the GFW can't tell them apart from normal TLS traffic, it's a passive attack that has the potential to leak important authentication cookies. That we're still arguing about this two years later is kind of ridiculous. At least give the clients the ability to list / filter out all servers that run vulnerable cipher suites (which, I guess, is all the currently supported ones at this point. What a mess!)

http://blog.cryptographyengineering.com ... en-in.html
https://www.pentestpartners.com/blog/rc ... d-harmful/
http://www.isg.rhul.ac.uk/tls/RC4mustdie.html

We can do better:

https://tools.ietf.org/html/draft-mavro ... cha-tls-04
https://www.ietf.org/mail-archive/web/t ... 09847.html
https://www.imperialviolet.org/2013/10/07/chacha20.html

also

http://blog.djm.net.au/2013/11/chacha20 ... enssh.html

and

https://blog.cloudflare.com/do-the-chac ... ptography/
https://github.com/cloudflare/sslconfig ... 5_cf.patch

Post Reply