VNet Security

Denchi edited this page Oct 15, 2023 · 21 revisions

How safe is VNet?

⚠️ If you're a security researcher and have found any vulnerabilities, please contact me at support at denchisoft dot com

⚠️ This article is available in Chinese as well: https://jiaoma.tw/2023/10/vnet-security/ ❤️ Thanks to dd-han for the translation!!

In general, if you don't trust the other collab participants you should not use this, as they could use specialized software to steal your shared model during collabs (only models/items you load). This is true for VNet and any other collab application that shares your models with other participants. People outside the collab cannot steal your model.

VNet is just one more tool you can use in your collabs. In many cases, using video-sharing-based tools like VDO.Ninja, Discord, ping.gg or MultiV is the right choice.

General information about what VNet is can be found on the page "Multiplayer".

Short version:

  • People outside the collab will not be able to access your files. They would need to know the random secret file URLs. Even if they had those, all files are strongly encrypted.
  • The 4 collab participants could use specialized tools to extract/decrypt model and item files from memory while the collab is ongoing.
  • Your IP isn't leaked to the other participants.
  • Never use this with people you don't trust. Use video-based collab tools in that case.
  • I (developer) also do not have access to any of the encryption keys so I can't decrypt any files shared during collabs. I also cannot see who is currently in a collab or any Steam IDs.

More detailed version:

  • A host has to create a collab session. The host has to manually add up to 3 participants to the session (4 participants can be in a session), selected from their Steam friends. The host also has to set a secure session password.
  • When you join a session and are not on the guest list or have the wrong password, your connection will be rejected. That means that even people who have the password cannot join without being invited by the host.
  • No new participants can be added to the guest list while the session is ongoing.
  • All connections are established using and routed through Steam's relay servers, so all participants are fully authenticated using their Steam IDs and communication is always end-to-end encrypted during a session.
  • When you join a session with the correct password and you are on the guest list, you will be presented with a list of all other invited participants and can choose whether or not you want to actually enter the session.
  • If you choose to join the session, any items/models you load will be uploaded to the VNet servers. Before the upload, they are encrypted with a 256-bit AES key. The file name for the upload will also be randomized (random 32-byte hex string).
  • The encryption key and random file name are then distributed to all connected session participants. The key and file name are never shown or stored by VTS so you cannot accidentally reveal anything on stream.
  • The other participants will download all shared files and decrypt/load them automatically. The files (including Live2D models) will be loaded entirely from memory and are never stored on the other participants' PCs.
  • When the host closes the session, all files that were shared during the session are deleted from the VNet servers.
  • If for some reason the host's VTube Studio crashes, it won't be able to delete the files anymore since the random filenames are never stored locally. Any files left on the VNet servers will automatically be wiped after 48 hours (max. session time).
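
The admission and file-sharing rules from the list above, modelled as an added Python example (this is not VNet's or VTube Studio's actual code). The class and method names, the plain-string Steam IDs and the constant-time password comparison are assumptions made for illustration; the AES encryption step itself is left out.

```python
import hmac
import secrets

MAX_GUESTS = 3  # host + 3 invited participants = 4 per session


class CollabSession:
    """Hypothetical model of the rules described above, not VNet's real code."""

    def __init__(self, host_id, password, guests):
        if len(guests) > MAX_GUESTS:
            raise ValueError("a host can invite at most 3 participants")
        self._password = password.encode()
        self._guests = frozenset(guests)  # fixed once the session exists
        self._admitted = set()            # passed both checks, not yet entered
        self.connected = {host_id}

    def invite(self, steam_id):
        # The guest list cannot grow while the session is ongoing.
        raise RuntimeError("guest list is locked for the running session")

    def try_join(self, steam_id, password):
        """Return the other invited participants on success, None on rejection.

        Assumption: steam_id was already authenticated by the transport
        (Steam's relay in the real system); here it is a plain string.
        """
        on_list = steam_id in self._guests
        pw_ok = hmac.compare_digest(password.encode(), self._password)
        if not (on_list and pw_ok):       # both are required, neither suffices
            return None
        self._admitted.add(steam_id)
        return sorted(self._guests - {steam_id})  # reviewed before entering

    def enter(self, steam_id):
        if steam_id not in self._admitted:
            raise PermissionError("not admitted to this session")
        self.connected.add(steam_id)

    def share_file(self, sender_id):
        """Create the per-file secrets and hand them to connected peers only."""
        if sender_id not in self.connected:
            raise PermissionError("sender is not in the session")
        key = secrets.token_bytes(32)     # 256-bit AES key (encryption not shown)
        name = secrets.token_hex(32)      # 32 random bytes as a 64-char hex name
        return {peer: (name, key) for peer in self.connected}
```
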

Super detailed version:

Link: "VNet Sequence Diagram and Security Details"
