BolehVPN: Among the Top 5 rated VPN Providers in the World

How to get a SIRIM certificate when importing mobile phones

April 15th, 2014

SIRIMEver tried to bring in a mobile phone from overseas into Malaysia and got hit with a Customs issue? Your courier will then call you up telling you that you need a SIRIM certificate. Some couriers will offer to do it for you for a fee of RM300.00 thereabouts but there’s a way to do it yourself and save some money!

Do note that although there is no import duty for bringing in mobile phones, there is a hidden charge which is the SIRIM E-Permit!

You have two options:

  1. Go to your nearest SIRIM office and fill up a form and pay the RM100.00 fee. Bring relevant invoices and details of your item! You can find your nearest SIRIM office here; OR
  2. Give your local SIRIM office a call and see if you can submit the form and supporting documents to them via e-mail and pay the RM100.00 online to their SIRIM account. There is no longer an official online system but speak to someone at the office and they may be willing to assist you. A copy of the form which is correct as the date of writing can be found here. Once you have paid, make sure to e-mail them your online payment receipt too!
  3. Download here: Application Form for E-Permit. For your information, the Tariff Code for mobile phones is 8517.12.000
  4. Once this is submitted, you can arrange for the courier to pick up the certificate from SIRIM or just bring it to the courier yourself. I understand that a PDF copy is insufficient for the courier to release the item.

I hope this helps some people when importing in phones themselves!

Testing Malaysia’s Popular Websites for Heartbleed

April 12th, 2014

After this weeks big security scare over the discovery of a 2 year old vulnerability in OpenSSL, we’ve decided to test some of Malaysia’s most popular websites and see if any are vulnerable.

We will be using and SSLLabs’ SSL test to check these sites. – Not vulnerable, support insecure protocols and cipher suites – Not vulnerable, but uses insecure protocols and cipher suites. PFS is supported on some browsers. This only applies if you’re a ProNiaga user though. – Not vulnerable, supports PFS on some browsers. – Not vulnerable, supports PFS on some browsers. – Not vulnerable, supports PFS on some browsers. -Not vulnerable, support PFS on some browsers. – Not vulnerable – Not vulnerable – Not vulnerable – Not vulnerable – Not vulnerable – Not vulnerable – Not vulnerable – Not vulnerable – Not vulnerable – Not vulnerable (Public Bank) – Not vulnerable – Not vulnerable – Not vulnerable. Uses PFS on some browsers. – Not vulnerable – Not vulnerable

All tested sites were found to be clean of Heartbleed. Of course, you really should change your password on all websites anyway. Especially now that the Heartbleed bug has been fixed.

It seems that Perfect Forward Secrecy (PFS) isn’t that popular in Malaysia, with only a handful of websites supporting it. Seeing as PFS prevents retroactive decryption of data (Meaning even if the key is stolen, old data that was previously transmitted cannot be decrypted), this is something we should be pushing for to mitigate any further vulnerabilities.


Serious Bug in OpenSSL HeartBleed and Implications

April 8th, 2014

heartbleedA serious bug called “HeartBleed” has been discovered in OpenSSL on the 7th April 2014. As OpenSSL is used in both our Customer portal and OpenVPN we would like to shed some light on this bug and how it affects you (though in short, if you’re with BolehVPN, it doesn’t :))

What is the HeartBleed Bug?

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop communications, steal data directly from the services and users and to impersonate services and users.

In short here is a snippet from the information site HeartBleed

Am I affected by the bug?

You are likely to be affected either directly or indirectly. OpenSSL is the most popular open source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet. Your popular social site, your company’s site, commerce site, hobby site, site you install software from or even sites run by your government might be using vulnerable OpenSSL. Many of online services use TLS to both to identify themselves to you and to protect your privacy and transactions. You might have networked appliances with logins secured by this buggy implementation of the TLS. Furthermore you might have client side software on your computer that could expose the data from your computer if you connect to compromised services.

How widespread is this?

