The security of OVPN’s web servers

author David Wibergh, about Products & features

A VPN service provider should offer integrity and security, and there are a lot of things to think about in order to achieve this. As you are probably aware by now, we have put a lot of effort into making sure that no logs of our users' activity are kept or stored on our servers, as well as into physical security.

A VPN service provider needs to protect customer information more carefully than an ordinary website, because part of what a VPN service provider sells is trust, security, and integrity. At OVPN, we have therefore focused not only on the security of our VPN servers but also on implementing extensive security measures on our web servers.

We strive to create and maintain proactive protection, meaning that we want to keep our security stricter than is currently needed. We do this to protect ourselves from potential future vulnerabilities that we cannot yet foresee. To achieve this, we have taken the following steps:

  • Using the best cipher support available for HTTPS (SSL Labs results)
  • Using HSTS with a long expiration time
  • Forcing web browsers to use their built-in XSS protection
  • Making sure that cookies are only set via HTTPS
  • Not allowing frames and iframes on OVPN.com
  • Telling proxies and web browsers not to cache any content of our web page
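
The header-based measures in the list above can be checked against a response with a short script. This is an added example, not OVPN's own code: the header names are the standard ones for each measure (the page does not name them), the one-year HSTS threshold is an assumed reading of "long expiration time", and the sample responses are constructed. Cipher support is not visible in response headers and is left out.

```python
import re

MIN_HSTS_AGE = 31536000  # assumption: "long expiration time" means >= 1 year

def directives(value):
    """Split 'a=1; b' or 'a, b=2' into a lowercase {name: value} dict."""
    out = {}
    for part in re.split(r"[;,]", value or ""):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.lower()] = val.strip().strip('"')
    return out

def audit(headers):
    """headers: list of (name, value) pairs. Returns the names of failed checks."""
    h = {n.lower(): v for n, v in headers}
    cookies = [v for n, v in headers if n.lower() == "set-cookie"]  # may repeat
    failed = []
    hsts = directives(h.get("strict-transport-security"))
    if not hsts.get("max-age", "").isdigit() or int(hsts["max-age"]) < MIN_HSTS_AGE:
        failed.append("hsts")
    xss = directives(h.get("x-xss-protection"))
    if "1" not in xss or xss.get("mode") != "block":
        failed.append("xss-filter")
    if any("secure" not in {a.strip().lower() for a in c.split(";")[1:]} for c in cookies):
        failed.append("cookie-secure")
    csp = h.get("content-security-policy", "")
    if (h.get("x-frame-options", "").strip().lower() != "deny"
            and not re.search(r"frame-ancestors\s+'none'", csp)):
        failed.append("framing")
    if "no-store" not in directives(h.get("cache-control")):
        failed.append("caching")
    return failed

# Constructed sample responses (not captured from any real server).
HARDENED = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Frame-Options", "DENY"),
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]
WEAK = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Set-Cookie", "session=abc123; Path=/; Secure"),
    ("Set-Cookie", "lang=en; Path=/"),  # one cookie without Secure fails the check
]

print("hardened:", audit(HARDENED), "| weak:", audit(WEAK))
```

Current browsers that have removed their built-in XSS filter ignore `X-XSS-Protection`, so that check only reflects hardening for older clients.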

We have also established the following routines to make sure that utmost security is in place:

  • Static analysis of our source code in order to find any vulnerabilities.
  • We encourage responsible vulnerability reporting by offering rewards to anyone finding vulnerabilities.
  • We write blog entries about things that might decrease a user's anonymity and security and how customers can better protect themselves (bash vulnerability, tunneling Tor, Superfish, WebRTC, safer browsing of the internet (/blog/gor-ditt-surfande-mer-sakert/)).
  • We aim to be as transparent as we can in order to decrease ambiguity and misunderstandings about our services.
  • We have chosen our software carefully (Ghost CMS, OpenVPN, nginx, Debian).
  • CSRF, SQLi, and XSS protection
  • Prevention of brute-force attacks
  • The employees of OVPN have taken steps to secure their workstations, such as encrypting their hard drives.
  • We encrypt our internal communication.
  • We encrypt user e-mails with unique encryption keys that are changed daily.

We also have a few things planned to improve security even more, such as:

  • Improve blocking of brute-force attacks
  • Improve blocking of different timing attacks
  • Upgrading our SSL certificate to one with a stronger encryption algorithm as well as stronger organization validation
  • Allowing users to upload their PGP/GPG keys so that all mail communication from OVPN is encrypted automatically
  • We also plan to set up a sandbox environment where we will let seasoned specialists look for vulnerabilities without any risk of exposing user information.

Ideas on how we can improve?

Do you have ideas or suggestions on how to increase our security even further? If so, please contact us and tell us about them.