Enhancements for VPN section

[gripedthumbtacks]

https://github.com/drduh/OS-X-Security-and-Privacy-Guide/blob/master/README.md#vpn

Although OpenVPN is great, it is lacking fresh crypto, especially on mobile versions and even OS X due to builds with native (old) crypto libs. This can become a problem when you attempt to override the default cipher, keysize, digest, etc with stronger variants -- eg AES256, 4096bit keys, SHA512, etc. Notorious are the iOS and Android builds of OpenVPN as they will not support the stronger crypto currently, sometimes due to the limitation of the platforms themselves.

As a potential short term alternative until stronger crypto is supported by OpenVPN on mobile devices, Disconnect runs a tiered service that allows "free VPN" on mobile devices up to 100MB a month. This is good for casual VPN users to try out. They also offer a paid service for multiple devices for between $30-$50 annually ($3-$4 per month, very affordable). Disconnect is also the Public Benefit (B Corp) that runs the default search engine for the Tor Browser Bundle (TBB). As such, they are fairly trusted. A link to their site is below:

https://disconnect.me/

Note: Disconnect VPN blocks connections on some ports, so beware that they do perform filtering to cut down on abuse of their free service. They block commonly abused ports and also connections to high ephemeral ports. Eg. If you try to connect to services on high numbered ports via the VPN, they may not work :(

[quinncomendant]

A fantastic VPN option for iOS is OpenDNS' Umbrella Prosumer for $20/year (not to be confused with OpenDNS Home VIP. On OS X, Umbrella is custom version of dnscrypt connecting to customizable OpenDNS servers for risk mitigation, with black/whitelists and policy behaviour. But on iOS, for which there is no way to enable use encrypted DNS, they configure a full VPN using the iOS native VPN client, which goes through OpenDNS servers and is protected by the same customizable DNS lists.

This is a great product; I've been using it for 15 months, very happy. It should be added alongside dnscrypt on the main page.

[TraderStf]

This can help you, too bad that devices/os are not listed.

Now at:
https://thatoneprivacysite.net

outdated link, new one is above
https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAeQjuQPU4BVzbOigT0xebxTOw/edit#gid=0

[TraderStf]

I have tested several on OSX and Android, WIFI and Cable 100/5 Mbps from Belgium.
Lot of good deals on stacksocial.com, my affiliate link https://stacksocial.com/?rid=1465893

Dis/Connect immediately <5 sec, ZenMate and SurfEasy, hassle free (2 params), almost no drop, speed good. TigerVPN also connect a bit more longer.
Cyberghost ok but several drops a day.
ExpressVPN,Privatoria, NordVPN, speed good, almost no drop. NordVPN full of optional parameters.
PureVPN, crap, lot of usual options to pay for, don't know what protocol is in use, warning to refund policy, lying on number of servers, no real 24/7!
ipinator just small affiliate of hideme.
hidemyass, give user data to authorities, already at least 2 times.
holavpn, some kind of p2p vpn, use your bandwidth, quite fast.

Do not use totally free vpn! Some serious paying vpn are offering limited bandwidth, speed, servers or duration.

Some can be used by defining the setting in Apple Network, some required their own client.
Some must use clumsy TunnelBlick...
Some with extra 'protection' adblocker, malware, proprietary or user definable DNS resolver, kill switch...
But the ads, malware... are not enough, always some you had to block with extra tool, so useless double filtering, switch them off and use usual web/os blocker, host file/lists...

What to check before subscribing:
refund for the test period, juridiction, real owners, just rebranded/affiliate, creation date, servers' exact locations (some say .de but it's in .nl), email port opened, IP6... what else.
Can ask me if you any questions.

Review sites you can trust, without affiliate links! are
https://vpnreviewer.com/
https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/

[drduh]

Thanks for the lively discussion and the good recommendations.

Personally, I run my own OpenVPN server and connect to it from my Android device (OpenVPN app from Play Store) and OS X (Homebrew) computers when on the go. I have found the cryptographic primitives used to be quite sound (TLSv1/SSLv3 DHE-RSA-AES256-SHA w/ 4096 bit RSA, 2048-bit DH params, CBC cipher mode, SHA-256 hashing), albeit not "perfect", and the implementation seems credibly good. A separate, detailed guide to setting all this up is forthcoming.

I'm not particularly keen on getting into the business of recommending VPN services, as I believe that to be outside the scope of the guide and have limited experience with current popular offerings and providers.

It would be great to list out VPN client software (including proprietary third-party clients provided by VPN services) to weigh their pros and cons. An easy to understand, layperson's description of how different types of VPNs work would also be a worthwhile addition to the guide. Overall, I think providing readers with a good understanding of the networking and security concepts involved with VPNs is most productive, rather than simply saying one ought to use a VPN at their discretion.

[TraderStf]

Very interesting
http://www.eecs.qmul.ac.uk/~tysong/files/PETS15.pdf
found via
http://arstechnica.com/security/2016/06/aiming-for-anonymity-ars-assesses-the-state-of-vpns-in-2016/

https://medium.com/silk-stories/choosing-a-vpn-be-careful-here-s-why-92f2b97bb203

[TraderStf]

https://vpn-comparison.silk.co
Lots of search filters available.

Another one:
https://thatoneprivacysite.net

[TraderStf]

http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/

Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally.

[quinncomendant]

I just learned about Streisand, which goes a long way towards secure VPN (issues raised by @TraderStf above). People without deep understanding of VPN security should not attempt to roll their own VPN. Unfortunately, people running VPN services too often are in this set. Streisand seems to be well opinionated for end-users without the skills for VPN hardening. It's not trivial to setup, but may help those with only enough skills to be harmful from making bad choices.

