VPN Encryption (opens in new tab)

(privateinternetaccess.com)

57 pointsmtoledo12y ago45 comments

45 comments

I've been a happy PIA subscriber since the Snowden controversy. However every time I see them becoming more popular (at least 4 of my friends have signed up with them in the past few weeks) and earnestly trying to make themselves more secure, I also realize that someone, somewhere within the NSA (and yes, other intelligence agencies around the world) is elevating them on a list of VPNs to break.

IvyMike12y ago

I've said this before, but PIA and other similar VPN providers are great security against most drive-by hackers. I am a happy customer for this reason.

But if your threat model includes "NSA/CIA/FBI/DEA", you are going to have to spend more than $4 a month to remain secure.

canttestthis12y ago

Okay, I'll bite. My budget is more than $4 a month, but not thousands. Is there any way to keep myself secure from the NSA/CIA/FBI/DEA/etc in a simple VPN-way?

r0h1n12y ago

> if your threat model includes "NSA/CIA/FBI/DEA"...

I think there are two vastly different threat model within that - (a) large-scale and indiscriminate vacuuming up of the average citizen's Internet usage data to fill up datacenters and do analytics, and (b) active targeting of a specific subject.

I'm hoping a VPN will insulate me against (a) too. But for (b), I don't think I stand much of a chance even if I spent $400 a month.

duaneb12y ago

Yes. In fact, I'm not aware of a failsafe method to guard against digital surveillance at any price save not using computers.

1 more reply

sixothree12y ago

Doesn't their business location in the US negate the need to be cracked?

r0h1n12y ago

They don't store any user logs (I have no reason to suspect they'd lie about that). So there's not much stored data to break. Which means the focus will be on breaking their traffic encryption protocols.

3 more replies

drdaeman12y ago

Based on their sites, I believe they're UK-based company (and US endpoints are just endpoints, in case someone wants to have US-located exit to access US-only services), so it makes somehow reasonably harder (but not impossible) to correlate between the client and their traffic.

Still, I don't see any significant difference between NSA and GHCQ, except that we have (thanks to Snowden) some details of former's operations leaked, but the latter's remain secret (or I didn't pay enough attention to the news, maybe).

1 more reply

borski12y ago

While I've heard good things about PIA, you're still trusting someone else with your data. Whether you trust them or not is entirely up to you, but it's not that hard to set up your own VPN tunnel. We posted about it a few weeks ago here: https://www.tinfoilsecurity.com/blog/dont-get-pwned-on-publi..., and there was some good HN discussion on it here: https://news.ycombinator.com/item?id=6285458

ineedtosleep12y ago

> Whether you trust them or not is entirely up to you, but it's not that hard to set up your own VPN tunnel.

While I agree that trust is a _giant_ issue, speed and price (due bandwidth needed/used) is also a major concern if you're one looking for an always-on VPN solution.

I personally used PIA for a few months mostly due to cost and it is at or near my speed cap at all times. I have also rolled my own VPN using a VPS at the same price point, however, considering that bandwidth would be limited and speeds were not as stable, it's hard for me to choose that route for my use cases.

Sure, if I need absolute security I wouldn't use PIA and I'd reconsider using a VPN on any VPS on US soil. But then, one would have to consider if it will be worth it.

drdaeman12y ago

You still have to trust somebody to host your VPN endpoint.

(Although, it's probably less risky to use some relatively obscure VPS/dedicated/colocation ISP than major VPN service which certainly attracts some attention of TLAs)

borski12y ago

Fair point, but your personal VPN is also a lot less likely to attract scrutiny and be attractive to snooping than PIA. It's just a much bigger surface area, more popular, and potentially has a lot more useful data than your single box.

1 more reply

don_draper12y ago

" On your CA's environment (hopefully elsewhere):

openssl x509 -CA cacert.pem -CAkey cakey.pem -CAcreateserial \ -days 730 -req -in vpn.csr -out vpn-cert.pem "

What does the author mean by 'hopefully elsewhere?' It's no longer a simple one server solution, no?

borski12y ago

Your CA doesn't have to be (read: shouldn't be) the same box. Also, it doesn't have to be (read: shouldn't be) connected to the internet. I recommend a USB key you keep around your neck or on your keychain, but it's really up to you.

oleganza12y ago

Note: ECC-521 is not a typo. It is really 521-bit curve.

Standard: http://www.secg.org/collateral/sec2_final.pdf

Explanation: http://crypto.stackexchange.com/questions/6219/why-do-the-el...

gr3yh4712y ago

I use this service, and have been thrilled with it for a long time. They do no logging whatsoever, and their encryption and endpoint options are great.

they are also by far the cheapest truly secure option in this space - $40/year

coderrr12y ago

FYI, this is the info page for our new (beta) OpenVPN based client which supports multiple encryption options:

https://www.privateinternetaccess.com/forum/index.php?p=/dis...

r0h1n12y ago

Interesting to note that you've hosted your beta clients on Kim Dotcom's Mega service. This is the first time I'm coming across a legit & popular service hosting its public client files on Mega.

lmm12y ago

I've bought some digital art from a freelancer and received it via there.

jevinskie12y ago

I love PIA but I was too afraid to use it at Black Hat / DEFCON this year. If you use L2TP (required for iOS, handy for OS X because there is a native client) there is no certificate to prevent a MITM. Is there any way to address this? Can you use a certificate instead of a pre-shared key?

coderrr12y ago

Here is a way some of our customers are using OpenVPN on iOS:

https://www.privateinternetaccess.com/forum/index.php?p=/dis...

pilif12y ago

nitpick: There is a native OpenVPN client for iOS in the AppStore. I don't know how they managed to, but it's plugging into the native iOS VPN functionality and it works perfectly well.

