Enhancements for VPN section #114
Comments
A fantastic VPN option for iOS is OpenDNS' Umbrella Prosumer for $20/year (not to be confused with OpenDNS Home VIP). On OS X, Umbrella is a custom version of dnscrypt connecting to customizable OpenDNS servers for risk mitigation, with black/whitelists and policy behaviour. But on iOS, for which there is no way to enable use of encrypted DNS, they configure a full VPN using the iOS native VPN client, which goes through OpenDNS servers and is protected by the same customizable DNS lists. This is a great product; I've been using it for 15 months, very happy. It should be added alongside dnscrypt on the main page.
This can help you, too bad that devices/OS are not listed. Now at: outdated link, new one is above
I have tested several on OS X and Android, WiFi and cable 100/5 Mbps from Belgium. Dis/connect immediately (<5 sec): ZenMate and SurfEasy, hassle free (2 params), almost no drops, speed good. TigerVPN also connects, but takes a bit longer. Do not use totally free VPNs! Some serious paid VPNs are offering limited bandwidth, speed, servers or duration. Some can be used by defining the settings in Apple Network, some require their own client. What to check before subscribing: Review sites you can trust, without affiliate links! are
Thanks for the lively discussion and the good recommendations. Personally, I run my own OpenVPN server and connect to it from my Android device (OpenVPN app from Play Store) and OS X (Homebrew) computers when on the go. I have found the cryptographic primitives used to be quite sound (TLSv1/SSLv3 DHE-RSA-AES256-SHA w/ 4096 bit RSA, 2048-bit DH params, CBC cipher mode, SHA-256 hashing), albeit not "perfect", and the implementation seems credibly good. A separate, detailed guide to setting all this up is forthcoming. I'm not particularly keen on getting into the business of recommending VPN services, as I believe that to be outside the scope of the guide and have limited experience with current popular offerings and providers. It would be great to list out VPN client software (including proprietary third-party clients provided by VPN services) to weigh their pros and cons. An easy-to-understand, layperson's description of how different types of VPNs work would also be a worthwhile addition to the guide. Overall, I think providing readers with a good understanding of the networking and security concepts involved with VPNs is most productive, rather than simply saying one ought to use a VPN at their discretion.
Another one: https://vpn-comparison.silk.co
I just learned about Streisand, which goes a long way towards secure VPN (issues raised by @TraderStf above). People without deep understanding of VPN security should not attempt to roll their own VPN. Unfortunately, people running VPN services too often are in this set. Streisand seems to be well opinionated for end-users without the skills for VPN hardening. It's not trivial to set up, but may help those with only enough skills to be harmful from making bad choices. Though it might not be appropriate to recommend VPN services in this guide, it may be worth mentioning the pitfalls of doing VPN incorrectly (and the risks of subscribing to a service with gaps in security). Edit: I just re-read the VPN section, and it provides a satisfactory caveat; sorry to restate the obvious.
@quinncomendant, I agree with you, so many VPNs (and their ~'masked/revamped' affiliates, different company name) are just surfing the wave$. My first check is the creation date of their site with a whois to eliminate these newbies... VPN CHECKLIST —— TOOLS —— HARDWARE —— PROTOCOLS —— TESTS And a lot more on security/privacy, a subject I don't know enough about. A huge work, but it can be reduced by filtering out 'newcomers' thanks to vpn-comparison.silk.co and a few other sites. When I think about browser fingerprinting and such deep detection using font metrics, if you combine all that, anonymity is far away... maybe privacy from commercial companies, but look at the latest news on FB tracking... Fingerprinting web users through font metrics:
The VPN checklist is a good start (solution agnostic), but many users are going to have different needs in terms of functionality, so it might be good to recommend the use of VPN when using untrusted networks, and then some criteria to consider when configuring/selecting the server/service such as DNS leakage, etc...
AirVPN. Hands down.
New useful sites, I have no link with any:
https://www.wikileaks.org/wiki/Alternative_DNS
https://www.strongswan.org - OpenSource IPsec-based VPN Solution
https://www.shimovpn.com - multi-protocol VPN software, commercial
https://www.ivpn.net/privacy-guides
I'm highly skeptical over many of those links you provided. I don't touch Tunnelblick (has had its share of issues) whereas OpenVPN would be a better alternative, VPNList.net and VPNSP.com show many worthless VPNs (PIA isn't too bad, though I gave up my trial and went back to AirVPN), I wouldn't touch ShimoVPN or Viscosity either (proprietary), and I'm skeptical over the Wikipedia list from anonymous-proxy-servers.net.
The links I gave are to get lists or tools that can help the usual user who tries to get info. I don't want to start a 'fight', just give facts I saw, which I did not verify... In my case, an average joe, a VPN is just to get out of 'advertisers' nests; for the rest, stop dreaming... What I am really worried about are these 💩 insurance or pharmaceutical companies which are tracking you. (Google pharma collects data to profile you.) But with all the 'leaks' and habits we have, the 'tracking' services, secret or not, can already find you back: browser fingerprint, local time, wake-up/sleep time, usual sites visited, free tools, apps you downloaded, VPN, protocols, net speed, keyboard typing and reading speed, languages, etc. used... The only thing clever guys here, not me, can do is to help activists, journalists... for a few weeks/days, but the question is complex, you can also provide help to 'bad' guys. One guy I would like to salute is the one who brought down that Italian company which was $$$elling exploits to anyone. I will stop my 1984 nightmare, it's not the place to do that.
Last words, google for them, I 'like':
All better than an old James Bond 🍸 About PIA, can't be published at a better moment: att
No fights, only discussion. I gave up PIA. I believe AirVPN is based out of Italy. Elaborate on AirVPN using Piwik, and with sources if you have any. Of course there are ways to track users via user browsing habits, even bio-metric behavioral profiling based upon user's typing abilities. If someone is trying to avoid surveillance then it is best to get completely off the grid/technology.
Go on their site, you'll see Piwik in any adblocker or in the page code, anyway not a big deal, though.
Seems rare to find websites that aren't trying to see what areas on their site are being frequented often, albeit unnecessarily and/or possibly in an unethical manner. It is public facing after all. But like you said it is most likely not a big deal.
link?
FYI F-Secure Freedome might be a semi-trustworthy VPN solution if you trust Mikko Hyppönen.
I think it's safe to say that we shouldn't include any VPN services. People in the discussion can't agree on any VPN services because, at the end of the day, it comes down to the user's wants and needs. There are just so many services out there, and how do we know they're trustworthy or better than each other? By comparing whether a website has Piwik or analytics software running? I know @TraderStf is trying to push for the VPN services and recommending services not in the Five-Eyes countries. My question to @TraderStf is how do you know services from non-Five-Eyes countries are better than the ones from Five-Eyes countries? Is there any proof that they're trustworthy, or are we taking what they say on their website for truth? Oh, this service has 4096-bit RSA keys, no-logging, no DNS leak ... that suddenly makes them better? Not trying to start a fight, but I think it's just not worth it to list out services - we don't know if they're good and trustworthy. That should be up to the user. By putting it in the guide, we specifically say these services are good without actually knowing if they are or not. And really, there isn't a one-size-fits-all solution; everyone's different and that's why there is a diverse amount of VPN services. In the spirit of the guide, it is more technical and touches on topics that can be verified or have other trusted resources. If we are going to expand the VPN section, I'd rather it explain anything we can actually verify that is working as expected.
I appreciate you playing devil's advocate here, @xdtnguyenx, but:
Disagree. This guide lists plenty of tools for users to pick from; VPNs should not be any different. This guide shouldn't neglect to reference some services with a history of being credible and reliable. Many VPNs are garbage. Any Joe can find a random blog listing VPN services. I can see why the dissonance between VPN services would cause you to say that all should be left out, but you could also argue that this should/would apply to the other tools this guide references (or doesn't reference), e.g. why cover Little Snitch instead of Murus firewall, or why not just cover built-in PF entirely instead of third-party firewalls? (not even bothering with the application layer vs network layer firewall debate here)
I'd opt for 4096-bit RSA keys with no-logging, no DNS leaks, and a history of being reliable with some credibility... so yes. Much better than its opposite. I avoid free VPNs like the plague and question anything less than 2048-bit keys. So yes, the guide should cover some basics so users can make their own choices. But this guide is just that... a guide. Security/privacy is about weighing risks.
Not really... at least not anymore, and with so few people involved. Extensive lists of VPNs are available on 2 sites, see above. As I said in other threads, it would be better to mention:
My goal is to avoid 'ads, marketing, malware, insurances...' exploiting data too easily, not any gov, agencies... that fight is already lost for 99.9%. Spot useless tools, services, and crooks to help average non-tech users. I just collect information about things to be avoided or which are useless today/soon.
@kristovatlas articles by π2 addicted which are wasting their time copying brainless movies and apps... |
I think the difference @marcus-cr is that you can test a firewall to see if it's working. You can have an outside source capturing packets to see if it's legit, trustworthy, etc. When you start bringing in VPN services, you can only test everything exterior to it, which is what they claim. What makes a service trustworthy though? Playing devil's advocate. It's been around for a while? It provides strong encryption? If tomorrow I decided to start a VPN service that starts logging but claims that I don't, but offers strong encryption, how do you know? If no one knew and I had the service around for years, then is it credible and reliable? I guess that's what I ultimately want to know - what qualifies? Because there are a lot of VPNs that have been around for a while too, provide strong 4096-bit RSA keys, all claim no-logging and no DNS leaks. (Last time I checked, all services say the same thing; why would I advertise as being less secure?) I'd feel more comfortable giving people tips on what to look for in VPN services or to avoid, rather than actual services. Services can change through time and so does their reliability. You say that it's a guide, so why not let it be one? Just give them tips & let them decide, instead of making that decision for them by giving them a list to choose from. Little sidenote: Yeah, why don't we have a better section on PF?
As I stated before, it's all about weighing risks. I can't emphasize this enough. Also you can't compare measuring local security mechanisms vs the security mechanisms at a remote location. Now if we're talking about a firewall at a remote location... That's a different story. Security audits would be needed, but commercial providers don't generally allow their users to do so. I'm not a lawyer but if a company (or individual) violated the ToS... well then they're violating a legally-binding contract. Companies and individuals have been sued over this. If you truly want to ensure strong encryption without logs then you (or users) should roll their own VPN, however know the caveats: there most likely will be potential security holes; this also applies to commercial VPNs though (there are no guarantees, even with no-logging policies). PF is so extensive it would require its own guide entirely, unfortunately. That's why third-party vendors create software like Murus.
(Accidentally deleted my post) But my statement still stands since you didn't answer my concern and have decided to dance around the question: what qualifies as reliable and trustworthy? Just going off of the ToS, when was the last time a VPN provider was sued? If you can't really prove that I violated my ToS, how do you even take me to court? Again, not a lawyer. I still stand by my statement of why we shouldn't list actual services:
- Can't prove they are trustworthy or not
If all the "trustworthy" ones disappeared, which one do you use then? You might as well teach people how to find good ones and look at their practices, rather than recommending a list.
I've written an MIT licensed Ansible playbook designed to leverage yet another Ansible role (Stouts.openvpn) for OpenVPN. As long as we are having this conversation about trusting VPN providers, here it is so you can become a VPN provider for your friends and family: https://github.com/robbintt/popup-openvpn
Working with 'positive results' is impossible, unverifiable for VPN. We can already start a listing of VPNs which sVck (technically, legally 5 eyes or $/1 option), outdated settings, a few verification steps (WebRTC, IPv6) and not-to-do while under VPN (read FaceCrook, Gmail, NTP, calendar, updates, PayPal, avatar, Disqus...). You get the idea. There are 3 goals: anonymity (press, whistleblowers,...), privacy (ads, insurances,...) and protection (malware, bank,...); you can't have all at 100% at the same time. What do you think of these 3 goals? When I go to my bank under VPN (protection OK), I don't care about reading my Twitter at the same time (anonymity not of coz and privacy so so).
@xdtnguyenx I already answered your questions above. Contact an attorney if you want to know the process of suing a company who violates their own ToS. Can someone else chime in? @TraderStf VPNs don't protect against malware. What is 'positive results' when you wrote:
@marcus-cr Still copping out on the question: "what qualifies as reliable and trustworthy?" Which I have asked about 3 times now (people can look up the comments and see that he's actively avoiding it). But whatever, it seems like you don't even know yourself. I was playing devil's advocate and trying to make enhancements more meaningful, but if it's being ignored, do whatever with the guide. It's like I'm talking to a brick wall; I asked the question, just answer it.
You're asking common sense questions ("what makes a company trustworthy?") while being insulting. To address your question again, as stated above:
Security audits are most likely the answer you've overlooked. I'm not going into much detail here since it is self-explanatory. This would address the VPN's security posture, or lack thereof. Of course this varies with the scope of the audit, and it is preferably performed by a third party. The last point requires more research on the user's part, with their own needs taken into account. There is at least one VPN I'm aware of that actively supports and helps fund open-source projects such as OpenNIC and OpenBSD, and even provides Tor relay/exit nodes and funds the Tor Project itself. If this still doesn't satisfy your question, please try adding what you personally think would deem a VPN as reliable. Please consider this my last post to help you. Cheers.
@marcus-cr Of course VPNs don't protect against application malware, but they do against sites delivering malware, if the VPN offers that option. 'Positive': no one can say for example "they don't keep logs"; all we can prove are negative results.
Another advanced method: Behavioral FingerPrinting. Obviously but...
I just noticed that NordVPN is supporting IPv6.
Thoughts on this?
It’s very interesting and powerful, but..
Are we all going to do this? How about an average user that just wants some privacy and doesn't want his/her internet experience to be hijacked? I guess they will suffer and have a very hard time, and in my opinion, this approach will fail.
If you have time and you're willing to, go ahead; otherwise, it's not for you.
VPNs don't cost much these days and are decent enough to keep ISPs blind. I have big hopes in ProtonVPN https://www.protonvpn.com/ which is by the guys behind ProtonMail in Switzerland. I guess they are going to do a great job. At least they know how to secure things more than others.
Another option is OpenDNS Umbrella (which was recommended before); also I think TunnelBear is great as well; as I said, for the purpose of blinding ISPs. Finally, and one of the strongest out there if you were lucky to get an account, is RiseUp VPN https://riseup.net/en/vpn/ It doesn't get mentioned that much, but in terms of trust, I believe they are just great.
Total protection? I don’t think so, it’s just impossible, but you have good tools out there to help reduce the impact but the cost is less convenience and slower internet speed.
Unless a smarter solution is found.
–M
… On Mar 29, 2017, at 3:07 PM, Nadav Appel ***@***.***> wrote:
Thoughts on this?
https://www.reddit.com/r/news/comments/621tqg/house_repeals_fcc_broadband_privacy_rules/dfj3qnz/
Build your own VPN. Host an OpenVPN server on AWS, buy a RouterBoard and connect it as a client, tunnel everything.
You'll now be connecting to the Internet via an AWS endpoint, where your ISP will see nothing but encrypted garbage, and AWS has no incentive to log browsing data.
Write some exceptions for your game consoles, and gaming servers so that you don't add latency to your online gaming.
If you don't know how to do this, you should learn. Online privacy rights are eroding, so everyone should strive to learn about how the Internet works so that they can personally protect their own privacy.
To get you started: https://www.comparitech.com/blog/vpn-privacy/how-to-make-your-own-free-vpn-using-amazon-web-services/
Helpful guide. Thanks to all who have contributed. Consider including Algo VPN. It's a package of Ansible scripts that install strongSwan, an open-source self-hosted IPsec VPN, on a cloud server. All this is new to me and I found it easy enough to set up. I've written up my experience for similarly-situated users: Brew Your Own VPN With Algo — Take 2. Whether a self-hosted VPN such as Algo is appropriate for you depends upon your threat model.
The website https://thatoneprivacysite.net, mentioned by @TraderStf, is very helpful and detailed. It is worth considering for a mention in the VPN section.
Although disconnect.me is a good option for mobile devices, there are several other tested VPNs that work properly with iOS devices. In my opinion, we have a list of free VPNs for Mac that can work with strong crypto under this list.
FYI https://getoutline.org/en/home https://www.zdnet.com/article/more-privacy-busting-bugs-found-in-popular-vpn-services/ A bit related, DNSr: euh 5 👁...
https://github.com/drduh/OS-X-Security-and-Privacy-Guide/blob/master/README.md#vpn
Although OpenVPN is great, it is lacking fresh crypto, especially on mobile versions and even OS X due to builds with native (old) crypto libs. This can become a problem when you attempt to override the default cipher, keysize, digest, etc with stronger variants -- eg AES256, 4096bit keys, SHA512, etc. Notorious are the iOS and Android builds of OpenVPN as they will not support the stronger crypto currently, sometimes due to the limitation of the platforms themselves.
As a potential short term alternative until stronger crypto is supported by OpenVPN on mobile devices, Disconnect runs a tiered service that allows "free VPN" on mobile devices up to 100MB a month. This is good for casual VPN users to try out. They also offer a paid service for multiple devices for between $30-$50 annually ($3-$4 per month, very affordable). Disconnect is also the Public Benefit (B Corp) that runs the default search engine for the Tor Browser Bundle (TBB). As such, they are fairly trusted. A link to their site is below: https://disconnect.me/
Note: Disconnect VPN blocks connections on some ports, so beware that they do perform filtering to cut down on abuse of their free service. They block commonly abused ports and also connections to high ephemeral ports. Eg. If you try to connect to services on high numbered ports via the VPN, they may not work :(
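As an added example (not code from this thread, the guide, or any provider), a small Python linter that reads a client .ovpn profile and flags the outdated settings argued about above: the BF-CBC/SHA1 defaults versus the AES-256/SHA-256 parameters drduh runs, no TLS 1.2 floor, no server-role check, and an unprotected control channel. Both profiles are constructed and vpn.example.invalid is a placeholder; a DNS or WebRTC leak can only be confirmed with a live test, not by reading the profile.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample profiles (not from any real provider). The first carries
# the outdated settings the discussion warns about; the second pins the
# stronger parameters described for a self-hosted server.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth SHA1
<ca>
-----BEGIN CERTIFICATE-----
placeholder
-----END CERTIFICATE-----
</ca>
"""

HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-CBC
auth SHA256
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA
remote-cert-tls server
tls-auth ta.key 1
"""

WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}

def parse_ovpn(text: str) -> Dict[str, List[str]]:
    """Map each directive to its arguments. Comments and blank lines are
    skipped; an inline <tag>...</tag> block is recorded as tag -> ['<inline>']."""
    opts: Dict[str, List[str]] = {}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if block:                                  # inside <ca>, <cert>, ...
            if line == f"</{block}>":
                block = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            block = m.group(1)
            opts[block] = ["<inline>"]
            continue
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        opts[name] = args
    return opts

def lint_ovpn(text: str) -> List[Tuple[str, str]]:
    """Return (code, explanation) pairs for settings worth questioning.
    Fallback values mirror OpenVPN 2.3/2.4 defaults when a directive is absent."""
    o = parse_ovpn(text)
    f: List[Tuple[str, str]] = []
    cipher = o.get("cipher", ["BF-CBC"])[0].upper()   # BF-CBC was the default
    if cipher in WEAK_CIPHERS:
        f.append(("weak-cipher", f"data-channel cipher {cipher}; pin AES-256"))
    digest = o.get("auth", ["SHA1"])[0].upper()        # SHA1 is the default
    if digest in WEAK_DIGESTS:
        f.append(("weak-auth", f"HMAC digest {digest}; use SHA256 or better"))
    tls_min = o.get("tls-version-min", ["1.0"])[0]
    if float(tls_min) < 1.2:
        f.append(("old-tls", f"tls-version-min {tls_min}; require 1.2"))
    if o.get("remote-cert-tls") != ["server"]:
        f.append(("no-server-role-check", "add 'remote-cert-tls server'"))
    if "tls-auth" not in o and "tls-crypt" not in o:
        f.append(("bare-control-channel", "no tls-auth/tls-crypt key"))
    return f
```

Run it against a provider's profile before the first connection; an empty list means only that the pinned parameters look sane, not that the provider honours its logging claims.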