Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enhancements for VPN section #114

Closed
gripedthumbtacks opened this issue Apr 30, 2016 · 42 comments
Closed

Enhancements for VPN section #114

gripedthumbtacks opened this issue Apr 30, 2016 · 42 comments

Comments

@gripedthumbtacks
Copy link

https://github.com/drduh/OS-X-Security-and-Privacy-Guide/blob/master/README.md#vpn

Although OpenVPN is great, it is lacking fresh crypto, especially on mobile versions and even OS X due to builds with native (old) crypto libs. This can become a problem when you attempt to override the default cipher, keysize, digest, etc with stronger variants -- eg AES256, 4096bit keys, SHA512, etc. Notorious are the iOS and Android builds of OpenVPN as they will not support the stronger crypto currently, sometimes due to the limitation of the platforms themselves.

As a potential short term alternative until stronger crypto is supported by OpenVPN on mobile devices, Disconnect runs a tiered service that allows "free VPN" on mobile devices up to 100MB a month. This is good for casual VPN users to try out. They also offer a paid service for multiple devices for between $30-$50 annually ($3-$4 per month, very affordable). Disconnect is also the Public Benefit (B Corp) that runs the default search engine for the Tor Browser Bundle (TBB). As such, they are fairly trusted. A link to their site is below:

https://disconnect.me/

Note: Disconnect VPN blocks connections on some ports, so beware that they do perform filtering to cut down on abuse of their free service. They block commonly abused ports and also connections to high ephemeral ports. Eg. If you try to connect to services on high numbered ports via the VPN, they may not work :(

@quinncomendant
Copy link

A fantastic VPN option for iOS is OpenDNS' Umbrella Prosumer for $20/year (not to be confused with OpenDNS Home VIP. On OS X, Umbrella is custom version of dnscrypt connecting to customizable OpenDNS servers for risk mitigation, with black/whitelists and policy behaviour. But on iOS, for which there is no way to enable use encrypted DNS, they configure a full VPN using the iOS native VPN client, which goes through OpenDNS servers and is protected by the same customizable DNS lists.

This is a great product; I've been using it for 15 months, very happy. It should be added alongside dnscrypt on the main page.

@TraderStf
Copy link
Contributor

TraderStf commented May 1, 2016

This can help you, too bad that devices/os are not listed.

Now at:
https://thatoneprivacysite.net

outdated link, new one is above
https://docs.google.com/spreadsheets/d/1FJTvWT5RHFSYuEoFVpAeQjuQPU4BVzbOigT0xebxTOw/edit#gid=0

@TraderStf
Copy link
Contributor

I have tested several on OSX and Android, WIFI and Cable 100/5 Mbps from Belgium.
Lot of good deals on stacksocial.com, my affiliate link https://stacksocial.com/?rid=1465893

Dis/Connect immediately <5 sec, ZenMate and SurfEasy, hassle free (2 params), almost no drop, speed good. TigerVPN also connect a bit more longer.
Cyberghost ok but several drops a day.
ExpressVPN,Privatoria, NordVPN, speed good, almost no drop. NordVPN full of optional parameters.
PureVPN, crap, lot of usual options to pay for, don't know what protocol is in use, warning to refund policy, lying on number of servers, no real 24/7!
ipinator just small affiliate of hideme.
hidemyass, give user data to authorities, already at least 2 times.
holavpn, some kind of p2p vpn, use your bandwidth, quite fast.

Do not use totally free vpn! Some serious paying vpn are offering limited bandwidth, speed, servers or duration.

Some can be used by defining the setting in Apple Network, some required their own client.
Some must use clumsy TunnelBlick...
Some with extra 'protection' adblocker, malware, proprietary or user definable DNS resolver, kill switch...
But the ads, malware... are not enough, always some you had to block with extra tool, so useless double filtering, switch them off and use usual web/os blocker, host file/lists...

What to check before subscribing:
refund for the test period, juridiction, real owners, just rebranded/affiliate, creation date, servers' exact locations (some say .de but it's in .nl), email port opened, IP6... what else.
Can ask me if you any questions.