Most notable software using OpenSSL are the open source web servers like Apache and nginx. The combined market share of just those two out of the active sites on the Internet was over 66% according to Netcraft’s April 2014 Web Server Survey. Furthermore OpenSSL is used to protect for example email servers (SMTP, POP and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances and wide variety of client side software. Fortunately many large consumer sites are saved by their conservative choice of SSL/TLS termination equipment and software. Ironically smaller and more progressive services or those who have upgraded to latest and best encryption will be affected most. Furthermore OpenSSL is very popular in client software and somewhat popular in networked appliances which have most inertia in getting updates.

How does it affect you as a BolehVPN customer?

In short, it most likely doesn’t. We have reviewed our servers and implementation and our customer portal implementation does not use the affected OpenSSL versions.

Our OpenVPN implementation implements tls-auth with Perfect Forward Secrecy (PFS) would protect past communications from retrospective decryption so the risk is mitigated.  In this scenario an attacker can not attack openvpn instances without the TLS-auth key.

We are however monitoring developments closely and will implement patches as they become available.


We have now fully patched our GUI versions and updated our BolehVPN-GUI to remove the threat. We are still on OpenVPN version 2.3.2 to maintain compatibility with our xCloak functions.

Further Reading




Looking for a secure alternative to WhatsApp?

March 13th, 2014

Ever since Facebook’s billion-dollar acquisition of Whatsapp, privacy conscious users have been on the hunt for a new messaging app. Stiftung Warentest, which is a leading German consumer safety group, has tested out data protection for WhatsApp, as well as alternative messaging apps Threema, Telegram, BlackBerry Messenger and Line.

These tests were conducted on both iOS and Android versions of the app. Focus is on data protection, with general use, fanbase and other aspects of the messaging service ignored. Only one of the apps scored a ‘Not critical’ rating.

WhatsApp: Privacy rating: ‘Very critical‘.

- Does not use end to end encryption. Address book data transferred without consent. Phone number of user shared with third party, unencrypted.

-Any changes from the sale to Facebook are unclear as of now, however from the terms it seems pretty clear that user data can now be passed on or sold to the new owner, Facebook.

Telegram: Privacy rating “Critical

-End-to-end encryption is available, but only if users enable it, otherwise data is transmitted in the clear. App automatically saves all contacts without consent of users.

-Terms of use allow Telegram to log their users, there is also no email address or contact info for privacy queries.

BlackBerry Messenger: Privacy rating “Very critical

-Whether BBM uses end-to-end encryption could not be verified. The iOS version shares your first and last name with third parties, and user entered data (possibly including message content) is transmitted unencrypted. The Android version transmits encrypted user data, but in greater depth, e.g. username and password, D.O.B, first and last name, country of origin, email address and security question.

-BBM’s terms allow them to combine data collected from the app with other sources, to build a detailed and accurate profile of the user for advertising purposes. They also have rights to forward data to third parties.

LINE: Privacy rating “Very critical

-End to end encryption not provided. The Android app transmits your IMEI number, unencrypted, to a third party. The iOS version transmits the IDFA, but users are able to change the IDFA or prevent transmission of this. Older iOS versions (before iOS 7), transmit the MAC address of the device, but this is encrypted and only transmitted to LINE.

Threema: Privacy rating “Not critical

- End-to-end encryption between users. iOS version sends the user ID to Threema, but this is encrypted. Android version does not send user data to Threema or third parties.

-Threema is not open source, so complete tests could not be done on the encryption. Testers are able to state the app does not transmit user data unencrypted, but whether all communication is fully encrypted wasn’t testable.

There’s always the theoretical chance of a hidden association with the NSA, as people like to point out. Also, there’s no guarantee one of these apps will not be bought over in the future. But for now, it seems that Threema is a pretty good alternative to Whatsapp.



Is Telegram a Secure Alternative to WhatsApp?

March 10th, 2014

mzl.qrowsbefWith WhatsApp being acquired by Facebook, and numerous security flaws discovered in WhatsApp being discovered in the past, many people have been looking for a more secure alternative to Instant Messaging. I was doing some online research on this after some users recommended Telegram.

