https://protonmail.com/blog/transparency-report/
On the other hand, they recently reduced the level of detail in the transparency report.
There is also the fact that they are Swiss, and their privacy laws were severely weakened by a recent referendum. In particular, the Swiss government can now monitor all cross border traffic without a warrant.
ProtonMail fought the referendum, but hasn't updated this "Why Switzerland?" page:
https://protonmail.com/blog/switzerland/
They also haven't moved to a more appropriate legal jurisdiction.
[edit: clarify links]
Agreed, and that referendum was back in September of 2016. That's almost 9 months ago. This seems really disingenuous.
And the referendum didn't just eek by but it passed by 65%.
So if the Swiss domicile doesn't offer the protections it once did, why would I choose this provider over any of the half a dozen others well-known companies in the space.
https://www.reddit.com/r/ProtonMail/comments/6id4lw/protonvp...
So which will be that new country now, since apparently Swizterland isn't that option anymore? And what if that new country does something similar? Then next? And then? I don't think there will be many countries left to go to in that case. Or any, after some time?
So, aren't user privacy and fight against surveillance running towards a wall which is the deadend?
If there's something that is a high priority for you personally to see (such as OpenPGP ECC algorithm support), I would ask that you take the time to submit it to the ProtonMail UserVoice page [ https://protonmail.uservoice.com/forums/284483-feedback ]. That page is monitored and the feedback received through UserVoice is considered and strongly influential. UserVoice has a great end user application and clarification effect that is difficult to experience through interacting with users through e-mail or traditional forum comments.
I don't believe I've seen the Reddit exchange that you are referring to (I don't personally visit that site very often). If someone using an official company account was rude to you, I sincerely apologize.
Worth mentioning their VPN recommendations: algo by trailofbits and freedome. There is another paid service they recommend but I can't recall the name.
First of all, there does not appear to be a whitepaper available that describes the security architecture in any detail. This is an immediate red flag.
Second, they do have a "Security Features" page which is rather light on the details; it mentions that ProtonVPN uses AES-256 (encryption), RSA 2048 (key exchange) and HMAC-SHA256 (auth).
I'll start with RSA: the fact that they use RSA at all for a new cryptosystem in 2017 is a red flag for me. I also can't see any details of how they use RSA, so I don't know if they have implemented padding. If they haven't implemented padding (and done so correctly!), the VPN is insecure and we can stop right here. Honestly, they should be using ECC. I'm assuming they're not using something like ECDSA because RSA is faster (but not so much so to justify the potential security tradeoff, even in a VPN client).
On to AES: they commit the common marketing-mandated-security-page sin of focusing on the key size instead of the block cipher mode. They don't explain which block cipher mode they're using for AES at all - another red flag. For all I know they're using ECB (in which case, the VPN is insecure and we can stop right here). This is putting aside the question of whether or not they correctly implemented AES in whatever mode they're using.
With regards to HMAC-SHA256: in theory this is fine, but again we have no details. I'm going to go ahead and dock another point here because they're choosing to use separate primitives for encryption and authentication, when the best practice would be to use authenticated encryption like AES-GCM or AES-CCM. I admit this is bikeshedding a bit: respectable cryptographers (like cperciva) have a preference for separate construction. However, this is a VPN we're talking about, and an authenticated encryption mode would be faster than separate encryption and authentication.
A few caveats to my points: I'm quarterbacking their cryptosystem design based on one paragraph of the security page, because that's all I can find that describes their crypto. It doesn't describe it in detail, so it might still be secure. I have no knowledge of their implementation, so I can't critique that. That said, if I had to weigh the red flags I've observed here against their "developed by scientists from MIT and CERN" marketing and nothing else, the red flags win out.
Ultimately VPNs just aren't for hiding anything that could cause you significant problems. If you want that, Tor, i2p, or piles of hacked boxes are your only options really if you must interact with the clearnet.
By the way, is it possible to have all hosts connected to reach each other, as in a lan?
I think a key problem may be that there aren't a whole lot of people who (a) understand the tech well enough to know they need this, and (b) don't understand the tech well enough to spin up a VPS and run a Bash script.
- TunnelBear is a bit more expensive (4.99$/mo, paid annually vs 4$/mo).
- TunnelBear supports up to 5 connections per account vs 2.
I use TunnelBear regularly for my browser and phone. Both works great.