1 more reply

canistr12y ago

It should be noted that while they use curves generated by Certicom, Certicom is now a subsidiary of BlackBerry.

HPLovecraft12y ago

a friend of a friend is a happy customer of PIA for over 9 months now. their customer service is actually really good.

Fourplealis12y ago

How is this different from other commercials VPNs? If you really want privacy choose offshore VPN that doesn't keep logs.

duaneb12y ago

VPN providers would make great honeypots.

drdaeman12y ago

I was a bit surprised OpenVPN still doesn't support GCM mode.

kzrdude12y ago

Pretty bogus preset choices, what is this? If the provider isn't providing the expertise to ensure a safe connection for every customer, what the hell are they doing?

coderrr12y ago

@HNmods, any reason this was removed from the first page?

awayand12y ago

or, you could just use https://airvpn.org/

beernutz12y ago

Though they do NOT allow multiple simultaneous connections, and are not as inexpensive.

cowboy_coder12y ago

I hear airvpn is awesome. They have many different options to encrypt your connections.

xxdesmus12y ago

Yeah, that was helpful.

j / k navigate · click thread line to collapse

45 comments

r0h1n12y ago

IvyMike12y ago

I've said this before, but PIA and other similar VPN providers are great security against most drive-by hackers. I am a happy customer for this reason.

But if your threat model includes "NSA/CIA/FBI/DEA", you are going to have to spend more than $4 a month to remain secure.

canttestthis12y ago

Okay, I'll bite. My budget is more than $4 a month, but not thousands. Is there any way to keep myself secure from the NSA/CIA/FBI/DEA/etc in a simple VPN-way?

r0h1n12y ago

> if your threat model includes "NSA/CIA/FBI/DEA"...

I'm hoping a VPN will insulate me against (a) too. But for (b), I don't think I stand much of a chance even if I spent $400 a month.

duaneb12y ago

Yes. In fact, I'm not aware of a failsafe method to guard against digital surveillance at any price save not using computers.

1 more reply

sixothree12y ago

Doesn't their business location in the US negate the need to be cracked?

r0h1n12y ago

3 more replies

drdaeman12y ago

1 more reply

borski12y ago

ineedtosleep12y ago

> Whether you trust them or not is entirely up to you, but it's not that hard to set up your own VPN tunnel.

While I agree that trust is a _giant_ issue, speed and price (due bandwidth needed/used) is also a major concern if you're one looking for an always-on VPN solution.

Sure, if I need absolute security I wouldn't use PIA and I'd reconsider using a VPN on any VPS on US soil. But then, one would have to consider if it will be worth it.

drdaeman12y ago

You still have to trust somebody to host your VPN endpoint.

(Although, it's probably less risky to use some relatively obscure VPS/dedicated/colocation ISP than major VPN service which certainly attracts some attention of TLAs)

borski12y ago

1 more reply

don_draper12y ago

" On your CA's environment (hopefully elsewhere):

openssl x509 -CA cacert.pem -CAkey cakey.pem -CAcreateserial \ -days 730 -req -in vpn.csr -out vpn-cert.pem "

What does the author mean by 'hopefully elsewhere?' It's no longer a simple one server solution, no?

borski12y ago

oleganza12y ago

Note: ECC-521 is not a typo. It is really 521-bit curve.

Standard: http://www.secg.org/collateral/sec2_final.pdf

Explanation: http://crypto.stackexchange.com/questions/6219/why-do-the-el...

gr3yh4712y ago

I use this service, and have been thrilled with it for a long time. They do no logging whatsoever, and their encryption and endpoint options are great.

they are also by far the cheapest truly secure option in this space - $40/year

coderrr12y ago

FYI, this is the info page for our new (beta) OpenVPN based client which supports multiple encryption options:

https://www.privateinternetaccess.com/forum/index.php?p=/dis...

r0h1n12y ago

Interesting to note that you've hosted your beta clients on Kim Dotcom's Mega service. This is the first time I'm coming across a legit & popular service hosting its public client files on Mega.

lmm12y ago

I've bought some digital art from a freelancer and received it via there.

jevinskie12y ago

coderrr12y ago

Here is a way some of our customers are using OpenVPN on iOS:

https://www.privateinternetaccess.com/forum/index.php?p=/dis...

pilif12y ago

nitpick: There is a native OpenVPN client for iOS in the AppStore. I don't know how they managed to, but it's plugging into the native iOS VPN functionality and it works perfectly well.

1 more reply

canistr12y ago

It should be noted that while they use curves generated by Certicom, Certicom is now a subsidiary of BlackBerry.

HPLovecraft12y ago

a friend of a friend is a happy customer of PIA for over 9 months now. their customer service is actually really good.

Fourplealis12y ago

How is this different from other commercials VPNs? If you really want privacy choose offshore VPN that doesn't keep logs.

duaneb12y ago

VPN providers would make great honeypots.

drdaeman12y ago

I was a bit surprised OpenVPN still doesn't support GCM mode.

kzrdude12y ago

Pretty bogus preset choices, what is this? If the provider isn't providing the expertise to ensure a safe connection for every customer, what the hell are they doing?

coderrr12y ago

@HNmods, any reason this was removed from the first page?

awayand12y ago

or, you could just use https://airvpn.org/

beernutz12y ago

Though they do NOT allow multiple simultaneous connections, and are not as inexpensive.

cowboy_coder12y ago

I hear airvpn is awesome. They have many different options to encrypt your connections.

xxdesmus12y ago

Yeah, that was helpful.

j / k navigate · click thread line to collapse