Telegram was spearheaded by Nikolai Durov, the founder of VK, the Facebook of Russia and it’s been gaining popularity due to its focus on privacy and security. It’s been well covered in many news sites and promoted as a super secure instant messaging client:

Let’s see Telegram’s claims:

  1. It is open-source and therefore subject to public scrutiny
  2. It is very secure with end to end encryption
  3. It was designed to defeat Russian secret agencies
  4. It is so secure that they have issued a $200,000 challenge to anyone who breaks it.
  5. It will not sell ads or attract outside investment. It will remain free.

However, there appears many people are challenging their claims. The guys at Crypto Fails raised many alarm bells:

First of all it is claimed the $200,000 dollar challenge is designed in such a way that it’s difficult to win even if the underlying protocol is insecure.

The contest works like this:

Every day, Paul sends a message to Nick containing an email address. You win the contest by sending an email to that address. You get a transcript of the network traffic coming in and out of Paul’s account. According to the faq, you can send arbitrary packets to the server, but you can’t intercept/modify the communication.

The problem should be clear now: Telegram’s contest does not give the adversary enough power. The adversary doesn’t doesn’t get known plaintexts, can’t choose plaintexts, can’t choose ciphertexts, can’t modify network traffic, or anything like we covered in the previous sections. The contest barely fits into the known plaintext attack (KPA) model.

If nobody wins the contest, it does not mean Telegram is secure. It means Telegram might be secure within the constraints of the contest. However, there are extremely weak systems that can survive a Telegram-style contest, so if nobody wins the contest, it won’t give us any more confidence in Telegram’s security.

Moxie MarlinSpike from ThoughtCrime (who incidentally created TextSecure , a competitor) echoed these concerns.

Secondly, their cryptographic implementation appears to be designed by people who do not have a cryptographic background and it shows.



Here is what Crypto Fails had to say:

Some problems are immediately apparent:

They use the broken SHA1 hash function.
They include a hash of the plaintext message in the ciphertext. Essentially, they are trying to do “Mac and Encrypt” which is not secure. They should be doing “Encrypt then Mac” with HMAC-SHA512.
They rely on an obscure cipher mode called “Infinite Garble Extension.”
Some really weird stuff about factoring 64-bit integers as part of the protocol.
They do not authenticate public keys.

If their protocol is secure, it is so by accident, not because of good design. They claim the protocol was designed by “six ACM champions” and “Ph.Ds in math.” Quite frankly, the protocol looks like it was made by an amateur. The tight coupling between primitives suggests the designer was not familiar with basic constructs, like authenticated encryption, that you can find in any cryptography textbook.

Thirdly, there was actually a vulnerability discovered in the end to end encryption chat but true to their word, Telegram gave him $100,000 (as it was not a complete break) and issued a fix.

vuln (1)

However despite all of this, Telegram is dealing with it well issuing their own counterarguments in all of these blogs and providing further information on their protocol and implementation, which is a vast improvement from other IM messaging clients which often kept quiet on their security breaches (including WhatsApp).

I would suggest that Telegram improves their competition terms and give these people a full go at their system and see if the purported inherent weaknesses are really exploitable. Telegram can be improved of course and let’s hope that the developers continue to improve the security of their system.

As for the suggested alternatives, many of these articles quote TextSecure or CryptoCat. However CryptoCat had its own share of rookie mistakes in vulnerabilities and does not have an Android client yet (it does have a iOS client now). TextSecure improves on the proven OTR system but does not have an iOS client yet. I personally would put my trust more in TextSecure at this point in time but only Telegram has cross platform support and to be frank, Telegram is probably good enough for the average Joe as long as no serious vulnerabilities emerge. Telegram’s interface is also much more polished. It is also noted that both TextSecure and Telegram both require your phone number as well.

It’s early days yet and it’s hard to say whether Telegram will stand the test of time but it’s off to a good start and we would be cautiously optimistic about it. Let’s hope this pushes other mobile instant messaging clients to put a bigger focus on security.

Other Sources:

Telegram: Stand back we know Maths