My subscription is going to expire soon and I'll be open to try other VPN providers, not that there is anything wrong with TunnelBear. Any recommendations?
This site [2] has feature comparisons but experience using VPN services is another story.
[1] https://www.tunnelbear.com/ [2] https://thatoneprivacysite.net/vpn-section/
Still, I think it creams every general public offering. I agree with fictioncircle above that the "anonymity" thing is a total red herring. VPNs in this application are fundamentally about creating a hack to let individuals change their Internet access from a natural monopoly situation to a strongly competitive and customer oriented market situation via virtual end point shifting. That's "it", though it's a big deal. But "anonymity" is a far, far trickier problem, requiring not just extensive infosec but also significant opsec. At a bare minimum most people would need to use something like the Tor browser, not just for the "tor" part but for the hardening they put into the browser to make it somewhat harder to get tracked anyway regardless of IP address. I think a lot of the "anonymity" marketing claims some public VPNs make verge on not merely disingenuous but outright dangerous to the extent they can create a totally false sense of security.
Pros:
- You can choose a VPS provider close to your network for better speed.
- Less likely to be blacklisted.
- No connection limits
- Not as anonymous to governments or IP-based tracking.https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-th...
- accessing non-encrypted stuff on an untrusted network
- firewall bypassing
- Torrenting
- IP ban bypassing (pretty popular for people writing scrapers or trolling)
Anonymous anything is garbage - many of them log and all can be logged by government agencies or datacenter owners ahead of you. Tor or similar is the best option there. Running something like Algo on your own server is pretty bad for both torrenting and IP ban bypassing as you only have a single IP and many cloud providers will accept DMCA and abuse reports.
All in all if you're looking for either torrenting or IP ban bypassing a commercial VPN solution is going to be a better bet. More IPs for cheaper and with lower risks.
You can generate unlimited free trials until you're confident you want to spend the paltry $5 a month on them.
I have been in touch with them over some issues I have had,and the support is fantastic. I had an issue with mosh over my local network (SSH worked,mosh did not) and got a very detailed reply about why they treated LAN UDP packets that way, and why I was probably not affected since I ran a modern Linux distro and of course the setting that turned that safety feature off.
And, if you do t trust them to make such decisions for you (or you run an unsupported OS) they have regular openVPN files
edit: with that said, i really appreciate the compilation of information here, so it's no knock on the site owner.
It's the tragedy of success in the privacy industry.
I also wondered why ProtonVPN doesn't list any trial period in the paid plans. So I went to the support page and found that it has nothing about payment, trials and cancellations. I then went to the Terms of Service page [1] and found that one can cancel within 14 days and get a full refund. If anyone from ProtonVPN is reading this, please move this information to the signup page and also list it on your support pages. Those are the places for this important piece of information. Almost nobody reads the terms of use on any website.
Quote from the Terms of Service page (typo "Guaranty" ought to be "Guarantee"):
> Money Back Guaranty
> You may cancel your account with a full refund within 14 days of the initial purchase. Refunds or credits beyond the 14 day window will be considered, but at the sole discretion of ProtonVPN. The Company is only obligated to refund in the original currency of payment and refunds will be processed within 14 days of the request. To request a refund under our Money Back Guarantee, send an email with your request to support@protonvpn.com.
I run free privacy/security classes for journalists, and some of them have said that their sources can't use paid VPNs because they're afraid of the purchase showing up on their credit card statement.
TOR is great, but doesn't yet work for things like video chat (yes i tell them not to use Skype...)
There are certainly VPNs available that you can sign up for over Tor, and pay for with Bitcoin. However, some bitcoin payment services block Tor IP addresses; tools for VPN-over-Tor can be clumsy; and some sites that accept Bitcoin process the payments manually so it can take a day or two.
Also, it should be able to pay them in BTC, I remember sending a donation when I signed up for protonmail.
If your target uses BTC to avoid CC payments, then they had better know how to prevent tracking the payment on the blockchain as well. If I were targeted by a bad actor with state level resources, I would assume any bitcoin transactions to ProtonVPN would be spotted easily and I would assume any wallets I've used are hot. There were lots of ways to do this explored by users of onion sites who purchased illegal items. One of the most popular was to 'launder' the coins using a mixing service which shuffles around the BTC (for a fee) and sends it to a wallet of your choice, typically a one time use wallet which sends the balance to your account on the onion site for purchases from other users. The onion site operators may also mix up their coins, making it a little harder still. The coins from origin are received, split into a bunch of tiny transactions all over in various wallets, like shuffling cards, then many wallets send small amounts whose sum is the amount laundered minus fees, to the final destination one way or another. I encourage you to browse forums on such sites for the scoop on what the users think they know, as well as what security researchers have published on the subject.
