I posted a link from MRG in a thread but want to go further. While there are many good articles about VPN services & privacy, there are few about VPNs & security (in the narrow definition). We know almost nothing about each service's security, not just about firewalls. Some services such as PIA, Mullvad, PP, ExpressVPN seem to have a kind of bug bounty, but they're not transparent. It seems Express' bounty doesn't work, as there's no mention of it in their release notes. Some, such as encrypt.me & HIDE.ME, had a 3rd-party audit, but it's still not very clear what that means. An audit may raise privacy concerns, but think about it... if a service has decent security but logs everything and sells it, then it's of no use to the privacy-minded. But if a service really doesn't log but their servers have poor security, so that any bad actor can easily compromise them, then there's no real privacy. (IIRC, some commercial VPN services deploy NIPS, which might be a more serious privacy concern.) AirVPN's response to Heartbleed was quick and good, but I'm not sure about other services, nor about other vulnerabilities, if any (BTW, all of the best VPNs recommended on Wilders support public audits of OpenSSL or OpenVPN!). OVPN explains their physical security well, but AFAIK no others do this. WhatTheServer says they use OpenBSD, which to my knowledge is probably the most secure OS, but I know little about what OS, software, hardware, network security measures etc. other services use. Any input will be appreciated. As I don't put much faith in security-through-anonymity, I think these services should be more transparent. If someone tried to probe a service's security, it could be illegal unless there's a prior agreement, so it will be hard to know, but bad guys won't care.
I found Mullvad uses Qubes. Also, Cryptostorm says they employed grsecurity, but apparently they haven't purchased it since it went private (correct me if I'm wrong). They also mention some OS hardening.
I think these are good points. All it takes is one screw-up for a bad actor to get into the system and make it all insecure. I look around at the staff of the VPN: can you find them on LinkedIn, do they have a good reputation? I usually stay away from ones where you can't find some established names behind the staff. All it takes is one sloppy dude to make a mistake. The answer is yes with Mullvad and iVPN, not so much with AirVPN.
Yup, reputation is one important aspect, but I'm more frustrated at not being able to find many technical details about each VPN service. Cryptostorm might be an exception, though their way of explaining is terrible; PJ's (aka Douglas Spink) writing in particular is just too verbose, with a lot of unneeded frills. I guess Air comes second to CS, though most of their details are only found on forums or elsewhere, not on their official website.
Not sure if it's worth making a new topic, but anyway: A flaw in Hotspot Shield can expose VPN users, locations http://www.zdnet.com/article/privacy-flaw-in-hotspot-shield-can-identify-users-locations/
Google Maps will put a router's location in its location database. The link below doesn't state it, but I'm pretty sure the MAC address as well as the SSID will be used. I can't see the location system being very good without it. https://support.google.com/maps/answer/1725632?hl=en I found this out because I was getting my real location from the Browserleaks.com geolocation test through a dual-hop VPN tunnel, with the first hop in the router and the second using OpenVPN client software. If you ever use Google Earth or Google Maps through a router and identify a home location, that router's MAC address will be added to the Google location database with the location entered. I don't like the opt-out method of adding a tag to the SSID, but at least you can have your home router opt out of this; you have no control over a public hotspot's router, though. And Google isn't the only location service out there, so just opting out of their location service won't solve the problem. You need to use a VPN in a VM to get around this. I can see the possibility of coding a light virtualization of just a network adapter to do this, but I don't know of any code out there that does this. In my home setup, I daisy-chain routers so the VPNs have a different MAC address from the ISP router. With Tomato firmware, I can periodically randomize the MAC address of each Wi-Fi SSID, and each Wi-Fi SSID is for a different VPN.
Google uses the MAC address or BSSID when its SSID doesn't include '_nomap'. Their self-regulation is that they require 2 different addresses/BSSIDs for geolocation collection, which nowadays won't work, as most users use multiple SSIDs, which often use different (usually sequential) BSSIDs. And they no longer need the Google car, as almost everyone uses Android, Chromebook, or G-something, which can catch your Wi-Fi and have geolocation functionality. A possible mitigation is to weaken/limit the power of your Wi-Fi so that only your family can pick it up, but once you invite a guest who has Android, it's game over. As you said, '_nomap' can never be a real solution, as they're not the only ones collecting geolocation. So probably, as you said, the only real solution will be either a separate or a randomized MAC, which I haven't tried, but it's good to know. Thankfully, it seems DD-WRT also supports this.
Do you mean DD-WRT? I'm not sure, and their official database is useless. Maybe just Googling is better. It has been a long time since the final stable release, and most new routers are supported by the so-called Kong builds, which are variations of base DD-WRT built and tested by Kong, one of the old members of the DD-WRT devs.
Maybe these 2 are useful? https://www.myopenrouter.com/ https://www.dd-wrt.com/wiki/index.php/Main_Page
No, I meant Google's database, for routers that don't have _nomap in SSID and were mapped using location services.
Thanks @mirimir. I see that option is more suited for developers. I was hoping that there would be an easier way for an end user to check if their hardware is in the database.
@Minimalist Sorry for the misinterpretation. I thought there was an unofficial website somewhere to check if your MAC is registered, but I hesitated and didn't enter mine (even after checking the source).
It's been a while since I dealt with this, but now I remember that Google Location will check the SSIDs of all Wi-Fi connections that are seen, not just the one connected to, so the only real solution is a VM. If your neighbor's router is in the database, it will be used. I had the location test fail due to a router around 1/4 mile away. I could turn off Wi-Fi for the ISP router and write a script that randomizes the MAC addresses of the VPN channels on the daisy-chained router every time it boots, but that would only partially help. The only real solution is a completely virtualized system that has no access to host Wi-Fi.
Yes, that would be another solution for home setups but not for mobile connections. Due to limited home bandwidth, I sometimes take a laptop to a cafe that has a 100 Mbps connection. Even in my home setup it would be a bit inconvenient to have everything on Ethernet cables, but I do keep some devices off Wi-Fi.
Any OS/platform that has support for Qt5: Linux, Windows, Mac, Raspberry Pi etc... I don't really know. I was hoping to maybe get a little money from this ($3 per binary + zipped source code + support maybe? Or something like that...). But there is one difficulty: because it uses the Google API, it also needs an API key. And Google sets daily limits on how many requests each API key holder can make: https://developers.google.com/maps/documentation/geolocation/usage-limits Obviously, I can't give my own API key away, because then it would run out in no time. So anyone wanting to use this thing would have to create their own API key by first having a valid Gmail address and then getting an API key from here: https://developers.google.com/maps/documentation/geolocation/get-api-key
It will be interesting to see if GDPR has anything to say about this; the lack of consent is obvious, particularly when reported by 3rd parties. But I guess, legally, they will claim all this stuff is publicly broadcast, so tough. At least they nominally have a get-out with _nomap, but this is no real redress when devices 1/4 mile away nail you whether you like it or not. @Stefan Froberg - astonishing work, very interesting. I think I'm in a mixture of awe and shock at what's available, really. Just to make sure I understand the situation @MisterB, if I connect via wireless on the host, but then chain (say) a pfSense VM with a client VM, that's OK on the client?
Sorry for the noob question, but aren't the Wi-Fi MAC address or BSSID, the router's WAN MAC address, and its Ethernet LAN MAC address all different? (I think it depends on the router, though.) If they're different, am I safe? An even more basic question: assuming your router (or your neighbor's?) is already in Google's database, then how exactly is it detected on browserleaks.com, which is over the internet... do they execute some script to know that? I'm really a noob about networking.
Each network interface device, be it WLAN (WiFi), WWAN (3G/4G modem) or plain boring LAN (Ethernet), has a unique serial number that is also called the MAC. The BSSID (not to be confused with the ESSID) is the MAC address of your router's WLAN interface. So yes, you are right, WiFi router MAC = BSSID. A MAC address consists of a 3-byte vendor prefix followed by a 3-byte unique identifier. The factory MAC address is hardcoded, but you can spoof it easily with software (my laptop does it automatically for all interfaces with the macchanger Linux program). For example, here is my spoofed WWAN MAC: 00:1A:51:02:25:0A. 00:1A:51 is the vendor prefix for Alfred Mann Foundation, while 02:25:0A is the unique identifier. So I guess, if you had your WiFi MAC spoofed at the time the Google car went close by your router, you should be safe. Other than that, I have no clue how Google actually finds anything with just a WiFi MAC address alone? (Probably they save your latitude & longitude and use your WiFi MAC as the key to that, which would make it useless if you, say, move to some other place.) EDIT: Or maybe they just keep updating it with the Google car... haven't seen one since 2014, though... EDIT2: Ah, but smartphones are a totally different story from routers; you don't need a Google car to harvest their WiFi MACs...
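An added example (not code from this thread) covering the MAC anatomy in the post above and the boot-time randomization script mentioned earlier: it splits an address into its 3-byte OUI and 3-byte NIC part, decodes the I/G and U/L flag bits of the first octet, and generates a random locally administered unicast address of the kind a router boot script would assign. It assumes only Python 3; note that the posted address 00:1A:51:02:25:0A keeps a real vendor OUI (U/L bit clear), so to a scanner it is indistinguishable from factory hardware, whereas an address with U/L=1 is recognisable as locally set, and neither helps when a neighbour's BSSID is what gives the location away.

```python
import re
import secrets

# Accepts the usual aa:bb:cc:dd:ee:ff / aa-bb-cc-dd-ee-ff spellings.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def parse_mac(mac: str) -> dict:
    """Split a MAC into its 3-byte OUI (vendor prefix) and 3-byte NIC part
    and decode the two flag bits of the first octet (IEEE 802):
      bit 0, I/G: 0 = unicast, 1 = multicast
      bit 1, U/L: 0 = factory (universally administered), 1 = locally administered
    """
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    octets = [int(b, 16) for b in re.split(r"[:-]", mac)]
    return {
        "oui": ":".join(f"{b:02X}" for b in octets[:3]),
        "nic": ":".join(f"{b:02X}" for b in octets[3:]),
        "multicast": bool(octets[0] & 0x01),
        "locally_administered": bool(octets[0] & 0x02),
    }


def looks_factory_assigned(mac: str) -> bool:
    """True when the address carries a vendor OUI (U/L bit clear), i.e. it
    most likely identifies a specific piece of hardware."""
    return not parse_mac(mac)["locally_administered"]


def random_local_unicast_mac() -> str:
    """Random address with U/L=1 and I/G=0: it cannot collide with any
    factory-assigned OUI, and a scanner sees only 'locally set', no vendor.
    This is the value a boot script would hand to `ip link set ... address`."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] & 0xFC) | 0x02  # clear I/G, set U/L
    return ":".join(f"{b:02X}" for b in octets)


if __name__ == "__main__":
    # Constructed sample: the spoofed WWAN address quoted in the post above.
    print(parse_mac("00:1A:51:02:25:0A"))
    print(random_local_unicast_mac())
```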