How NSA-proof is your VPN?

Discussion in 'privacy technology' started by lotuseclat79, Oct 24, 2013.

Thread Status:
Not open for further replies.
  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    How NSA-proof is your VPN?.

    Reference URL: How NSA-Proof Are VPN Providers?.

    -- Tom
     
  2. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Have you tried TorGuard?
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I'd like to see responses from AirVPN, iVPN, etc.

    The response from PIA was impressive :) They seem more serious about privacy than I had imagined.
     
  4. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Yeah, I'm impressed too. Do you think PIA's having moved their entire administration and development team out of the U.S. (those are some seriously devoted people) makes it a viable VPN choice? "The team in its entirety are decentralized across the globe in countries that have historically been very reluctant to assist the US."

    *

    They also seem to think for the time being, in the wake of the Federal Judge lifting the gag order on Lavabit, that gag orders cannot be used.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I do think that they're a viable choice. I'm especially impressed that the US co-founder no longer has admin access. If that's true, anyway ;)

    However, I don't like their reliance on username/password for client authorization, with no client.crt/client.key, and no ta.key either. That's all to reduce admin overhead, I suspect, and allow more clients per server. I'd never use them as the first or last VPN in a chain. But their bandwidth is generally very good.

    I'm not counting on that ;)
     
  6. Less

    Less Registered Member

    Joined:
    Dec 24, 2008
    Posts:
    248

    Hi there, is it less secured? I guess I will hate it each time I need to key in the username and password.

    I am still deciding whether to buy PIA or Torguard...
     
  7. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    The *only* reason that the judge lifted the gag order, was because Levison appealed to the 4th Circuit. It *has* to be unsealed to fight his appeal. Also - Levison asked *twice* to unseal, and he was denied. The third time, the *government* asked, and it was granted. Believe me, the *only* reason it was unsealed was because the government believed that doing so, benefited *them*.

    PD
     
  8. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I'm pretty sure that it's only less secured in the sense that somebody could use their service for free if they found a working username/password combination.

    Even if an adversary logged in using your username/password, I doubt that they could interact with your VPN tunnel. It's possible, but enabling that would be a major security hole. And it would be easy to test, just by logging in twice, from two different machines, and doing some ping (or better, nmap) tests.

    In some OpenVPN clients, you can save your username/password, and login automatically. You can definitely do that with any client by editing the OpenVPN configuration file. Just change "auth-user-pass" to "auth-user-pass /[path]/vpncred", and create a text file "vpncred" in "/[path]" like:

    username
    password

    I don't know Torguard. Just the name bothers me ;) But PIA is OK. They're inexpensive, and have lots of cool exit IPs.
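
Added example, not part of the posts above and not OpenVPN's or any provider's own code: a small Python audit of a client config for the points raised in posts 5 and 8, namely password-only client authentication (no client.crt/client.key), no ta.key, and a saved "vpncred" file that other local users can read. The function name, finding codes, host name and sample files are constructed for illustration.

```python
import os
import stat
import tempfile

def audit_openvpn_client(config_text, base_dir="."):
    """Return finding codes for an OpenVPN client config given as text."""
    directives, in_block = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("</"):
            in_block = False              # end of an inline <cert>...</cert> block
        elif line.startswith("<"):
            in_block = True               # inline block counts as that directive
            directives[line.strip("<>")] = []
        elif not in_block:
            name, *args = line.split()
            directives[name] = args

    present, findings = set(directives), []
    cred_args = directives.get("auth-user-pass")
    if cred_args:                         # credentials are read from a file
        cred = os.path.join(base_dir, cred_args[0])
        if not os.path.isfile(cred):
            findings.append("CRED_FILE_MISSING")
        elif stat.S_IMODE(os.stat(cred).st_mode) & 0o077:
            findings.append("CRED_FILE_READABLE_BY_OTHERS")
    if "auth-user-pass" in present and not {"cert", "key"} <= present:
        findings.append("PASSWORD_ONLY_CLIENT_AUTH")
    if not {"tls-auth", "tls-crypt"} & present:
        findings.append("NO_TLS_AUTH_KEY")
    return findings

def demo():
    """Audit a constructed config before and after tightening it."""
    with tempfile.TemporaryDirectory() as d:
        cred = os.path.join(d, "vpncred")
        with open(cred, "w") as f:
            f.write("username\npassword\n")
        os.chmod(cred, 0o644)             # constructed: deliberately too permissive
        weak = "client\nremote vpn.example.net 1194\nca ca.crt\nauth-user-pass vpncred\n"
        before = audit_openvpn_client(weak, d)
        os.chmod(cred, 0o600)             # owner-only, as a saved secret should be
        strong = weak + "cert client.crt\nkey client.key\ntls-auth ta.key 1\n"
        return before, audit_openvpn_client(strong, d)

if __name__ == "__main__":
    print(demo())
```
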
     
  9. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Thanks for the thoughts. So I guess you don't see them as a great option for someone using a single VPN? Or is it that you would just never use only a single VPN?

    By the way, here's PIA's statement on their website about the NSA issue: https://www.privateinternetaccess.com/blog/2013/06/prism/
    And an interview with Andrew Lee (one of the co-founders), to get more of a sense where he's coming from: https://www.bestvpn.com/blog/7319/an-interview-with-private-internet-access-founder-andrew-lee/

    *

    In the interview, Andrew Lee the co-founder of PIA (who is apparently also a privacy advocate) says that a federal judge recently ruled the gag orders unconstitutional. Perhaps he was not referring to the Lavabit case and I got that wrong. I see with a little research that in March, a federal judge did in fact rule the gag order provision of national security letters unconstitutional, in a case brought by the EFF. http://www.wired.com/threatlevel/2013/03/nsl-found-unconstitutional/ I assume this is being appealed. It also confuses me about how Levison was initially issued a gag order. In any case, it sounds like the gag order thing is up in the air.
     
    Last edited: Oct 25, 2013
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    Right. I don't know enough about OpenVPN to assess the security impact of relying on username/password vs client.crt/client.key but the OpenVPN manual (http://openvpn.net/index.php/open-source/documentation/manuals/65-openvpn-20x-manpage.html) says this ...

    ... and this ...

    Yes, I never use less than two nested VPNs, for actual work. However, each VPN level has a Linux management VM for its pfSense VM, and I download updates there.

    Although I haven't followed this closely, there are many federal judges, and sometimes they rule in unusual ways, but those rulings rarely ever take effect. They get reversed on appeal, and the wayward judge gets a lecture ;)
     
  11. cb474

    cb474 Registered Member

    Joined:
    May 15, 2012
    Posts:
    325
    Thanks mirimir. For better or worse I guess I'm not planning to use nested-vpn's. My techno-privacy-nerdiness only goes so far. So I'm just on the look out for the best single VPN options. Seems like AirVPN and iVPN still top the list for me.

    *

    Yes, I'm aware that lower federal Judges make different decisions. From what I read it sounds like there may be a split decision in the offing with different appeals judges ruling different ways, increasing the likelihood it will go to the Supreme Court.

    If you look at the article though (or maybe it was a different one at Ars Technica, I don't remember), the Judge was pretty impatient with the government and after her March ruling only gave them 90 days to appeal to the Ninth Circuit. I don't know what happened after that.

    It is possible, I know, to get different rulings in different circuits and actually have the law applied differently in different parts of the country, until the Supreme Court settles it. So perhaps Levison was at first subject to a gag order, because he's in Texas, part of a different circuit. Maybe for now gag orders are unconstitutional on the west coast.

    To add to the confusion, the same Judge appears in May, a couple months after the EFF ruling, to have ruled against Google's bid to get the gag orders declared unconstitutional: http://www.zdnet.com/google-fails-t...espite-constitutionality-concerns-7000016185/.

    According to the EFF, though, it sounds like the current state of things is that the March ruling finding the gag orders unconstitutional is on hold pending appeal: https://www.eff.org/deeplinks/2013/10/deeper-dive-into-facebook-and-yahoo-transparency-reports

    My hopes are not high that this will really get overruled. And if it does, I suspect the secret powers that be will find other ways to keep their secrets secret.
     
  12. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Anyone else notice Torguard's comment regarding Blowfish?
     
  13. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    cb474,

    You may be right...I was just going off of what Levison said in an interview. Could be a bunch of separate cases.

    PD
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,771
    Location:
    Outer space
    VikingVPN also responds in the article from Torrentfreak, anyone have experience with them?
    https://vikingvpn.com/
     
  15. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,497
    Looks worth checking out... thanks, because the list of worthy choices is just so thin.

    I'd be interested in hearing reviews about it from people trying it first hand in here.
     
  16. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I wouldn't trust any VPN. The Snowden documents showed that NSA has put backdoors in VPN encryption chips. So assuming your VPN provider is using such hardware, it is highly likely NSA has the "keys" to the kingdom. Even if your VPN is completely honest and has no ties to NSA, it wouldn't matter.
     
  17. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,102
    Running a VPN server does not mean necessarily that those servers are using VPN encryption chips compromised by the NSA.

    -- Tom
     
  18. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,425

    Yes. & I think it's a load of crap and dishonest by Torguard. They may not be able to break 128BIT keys yet, but they sure as hell Man In The Middle it.
     