7

Back in https://devrant.com/rants/5492690 @Nihil75 referred to SlickVPN with a link, where you can buy a lifetime licence for $20. I thought - what the hell.. I don't need a public VPN rn, but for $20 for a lifetime lic - I'll take it, in case I'll ever need one.

I had some trouble signing up - the confirmation email never reached my inbox. So I got in touch with support. And they.... generated and sent me a password in plain-text.

And there isn't even any nagging requirement to change the pass after I sign in for the first time!

IDK... As for a service claiming to be security-oriented, the first interaction already screams "INSECURE".

Well.. should still be OK for IP switching, to unlock Netflix content I guess. Don't need anything secure for that 🤷

Comments
  • 1
    @theKarlisK you know... I wouldn't be surprised... Maybe I accidentally caused an SQLi?

    Whoops... 🤷
  • 2
    hmm... It gets better. I've tried to connect to several servers and I'm getting an error saying that the certificate is self-signed and not trusted

    So far nothing seems secure in here....
  • 1
    @Nihil75

    am I using it wrong perhaps?
  • 1
    @netikras slick is in the name for the amount of lube you're going to need after you use their service.

    Better butter up your butthole for all that "security" you're about to experience.
  • 2
    The service of a public VPN (paid or unpaid) is the endpoint obfuscation. You use it to make your traffic look like it is coming from their IP. For that job it doesn't matter whether your password is secure or not. The password is just there so you can't use the service without paying...

    And the cert is just there to stop your internet provider from looking at your traffic. Self-signed is okay for that - if you verify the fingerprint.
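
The fingerprint check mentioned in the comment above, sketched as an added example that is not part of the thread or of any VPN client: it pins one self-signed certificate by its SHA-256 fingerprint instead of relying on a CA chain. The function names and the sample bytes are assumptions made for illustration, and the pinned value is assumed to have been obtained from the provider over a separate channel.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for a DER-encoded certificate (not a real certificate).
CONSTRUCTED_DER = b"constructed stand-in for DER certificate bytes"


def normalize_fingerprint(text: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; return lowercase hex."""
    cleaned = text.replace(":", "").replace(" ", "").strip().lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned


def fingerprint_matches(der_cert: bytes, pinned: str) -> bool:
    """Compare SHA-256 of the DER certificate with the pinned value."""
    actual = hashlib.sha256(der_cert).hexdigest()
    return hmac.compare_digest(actual, normalize_fingerprint(pinned))


def connect_pinned(host: str, port: int, pinned: str,
                   timeout: float = 5.0) -> ssl.SSLSocket:
    """Open a TLS connection that trusts exactly one certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # CA validation is off on purpose: a self-signed certificate has no
    # chain to check, so the fingerprint comparison is the only trust
    # decision made here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    der = tls.getpeercert(binary_form=True)
    if der is None or not fingerprint_matches(der, pinned):
        tls.close()  # refuse to send anything over an unpinned session
        raise ssl.SSLError("certificate fingerprint does not match the pin")
    return tls
```

Without the comparison step, accepting the self-signed certificate would also accept any other certificate presented by something sitting between the client and the server.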
  • 0
    @Oktokolo I know. I'm challenging their 'secure' claim
  • 0
    Honestly I use it for IP/region switching.

    Don't care too much about "security" because:

    A. SSL/TLS still works fine

    B. if they get hacked, the attacker will..what? have my SlickVPN account?

    Not the end of the world. I don't use that password anywhere else.
  • 1
    @netikras Their secure claim is correct if they: Don't log. Have enough users use each IP at the same time. Are usable pseudonymously. And use transport security barely strong enough to keep the internet provider's nose out of your DNS traffic and connection details.

    So far you did not challenge their "secure" claim.
  • 0
    @Oktokolo I believe I have... At least the ones in their front page.

    If they are sending my pw in plain-text, 3rd parties might get a hold of it (not to mention that this password is stored in the support person's outbox now, as well as their mail server). There are oh so many angles of attack to acquire this info.

    Hadn't I changed my password (bcz I'm not forced to before I continue using their services), at least the support person could easily log into my web account, take my VPN login credentials, login to the VPN with my creds and be in the same VPN as I am. And from there is another list of attack vectors to either get into my laptop (in the same VPN) or control where I'm making requests to or observe requests I'm making.

    In fact, you're right. I did NOT challenge their "secure" claim. They've proven it to be false themselves, proactively.
  • 1
    @netikras Obviously, "anyone" has to exclude them as the VPN connection literally ends at their servers. You have to trust them not to use your DNS and connection data. Better passwords can't change that.

    If you want zero-trust endpoint obfuscation, you have to use an onion routing service like TOR. But they generally are far too slow and unreliable for realtime communication (including streaming).

    And the worst thing anyone could do with your password is buying you more months as that password most likely just "protects" your user account (which shouldn't contain any sensitive data anyways and is only used for keeping track of who may use the service)...
  • 0
    @Oktokolo "shouldn't contain"

    but it does. It contains my vpn acc creds.

    As for dns - no diff whether vpn enforces their own settings or are using mine. Dns spoofing still will work. Prolly would be even better if I used my own dns server
  • 1
    @netikras speaking from an enterprise background, sharing secrets securely is a BIG problem that's often overlooked.

    If I could create a solution that wouldn't get stolen by my employer I would do it.

    Key features would be:

    - hosted on prem or in a managed cloud (company owns the infra)
    - routine encryption key rotation
    - encryption at rest
    - multifactorial retrieval
    - customizable expiration
    - extensive auditing
    - IDP integration
    - API supported

    That pretty much covers the hard hitters, the rest is fluff.
  • 1
    @sariel I know. And that's my point - the support rep should have never shared any secrets with me. There's a password reset feature that allows me to set the password only I will know [unless they store plain-text pw in the db or log my pw in the POST /login req].
  • 0
    @Oktokolo "shouldn't contain"

    I agree. It shouldn't. But it does.
  • 0
    @netikras Not sure about IPSec (quite surprised it still exists) - but normally those passwords can't be used to break into your VPN connection - they can only be used to establish new VPN connections.

    Yes, there could be freeloaders using the service without paying - but as long as it is a flatrate the only one who should care about that is the service provider...

    And as I predicted: No sensitive data. Just the bare minimum necessary subscription details and the passwords allowing you to use the service.