Review sites you can trust, without affiliate links! are
https://vpnreviewer.com/
https://torrentfreak.com/anonymous-vpn-service-provider-review-2015-150228/

@drduh
Copy link
Owner

drduh commented May 4, 2016

Thanks for the lively discussion and the good recommendations.

Personally, I run my own OpenVPN server and connect to it from my Android device (OpenVPN app from Play Store) and OS X (Homebrew) computers when on the go. I have found the cryptographic primitives used to be quite sound (TLSv1/SSLv3 DHE-RSA-AES256-SHA w/ 4096 bit RSA, 2048-bit DH params, CBC cipher mode, SHA-256 hashing), albeit not "perfect", and the implementation seems credibly good. A separate, detailed guide to setting all this up is forthcoming.

I'm not particularly keen on getting into the business of recommending VPN services, as I believe that to be outside the scope of the guide and have limited experience with current popular offerings and providers.

It would be great to list out VPN client software (including proprietary third-party clients provided by VPN services) to weigh their pros and cons. An easy to understand, layperson's description of how different types of VPNs work would also be a worthwhile addition to the guide. Overall, I think providing readers with a good understanding of the networking and security concepts involved with VPNs is most productive, rather than simply saying one ought to use a VPN at their discretion.

@TraderStf
Copy link
Contributor

TraderStf commented Jun 10, 2016

https://vpn-comparison.silk.co
Lots of search filters available.

Another one:
https://thatoneprivacysite.net

@TraderStf
Copy link
Contributor

http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/

Breaking a single, common 1024-bit prime would allow NSA to passively decrypt connections to two-thirds of VPNs and a quarter of all SSH servers globally.

@quinncomendant
Copy link

quinncomendant commented Jun 10, 2016

I just learned about Streisand, which goes a long way towards secure VPN (issues raised by @TraderStf above). People without deep understanding of VPN security should not attempt to roll their own VPN. Unfortunately, people running VPN services too often are in this set. Streisand seems to be well opinionated for end-users without the skills for VPN hardening. It's not trivial to setup, but may help those with only enough skills to be harmful from making bad choices.

Though it might not be appropriate to recommend VPN services in this guide, it may be worth mentioning the pitfalls of doing VPN incorrectly (and the risks of subscribing to a service with gaps in security). Edit: I just re-read the VPN section, and it provides a satisfactory caveat; sorry to restate the obvious.

@TraderStf
Copy link
Contributor

TraderStf commented Jun 11, 2016

@quinncomendant, I agree with you so many VPN (and their ~'masked/revamped' affiliates, different company name) are just surfing the wave$.
Some are using google dns (tracking and censure, blocking domains), not even block ip6 leak (quite easy...), use google analytics or fonts in their software and/or apps, fake advertising (purevpn in 2015 ~120 servers, 2016 ~500!, check their servers' ip, connect to city A with X servers, only 1 IP...)

My first checking is the creation date of their site with a whois to eliminate these newbies...
I like your idea of pitfalls, a check list would be a good start. sorry for my ~English 👾 I'm a bit in hurry

VPN CHECKLIST
—— COMPANY
— domain creation date and relocation/changes/history
http://whois.domaintools.com/nordvpn.com
— real owner or affiliate
— bitcoins
— know errors, law suites, leaks, attacks...

—— TOOLS
— tracking tool: google analytics...
— internal support or third party
— own apps, open source, third party

—— HARDWARE
— own servers or third party
— maintenance by them or third party

—— PROTOCOLS
— most secure
— most recent
— outdated/insecure
— own (double encryption, own encryption)

—— TESTS
— IP6 LEAK
— DNS LEAK

And a lot more on security/privacy, subject I don't know enough.

A huge work, but can be reduced by filtering out 'new comers' thanks to vpn-comparison.silk.co and few other sites.

When I'm thinking to browser fingerprinting and such deep detection using font metrics, if you combine all that, anonymity is far away... may be privacy from commercial companies, but look at FB tracking latest news...

Fingerprinting web users through font metrics:
http://fc15.ifca.ai/preproceedings/paper_83.pdf

@mlinton
Copy link
Contributor

mlinton commented Jul 20, 2016

The VPN checklist is a good start (solution agnostic), but many users are going to have different needs in terms of functionality, so it might be good to recommend the use of VPN when using untrusted networks, and then some criteria to consider when configuring/selecting the server/service such as DNS leakage, etc...