Though it might not be appropriate to recommend VPN services in this guide, it may be worth mentioning the pitfalls of doing VPN incorrectly (and the risks of subscribing to a service with gaps in security). Edit: I just re-read the VPN section, and it provides a satisfactory caveat; sorry to restate the obvious.

[TraderStf]

@quinncomendant, I agree with you so many VPN (and their ~'masked/revamped' affiliates, different company name) are just surfing the wave$.
Some are using google dns (tracking and censure, blocking domains), not even block ip6 leak (quite easy...), use google analytics or fonts in their software and/or apps, fake advertising (purevpn in 2015 ~120 servers, 2016 ~500!, check their servers' ip, connect to city A with X servers, only 1 IP...)

My first checking is the creation date of their site with a whois to eliminate these newbies...
I like your idea of pitfalls, a check list would be a good start. sorry for my ~English 👾 I'm a bit in hurry

VPN CHECKLIST
—— COMPANY
— domain creation date and relocation/changes/history
http://whois.domaintools.com/nordvpn.com
— real owner or affiliate
— bitcoins
— know errors, law suites, leaks, attacks...

—— TOOLS
— tracking tool: google analytics...
— internal support or third party
— own apps, open source, third party

—— HARDWARE
— own servers or third party
— maintenance by them or third party

—— PROTOCOLS
— most secure
— most recent
— outdated/insecure
— own (double encryption, own encryption)

—— TESTS
— IP6 LEAK
— DNS LEAK

And a lot more on security/privacy, subject I don't know enough.

A huge work, but can be reduced by filtering out 'new comers' thanks to vpn-comparison.silk.co and few other sites.

When I'm thinking to browser fingerprinting and such deep detection using font metrics, if you combine all that, anonymity is far away... may be privacy from commercial companies, but look at FB tracking latest news...

Fingerprinting web users through font metrics:
http://fc15.ifca.ai/preproceedings/paper_83.pdf

[mlinton]

The VPN checklist is a good start (solution agnostic), but many users are going to have different needs in terms of functionality, so it might be good to recommend the use of VPN when using untrusted networks, and then some criteria to consider when configuring/selecting the server/service such as DNS leakage, etc...

[marcus-cr]

AirVPN. Hands down.

• 4096 bit RSA keys size, AES-256-CBC Data Channel, HMAC SHA1 Control Channel, DH
• At this time only their beta uses latest OpenVPN
  -Still usable on iPhone, macOS, Linux, etc.
• Internal DNS (anti-ICE/ICANN censorship)
• No logging or monitoring
• No IPv6/DNS leaks

[TraderStf]

New useful sites, I have no link with any:

http://www.vpnlist.net

https://www.wikileaks.org/wiki/Alternative_DNS
https://anonymous-proxy-servers.net/wiki/index.php/Censorship-free_DNS_servers

https://www.strongswan.org - OpenSource IPsec-based VPN Solution
http://www.softether.org - OpenSource multi-protocols VPN software
https://tunnelblick.net/ - you know...

https://www.shimovpn.com - multi-protocol VPN software, commercial
https://www.sparklabs.com/viscosity/ - OpenVPN client, commercial

https://www.ivpn.net/privacy-guides
https://www.ivpn.net/setup/router-pfsense.html
(http://www.vpnsp.com/vpn-services.html)

[marcus-cr]

I'm highly skeptical over many of those links you provided. I don't touch Tunnelblick (has had it share of issues) whereas OpenVPN wouldbe better alternative, VPNList.net and VPNSP.com show many worthless VPNs (PIA isn't too bad, though I gave up my trial and went back to AirVPN), I wouldn't touch ShimoVPN or Viscosity either (proprietary), and I'm skeptical over the Wikipedia list from anonymous-proxy-servers.net.

[TraderStf]

The links I gave are to get lists or tools that can help usual user who tries to get info.
PIA is in USA, 5👁, already gave coordinates of π2π kids.
airvnp, no cookie but use Piwik analytics.

I don't want to start a 'fight', just give facts I saw, which I did not verify...

In my case, an average joe, a VPN is just to get out of 'advertisers' nests, for the rest, stop dreaming...

What I am really worried about are these 💩 insurance or pharmaceutical companies which are tracking you. (google pharma collect data to profile you)

But with all the 'leaks' and habits we have, the 'tracking', secret or not, services can already find you back: browser finger print, local-time, wake-up/sleep time, usual sites visited, free tool, apps you downloaded, vpn, protocols, net speed, keyboard typing and reading speed, languages, etc used...
All those statistics that an AI can clean out in few minutes.
For me, the battle is lost a long time ago, it's just a question of $.

The only thing, clever guys here, not me, can do is to help for few weeks/days activists, journalists... but the question is complex, you can also provide help to 'bad' guys.

One guy I would like to salute, is the one who bring down that italian company which was $$$elling exploits to anyone.

I will stop my 1984 nightmare, it's not the place to do that.
Anyway, thanks to all the clever guys here to help all to get a bit more safe.

[TraderStf]

Last words, google for them, I 'like':

• microscopic chip illegally put on usual 'cpu' chip to spy
• open source, how many genius are wasting their time to check all the updates to discover an 'unknown' backdoor
• university, with statistics, etc can figure out what kind of data is going through a vpn: movie, chat...
• so many amazing articles I don't remember

All better than an old James Bond 🍸

About PIA, can't be published at a better moment: att