After extensive discussions as per our post here and waiting for everyone to give feedback, we have decided to change our security settings again to balance performance and security.
From our tests and feedback, the biggest performance hit comes from the implemention of SHA-512 for HMAC. However SHA-1 has been demonstrated to be insecure for quite a while now and although the vulnerability does not affect SHA-1’s implemention in HMAC we feel that it is in good security practice to upgrade this. To offset this performance hit, we are reducing AES-256 to AES-128 on select configurations and we still maintain our opinion that AES-128 is just as secure as AES-256 for the next few years (and in certain scenarios can be stronger due to its stronger key schedule).
In any case, all modern CPUs should be able to handle this with no hiccups.
This will be the most used configuration for a wide variety of purposes so this needs to be in the middle ground.
Data Channel: AES 128 bit (from AES 256 bit)
This configuration will have a lower security profile as most use it for geo-location purposes and therefore will be optimized for speed while retaining a good overall security.
Data Channel: AES 128 bit (from AES256 bit)
HMAC: SHA-1 (160 bit)
This will be our highest security profile but will be the slowest among all of them. On top of these, there is also a further layer of scrambling.
Data Channel: AES 256 bit
DD-WRT and Integrated Devices
This is still under discussion with our management and we will evaluate to see if the revised configurations will hold for routers with their weaker processing power. Unfortunately we won’t be able to support older under powered routers and we will release guidelines soon as to the supported builds of DD-WRT.
If required, we would implement a handful of servers just for integrated devices/DD-WRT with reduced security settings.
This change will happen sometime this week but we will get a 48 hour notice before we initiate the configuration change. We are still concluding testing on certain naming conventions that are unique to DD-WRT due to the OpenSSL version they use. Once the configuration change is finalized, we will post an announcement and effect the changes in several phases over a 24 hour period. All you would have to do is to redownload your configurations or update it via our client.