NordVPN Breached

There was a successful attack against NordVPN:

Based on the command log, another of the leaked secret keys appeared to secure a private certificate authority that NordVPN used to issue digital certificates. Those certificates might be issued for other servers in NordVPN’s network or for a variety of other sensitive purposes. The name of the third certificate suggested it could also have been used for many different sensitive purposes, including securing the server that was compromised in the breach.

The revelations came as evidence surfaced suggesting that two rival VPN services, TorGuard and VikingVPN, also experienced breaches that leaked encryption keys. In a statement, TorGuard said a secret key for a transport layer security certificate for *.torguardvpnaccess.com was stolen. The theft happened in a 2017 server breach. The stolen data related to a squid proxy certificate.

TorGuard officials said on Twitter that the private key was not on the affected server and that attackers “could do nothing with those keys.” Monday’s statement went on to say TorGuard didn’t remove the compromised server until early 2018. TorGuard also said it learned of VPN breaches last May, “and in a related development we filed a legal complaint against NordVPN.”

The breach happened nineteen months ago, but the company is only just disclosing it to the public. We don’t know exactly what was stolen and how it affects VPN security. More details are needed.

VPNs are a shadowy world. We use them to protect our Internet traffic when we’re on a network we don’t trust, but we’re forced to trust the VPN instead. Recommendations are hard. NordVPN’s website says that the company is based in Panama. Do we have any reason to trust it at all?

I’m curious what VPNs others use, and why they should be believed to be trustworthy.

Posted on October 23, 2019 at 6:15 AM

Comments

jmcken October 23, 2019 6:44 AM

I use Private Internet Access. The company’s based in the US (last I heard), but their technical setup (dozens of servers worldwide with shared IPs, DNS leak protection, killswitch, AES-256/RSA-4096), their proactive measures to protect their userbase (they’re quick to pull out of jurisdictions that log Internet activity, like Russia and more recently Brazil), and – most of all for me – the fact that their no-logging policy was proven in court twice over was all enough to persuade me they mean business about privacy and aren’t likely to sell their users out.

Of course, I’m just a layman who doesn’t want advertisers or common crooks snooping on me, so take all that for what it’s worth.

Jac October 23, 2019 6:45 AM

ProtonVPN
Reasons for choosing:
– began with ProtonMail, a trust no-one mail provider
– Swiss based, independently audited, not logged
– founders began project at CERN

Despite this, any VPN is based on trust of that entity. For me, given HTTPS is more prevalent (thanks, Let’s Encrypt), the main reason for a VPN is the DNS traffic. However, DoH (DNS over HTTPS) could render a VPN useless for me, but I have privacy concerns (encrypted yes, but DNS data logged) with DoH at the moment given it is evolving into a centralised DNS store (mainly Cloudflare). DIY DNS servers (hard for many) with DoH or a distributed DoH (ISPs adding this) are the best path for security and privacy.

Mike October 23, 2019 7:09 AM

Mullvad.net, because some guys on a podcast said they know the guys running the service and that they have the right mindset regarding this. Also something about being reviewed.

Ian October 23, 2019 7:23 AM

TunnelBear, one of the few services to undergo independent audits. My second choice, if I chose to switch, would be ProtonVPN.

Mangan October 23, 2019 7:24 AM

I use Freedome from F-Secure.

Reason? It’s european-based which makes me trust it 1000 times more than american products.

Clive Robinson October 23, 2019 7:47 AM

@ Bruce,

I’m curious what VPNs others use, and why they should be believed to be trustworthy.

Unless I’ve set them up myself and maintain them, I won’t use them for security related purposes.

They are however sometimes useful for doing service availability testing if you can force the “end point” location to be where you want rather than where a provider wants.

But the simple fact is that VPNs are just tunnels with known end points; this does not exactly make them secure against a whole host of “communications attacks” rather than “message content attacks”. But with large file sizes some types of message content attacks become fairly trivial (ie what sound file or cat video you’ve downloaded).

I’m not aware of any VPNs that take security measures that were first worked out as being a necessary minimum back in WWII to prevent “communications attacks”.

One way to in theory increase your security is to use multiple VPNs in a chain; it’s not unrelated to things various crackers have used over the years to obfuscate their communications path to try to prevent “trace back”. As those who can remember back to the FBI attack on Tor know, even the most complex of comms path obfuscation fails if both end points are not secure, which most often is the case.

Whilst there are some business case uses for VPNs they are often more to do with resource access control or monitoring rather than providing comms security.

Thus from a security mechanism perspective third party VPN services don’t actually offer very much to their customers other than an “illusion” or “faux feel good factor”…

Importantly remember that even if a service provider claims they don’t keep logs, they very probably do for a couple of reasons,

1, Technical quality control
2, Because the software they use generates them automatically and lumps way too much information in the logs.

These are “Third Party Business Records” and as such have no legal protection in many jurisdictions. Worse, what might appear to be anonymous records with no PII etc in them, history has shown, can very easily be de-anonymized when compared to logs that other third party service providers you have no knowledge of hold.

Thus I would urge people to do a sensible business case assessment on their reasons for using a third party VPN service provider…
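Clive’s point that records “with no PII” stop being anonymous once they are joined against another party’s logs, as an added example that is not part of his comment or any provider’s code: a session-overlap join between a constructed VPN provider connection log and a constructed destination-site access log. The account ids, addresses and times are all invented for the example; the provider log deliberately holds nothing but a pseudonymous account id, a shared exit address and session times.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class VpnSession:
    """One line of a provider's connection log: no name, no e-mail, just an account id."""
    account: str     # stable pseudonym; on the provider side it links to the payment record
    exit_ip: str     # shared exit address the session was NATed behind
    start: datetime
    end: datetime


@dataclass(frozen=True)
class SiteHit:
    """One line of a destination site's access log; the source address is the VPN exit."""
    client_ip: str
    when: datetime
    path: str


# Constructed sample logs for this example; not real provider or site data.
T0 = datetime(2019, 10, 23, 6, 0, 0)


def at(minutes):
    """Timestamp `minutes` after T0 (keeps the sample data readable)."""
    return T0 + timedelta(minutes=minutes)


VPN_LOG = [
    VpnSession("acct-1187", "203.0.113.7", at(0), at(40)),
    VpnSession("acct-2291", "203.0.113.7", at(5), at(20)),
    VpnSession("acct-3045", "203.0.113.9", at(0), at(60)),
]
SITE_LOG = [
    SiteHit("203.0.113.7", at(10), "/forum/post/42"),   # two sessions share the exit: ambiguous
    SiteHit("203.0.113.7", at(30), "/forum/post/43"),   # only one session left on it: identified
    SiteHit("203.0.113.9", at(30), "/login"),           # single user on that exit: identified
    SiteHit("198.51.100.4", at(30), "/"),               # not a VPN exit at all
]


def candidates(hit, sessions):
    """Accounts whose session was on the hit's source address at the hit's time."""
    return sorted({
        s.account for s in sessions
        if s.exit_ip == hit.client_ip and s.start <= hit.when <= s.end
    })


def attribute_hits(site_log, vpn_log):
    """Map every site hit to its candidate accounts; an empty list means the source was not a VPN exit."""
    return {(hit.when, hit.path): candidates(hit, vpn_log) for hit in site_log}


def deanonymized(site_log, vpn_log):
    """The hits that collapse to exactly one account once the two logs are joined."""
    return {key: accts[0] for key, accts in attribute_hits(site_log, vpn_log).items() if len(accts) == 1}


if __name__ == "__main__":
    for (when, path), accts in attribute_hits(SITE_LOG, VPN_LOG).items():
        print(f"{when:%H:%M} {path:16} -> {accts or 'not a known exit'}")
```

A hit is only ambiguous while more than one session shares the exit at that instant; with a longer site log the intersection is repeated across a user’s hits, and the candidate set shrinks further. The account id that falls out is exactly the “no PII” field that the provider can still join to a payment record.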

BThePrisoner October 23, 2019 7:54 AM

Like Jac, my go-to VPN is ProtonVPN (free version) for the same reasons. I do pay for ProtonMail.

I currently use KeepSolid VPN, and have used IPVanish. IPVanish was bundled in with the portable VPN WiFi hotspot router ‘InvizBox Go’. I like the consistency network gateway security boxes provide to all connected hosts on my home LAN. [Invizbox’s new generation of routers will give me more deployment options e.g. hotspots for TOR, no VPN, VPN in city X, VPN in country Y or other variations.]

But… I don’t really trust anyone’s VPN technology fully. So I mix it up by using my two VPN providers in as random a manner as possible. I don’t know if that is self-delusion or not.

“Don’t put all your eggs in one basket”. Beware: too much trust in US/UK hosted VPNs. Perhaps it is marginally safer to trust the Swiss more than others.

David October 23, 2019 8:10 AM

This is a silly discussion. Your question implies that if we use the VPN provider then we blindly trust them, and this thread is now becoming very PR-driven.

“my provider doesn’t log activities”. “mine is based on the moon” (but has exit nodes = servers in the US. so corporate location isn’t so relevant).

I think that there needs to be a larger discussion about “trust” and how we as consumers can’t audit every piece of the communication puzzle.

Michael October 23, 2019 8:10 AM

I use 1.1.1.1 and Warp. The former is DNS over HTTPS, which is better than the status quo. The latter is a caching proxy, not really privacy-centric, but better than leaving it to the ISP.

I trust them at least a little because they’ve given detailed postmortems of network outages (transparency), I see their engineers on Twitter talking openly about their work (ditto), and they say they hire external auditors (though I haven’t seen the reports).

It’s an almost zero-effort approach that provides basic protection from my ISP.

Ben October 23, 2019 8:17 AM

I like PIA because like the first poster said it has a proven no log record. NordVPN and Proton have sketchy ties, and they did a poor job hiding it with a story that changed daily, so I don’t know why people are recommending either of them.

Clint October 23, 2019 9:03 AM

Currently Freedome. Used PIA in the past, but had some issues with connectivity and switched. I started using one when I was soaking up wifi a lot from coffee shops and Firesheep and other tools were fielded.

Aron Griffis October 23, 2019 9:04 AM

I’m curious what VPNs others use, and why they should be believed to be trustworthy.

Another question is WHY people use VPNs, and how much trust their reasons actually require.

My guess is that most people using VPNs do it to access something they can’t otherwise, whether it’s company-internal resources or region-restricted content. These use-cases don’t require much trust, because the point is access rather than either privacy or security.

Mike October 23, 2019 9:42 AM

I use my own OpenVPN server, experimenting with obfs4; not sure where it’s going, but it adds some cool factor…

I guess what must be asked is what you are using the VPN for exactly, if it’s to hide traffic from a public WiFi spot or to access some specific data that has a country block set.

As for logging I would say just forget about the sweet talk; if the shit hits the fan there will be a log provided against you.
So personally I don’t need to access any specific country’s, let’s say, TV shows or similar, so not seeing any point in using a third party; that would be the only scenario where it would be justified to use one of those.

Getting to a computer at home is easier with a VPN than using SSH, so that’s what I use it for, sometimes with split tunneling, sometimes not, and if you need to hide from a WiFi it works to do that very well.

What more does one need, really? Anonymity? I would say that’s not exactly possible to do with this VPN approach; something else is needed for that completely.

Anyways, if you don’t have any possibility to make your own VPN,
take whatever is free, but remember it will only hide the traffic from your endpoint to the point where the VPN tunnel terminates; after that point it’s in the clear.
So who your adversary is is a key question.

Yet another reader October 23, 2019 9:45 AM

Tor, because of its security by design and I read the dev mailing list so I can keep an eye on what they’re up to, and the cool things they’re trying to do or protect against.

I do not expect perfect. I expect to make it harder for people to surveil me.

Frank October 23, 2019 10:41 AM

“From a technical perspective, WARP is a VPN.

But it is designed for a very different audience than a traditional VPN.

WARP is not designed to allow you to access geo-restricted content when you’re traveling.

It will not hide your IP address from the websites you visit.”

https://blog.cloudflare.com/announcing-warp-plus/

“VPNs mask your internet protocol (IP) address so your online actions are virtually untraceable”
https://us.norton.com/internetsecurity-privacy-what-is-a-vpn.html

Clive Robinson October 23, 2019 10:48 AM

@ Yet another reader,

I do not expect perfect. I expect to make it harder for people to surveil me.

You do not say who you mean by “people” or what you regard as “surveil”.

Normal VPNs do not provide anonymity nor do they offer much in the way of traffic obfuscation.

By and large DNS traffic can be spotted even when done through a VPN tunnel, as for traffic patterns; single user computers likewise tend to give away many users’ activities.

Tor is, due to low latency and other issues, not really that much better; its famed anonymity has been broken a number of times, and for various reasons it is not something I would consider using. In particular because using it brings a spotlight on yourself.

In the past people have talked about using VPNs to access Tor…

The point is unless there are a lot of people doing that it would not take you many sessions of doing so for the usage to get cross correlated…

The whole,

… make it harder for people to surveil …

Only applies to those type 1 and some type 2 actors. Whilst type 3 actors were once seen as “State Level” actors this is no longer true; the likes of Alphabet’s Google are moving into backbone and similar, thus in many respects are supranational, thus more surveillance capable than most traditional nation state type 3 actors.

Steve Perry October 23, 2019 10:56 AM

I only trust OpenVPN servers I construct myself, on VPS hardware from a trusted small local privacy minded provider, who accepts crypto currency.

Michael October 23, 2019 10:58 AM

@Frank, Norton’s definition is overly-restrictive and yet over-promises (“virtually untraceable”?).

1.1.1.1/Warp shields me from my ISP which I have no doubt would bundle browsing history with my PII and sell it to the highest bidder. That’s a level of surveillance not possible for the individual sites which can see my actual IP address.

Plus their CEO’s Twitter account responded within hours to my question about an audit report: https://twitter.com/eastdakota/status/1187030459684835328

It’s a less-than-satisfying response, but much better than I’d get from an ISP.

My threat profile is very minimal. Obviously Cloudflare’s products won’t help people trying to achieve robust pseudonymity. Perhaps the false sense of security among NordVPN users is more damaging than the smaller feature set of offerings that promise less.

Trevor October 23, 2019 11:24 AM

I roll my own, sort of. I use ZeroTier as the encrypted virtual network. I stand up an edge node on AWS, etc. and add it to my network. If I want a different exit point, I stand up a server in a different data center.

b1k October 23, 2019 11:28 AM

  • TOR
  • Wireguard (when using untrusted networks, connecting to my home router)

*Not sure I’d trust Wireguard for anything critical, but has worked great for my personal use case – it’s certainly more efficient (faster) than OpenVPN.

David Australia October 23, 2019 12:01 PM

https://protonvpn.com/

so whose story ‘changed daily’ about ‘sketchy ties’?

The mainstream media report?

protonmail are upfront about everything. including their attack surface and their funding, their backend, and other. they are not pretending to offer more than they are capable

Matteo October 23, 2019 12:28 PM

I just don’t use vpn for all the reasons explained here:
https://gist.github.com/joepie91/5a9909939e6ce7d09e29

They only move the problem and don’t solve anything; HTTPS is the correct way to protect your internet navigation because it’s end to end (if we exclude backend database connections that we have no access to).

If i need it (and i rarely do) i use my home raspberry

tim October 23, 2019 1:23 PM

@matteo

They only move the problem and don’t solve anything; HTTPS is the correct way to protect your internet navigation because it’s end to end (if we exclude backend database connections that we have no access to).

You’re conflating VPNs the technology and VPNs that are managed by others. VPNs the technology help with a lot of issues. And HTTPS isn’t private. The web site you are visiting is right there in the header of the request. Which means everyone knows exactly where you are going. And your ISP or country can monitor it and block it.

If i need it (and i rarely do) i use my home raspberry

What does a raspberry box have to do with anything in this article?

tim October 23, 2019 1:25 PM

I spun up infrastructure in AWS. It costs next to nothing, it’s in my control, and AWS couldn’t care less about my internet traffic.

Steve October 23, 2019 1:36 PM

My ISP (sonic.net) has a (free for customers) VPN service that I use when I’m away from home. I already trust my ISP at home so I trust them for VPN.

parabarbarian October 23, 2019 1:42 PM

I am pretty boring. The only “vpn” service I use any more is ssh as a socks5 proxy. All I use it for at this time is bypassing OpenDNS.

Russ October 23, 2019 2:23 PM

I subscribe to PIA for my iphone and my chromebook but only used it when out of the house and traveling. Lately I’ve also started using Cloudflare’s 1.1.1.1 vpn app on my phone but I don’t think I fully understand how it differs from other vpns. I’m not paying for it (yet).

Chris October 23, 2019 2:34 PM

I use PIA to connect through my firewall and then I use DNS over HTTPS for an extra layer of privacy, even if for some reason they are required to keep logs (which they claim they don’t). Since I am mostly using it to keep my ISP from mining my data it suits.

WG October 23, 2019 2:53 PM

I use WireGuard on my laptops to send all traffic other than DHCP over a WireGuard tunnel to my home router. This allows me to give my laptops static IP addresses no matter where they are located. Captive portals don’t work out of the box and need manual changes to get them to work before turning things back on. This allows me to be identified, but doesn’t let the host get to know much about what I’m doing.

bg October 23, 2019 3:41 PM

You can’t trust any VPN server you did not create yourself. Period.

Given how cheap it is to set up a VPN service, and given the antipathy every government has toward encryption and internet traffic they can’t read, it is more likely than not that many commercial VPN services are operated by intelligence agencies. Why bother with breaking encryption or getting warrants when you can just set up a VPN, market it with all the buzzwords (“no logs!” “servers in Encryptistan!”), then sit back and accumulate users who naively think they are now invisible on the internet.

If you put yourself in the shoes of an intelligence agency, it’s a no brainer. They have secret budgets, they’re allowed to lie, and they operate with impunity even when misdeeds are exposed. Why wouldn’t you set up dozens of fake commercial VPN services?

Ike October 23, 2019 6:23 PM

This clearly is the work of a nation-state; no one burns 0days for an operation that brings intelligence, not profit. It is hard to understand why anyone would use a VPN. The VPN is by design not secure. Of course it depends on your threat model; a VPN will help you safeguard data against low level adversaries who want to sniff your traffic. But the design is inherently insecure and anyone with the right tools and some money to burn on 0days can sniff VPN data. There are much better alternatives that are completely FREE and you don’t have to pay anything.

John October 23, 2019 6:37 PM

Lol. All the people (many of whom are likely Americans) using PIA to protect their privacy. PIA is based in the USA, a 5 eyes country. The US doesn’t have a good track record on privacy. Your information is less likely to be shared with the same companies/government if it’s not located in the same country. Plus PIA has been involved in some pretty shady stuff, just search reddit.

John Smith October 23, 2019 8:21 PM

AirVPN and ExpressVPN, mainly to (a) change my reported geo-location as needed, (b) provide some hacking resistance when using wifi (c) stop my ISP from detecting when I’m using YouTube and then down-throttling the connection.

I use OpenVPN to access my home network, locally and remotely. My main concern is being hacked via a wifi connection.

Rightly or wrongly, I do not trust plain vanilla wifi, and refuse to use wireless keyboards and mice.

MrC October 23, 2019 10:28 PM

I used a self-managed WireGuard installation on a rented VPS. The problem, of course, is that I don’t really trust the VPS provider. At least not in the face of an NSL. I don’t think they’d backdoor me on the say-so of the copyright cops.

@Steve Perry: I’d like to hear about this VPS provider of yours.

Ismar October 23, 2019 11:23 PM

Maybe it’s a good time to start using NordVPN as they have had time to learn their lesson and harden their servers ?????

On a more serious note, it will come as no surprise that I also use ProtonVPN, as some of the others have already identified it as one of the best alternatives out there.

I think that it offers a reasonable level of protection against all but most capable adversaries and as such a good choice for your average internet user.

lurker October 24, 2019 12:09 AM

@Matteo: https is th correct way to protect your internet navigation because it’s end to end

While I was in China, adjusting my bank account outside China, the thought occurred to me that with the calculation power in the Great Firewall, it might be relatively trivial to do a MITM job with TLS handshakes in both directions. The triviality comes from stolen/forged certificates. But my few dollars wouldn’t be worth their while, nor mine to use a VPN. If they’ve got tabs on you they just block your VPN.

Danny Boy October 24, 2019 12:44 AM

PIA. As others have said, it has stood the test of a couple of court cases. Using PIA’s DNS. Occasionally Windscribe or Proton (free) for web browsing, just to mix the pot a little. Regularly change servers. They’re probably not protection against state-level attack, but I’m not particularly worried about that.

Why? To withhold info from my ISP, as part of muddying the waters against website-running snoops, occasionally to get around geolocation, and because I share files. I have not received any takedown notice in the decade I’ve been using PIA.

dimi October 24, 2019 3:29 AM

I could never understand how tech people turn to paid VPN solutions… Why not get a small appliance at home and install OpenVPN on it? It’s your network, your VPN, so you don’t have to worry about or trust some third party network for your security.

Jan October 24, 2019 3:43 AM

My DSL router (Fritzbox) has a VPN server included, so I only have to trust my own equipment (and its manufacturer to some degree).

Who? October 24, 2019 4:47 AM

I have three VPNs. One of them, built using strongSwan, is targeted for a small subset of devices owned by my research group at the University. Another one, built using OpenVPN, is flexible enough to home all classes of devices (Linux (CentOS, RedHat, Gentoo and Ubuntu), Windows, OS X, iOS, Android and OpenBSD). It is used to link together certain data acquisition equipment, usually buried in the forests all over the country. I do not think these technologies are highly secure, but they are much better than not running a VPN. Of course, all systems are firewalled, and not remotely reachable by other means.

Another VPN, much more restrictive, built using software available on the OpenBSD base system only links four small computer rooms with equipment that runs on the OpenBSD operating system. All these computer rooms are firewalled by both pf(4) and, usually, Junos.

At last, sometimes I build short-lived VPNs (these ones usually do not last more than a few hours) using OpenSSH to connect to remote TCP ports and Unix sockets. Very handy.

Matteo October 24, 2019 5:12 AM

@tim

If i need it (and i rarely do) i use my home raspberry
What does a raspberry box have to do with anything in this article?

Schneier wrote “I’m curious what VPNs others use” so I explained (in short) my setup: I have installed OpenVPN on my home Raspberry and use it as my “VPN provider”.

The web site you are visiting is right there in the header of the request. Which means everyone knows exactly where you are going. And your ISP or Country can monitor it and block it.

With a VPN you only move the problem; now it’s a different country that can monitor and block it: now it’s from the VPN end point (included) to the website instead of from your home to the website.
If you use it to bypass a block it will work, but if you use it to avoid people knowing which websites you visit a VPN is useless.
Also note that the only information leaked by HTTPS is the domain (not the full URL) and IP; if you enable encrypted SNI, only the IP address.

@lurker

trivial to do a MITM job with TLS handshakes in both directions

Why is it trivial with HTTPS but not a VPN? Both use public key and the VPN public key/configuration is downloaded from an HTTPS website.
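Matteo’s point above (and tim’s earlier one about the site name being visible) as an added example, not part of the original thread or any commenter’s code. The hostname an on-path observer sees is not in an HTTP header, which is encrypted, but in the server_name extension of the cleartext TLS ClientHello; with encrypted SNI (ECH) the cleartext server_name carries only the fronting server’s public name. The code below builds constructed ClientHello records (zero random, a single cipher suite, none of the other extensions a real client sends) and parses them the way a passive observer on the Wi-Fi, at the ISP or at a VPN exit would. The ECH extension codepoint 0xfe0d is taken from the ECH draft, the successor of the ESNI design the comment refers to, and is an assumption of the example.

```python
import struct

SNI_EXT = 0x0000   # server_name (RFC 6066)
ECH_EXT = 0xFE0D   # encrypted_client_hello; draft codepoint, assumed for this example


def build_client_hello(server_name, extra_extensions=()):
    """Build a minimal ClientHello record (constructed sample, not a real capture).

    Zero random, one cipher suite and only the extensions passed in; the observer
    below depends on the extension framing alone, so the rest is omitted.
    """
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", SNI_EXT, len(sni_list)) + sni_list
    for ext_type, ext_data in extra_extensions:
        exts += struct.pack("!HH", ext_type, len(ext_data)) + ext_data
    body = (
        b"\x03\x03"                              # legacy_version TLS 1.2
        + bytes(32)                              # random (zeros in this constructed sample)
        + b"\x00"                                # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # legacy_compression_methods: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body             # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # handshake(22)


def _parse_sni(data):
    """Return the host_name entry of a server_name extension body, or None."""
    if len(data) < 2:
        return None
    list_end = min(2 + struct.unpack("!H", data[:2])[0], len(data))
    pos = 2
    while pos + 3 <= list_end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == 0 and len(name) == name_len:
            return name.decode("idna")
    return None


def observe(record):
    """What a passive observer learns from the first TLS record of a connection.

    Returns (server_name_or_None, has_ech). When has_ech is True the visible name is
    the client-facing server's public name; the real target sits in the encrypted inner hello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    pos = 2 + 32                                               # legacy_version + random
    pos += 1 + body[pos]                                       # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]       # cipher_suites
    pos += 1 + body[pos]                                       # legacy_compression_methods
    if pos + 2 > len(body):
        return None, False                                     # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(body):
        raise ValueError("extensions overrun ClientHello")

    sni, has_ech = None, False
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if len(data) != ext_len:
            raise ValueError("extension overruns ClientHello")
        if ext_type == SNI_EXT:
            sni = _parse_sni(data)
        elif ext_type == ECH_EXT:
            has_ech = True
    return sni, has_ech


def describe(record):
    """One-line summary of the observer's view."""
    sni, has_ech = observe(record)
    if sni is None:
        return "no server name in the clear"
    if has_ech:
        return f"outer name {sni} only; real target encrypted (ECH)"
    return f"target {sni} visible in the clear"


if __name__ == "__main__":
    print(describe(build_client_hello("www.example.com")))
    print(describe(build_client_hello("public.example", [(ECH_EXT, bytes(48))])))
    print(describe(build_client_hello(None)))
```

Run against real traffic the same parser would be fed the first record of each TCP stream to port 443. The destination IP stays visible in every case, which is the residue Matteo mentions; what a VPN changes is only who gets to run this parser on your packets.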

Matteo October 24, 2019 5:17 AM

@dimi
In fact I’m using my Raspberry; also, the network should always be treated as unsafe/untrusted; there is really no reason except bypassing a block to get a VPN.
They will not make your traffic any safer because they can not cover the whole path, exactly like your wifi password doesn’t make your connections safe because it covers only the first 50 meters of the path.
What about the rest?
HTTPS solves the problem: it begins on your computer and ends on the destination computer: end-to-end. This! Works.

Frank October 24, 2019 8:27 AM

Opera built in VPN (browser proxy) ditto Tenta browser and Firefox/Cloudflare for US users (Or set up via VPN US setting)
Free Android VPNs: Calyx, Bitmask, Riseup
+Psiphon Pro

Some routers have VPN settings or modified with Asuswrt-Merlin and DNS lookup via likes of Cloudflare, using local ISP for www connections

Tor browser is getting quicker these days

lurker October 24, 2019 4:42 PM

@dimi: Why not get small appliance at home and install openvpn on. Its your network, your VPN so you don’t have to worry…

Riiight, it’s your IP in the packet headers with the flag saying shoot me. That seems like security by obscurity to me, you’re such a small target you’re less likely to be directly aimed at. If it works for you go for it.

SpaceLifeForm October 24, 2019 5:24 PM

@Bruce, @Clive

LOL. Great article. LOL.

Seriously. No, just no.

Just say NO to VPN or TOR.

Just, NO.

LOL. They just don’t get ip, and RSA.

Jim October 24, 2019 6:22 PM

I’m curious what VPNs others use, and why they should be believed to be trustworthy.

This past Winter, after several weeks of careful analysis, I chose Mullvad as my VPN.

Reasons I believe Mullvad is trustworthy:

Website inspires a feeling of trustworthiness
The website is simple, uncluttered, to the point. No pop-ups, no trackers, no excessive cookies, no count-down timers to get the “deal of the day.”
The company name, owners and principal employees are listed prominently.
Mullvad has no affiliate program. Therefore VPN review sites receive no “kickback” for referring potential customers.
Not a fly-by-night operation: in the VPN business since 2009.
Supports the Center for Democracy & Technology (CDT) VPN Questionnaire Project.

Anonymous, numbered accounts
No name, email or other info needed for registration.
Payment can also be anonymous.

Security
Mullvad’s VPN application is open-source software.
Only offers the OpenVPN and WireGuard security protocols. (Unlike many VPNs, does not even provide the option of using the older and insecure PPTP.)
Has submitted to a third-party audit.

Highly rated on unbiased site
Mullvad is very highly rated on the only unbiased VPN info site of which I am aware: ThatOnePrivacySite.

Jim

François October 25, 2019 12:31 AM

I use F-secure Freedome and ProtonVPN.
Having no way of assessing their security, I picked EU companies because they must comply with GDPR, which gives a higher probability that they have a proper security program in place.

Bill October 25, 2019 7:16 AM

I guess I’m glad I dumped NordVPN a couple years ago after signing up for their 3 year plan on some kind of fire sale. I didn’t like that you had to use their client, and everything was too slow. This just confirms my decision.

Currently, I’m using iVPN.net for VPN service. I pay $99/year, and haven’t had any issues with the service. I Google around for them every few months to make sure there hasn’t been news of a breach, and I’ve been happy so far.

Brian October 25, 2019 1:42 PM

My company had a team of interns implement in three months software that successfully de-cloaks traffic coming out of a VPN and maps it back to individual users and individual user devices. I was always skeptical about the effectiveness of VPNs, and that de-cloaking project cemented my doubts in stone. I no longer recommend any VPN products to my friends and family who are concerned about privacy or security. VPN traffic by its nature invites scrutiny, anyway.

Bram October 26, 2019 8:59 AM

The reason for using a VPN is simple: protection from the “sleepwet” we have in the Netherlands: the government is allowed to store my activity for five years if one of my neighbors Googles “how to make a bomb” (not how it really works, but how it feels ;-))

AzireVPN has a great article on how they provide their own hardware to circumvent exactly the problem that NordVPN had, and include a patched kernel to keep root from being able to wiretap.

RealFakeNews October 28, 2019 4:40 AM

GDPR is no guarantee of privacy.

It seems many people are unaware that after the original GDPR legislation was passed, it was so restrictive it caused ad networks problems.

Money talks, so very shortly after it appeared, several amendments were made that basically neutered the original intent.

Now, as long as the privacy terms say that they’re harvesting all your data and your continued use (not explicit consent) is agreement to this, that is all that is required for “business as usual”.

GDPR is as useless as the cookie law, the only difference being explicit consent is not required; only continued use.

Basically: accept it, or don’t use the product/service.

The only companies being caught out are those who don’t say somewhere what they’re collecting. That is all that is required to comply.

I trust EU companies less than US companies, because the EU is more nefarious with its laws. In the UK there is the RIPA Act. The rest of the EU has similar legislation.

The US actually has better protection of user rights within the USA than the EU. The problem is “rest of the world”.

Don’t however think for a moment the EU has stronger privacy rights. That’s what they want you to believe.

TRX October 29, 2019 2:45 PM

I don’t expect that my communication is secure from government agencies. But even a cheap, iffy VPN is fine for avoiding geotracking, packet inspection or insertion, etc.

I have nothing to hide, but that doesn’t mean I’m okay with almost every link in the chain sniffing my packets to either build a file on me or try to sell me something.

Urk October 29, 2019 4:51 PM

What do people mean when they say they set up their own VPNs? I don’t understand. Do you just happen to have a server on an island somewhere that you control, yet have no traces back to you? Who pays for the server? Is not “having internet in someone else’s name” the same thing?

1&1~=Umm October 29, 2019 5:12 PM

@Urk:

“What do people mean when they say they set up their own VPNs? I don’t understand.”

All you need are a source and destination computer and some kind of secure link between the two of them.

I’m guessing you are having problems getting your head around the destination computer?

Back in times past, Universities gave students VPN or equivalent capability, simply so that expensive software limited to a narrow IP address range could be used by students whilst at home.

Many ‘web hosting’ companies that offer Open Source Unix style user OS etc; their management rarely if ever care if you set up the end of a VPN on the remote desktop.

In theory any cloud service could be used that way as well.

There are quite a few more options including Mix-nets and Onion-routing…

tds October 30, 2019 3:47 PM

https://www.nsa.gov/News-Features/News-Stories/Article-View/Article/1982939/nsa-cybersecurity-advisory-malicious-cyber-actors-leveraging-vpn-vulnerabilitie/ (USG, Oct. 7, 2019)

“NSA Cybersecurity Advisory: Malicious Cyber Actors Leveraging VPN Vulnerabilities for Attack; Check VPN Products for Upgrade

[…]

Known vulnerabilities include Pulse Secure™, Palo Alto GlobalProtect™, and Fortinet Fortigate™ VPN products. If you suspect you may have been compromised:…”

Peter October 31, 2019 4:58 AM

I use PIA. But I would never use it for anything that I wouldn’t do without it anyway. It is useful when I need to change my Geolocation info for some reason or when I do not trust the available ISP as much as PIA. So VPNs can be useful but nobody should trust their lives with them.

Ben G October 31, 2019 9:44 AM

Well, I’m still using NordVPN and I will use it. Yes, the breach should’ve been disclosed earlier, but looking from the company’s perspective I would do the same. Especially knowing that they were checking every server for possible breaches, they had to make sure that everything is secure. Imagine if they really did release this immediately without checking; this would receive the attention of so many hackers, with the possibility that there are still some holes in the security. I think everything is fine, and will be okay for the company. (only because they are taking this seriously and moving to RAM)

lkjlkj October 31, 2019 6:20 PM

I use one occasionally, but it’s more about protecting myself from my ISP, unknown WiFi networks, and Google than anything else. I don’t trust my VPN provider (or any others), and I’ve always suspected it may have connections to spy agencies. I operate with the assumption everyone is getting hacked at some point, and I do what I can to protect myself given that reality.

I’m not sure what I would do if my Internet privacy were literally a matter of life and death or my freedom as it is for those in China and many Middle Eastern countries.
