Tunnelblick vs. PIA Client


rock8...@gmail.com

Oct 12, 2014, 11:17:59 AM
I heard that the PIA Client is more secure than Tunnelblick due to the additional security features implemented in the PIA client.
Which security features does Tunnelblick offer?
Thanks in advance!

jkbull...gmail.com

Oct 12, 2014, 12:31:46 PM
to tunnelbli...@googlegroups.com
Where did you hear that?

What are the "additional security features implemented in the PIA client" that you think Tunnelblick does not have?

Tunnelblick is "just" the software, is that what you are asking about, or are you asking about the security of an OpenVPN VPN, or about the security of a VPN provider's service?

For a broader discussion about using VPNs, see Privacy and Security.


Phoenix I

Oct 12, 2014, 1:45:54 PM
Thank you for the reply.

On the Client you can add the following security features:
  • Maximum Protection — AES-256 / SHA256 / RSA-4096 (Data Encryption / Data Authentication / Handshake Encryption)

Those are the values I can add on their Client Software. So I just wanted to know if Tunnelblick can provide those security features as well, or what Tunnelblick is using for securing data.

jkbull...gmail.com

Oct 12, 2014, 3:42:12 PM
to tunnelbli...@googlegroups.com
"AES-256/SHA256/RSA-4096" refers to encryption and digest algorithms. It is not referring to "security features".

You (or whoever sets up your VPN) determine what encryption and digest algorithms to use, not Tunnelblick. 

Tunnelblick is a graphic interface to OpenVPN, which uses OpenSSL for encryption and authentication. You can configure OpenVPN to use any encryption and authentication methods that OpenSSL supports. Tunnelblick 3.4 includes OpenSSL 1.0.1i, which includes the following digests:

MD5 128 bit digest size
RSA-MD5 128 bit digest size
SHA 160 bit digest size
RSA-SHA 160 bit digest size
SHA1 160 bit digest size
RSA-SHA1 160 bit digest size
DSA-SHA 160 bit digest size
DSA-SHA1-old 160 bit digest size
MDC2 128 bit digest size
RSA-MDC2 128 bit digest size
DSA-SHA1 160 bit digest size
RSA-SHA1-2 160 bit digest size
DSA 160 bit digest size
RIPEMD160 160 bit digest size
RSA-RIPEMD160 160 bit digest size
MD4 128 bit digest size
RSA-MD4 128 bit digest size
ecdsa-with-SHA1 160 bit digest size
RSA-SHA256 256 bit digest size
RSA-SHA384 384 bit digest size
RSA-SHA512 512 bit digest size
RSA-SHA224 224 bit digest size
SHA256 256 bit digest size
SHA384 384 bit digest size
SHA512 512 bit digest size
SHA224 224 bit digest size
whirlpool 512 bit digest size

and the following ciphers:
DES-CBC 64 bit default key (fixed)
IDEA-CBC 128 bit default key (fixed)
RC2-CBC 128 bit default key (variable)
DES-EDE-CBC 128 bit default key (fixed)
DES-EDE3-CBC 192 bit default key (fixed)
DESX-CBC 192 bit default key (fixed)
BF-CBC 128 bit default key (variable)
RC2-40-CBC 40 bit default key (variable)
CAST5-CBC 128 bit default key (variable)
RC2-64-CBC 64 bit default key (variable)
AES-128-CBC 128 bit default key (fixed)
AES-192-CBC 192 bit default key (fixed)
AES-256-CBC 256 bit default key (fixed)
CAMELLIA-128-CBC 128 bit default key (fixed)
CAMELLIA-192-CBC 192 bit default key (fixed)
CAMELLIA-256-CBC 256 bit default key (fixed)
SEED-CBC 128 bit default key (fixed)

and the following TLS ciphers:

TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDHE-RSA-WITH-AES-256-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-256-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-256-CBC-SHA
SRP-AES-256-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-DSS-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
TLS-DHE-RSA-WITH-AES-256-CBC-SHA256
TLS-DHE-DSS-WITH-AES-256-CBC-SHA256
TLS-DHE-RSA-WITH-AES-256-CBC-SHA
TLS-DHE-DSS-WITH-AES-256-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-256-CBC-SHA
TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384
TLS-ECDH-RSA-WITH-AES-256-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-AES-256-GCM-SHA384
TLS-RSA-WITH-AES-256-CBC-SHA256
TLS-RSA-WITH-AES-256-CBC-SHA
TLS-RSA-WITH-CAMELLIA-256-CBC-SHA
TLS-PSK-WITH-AES-256-CBC-SHA
TLS-ECDHE-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA
TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-DSS-WITH-AES-128-CBC-SHA
TLS-SRP-SHA-RSA-WITH-AES-128-CBC-SHA
SRP-AES-128-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-DSS-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA256
TLS-DHE-DSS-WITH-AES-128-CBC-SHA256
TLS-DHE-RSA-WITH-AES-128-CBC-SHA
TLS-DHE-DSS-WITH-AES-128-CBC-SHA
TLS-DHE-RSA-WITH-SEED-CBC-SHA
TLS-DHE-DSS-WITH-SEED-CBC-SHA
TLS-DHE-RSA-WITH-CAMELLIA-128-CBC-SHA
TLS-DHE-DSS-WITH-CAMELLIA-128-CBC-SHA
TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256
TLS-ECDH-RSA-WITH-AES-128-CBC-SHA
TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-AES-128-GCM-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA256
TLS-RSA-WITH-AES-128-CBC-SHA
TLS-RSA-WITH-SEED-CBC-SHA
TLS-RSA-WITH-CAMELLIA-128-CBC-SHA
IDEA-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-PSK-WITH-AES-128-CBC-SHA
TLS-ECDHE-RSA-WITH-RC4-128-SHA
TLS-ECDHE-ECDSA-WITH-RC4-128-SHA
TLS-ECDH-RSA-WITH-RC4-128-SHA
TLS-ECDH-ECDSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-SHA
TLS-RSA-WITH-RC4-128-MD5
TLS-PSK-WITH-RC4-128-SHA
TLS-ECDHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDHE-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-DSS-WITH-3DES-EDE-CBC-SHA
TLS-SRP-SHA-RSA-WITH-3DES-EDE-CBC-SHA
SRP-3DES-EDE-CBC-SHA (No IANA name known to OpenVPN, use OpenSSL name.)
TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
TLS-DHE-DSS-WITH-3DES-EDE-CBC-SHA
TLS-ECDH-RSA-WITH-3DES-EDE-CBC-SHA
TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA
TLS-RSA-WITH-3DES-EDE-CBC-SHA
TLS-PSK-WITH-3DES-EDE-CBC-SHA
TLS-DHE-RSA-WITH-DES-CBC-SHA
TLS-DHE-DSS-WITH-DES-CBC-SHA
TLS-RSA-WITH-DES-CBC-SHA
TLS-DH-RSA-EXPORT-WITH-DES40-CBC-SHA
TLS-DH-DSS-EXPORT-WITH-DES40-CBC-SHA
TLS-RSA-EXPORT-WITH-DES40-CBC-SHA
TLS-RSA-EXPORT-WITH-RC2-CBC-40-MD5
TLS-RSA-EXPORT-WITH-RC4-40-MD5


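The reply above says the algorithms are chosen in the OpenVPN configuration, not by Tunnelblick. As an added example (not code from the thread or from the Tunnelblick or OpenVPN projects), this sketch audits the `cipher`, `auth` and `tls-cipher` directives of a config against the weaker entries in the lists above. The weak-algorithm set, the OpenVPN 2.3-era defaults and both sample configs are assumptions made for illustration.

```python
# Added example: audit the cipher/auth/tls-cipher directives of an OpenVPN config.
# Name components treated as weak or deprecated (editor's selection from the lists
# above): small keys, 64-bit block ciphers, RC4, MD4/MD5/MDC2, export suites.
WEAK = {"DES", "3DES", "DESX", "DES40", "RC2", "RC4", "BF", "IDEA", "CAST5",
        "MD4", "MD5", "MDC2", "EXPORT"}
# Values OpenVPN 2.3-era builds use when a directive is absent (assumption: that
# is the OpenVPN generation in use; newer releases changed these defaults).
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}

def parse_directives(text):
    """Return {directive: [algorithm names]} for cipher, auth and tls-cipher."""
    found = {}
    for raw in text.splitlines():
        # '#' and ';' start comments in OpenVPN config files
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("cipher", "auth", "tls-cipher"):
            # tls-cipher takes a colon-separated list; the others take one name
            found[parts[0]] = parts[1].split(":")
    return found

def audit(text):
    """Return a sorted list of (directive, algorithm, reason) findings."""
    directives = parse_directives(text)
    findings = []
    for name, default in DEFAULTS.items():
        if name not in directives:
            directives[name] = [default]
            findings.append((name, default, "not set, falls back to default"))
    for name, algos in directives.items():
        for algo in algos:
            hits = WEAK.intersection(algo.upper().split("-"))
            if hits:
                findings.append((name, algo, "weak: " + ",".join(sorted(hits))))
    return sorted(findings)

# Constructed sample configs, not taken from any real provider.
LEGACY = """
remote vpn.example.net 1194   # placeholder host
tls-cipher TLS-RSA-WITH-RC4-128-MD5:TLS-DHE-RSA-WITH-AES-256-CBC-SHA
"""
STRONG = """
cipher AES-256-CBC
auth SHA256
tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
"""

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY), ("strong", STRONG)):
        print(label, audit(cfg))
```

The "RSA-4096" part of the PIA setting is the key size of the certificates used in the TLS handshake, so it is a property of the keys rather than a directive this check can see.
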
Phoenix I

Oct 13, 2014, 9:57:42 AM
Thanks for the reply.
Which of the following security features would you suggest using?
What are the standard configurations of Tunnelblick OpenVPN? Do they provide a sufficient layer of security?

jkbull...gmail.com

Oct 13, 2014, 10:06:47 AM
to tunnelbli...@googlegroups.com
Tunnelblick itself does not have anything to do with the "security features" you are asking about. OpenVPN does all that.

You should read the OpenVPN documentation to see what security measures they recommend:
