Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
∞ take a peek at our legendary cryptostorm_is twitter feed if you're into that kind of thing ∞
Ξ we're rolling out voodoo network security across cryptostorm - big things happening, indeed! Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit GitHub Ξ

frootvpn.com - publishing "private" client keys

Encouraging best practices in the VPN industry via independent, community-certified verification of clean installers and clean basic service operations. Let's reward the good, and make the bad a little bit less tempting 〰 github repo#cleanVPN
User avatar

Topic Author
cryptostorm_admin
ForumHelper
Posts: 74
Joined: Tue Jan 01, 2013 5:43 pm
Contact:

frootvpn.com - publishing "private" client keys

Postby cryptostorm_admin » Thu Oct 23, 2014 3:08 am

This is taken from the frootvpn OpenVPN configuration file, client-side:

Code: Select all

<key>
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDftRDk9EbrSEH2
gAuSeBUiQXHECZ/KflM1tWRo4DMwNsXuMM5WnqPln38svypE9a5BKGO8ZEsM5LAf
Oik5yPYcLGilslYsbowcRsnnrhOkPp2AJDrZzcJCXjdQsCDpapErCzyon58T6Vuc
27TW369cUTk40Hz3uBOkYNMmYqhePu3EwKXzMjy8o0qaFlO+8Y6qNEPv8AGhljIw
o0Q70xQjDrNxwSBMvKnYOvjtvH0HlgXYWTQ7Y8/hy8wUnJZg3UX/+7TC2ks+sj3w
SDB4CyU+v9lauChqfrdJR2ziXXi/b/CNNfDuuqAWya70/ABdsfG0E583jPxh7Vuw
nrYrbm51AgMBAAECggEADOgAWoUxVj+r9pG6mS+uYHSQILRBcMhK+q1FZruQmHaA
gtZ0ARFT+VpzVtyMjr/x1raC0oqivdKvyo1rdXb/o+539x9L03JpSPRYj7I+Vdp6
8bqlXo19aKDQ5inTLERGrcoPLNdQsTBkZa9TRpZPIq9Y8ssseoo3L+OaKvvEJPO2
0nv9un2kfPU/JvN2taV6D/6atEmXDIMIXumTJCSCfU2hq513nZjEVccS691Oug87
siKi5NyqNloq6iinVLvhSGOQ+gt68iZ0G1McH2jnJIXnpRXM0UpjMAYtfRYUh6ow
4bOxHxcTf6UCt0rY1KwSfjS/hd7NFgqcuzwEM6yXfQKBgQD8v0NtnW2AUE32uvDd
Et67Wg5p3w4cRZZ2wXQvsoyuotBS+deo8CN113bdYJel3CtqdxdTkY20j5Xmf2sq
NkBE+lGMfSxLph40bqIUEQ4dp4EXsVOwz1XeNmGYAwQ2PRGZ+H3QrEjZOcrqKLTI
uvy+MuV6vGWFdkdH6esenhr5ZwKBgQDilh+zzMWvc1M4o9xuROAh9ObE8t5I4bb0
g9aVZtX1zBE309lEx8CuUAXwbRpfpFgBDQHkfS38PhNqeC0OXbe/Qq3J6j6Nq5Ou
Y00uceMyJk6FVeEwpJ/pf62ZnGpqZ+n7DGLlGTKQ/Mhxf3Xb7Np/HUvRBjPKR0bU
NbC4AS/DwwKBgATCTTC5MCCkYnNs3bAr9MmuTmsr6gYaQVUHG3ryb7eyFR4a2jay
HtjPL8vHT9Otq5ublnLaYMKvmXD3oTrwPpGN7Q8qJDVgcV0nYCHkmFFyn/mkOyEv
JjzC5V+JXwDucXBmv2e4dr6wWePC1HSbILssFioTdg3nRjxSaTzwWS2tAoGAfEy+
t3PuPoGVdczub8945SfkMMbLClBIfXqVjQAM//oit+2PkxvBp95eY7Z2cWFGpczs
7Nt/DpE/NXkXvnnLAzEhBVNrXWxyZ4gyHvh7GlfJW3vxPS4SS5WvNkWIWzcGNKJm
3ickhkUl8J1rmmoksvbvUIuGfcD8Kg4KE+cSvOECgYEAsX+GdWvo4EguqtDqiOWA
5xIjJsc6sAlUu1JzNUYuTv7l6fmKG5IVM3lL1n6PCc+c15sofFosA1dHINyhpyC6
LuIQQV37gBRZDFcH5PkggmdmhWkOvm84YiulO2smidD4D0N/qsqLCpgJ9XDyteF4
c2h3FhYC3DC06hHX9ozbyAk=
-----END PRIVATE KEY-----
</key>


Copy of ovpn.conf file, verbatim:
frootvpn.ovpn
(5.82 KiB) Downloaded 566 times


..we'll just leave this here, as it's an issue that was somewhat beaten to death in last year's "Havenco VPN debacle." Which might be worth reviewing, for background.

Sigh.

~ cryptostorm_admin

User avatar

Pattern_Juggled
Posts: 1492
Joined: Sun Dec 16, 2012 6:34 am
Contact:

cipher suites?

Postby Pattern_Juggled » Thu Oct 23, 2014 3:51 am

Also no ciphers specified, which means (generally) OpenVPN server-side will negotiate the cipher suite that the local OpenSSL build has in common with whatever client is trying to connect... which is, unfortunately, an excellent attack surface for "rollback attacks" of the sort that have been so publicly highlighted by the "POODLE" SSL3.0 rollback vuln.

Which is not good, imho.

Cheers,

~ pj

User avatar

Lunar
Posts: 9
Joined: Wed Mar 26, 2014 10:36 pm
Contact:

Re: frootvpn.com - publishing "private" client keys

Postby Lunar » Sat Oct 25, 2014 10:02 am

Hah! The owners are either idiots or that is just a plain old 'honey pot'... :shock:


Iddertew
Posts: 9
Joined: Sat Aug 08, 2015 10:45 pm

Re: frootvpn.com - publishing "private" client keys

Postby Iddertew » Sat Aug 08, 2015 11:02 pm

A great exchange of information.


Return to “#cleanVPN ∴ encouraging transparency & clean code in network privacy service”

Who is online

Users browsing this forum: No registered users and 4 guests

Login