nightcustard wrote: ↑Wed Jan 20, 2021 1:40 pm
After I read through this thread, I disabled the Billion OpenVPN server and reverted to another device on my network where you can change the root cert. I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct.
Using your own words, the "cooked-in certificate" is identical on all Billion VPN routers regardless of model.
It shouldn't be necessary to use another server device (with software) to host a custom certificate on the remote network. The Billion router is the server but unfortunately with a very public CA.
Our engineers have stated they are looking into it; let's see what they come up with.
nightcustard wrote: ↑Wed Jan 20, 2021 1:40 pm
...I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct, and while we are at it, the cypher suites could do with an update: the server still offers SHA1.
Take a look at Wikipedia:
Since 2005, SHA-1 has not been considered secure against well-funded opponents; as of 2010 many organizations have recommended its replacement. NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. As of 2020, chosen-prefix attacks against SHA-1 are practical. As such, it is recommended to remove SHA-1 from products as soon as possible.
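Added here as a defender-side check, not code from this thread or from Billion: a small Python script that reads the CA certificate from each router's exported OpenVPN profile, reports whether it is signed with SHA-1, and reports when several devices present the byte-identical CA (the "cooked-in" certificate discussed above). The PEMs it ships with are constructed minimal stand-ins, and the device names and function names are assumptions.

```python
import base64, hashlib, re
# OID for sha1WithRSAEncryption (RFC 8017); a VPN CA should no longer carry it
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); short and long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0  # first arc 0 or 1 assumed
    for b in value[1:]:                            # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc); acc = 0
    return ".".join(map(str, arcs))
def pem_to_der(pem):
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    return base64.b64decode("".join(body.group(1).split()))
def signature_algorithm(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }; returns the OID."""
    _, cert, _ = _tlv(der, 0)
    _, _, after_tbs = _tlv(cert, 0)                # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, after_tbs)           # AlgorithmIdentifier SEQUENCE { OID, params }
    _, oid, _ = _tlv(alg_id, 0)
    return _decode_oid(oid)
def audit_cas(ca_pems):
    """ca_pems: {device: PEM}. Flags SHA-1-signed CAs and one CA reused across several devices."""
    findings, by_fingerprint = [], {}
    for device, pem in ca_pems.items():
        der = pem_to_der(pem)
        oid = signature_algorithm(der)
        if oid in WEAK_SIG_OIDS:
            findings.append(f"{device}: CA signed with {WEAK_SIG_OIDS[oid]}")
        by_fingerprint.setdefault(hashlib.sha256(der).hexdigest(), []).append(device)
    for fp, devices in by_fingerprint.items():
        if len(devices) > 1:
            findings.append(f"CA {fp[:16]}... shared by {', '.join(devices)} (not unique per device)")
    return findings

# Constructed stand-ins with the real outer Certificate layout (not real certificates):
def _sample_pem(serial_hex, sig_oid_hex):
    der = bytes.fromhex("3018" + "30030201" + serial_hex + "300d0609" + sig_oid_hex + "0500" + "03020000")
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der).decode() + "\n-----END CERTIFICATE-----\n"
SHA1_RSA, SHA256_RSA = "2a864886f70d010105", "2a864886f70d01010b"
SAMPLE_CAS = {"router-A": _sample_pem("01", SHA1_RSA),    # factory CA, SHA-1 signed
              "router-B": _sample_pem("01", SHA1_RSA),    # byte-identical: the shared cooked-in CA
              "router-C": _sample_pem("02", SHA256_RSA)}  # CA regenerated after the firmware update
```

On real profiles, pass the `<ca>...</ca>` block of each device's .ovpn file as the PEM; a CA that appears under more than one device, or with the SHA-1 OID, is the condition the thread describes.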
I'll make the suggestion to our engineers.
Attached is firmware 2.52.d46a2
FW Release Notes :
1. “User can generate random CA on OpenVPN server”.
2. “Added new OpenVPN HMAC Authentication for more security support for SHA256, SHA384, SHA512”.
To generate a new random CA, you will need to make sure the following is set:
1. OpenVPN server set to “Disable”.
2. Router's system up time must be updated to the latest current local time.
BF - Many thanks for providing this update - before I give it a whirl though, could you please confirm I can transfer settings into this new firmware from a backup made from d46? I would imagine so but you never know.....
nightcustard wrote: ↑Thu Mar 11, 2021 9:04 pm
BF - Many thanks for providing this update - before I give it a whirl though, could you please confirm I can transfer settings into this new firmware from a backup made from d46? I would imagine so but you never know.....
Yes, you can.
You can upgrade the device with the 'Current Settings' option, which is used to retain all settings.
Ah yes! Thanks BF - I'd forgotten there is an option to retain current settings. Always wise to make a backup though.
I've applied the firmware update, changed the cipher encryption and HMAC auth from the defaults and renewed the certificate (which did change).
The firmware update process seemed a little odd though - I thought you should see a progress bar after pressing 'Upgrade', but the router's admin page gave no indication the router was undergoing the update, other than, after a while, being replaced by a frowning smiley and the message 'Invalid response'. However, after my blood pressure had increased slightly, normal function was restored and all now appears well.