Example: User Alice wants to pay for services from Bob. Bob's services are a little questionable in Alice's jurisdiction and she is concerned about someone finding out about her payment. If Alice is being surveilled directly, and the attacker knows about the wallets Alice uses because they got records from the company she buys coins from (or somewhere else like sniffing her traffic), and the service is priced at $X on Y date given the bitcoin value at the time, the attacker can look for any transactions for that amount on dates which Alice visited the site and compare the transactions.
In our example, lets say Alice wants to upgrade to paid ProtonVPN service but doesn't want Throckmorton's Sign Company [1] to find out about it. TSC suspects Alice may be trying to smuggle information through a VPN. Alice is smart and uses all the best practices. She's got a locked down mobile device with no cellular antenna connected to a long range directional antenna. She leaves her phone at home, drives the most secure route available by avoiding main streets with traffic cameras and license plate scanners. She parks in a cheap apartment complex parking lot (no guards/cams) at the base of the mountain. She pulls a mountain bike from the trunk and places her handgun in a waist pack, and rides to a higher elevation scenic point with no security/safety cameras and infrequent civilian or police traffic, aims her high gain antenna at the hotels below, and gets a WiFi signal. She connects with a spoofed MAC address, from a Tails ISO on optical media, to somewhere she cannot be physically linked to, using a device modified for safety. She has a script which changes her apparent desktop resolution, browser size on every page load, user agent strings, window dimensions, all kinds of fingerprinting avoidance. Alice uses a virtual keyboard which randomizes the delay between keystrokes before forwarding her input. Alice checks her configuration for holes, checks TOR, checks DNS, etc. and everything is solid. Feeling secure now, Alice logs into a brand new Proton account not associated with her, checks the price, and pays via Bitcoin. She bought bitcoin from a reputable exchange and had it deposited to a new wallet. She then transfers these coins to another wallet which is brand new and uses this to pay Proton.
An unknown actor at a TSC subsidiary agency has absconded with classified intelligence reports. Agent A is being watched, his stuff searched, no reports found, and Agent A won't talk. TSC thinks Agent A leaked it. Surely he sent it to some damn media hippie who loves communism and Vegemite, and now the whole world will know. They must stop the leak. TSC knows Agent A is a Vegemite sympathizer and is known to talk with people from the media sometimes, which is why they were watching him. They know he eats at Joe's Restaurant. A TSC agent dresses in a shabby suit he rented and puts on a local law enforcement badge and ID. He goes to Joe's and interviews the manager under the auspices of a criminal investigation. The manager at Joe's was all too happy to point out that he comes in every Wednesday, sits at a table near the rear fire exit facing the door with his back to a wall in a part of the dining room with no clear window views. He always orders Vegemite sandwiches and dresses nice. But he noticed that once a month or so, Agent A has someone with him, a real pretty lady friend. He assumes they are having an affair, and he's curious about it, so he pays a little more attention to Agent A and thought there was something funny about him, and he's eager to tell the "policeman" all about it. Agent A always looks sharp but on those days he dresses down a little, wears sunglasses, and removes his wedding ring. The manager calls over Agent A's usual waiter and asks him to tell the nice officer all about this suspicious character. Agent A's waiter says he saw a media ID sticking out of her wallet when she paid one night, so he knows she works for XYZ media. Our friendly TSC agent thanks them for their time and leaves, giving them a business card with a "detective" to contact with any new details.
