BolehVPN: Freedom Through Security

Archive for the ‘Announcements’ Category

Wednesday, December 24th, 2014

Merry Christmas from BolehVPN!

Wishing everyone a merry Christmas and happy holidays!

We will still be operational but support queries will be slightly slower.

Be safe in real life as you are using BolehVPN ;P Ho Ho Ho!

 

Thursday, December 18th, 2014

BolehVPN and GST Tax

This is just a quick heads up that starting 1 April 2015, BolehVPN will be charging 6% GST for its Malaysian customers or amounts paid in RM. We’ll have detailed updates on pricing adjustments (if any) as soon as we confirm some things on our end.

This will not affect international customers coming from an IP that is outside Malaysia.

Tuesday, November 25th, 2014

Black Friday Deals from BolehVPN

BitCoin Black Friday

We are happy to provide a 10% discount for all purchases made using BitCoin during the promotional period which is 28th November 2014 – 1st December 2014.

Check out BitCoinBlackFriday.com for a whole list of other merchants offering promotions for BitCoin use and spread the love!

BestVPN Deal

We are also proud to partner with BestVPN.com to offer 15% additional days on any account purchased during the same period (28th November 2014 – 1st December 2014) to customers who, after purchase, send an e-mail to [sales [a] bolehvpn.net] with the following:

Subject: BestVPN Black Friday BolehVPN
Body:

BolehVPN Username:
Invoice ID:
Package Purchased:

For a full list of BestVPN.com’s promotions, head over here.

Tuesday, November 4th, 2014

BolehVPN Security Decisions and Configuration Update Plan

After extensive discussions as per our post here and waiting for everyone to give feedback, we have decided to change our security settings again to balance performance and security.

From our tests and feedback, the biggest performance hit comes from the implementation of SHA-512 for HMAC. However, SHA-1 has been demonstrated to be insecure for quite a while now, and although the vulnerability does not affect SHA-1’s implementation in HMAC, we feel that it is good security practice to upgrade this. To offset this performance hit, we are reducing AES-256 to AES-128 on select configurations, and we still maintain our opinion that AES-128 is just as secure as AES-256 for the next few years (and in certain scenarios can be stronger due to its stronger key schedule).

In any case, all modern CPUs should be able to handle this with no hiccups.

Configuration Changes

FullyRouted

This will be the most used configuration for a wide variety of purposes so this needs to be in the middle ground.

Data Channel: AES 128 bit (from AES 256 bit)
HMAC: SHA-512

SurfingStreaming

This configuration will have a lower security profile as most use it for geo-location purposes and therefore will be optimized for speed while retaining a good overall security.

Data Channel: AES 128 bit (from AES256 bit)
HMAC: SHA-1 (160 bit)

Cloak

This will be our highest security profile but will be the slowest among all of them. On top of these, there is also a further layer of scrambling.

Data Channel: AES 256 bit
HMAC: SHA-512

DD-WRT and Integrated Devices

This is still under discussion with our management and we will evaluate whether the revised configurations will hold for routers with their weaker processing power. Unfortunately we won’t be able to support older underpowered routers and we will release guidelines soon as to the supported builds of DD-WRT.

If required, we would implement a handful of servers just for integrated devices/DD-WRT with reduced security settings.

When is this change happening?

This change will happen sometime this week but we will give 48 hours' notice before we initiate the configuration change. We are still concluding testing on certain naming conventions that are unique to DD-WRT due to the OpenSSL version they use. Once the configuration change is finalized, we will post an announcement and effect the changes in several phases over a 24 hour period. All you would have to do is to redownload your configurations or update them via our client.
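After redownloading, a configuration can be checked against the profile announced above. The following is an added example, not BolehVPN's own tooling: it assumes the files are OpenVPN-style configs using the `cipher` and `auth` directives, falls back to the OpenVPN 2.3-era defaults (BF-CBC, SHA1) when a directive is absent, and uses constructed sample configs.

```python
import re

# Profiles as announced in the post: (data-channel cipher family, HMAC digest).
EXPECTED = {
    "FullyRouted": ("AES-128", "SHA512"),
    "SurfingStreaming": ("AES-128", "SHA1"),
    "Cloak": ("AES-256", "SHA512"),
}
# Assumption: OpenVPN 2.3-era defaults apply when a directive is missing.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}


def parse_directives(text):
    """Return the effective cipher/auth of an OpenVPN-style config."""
    effective = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or commented-out directive
        parts = line.split()
        if parts[0] in effective and len(parts) > 1:
            effective[parts[0]] = parts[1]
    return effective


def audit(profile, text):
    """List mismatches between a config and its announced profile."""
    want_cipher, want_auth = EXPECTED[profile]
    got = parse_directives(text)
    cipher = got["cipher"].upper()
    # Normalise digest spelling so that SHA-512 and SHA512 compare equal.
    auth = re.sub(r"[^A-Z0-9]", "", got["auth"].upper())
    problems = []
    if not cipher.startswith(want_cipher):
        problems.append(f"cipher is {cipher}, expected {want_cipher}")
    if auth != want_auth:
        problems.append(f"auth is {auth}, expected {want_auth}")
    return problems


# Constructed sample configs (not real BolehVPN files).
GOOD_FULLY_ROUTED = "client\ndev tun\ncipher AES-128-CBC\nauth SHA512\n"
STALE_FULLY_ROUTED = "client\ndev tun\ncipher AES-256-CBC\n# auth SHA512\n"

if __name__ == "__main__":
    for name, cfg in [("good", GOOD_FULLY_ROUTED), ("stale", STALE_FULLY_ROUTED)]:
        print(name, audit("FullyRouted", cfg) or "OK")
```

The stale sample shows the case worth catching: with `auth` commented out, the client silently falls back to the default digest rather than the announced SHA-512.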

Wednesday, October 29th, 2014

Reports on Slowdowns on Encryption Upgrade

Since our upgrade to AES256 for the data channel (previously AES128) and SHA2-512bit (from SHA1-160 bit) for the HMAC authentication channel, we’ve been receiving reports on slowdowns especially for those using routers/integrated devices whereby CPU processing power is limited.

We had previously decided on this upgrade because of numerous complaints and several review sites marking us down for using AES128 only when the competition is using AES256. We have previously expressed that AES128 in many cases is just as good as AES256 and in certain cases better since AES128 implements a better key schedule. It is an opinion we still hold today and our opinion is that for the average VPN user, AES128 is pretty good.

However, after implementing AES256, our servers do not show any additional CPU impact and we are therefore investigating the reports on slowdowns. It is also possible that the SHA-512 upgrade to the HMAC is causing the slowdown; however, SHA-1 is already considered insecure as it is vulnerable to collision attacks and therefore we believe it is prudent to upgrade this despite the performance hit.

Therefore, in light of this, before we decide on what to do, we would wish to monitor the situation for the next few days. If the speed issues persist and cannot be attributed to other causes we would be doing the following:

  • Announcing our decision via this blog, Facebook and an e-mail to all current users giving at least two days notice.
  • Moving back from AES256 to AES128 for the data channel for all configurations except xCloak configurations which will maintain AES256.
  • Maintaining SHA-512 for added security on the HMAC authentication channel despite the performance hits. It is noted that SHA-256 in many cases is slower than SHA-512 especially on modern PCs. This however still will have an impact on weaker routers.

The alternative would be to segregate high security servers and keep them as xCloaks with the highest protection while keeping the weaker SHA-1 for regular servers for maximum performance. The problem with this is that for most people it will reduce security and introduce an unequal distribution of users. We probably would see heavily underutilized high security servers.

Feedback is greatly appreciated and thank you for your patience and understanding as we move to improve our service and achieve a balance between performance and security. Please note that comments especially for first time posters may take time to be moderated as they will need to be processed manually.
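The HMAC cost discussed in this post can be measured on the device in question. This is an added example, not BolehVPN's test code: it times HMAC with SHA-1, SHA-256 and SHA-512 over a constructed 1400-byte buffer standing in for one tunnel packet (the packet size and iteration count are assumptions), and results depend on the CPU and the OpenSSL build behind Python's `hashlib`.

```python
import hmac
import os
import time

# SHA-256 is included because the post compares it with SHA-512.
DIGESTS = ("sha1", "sha256", "sha512")


def tag_sizes():
    """HMAC tag length in bytes for each digest (bytes added per message)."""
    key = b"\x00" * 64
    return {d: len(hmac.digest(key, b"", d)) for d in DIGESTS}


def benchmark(packet_size=1400, packets=20000):
    """Return {digest: MB/s} for HMAC over packet-sized messages."""
    key = os.urandom(64)
    packet = os.urandom(packet_size)  # constructed stand-in for one packet
    results = {}
    for d in DIGESTS:
        start = time.perf_counter()
        for _ in range(packets):
            hmac.digest(key, packet, d)  # one-shot HMAC, OpenSSL-backed
        elapsed = time.perf_counter() - start
        results[d] = packet_size * packets / elapsed / 1e6
    return results


if __name__ == "__main__":
    sizes = tag_sizes()
    for d, mbps in benchmark().items():
        print(f"HMAC-{d}: {sizes[d]}-byte tag, {mbps:8.1f} MB/s")
```

Running it on both a desktop and a router-class board shows whether the SHA-256 versus SHA-512 ordering described above holds on each.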

