0

When setting up a DD-WRT router to use a major VPN service, I stumbled upon something that seems like it could be a significant weakness, and after getting an abysmally lacking answer from the company, I thought I would ask here.

The service stipulates that the OpenVPN protocol be used with the same user certificate and private key used by everyone and available to anyone for download on their website. My question is: given a known user private key, is it possible someone could intercept the TLS handshake and gain the session key to the underlying encryption, or does this weaken security in any other way? To my knowledge, ephemeral encryption in TLS would prevent this, but without a guarantee of a server configuration requiring its use, this is an unknown and cannot be relied upon. The service claims "other mechanisms such as username password authentication" are in use, but to my knowledge this has nothing to do with transport security and is only used to authenticate the user to the service. The mere fact that user certificates are not required by the OpenVPN protocol but this service demands that customers use the same private key is a huge red flag to me.

6
  • The distributed key is a client certificate; the encryption is handled by the server certs, whose private keys are private to the server. Sure, they should give each user a private key pair, but it is not required. Basic user/pass would be more susceptible to brute-force attacks. Commented May 6, 2017 at 23:12
  • So for the actual TLS handshake, does the OpenVPN client generate a new cert/key pair for key negotiation? The provided key would only be for the authentication portion? Commented May 6, 2017 at 23:15
  • It uses the OpenVPN public key just like any other SSL technology. Commented May 6, 2017 at 23:22
  • Okay, I'm still trying to wrap my head around this, so bear with me for a moment. So in just a regular SSL/TLS handshake, a compromised client private key does not endanger the session key? Or are there additional steps/factors in the OpenVPN protocol that affect this? Commented May 6, 2017 at 23:35
  • Go to your bank, enter a username and password, same concept. Commented May 6, 2017 at 23:40

1 Answer

0

The distributed key is a client certificate; the encryption is handled by the server certs, whose private keys are private to the server. Sure, they should give each user a private key pair, but it is not required. Basic user/pass would be more susceptible to brute-force attacks. Client certificates are used for authentication, not encryption.
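A client-side check for the concern raised in the question, as an added example that is not part of the original question or answer: it audits an OpenVPN client profile for two directives the client controls, `tls-cipher` restricted to ephemeral (DHE/ECDHE) suites and `remote-cert-tls server` (or `verify-x509-name`). The profile text, hostname and function names are constructed for illustration.

```python
import re

# Key-exchange prefixes that use ephemeral (EC)DH, so the session key does
# not depend on any long-term private key (shared or not) staying secret.
EPHEMERAL_KX = ("TLS-DHE-", "TLS-ECDHE-", "DHE-", "ECDHE-")

def parse_ovpn(text):
    """Return {directive: [args, ...]}, skipping comments and inline <blocks>."""
    directives, in_block = {}, False
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):
            in_block = False
        elif line.startswith("<"):
            in_block = True
        elif not in_block:
            name, *args = line.split()
            directives.setdefault(name, []).append(args)
    return directives

def audit(text):
    """List findings about settings the client itself can enforce."""
    d = parse_ovpn(text)
    findings = []
    suites = [s for args in d.get("tls-cipher", []) for a in args for s in a.split(":")]
    if not suites:
        findings.append("tls-cipher not set: key exchange is left to server and library defaults")
    elif not all(s.startswith(EPHEMERAL_KX) for s in suites):
        findings.append("tls-cipher allows a non-ephemeral key exchange")
    if ["server"] not in d.get("remote-cert-tls", []) and "verify-x509-name" not in d:
        findings.append("no check that the peer certificate is a server certificate")
    return findings

# Constructed sample of a provider profile with a shared client certificate.
SHARED_PROFILE = """\
client
remote vpn.example.net 1194   # constructed hostname
auth-user-pass
<cert>
(constructed placeholder, not a real certificate)
</cert>
"""
# Directives a user can append to the profile on the client side.
HARDENED_EXTRA = """\
remote-cert-tls server
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
"""
if __name__ == "__main__":
    print(audit(SHARED_PROFILE), audit(SHARED_PROFILE + HARDENED_EXTRA))
```

If the server only offers suites outside the pinned list, the handshake fails instead of falling back, which is the guarantee the question says it cannot get from the provider.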
