undefined | Better HN

0 pointsverandaguy2y ago0 comments

Audits are IMO worthwhile, but end users should be aware of the scope of an audit. In the context of commercial VPN providers, it's usually just a code security audit -- are there any memory leaks? Is sensitive data being passed around a little bit too loosely? Is there some way for unprivileged users to gain privilege escalation by crafting a malicious request against one of your services?

In this sense, they're valuable. As someone working in software, I can figure out if the bugs were subtle or blatant, which is often a good proxy metric for the competence of the team behind the product. Are the same bugs cropping up year after year, even if they've already been previously fixed in other parts of the code? Again, a good red flag to use there.

Audits do not and often cannot cover things like "is the company reselling connection/user metadata to other companies," though, and in most cases consumers will care that there is an audit rather than caring what's in the audit.

0 comments

patrakov2y ago

Well... using PureVPN as an example. They claim that they have been audited twice.

First audit, from 2019: https://my.purevpn.com/pdf/Privacy_No_Log_Audit_Report.pdf

I tried to contact the auditor, Altius IT, in order to confirm whether exfiltrating connection data to a third party would result in the audit failure. They replied, but in a very vague way (refused to answer any questions regarding Altius IT's audit of PureVPN's environment). Well, at least they confirmed indirectly that the audit did exist.

Second audit, from 2023: https://www.purevpn.com/wp-content/uploads/2023/07/KPMG_Pure...

I tried to contact KPMG to verify the authenticity of that report, and also asked the same question - "whether deliberate real-time exfiltration of origin IP addresses, assigned VPN IP addresses, connection timestamps, or connected user activities to a third party by PureVPN, without PureVPN (as opposed to that hypothetical third party) storing anything locally in any form of logs, would have constituted a failure of the privacy assessment." Result: no reply from KPMG at all, so I cannot be sure even that the report indeed comes from KPMG and is not a fake.

verandaguyOP2y ago

There are bad auditors, of course. Having had the displeasure of working with KPMG (not in a code-security-audit setting, mercifully), I genuinely don't understand how their staff can be allowed within a ten mile radius of source code.

The ideal way to authenticate audits IMO would be for the audited entity to link back to a PDF or other report hosted on the auditor's site.

aaomidi2y ago

Honestly, this audit from Mullvad is showing some really rookie mistakes.

j / k navigate · click thread line to collapse