Recently in the news, Tech In Asia reported that VPN providers ExpressVPN and Astrill have been using Certificate Authority (CA) certificates generated from 1024-bit keys. As far back as 2003, 1024-bit keys were projected to be crackable by 2010, and current research estimates that 1024-bit keys can be brute-forced today by the resources available to nation-state actors. Since offering OpenVPN and IPsec VPN services in 2010, Golden Frog has always used 2048-bit keys for both its CA certificates and the keys used for encrypting VyprVPN connections. Security researchers project that 2048-bit keys will be sufficient until around 2030.
So specifically, what is wrong with the 1024-bit key being used by ExpressVPN and why should VPN customers be concerned? For encrypting the VPN connection, ExpressVPN was using 2048-bit keys, so the data was protected at a higher level. As with all things related to security, though, the answer comes down to trust.
In an OpenVPN connection, the Certificate Authority (CA) certificate allows the OpenVPN client to know that the VPN server is who it claims to be. The VPN server’s identity is signed by the CA key, and with the CA certificate, the client can verify that a third party it trusts (the certificate authority) has vouched for that. This trust is predicated on the authority having the only access to the CA key. If someone unrelated to the authority also had access to the key, they could create and sign their own server certificates – and those servers would be just as trusted as the authority’s. No one could tell the difference, so no one could trust that the server is really who it says it is.
As a result, the CA key is very important to the VPN server trust chain, and it’s just as important to anyone who wants to pretend to be that VPN server. One way for someone else to get the key is to guess it. If someone guesses all of the possible keys, one of them will be the right key. We call this a brute-force attack, and at large key sizes, brute-force attacks are computationally enormous. A 1024-bit key has 2^1024, or over 1e+308 (a 1 followed by 308 zeroes), possible values to guess. Even for the fast computer clusters we have today, that would take longer than the current age of the universe. Algorithmic attacks can substantially reduce the number of guesses necessary, though. Researchers today estimate that, for a few hundred million dollars, someone could put together a computer system powerful enough to crack a specific 1024-bit key in a year or less. With the key recovered, that person or group could set up their own VPN servers pretending to be the real VPN servers, and then decrypt all of the traffic. Since the same CA key is usually used for all of a provider’s VPN servers, they can effectively decrypt all VPN traffic to all of the servers, without the user knowing. This is called a man-in-the-middle attack, and it’s the most efficient method for large-scale surveillance of encrypted data.
So, although your data is encrypted in transit, the data may be going to a malicious third party who can decrypt the data upon arrival using a man-in-the-middle attack. Encrypting the data is worthless if the CA key can be cracked. It is the equivalent of putting all of your documents in a secure lockbox, and then mailing the lockbox to your enemy who has stolen the key.
Weak CA keys are even worse than weak encryption keys, because they control the entire kingdom. Tech In Asia rightly questions whether Chinese users of these VPN providers should be worried, because China is easily capable of performing both the brute-force computations and subsequent man-in-the-middle attacks necessary to decrypt the VPN traffic. VyprVPN is safe from this for now, and we’ll continue to update our systems and configurations to follow current best practices to stay safe in the future.
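The CA key size discussed above is something a VPN user can check for themselves before trusting a provider's profile. The following is an added example, not Golden Frog's or any provider's code: a stdlib-only Python script that pulls the inline <ca> certificate out of an OpenVPN .ovpn file, walks the DER to the rsaEncryption SubjectPublicKeyInfo and reports the modulus size, so anything below the 2048-bit floor can be flagged. The profile and certificate it runs on are constructed in the block (the hostname vpn.example.invalid is a placeholder and the certificate is cert-shaped test data, not a real signed CA).

```python
import base64, re

RSA_OID = bytes.fromhex("2a864886f70d010101")   # OID 1.2.840.113549.1.1.1, rsaEncryption

def der_tlv(data, pos=0):                       # one tag-length-value -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                           # long-form length: low bits = byte count
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def der_children(value):                        # body of a constructed element -> [(tag, value)]
    pos, out = 0, []
    while pos < len(value):
        tag, body, pos = der_tlv(value, pos)
        out.append((tag, body))
    return out

def rsa_modulus_bits(der):
    """Descend a DER certificate to its rsaEncryption SubjectPublicKeyInfo; return modulus bits or None."""
    for tag, body in der_children(der):
        kids = der_children(body) if tag in (0x30, 0x31) or 0xA0 <= tag <= 0xA3 else []
        if tag == 0x30 and len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03:
            alg = der_children(kids[0][1])
            if alg and alg[0] == (0x06, RSA_OID):
                rsa_key = der_children(kids[1][1][1:])[0][1]   # [1:] skips the unused-bits byte
                return int.from_bytes(der_children(rsa_key)[0][1], "big").bit_length()
        found = rsa_modulus_bits(body) if kids else None
        if found:
            return found
    return None

def ca_key_bits_from_ovpn(ovpn_text):           # size the RSA key in an .ovpn's inline <ca> block
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", ovpn_text, re.S)
    return rsa_modulus_bits(base64.b64decode(m.group(1))) if m else None

def der_encode(tag, body):                      # minimal encoder, used only to build the sample below
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def sample_ovpn(bits):
    """Constructed .ovpn whose <ca> is cert-shaped DER (not a real signed CA) with a `bits`-bit RSA modulus."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")     # top bit set, leading 0x00 pad
    rsa_key = der_encode(0x30, der_encode(0x02, n) + der_encode(0x02, b"\x01\x00\x01"))
    spki = der_encode(0x30, der_encode(0x30, der_encode(0x06, RSA_OID) + b"\x05\x00") + der_encode(0x03, b"\x00" + rsa_key))
    cert = der_encode(0x30, der_encode(0x30, der_encode(0x02, b"\x01") + spki))
    return ("client\nremote vpn.example.invalid 1194\n<ca>\n-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n</ca>\n")
```

Running `ca_key_bits_from_ovpn` on a real profile and comparing the result against 2048 is the whole check; a result of 1024 is the situation the article describes.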
Learn more in this blog post by former Google Engineer Mark Brevard.
Update – February 16, 2016
ExpressVPN has reported on their blog that they rolled out new security settings for all their apps to address the CA key issue.