Here's why VPN services are turning to WireGuard - TechRadar
Posted: 28 Feb 2021 06:02 AM PST

When it comes to VPN services, everyone has their individual preferences, and the same is true of the protocols used to encrypt them. OpenVPN and IPsec have long ruled the roost, but the up-and-coming WireGuard protocol is proving that strong encryption can be had for less overhead. We caught up with Daniel Sagi, COO at Kape Technologies, parent company of Private Internet Access, to find out about the value WireGuard can deliver and the company's approach to protocols going forward.

You've financially contributed to the WireGuard protocol and now all your desktop and mobile apps support the protocol. The mobile clients are still missing some features such as per-app connections. When will these be available and are there any other features that you are currently working on?

The split-tunneling feature is available on the Android version. Noting that iOS apps utilize the Apple sandbox, changing the behavior of other apps is not supported. As a result, we currently do not implement this feature on iOS, as it is a platform-specific limitation. For the desktop clients we are currently working on a new Network Management feature. The Network Management feature permits users to create dedicated automation rules for each type of network (wireless or wired, open or secure Wi-Fi). In this way, the PIA application will automatically connect or disconnect when the user connects to that particular network, in the manner the user has specified through the automation rule.

Do you plan to switch to WireGuard instead of OpenVPN by default?

We don't want to force anyone to use a specific protocol. We want to give our customers full control regarding the protocol setup and see this as an evolving decision, delivering the best service to a customer based on their needs. To that end, we're clearly explaining the advantages of WireGuard in dedicated intro screens from which they can activate it, and we will be looking at ways in the client to automatically optimize their recommended connection based on their preferences this year.

Can you tell us some of the advantages WireGuard offers over the venerable OpenVPN? What's the advantage of having WireGuard built directly into the Linux kernel for PIA users?

WireGuard is a new VPN protocol that was built after cryptography specialists studied OpenVPN and IPsec and came up with a new design that improves the network stack used and also has a modern selection of encryption algorithms, which results in better transfer rates and faster connection times. Up to this point, WireGuard provides more stability and better speed. All software that runs in "kernel space" will run faster and will consume less CPU power. The Linux kernel was the first kernel to receive support for WireGuard. Users that use the kernel module for WireGuard will probably experience better transfer rates (10% higher speeds for downloads), and will also get improved battery lifetime for their devices. We are excited to see the results when new Android devices receive the WireGuard kernel module from the factory, and we hope Microsoft and Apple will also make a move in this direction to provide drivers/modules for WireGuard, so that we can see the same improvement on all platforms.

You've put up the code of all your clients and extensions on GitHub. Is that just for auditing purposes? Or are you open to receiving contributions and bug fixes from external contributors as well?

Yes, we have all our clients' code on GitHub. We're doing this to permit a public auditing process. We're also continually in discussion with our community, and we're even accepting pull requests for improvements and bug fixes from external contributors.

Talking about bug fixes, some of your peers (most notably, ProtonVPN) have bug bounty programs as well. Do you have any such plans?

PIA was one of the first VPN providers to create a bespoke bug bounty program, in November 2013, and will continue to look at how we can extend the successful program further this year.

ProtonVPN has also had its code vetted by Mozilla. Open-sourcing the code is a positive step, but do you plan to invite auditors to comb through your code as well?

Open-sourcing means that our code is open to anyone to audit at any time. "Verify, not trust" is an ethos and message we have used for a number of years. We welcome external validation and have been actively looking at this option for some time. We want to ensure that an audit is not just a badge that is bought; it is a verification you can trust.

Can you share some details about the servers that power the service? What OS/distro do they run? What security measures do you implement on the servers?

We are running Linux on the traffic nodes, with the following security measures:

Since your clients are under GPLv3, do you plan to work with Linux distros to have them included in the official repos?

We have discussed other Linux packaging options such as offering DEB/RPM packages, but the obstacle to inclusion in official distro repos is that we'd have to pull all dependencies from the distribution, meaning we might not get the precise version of Qt we want. As a result we are still evaluating the option we wish to proceed with.
This is how law enforcement gets around your phone's encryption - Wired.co.uk
Posted: 17 Jan 2021 12:00 AM PST

Lawmakers and law enforcement agencies around the world, including in the United States, have increasingly called for backdoors in the encryption schemes that protect your data, arguing that national security is at stake. But new research indicates governments already have methods and tools that, for better or worse, let them access locked smartphones thanks to weaknesses in the security schemes of Android and iOS.

Cryptographers at Johns Hopkins University used publicly available documentation from Apple and Google as well as their own analysis to assess the robustness of Android and iOS encryption. They also studied more than a decade's worth of reports about which of these mobile security features law enforcement and criminals have previously bypassed, or can currently bypass, using special hacking tools. The researchers have dug into the current mobile privacy state of affairs, and provided technical recommendations for how the two major mobile operating systems can continue to improve their protections.

"It just really shocked me, because I came into this project thinking that these phones are really protecting user data well," says Johns Hopkins cryptographer Matthew Green, who oversaw the research. "Now I've come out of the project thinking almost nothing is protected as much as it could be. So why do we need a backdoor for law enforcement when the protections that these phones actually offer are so bad?"

Before you delete all your data and throw your phone out the window, though, it's important to understand the types of privacy and security violations the researchers were specifically looking at. When you lock your phone with a passcode, fingerprint lock, or face recognition lock, it encrypts the contents of the device. Even if someone stole your phone and pulled the data off it, they would only see gibberish. Decoding all the data would require a key that only regenerates when you unlock your phone with a passcode, or face or finger recognition. And smartphones today offer multiple layers of these protections and different encryption keys for different levels of sensitive data. Many keys are tied to unlocking the device, but the most sensitive require additional authentication. The operating system and some special hardware are in charge of managing all of those keys and access levels so that, for the most part, you never even have to think about it.

With all of that in mind, the researchers assumed it would be extremely difficult for an attacker to unearth any of those keys and unlock some amount of data. But that's not what they found.

"On iOS in particular, the infrastructure is in place for this hierarchical encryption that sounds really good," says Maximilian Zinkus, a PhD student at Johns Hopkins who led the analysis of iOS. "But I was definitely surprised to see then how much of it is unused." Zinkus says that the potential is there, but the operating systems don't extend encryption protections as far as they could.

When an iPhone has been off and boots up, all the data is in a state Apple calls "Complete Protection." The user must unlock the device before anything else can really happen, and the device's privacy protections are very high. You could still be forced to unlock your phone, of course, but existing forensic tools would have a difficult time pulling any readable data off it. Once you've unlocked your phone that first time after reboot, though, a lot of data moves into a different mode. Apple calls it "Protected Until First User Authentication," but researchers often simply call it "After First Unlock." If you think about it, your phone is almost always in the AFU state. You probably don't restart your smartphone for days or weeks at a time, and most people certainly don't power it down after each use. (For most, that would mean hundreds of times a day.)

So how effective is AFU security? That's where the researchers started to have concerns. The main difference between Complete Protection and AFU relates to how quick and easy it is for applications to access the keys to decrypt data. When data is in the Complete Protection state, the keys to decrypt it are stored deep within the operating system and are themselves encrypted. But once you unlock your device the first time after reboot, many encryption keys start being held in quick-access memory, even while the phone is locked. At this point an attacker could find and exploit certain types of security vulnerabilities in iOS to grab the encryption keys that are accessible in memory and decrypt large portions of the data on the phone. Based on available reports about smartphone access tools, like those from the Israeli law enforcement contractor Cellebrite and US-based forensic access firm Grayshift, the researchers realised that this is how almost all smartphone access tools likely work right now. It's true that you need a specific type of operating system vulnerability to grab the keys, and both Apple and Google patch as many of those flaws as possible, but if you can find one, the keys are available, too.

The researchers found that Android has a similar setup to iOS with one crucial difference. Android has a version of "Complete Protection" that applies before the first unlock. After that, the phone's data is essentially in the AFU state. But where Apple gives developers the option to keep some data under the more stringent Complete Protection locks all the time (something a banking app, say, might take them up on), Android has no such mechanism after first unlock. Forensic tools exploiting the right vulnerability can therefore grab even more decryption keys, and ultimately access even more data, on an Android phone.
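As an added illustration, not from the Wired article or the Johns Hopkins study, the Python toy below models the two key states just described: class keys sit wrapped in a keybag under a passcode-derived key, the first unlock unwraps them into memory, and locking evicts only the Complete Protection class key, so a scrape of resident keys on a locked AFU device yields the address book but not data an app kept under Complete Protection. The XOR-based wrapping, the two file names and the PBKDF2 parameters are constructed for this example and are not Apple's implementation.

```python
import hashlib
import hmac
import secrets
from enum import Enum

class ProtClass(Enum):  # two of the iOS data-protection classes the article discusses
    COMPLETE = "Complete Protection"   # class key evicted from RAM on every lock
    AFU = "After First Unlock"         # class key stays in RAM until reboot

def _toy_wrap(kek: bytes, key: bytes) -> bytes:
    # Constructed XOR-keystream wrapping for illustration only, not Apple's real key wrap
    stream = hmac.new(kek, b"class-key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(key, stream))

class Device:
    def __init__(self, passcode: str):
        self.salt = secrets.token_bytes(16)
        kek = self._kek(passcode)
        self.verifier = hashlib.sha256(b"verify" + kek).digest()
        # Keybag: every class key is stored wrapped under the passcode-derived KEK
        self.keybag = {c: _toy_wrap(kek, secrets.token_bytes(32)) for c in ProtClass}
        self.memory = {}   # unwrapped class keys currently resident in RAM
        # Hypothetical files and the protection class each one is assigned to
        self.files = {"address_book": ProtClass.AFU, "banking_token": ProtClass.COMPLETE}

    def _kek(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 100_000)

    def unlock(self, passcode: str) -> None:
        kek = self._kek(passcode)
        if not hmac.compare_digest(self.verifier, hashlib.sha256(b"verify" + kek).digest()):
            raise ValueError("wrong passcode")
        self.memory = {c: _toy_wrap(kek, w) for c, w in self.keybag.items()}

    def lock(self) -> None:
        # Only the Complete Protection key is purged; the AFU key stays resident
        self.memory.pop(ProtClass.COMPLETE, None)

    def readable_from_memory(self) -> list:
        # Files a tool that scrapes resident keys could decrypt without the passcode
        return sorted(f for f, c in self.files.items() if c in self.memory)

def demo(passcode: str = "1234") -> dict:
    d = Device(passcode)
    result = {"fresh boot, locked": d.readable_from_memory()}
    d.unlock(passcode)
    d.lock()
    result["locked after first unlock"] = d.readable_from_memory()
    return result
```

Clearing `memory` entirely (a reboot) returns the model to the Complete Protection state, which is why the article's contact-name demo only works before the first unlock.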
Tushar Jois, another Johns Hopkins PhD candidate who led the analysis of Android, notes that the Android situation is even more complex because of the many device makers and Android implementations in the ecosystem. There are more versions and configurations to defend, and across the board users are less likely to be getting the latest security patches than iOS users.

"Google has done a lot of work on improving this, but the fact remains that a lot of devices out there aren't receiving any updates," Jois says. "Plus different vendors have different components that they put into their final product, so on Android you can not only attack the operating system level, but other different layers of software that can be vulnerable in different ways and incrementally give attackers more and more data access. It makes additional attack surface, which means there are more things that can be broken."

The researchers shared their findings with the Android and iOS teams ahead of publication. An Apple spokesperson told WIRED that the company's security work is focused on protecting users from hackers, thieves, and criminals looking to steal personal information. The types of attacks the researchers are looking at are very costly to develop, the spokesperson pointed out; they require physical access to the target device and only work until Apple patches the vulnerabilities they exploit. Apple also stressed that its goal with iOS is to balance security and convenience.

"Apple devices are designed with multiple layers of security in order to protect against a wide range of potential threats, and we work constantly to add new protections for our users' data," the spokesperson said in a statement. "As customers continue to increase the amount of sensitive information they store on their devices, we will continue to develop additional protections in both hardware and software to protect their data."

Similarly, Google stressed that these Android attacks depend on physical access and the existence of the right type of exploitable flaws. "We work to patch these vulnerabilities on a monthly basis and continually harden the platform so that bugs and vulnerabilities do not become exploitable in the first place," a spokesperson said in a statement. "You can expect to see additional hardening in the next release of Android."

To understand the difference in these encryption states, you can do a little demo for yourself on iOS or Android. When your best friend calls your phone, their name usually shows up on the call screen because it's in your contacts. But if you restart your device, don't unlock it, and then have your friend call you, only their number will show up, not their name. That's because the keys to decrypt your address book data aren't in memory yet.

The researchers also dove deep into how both Android and iOS handle cloud backups, another area where encryption guarantees can erode. "It's the same type of thing where there's great crypto available, but it's not necessarily in use all the time," Zinkus says. "And when you back up, you also expand what data is available on other devices. So if your Mac is also seized in a search, that potentially increases law enforcement access to cloud data."

Though the smartphone protections that are currently available are adequate for a number of "threat models" or potential attacks, the researchers have concluded that they fall short on the question of specialised forensic tools that governments can easily buy for law enforcement and intelligence investigations. A recent report from researchers at the nonprofit Upturn found nearly 50,000 examples of US police in all 50 states using mobile device forensic tools to get access to smartphone data between 2015 and 2019. And while citizens of some countries may think it is unlikely that their devices will ever specifically be subject to this type of search, widespread mobile surveillance is ubiquitous in many regions of the world and at a growing number of border crossings. The tools are also proliferating in other settings like US schools.

As long as mainstream mobile operating systems have these privacy weaknesses, though, it's even more difficult to explain why governments around the world, including the US, UK, Australia, and India, have mounted major calls for tech companies to undermine the encryption in their products.

This article was originally published on WIRED US