I don't agree that your tests were too stringent, it only takes the one leak. Stress testing IS what's required. Echoing others, thanks for doing this, I think it should be part of differentiating VPN service offerings as people get more discerning. While one can never be sure about the logging, at least we can have a feel for whether the jurisdiction is likely to be cooperative, and choosing mutually antagonistic ones!
Good, so the testing was rigorous and thorough! Have you seen that comprehensive "VPN Providers" chart that some random guy created and updates? It's not like yours, there is no testing and the only technical information he provides is what the VPN providers themselves claim on their websites, but he has gathered a lot of other info such as country of jurisdiction, whether they own their servers, etc. He has broken down their TOS and Priv Policies and points out the unique differences and risks of each individual provider. I'm sure you've seen it, I'd post it if the computer I have it on worked. Well, the research and information he has gathered paired with the data you have now collected would be a very comprehensive resource!
I definitely agree that knowing factors such as what country they operate out of, server info, and really anything legal are important details
NVM @mirimir, I now see where your Bitcoin address is. Obviously my understanding of what you exactly did as far as testing is concerned is very limited. Would you say it is reliable enough to be damning evidence against providers who fail testing, since they are providing a service that is highly flawed and not doing what they claim? That industry needs some oversight and accountability.
Yes, I know /r/ThatOnePrivacyGuy. And yes, it's just aggregated information from providers, and some classification.
Yes, I thought about that. Actually, I've thought about crowdfunding additional VPN testing. That is, have a page that accepts requests from users, and allows users to bid on VPNs to test, using a reputable Bitcoin escrow service.
Awesome, and thanks for your hard work! Out the window goes PureVPN, in comes... I haven't decided yet. Cheers, Daniel
I did some work on that. I created my own VPN, which was vulnerable because the server used the same IP for entry and exit. And even then, it was pretty hard to get it to leak. You need two accounts, both using the same server with the same IP. So I decided that it was low risk and too much work. Anyway, VPNs with different IPs for entry and exit aren't vulnerable.
Yeah that's the direction I figured you were going. Towards growth, and turning it into something more.
Nice! The official OpenVPN client doesn't have killswitch protection, so I guess that would mean it would fail all the tests? A shame, since I trust it better, which has been confirmed with the Cyberghost client collecting info. It would also be interesting to know if the clients use DEP/ASLR on Windows (and Mac equivalents) for basic exploit protection.
For the most part, yes. But FrootVPN with stock OpenVPN in Windows didn't leak at all. So it's possible. As long as you prevent IPv4 and IPv6 leaks with firewalls, and block IPv6 if you don't need it, stock OpenVPN is safe. Please say more about that.
Ah great, I'll research that some more. On Windows you can check if a process has DEP (Data Execution Prevention, sometimes also known as NX bit or W^X) and ASLR (Address Space Layout Randomization) easily with Process Explorer. Be sure to run it as Admin, customize the columns and add DEP Status and ASLR Enabled. Then you'll be able to see if the processes themselves have it enabled. If you set the Lower pane view to DLLs, then you can check if the DLL files loaded into the process also have ASLR enabled, because if not they could be used to bypass it. (You need to add a column for ASLR again in the DLL view.) I'm not familiar with OS X so I'm not sure how to check it there.
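The Process Explorer columns described in the comment above report the same two linker flags that live in the PE header of the executable and each DLL it loads. The script below is an added example (not posted by anyone in this thread) that reads those flags straight from a file on disk with POSIX od, so it works from a Linux box with a copy of a Windows VPN client. The offsets come from the PE/COFF layout (e_lfanew at 0x3c; DllCharacteristics at offset 70 of the optional header in both PE32 and PE32+). mk_fake_pe builds a constructed, minimal image purely so the check can be exercised offline; it is not a real binary.

```shell
#!/bin/sh
# Added example, not from the thread: report ASLR / DEP opt-in flags of a PE file.
# DllCharacteristics bits (PE/COFF spec):
DYNAMIC_BASE=64        # 0x0040  image may be relocated -> ASLR
HIGH_ENTROPY_VA=32     # 0x0020  64-bit high-entropy ASLR
NX_COMPAT=256          # 0x0100  DEP / NX compatible

# Little-endian readers built on single bytes, so host byte order does not matter.
le16() { f=$1; off=$2; set -- $(od -An -t u1 -j "$off" -N 2 "$f"); echo $(( $1 + ($2 << 8) )); }
le32() { f=$1; off=$2; set -- $(od -An -t u1 -j "$off" -N 4 "$f"); echo $(( $1 + ($2 << 8) + ($3 << 16) + ($4 << 24) )); }

# Prints "ASLR=yes|no NX=yes|no HIGH_ENTROPY=yes|no"; returns 1 if $1 is not a PE image.
pe_mitigations() {
  f=$1
  [ "$(head -c 2 "$f")" = "MZ" ] || { echo "not a PE image"; return 1; }
  pe=$(le32 "$f" 60)                                  # e_lfanew at 0x3c
  sig=$(od -An -c -j "$pe" -N 2 "$f" | tr -d ' \n')
  [ "$sig" = "PE" ] || { echo "not a PE image"; return 1; }
  dllchar=$(le16 "$f" $(( pe + 24 + 70 )))            # COFF header is 24 bytes incl. signature
  flag() { [ $(( dllchar & $1 )) -ne 0 ] && echo yes || echo no; }
  echo "ASLR=$(flag $DYNAMIC_BASE) NX=$(flag $NX_COMPAT) HIGH_ENTROPY=$(flag $HIGH_ENTROPY_VA)"
}

# Constructed test image (NOT a real binary): just enough header for the check above.
# $1 = output path, $2 = DllCharacteristics value in decimal.
mk_fake_pe() {
  lo=$(( $2 & 255 )); hi=$(( ($2 >> 8) & 255 ))
  {
    printf 'MZ'                                  # DOS header magic, offset 0
    head -c 58 /dev/zero                         # pad to 0x3c
    printf '\200\000\000\000'                    # e_lfanew = 0x80
    head -c 64 /dev/zero                         # pad to 0x80
    printf 'PE\000\000'                          # NT signature at 0x80
    head -c 20 /dev/zero                         # COFF file header
    printf '\013\002'                            # optional header magic 0x20b (PE32+)
    head -c 68 /dev/zero                         # up to DllCharacteristics (offset 70)
    printf "$(printf '\\%03o\\%03o' "$lo" "$hi")"  # DllCharacteristics, little-endian
  } > "$1"
}

# Demo on two constructed images: all three flags set (0x160), then none (0x000).
demo=$(mktemp)
mk_fake_pe "$demo" 352; echo "flags 0x160: $(pe_mitigations "$demo")"
mk_fake_pe "$demo" 0;   echo "flags 0x000: $(pe_mitigations "$demo")"
rm -f "$demo"
# Real use: pe_mitigations /path/to/client.exe, then the same for every DLL it ships.
```

A binary without DYNAMIC_BASE is loaded at its preferred address on every run, which is exactly the non-randomized module an attacker wants for an ASLR bypass; that is why the comment above says to check the DLLs too, not just the main process. Note this reads the opt-in flags, not the running state: a system-wide DEP policy or a Windows 10 mitigation policy can still force DEP on a process whose file says NX=no.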
Well, there are lots of VPN services, and they're frequently updating stuff. So keeping a testing site up to date would be at least a full-time job. But I must work, so I can only spend limited time unless it's generating income.
@mirimir any plan to test clients for Linux? PIA, AirVPN and others have their own client for at least the most popular flavors.
I doubt that I'll test Linux clients. I mean, why bother with them? It's really easy to do it right, using iptables rules.
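Two comments above say the same thing in different words: stock OpenVPN does not leak if the firewall only lets tunnel traffic out (the FrootVPN result) and, on Linux, "doing it right" is a handful of iptables rules. Here is what that ruleset looks like, as an added example that is not from mirimir or from any provider's client. The endpoint 203.0.113.10:1194/udp and the interface tun0 are placeholders; DRY_RUN=1 (the default) prints the rules instead of applying them, so the script is safe to read and run as-is.

```shell
#!/bin/sh
# Added example, not from the thread: an OpenVPN "kill switch" as iptables rules.
# Only three kinds of packets may leave the host: loopback, the tunnel setup
# traffic to the VPN endpoint on the physical NIC, and anything routed into the
# tun device. IPv6 is blocked outright. Everything else hits the DROP policy,
# including DNS queries to the ISP resolver, so a tunnel drop cannot leak.
DRY_RUN="${DRY_RUN:-1}"

run() {  # print one rule, or apply it when DRY_RUN=0
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

killswitch_v4() {  # args: VPN server IP, port, protocol (udp|tcp), tun interface
  server=$1 port=$2 proto=$3 tun=$4
  run iptables -P INPUT DROP
  run iptables -P FORWARD DROP
  run iptables -P OUTPUT DROP
  run iptables -F
  run iptables -A INPUT -i lo -j ACCEPT
  run iptables -A OUTPUT -o lo -j ACCEPT
  # Replies to our own connections (VPN handshake, traffic returning via tun).
  run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # The only thing allowed out on the physical NIC is the tunnel itself, matched
  # by IP so no DNS lookup is needed ("remote <ip>" in the .ovpn, or resolve first).
  run iptables -A OUTPUT -p "$proto" -d "$server" --dport "$port" -j ACCEPT
  # Everything else must go through the tunnel device; nothing inbound on it is opened.
  run iptables -A OUTPUT -o "$tun" -j ACCEPT
}

killswitch_v6() {  # block IPv6 entirely unless the provider actually tunnels it
  run ip6tables -P INPUT DROP
  run ip6tables -P FORWARD DROP
  run ip6tables -P OUTPUT DROP
  run ip6tables -F
  run ip6tables -A INPUT -i lo -j ACCEPT
  run ip6tables -A OUTPUT -o lo -j ACCEPT
}

# Placeholder endpoint (TEST-NET-3 address) and interface; override via environment.
killswitch_v4 "${VPN_SERVER:-203.0.113.10}" "${VPN_PORT:-1194}" "${VPN_PROTO:-udp}" "${TUN_IF:-tun0}"
killswitch_v6
```

To apply it for real: `DRY_RUN=0 VPN_SERVER=<your server ip> sh killswitch.sh` as root, before starting OpenVPN, and point the resolver at the provider's DNS so lookups travel inside the tunnel. Two things this minimal set deliberately omits and that a laptop may need added: a DHCP renewal rule (udp sport 68 dport 67) on the LAN interface, and any local-LAN access you want, each as an explicit ACCEPT rather than a broader policy.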
Generally, I think so. But please keep in mind that it's primarily based on what VPN providers say. There's no feasible way to verify most of it. I get that he's conscientious and reliable. And he has done some reviews.
thatoneprivacyguy is very active on reddit. If you have any questions just find his sub-reddit. I find his site to be pretty good.
He is on Voat now: That One Privacy Guy - Getting set up on Voat in light of the recent censorship on Reddit
Did you get a chance to test BolehVPN, Insorg, Windscribe and Witopia? I didn't see them included in your report. Are those results updated somewhere else?