TSC has only to look at all bitcoin transactions received by Proton since the leak, and I imagine this is a small set, and look at where those coins came from. TSC can and does keep banking and financial records for companies who sell Bitcoin. They run a search against the transactions looking for any wallets associated with those used to pay Proton during the period since the leak. They find 666 wallets. 420 are from Alice's country. Of these payers, only 42 paid with BTC from a wallet which had no other appreciable history. They check these 42 and the wallets connected to them by BTC transactions and find exactly one which was separated by 2 degrees and funded by BTC from Alice's reputable exchange. They quickly search the exchange's records and find that the wallet in question was funded by an account with a CC# belonging to one Alice Suspect who lives right there in Big Brotherville, and her name is on the list of XYZ media employees. TSC now knows Alice bought a VPN account, and to some courts that might be enough to escalate this. In some jurisdictions that shit will get you killed. Alice lives in a civilized democratic nation however, so instead she becomes the target of a massive and focused TSC investigation. They raid her home or intercept her vehicle, maybe they throw her in a van with a burlap sack over her head. Regardless of how they get her, TSC agents find encrypted disks, and order her to unlock them or go to prison (or face a $5 hammer). Alice sure did a lot to cover her ass, for nothing. One leaker, one media contact locally with a BTC wallet which paid Proton. Even assuming they don't target Proton, but check against all records of all VPNs on a list, doesn't change much but computing requirements to find out who is buying VPN service with BTC on their list. Assuming they don't ever go to Joe's restaurant, or even know about the pretty lady, they know local media only has so many journalists, fewer who travel these circles, and fewer still who would touch something that hot. Even assume they check ALL journalists in the entire country, how freakin hard would you have to look? How many suspects would there be who have bitcoin exchange accounts? Monitoring their search entries or IP traffic would reveal a lot and narrow the list down. Assume this is all happening in a state with a highly developed legal system and TSC has to request warrants and subpoena records to get them, and show to the satisfaction of a court that she is guilty, they still have the authority needed to grab the rest of the info they need once they have a short list of targets and they can acquire the rest through this investigation. Assume TSC never found the actual documents on Alice or in her property, the original problem of Alice being known to use a VPN is still not solved. Another approach would be to check all persons of interest for bitcoin exchange accounts by CCs, emails, names, etc., and then check those accounts for direct or indirect payments to VPN receiving wallets. Let's even assume that Alice purchased a prepaid credit card and for some reason was able to buy bitcoins with it, now they just ask FailMart to give them the register record and the video from that time. Even assume Alice isn't a journalist but a source as the OP says, and this source doesn't want people knowing they got a VPN. Follow the same breadcrumbs and you still have a bloody short list, the rest is old school tradecraft and detective work. In a not so developed legal system, only a shred of suspicion can end your life without needing anything solid at all. You see where I'm going I hope. The moral of the story is, BTC come from money, money is watched, BTC are watchable, so without a mixnet or something between purchase of coins and purchase with said coins, or a way to acquire them with complete anonymity, you're holding up a sign with your name on it which is just obfuscated enough to seem anonymous to average people. Money and identity are linked thanks to our current global financial system and all of the people who have exploited it. Selling BTC is regulated to "prevent drug lords and child sex traffickers" and other evil persons of the week from using BTC to launder money, but it's watched anyhow and every technique to link identities of individuals to bitcoin purchases can be assumed to be in use.
[1] This is actually funny, a medical joke. https://radiopaedia.org/articles/throckmorton-sign-pelvis
https://arstechnica.com/security/2015/11/crypto-e-mail-servi...
By the way, the party that initiated the ddos did stop the attack but a much bigger one took over. Probably state sponsored.
I'm not sure a data haven works unless you have a sovereign military that can defend itself against the rest of the world (good luck!)...
It might be a good idea to mention that on the page as (I'd guess) many tech literate people use the service.
OpenVPN and IKE both have terrible track records in terms of implementation security.
This was to their us-07 server in SF.
What they changed in the model? Is it trustless?
The reason is using it on mobile unlocked devices, rather than desktop.
I recommends the shadowsocks protocol[2] which I used in the censored network, which is hard to be detected and decrypted.
I don't expect most VPN users to need protocol obfuscation, especially since the IPs of the VPN operator are probably well known. If you're serious about that, you either need your own server or take great effort to hide the entry points (like Tor bridges attempt to).
Tunnelbear are one of the few VPN providers that use a thing called obfsproxy to circumvent this kind of censorship. They call it 'Ghostbear'[0] but really it's just an obfsproxy bundling which uses the domain fronting technique.
[0] https://help.tunnelbear.com/customer/en/portal/articles/2435...
Packages like STunnel/stunnel might help(available for both windows/linux).
But that would be another bet-the-company prospect, and I don't see them likely to try that for a couple years.
"ProtonVPN is a no logs VPN service. We do not track or record your internet activity, and therefore, we are unable to disclose this information to third parties."
I just tried again and it completed and is working okay now - bit of a fiddly registration process but actual vpn seems to pretty good and there are lots of endpoints, so great too.