My VPN Testing Site is Finally Up

Discussion in 'privacy technology' started by mirimir, Jun 16, 2016.

  1. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,376
    Location:
    UK
    I don't agree that your tests were too stringent, it only takes the one leak. Stress testing IS what's required.

    Echoing others, thanks for doing this, I think it should be part of differentiating VPN service offerings as people get more discerning. While one can never be sure about the logging, at least we can have a feel for whether the jurisdiction is likely to be cooperative, and choosing mutually antagonistic ones!
     
  2. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    144
    Location:
    Metropolis
    Good, so the testing was rigorous and thorough! Have you seen that comprehensive "VPN Providers" chart that some random guy created and updates? It's not like yours, there is no testing and the only technical information he provides is what the VPN providers themselves claim on their websites, but he has gathered a lot of other info such as country of jurisdiction, whether they own their servers, etc. He has broken down their TOS and Priv Policies and points out the unique differences and risks of each individual provider. I'm sure you've seen it, I'd post it if the computer I have it on worked. Well, the research and information he has gathered paired with the data you have now collected would be a very comprehensive resource!
     
  3. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    144
    Location:
    Metropolis
    @mirimir You should include your bitcoin address on your site!
     
  4. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    144
    Location:
    Metropolis
    I definitely agree that knowing factors such as what country they operate out of, server info, and really anything legal are important details.
     
    Last edited: Aug 23, 2016
  5. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    144
    Location:
    Metropolis
    NVM @mirimir I now see where your Bitcoin address is. Obviously my understanding of what exactly you did as far as testing is concerned is very limited. Would you say it is reliable enough to be damning evidence against providers who fail testing since they are providing a service that is highly flawed and not doing what they claim? That industry needs some oversight and accountability.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,879
    Yes, I know /r/ThatOnePrivacyGuy :)

    And yes, it's just aggregated information from providers, and some classification.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,879
    Yes, I thought about that :)

    Actually, I've thought about crowdfunding additional VPN testing. That is, have a page that accepts requests from users, and allows users to bid on VPNs to test, using a reputable Bitcoin escrow service.
     
  8. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,424
    Location:
    Ontario, Canada
    Awesome and thanks for your hard work! Out goes the Window with PureVPN in comes....I haven't decided yet. *puppy*

    Cheers,

    Daniel :)
     
  9. n8chavez

    n8chavez Registered Member

    Joined:
    Jul 19, 2003
    Posts:
    2,464
    Location:
    Location Unknown
    mirimir, has this forwarded ports vulnerability been tested for? If so, which ones passed?
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,879
    I did some work on that. I created my own VPN, which was vulnerable because the server used the same IP for entry and exit. And even then, it was pretty hard to get it to leak. You need two accounts, both using the same server with the same IP. So I decided that it was low risk and too much work.

    Anyway, VPNs with different IPs for entry and exit aren't vulnerable.
     
  11. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    144
    Location:
    Metropolis
    Yeah that's the direction I figured you were going. Towards growth, and turning it into something more.
     
    Last edited: Aug 24, 2016
  12. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,950
    Location:
    Outer space
    Nice!
    The official OpenVPN client doesn't have killswitch protection so I guess that would mean it would fail all the tests? A shame since I trust it better, which has been confirmed with the Cyberghost client collecting info.
    It would also be interesting to know if the clients use DEP/ASLR on Windows (and Mac equivalents) for basic exploit protection.
     
  13. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,879
    For the most part, yes. But FrootVPN with stock OpenVPN in Windows didn't leak at all. So it's possible.
    As long as you prevent IPv4 and IPv6 leaks with firewalls, and block IPv6 if you don't need it, stock OpenVPN is safe.
    Please say more about that.
     
  14. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,950
    Location:
    Outer space
    Ah great I'll research that some more.

    On Windows you can check if a process has DEP (Data Execution Prevention, sometimes also known as NX bit or W^X) and ASLR (Address Space Layout Randomization) easily with Process Explorer.
    Be sure to run it as Admin, customize the columns and add DEP Status and ASLR Enabled. Then you'll be able to see if the process itself has it enabled.
    If you set the Lower pane view to DLLs, then you can check if the DLL files loaded into the process also have ASLR enabled, because if not they could be used to bypass it. (You need to add a column for ASLR again in the DLL view.)
    I'm not familiar with OS X so I'm not sure how to check it there.
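
A static complement to the Process Explorer check described in the post above, as an added example that is not part of the original thread: it reads the ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) opt-in bits from the PE headers of the EXE and DLL files in a client's install folder. The function names and the header-only sample builder are assumptions made for this example; header bits show what an image opts in to, not the runtime status Process Explorer reports.

```python
import struct
from pathlib import Path

# DllCharacteristics bits from the PE/COFF specification
HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT = 0x0020, 0x0040, 0x0100
IMAGE_FILE_DLL = 0x2000   # COFF Characteristics bit: image is a DLL
DLLCHAR_OFFSET = 70       # same offset in PE32 and PE32+ optional headers

def pe_mitigations(data):
    """Return the ASLR/DEP opt-in flags stored in a PE image's headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)   # e_lfanew
    opt_off = pe_off + 4 + 20                          # signature + COFF header
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < opt_off + DLLCHAR_OFFSET + 2:
        raise ValueError("bad or truncated PE header")
    if struct.unpack_from("<H", data, opt_off)[0] not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    (file_chars,) = struct.unpack_from("<H", data, pe_off + 4 + 18)
    (flags,) = struct.unpack_from("<H", data, opt_off + DLLCHAR_OFFSET)
    return {"aslr": bool(flags & DYNAMIC_BASE),
            "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
            "dep": bool(flags & NX_COMPAT),
            "is_dll": bool(file_chars & IMAGE_FILE_DLL)}

def weak_images(root):
    """List (file name, missing opt-ins) for .exe/.dll files under root."""
    weak = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() not in (".exe", ".dll") or not path.is_file():
            continue
        try:
            m = pe_mitigations(path.read_bytes())
        except ValueError:
            continue                                   # not a PE image
        # DEP is decided per process by the EXE, so only ASLR matters for DLLs
        missing = [k for k in ("aslr", "dep") if not m[k] and not (k == "dep" and m["is_dll"])]
        if missing:
            weak.append((path.name, missing))
    return weak

def sample_pe(dll_chars, file_chars=0x0002, magic=0x20B):
    """Constructed header-only sample (not a loadable image)."""
    buf = bytearray(0x40 + 24 + DLLCHAR_OFFSET + 2)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x40 + 4 + 18, file_chars)
    struct.pack_into("<H", buf, 0x40 + 24, magic)
    struct.pack_into("<H", buf, 0x40 + 24 + DLLCHAR_OFFSET, dll_chars)
    return bytes(buf)
```

Point `weak_images()` at the VPN client's install directory; any DLL it lists without ASLR is the kind of module the post warns could be used to bypass it.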
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,879
    Thanks :)
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,879
    Well, there are lots of VPN services, and they're frequently updating stuff. So keeping a testing site up to date would be at least a full-time job. But I must work, so I can only spend limited time unless it's generating income.
     
  17. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    144
    Location:
    Metropolis
    Yes @mirimir I can imagine that it's pretty time consuming.
     
  18. Triple Helix

    Triple Helix Webroot Product Advisor

    Joined:
    Nov 20, 2004
    Posts:
    12,424
    Location:
    Ontario, Canada
    Last edited: Sep 15, 2016
  19. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,194
    Location:
    EU
    @mirimir any plan to test clients for Linux? PIA, AirVPN and others have their own client for at least the most popular flavors.
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,879
    I doubt that I'll test Linux clients. I mean, why bother with them? It's really easy to do it right, using iptables rules.
     
  21. trott3r

    trott3r Registered Member

    Joined:
    Jan 21, 2010
    Posts:
    935
    Location:
    UK
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,879
    Generally, I think so. But please keep in mind that it's primarily based on what VPN providers say. There's no feasible way to verify most of it. I get that he's conscientious and reliable. And he has done some reviews.
     
  23. ComputerSaysNo

    ComputerSaysNo Registered Member

    Joined:
    Aug 9, 2012
    Posts:
    1,448
    thatoneprivacyguy is very active on reddit. If you have any questions just find his sub-reddit. I find his site to be pretty good.
     
  24. box750

    box750 Registered Member

    Joined:
    Nov 11, 2008
    Posts:
    260
  25. okiejay1

    okiejay1 Registered Member

    Joined:
    Dec 11, 2016
    Posts:
    1
    Location:
    US
    Did you get a chance to test BolehVPN, Insorg, Windscribe and Witopia? I didn't see them included in your report. Are those results updated somewhere else?
     