How NSA-proof is your VPN?

How NSA-proof is your VPN?.

Reference URL: How NSA-Proof Are VPN Providers?.

-- Tom

 

Have you tried TorGuard?

 

I'd like to see responses from AirVPN, iVPN, etc.

The response from PIA was impressive They seem more serious about privacy than I had imagined.

 

Yeah, I'm impressed too. Do you think PIA's having moved their entire administration and development team out of the U.S. (those are some seriously devoted people) makes it a viable VPN choice? "The team in its entirety are decentralized across the globe in countries that have historically been very reluctant to assist the US."

*

They also seem to think for the time being, in the wake of the Federal Judge lifting the gag order on Lavabit, that gag orders cannot be used.

 

I do think that they're a viable choice. I'm especially impressed that the US co-founder no longer has admin access. If that's true, anyway

However, I don't like their reliance on username/password for client authorization, with no client.crt/client.key, and no ta.key either. That's all to reduce admin overhead, I suspect, and allow more clients per server. I'd never use them as the first or last VPN in a chain. But their bandwidth is generally very good.

I'm not counting on that

 

hi there, is it less secured? I guess i will hate it each time i need to key in the username and password.

i am still deciding whether to buy PIA or Torguard...

 

The *only* reason that the judge lifted the gag order, was because Levison appealed to the 4th Circuit. It *has* to be unsealed to fight his appeal. Also - Levison asked *twice* to unseal, and he was denied. The third time, the *government* asked, and it was granted. Believe me, the *only* reason it was unsealed was because the government believed that doing so, benefited *them*.

PD

 

I'm pretty sure that it's only less secured in the sense that somebody could use their service for free if they found a working username/password combination.

Even if an adversary logged in using your username/password, I doubt that they could interact with your VPN tunnel. It's possible, but enabling that would be a major security hole. And it would be easy to test, just by logging in twice, from two different machines, and doing some ping (or better, nmap) tests.

In some OpenVPN clients, you can save your username/password, and login automatically. You can definately do that with any client by editing the OpenVPN configuration file. Just change "auth-user-pass" to "auth-user-pass /[path]/vpncred", and create a text file "vpncred" in "/[path]" like:

username
password

I don't know Torguard. Just the name bothers me But PIA is OK. They're inexpensive, and have lots of cool exit IPs.

 

Thanks for the thoughts. So I guess you don't see them as a great option for someone using a single VPN? Or is it that you would just never use only a single VPN?

By the way, here's PIA's statement on their website about the NSA issue: https://www.privateinternetaccess.com/blog/2013/06/prism/
And an interview with Andrew Lee (one of the co-founders), to get more of a sense where he's coming from: https://www.bestvpn.com/blog/7319/an-interview-with-private-internet-access-founder-andrew-lee/

*

In the interview, Andrew Lee the co-founder of PIA (who is apparently also an privacy advocate) says that a federal judge recently ruled the gag orders unconstitutional. Perhaps he was not referring to the Lavabit case and I got that wrong. I see with a little research that in March, a federal judge did in fact rule the gag order provision of national security letters unconstitutional, in a case brought by the EFF. http://www.wired.com/threatlevel/2013/03/nsl-found-unconstitutional/ I assume this is being appealed. It also confuses me about how Levinson was initially issued a gag order. In any case, it sounds like the gag order thing is up in the the air.

 

Right. I don't know enough about OpenVPN to assess the security impact of relying on username/password vs client.crt/client.key but the openvpn manual <-http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html-> says this ...

... and this ...

Yes, I never use less than two nested VPNs, for actual work. However, each VPN level has a Linux management VM for its pfSense VM, and I download updates there.

Although I haven't followed this closely, there are many federal judges, and sometimes they rule in unusual ways, but those rulings rarely ever take effect. They get reversed on appeal, and the wayward judge gets a lecture

 

Thanks mirimir. For better or worse I guess I'm not planning to use nested-vpn's. My techno-privacy-nerdiness only goes so far. So I'm just on the look out for the best single VPN options. Seems like AirVPN and iVPN still top the list for me.

*

Yes, I'm aware that lower federal Judges make different decisions. From what I read it sounds like there may be a split decision in the offing with different appeals judges ruling different ways, increasing the likelihood it will go to the Supreme Court.

If you look at the article though (or maybe it was a different one at Ars Technica, I don't' remember), the Judge was pretty impatient with the government and after her March ruling only gave them 90 days to appeal to the Ninth Circuit. I don't know what happened after that.

It is possible, I know, to get different rulings in different circuts and actually have the law applied differently in different parts of the country, until the Supreme Court settles it. So perhaps Levinson was at first subject to a gag order, because he's in Texas, part of a different circuit. Maybe for now gag orders are unconstitutional on the west coast.

To add to the confusion, the same Judge appears in May, a couple months after the EFF ruling, to have ruled against Google's bid to get the gag orders declared unconstitutional: http://www.zdnet.com/google-fails-t...espite-constitutionality-concerns-7000016185/.

According to the EFF, though, it sounds like the current state of things is that the March ruling finding the gag orders unconstitutional is on hold pending appeal: https://www.eff.org/deeplinks/2013/10/deeper-dive-into-facebook-and-yahoo-transparency-reports

My hopes are not high that this will really get overruled. And if it does, I suspect the secret powers that be will find other ways to keep their secrets secret.

 

Anyone else notice Torguards comment regarding Blowfish?

 

cb474,

You may be right...I was just going off of what Levison said in an interview. Could be a bunch of separate cases.

PD

 

VikingVPN also responds in the article from Torrentfreak, anyone have experience with them?
https://vikingvpn.com/

 

Looks worth checking out... thanks, because the list of worthy choices is just so thin.

I'd be interested in hearing reviews about it from people trying it first hand in here.

 

I wouldn't trust any VPN. The Snowden documents showed that NSA has put backdoors in VPN encryption chips. So assuming your VPN provider is using such hardware, it is highly likely NSA has the "keys" to the kingdom. Even if your VPN is completely honest and has no ties to NSA, it wouldn't matter.

 

Running a VPN server does not mean necessarily that those servers are using VPN encryption chips compromised by the NSA.

-- Tom

 

Yes. & I think it's a load of crap and dishonest by Torguard. They may not be able to break 128BIT keys yet, but they sure as hell Man In The Middle it.