Forum Discussion
ncazer
Jan 19, 2018 - Tutor
R6700v2 Firmware: VPN Service uses MD5 but newest standards call for SHA256
I am unable to connect to my Netgear R6700v2 VPN using my Android device because the certificate my router generates is still using MD5, when services have started requiring SHA256. MD5 has been known to be weak since 2008 and it's taken a while, but now it's not allowing me to use my VPN.
I discovered this when attempting to set up my VPN on my Android device using the app "OpenVPN for Android." I don't know enough about VPNs to generate my own certificates and make my own config files; I rely on what Netgear pushes out through the router menu. Within the app, I tried adding a custom line to the config file: tls-cipher DEFAULT:@SECLELVEL=0 but then it wouldn't read the config file properly.
This would all be fixed if Netgear would update the router's firmware to issue new certificates that use SHA256, which it sounds like they should be doing anyway for security. This is essential to providing good VPN service, if they want to advertise this feature in their routers.
Any thoughts, suggestions, and help?!
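As an added example (not code from the thread, from NETGEAR or from OpenVPN), here is a small offline check a user could run against the .ovpn profile the router exports, to see which digest signs the embedded CA and client certificates, which is exactly what the client is objecting to. It parses only the outer X.509 layout with the standard library; the router address, port and certificate bytes are constructed placeholders, not real material.

```python
import base64
import re

# Signature-algorithm OIDs a router-issued OpenVPN profile is likely to carry; True marks a weak digest.
SIG_ALGS = {"1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
            "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
            "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
            "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False)}

def read_tlv(buf, pos):                                 # one DER tag-length-value at pos -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):                                    # OID content bytes -> dotted form
    arcs, value = [raw[0] // 40, raw[0] % 40], 0        # first byte packs 40*arc1 + arc2
    for b in raw[1:]:                                   # remaining arcs are base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(der_cert):
    """Dotted OID of Certificate.signatureAlgorithm, the second element of the outer SEQUENCE."""
    _, cert, _ = read_tlv(der_cert, 0)                  # Certificate ::= SEQUENCE {tbs, sigAlg, sigValue}
    _, _, after_tbs = read_tlv(cert, 0)                 # skip tbsCertificate
    _, sig_alg, _ = read_tlv(cert, after_tbs)           # AlgorithmIdentifier ::= SEQUENCE {OID, params}
    tag, oid, _ = read_tlv(sig_alg, 0)
    if tag != 0x06: raise ValueError("expected OBJECT IDENTIFIER in AlgorithmIdentifier")
    return decode_oid(oid)

def check_ovpn(profile):
    """For every inline <ca>/<cert> PEM block return (block, oid, algorithm name, weak?)."""
    results = []
    for block, body in re.findall(r"<(ca|cert)>(.*?)</\1>", profile, re.S):
        b64 = re.sub(r"-----[^-]+-----|\s", "", body)   # strip PEM armour and whitespace
        oid = signature_algorithm(base64.b64decode(b64))
        name, weak = SIG_ALGS.get(oid, ("unknown " + oid, True))
        results.append((block, oid, name, weak))
    return results

# Constructed samples, not real certificates: dummy tbsCertificate and signature around a genuine AlgorithmIdentifier.
FAKE_MD5_CERT = bytes.fromhex("3019 3003020102 300d 0609 2a864886f70d010104 0500 030300abcd")
FAKE_SHA256_CERT = bytes.fromhex("3019 3003020102 300d 0609 2a864886f70d01010b 0500 030300abcd")
to_pem = lambda d: "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(d).decode()
SAMPLE_PROFILE = ("client\ndev tun\nremote router.example 1194\n"   # constructed .ovpn in the router's inline style
                  "<ca>\n" + to_pem(FAKE_MD5_CERT) + "</ca>\n"
                  "<cert>\n" + to_pem(FAKE_SHA256_CERT) + "</cert>\n")
```

Running check_ovpn over a real exported profile flags the CA block as md5WithRSAEncryption when the router is still issuing the old certificate, and shows sha256WithRSAEncryption once a fixed firmware has regenerated it.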
Hi All,
A firmware update has been released for the R6700v2 that supports the new OpenVPN certificate.
https://kb.netgear.com/000059475/R6700v2-Firmware-Version-1-2-0-24
Regards,
Blanca
Community Team
16 Replies
- KBeck123 (Tutor)
Also have an R6700v2, gotten on the cheaps from Amazon. And it's pretty obvious why it's on the cheaps: It's a cost-reduced version of the R6700. Further, it appears that Netgear has been making it, well, difficult for the open-source community to come up with a DD-WRT or similar firmware load.
So, I am using the VPN service, following the instructions in the router, for my smart phone. And, when going on travel, given the insecure environments found in airports and the like, VPN is where I want to be. Especially on my Android phone, not to mention my portable computer. In fact, cost-reduced or not, one of the major reasons I bought this router is that it came with a VPN server built-in.
So, it's not a happy place that every time I fire up OpenVPN Connect (the suggested VPN client software for Android), I get a warning message:
"TLS: received certificate signed with MD5. Please inform your admin to upgrade to a stronger algorithm. Support for MD5 will be dropped at the end of Apr 2018."
It's now late January. I was hoping that the latest security release for the R6700v2 would fix this: No luck.
At the rate things are going, for the purposes of VPN this router officially becomes a brick on 30 APR 2018. I understand planned obsolescence, but this is ridiculous: I will have had the router for less than five months when it bricks for VPN purposes.
Hey, Netgear! Update your VPN server firmware! It is not rocket science!
KBeck
- JamesGL (NETGEAR Employee, Retired)
Hi All,
NETGEAR is already aware of the MD5 certificate, which will no longer work by April. NETGEAR will release a new certificate before the deadline.
- schumaku (Guru - Experienced User)
wrote: "NETGEAR is already aware of MD5 certificate which will no longer work by April. NETGEAR will release a new certificate before the deadline."
Does this include a per-router locally generated private key, and locally signed ca.crt and client.crt ... or does Netgear intend to continue operating millions of routers sharing the very same private key ... making the encryption, hmmmmmm .... useless?
- ncazer (Tutor)
I upgraded the firmware but there still seems to be MD5 instead of the new standard... WHAT GIVES NETGEAR?
Hello JamesGL
Back on February 5th you wrote:
"NETGEAR is already aware of MD5 certificate which will no longer work by April. NETGEAR will release a new certificate before the deadline."
The deadline is now 2 days away..... What should we expect? Is there going to be an update or not? If not, I am going to be very disappointed. I purchased this router explicitly for the VPN function.
Hardware Version R7000
Firmware Version V1.0.9.26_10.2.31
- KBeck123 (Tutor)
Ahem. Yeah, I'm sitting here, too, watching the clock tick away. A few things:
1. The software I'm using on Android to connect with the R6700v2 is, from the suggestions in the Netgear help files, OpenVPN Connect. I should note that for all the "Open" words in there, this is a commercial company that is attempting to monetize what appears to be an open source package.
2. It was this package that initially was complaining that Netgear's use of MD5 was a Bad Idea and that in a short time the OpenVPN Connect software would cease to support Netgear's use of that function. I should note that before using OpenVPN Connect I tried a couple of other OpenVPN clones... to no avail. Maybe I'm just stupid, or there's something in particular about OpenVPN Connect and Netgear's implementation that made the two connect. As in, they have a contract. That's a suspicion, not straight knowledge.
3. About a month after this thread was created there was an update to OpenVPN Connect. Besides a switched-around UI, the main "feature" is that the updated OpenVPN Connect no longer complains about the use of MD5 on every start. However, the help link puts one on an OpenVPN site that still says that MD5 will be deprecated as of May 2018, giving "older equipment" a chance to get changed over to something more secure. However, I have to wonder: Was the suppression of the MD5 warning message due to somebody at Netgear giving OpenVPN a call?
4. I joke about it, but I definitely wear a tin-foil hat. Because sometimes the bad people really are out to get you. In particular, both the FBI and NSA have stated multiple times that they fear the world "going dark"; that is, more difficult for them to capture data. In particular, the NSA has been capturing all the data, all the time, on all the trunks going through AT&T and other major long-haul providers, and, in particular, capturing encrypted data. The claim is that this pretty-much-illegal act is OK so long as they only "select" data upon which they search, and those selectors are under the aegis of FISA court warrants. You know, the ones that come with gag orders, the court and its ruling being about 99 44/100ths pure secret.
It's no surprise that these people hate VPNs with a raw passion because, just like bad guys use telephone networks (which the three-letter agencies monitor and capture), they use encryption and VPNs, too. So, this slow move from Netgear... Is this because some gag-ordered warrant demands that they backdoor consumer VPNs with obsolete, easily breakable VPN software? With the same key used across multiple routers?
If so, that's not good. And it's worse, really: Crooks like money. They like lots of money even more than that. And they have a slightly modified desire from the three-letter agencies: They don't want to capture it all; they want to capture the financial details so they can rob people, preferably en masse. And if VPNs with Netgear are easily broken by the NSA, they can certainly be broken by crackers with $$$ in their eyes. All you need is somebody who happens to use the same password, in the clear, for their bank accounts somewhere, too. And if you don't think crackers have access to major network routers and pass points, then you haven't been paying attention.
5. Of course, all this aluminum foil hat stuff may be complete BS. It may be very much simpler: Netgear is playing IoT (Internet of Things) follies. This argument goes along the line of Netgear making its money by selling hardware; the software is there to make sure the hardware is sold. Once the hardware is out the door, any desire for updated software is muted by the desire to Not Spend Money Doing That. Unless one is still selling that hardware, in which case a competitive disadvantage may occur, thus causing a little more development bucks being spent.
This is the reason that things like commercial grade routers with no effective software support are lumped with IoS (Internet of S**t) objects, like refrigerators and the like. The lack of an update may simply be that Netgear has unofficially abandoned the v2 version of the R6700, with the famous "Screw You!" that businesses like to do. They got your money, what are you going to do?
With many commercial routers that use Open Source software, like the R6700v2, a user community effort helps with that: DD-WRT, Tomato, and others are out there, get regular updates, and support VPNs. But from what I hear no effective support has appeared for the R6700v2, which makes Netgear's apparent approach much, much worse for all the punters left holding the bag with their IoS hardware.
Netgear: Please respond and give some indication that you're working to fix this router's VPN server software. Really, the UI and all that is superior, and it works. If no indication is coming... you may find yourself on the pages of Ars Technica sooner than later.
KBeck
- tauceti (Aspirant)
I am interested in this too. Looks like many of the Broadcom based routers have been updated already, but this one is MediaTek and it has not.
This sucks. VPN is advertised but it does not work.
I would have purchased a higher model if I had known.
- arvelconnor90 (Aspirant)
Thanks for this information. Can you tell me the impact of this firmware on VPN and how I can check this on my FastestVPN?