@marcus-cr
Copy link
Contributor

marcus-cr commented Nov 18, 2016

AirVPN. Hands down.

  • 4096 bit RSA keys size, AES-256-CBC Data Channel, HMAC SHA1 Control Channel, DH
  • At this time only their beta uses latest OpenVPN
    -Still usable on iPhone, macOS, Linux, etc.
  • Internal DNS (anti-ICE/ICANN censorship)
  • No logging or monitoring
  • No IPv6/DNS leaks

@TraderStf
Copy link
Contributor

@marcus-cr
Copy link
Contributor

I'm highly skeptical over many of those links you provided. I don't touch Tunnelblick (has had it share of issues) whereas OpenVPN wouldbe better alternative, VPNList.net and VPNSP.com show many worthless VPNs (PIA isn't too bad, though I gave up my trial and went back to AirVPN), I wouldn't touch ShimoVPN or Viscosity either (proprietary), and I'm skeptical over the Wikipedia list from anonymous-proxy-servers.net.

@TraderStf
Copy link
Contributor

The links I gave are to get lists or tools that can help usual user who tries to get info.
PIA is in USA, 5👁, already gave coordinates of π2π kids.
airvnp, no cookie but use Piwik analytics.

I don't want to start a 'fight', just give facts I saw, which I did not verify...

In my case, an average joe, a VPN is just to get out of 'advertisers' nests, for the rest, stop dreaming...

What I am really worried about are these 💩 insurance or pharmaceutical companies which are tracking you. (google pharma collect data to profile you)

But with all the 'leaks' and habits we have, the 'tracking', secret or not, services can already find you back: browser finger print, local-time, wake-up/sleep time, usual sites visited, free tool, apps you downloaded, vpn, protocols, net speed, keyboard typing and reading speed, languages, etc used...
All those statistics that an AI can clean out in few minutes.
For me, the battle is lost a long time ago, it's just a question of $.

The only thing, clever guys here, not me, can do is to help for few weeks/days activists, journalists... but the question is complex, you can also provide help to 'bad' guys.

One guy I would like to salute, is the one who bring down that italian company which was $$$elling exploits to anyone.

I will stop my 1984 nightmare, it's not the place to do that.
Anyway, thanks to all the clever guys here to help all to get a bit more safe.

@TraderStf
Copy link
Contributor

TraderStf commented Nov 18, 2016

Last words, google for them, I 'like':

  • microscopic chip illegally put on usual 'cpu' chip to spy
  • open source, how many genius are wasting their time to check all the updates to discover an 'unknown' backdoor
  • university, with statistics, etc can figure out what kind of data is going through a vpn: movie, chat...
  • so many amazing articles I don't remember

All better than an old James Bond 🍸

About PIA, can't be published at a better moment: att

@marcus-cr
Copy link
Contributor

marcus-cr commented Nov 18, 2016

No fights, only discussion. I gave up PIA. I believe AirVPN is based out of Italy. Elaborate on AirVPN using Piwik, and with sources if you have any. Of course there are ways to track users via user browsing habits, even bio-metric behavioral profiling based upon user's typing abilities. If someone is trying to avoid surveillance then it is best to get completely off the grid/technology.

@TraderStf
Copy link
Contributor

Go on their site, you'll see piwik in any adblocker or in the page code, anyway not a big deal, though.

@marcus-cr
Copy link
Contributor

marcus-cr commented Nov 19, 2016

Seems rare to find websites that aren't trying to see what areas on their site are being frequented often, albeit unnecessarily and/or possibly in an unethical manner. It is public facing after all. But like you said it is most likely not a big deal.

@kristovatlas
Copy link

@TraderStf

PIA [...] already gave coordinates of π2π kids.

link?

@gripedthumbtacks
Copy link
Author

FYI F-Secure Freedome might be a semi-trustworthy VPN solution if you trust Mikko Hyppönen.

https://www.f-secure.com/en_US/web/home_us/freedome

@ghost
Copy link

ghost commented Jan 6, 2017

I think it's safe to say that we shouldn't include any VPN services. The fact that people in the discussion can't agree on any VPN services because at the end of the day, it comes down to the users wants and needs. There's just so many services out there and how do we know they're trustworthy or better than each other. By comparing when a website has Piwik or analytics software running?

