Santa Rosa, CA
Traveling for the holidays? Use our free VPN!
If you're on an un-trusted network, VPN back to Sonic for security this season!
I'd be more inclined to take you up on your offer if you upgraded the encryption strength to AES 256. Offering a VPN is a very nice bonus to your service; why not make it more secure?
That sounds important. I'm unfamiliar with VPN. At the Sonic wiki, »wiki.sonic.net/wiki/VPN_Service I see
said by wiki:
Note: We strongly recommend using the Cisco VPN Client available below as it uses certificate-based authentication that is unavailable to other clients at this time.
Here, I've got a Linux program, vpnc, that states
said by README:
A VPN client compatible with Cisco's EasyVPN equipment. Supports IPSec (ESP) with Mode Configuration and Xauth. Supports only shared-secret IPSec authentication with Xauth, AES (256, 192, 128), 3DES, 1DES, MD5, SHA1, DH1/2/5 and IP tunneling.
and
said by TODO:
* DONE implement ISAKMP and IPSEC SA negotiate support
Cisco states
Wouldn't this indicate AES 256 is available?
Regarding vpnc, the statement "Supports only shared-secret IPSec authentication" means that it does not support the certificate based authentication that Dane is recommending.
Regarding AES256 support, the VPN client and the server it is connecting to both need to support the same encryption method and key size. Part of the negotiation between client and server is to find a mutually supported encryption method. The Cisco document you linked to is for a Cisco Security Appliance, so that feature list probably doesn't apply to the Cisco VPN client. For any given encryption method the level of security increases with the size/length of the key that is being used. The downside of using very long keys is that it increases the CPU load and increases the latency of the tunnel connection, since it takes more processing power and time to encrypt and decrypt the packets. For battery-powered devices it also means a significantly higher power drain. With modern fast processors using AES256 may not be a big deal on the client side, but on the server side you have to multiply the performance impact by the number of concurrently connected clients. For most purposes a shorter key will be the optimal choice. It provides security against casual snooping and good performance.
In my opinion, anybody having secrets that are so important that only the highest available encryption strength is sufficient should probably not rely on a 3rd party vpn service to keep those secrets secure.
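To make the negotiation point above concrete, here is an added example (not code from the thread, vpnc or Cisco) that models how an IKE phase-1 responder settles on a cipher suite: the server walks its own policies in priority order and takes the first one the client also offered, so a client offering AES-256 still ends up on 3DES/MD5 if that is all the server policy lists. The client offer list and both server policy lists are constructed for illustration.

```python
# Added example: IKE phase-1 suite selection, responder-priority style.
# Transform lists below are constructed for the example, not Sonic's config.
from typing import List, Optional, Tuple

# A transform is (encryption, key_bits, hash, dh_group).
Transform = Tuple[str, int, str, int]

# Transforms a client might offer, strongest first (constructed).
CLIENT_OFFERS: List[Transform] = [
    ("aes", 256, "sha1", 2),
    ("aes", 128, "sha1", 2),
    ("3des", 168, "sha1", 2),
    ("3des", 168, "md5", 2),
]

# Hypothetical server policy that only lists the older suite.
SERVER_LEGACY: List[Transform] = [("3des", 168, "md5", 2)]

# Hypothetical server policy with an AES-256 policy added at higher priority.
SERVER_UPGRADED: List[Transform] = [("aes", 256, "sha1", 2), ("3des", 168, "md5", 2)]

def negotiate(client: List[Transform], server: List[Transform]) -> Optional[Transform]:
    """Return the first server policy (by priority) the client also offered, or None."""
    offered = set(client)
    for policy in server:
        if policy in offered:
            return policy
    return None  # no mutually supported transform: the tunnel will not come up

WEAK = {"3des", "des", "md5"}

def weaknesses(t: Optional[Transform]) -> List[str]:
    """List the weak components of a negotiated transform (empty list if none)."""
    if t is None:
        return ["no agreement"]
    enc, _bits, hsh, dh = t
    found = [x for x in (enc, hsh) if x in WEAK]
    if dh == 1:
        found.append("dh1")
    return found

if __name__ == "__main__":
    for name, policy in (("legacy", SERVER_LEGACY), ("upgraded", SERVER_UPGRADED)):
        chosen = negotiate(CLIENT_OFFERS, policy)
        print(name, chosen, weaknesses(chosen))
```

Running it shows the legacy policy yields ("3des", 168, "md5", 2) with both components flagged weak, while the upgraded policy yields the AES-256/SHA1 suite with nothing flagged; only the server-side change moves the result.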
The VPN Client supports AES as an encryption algorithm starting with Cisco VPN Client release 3.6.1. The VPN Client supports key sizes of 128 bits and 256 bits only.
leibold, you are quite an active user in these forums. It's nice to see you post in this thread. Maybe it's a sign that Dane or someone else who works at Sonic.net will take notice?
Anyways, I disagree that Sonic.net's VPN service is just another random "3rd party vpn service". It is one of the most trustworthy companies out there. If I'm going to use any VPN, it will be Sonic.net's VPN, even if I have to pay extra for it. I'm not going to pay $10 a month for some random company that might not even be subject to the laws of the US. While we're on the subject of money, it would probably cost Sonic.net next to nothing to upgrade the authentication and traffic encryption strength, and it would significantly increase the security offered by the VPN so why aren't they doing it? Dane posted a while ago regarding the encryption types used by the VPN service: »Strength of VPN encryption
I would hardly consider MD5 secure; it is one of the weakest hashes and one of the easiest ones to find a collision for, so at the very least the authentication mechanism should be upgraded. And really, how hard can it be to change 3DES to AES 256 14 rounds? As Leibold said, the Cisco client may support a higher encryption strength, but the server must also support it for it to work.
Not all the sites I visit will have https, and even if they do, an untrustworthy hotspot will still know what sites you visit, even if they can't see exactly what you're doing.
Dane, please upgrade the authentication and traffic encryption strength. You're offering the VPN service for a reason. Why not make it the best service possible?