Independent auditors confirm top VPN doesn't log your data (www.techradar.com)
from AnActOfCreation@programming.dev to technology@lemmy.world on 26 Apr 2024 02:32
https://programming.dev/post/13262483

#technology

henfredemars@infosec.pub on 26 Apr 2024 02:34

Hey, if your adversarial model does not include nation states, it’s a great service. Totally fine against basic IP tracking, and I haven’t received a nastygram for sharing movies in years.

db2@lemmy.world on 26 Apr 2024 02:44

Which one is good against nation states? Asking for a friend.

henfredemars@infosec.pub on 26 Apr 2024 02:46

Use the one they’re using: Tor.

There’s a long list of reasons why you might not want to use it though.

Nfamwap@lemmy.world on 26 Apr 2024 02:48

Go on

henfredemars@infosec.pub on 26 Apr 2024 02:53

Biggest problem is that it’s free. That means you’ve got very little bandwidth that’s usable since it’s being supplied out of generosity for no direct compensation that could be reinvested into the network. There’s just too many users and not enough bandwidth.

And because it actually works, it’s very difficult or impossible to police how it’s used. That means your precious bits are just as important as the 100,000 spam emails that another user is trying to send with the service.

Finally, you might not want to use it because you’re sharing the same exit nodes with many other users. This means services tend to block those IP addresses outright, limiting what you can use it for, and if you leak an identifier such as your name maybe you don’t want that tied to an IP address that actual terrorists might have used.

I write this as someone who owns a bunch of official Tor merchandise.

db2@lemmy.world on 26 Apr 2024 02:56

Spam emails are about the tamest dark part of the dark web though…

henfredemars@infosec.pub on 26 Apr 2024 02:59

I’m trying to be nice for the general public that could be reading this post. But yes, there’s a lot of bad stuff out there, and VPN service providers aren’t just getting paid to invest in tons of bandwidth, but they are also doing some policing of their service. They just don’t talk about it. It’s bad for business. And yes, you can police a service without technically logging any data.

db2@lemmy.world on 26 Apr 2024 03:02

What is “official tor merchandise” btw?

Zorque@kbin.social on 26 Apr 2024 03:04

A literal onion.

db2@lemmy.world on 26 Apr 2024 04:31

Nice 🤣

henfredemars@infosec.pub on 26 Apr 2024 03:07

They sell things! I’ve bought mostly graphic clothing at funding events. You’ll find some presence at big hacker conventions. You could sometimes get a few goodies if you operate large nodes or provide significant contributions in other ways.

13262483@lemmy.wtf on 26 Apr 2024 04:52

By default, Tor doesn’t protect you from nation states. It’s a start, but you have to be an intelligent user who understands statistics to have some protection from nation states.

Let’s assume there’s two teams, because in geopolitics, it seems like we divide into “west” and “east.” Let’s assume team 1 controls 10% [1] of the relays, they have more than enough budget to pay for the entire network 100x over. That means, on entry, there’s a 10% probability that you will land on their entry node.

Now, to do traffic analysis, they need you to also land on their exit. The probability of that is also 10% in the example. In other words, 10% of the time that you have their entry, you will also have their exit. (or, for 1 in every 100 circuits, you will have a compromised circuit) If you use Tor every day for a year, you’ll likely have a fucked circuit at least once. If you use something like Whonix that spawns like 10-20 circuits at start, you’ll have a compromised circuit weekly.

A compromised circuit isn’t the end of the world. Most internet traffic today uses end to end encryption, [2] so as long as the service is outside of team 1’s jurisdiction, your communications are safe… but team 1 knows who you are, and that you are talking to someone they don’t trust. If it’s in their jurisdiction, they can get a warrant, and they can fully de-anonymize the traffic between the service that you were using.

All of this is to say, it’s hard to stay in the dark if your adversary is information intelligence. The best way to stay invisible is to use the network as infrequently as possible, and to make the time correlation very far off. (Use custom relays that delay when the traffic travels so that traffic analysis like this example is not possible)

By the way, in the US, the NSA has multiple sites where they copy the traffic on the backbone for analysis. They’re performing some deep packet analysis. These systems are going to improve in the future with machine learning. As an example, in China, it’s not exactly simple to connect to Tor as some methods of concealing Tor traffic result in detection from machine learning that they’re performing on all traffic.

[1] This is a hypothetical. They could control 0%, 5%, 25%, etc. It’s publicly unknown how much they control or if they try to control the network at all.

[2] Be careful with your assumptions about https. Where are the root authorities? Why should we trust them? It’s better security to never trust them.
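
The arithmetic in the comment above, worked through as an added example (it is not part of the original comment or of anyone's post in this thread). It keeps the comment's own simplified model, where entry and exit are picked independently and uniformly and the adversary holds a fraction f of the relays; the function names, the 1000-relay pool and the 15-circuits-per-day figure are assumptions made here.

```python
import math
import random


def p_compromised_circuit(f: float) -> float:
    """Chance that one circuit has an adversary entry AND an adversary exit."""
    return f * f


def p_at_least_one(f: float, circuits: int) -> float:
    """Chance that at least one of `circuits` independent circuits is compromised."""
    return 1.0 - (1.0 - p_compromised_circuit(f)) ** circuits


def circuits_until(f: float, target: float) -> int:
    """Smallest circuit count at which p_at_least_one(f, n) reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    if f <= 0.0:
        raise ValueError("adversary holds no relays; the target is never reached")
    if f >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p_compromised_circuit(f)))


def simulate(f: float, circuits: int, users: int = 2000,
             relays: int = 1000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form.

    Relay ids 0..hostile-1 belong to the adversary (constructed pool, not real
    Tor consensus data). Each simulated user builds `circuits` circuits and is
    counted once if any circuit has both ends on adversary relays.
    """
    rng = random.Random(seed)
    hostile = round(f * relays)
    exposed = 0
    for _ in range(users):
        for _ in range(circuits):
            entry = rng.randrange(relays)
            exit_ = rng.randrange(relays)
            if entry < hostile and exit_ < hostile:
                exposed += 1
                break
    return exposed / users


if __name__ == "__main__":
    # Adversary shares taken from the comment (10%) and its footnote [1] (5%, 25%).
    for f in (0.05, 0.10, 0.25):
        print(f"f={f:.2f}  per-circuit={p_compromised_circuit(f):.4f}  "
              f"50% after {circuits_until(f, 0.5)} circuits  "
              f"95% after {circuits_until(f, 0.95)} circuits")
    # One circuit per day for a year, as in the comment.
    print("365 circuits, f=0.10:", round(p_at_least_one(0.10, 365), 3))
    # Assumed: 15 circuits per start, one start per day, for a week.
    print("105 circuits, f=0.10:", round(p_at_least_one(0.10, 15 * 7), 3))
    print("simulated, 69 circuits:", simulate(0.10, 69))
```
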

brbposting@sh.itjust.works on 26 Apr 2024 06:47

Fascinating. Thank goodness my life doesn’t depend on that kind of threat modeling.

Socsa@sh.itjust.works on 27 Apr 2024 15:04

They don’t actually need to control the entrance nodes if they control the ISP. You can track TCP fingerprints through Tor with just exit nodes

Itsamelemmy@lemmy.zip on 26 Apr 2024 04:15

If you need to ask, you probably don’t know enough to keep yourself anonymous. But it starts with tails, tor and not doing anything stupid like reusing user names that you use on the clear web or signing into something like Facebook. If a nation state has reason to find out who you are, they most likely will. All it takes is one little mistake that you most likely didn’t even know was a mistake.

Socsa@sh.itjust.works on 27 Apr 2024 15:02

The solar powered RPI jump box you installed on a telephone pole outside the McDonald’s.

db2@lemmy.world on 27 Apr 2024 18:57

Who told you about that?

That is… I don’t know what you mean…

ayaya@lemdro.id on 26 Apr 2024 10:28

Exactly. If all you want to do is torrent then it’s by far the best option. $2.22/mo ($80 for 3 years) which is less than half the price of anything else, has port forwarding, and with wireguard I can saturate a full gigabit no problem on private trackers.

MSugarhill@feddit.de on 27 Apr 2024 11:23

And while they have a sale it gets down to 68 for three years…

NGC2346@sh.itjust.works on 26 Apr 2024 02:52

I am dedicated to Proton to be honest but PIA always seemed good to me based on these types of situations and audits.

Molecular0079@lemmy.world on 26 Apr 2024 02:59

I think there were some bad vibes when they got bought by a less than reputable company a while back. I know a lot of people, myself included, switched to Mullvad. I am on Proton now though for the port forwarding.

MrPoopbutt@lemmy.world on 26 Apr 2024 12:20

What is the benefit of port forwarding?

johannesvanderwhales@lemmy.world on 26 Apr 2024 15:07

The most common use case is probably bittorrent. Without port forwarding, you won’t be connectable. But anything where someone might need to connect to your local machine from the internet, like hosting game servers or other self-hosting.

prole@sh.itjust.works on 26 Apr 2024 15:28

I recently switched to Mullvad and have had no issues torrenting

johannesvanderwhales@lemmy.world on 26 Apr 2024 16:16

You have no problem downloading because your client is initiating the connection. But people won’t be able to initiate a connection to you. If you’re just leeching off public trackers and don’t care about your ratio, then that might not matter to you. But if you’re trying to maintain a ratio on a good quality private tracker that’s a no go.

You can use a site like this with your VPN ip and the port you have configured for bittorrent while your bittorrent client is up to see if you’re connectable.

Dark_Arc@social.packetloss.gg on 26 Apr 2024 05:00

PIA was good until they got bought out. That’s when my friend and I switched our VPNs (me to proton, him to express).

A shady parent company isn’t what you want in a VPN.

doublejay1999@lemmy.world on 26 Apr 2024 06:00

… um……Express is also owned by Kape

Dark_Arc@social.packetloss.gg on 26 Apr 2024 14:32

It wasn’t at the time he switched … I think he looked at some other options after that, but might have just stayed.

For whatever reason he wasn’t getting the performance he wanted from Proton in Texas.

HeckGazer@programming.dev on 26 Apr 2024 09:21

PIA got bought out
switched to express

Oh no

makingrain@lemm.ee on 26 Apr 2024 06:04

On September 13, 2021, it was reported that ExpressVPN had been acquired by Kape Technologies, an LSE-listed digital privacy and security company

I_Miss_Daniel@lemmy.world on 27 Apr 2024 00:11

I’m on Express VPN only because they apparently specialise in avoiding geoblocks and VPN detection for overseas TV sites etc. (Plus three months free for being a TWiT.) So far it’s true for BBC iPlayer, RTe Player and UK Channel 4. For this purpose I’m not overly worried about how log-resistant they are, but interesting to keep up with the score here. The integrated ‘ad blocking’ is also useful, but slower than AdGuard as it seems pages have to wait for assets to fail to load before displaying rather than just being 404’d.

lemmyingly@lemm.ee on 27 Apr 2024 01:02

I wonder how they manage to bypass the geo-location blocks? I wonder if they frequently rotate their IP Addresses with fresh ones.

I_Miss_Daniel@lemmy.world on 27 Apr 2024 01:07

Possibly, or they have multiple entry points on residential ISP blocks and don’t have too many people NAT’d per IP so it looks legit. That would explain the higher costs.

nothingcorporate@lemmy.world on 26 Apr 2024 03:33

PIA got purchased by Kape Technologies a couple years ago. With their track record, you can choose to believe the report issued by consultants they paid, or you can just go to companies with better track records, like Mozilla VPN or Mullvad.

Seems like an easy choice to me.

WhatsThePoint@lemmy.world on 26 Apr 2024 03:36

I used Nord VPN after a lot of research when I initially started using them years ago. What have you heard about them?

Alk@lemmy.world on 26 Apr 2024 04:23

Personally I don’t trust companies who aggressively advertise like they do, but that’s not a real reason grounded in evidence. It just tends to be correct. I recommend Mullvad.

WhatsThePoint@lemmy.world on 26 Apr 2024 04:50

They didn’t aggressively advertise when I first started using them like 6 years ago. I have yet to see evidence of their no-log policy being broken but it’s hard to trust most companies these days.

WamGams@lemmy.ca on 27 Apr 2024 02:19

I feel like 6 years ago was the height of their marketing. Literally every podcast I listened to had them as a sponsor and maybe half of the YouTube sponsorships were Nord.

It is because of them most people probably now know what a VPN is, but I feel like their marketing budget is a hundred fold smaller than it used to be.

randomname01@feddit.nl on 26 Apr 2024 09:47

They advertise aggressively because running a VPN is ridiculously profitable. I do agree with your apprehensive feeling, but at the same time their advertisements do make sense.

Socsa@sh.itjust.works on 27 Apr 2024 14:59

Right, but their YouTube ads also contain a bunch of misleading statements and outright lies about streaming services, privacy and military grade encryption.

Dark_Arc@social.packetloss.gg on 26 Apr 2024 04:58

Nord had a very bad incident a few years ago techcrunch.com/…/nordvpn-confirms-it-was-hacked/

They were also REALLY late to the disclosure and tried to play it off as “them being responsible”:

NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”

They (at least were) also very aggressive about advertising (all over YouTube at one point sponsoring all kinds of stuff)… Which is typically the opposite of what you want.

Proton has had write ups in the past about the VPN review market as well and how a lot of reviews are “whoever pays us the most money is the top VPN.” Proton has a strong enough track record in their other software for doing the right thing and truly valuing security, privacy, and open standards, so I’m inclined to believe them. VPN was one of the first spinoff products they launched when it was still mail, and they did so because some of their more sensitive customers (think journalists in some bad parts of the world) were having to rely on third party VPNs of questionable integrity.

I trust Mullvad and Proton at this point for VPNs, nobody else.

evranch@lemmy.ca on 27 Apr 2024 06:37

I trust Mullvad and Proton at this point for VPNs, nobody else.

Any reason you can state not to use AirVPN? I switched to them from Mullvad because they support port forwarding. So far I’ve been very happy with their service.

Having ads and sponsors blocked I can’t be 100% sure, but I don’t think they advertise at all. I only tried them because of a recommendation on Lemmy. Their site design is very old school which really says “run by nerds and not marketers” to me.

Dark_Arc@social.packetloss.gg on 27 Apr 2024 13:54

I do not know anything about AirVPN specifically.

Proton does provide port forwarding these days FYI.

I think “run by nerds not marketers” is a good thing … though I don’t know if a site looking old really means it’s run by nerds lol

evranch@lemmy.ca on 27 Apr 2024 14:52

Yeah I know, but have you seen their site? It’s like an old 90s static HTML page. The main thing I see is that it’s clearly not a glossy “marketing first” service. They’re surviving off of their actual product.

Dark_Arc@social.packetloss.gg on 27 Apr 2024 14:59

Yeah that’s fair. It can definitely go both ways though. Like your sign over your shop can look old because you’re still getting growth/a really nice cash flow without updating the sign or it can look old because you stopped caring a long time ago and you’re just milking what you can from the remaining customers.

I had a friend whose ISP was very much in the latter category about a decade ago, charging like $90/mo for 10Mbps (IIRC with a data cap).

Lazhward@lemmy.world on 27 Apr 2024 18:31

To counter some of the other comments, them being based in Panama is a huge plus imo, if you’re inclined to do things deemed illegal by local authorities. They have no incentive to comply with government issued search warrants or the like. Most western country-based companies are legally obligated to comply with those requests, or even store information for a number of years. With quantum-based decryption there’s no saying how long even encrypted data will be safe.

WhatsThePoint@lemmy.world on 27 Apr 2024 23:19

That was my rationale too when I initially did my research.

No_Eponym@lemmy.ca on 26 Apr 2024 04:49

Yeah as soon as I saw Deloitte I knew it was shit.

Dark_Arc@social.packetloss.gg on 26 Apr 2024 04:52

Or Proton.

Alk@lemmy.world on 26 Apr 2024 05:02

I use Proton vpn and love it. I actually like mullvad more as a standalone vpn, but Proton vpn is still great and I use it because of the whole bundle. It’s a great deal and VERY convenient. The unlimited email aliases built in seamlessly to the password manager is a game changer for easy to use privacy.

Bosht@lemmy.world on 26 Apr 2024 06:29

Hey so I just looked up Proton and see no mention on their main marketing page for email aliases or password manager. Where can I find that? I’m intrigued obviously haha. I’ve been with Nord for a couple years but don’t do anything crazy or get additional benefits.

blue_struct@feddit.de on 26 Apr 2024 06:53
user224@lemmy.sdf.org on 26 Apr 2024 06:55

It’s right there on proton.me

It’s possible you checked protonvpn.com instead.

Bosht@lemmy.world on 27 Apr 2024 05:40

You know what that’s EXACTLY what I did. Thanks for the clarification!

Alk@lemmy.world on 26 Apr 2024 07:04

Others have linked it to you but let me tell you why I like it. It lets you generate a new email alias and password instantly whenever you make a new online account somewhere. Or just whenever you want. I’ve been slowly changing all my accounts over to their own unique email alias that can’t be tied back to my main email. My main address is known by nobody at all.

The main benefits are if someone steals a password, the email address that comes with it will only be useful for that one account. (I don’t need to go over the benefits of a standard password manager.) and so if that email is leaked or added to a spam list, I simply delete that address after changing the address for the single account it was used for. I can tell exactly which address is getting spam easily. 0 spam. Ever. Spam email has been solved for me.

Proton remembers which sites use which email/password as well.

Other than that, it’s just good for privacy. Having a different email for each account makes it harder to track a user across accounts.

These addresses are somewhat auto generated, with the name of the site along with a random word and a few numbers. But if you want to create another email address, you get a handful of custom ones for free with the subscription too. You can revoke these the same way, so you can have a professional looking email to hand out to people that’s not auto generated, without giving out your account’s root email address.

Edit: I also want to specify that while all of this is technically possible through other means, Proton makes it easier than any other option. Plus access to a good vpn, a nice replacement for Google drive (for storage and basic editing, at least) in addition to the email service and password manager mentioned above. A very good deal, in my opinion.

Edit 2: it sure sounds like I’m a paid shill but I can assure you I just really fucking love Proton and I get too excited about things.

Bosht@lemmy.world on 27 Apr 2024 05:39

I appreciate your type up! Thanks for taking the time. Didn’t come off as a shill at all was explanatory and informative which is what I was looking for. Thanks again and have a great weekend!

impersonator@lemmy.ml on 26 Apr 2024 09:13

Look for simplelogin

priapus@sh.itjust.works on 26 Apr 2024 18:35
Lazhward@lemmy.world on 27 Apr 2024 18:18

Yeah the moment Proton developed a password manager I switched. Very convenient and the price ain’t bad if you use all their services.

conciselyverbose@sh.itjust.works on 26 Apr 2024 09:06

Proton also, unlike PIA, doesn’t routinely crash and break my VPN access on iPhone.

My sessions go until I disable them (for stuff like sports betting that legally has to restrict VPN usage).

[deleted] on 26 Apr 2024 12:55

.

UnsavoryMollusk@lemmy.world on 27 Apr 2024 02:32

Do they have port forwarding?

Dark_Arc@social.packetloss.gg on 27 Apr 2024 02:33

Yup, protonvpn.com/support/port-forwarding/

UnsavoryMollusk@lemmy.world on 27 Apr 2024 07:04

Awesome, thank you !

Black616Angel@discuss.tchncs.de on 26 Apr 2024 05:49

Mozilla VPN or Mullvad

I mean, Mozilla VPN is Mullvad, so yeah. You can trust Mullvad.

phoneymouse@lemmy.world on 26 Apr 2024 07:19

Does Mullvad let you use a custom DNS?

Sunny@slrpnk.net on 26 Apr 2024 08:07

yes :)

unbroken2030@lemmy.world on 27 Apr 2024 01:05

I understand the sentiment about the inherent conflict of interest with paying someone to audit your software, but it’s highly unlikely that anyone is going to do that work for free. I’d want some evidence before taking your comment for anything other than opinion/bias. I don’t use any of these products so whatever the reality is doesn’t affect me, it just seems like nuance is too easily lost.

UnsavoryMollusk@lemmy.world on 27 Apr 2024 02:32

I loved mullvad but they removed port forwarding and now I don’t know where to go sadly.

wanderer@scribe.disroot.org on 27 Apr 2024 03:48

I think Air VPN supports port forwarding

lud@lemm.ee on 27 Apr 2024 08:44

They do, but unfortunately they are also slower. I could get max 600 Megabits per second with them. I now use proton that supports at least 2,5 gigabits.

wanderer@scribe.disroot.org on 27 Apr 2024 11:24

Actually I mentioned AirVPN because I forgot that Proton supports port forwarding 😄

lud@lemm.ee on 27 Apr 2024 11:45

Their port forwarding works but it’s very annoying because it changes the port after each connection.

Fortunately I use a third party app that automatically updates qbittorrent with the new port.

UnsavoryMollusk@lemmy.world on 27 Apr 2024 09:24

Can we trust them though (I mean as much as mullvad) ?

MSugarhill@feddit.de on 27 Apr 2024 11:16

I am inclined to say yes. But probably just because I bought a three years subscription and need peace of mind. Sadly their client is crap but at least wireguard works fine.

UnsavoryMollusk@lemmy.world on 27 Apr 2024 13:44

Perfect, I only use wireguard anyway, thanks.

wanderer@scribe.disroot.org on 27 Apr 2024 11:23

I rarely use VPN, but personally I would trust them, although not as much as Mullvad

UnsavoryMollusk@lemmy.world on 27 Apr 2024 13:45

Alright, thank you

sunbeam60@lemmy.one on 27 Apr 2024 05:59

What’s wrong with PIA’s track record?

wanderer@scribe.disroot.org on 27 Apr 2024 11:31

Kape used to be a malware company or something. Also, a few years ago PIA made a negative statement about Proton but instead it backfired. I can’t remember exactly what it was

sunbeam60@lemmy.one on 27 Apr 2024 14:02

Ah right. I was totally unaware.

restoreprivacy.com/private-internet-access-kape-c… for those that want to read a bit more.

Brkdncr@lemmy.world on 26 Apr 2024 06:11

How do you syslog or net flow to identify malicious actions if you’re not logging?

johannesvanderwhales@lemmy.world on 26 Apr 2024 15:09

You don’t, which is why VPN ips get blacklisted so much.

cmgvd3lw@discuss.tchncs.de on 26 Apr 2024 08:26

How is windscribe?

valek879@sh.itjust.works on 26 Apr 2024 23:39

I am also interested in the Lemmy opinion of windscribe. My wife really likes them but their app used to brick my computer requiring a hard reset so I don’t use them.

cmgvd3lw@discuss.tchncs.de on 27 Apr 2024 03:33

their app used to brick my computer requiring a hard reset so I don’t use them.

Which OS?

valek879@sh.itjust.works on 28 Apr 2024 23:40

Windows 10. I’ve since moved on to 11 but haven’t tried it since then.

PlantObserver@lemmy.world on 27 Apr 2024 16:17

I tried it for awhile. Speed was good, unfortunately for my use case had some show stoppers.

Pros:
- It worked good on Linux.
- Custom pricing plans (you can pick exactly which nodes you need and only pay for those) available month-to-month, makes it easy to try

Cons:
- Android app couldn’t remain connected as I move from mesh WiFi pod to pod. It would think it’s connected still but I would have no internet connectivity until I manually reconnected the app. (Every time I crossed my house I would have to manually reconnect).
- No port forwarding (torrents)

Ended up switching to airvpn. Use “openVPN for Android” which handles the mesh pods, and openvpn on Linux as well. Works perfectly.

troglodytis@lemmy.world on 27 Apr 2024 19:39

Port forwarding is available with Windscribe. A temporary, resettable one is included in pro plans. Permanent port forwarding is available for additional costs.

itsgroundhogdayagain@lemmy.ml on 26 Apr 2024 11:53

Only 1 more year left on my PIA subscription. /sigh

crozilla@lemmy.world on 26 Apr 2024 13:42

Yeah, I dunno if I’d trust Deloitte about anything, not to sh!t on PIA’s tech which I have no knowledge of.

duckduckgo.com/?q=Deloitte+scandals&t=ffip&ia=web

werefreeatlast@lemmy.world on 27 Apr 2024 00:59

Remember when Google wasn’t evil?

Nah, it’s time for something other than email that does what email did before but without the ability to spam or inject bad stuff.

lemming741@lemmy.world on 27 Apr 2024 10:45

<img alt="" src="https://lemmy.world/pictrs/image/e77750cf-c825-4a4a-a1fb-9a387308a1e2.jpeg">

Omgboom@lemmy.zip on 27 Apr 2024 11:44

Lol what the hell does Deloitte know about technical infrastructure.

klef25@lemmy.world on 27 Apr 2024 14:05

This just reads like an ad. There doesn’t seem to be any journalistic value to this article and it’s got a clickbait title. At minimum, it should have noted results for competitors.

Zeoic@lemmy.world on 28 Apr 2024 20:07

How is that a clickbait title?? If this is clickbait, there is no possible title that wouldn’t be…

derpgon@programming.dev on 27 Apr 2024 16:40

I wonder, is there a way to ensure they work the way they advertise to besides being investigated by the police and observing the result? It has to be blatant in order to force the VPN service to comply if they can.

It’s a case of who do you believe more. The provider or the police.

[deleted] on 28 Apr 2024 10:36

.