I know @TraderStf is trying to push for the VPN services and recommending services not in the Five-Eyes countries. My question to @TraderStf is how do you know services from non-Five-Eyes countries is better than the one from Five-Eyes countries. Is there any proof that they're trustworthy or are we taking what they say on their website for truth? Oh this service has 4096-bit RSA keys, no-logging, no DNS leak ... that suddenly makes them better?

Not trying to start a fight but I think it's just not worth it to list out services - we don't know if they're good and trustworthy. That should be up to the user. By putting it in the guide, we specifically say, these services are good without actually knowing if they are or not. And really, there isn't a one-size fits all solution; everyones different and that's why there is a diverse amount of VPN services.

In the spirit of the guide, it is more technical and touches on topics that can be verified or has other trusted resources. If we are going to expand the VPN section, I'd rather it explain anything we can actually verify that is working as expected.

  • Listing strong ciphers and mechanisms - sure and verifiable
  • Listing appropriate settings for VPNs - sure and verifiable
  • Listing a bunch of VPN services - that's all trust and can't be verified.

@marcus-cr
Copy link
Contributor

I appreciate you playing devil's advocate here, @xdtnguyenx, but:

I think it's safe to say that we shouldn't include any VPN services

Disagree. This guide lists plenty of tools for users to pick from, VPNs should not be any different.

This guide shouldn't neglect to reference some services with a history of being credible and reliable. Many VPN's are garbage. Any Joe can find a random blog listing VPN services.

I can see why the dissonance between VPN services would cause you to say that all should be left out, but you could also argue that this should/would apply to the other tools this guide references (or doesn't reference), e.g. why cover Little Snitch instead of Murus firewall, or why not just cover built-in PF entirely instead of third-party firewalls? (not even bothering with the application layer vs network layer firewall debate here)

Oh this service has 4096-bit RSA keys, no-logging, no DNS leak ... that suddenly makes them better?

I'd opt for 4096-bit RSA keys with no-logging, no DNS leaks, and a history of being reliable with some credibility... so yes. Much better than its opposite. I avoid free VPNs like the plague and question anything less than 2048-bit keys.

So yes, the guide should cover some basics so users can make their own choices.. But this guide is just that... a guide. Security/privacy is about weighing risks.

@TraderStf
Copy link
Contributor

TraderStf commented Jan 6, 2017

Not really... at least not anymore, and with so few people involved.
Anyway, it's impossible and as you say can't verify almost anything except few technical points.

Extensive lists of VPNs are available on 2 sites, see above.

As I told in other threads, would be better to mention:

  • useless settings, config, magic-services, encryption
  • methods to verify settings (see osx-config-check, osxlockdown...)
  • buggy apps, see the Issue I have just closed ~"ipinator logs macos login/pw", or above May 1.
  • add this extension, settings to avoid known problems (webrtc, dns ip6...)

My goal is to avoid 'ads, marketing, malware, insurances..." exploiting data too easily, not any gov, agencies... fight is already lost for 99.9%

Spot useless tools, services, and crooks to help average non-tech users.

I just collect information about things to be avoided or which are useless today/soon.

@TraderStf
Copy link
Contributor

@kristovatlas articles by π2 addicted which are wasting their time copying brainless movies and apps...
You know "Smart phones for stupid people" 🤡... too bad there is no Lemmings icon/emoji

@ghost
Copy link

ghost commented Jan 6, 2017

I think the difference @marcus-cr is that you can test a firewall if it's working. You can have an outside source capturing packets to see if it's legit, trustworthy, etc. When you start bringing in VPN services, you can only test everything exterior to it, which is what they claim. What makes a service trustworthy though? Playing devils advocate. It's been around for a while? It provides strong encryption?

If tomorrow, I decided to start a VPN service that starts logging but claim that I don't, but offer strong encryption. How do you know? If no one knew and I had the services around for years, then is it credible and reliable? I guess that's what I ultimately want to know - what qualifies? Because there's a lot of VPNs that have been around for a while too, provide strong 4096 RSA keys, all claim no-logging and no-DNS leaks. (Last time I check, all services say the same thing, why would I advertise as being less secure?)

