Netherlands VPN servers at risk now?

Discussion in 'privacy technology' started by Fawkesguy, Oct 14, 2013.

Thread Status:
Not open for further replies.
  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @pcdoctor36

    I've become very cautious about advocating for any particular VPN service, based on what they say in public, or in private. It's just a fact that users have no real way to verify what providers say :( Indeed, none of us here know what relationship you have with iVPN, and/or other context crucial to interpreting your remarks. Please don't be offended by this. It's, of course, just as true about me. And, in any case, I do appreciate your candid comments about AirVPN and iVPN.

    Having said all that, I do get the sense that iVPN has retained its focus on providing secure and high-performance VPN services to serious privacy advocates and professionals. For example, some years ago, I asked iVPN support for a GnuPG public key, and they readily provided one. This was shortly after they had removed Liberty Reserve as a payment option. I asked if they would accept Liberty Reserve, and they agreed. This was, by the way, long before the US nuked Liberty Reserve.

    I've had no contact with AirVPN support, as I recall. But I get the sense that they've grown more, and have become less focused than iVPN. However, I have no real evidence for that, and no reason to think that they've gotten sloppy about technical safeguards against compromise. Maybe it's just that they're handling more users, and had to do that more efficiently and less personally.

    There may be other VPN services that are even more hardcore than iVPN. But, if so, I'm not cool enough to know about them ;)
     
  2. Fawkesguy

    Fawkesguy Registered Member

    Joined:
    Jan 24, 2013
    Posts:
    42
    Make up your mind! ;) (just giving you a hard time)

    I read their "VPN Privacy Policies Decoded" blog entries, and while I understand what they're claiming to do - to make sure other VPN providers have clear, easy to understand privacy policies - it looks to me to be a thinly veiled attempt at taking shots at their competition. I read their review of AirVPN's privacy policy and chuckled at how AirVPN put them in their place with their response. Yet I have to say kudos to IVPN for publishing AirVPN's response.
    What are you basing this opinion on? With AirVPN, I can check not only the up/down status of each of their servers, I can see exactly how many users are on each server and also how much bandwidth is available - and that information is available to everyone, not just their customers. https://airvpn.org/status/ I consider that to be a very high level of transparency. Does IVPN offer that? I didn't see it on their site. I may have missed it, or perhaps it's available in the customer-only area. I don't know. As to your comments about customer service transparency - I've never felt like I've had to "drag" info out of AirVPN staff. But of course that's very subjective. We've had different experiences - fair enough.

    One thing that astounded me was seeing that they require you to store your username and password in plain text on your router when using DD-WRT: https://www.ivpn.net/knowledgebase/86/DD-WRT-Setup-Guide---Manual-installation.html

    AirVPN, Boleh, and Mullvad use only encrypted certificates and keys to identify you, which I'm much more comfortable with.

    And just so we're clear, I'm not arguing with you - I think discussions like this are great. We've all had different experiences and I think it's very useful when we share them.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    The connection username and password are needed for any automatic login, whether it's the openvpn daemon in Linux, or OpenVPN clients in DD-WRT or pfSense. You could consider that two-factor authentication for login, which must be bypassed for auto login.

    For iVPN, however, that username/password combination is different from the username/password combination that you use for their website. And neither are necessarily linked to your true identity.
     
  4. Fawkesguy

    Fawkesguy Registered Member

    Joined:
    Jan 24, 2013
    Posts:
    42
    Boleh, Air, and Mullvad require no such user name and password when using OpenVPN on DD-WRT, which logs in automatically. You are identified by your user key and certificate. Unless I'm misunderstanding what you're referring to.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Some VPNs, such as SecurityKISS in free mode, use just ca.crt to authenticate the server, and username/password for client authentication. Many others, such as those that you mention, use ca.crt to authenticate the server, and client.crt/client.key for client authentication. But some, such as iVPN and Insorg, also use username/password to "pre-authenticate" client logins.

    I don't believe that username/password here is a problem. Or, at least, it's not a problem for pfSense VMs running on my computer. Maybe it is an issue for a router that could be readily compromised. And that would only be problematic if the provider linked that username to your payment information, which would be stupid.
     
  6. Fawkesguy

    Fawkesguy Registered Member

    Joined:
    Jan 24, 2013
    Posts:
    42
    Still not a fan of any username and password being stored in plain text, regardless of platform, but I understand the "pre-authenticate" angle.
     
  7. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    I know one chap on AirVPN forums who literally emailed them and "harassed" AirVPN staff, but they answered back all his questions regarding privacy and security.

    I feel AirVPN is currently one of the top choices around; they seem to take the privacy-or-bust motto very seriously, as should any VPN provider. But yeah, I hate the fact their client software is so out of date, and the guides and support seem to come from fellow members. It would have been much better if staff could have updated and created the guides and provided more support; it is there, but lacking a bit in comparison to others. I.e. their Comodo guide is like a year out of date and incomplete and makes no sense.

    Still, this was all a good 8 months ago when I tried them; I'm a happy Mullvad customer. May try Boleh or IVPN also.

    SecurityKISS sounds good, but it's Dublin/UK based. The UK and US are in bed; whatever the US does, the UK nods yes and follows, so I'm not sure I would trust them fully... not to mention the 300 meg allowance free per day, that would only be good for surfing. Anything with videos/pictures, surely that would be finished pretty quick?

    Maybe as suggested use it as a 3rd VPN provider, and spread the paranoia amongst 3 vpns ;)
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I only use it tunneled through Tor. It's free, so there's no money trail :)
     
  9. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    *Stares* There is so much disinformation unintentionally in the privacy section of Wilders, it's amazing. I don't know if it's just people who chose a provider and back them 110% just because it's the provider they chose ("just like AvB in the antivirus section") or people just claiming to know something just because. It makes life so much harder.
     
  10. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    I know you have doubts on AirVPN, but really, are they that bad? How-to guides and client support, yeah, questionable...

    Boleh and Mullvad seem to be popular also. Never tried IVPN...

    Dare I ask, please enlighten us with a few thoughts :D
     
  11. pcdoctor36

    pcdoctor36 Registered Member

    Joined:
    Aug 25, 2011
    Posts:
    62
    Let us not forget about NSA basics: traffic analysis. Network cards put out unique signatures that are very difficult if not impossible to obfuscate. I am not talking about MAC addresses. No one knows how algorithmically advanced the NSA is. Remailers developed latency times to specifically thwart traffic analysis. Layered and multi-hop VPNs are needed in my opinion to thwart this type of threat.

     
  12. pcdoctor36

    pcdoctor36 Registered Member

    Joined:
    Aug 25, 2011
    Posts:
    62
    @Fawkesguy - I don't see the pursuit of knowledge to be an adversarial process. Our life experiences are subjective. They can be no other way. You don't know me, but I have a tendency to metaphorically put a vendor's head in a vice grip when I want or need knowledge. As a client of IVPN I have done just that. Usually, and as a consumer I am sure you are aware of this, when you do that with a vendor you get push back. I have never received push back with IVPN, only calm explanative knowledge. So now you know the paradigm I used against Air when evaluating them. When you compare the two customer service departments, I encountered pushback when contrasted against IVPN. When contrasted against the rest of the world, AIR customer service is probably pretty good. I don't always have a lot of time, so I will answer the rest of what you are talking about as time goes on.

     
  13. pcdoctor36

    pcdoctor36 Registered Member

    Joined:
    Aug 25, 2011
    Posts:
    62
    We are in a troublesome age, Mirimir. I take VPN security very seriously. Ultimately, with traffic analysis on a single hop most VPNs have issues, yet they are a critical component of any personal security platform. Candid evaluation right now is in my opinion critical if we can avoid the typical cheerleader type promotion of one service over another. I don't want to be redundant here. Read what I just posted to Fawkesguy. Ultimately there is no way to prove anything with any VPN provider. It is for that reason and that reason alone that, as mentioned below, I put a provider's brain (one I am personally considering using) in a metaphoric vice grip and squeeze either until they fail, demonstrate push back, or pass 1,000 percent with a cool stream of unpretentious knowledge. IVPN met that standard and it amazed me.

    I have yet to find a service that IMO beats IVPN on being "hardcore". They are not as big as many companies but what they do is high quality. In fact they are so high quality it makes me suspect a honey pot.

     
  14. pcdoctor36

    pcdoctor36 Registered Member

    Joined:
    Aug 25, 2011
    Posts:
    62
    SecurityKISS, as you mention, is incorporated in the UK and thus has fully transposed the Data Retention Directive. Bear in mind that the NSA's stated mission is spying outside of the U.S. Couple this with US/UK complicity and SecurityKISS is knocked clean out of contention.

     
  15. pcdoctor36

    pcdoctor36 Registered Member

    Joined:
    Aug 25, 2011
    Posts:
    62
    @Fawkesguy, with regard to the server status page: yes, it is located in the IVPN customer-only area.

     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    There's a simple explanation, perhaps. With iVPN customer service, you were passed along to geeks, maybe even senior staff. To them, you may have been interesting. With AirVPN, you were just dealing with customer-service staff. To them, you were probably just extra work ;)
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I get your point. However, none of that matters for a VPN to tunnel through Tor. Your only interaction with SecurityKISS occurs via Tor. You don't need to pay for their free service.

    Consider that you're using them to search Google through Tor, or to use some other website that blocks Tor. I don't see the problem, even if SecurityKISS is logging everything. If Google or whatever let you connect directly via Tor, they could be logging everything. How is it worse when it's SecurityKISS that's logging?

    Edit: I do see one concern. If you're going to use SecurityKISS in that way, it's best to use a particular SecurityKISS account only for activities that it's OK to link. If you need different identities, with distinct and incompatible sets of activities, you need multiple SecurityKISS accounts.
     
  18. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    351
    I agree that when I question a service and they respond with knowledgeable answers, in an undefensive way, and with a real attempt to explain what they do, it's a good sign to me. People should not become defensive and find it threatening (or too much of a pain) to explain what they do. If they really believe in it, they'll want to explain it.

    Really the only experience I've had like this was with Lavabit, back in the day, when I was first checking them out. I didn't realize at the time what a one man show they were, but in retrospect it must have been Levinson himself responding and it all makes sense given what I have recently learned about him.

    That being said, what is one to do when it gets so good that it makes one suspect a honey pot? It's like one has come full circle and still confronts the reality that one doesn't ever truly know what one is getting into.

    We can devise standards to figure out what sort of person we're dealing with. But when it is ultimately an unknown person on the other side of the world there is always an element of trust (and faith that other knowledgeable users might catch something we have missed). I don't know that there is any way around this. Even the metaphorical vice grip.

    We are making judgements about people, based on their behavior (whether online or in person), that cause us to trust them. A good, knowledgeable, undefensive explanation might be what works for one person; something else might inspire trust for another person. But there is that element of trust. I don't think there is any ultimate way to interrogate a service provider and know with logical certainty that one is getting what one thinks one is getting.

    I suppose this might be where mirimir would say this is why one needs partitions of trust. To which I'll respond: what if it's honeypots all the way down?! :p (I don't really believe that.)
     
  19. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    That's it :thumb:

    We can never really know.

    But we do know that it's safer, or at worst no less safe, to trust two providers half as much, or three providers one third as much, and so on. If they're not colluding, then the overall probability of compromise is the product of the individual probabilities. Consider a period of time where the probability of compromise using a single provider approaches 100%. With two such providers, one VPN tunneled through the other, compromise would take on the order of four times as long, given that (1/2)^2=1/4. With three such providers in a nested chain, compromise would take on the order of 27 times as long, given that (1/3)^3=1/27. With four, it would take on the order of 256 times as long, given that (1/4)^4=1/256.

    To the extent that the providers are colluding, one must add the probability of joint compromise. At worst, if all of the providers are fully colluding, then the overall probability of compromise approaches the sum of the individual compromise probabilities. That is, the overall probability of compromise hasn't changed.

    Me, I'm happier trusting math than people ;)
     
    Last edited: Oct 26, 2013
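A small model of the independent-versus-colluding argument in the post above, added here as an example and not code from the original post. The `shared` parameter (one joint event that compromises every hop at once) is an assumed way to represent collusion; the post itself does not specify a model for it.

```python
"""Added model of the nested-VPN argument (not the post's own code).

Each hop i is compromised on its own during one reference period with
probability own[i]. A single joint event with probability `shared` (an assumed
way to represent collusion or a common adversary) compromises every hop at once.
A chain falls if the joint event happens, or if every hop falls on its own.
"""
from math import inf, prod
from typing import Sequence


def chain_compromise_probability(own: Sequence[float], shared: float = 0.0) -> float:
    """Per-period probability that the whole chain is compromised."""
    if not own or any(not 0.0 <= p <= 1.0 for p in own):
        raise ValueError("own must be a non-empty list of probabilities in [0, 1]")
    if not 0.0 <= shared <= 1.0:
        raise ValueError("shared must be in [0, 1]")
    # Independent case: every hop must fall, so the probabilities multiply.
    all_own = prod(own)
    # Combine with the joint event: the chain survives the period only if the
    # joint event does not happen AND at least one hop stays clean.
    return 1.0 - (1.0 - shared) * (1.0 - all_own)


def expected_periods_to_compromise(p: float) -> float:
    """Mean number of periods until a per-period event of probability p first occurs."""
    return inf if p <= 0.0 else 1.0 / p


def time_multiplier(own: Sequence[float], shared: float = 0.0) -> float:
    """How many times longer the chain lasts than a single provider whose
    compromise is near-certain (p = 1) within one period, as in the post."""
    return expected_periods_to_compromise(chain_compromise_probability(own, shared))


if __name__ == "__main__":
    for n in range(1, 5):
        hops = [1.0 / n] * n  # "trust n providers 1/n as much"
        print(f"{n} independent hops: x{time_multiplier(hops):.0f}")
        print(f"{n} fully colluding hops: x{time_multiplier(hops, shared=1.0):.0f}")
```

With `shared=0.0` the multipliers reproduce the post's 4, 27 and 256; with `shared=1.0` every chain collapses back to a multiplier of 1.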
  20. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I was making a blanket statement. I'm just a guy that knows my logical level limit on risk and reward for logical behavior patterns. Your time is valuable; don't waste your value on superficial non-necessities. ;)
     
  21. pcdoctor36

    pcdoctor36 Registered Member

    Joined:
    Aug 25, 2011
    Posts:
    62
    With the number of VPN services that are out there it is best to avoid services like SecurityKISS entirely. Country of incorporation has to come first. I am forced to realize that the NSA is years, perhaps even a decade, ahead of us technologically. Traffic analysis is no joke. NSA advanced and automated algorithms are no joke. The better model is to avoid logging whenever and wherever you can. Don't get married to any service. Constantly evaluate and be ready to give any of these services an unbiased kick in the pants.

     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Do you know of a better free VPN service?

    Free means no money trail. Even mailing cash creates a money trail.

    Signing up via Tor, using an email account accessed only via Tor, creates at most a very tenuous money trail.
     
  23. pcdoctor36

    pcdoctor36 Registered Member

    Joined:
    Aug 25, 2011
    Posts:
    62
    @Mirimir. Free, no I do not. If you want speed then you pretty much have to pay. If a person has the capacity to pay attention to detail it is possible to use Bitcoin to go anonymous. Cash, if carefully handled, can be anonymous. Everything takes planning and care. As I travel a bit, I have paid for services from different cities in the equivalent of a cyber cafe. My point is there are many ways to do things. I firmly believe the future of privacy on the net is decentralized, encrypted P2P networks.

     
  24. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Some great debates and info I enjoy reading them all :)

    I too agree about spreading the paranoia, or multiple barriers. You could never 100% rely on a VPN provider's words, no matter where they are based.

    I think with 2 VPNs or 1 decent one, and an encrypted VirtualBox > Whonix under Tor, is more than enough; back this up with a combination of an encrypted hidden OS or FDE.

    Even then one could rattle the cage or hit you over the head with a wrench ;)
     
  25. pcdoctor36

    pcdoctor36 Registered Member

    Joined:
    Aug 25, 2011
    Posts:
    62
    @Fawkes, I have twisted this one around in my mind multiple times. While there are ways for a non-USA VPN provider to place a server in the U.S. that doesn't log, is it advisable? A reason for a US breakout might be escaping geographical content restrictions. It seems you have to ask what the worst case scenario is. If you assume the adversary is the NSA then traffic analysis could in theory be used to ID a specific user. In most instances that would not be the case. Then you would have to ask yourself why would a company want a VPN breakout in the US? If it is not escaping geographical restrictions then are they trying to serve a Usenet or Torrent population? That type of user wants to escape the US, not come into it. Concluding, I don't see a sensible reason for a provider to want a breakout in the US. Is it possible to do it and be secure? Possibly! Is it wise? No.

     