There are a lot of things to consider when you are thinking about security. No system is completely bulletproof. Until we have a breakthrough in computing that lets computers run software reliably, bugs and vulnerabilities will exist. You have to think about what features your customers want, which ones are absolutely necessary, and what you can do without. Once you have narrowed down what you want to build, you have to think about how the system will work and, most importantly, how it will break.
Threat modelling is the exercise of looking at who wants to break into your systems, what your systems do, where they are vulnerable, and what those vulnerabilities mean.
VikingVPN has taken on an aggressive threat model, assuming that sophisticated attackers want to break into our systems and that, even though we stringently adhere to OpSec and have a tight security model, there may be a zero-day attack or an overlooked configuration error that leads to compromise.
Harm minimization is a term usually used in the public policy arena. It refers to adopting policies that harm members of society less and provide better outcomes than other, more authoritarian approaches. This term has been carried over to the data security world, because like harm minimization in public policy, security experts realize that bugs and vulnerabilities are a problem that will always exist and need to be dealt with, and that the best way to deal with them is to protect data even when a security system fails.
An easy example of harm minimization is companies encrypting customer data. In a perfect world, hackers would never be able to reach a database of customer data behind firewalls and intrusion prevention systems. But in the real world it happens all the time, even to the most secure systems. Encrypting the user data makes it so that even if hackers get away with user data, it's either very difficult or impossible to decipher the data.
VikingVPN approaches data harm minimization in multiple ways.
Case 1: A customer loses control of their password, either through phishing, account sharing, password reuse from another service that gets compromised, a keylogger trojan, or some other threat.
How we harden our systems to protect customers even if their password is lost:
1. We made it so the profile area of the site contains no personal information. This means an attacker cannot get any information from the account related to billing, names, or customer care interactions.
2. We decoupled the VPN network from the Website. This means that an attacker cannot sign in to the VPN service with user credentials alone. They have to access the website and download a new set of keys.
3. Existing key sets are immediately revoked when a new set is downloaded. This serves two purposes. If an attacker accesses the account, they have no way to download the existing keys and identify the user on our network. An attacker leeching the service would also alert the user to the account compromise, because the VikingVPN service would immediately stop working for the customer.
Case 2: A customer loses control of their keys, either through theft of a device containing their keys, transmission of the keys through an unsafe service, or some other threat.
How we harden our systems to protect customers even if their keys are lost:
1. The separation of the website from the VPN service allows the user to retake control of their VPN service by generating new keys and immediately revoking the compromised ones. Loss of the keys does not give the attacker access to the web account, as the attacker also needs the user name and password.
2. VikingVPN uses ephemeral sessions on the VPN network that are reset hourly. Since the keys for these sessions are not saved (they are thrown away), an attacker with full access to keys AND a privileged position on the network would still only be able to identify metadata about data streams and not be able to decrypt content.
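A toy model of the decoupled design behind Cases 1 and 2, added here as an illustration and not VikingVPN's own code: the website issues VPN key sets only to a valid username and password, issuing a new set revokes the previous one, and the VPN side accepts a key set alone, so a stolen password cannot reach the VPN and a stolen key set cannot reach the web account. The class and method names are assumptions for the example.

```python
"""Constructed model of web/VPN decoupling with revoke-on-reissue.
Passwords are compared in plaintext only to keep the example short;
a real service would store a salted hash."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Account:
    username: str
    password: str
    current_key: Optional[str] = None      # the only key set the VPN will accept
    revoked: Set[str] = field(default_factory=set)


class Service:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, username: str, password: str) -> None:
        self.accounts[username] = Account(username, password)

    def download_keys(self, username: str, password: str) -> Optional[str]:
        """Website side: needs username AND password. Issuing a new key set
        revokes the old one immediately, so a leeching attacker is cut off."""
        acct = self.accounts.get(username)
        if acct is None or not secrets.compare_digest(acct.password, password):
            return None
        if acct.current_key is not None:
            acct.revoked.add(acct.current_key)
        acct.current_key = secrets.token_hex(16)   # stands in for a fresh cert/key pair
        return acct.current_key

    def vpn_connect(self, key: str) -> bool:
        """VPN side: knows nothing about passwords; a revoked key never works again."""
        for acct in self.accounts.values():
            if key in acct.revoked:
                return False
            if acct.current_key is not None and secrets.compare_digest(acct.current_key, key):
                return True
        return False


if __name__ == "__main__":
    svc = Service()
    svc.register("alice", "correct horse")
    k1 = svc.download_keys("alice", "correct horse")
    k2 = svc.download_keys("alice", "correct horse")   # user re-downloads after a theft
    print("old key still works:", svc.vpn_connect(k1), "new key works:", svc.vpn_connect(k2))
```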
Case 3: A state actor seizes VikingVPN servers in some country, potentially compromising user data.
How we harden our systems to protect customers even if a nation seizes our servers:
1. We have a warrant canary. It is a dead-man's-switch style canary that will activate when we fail to renew a timer. Renewing the timer is a statement on our part that we have not received nor honored any requests for data about our customers, nor any demands to change or weaken our services. If the canary trips, the site changes in a way that customers will immediately see and know that the company is under some sort of legal duress.
2. Customer data is heavily encrypted. Only two people in the world have the ability to decrypt any customer data.
3. Our servers do not log. This goes far beyond just not logging in the OpenVPN application; we have manually disabled all types of logging in the OS that do not impact startup/shutdown of the actual services. This means that seizing our servers will not give the attacker the information that they want.
There is so much to security that it is hard to keep up. Make sure that you understand your threat model, and minimize the damage that happens when a compromise occurs.