Page 2 of 6

Re: OpenVPN CA

Posted: Wed Jan 20, 2021 10:32 pm
by SPAU00
nightcustard wrote: Wed Jan 20, 2021 1:40 pm After I read through this thread, I disabled the Billion OpenVPN server and reverted to another device on my network where you can change the root cert. I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct.

Using your own words, the "cooked-in certificate" is identical on all Billion VPN routers regardless of model.

It shouldn't be necessary to use another server device (with software) to host a custom certificate on the remote network. The Billion router is the server but unfortunately with a very public CA.

Re: OpenVPN CA

Posted: Thu Jan 21, 2021 12:31 pm
by billion_fan
SPAU00 wrote: Wed Jan 20, 2021 10:32 pm
nightcustard wrote: Wed Jan 20, 2021 1:40 pm After I read through this thread, I disabled the Billion OpenVPN server and reverted to another device on my network where you can change the root cert. I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct.

Using your own words, the "cooked-in certificate" is identical on all Billion VPN routers regardless of model.

It shouldn't be necessary to use another server device (with software) to host a custom certificate on the remote network. The Billion router is the server but unfortunately with a very public CA.
Our engineers have stated they are looking into it, let's see what they come up with :D

Re: OpenVPN CA

Posted: Tue Jan 26, 2021 9:18 pm
by adeux001
nightcustard wrote: Wed Jan 20, 2021 1:40 pm ...I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct, and while we are at it the cypher suites could do with an update; the server still offers SHA1.

Take a look at Wikipedia:
Since 2005, SHA-1 has not been considered secure against well-funded opponents; as of 2010 many organizations have recommended its replacement. NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. As of 2020, chosen-prefix attacks against SHA-1 are practical. As such, it is recommended to remove SHA-1 from products as soon as possible.

Re: OpenVPN CA

Posted: Wed Jan 27, 2021 10:05 am
by billion_fan
adeux001 wrote: Tue Jan 26, 2021 9:18 pm
nightcustard wrote: Wed Jan 20, 2021 1:40 pm ...I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct, and while we are at it the cypher suites could do with an update; the server still offers SHA1.

Take a look at Wikipedia:
Since 2005, SHA-1 has not been considered secure against well-funded opponents; as of 2010 many organizations have recommended its replacement. NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. As of 2020, chosen-prefix attacks against SHA-1 are practical. As such, it is recommended to remove SHA-1 from products as soon as possible.
I'll make the suggestion to our engineers :)

Re: OpenVPN CA

Posted: Tue Mar 09, 2021 10:08 am
by billion_fan
billion_fan wrote: Wed Jan 27, 2021 10:05 am
adeux001 wrote: Tue Jan 26, 2021 9:18 pm
nightcustard wrote: Wed Jan 20, 2021 1:40 pm ...I'm no security expert but surely a cooked-in certificate is a big 'no no'?
Correct, and while we are at it the cypher suites could do with an update; the server still offers SHA1.

Take a look at Wikipedia:
Since 2005, SHA-1 has not been considered secure against well-funded opponents; as of 2010 many organizations have recommended its replacement. NIST formally deprecated use of SHA-1 in 2011 and disallowed its use for digital signatures in 2013. As of 2020, chosen-prefix attacks against SHA-1 are practical. As such, it is recommended to remove SHA-1 from products as soon as possible.
I'll make the suggestion to our engineers :)
Attached is firmware 2.52.d46a2

FW Release Notes:

1. “User can generate random CA on OpenVPN server”.

2. “Added new OpenVPN HMAC Authentication for more security support for SHA256, SHA384, SHA512”.

To generate a new random CA, you will need to make sure the following is set:

1. OpenVPN server set to “Disable”.

2. Router's system up time must be updated to the latest current local time.
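A defender-side check for the two concerns raised in this thread (a CA shared across every Billion unit, and SHA-1 still in use), written here as an added example; it is not code from this thread or from Billion's firmware. Using only the Python standard library it audits an OpenVPN client profile: it reads the inline `<ca>` block, walks the DER to extract the certificate's signature algorithm OID, computes the SHA-256 fingerprint (the same value `openssl x509 -noout -fingerprint -sha256` prints) so you can confirm the fingerprint actually changed after the "generate random CA" step and compare it across devices, and flags an `auth SHA1` line or a missing `auth` line (OpenVPN defaults to SHA1 when it is omitted). The certificates it builds are constructed toy DER structures with a dummy signature, `vpn.example.invalid` is a placeholder host, and all function and file names are my own assumptions.

```python
"""Audit the CA embedded in an OpenVPN client profile (added example, stdlib only).
Flags a SHA-1 signature algorithm on the CA, a CA fingerprint matching a known
vendor-wide default, and a weak or absent `auth` (HMAC) digest in the profile."""
import base64
import hashlib
import re

# Signature AlgorithmIdentifier OIDs (RFC 3279 / RFC 4055) that rely on SHA-1.
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(body):
    """OID content octets -> dotted notation (base-128 arcs after the first byte)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def pem_to_der(pem_text):
    lines = [l.strip() for l in pem_text.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)              # skip tbsCertificate
    _, alg_start, _ = _read_tlv(der, tbs_end)          # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])

def audit_profile(profile_text, shared_fingerprints=frozenset()):
    """Return (SHA-256 fingerprint of the inline CA, list of findings) for .ovpn text."""
    m = re.search(r"<ca>\s*(.*?)\s*</ca>", profile_text, re.S)
    if not m:
        return None, ["no inline <ca> block found"]
    der = pem_to_der(m.group(1))
    fingerprint = hashlib.sha256(der).hexdigest()      # as `openssl x509 -fingerprint -sha256`
    findings, oid = [], signature_algorithm_oid(der)
    if oid in SHA1_SIGNATURE_OIDS:
        findings.append(f"CA signed with {SHA1_SIGNATURE_OIDS[oid]}: SHA-1 signatures are deprecated")
    if fingerprint in shared_fingerprints:
        findings.append("CA fingerprint is a vendor default shared across devices: regenerate the CA")
    auth = re.search(r"^\s*auth\s+(\S+)", profile_text, re.M)
    if auth is None:                                   # OpenVPN defaults to SHA1 when omitted
        findings.append("no auth directive: HMAC defaults to SHA1, set SHA256 or stronger")
    elif auth.group(1).upper() in ("SHA1", "MD5"):
        findings.append(f"HMAC auth digest {auth.group(1)}: set SHA256 or stronger")
    return fingerprint, findings

# --- constructed fixtures: toy, unsigned certificates for the demonstration only ---
def _der(tag, body):
    assert len(body) < 0x80                            # short-form lengths suffice here
    return bytes([tag, len(body)]) + body

def _der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))

def make_toy_certificate(sig_oid, serial):
    """Structurally valid Certificate DER carrying sig_oid; the signature is a dummy."""
    alg = _der(0x30, _der_oid(sig_oid) + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    tbs = _der(0x30, _der(0x02, bytes([serial])) + alg)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_profile(ca_pem, auth_digest=None):
    lines = ["client", "dev tun", "remote vpn.example.invalid 1194", "cipher AES-256-GCM"]
    if auth_digest:                                    # omit to exercise OpenVPN's SHA1 default
        lines.append(f"auth {auth_digest}")
    return "\n".join(lines) + f"\n<ca>\n{ca_pem}</ca>\n"
```

Run `audit_profile(open("client.ovpn").read(), {default_fp})` against a profile exported before and after the CA regeneration, where `default_fp` is the fingerprint you recorded from the unmodified router: the fingerprint should differ, and the SHA-1 and `auth` findings should go away once the HMAC digest is set to SHA256 or stronger. Exporting the profile from two routers and comparing the two fingerprints is the quickest way to confirm whether a CA is really per-device.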

Re: OpenVPN CA

Posted: Wed Mar 10, 2021 4:31 am
by SPAU00
billion_fan wrote: Tue Mar 09, 2021 10:08 am
billion_fan wrote: Wed Jan 27, 2021 10:05 am
adeux001 wrote: Tue Jan 26, 2021 9:18 pm

Correct, and while we are at it the cypher suites could do with an update; the server still offers SHA1.

Take a look at Wikipedia:

I'll make the suggestion to our engineers :)
Attached is firmware 2.52.d46a2

FW Release Notes:

1. “User can generate random CA on OpenVPN server”.

2. “Added new OpenVPN HMAC Authentication for more security support for SHA256, SHA384, SHA512”.

To generate a new random CA, you will need to make sure the following is set:

1. OpenVPN server set to “Disable”.

2. Router's system up time must be updated to the latest current local time.
Can you confirm this update is appropriate for units purchased in Australia?

Re: OpenVPN CA

Posted: Wed Mar 10, 2021 9:14 am
by billion_fan
SPAU00 wrote: Wed Mar 10, 2021 4:31 am
billion_fan wrote: Tue Mar 09, 2021 10:08 am
billion_fan wrote: Wed Jan 27, 2021 10:05 am

I'll make the suggestion to our engineers :)
Attached is firmware 2.52.d46a2

FW Release Notes:

1. “User can generate random CA on OpenVPN server”.

2. “Added new OpenVPN HMAC Authentication for more security support for SHA256, SHA384, SHA512”.

To generate a new random CA, you will need to make sure the following is set:

1. OpenVPN server set to “Disable”.

2. Router's system up time must be updated to the latest current local time.
Can you confirm this update is appropriate for units purchased in Australia?
I don't think so, as our device is configured for UK ISPs.

(you should be able to request the official AU firmware from support@firstint.com.au)

Re: OpenVPN CA

Posted: Thu Mar 11, 2021 9:04 pm
by nightcustard
BF - Many thanks for providing this update - before I give it a whirl though, could you please confirm I can transfer settings into this new firmware from a backup made from d46? I would imagine so but you never know.....

Re: OpenVPN CA

Posted: Fri Mar 12, 2021 9:17 am
by billion_fan
nightcustard wrote: Thu Mar 11, 2021 9:04 pm BF - Many thanks for providing this update - before I give it a whirl though, could you please confirm I can transfer settings into this new firmware from a backup made from d46? I would imagine so but you never know.....
Yes, you can.

You can upgrade the device with the 'Current Settings' option to retain all settings.

Re: OpenVPN CA

Posted: Sun Mar 14, 2021 10:44 am
by nightcustard
Ah yes! Thanks BF - I'd forgotten there is an option to retain current settings. Always wise to make a backup though ;-)
I've applied the firmware update, changed the cipher encryption and HMAC auth from the defaults and renewed the certificate (which did change).
The firmware update process seemed a little odd though - I thought you should see a progress bar after pressing 'Upgrade', but the router's admin page gave no indication the router was undergoing the update other than, after a while, being replaced by a frowning smiley and the message 'Invalid response'. However, after my blood pressure had increased slightly, normal function was restored and all now appears well.