The most secure VPN :)

You can control what encryption you want to use.



http://i.imgur.com/CGHlUUr.jpg



Read more : https://www.privateinternetaccess.com/pages/vpn-encryption


Download the new client :

https://www.privateinternetaccess.c...24/encryption-now-its-in-your-control-beta/p1

 

Cool, it seems that they've strengthened their openvpn setup.

Thanks for the update

 

Only problem comes when PIA are based in the USA and have offices in the UK. Two of of places you least want as a VPN customer.

 

Well, that depends on where you're coming from, and where you're going through. If those are places that don't play well with the US and UK, no problem

 

True but PIA could be put under the same laws that Lavabit was hit with a little while ago "Secret Logging NSA" National security order, which breaking could land them in jail, which is why they would fault.

 

Any VPN service is vulnerable to its own government. And if there's no government, it's vulnerable to whomever has the biggest militia

 

I agree but the risk factor for government surveillance is much higher in the US/UK. You must agree with that.

 

I use PIA on Android, there Swedish/Romanian servers....
Also they have released a play store app https://www.privateinternetaccess.com/forum/index.php?p=/discussion/1023/tut-how-to-use-android-pia-vpn-app-apk-inside which seems pretty cool, gets the job done

EDIT: Here's there response to the NSA/Snowjob revelationshttp://vpncreative.net/private-internet-access-responds-to-nsa-prism-controversy/ for what it's worth.

 

That's true for US/UK surveillance. But in Russia, the Russians presumably have the best surveillance. And in China, the Chinese. But the US and Five Eyes no doubt do the best job overall, although the Chinese are catching up fast. Anyway, I agree that it's generally best to pick VPN services outside the US sphere. And in chaining VPNs, it's best to mix different spheres of influence to reduce risk of collaboration.

 

I was just checking them out and after downloading OpenVPN configs, I only see the config files for the servers themselves and ca.cert but no private key etc:

https://www.wilderssecurity.com/showpost.php?p=1777244&postcount=1

You don't necessarily need 4 separate files afaik, because they can also be included in the .config file, but that doesn't seem the case here.

 

That's not good

 

Its been brought up before, PIA does not use Private Keys. One more reason that they are suspect to me, that and the strangely low yearly price.

 

I have asked PIA why this is, awaiting response....

 

I wouldn't trust any VPN. The Snowden documents said that NSA has backdoors in VPN encryption chips.

 

Why anyone would want a client crt/private key in this situation? That would be more ideal for office/work VPN because you need to identify the client.

In this case, you want to be more anonymous. OpenVPN doesn't use a client crt/private key for any encryption. Its just to identify.

Avoid VPN if used for privacy if they require you to hold these key/certs. You should only have a certificate authority cert and it should be self issued by your VPN, not by certificate authority. If they do give client crt/private key they either dont know what they are doing or maybe worse.

 

No VPN is secure unless it accepts paper/metal cash anonymously.

 

The client.crt (and its key) help secure the server, because it won't talk with clients that don't properly sign traffic. Part of that is for blocking DoS attacks, but it's my understanding that it helps to protect the server more generally.

I don't agree. Do you have a cite for your claims?

 

The client cert is only used during the initial handshake. The server checks if the client cert was issued by the server's CA. It's purely an authentication mechanism. After the connection is established a random shared secret key is exchanged via DH. That secret key is what is used to "sign" (HMAC) every encrypted packet. The "sign"ing of the data packets has nothing to do with the certificates.

The only important cert is the server's cert. It is used by the client during the initial handhsake to make sure it's really talking to the real server and not a MITM attacker's server.

This is how cryptography works.

 

Here's what most VPN's do :

Some also do this :

The reason they do it ?
Certificate-management is time-consuming and costs money.
Much easier, and almost as secure, to have the users set their own user-name/password on the sign-up page.

 

Requiring initial authentication improves security. For example, a DDoS attack on the server might facilitate exploitation of other vulnerabilities. Or it might make the server drop connected clients, which would be useful in traffic analysis.

You'll have to do better than that

 

I'm still awaiting PIA's response...
would like to add that the PIA Android app eats battery as the phones radio is always on keeping the connection alive.
The PIA app gives credit to Arne Schwabe so I have continued and recommend to use his (Arne Schwabe's) Open VPN app https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en

 

Unrealistic, unless your neighborhood sets up a VPN service.

 

Are you serious?

Mullvad, iVPN and Cryptohippie, for example, accept cash by mail. I'm sure that other providers also do as well.

 

Sure, but I would never sent cash via post.
At least where I live it's gonna be 100% stolen by someone in the middle.

 

OK, you can also use thoroughly-anonymized Bitcoins. Buy as anonymously as you can, and then mix 3-4 times through different mixing services, using Multibit clients running in Whonix instances.