theinvisible / openfortigui

VPN-GUI to connect to Fortigate-Hardware, based on openfortivpn
https://hadler.me/linux/openfortigui/
GNU General Public License v3.0

Security issue - my default encryption key is on the repo #16

Closed navarroaxel closed 6 years ago

navarroaxel commented 6 years ago

The config.h has the aeskey and aesiv installed by default. This aeskey is copied to a config file in my home folder when I install the Deb package. Could it be autogenerated on .deb package installation?

The IV is not configurable. Right?

I think this is a security issue, and it makes my VPN password easily readable with the default config.

OS: Ubuntu MATE 16.04.3 LTS amd64

theinvisible commented 6 years ago

This is indeed a problem and has not had priority yet.

I think it's best to check on application start if the default keys are installed and give an option to autogenerate them or set them manually, as not everyone uses .deb packages.

Thanks and best regards, Rene

theinvisible commented 6 years ago

Since version 0.4.0 there is now a setup wizard which changes the AES key.
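The start-up check proposed in this thread (detect a shipped default key/IV, then replace it with per-installation random material), as an added illustration that is not openfortigui's own code. The default values, `needsRekey`, `randomHex` and `ensureKeyed` are assumptions of this example; the real shipped key is deliberately not reproduced.

```cpp
// Added example, not project code: detect a packaged default AES key/IV in the
// user config and replace it with fresh per-installation material.
#include <cstddef>
#include <fstream>
#include <stdexcept>
#include <string>
#include <vector>

// Constructed placeholders standing in for the values shipped in config.h.
// Any installation still carrying them is effectively unkeyed: anyone with the
// package can decrypt the stored VPN password.
static const std::string kDefaultAesKey = "DEFAULT_KEY_PLACEHOLDER_32_BYTES";
static const std::string kDefaultAesIv  = "DEFAULT_IV_PLACE";

// True if either value is missing or still the shipped default; such a config
// must be re-keyed before any password is encrypted with it.
bool needsRekey(const std::string &key, const std::string &iv) {
    return key.empty() || iv.empty() ||
           key == kDefaultAesKey || iv == kDefaultAesIv;
}

// Fresh material from the kernel CSPRNG, hex-encoded so it fits a text config.
// Throws instead of silently falling back to a weak source.
std::string randomHex(std::size_t nbytes) {
    std::ifstream urandom("/dev/urandom", std::ios::binary);
    std::vector<unsigned char> buf(nbytes);
    if (!urandom.read(reinterpret_cast<char *>(buf.data()),
                      static_cast<std::streamsize>(nbytes)))
        throw std::runtime_error("cannot read /dev/urandom");
    static const char *hex = "0123456789abcdef";
    std::string out;
    for (unsigned char b : buf) { out += hex[b >> 4]; out += hex[b & 0x0f]; }
    return out;
}

struct AesConfig { std::string key; std::string iv; };

// What a first-start wizard has to do: keep user-supplied material, replace
// defaults. 32 bytes gives an AES-256 key; the AES block IV is 16 bytes.
// A stored IV is still reused across encryptions; a fresh IV per ciphertext,
// stored beside it, is the stronger design.
AesConfig ensureKeyed(AesConfig cfg) {
    if (needsRekey(cfg.key, cfg.iv)) {
        cfg.key = randomHex(32);
        cfg.iv  = randomHex(16);
    }
    return cfg;
}
```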