I'd feel more comfortable giving people tips on what to look for in VPN services or to avoid, rather than actual services. Services can change through time and so do it's reliability. You say that it's a guide, so why not it let it be one? Just give them tips & let them decide, instead of making that decision for them by giving them a list to choose from.

Little sidenote: Yeah, why don't we have a better section on the PF?

@marcus-cr
Copy link
Contributor

marcus-cr commented Jan 6, 2017

As I stated before, it's all about weighing risks. I can't emphasize this enough.

Also you can't compare measuring local security mechanisms vs the security mechanisms at a remote location. Now if we're talking about a firewall at a remote location... That's a different story. Security audits would be needed, but commercial providers don't generally allow their users to do so.

I'm not a lawyer but if a company (or individual) violated the ToS... well then they're violating a legally-binding contract. Companies and individuals have been sued over this.

If you truly want to ensure strong encryption without logs then you (or users) should roll their own VPN, however know the caveats: there most likely will be potential security holes; this also applies to commercial VPNs though (there are no guarantees, even with no-logging policies).

PF is so extensive it would require its own guide entirely, unfortunately. That's why third-party vendors create software like Murus.

@ghost
Copy link

ghost commented Jan 6, 2017

(Accidentally deleted my post)
Yes with everything, it is about weighing risk.

But my statement still stands since you didn't answer my concern and have decided to dance around the question, what qualifies as reliable and trustworthy?

Just going off of TOS, when was the last time a VPN provider was sued? If you can't really prove that I violated my TOS, how do you even take me out to court? Again not a lawyer.

Which I still stand by my statement of why we shouldn't list actual services:

-Can't prove they are trustworthy or not
-Services and feature sets change
-Guides are static

If all the "trustworthy" ones disappeared, which one do you use then? You might as well as teach people how to find good ones and look at their practices, rather than recommending a list.

@robbintt
Copy link

robbintt commented Jan 6, 2017

I've written an MIT licensed Ansible playbook designed to leverage yet another ansible role (Stouts.openvpn) for OpenVPN. As long as we are having this conversation about trusting VPN providers, here it is so you can become a VPN provider for your friends and family: https://github.com/robbintt/popup-openvpn

@TraderStf
Copy link
Contributor

TraderStf commented Jan 7, 2017

Working with 'positive results' is impossible, unverifiable for VPN.

We can already start a listing of VPN which sVcks (technically, legally 5 eyes or $/1 option), outdated settings, few verifications steps (webrtc ip6) and no-to-do while under VPN (read FaceCrook, gmail, NTP, calendar, updates,paypal,avatar,disqus...)

You get the idea.

There are 3 goals: anonymity (press, whistleblowers,...), privacy (ads, insurances,...) and protection (malware, bank,...), can't have all at 100% at the same time.

What do you think of these 3 goals?
Hope I'm clear enough 😜

When I go to my bank under VPN (protection OK), I don't care about reading my twitter at the same time (anonymity not of coz and privacy so so).

@marcus-cr
Copy link
Contributor

@xdtnguyenx I already answered your questions above.

Contact an attorney if you want to know the process of suing a company who violates their own ToS.
Find an attorney who studies IT case law and ask them when a VPN was last sued for violating their own ToS.

Can someone else chime in?

@TraderStf VPNs don't protect against malware. What is 'positive results' when you wrote:

"Working with 'positive results' is impossible, unverifiable for VPN."

@ghost
Copy link

ghost commented Jan 11, 2017

@marcus-cr Still coping out on the question: "what qualifies as reliable and trustworthy?" Which I asked about 3 times now (which people can look up at the comments and see that he's actively avoiding). But whatever, it seems like you don't even know yourself.

I was playing devil's advocate and trying to make enhancements more meaningful, but if it's being ignored, do whatever with the guide. It's like I'm talking to a brick wall; I asked the question, just answer it.

@marcus-cr
Copy link
Contributor

You're asking common sense questions ("what makes a company trustworthy?") while being insulting.
Be grateful I am actually trying to help you with whatever free time I have, with whatever information at hand.

To address your question again, as stated above:

  • High-bit encryption
  • No DNS-leaks/logging (dependent upon needs)
  • Security audits
  • Established or well-known within security community/anti-surveillance community/open-source community/torrenting community, etc.

