The most secure VPN :)

Discussion in 'privacy technology' started by chrismani, Sep 28, 2013.

Thread Status:
Not open for further replies.
  1. chrismani

    chrismani Registered Member

    Joined:
    Oct 29, 2010
    Posts:
    37
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Cool, it seems that they've strengthened their openvpn setup.

    Thanks for the update :)
     
  3. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Only problem comes when PIA are based in the USA and have offices in the UK. Two of of places you least want as a VPN customer.
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Well, that depends on where you're coming from, and where you're going through. If those are places that don't play well with the US and UK, no problem ;)
     
  5. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    True but PIA could be put under the same laws that Lavabit was hit with a little while ago "Secret Logging NSA" National security order, which breaking could land them in jail, which is why they would fault.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Any VPN service is vulnerable to its own government. And if there's no government, it's vulnerable to whomever has the biggest militia ;)
     
  7. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    I agree but the risk factor for government surveillance is much higher in the US/UK. You must agree with that.
     
  8. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    Last edited: Sep 29, 2013
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    That's true for US/UK surveillance. But in Russia, the Russians presumably have the best surveillance. And in China, the Chinese. But the US and Five Eyes no doubt do the best job overall, although the Chinese are catching up fast. Anyway, I agree that it's generally best to pick VPN services outside the US sphere. And in chaining VPNs, it's best to mix different spheres of influence to reduce risk of collaboration.
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    I was just checking them out and after downloading OpenVPN configs, I only see the config files for the servers themselves and ca.cert but no private key etc:
    https://www.wilderssecurity.com/showpost.php?p=1777244&postcount=1

    You don't necessarily need 4 separate files afaik, because they can also be included in the .config file, but that doesn't seem the case here.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    That's not good :(
     
  12. Taliscicero

    Taliscicero Registered Member

    Joined:
    Feb 7, 2008
    Posts:
    1,439
    Its been brought up before, PIA does not use Private Keys. One more reason that they are suspect to me, that and the strangely low yearly price.
     
  13. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    I have asked PIA why this is, awaiting response....
     
  14. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    I wouldn't trust any VPN. The Snowden documents said that NSA has backdoors in VPN encryption chips.
     
  15. dartmouthduck

    dartmouthduck Registered Member

    Joined:
    Sep 29, 2013
    Posts:
    10
    Location:
    Romania
    Why anyone would want a client crt/private key in this situation? That would be more ideal for office/work VPN because you need to identify the client.

    In this case, you want to be more anonymous. OpenVPN doesn't use a client crt/private key for any encryption. Its just to identify.

    Avoid VPN if used for privacy if they require you to hold these key/certs. You should only have a certificate authority cert and it should be self issued by your VPN, not by certificate authority. If they do give client crt/private key they either dont know what they are doing or maybe worse.
     
  16. firefox2008

    firefox2008 Registered Member

    Joined:
    May 17, 2007
    Posts:
    125
    No VPN is secure unless it accepts paper/metal cash anonymously.
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    The client.crt (and its key) help secure the server, because it won't talk with clients that don't properly sign traffic. Part of that is for blocking DoS attacks, but it's my understanding that it helps to protect the server more generally.

    I don't agree. Do you have a cite for your claims?
     
  18. dartmouthduck

    dartmouthduck Registered Member

    Joined:
    Sep 29, 2013
    Posts:
    10
    Location:
    Romania
    The client cert is only used during the initial handshake. The server checks if the client cert was issued by the server's CA. It's purely an authentication mechanism. After the connection is established a random shared secret key is exchanged via DH. That secret key is what is used to "sign" (HMAC) every encrypted packet. The "sign"ing of the data packets has nothing to do with the certificates.

    The only important cert is the server's cert. It is used by the client during the initial handhsake to make sure it's really talking to the real server and not a MITM attacker's server.

    This is how cryptography works.
     
    Last edited: Sep 29, 2013
  19. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    Here's what most VPN's do :
    Some also do this :
    The reason they do it ?
    Certificate-management is time-consuming and costs money.
    Much easier, and almost as secure, to have the users set their own user-name/password on the sign-up page.
     
  20. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Requiring initial authentication improves security. For example, a DDoS attack on the server might facilitate exploitation of other vulnerabilities. Or it might make the server drop connected clients, which would be useful in traffic analysis.

    You'll have to do better than that ;)
     
  21. Gitmo East

    Gitmo East Registered Member

    Joined:
    Jul 28, 2013
    Posts:
    106
    I'm still awaiting PIA's response...
    would like to add that the PIA Android app eats battery as the phones radio is always on keeping the connection alive.
    The PIA app gives credit to Arne Schwabe so I have continued and recommend to use his (Arne Schwabe's) Open VPN app https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en
     
  22. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Unrealistic, unless your neighborhood sets up a VPN service.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    Are you serious?

    Mullvad, iVPN and Cryptohippie, for example, accept cash by mail. I'm sure that other providers also do as well.
     
  24. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,166
    Location:
    EU
    Sure, but I would never sent cash via post.
    At least where I live it's gonna be 100% stolen by someone in the middle.
     
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,028
    :(

    OK, you can also use thoroughly-anonymized Bitcoins. Buy as anonymously as you can, and then mix 3-4 times through different mixing services, using Multibit clients running in Whonix instances.
     
Loading...
Thread Status:
Not open for further replies.