VPNs Archives - Center for Democracy and Technology
https://cdt.org/area-of-focus/cybersecurity-standards/vpns/

Tech Talk: Trustworthy VPNs
https://cdt.org/insights/tech-talk-trustworthy-vpns/
Fri, 19 Oct 2018 22:00:37 +0000

CDT’s Tech Talk is a podcast where we dish on tech and Internet policy, while also explaining what these policies mean to our daily lives. You can find Tech Talk on SoundCloud, iTunes, and Google Play, as well as Stitcher and TuneIn.

Are all of you using a VPN to mask your internet browsing and protect your privacy? My hunch is that our tech-savvy listeners are all about using a VPN, but of course, not all VPNs are created equal.

CDT has launched a new initiative aimed at helping internet users better assess the trustworthiness of VPNs, and a number of VPN providers were active partners in this process, which is awesome.

In this episode, our Data & Privacy mensch Joe Jerome joins us to talk about the effort and what makes for a trustworthy VPN.

Techsplanations: Part 5, Virtual Private Networks
https://cdt.org/insights/techsplanations-part-5-virtual-private-networks/
Tue, 16 Oct 2018 21:09:19 +0000

Previously in this series, we talked about what the internet is and how it works, what the web is, and net neutrality. In this post, we examine the virtual private network, or VPN, a popular and prominent privacy-enhancing tool. We dive deep on what it is, how it works, and then talk about some of the challenges internet users have using VPNs. As before, please refer to this glossary for quick reference to some of the key terms and concepts (in bold).

One increasingly popular and prominent privacy-enhancing tool is the virtual private network, or VPN, which we’re going to explain a bit on this page and talk about some of the challenges internet users have using VPNs.

What is a VPN?

Illustration by Joseph Jerome.

When browsing the internet or connecting “smart” technologies, we leave a trail of information that is valuable to companies, governments, and bad actors. Unsecured Wi-Fi networks are everywhere and easily accessible to anyone with a bit of technical skill who might be curious. A means of shielding oneself from these prying eyes is undoubtedly attractive. A virtual private network, or VPN, creates a virtual tunnel that encrypts and obscures some of this information.

Illustration by Joseph Jerome.

VPNs are a tool that disguises your actual network IP address and encrypts internet traffic between a computer (or phone or any networked “smart” device) and a VPN’s server. A VPN acts as a sort of tunnel for your internet traffic, preventing outsiders from monitoring or modifying your traffic. Traffic in the tunnel is encrypted and sent to your VPN, which makes it much harder for third parties like internet service providers (ISPs) or hackers on public Wi-Fi to snoop on a VPN user’s traffic or execute man-in-the-middle attacks. The traffic then leaves the VPN to its ultimate destination, masking that user’s original IP address. This helps to disguise a user’s physical location for anyone looking at traffic after it leaves the VPN. This offers you more privacy and security, but using a VPN does not make you completely anonymous online: your traffic can still be visible to the operator of the VPN.

It is also important to recognize that a VPN is not the same thing as an ad blocker. It can mask your IP address, but a VPN does not, by default, disrupt other sorts of online tracking. VPNs are not ad blockers or other tools that block efforts to track your activities across websites and devices. The protections offered by a VPN are also not the same as those offered by web browsers, such as private modes that clear cookies on exit or security-focused browsers like Tor. VPNs are generally faster than Tor, but Tor can potentially provide more anonymity.

Why should someone use a VPN?

Why you might use a VPN really depends on your threat model, or what traffic you want to disguise and from whom. Enterprise VPNs have long been used by employers for teleworking or to give remote employees access to employers’ computer networks, but data breaches, government surveillance, and debates about net neutrality have driven additional VPN use by individuals in the United States. For example, when Congress rolled back the FCC’s broadband privacy rules in 2017, VPNs were suggested as one tool to limit the amount of web browsing activities and network information available to ISPs.

While it is true that a trustworthy VPN can shield you from having your ISP see your browsing activities, VPNs provide their best benefits by shielding your activities from other third parties that can monitor traffic on local networks. A VPN is a good tool to have if you do any of the following:

  • Look for any unsecured Wi-Fi networks to connect to while traveling.
  • Frequently take advantage of Wi-Fi networks at coffee shops or airports.
  • Connect to secured networks at hotels or other businesses that monitor internet usage.

Unsecured networks are a big problem; hackers can position themselves between you and the internet access point, or be the access point. This allows complete access to anything you do online. A VPN can protect you from this sort of snooping. More generally, any network that can be monitored by a curious customer, bad actor, or interested employer can warrant a VPN.

Many people seek out VPNs to access content restricted by geography or to torrent and download media. This is because VPNs can disguise your general physical location by changing the IP address seen by the receiving end of your communications. A VPN hides your true IP address, which reveals your general location and can be valuable to anyone from advertisers to law enforcement, and shows your traffic as coming from an IP address assigned by the VPN. This not only protects your privacy by disassociating your web traffic from your home IP address, but also allows VPNs to effectively “tunnel” your traffic to another country or physical location. In this way, VPNs can help people get around content restrictions, blocked websites, and government censorship. VPNs, for example, have been an important tool to help people in China circumvent internet access restrictions and access sites blacklisted by the government.

How does a VPN work?

VPNs rely on servers, protocols, and encryption to disguise your data. If you’ve been reading this series, you should already know what the internet and the World Wide Web (that lies atop the Internet) are. Web servers receive packets of information from your modem, which has an IP address. This content and metadata can be very revealing. While unencrypted data packets are what users are often most concerned about, even our metadata reveals a lot about us. Every piece of technology your modem interacts with can learn a bit about you, which can reveal a great deal cumulatively, over time.

For example, if I visit a website to see what medical help I can get for a rash or infection, that site will learn my IP address and it will frequently log that information. This information can be used to analyze how many people visit a site or where traffic is coming from; it can also be shared with marketers or law enforcement, who can learn other information attached to that IP address. A VPN essentially replaces this visible metadata.

Illustration by Joseph Jerome.

When you launch your VPN, either as software on your computer or as an app on your phone, your traffic is encrypted and sent to your VPN and then sent onward from your VPN’s servers to your ultimate online destination. Third parties see this information as coming from a VPN server and its location, not your computer or your general location. For example, if I search for the IP address of my computer at CDT, I can learn it is 199.119.118.22, located in Arlington, Virginia. When I turn on one VPN, my IP address changes to 178.128.45.1, based in the United Kingdom. Another defaults to placing me in Los Angeles. A third keeps me close to home in Washington, DC.

This ability for VPNs to make it appear that your traffic is coming from elsewhere is how and why VPNs were used to circumvent online censorship controls, or access movies or digital content that are geoblocked. These sorts of activities can violate the terms or conditions of using those services, and many popular services block IP addresses known to be associated with VPNs. That stated, the number, variety, and location of servers that a VPN offers is often an important selling point. Many VPNs rely on third parties to host their servers, but this comes at the expense of having physical, in-house control over them.

In addition to servers, VPNs rely on protocols to ensure traffic arrives at a VPN server and back. These protocols make up the “tunnel” for your traffic and are a mixture of transmission protocols and encryption standards, which can impact the security or speed of your traffic. Transmission protocols like PPTP, L2TP/IPSec, SSTP, IKEv2, and OpenVPN are instructions for how a VPN makes an encrypted connection. Unfortunately, there is no standard transmission protocol. Each has different pros and cons. CDT recommends that most people use connections based on the OpenVPN protocol. Like HTTPS websites, OpenVPN relies on SSL/TLS. OpenVPN is a well-regarded and, importantly, open source protocol, but it may require additional work to download, install, and configure.

There are different levels of encryption to consider, as well. Encryption is like a lock that protects information. For maximum security, bigger is generally better: AES 256-bit encryption provides a good security baseline. A 256-bit encryption key, for instance, would have 1.1579 × 10^77 different lock combinations. Put another way, if the fastest computer in the world were to start guessing combinations, it could take longer than the entire lifespan of the universe to crack your key.

VPNs use encryption for a number of different purposes. For instance, encryption is used in VPNs both to protect information from anyone monitoring the tunnel and to authenticate that both the user of the VPN and the VPN provider are who they claim to be. The level of encryption really depends on what the security risk is, and a user-friendly VPN will explain what encryption method it employs and what options users have.
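
The baseline described above (OpenVPN, AES 256-bit encryption, and authentication of both the user and the VPN provider) can be checked in an OpenVPN client profile. The following Python audit is an added example, not code from CDT or any VPN provider; the finding names and the two sample profiles are constructed for illustration, and the host name in them is a placeholder.

```python
"""Audit an OpenVPN client profile (.ovpn text) against the baseline in the
article: AES-256 for the tunnel, and certificate checks so that the client
authenticates the VPN server. Sample profiles below are constructed."""

AES256 = {"AES-256-GCM", "AES-256-CBC"}


def parse_profile(text):
    """Return ({directive: [args, ...]}, set of inline <block> names)."""
    directives, inline, in_block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if in_block:                             # skip inline cert/key material
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            inline.add(in_block)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives, inline


def _tls_floor_ok(d):
    """True if tls-version-min is present and at least 1.2."""
    values = [a[0] for a in d.get("tls-version-min", []) if a]
    try:
        return bool(values) and tuple(int(p) for p in values[-1].split(".")) >= (1, 2)
    except ValueError:
        return False


def audit(text):
    """Return a sorted list of finding codes; an empty list meets the baseline."""
    d, inline = parse_profile(text)
    findings = []

    # Data-channel ciphers the client will use or offer.
    offered = set()
    for name in ("cipher", "data-ciphers", "ncp-ciphers"):
        for args in d.get(name, []):
            if args:
                offered.update(c.upper() for c in args[0].split(":"))
    if not offered:
        findings.append("cipher-not-pinned")     # result depends on versions
    elif offered - AES256:
        findings.append("non-aes256-cipher")

    # Provider authentication: a CA to verify against, plus a check that the
    # peer presents a server certificate (or the expected certificate name).
    if "ca" not in d and "ca" not in inline:
        findings.append("no-ca")
    server_check = any(a[:1] == ["server"] for a in d.get("remote-cert-tls", []))
    if not server_check and "verify-x509-name" not in d:
        findings.append("server-cert-not-checked")

    if not _tls_floor_ok(d):
        findings.append("tls-below-1.2")

    # User authentication: username/password or a client certificate and key.
    has_cert = ("cert" in d or "cert" in inline) and ("key" in d or "key" in inline)
    if "auth-user-pass" not in d and not has_cert:
        findings.append("no-user-auth")
    return sorted(findings)


_CA = "<ca>\n-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n</ca>\n"

# Constructed sample: legacy cipher, no server-certificate check, no TLS floor.
WEAK_PROFILE = (
    "client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
    "cipher BF-CBC\nauth-user-pass\n" + _CA
)

# Constructed sample: AES-256 only, server certificate checked, TLS 1.2 floor.
HARDENED_PROFILE = (
    "client\ndev tun\nproto udp\nremote vpn.example.net 1194\n"
    "data-ciphers AES-256-GCM\ncipher AES-256-GCM\n"
    "remote-cert-tls server\ntls-version-min 1.2\nauth-user-pass\n" + _CA
)

if __name__ == "__main__":
    print("weak:", audit(WEAK_PROFILE))
    print("hardened:", audit(HARDENED_PROFILE))
```

The audit covers only the client-side directives listed in the code; it says nothing about how the provider configures or operates its servers.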

Sounds great! What’s the catch?

Despite how VPNs are often marketed, they do not make a person absolutely anonymous online. They only disguise your traffic to some third parties. A VPN will not stop services like Google or Amazon from recognizing you if you sign into their services, and VPNs also cannot stop the types of invasive data fingerprinting or web tracking technologies that are pretty good at guessing who you are without your knowledge or participation. VPNs are just one tool among many to protect your online privacy.

And they are a tool that requires you to trust the provider of the VPN service, which can be easier said than done. Trust, or lack thereof, is a huge problem in the world of VPNs. Even the Federal Trade Commission has basically suggested “buyer beware” when it comes to researching and choosing a VPN. The need for trust can be eliminated by installing your own VPN such as Algo, Jigsaw’s Project Outline, or Streisand, but none of these tools are as easy to install or use as a commercial VPN service. They also require a user to sign up for a cloud service provider like Amazon Web Services to host the VPN server.

These tools have gotten more accessible, but for most users, commercial VPN services are the easier solution. This makes the reputation of the VPN incredibly important. Two years ago, Ars Technica detailed the struggle to create a list of trustworthy, safe, and secure VPNs, and even today, while there is an endless number of VPN review sites, it is often unclear how biased or accurate these resources are. That One Privacy Site has become perhaps the most critical source of reviews and comparison information about hundreds of different VPNs, and Wirecutter’s recent exploration into VPNs (which in full disclosure, CDT contributed to) also highlighted privacytool.io as a useful resource for information on VPNs.

CDT has been working with a number of VPNs to promote better practices. You can learn more by visiting CDT’s Signals of Trustworthy VPNs resource page.

Signals of Trustworthy VPNs – Questions for VPN Services
https://cdt.org/insights/signals-of-trustworthy-vpns-questions-for-vpn-services/
Tue, 16 Oct 2018 19:06:00 +0000

CDT has been working with a number of VPNs to promote better practices. You can learn more by visiting CDT’s Signals of Trustworthy VPNs resource page.

Below is a list of questions that a trustworthy VPN service should be able to answer honestly, clearly, and thoroughly, signaling the provider’s commitment to earning user trust. The goal of these questions is to improve transparency among VPN services and to provide a way for users to easily compare privacy, security, and data use practices, encouraging VPNs to deploy measures that meaningfully improve the privacy and security of individuals using their services.

Specific technical features and security choices are outside of the scope of this document. While we believe a baseline security standard and clearer privacy commitments are warranted for VPN services, these requirements require further independent auditing infrastructure and technical consensus.

Unedited Answers: Signals of Trustworthy VPNs
https://cdt.org/insights/unedited-answers-signals-of-trustworthy-vpns/
Tue, 16 Oct 2018 18:00:40 +0000

CDT is interested in advancing better privacy and security practices by providers of virtual private networks, or VPNs. As part of this effort, CDT worked with several VPN services to produce a set of questions that trustworthy VPN services should be able to easily answer.

These questions address issues around VPNs’ corporate accountability and business models, privacy practices, and security protocols and protections. Below is a full list of the questions and answers from VPNs that we are publishing unedited. We hope these answers will improve transparency among VPN services and help users compare the approaches of different VPNs. You can learn more by visiting CDT’s Signals of Trustworthy VPNs resource page.

The VPN services that have contributed to these questions and provided answers are:

1. What is the public facing and full legal name of the VPN service and any parent or holding companies? Do these entities have ownership or economic stakes in other VPN services, and if so, do they share user information? Where are they incorporated? Is there any other company or partner directly involved in operating the VPN service, and if so, what is its full legal name?

FROM CDT: For commercial privacy and security tools, reputation matters. VPNs should be clear about not just the individuals in charge of running and securing a VPN, but ultimately, who owns the company. The more information that a VPN can make available here, the better. If the VPN’s public brand name is different from its legal name, users should know this.

This should include both the brand and incorporated names of the company, specific individuals who are responsible for operating the company and maintaining security, and whether the VPN is part of a larger company.

ExpressVPN is operated by Express VPN International Limited, a privately held British Virgin Islands company. ExpressVPN’s leadership team and owners are not involved in any other VPN company/brand or any business other than ExpressVPN.

While the company, its infrastructure, and its agreements with users all fall under BVI jurisdiction, ExpressVPN’s team is physically distributed across more than a dozen cities worldwide. In many cases we contract with local entities or subsidiaries to provide payroll services for staff that ExpressVPN hires. Our core functions like engineering, network operations, marketing, and customer service are performed by full-time, dedicated employees who work solely on ExpressVPN.

The public facing name is IVPN. The legal name of the company is Privatus Limited. Privatus Limited has no parent or holding companies. There are no other companies or partners directly involved in operating the IVPN service.

The public-facing name is Mullvad VPN.

The legal name of the company is Amagicom AB which is directly owned by the founders Fredrik Strömberg and Daniel Berntsson. Amagicom AB is incorporated in Sweden.

Neither Amagicom AB nor Fredrik Strömberg nor Daniel Berntsson has ownership or economic stakes in other VPN services.

No other companies are directly involved in operating Mullvad VPN.

TunnelBear’s team and offices are based in Toronto, Canada while the corporation, TunnelBear LLC, is incorporated in Delaware, USA. TunnelBear is wholly owned by McAfee. McAfee is a well known security software company, with both consumer and enterprise products. While McAfee owns TunnelBear, TunnelBear operates independently with no TunnelBear customer information shared with McAfee.

Golden Frog, GmbH is the full legal name of the company that offers VyprVPN. You can have more details about our team and company’s ownership on our About Us page.

We do not have economic stakes in other VPN providers and thus do not share any user information with any other VPN service.

Golden Frog GmbH is incorporated in Switzerland and we store all of our customer data in Switzerland. Switzerland’s favorable privacy laws reflect our mission as a company and respect the rights of Internet users.

To our knowledge, we are the only VPN provider in the world that 100% owns and operates its server and network infrastructure, including our zero-knowledge DNS service. We do not rely on third party hosting companies for servers or network services and therefore are not vulnerable to their privacy policies or security practices.

InvinciBull by Finjan Mobile, Inc. is a service of Finjan Holdings, Inc., a NASDAQ company (NASDAQ:FNJN). Finjan licenses the VPN network from partner Avira.

2. Does the company, or other companies involved in the operation or ownership of the service, have any ownership in VPN review websites?

FROM CDT: One of the major issues with VPN reviews across the internet is that there are many incentives for VPN providers to “game” the system. VPN providers should not be reviewing themselves.

No, neither Express VPN International Limited nor any related companies own a VPN review website.

No.

No.

No. TunnelBear offers an affiliate program where we pay commissions to websites who send us customers. We require these affiliates to disclose their financial relationship with TunnelBear. TunnelBear does not own or operate any review or affiliate websites.

No. Our company does not have ownership nor operate any VPN review websites.

Finjan Mobile, Invincibull or Avira do not operate, own, nor do they have any involvement in VPN review websites.

3. What is the service’s business model (i.e., how does the VPN make money)? For example, is the sole source of the service’s revenue from consumer subscriptions?

FROM CDT: A VPN should be upfront about how it makes money and any incentives that aren’t aligned with users’ privacy and security interests. If all or most of the VPN’s revenue comes from customer subscriptions, that suggests a VPN’s users are its actual customers rather than its product. We would note that as VPNs provide “white label” services, such as offering their technology to other companies, and diversify their businesses by offering other security tools or technologies, this should also be disclosed.

ExpressVPN’s sole source of revenue is from consumer VPN subscriptions. We never sell user information or utilize the information that customers provide to us for any purpose other than operating the VPN service.

All revenue comes from VPN customer subscriptions.

All revenue comes from VPN customer subscriptions.

The paid version of TunnelBear solely and exclusively generates revenue from subscriptions. The free version of TunnelBear serves as a marketing tool to permit individuals to try TunnelBear; TunnelBear does not profit from free users by selling bandwidth, usage habits, or use them as a botnet. TunnelBear has plans to offer an SDK which would allow select partners to resell a white labeled VPN service.

We do not sell user data to generate revenue. Our sole source of revenue comes from VyprVPN consumer and business subscriptions.

The sole source of Invincibull VPN revenue is from consumer subscriptions; Invincibull operates as a freemium model.

4. Does the service store any data or metadata generated during a VPN session (from connection to disconnection) after the session is terminated? If so what data?

FROM CDT: A responsible VPN is very up front about what it means by logging and what data it retains over time, even if it is aggregated or anonymous. This should be at the top of any privacy policy or terms of service. It should be separately disclosed and easily discoverable via the VPN’s website or app.

ExpressVPN’s apps and servers are engineered to categorically eliminate sensitive information. We do collect limited metadata to aid technical troubleshooting and service improvements, which are: operating systems and app versions successfully activated; dates (not times) when connected to the VPN service; choice of VPN server location (no IP addresses are ever stored); total amount (in MB) of data transferred per day. None of the above data enable ExpressVPN or anyone else to match an individual to specific network activity or behavior.

Optionally, users may also opt to share anonymized analytics data such as speed test data, connection failures, and crash reports. These diagnostic reports do not tie back to individual users because we’ve engineered our apps to never know which user sends which data. For details, please see our Privacy Policy.

No.

No. For details, see our privacy policy (https://www.mullvad.net/en/guides/no-logging-data-policy/).

No. TunnelBear is proud to not store any data surrounding the times and IP addresses when people use TunnelBear. We do collect the aggregate amount of data you use in a given month. This data usage is not session specific, aggregated over the month and deleted once a new month starts.

At TunnelBear, we spend a lot of time thinking about how to reduce the data that we’re collecting and share the process with our customers. Since 2014, our privacy policy has documented every piece of data that we collect both through our service and more recently, on our website. Having a comprehensive policy has meant that every decision we make has to consider the privacy impact.

Whether it’s designing features like our map to not store your IP address, setting up marketing tools to respect privacy or even creating our own privacy focused social media buttons, we try to consider privacy in every decision we make. Most recently, in preparation for the GDPR, TunnelBear launched a tool which allows customers to see exactly what information we store.

[UPDATED 01/14/2019] VyprVPN is a zero log VPN Service. We do not record or retain any data when you use the VyprVPN Service.

We engaged a respected security firm to audit our zero-log policy so users have third party validation of our logging policies. You can view the full report here at: VyprVPN Letter of Attestation and No Log Assessment by Leviathan

This means:
· We do not log a user’s source IP address (typically assigned to the user by their ISP).
· We do not log the IP address assigned to the user when using VyprVPN.
· We do not log connection start or stop time.
· We do not log a user’s traffic or the content of any communications.
· We are network neutral. We do not discriminate against devices, protocols, or application.
· We do not throttle or rate limit your Internet connection.

InvinciBull does not store nor does it track any data or metadata generated during a VPN session, nor after the session is terminated. We require an email to register for the service, and know the date of registration, last log on and whether or not users paid for a subscription and/or participated in promotions.

5. Does your company store (or share with others) any user browsing and/or network activity data, including DNS lookups and records of domain names and websites visited?

FROM CDT: This question further addresses the need for VPNs to be clear about how they treat data that could conceivably fit into the definition of “usage” or “activity” logs. VPNs should not maintain this information.

No, ExpressVPN never logs any user browsing or network activity data, and we go to great lengths to ensure such information never even hits a disk on any server. We run our own private, zero-knowledge DNS on every VPN server. And of course, as we do not possess any such activity data, we do not (and cannot) share it.

No.

No. For details, see our privacy policy (https://www.mullvad.net/en/guides/no-logging-data-policy/).

No. We do not collect connection times, IP addresses, DNS requests, browsing data, or anything else that could be directly linked with an account. TunnelBear has an easy to read privacy policy that outlines what data we collect and how we use it. In it, we explain that we log no customer activity.

We do not store or share any browsing, network activity data, or DNS lookups. We own and operate our own server and network infrastructure, including our zero-knowledge DNS service, so we can ensure that user data is not shared with any third party. This is part of our commitment to providing the highest level of user privacy.

Furthermore the company does not store, nor does it share with others any user browsing and/or network activity data, including DNS lookups and records of domain names and websites visited.

6. Do you have a clear process for responding to legitimate requests for data from law enforcement and courts?

FROM CDT: A VPN’s physical location and the national law it operates under can afford users different privacy protections and does dictate how a VPN might respond to a government request for data. CDT recommends that VPNs, at minimum, provide transparency reports about how often they receive court orders and other government requests and have a clear process in place for responding to any requests for data.

Our first principle is that we never store any data that could match an individual to specific network activity or behavior. Thus, our process is to inform law enforcement that we do not possess logs of connections or user behavior that could associate a specific end user with an infringing IP address, timestamp, or destination. Not storing any sensitive information also protects user privacy and security in the event of law enforcement gaining physical access to servers. This was proven in a high-profile case in Turkey in which law enforcement seized a VPN server leased by ExpressVPN but could not find any server logs that would enable investigators to link activity to a user or even determine which users, or whether a specific user, were connected at a given time.

ExpressVPN is based in the British Virgin Islands, a jurisdiction with strong privacy legislation and no data retention requirements. Legally our company is only bound to respect subpoenas and court orders when they originate from the British Virgin Islands government or are made in conjunction with BVI authorities. The British Virgin Islands only upholds foreign governments’ requests for information when the crime under investigation would be punishable by at least a one-year prison sentence under BVI law (dual criminality provision).

Yes, please see Law Enforcement Legal Process Guidelines: https://www.ivpn.net/legal-process-guidelines …and Transparency report: https://www.ivpn.net/transparency-report

Yes, see our article “How we handle government requests for user data:” (https://mullvad.net/en/guides/how-we-handle-government-requests-user-data/).

Over the past 7 years, more than 25 million people have connected to TunnelBear. By design, we don’t know much about who these people are or how they’ve used our service. We’ve done this on purpose, as we see it as crucial to operating a VPN service.

When TunnelBear receives a request from governmental authorities, law enforcement agencies or in connection with a legal proceeding, the request is reviewed by our legal counsel to ensure that the request is valid and to determine the appropriate nature and scope of our response.

At TunnelBear, we believe that the best way to protect our customer’s privacy is simply to not store data that puts your privacy at risk. If we’re required to respond to a request, you can see the exact data that we might be required to provide by downloading a copy of your data from TunnelBear’s privacy center.

Yes. All legal requests are directed to Golden Frog GmbH’s legal team. Golden Frog GmbH is a Swiss corporation and because all customer data is stored in Switzerland, we are legally prevented from directly answering any foreign (non-Swiss) legal requests. We will only respond to a valid legal order from the relevant Swiss law enforcement agency acting on its own or at the request of a foreign law enforcement agency using the proper Mutual Legal Assistance Treaty with its legal jurisdiction.

Finjan Holdings (InvinciBull’s parent company) may share your email address if Finjan believes that such sharing is required by law. We will take commercially reasonable steps to notify you if we are required to provide your personal information to third parties as part of a legal process. Finjan also may use and disclose your information in the prosecution or defense by Finjan of any litigation involving Finjan that arises out of, or is related to, your use of any Finjan product, service or right.

7. What do you do to protect against unauthorized access to customer data flows over the VPN?

FROM CDT: It is very difficult for an individual to assess the security practices of a VPN. While perfect privacy and security do not exist, VPN users can expect trustworthy VPNs to use up-to-date protocols and software/hardware hardening. Several practices CDT thinks are important to look out for include practices and policies around software updating (“patching”), vulnerability handling (which includes “bug bounties” as well as processes for addressing flaws), and any discussion of technical, administrative, and even physical security.

ExpressVPN takes the following approach to ensuring the security of our systems and customers:

• Make systems very difficult to compromise.
• Minimize the potential damage if a system were to be compromised.
• Minimize the amount of time that a system can remain compromised.
• Validate these points with regular penetration tests, both internal and external.

Specifically for our VPN servers, here are some examples of measures we employ:

Being difficult to compromise:
• Fast patching, made possible through automatic provisioning and deployment.
• Hardened OS and applications
• Training of employees
• Requiring multi-factor authentication, including YubiKey physical touches for commits and SSH access
• Hardening workstations, i.e. protecting devices used by employees by eliminating risks and threats
• Using bastion boxes for SSH access, which channel information between the internet and the internal network through a high-security intermediary
• Strong security settings for the VPN:
i. Secrets generated on the server itself
ii. Weak authentication protocols are disabled
iii. Strong encryption and hashes
iv. Perfect forward security to ensure that compromised or stolen encryption keys do not affect the security of past or future communications (learn more here: https://www.expressvpn.com/blog/perfect-forward-secrecy/)
v. Clients strongly authenticate servers: clients expect both a signature from our CA, as well as a specific common-name for a given server; we can revoke server certificates in less than an hour (learn more here: https://www.expressvpn.com/blog/secure-expressvpn-server-connections/)
• Code audits
i. Requiring code reviews for all changes
ii. GitHub scanning for known vulnerabilities in dependencies
iii. External scanning for known vulnerabilities
iv. Static analysis tools running with every commit as part of our Continuous Integration process.
v. Audits by external security penetration testers
• Physical security of the team and infrastructure.

Minimizing the potential damage stemming from a compromised server:
• Encrypted filesystem
• Services running with least privilege possible
• Authentication credentials are strongly hashed

Limiting the length of time that a system can remain compromised:
• Notice hacks early: Intrusion detection, including integrity checks at boot
• Read-only disk image running in RAM only, doesn’t use disk, which means neither data nor access by hackers can persist
• Frequent rebuilds of the OS to ensure servers are regularly patched and preventing attackers from having persistence (learn more here: https://www.expressvpn.com/blog/how-expressvpn-keeps-its-web-servers-patched-and-secure/)
• Frequent reboots: since we boot into a read-only image with integrity checks, a reboot will clear most attempts at persistence

In general, security is ingrained in our culture. ExpressVPN’s reputation and long-term business success depend on protecting our customers. We believe we are both properly incentivized as well as capable of doing this well.

We maintain a library of content detailing various other measures for other parts of our service such as our website, API servers, and customer support team. For more information, please visit our Trust Center: https://www.expressvpn.com/trust.

If an adversary gains physical access to a server it is prudent to assume that they will gain access to the unencrypted data stored on the server. As VPN servers are not under the direct physical control of IVPN they have been designed with the expectation that they will be compromised. To protect the privacy of IVPN customers the following controls are implemented:

• No logs relating to the customer connection or network activity generated by an IVPN user are created or stored. This includes not creating any temporary or in-memory logs.
• No storage of information relating to an IVPN user’s account i.e. authentication credentials are not stored locally.
• 24/7 monitoring of all servers to alert IVPN of any suspicious activity or if a server is taken offline. If a server is offline and there is no evidence from the data center that it is a hardware fault then procedures are followed to revoke the certificates on the server to prevent a potential MITM attack.

Administrative controls:
• Implementation of an Information Security Management System (ISMS) based on ISO 27001.
• Background screening of all employees.
• Mandatory information security training.
• Vetting of data centers where servers are hosted.
• Patch management policy to ensure consistent and rapid resolution of vulnerabilities.
• VPN servers do not store any logs relating to the customer connection or network activity generated by the customer. VPN gateways do not store any information relating to a user’s account e.g. authentication credentials.

Technical controls:
• Enforcement of 2FA for system access.
• Access control using a private VPN with RSA 4096 certificates for authentication.
• Mandatory Access Controls (SELinux).
• Firewalled IPMI.
• Full disk encryption (LUKS) requiring password entry at boot.
• Configuration management software to enforce consistent configuration and security controls based on CIS Benchmarks.
• 24/7 systems monitoring and alerting of suspicious system activity using host-based integrity protection.

Customer connections:
• Customer VPN connections are secured using OpenVPN with RSA-4096 / AES-256-GCM keys.
• Full mesh multi-hop network – IVPN customers can choose to connect to any location in the IVPN infrastructure and have their VPN traffic exit in any other location. To enable this functionality, secure VPN tunnels are established between every server in the IVPN network. This makes it significantly more difficult for an adversary to gain access to a server as the servers would be in multiple jurisdictions. In addition, should the exit server be compromised the adversary would not be able to trace an IVPN customer’s connection other than to the entry VPN server.
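As an added example (not code from CDT or from any provider quoted here): a small Python audit of an OpenVPN client profile for the client-side settings the answers above mention, namely a pinned CA plus an expected server name, strong ciphers and digests, and a TLS version floor. The sample profiles, host names and finding IDs are constructed for illustration, and treating SHA1 and a TLS minimum below 1.2 as findings is this example's own policy choice.

```python
# Constructed sample profiles; host and file names are placeholders.
WEAK_PROFILE = """client
remote vpn.example.net 1194 udp
ca ca.crt
cipher BF-CBC
auth SHA1
"""

HARDENED_PROFILE = """client
remote vpn.example.net 1194 udp
ca ca.crt
remote-cert-tls server
verify-x509-name vpn-node-01.example.net name
tls-version-min 1.2
data-ciphers AES-256-GCM
auth SHA256
"""

# Policy sets chosen for this example, not taken from any provider.
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "RC2-CBC", "NONE"}
WEAK_DIGESTS = {"MD5", "SHA1", "NONE"}

def parse_profile(text):
    """Map each directive to its argument list; comment lines are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("<"):          # inline block such as <ca> ... </ca>
            line = line.strip("</>")
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).extend(args)
    return directives

def audit(text):
    """Return the sorted list of finding IDs for one client profile."""
    d, findings = parse_profile(text), set()
    if "ca" not in d:
        findings.add("no-ca")                  # nothing anchors the server chain
    if (d.get("remote-cert-tls") or [""])[0] != "server":
        findings.add("no-server-cert-usage-check")
    if "verify-x509-name" not in d:
        findings.add("no-server-name-check")   # any cert from the CA is accepted
    offered = {c.upper() for k in ("cipher", "data-ciphers", "ncp-ciphers")
               for arg in d.get(k, []) for c in arg.split(":")}
    if offered & WEAK_CIPHERS:
        findings.add("weak-cipher")
    if {a.upper() for a in d.get("auth", [])} & WEAK_DIGESTS:
        findings.add("weak-digest")
    if (d.get("tls-version-min") or ["0"])[0] not in ("1.2", "1.3"):
        findings.add("tls-min-below-1.2")
    return sorted(findings)
```

An empty list from `audit()` means only that these directives are present in the profile; it says nothing about how the server side is run.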

Secure systems are required for privacy, and since Mullvad’s beginning, security has always been deeply ingrained in our culture.

• In our app we offer such security features as a kill switch, DNS leak protection, and IPv6 support, all of which we were either first or among the first.
• We only utilize the two best VPN protocols, OpenVPN and WireGuard (we were an early adopter of the former and we pioneered the latter).
• Because reliability is paramount, our app is built in Rust, a programming language made for building secure programs.
• We use code signing for app and server code.
• All of our sysadmins use the Qubes operating system, as does most of our team.
• We also protect our laptops against tampering.

Protecting our customers’ data and preventing unauthorized access is our highest priority. We employ an extensive list of processes, techniques and services.

Our infrastructure and client apps have undergone extensive hardening, testing and the VPN industry’s only independent public security audit.

TunnelBear hardens every server with full disk encryption, malware and intrusion scans and intrusion protection techniques. Security patches are up to date. Hardware 2FA is extensively applied throughout our organization. SDLC methodology is followed with all development and is architecturally reviewed, peer-reviewed, tested and independently audited on an annual basis – the results are available for the public to see.

Our approach is unique in the VPN industry; we fully own, engineer, and manage our VPN servers and network. Therefore, we are the only company that handles VyprVPN users’ data and we can guarantee higher levels of protection and security from end-to-end.

Unlike competitors, we don’t use any 3rd-party companies to host our servers and we have 24/7 monitoring for unauthorized changes or physical access to all servers and networks.

InvinciBull is committed to protecting against unauthorized access to customer data flows over the VPN. InvinciBull does not have access to our customers’ data flow, and we do not store it. All data that passes through the Invincibull VPN is encrypted through patented, military-grade AES 256-bit encryption; and thus no one can see it.

8. What other controls does the service use to protect user data?

We work to empower customers to protect their privacy and security in every aspect of what we do. In addition to those we’ve mentioned in previous answers, some other ways we do this include:

• Open-source leak testing tools, aimed at enabling reviewers and other third parties to independently verify leakproofing claims, providing insight into what our engineers work on to protect users, and raising the bar for the entire VPN industry.
• Acceptance of Bitcoin as payment for those seeking to increase their anonymity.
• Comprehensive and transparent Privacy Policy explaining how we treat sensitive data, what we store and never store, and why.
• Transparency and disclosure to users when things go wrong and we accidentally ship bugs in our software, through blog posts and other communications.
• Bug bounty program for any potential security vulnerabilities and privacy leaks.
• Extensive guides to general privacy and security matters on our website, including primers on tech safety for survivors of domestic violence, securing your mobile device, protecting your financial privacy, and more.
• Contributions to the VPN community, including helping to fund the Open Source Technology Improvement Fund’s (OSTIF’s) independent security audit of OpenVPN.
• Public advocacy for digital rights, including sponsoring and working with organizations such as OpenMedia (who we recently joined up with to develop a Message-Your-MEP tool) and the EFF.

• IVPN has accepted anonymous payments using cash since 2010. Customers are also able to pay anonymously using Bitcoin if they are able to source Bitcoins anonymously.
• All VPN servers are built using Open Source software e.g. CentOS, OpenVPN, StrongSWAN etc.
• Vulnerability disclosure process at https://www.ivpn.net/vulnerability-reporting
• Warrant canary – https://www.ivpn.net/resources/canary.txt
• IVPN is a transparent organisation with information about staff published on https://www.ivpn.net/aboutus and LinkedIn.
• In-depth privacy guides for IVPN customers – https://www.ivpn.net/privacy-guides

We offer a number of features to protect our users’ privacy, including these industry firsts:

• We accept payment with cash in the mail and Bitcoin.
• In our account sign-up process, we ask for no personal information whatsoever, not even an email address.
• Our VPN app is open source (find an independent audit report of it on our website).

We are also contributors to the privacy and security communities at large. When we discovered that OpenVPN was vulnerable to Heartbleed and later Shellshock, our warning to the community benefited many other VPN services who took action based on our advice. In addition, we are the only VPN service to currently offer VPN tunnels with experimental post-quantum security.

TunnelBear is proud to be the first and only VPN provider in the world that has released a public, full infrastructure security audit from a verified third party. We have hosted bug bounties, accept honey and Bitcoin as alternative payment options for privacy conscious customers, and continue to have annual full audits of our system, apps and code.

Any site-to-site transfers of customer metadata are via encrypted channels only.

We store no credit card or other immediately abusable payment information for any of our customers. (We utilize well known, industry standard, payment processors to protect this information.)

We utilize multiple protocols for encryption which include a NAT firewall for all connections.

Additionally, we have a Kill Switch feature which automatically blocks your internet connection whenever VyprVPN is disconnected.

Additionally and perhaps most importantly, we are constantly investing in our talent to ensure that they are experts in their fields and prepared for any potential challenge. We truly work to guarantee our customers are getting the best, most secure service available.

Invincibull adheres to industry standard security protocols, backed up by a strong privacy policy, https://ulm.finjanmobile.com/app-privacy-statement/ clearly available to all, and to which we adhere. Our goal is to protect customer information and we are continually improving and updating our protocols. We use WPENGINE to host the site and they are a leader in hosting, security, data integrity, monitoring, etc. (http://www.wpengine.com). We further secure the site with a number of security related plugins that require secure passwords, HTTPS security/ encryption, oauth2 API tokenization, blacklisting suspected IPs, etc. Invincibull launched in September of 2018 and was independently audited by CybeRisk upon launch. We will continue to conduct periodic security audits of the site.

How does Finjan and Finjan Mobile secure and safeguard your information and notify you of a data breach?

Finjan uses, and requires that its service providers use, commercially reasonable physical, technical, administrative, and other safeguards designed to prevent unauthorized access to, use of, alteration of, or destruction of your information. In addition, we limit the use and disclosure of your personal information, and work to ensure that anyone with whom we share such information treats that information with the privacy and security it deserves.
To the extent applicable law requires that Finjan notify you that your personal information was, or is reasonably believed to have been acquired by an unauthorized person, Finjan will provide that notice by email (using the latest available address in our records) or as otherwise required by applicable law.

Additionally, Invincibull VPN adheres to these additional signals of trust through the use of open source code where possible, as stated in our End User License Agreement: https://www.invincibull.io/eula/.

The post Unedited Answers: Signals of Trustworthy VPNs appeared first on Center for Democracy and Technology.