Security audits is most likely the answer you've overlooked. I'm not going into much detail here since it is self-explanatory. This would address the VPN's security posture, or lack thereof. Of course this varies upon the scope of the audit and preferable performed by a third-party.

The last point requires more research on the user's part, with their own needs taken into account. There is at least one VPN I'm aware of that actively supports and help fund open-source projects such as OpenNIC and OpenBSD, and even provides Tor relay/exit nodes and the Tor Project itself.

If this still doesn't satisfy your question, please try adding what you personally think would deem a VPN as reliable. Please consider this my last post to help you.

Cheers.

@TraderStf
Copy link
Contributor

@marcus-cr of vpn don't protect against Application malware, but against sites delivering malware, if the vpn offers that option.

'positive' no one can say for example "they dont keep logs", all we can proof is negative results.

@TraderStf
Copy link
Contributor

TraderStf commented Mar 10, 2017

I just noticed that NordVPN is supporting IP6.

@nadavP3
Copy link

nadavP3 commented Mar 29, 2017

Thoughts on this?
https://www.reddit.com/r/news/comments/621tqg/house_repeals_fcc_broadband_privacy_rules/dfj3qnz/

Build your own VPN. Host an OpenVPN server on AWS, buy a RouterBoard and connect it as a client, tunnel everything.
You'll now be connecting to the Internet via a AWS endpoint, where your ISP will see nothing but encrypted garbage, and AWS has no incentive to log browsing data.
Write some exceptions for your game consoles, and gaming servers so that you don't add latency to your online gaming.
If you don't know how to do this, you should learn. Online privacy rights are eroding, so everyone should strive to learn about how the Internet works so that they can personally protect their own privacy.
To get you started: https://www.comparitech.com/blog/vpn-privacy/how-to-make-your-own-free-vpn-using-amazon-web-services/

@ghost
Copy link

ghost commented Mar 29, 2017 via email

@TraderStf
Copy link
Contributor

PureVPN Helped the FBI with Logs

@useradd-deploy
Copy link

useradd-deploy commented Dec 9, 2017

Helpful guide. Thanks to all who have contributed.

Consider including Algo VPN. It's a package of Ansible scripts that install strongSwan, an open-source self-hosted IPsec VPN, on a cloud server.

All this is new to me and I found it easy enough to set up. I've written up my experience for similarly-situated users: Brew Your Own VPN With Algo — Take 2.

Whether a self-hosted VPN such as Algo is appropriate for you depends upon your threat model.

@lebensterben
Copy link
Contributor

The website https://thatoneprivacysite.net, mentioned by @TraderStf, is very helpful and detailed. It worth being considered to be mentioned in the VPN section.

@janecollen
Copy link

Although disconnect.me is a good option for mobile devices. But there are several other tested VPN that works properly with IOS devices.
Disconnect.me is quite expensive if we compare it to other VPNs like NordVPN, IPVanish and several others. On the other hand, it is not much familiar in the vpn industry, I couldn't find any reviews of Disconnect which makes it questionable whether it fulfills all the requirements or just promise to fulfill.

In my opinion, we have a list of free VPN for Mac that can work with strong crypto under this list.

@TraderStf
Copy link
Contributor

TraderStf commented Apr 9, 2018

FYI

https://getoutline.org/en/home
(google) Alphabet's Outline is an open-sourced VPN builder for anybody. Instead of trusting some shady company with all of your traffic, you can build your own private network that protects all of your data.

https://www.zdnet.com/article/more-privacy-busting-bugs-found-in-popular-vpn-services/
PureVPN aka liars, google to see how quickly they pretend to have 'grown', tests IP, etc... gives up users too.
HotSpot Shield, google, gives up users.
Zenmate

A bit related, DNSr:
https://blog.cloudflare.com/dns-resolver-1-1-1-1/
IP4 and IP6
tests: http://www.dnsperf.com and
From Belgium, it's really fast, very close to the speed of my ISP DNSr which is fasttttt.
Try https://code.google.com/archive/p/namebench/

euh 5 👁...

@drduh drduh closed this as completed in dfd85f0 Jul 30, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests