OpenVPN 2.4 Audit Moving Forward

Private Internet Access, which is a VPN provider, announced this week that it is going to fund an audit of OpenVPN 2.4. The audit will be led by Dr. Matthew Green, assistant professor at the John Hopkins Information Security institute. According to PIA’s announcement,

Private Internet Access has contracted Dr. Green as an independent consultant to do a comprehensive evaluation of the version of OpenVPN that is currently available on GitHub and search for security vulnerabilities. Once OpenVPN 2.4 is out of beta and released, the final version will be compared and evaluated to complete the security audit.

The OpenVPN 2.4 audit is important for the entire community because OpenVPN is available on almost every platform and is used in many applications from consumer products such as Private Internet Access VPN to business software such as Cisco AnyConnect. Instead of going for a crowdfunded approach, Private Internet Access has elected to fund the entirety of the OpenVPN 2.4 audit ourselves because of the integral nature of OpenVPN to both the privacy community as a whole and our own company.

Once the independent audit is completed, Private Internet Access will share the final report with OpenVPN prior to releasing the results to the public. Furthermore, we will work with OpenVPN to ensure that any discovered vulnerabilities are fixed before publishing.

This is excellent news. Nice to see a company that relies on these open Internet systems to put some money up to ensure their users are secure.

AirVPN’s Responses to TorrentFreak’s VPN Questions

Back in 2011, TorrentFreak did a survey of third party VPN services in response to some high-profile incidents in which companies running VPNs ratted out their customers. Recently, TorrentFreak did a similar survey that had a fairly striking omission–TorrentFreak didn’t include and apparently didn’t bother to even ask its questions of AirVPN, which I and others concluded was the best VPN available based on its 2011 survey. TorrentFreak hasn’t explained why AirVPN was left out, but AirVPN went ahead and answered TorrentFreak’s questions in their user forums, and TorrentFreak finally got around to updating its original story to include AirVPN’s answers.

Anyway, since I don’t like the format in which TorrentFreak offered up the answers, here are their questions with AirVPN’s answers, which  highlight why I continue to be a loyal AirVPN customer.

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

No, we don’t keep any log that might be exploited to reveal customers’ personal data during connections, including real IP address. For example OpenVPN logs are sent to /dev/null (Air is based on OpenVPN). Our privacy policy is available here: https://airvpn.org/privacy

On top of that our VPN servers do not maintain any account database.

2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?

Italy. We do not share any information with any 3rd party.

3. What tools are used to monitor and mitigate abuse of your service?

Automatic triggering based on patterns to detect and if possible block as soon as possible various types of attacks (for example UDP floods) against or from our servers.

4. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

They are ignored. Now and then we reply asking for a more substantiated proof and asking to disclose the technical method according to which a takedown notice has been prepared, but so far none of the entities we queried disclosed such information, in absence of which the notices pertaining to p2p are simply vague and unproven claims from some private entity.

5. What steps are taken when a valid court order requires your company to identify an active user of your service?

No help can be given about past connections because we don’t log, monitor or inspect our clients traffic, and we don’t and can’t require a proof of identity from our customers. However, if the court order pertains to presumed actions which infringe our Terms of Service and in particular that in any way violate, directly or indirectly, or aid the violation of, the ECHR, we can try to help the court in the best way we can with subsequent investigations and if possible with the help of proper and competent authorities.

6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

Yes. p2p protocols are perhaps a set of the most exciting protocols invented in the last 12-13 years, so they are actively encouraged on every server. We do not discriminate against any application or protocol, in compliance with our mission and to stay a mere conduit of data.

7. Which payment systems do you use and how are these linked to individual user accounts?

We accept Bitcoin, many credit cards, PayPal. Each payment is linked to an account only in order to provide service delivery and to comply to our refund policy.

8. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

We put into practice the recommendations of security expert and best practices on our setup, based exclusively on OpenVPN with the following features:

Data Channel: AES-256-CBC
Control Channel: HMAC SHA1
RSA keys size: 2048 bit
PFS (Perfect Forward Secrecy): yes. TLS re-keying is performed by default every 60 minutes through DHE as well as at each new connection. As an additional option the re-keying time interval can be lowered by the client unilaterally.

The client key is used to authorize the access to the system, not to encrypt the data channel, so that even if an adversary catches the client private key, the client traffic can’t be decrypted.

TorrentFreak Overview of VPN Services and Anonymity Policies

TorrentFreak published an interesting survey in which they asked various VPN providers about what, if any, logging of customers they do and what legal jurisdiction the companies operate in.

Not surprisingly, the worst for logging were StrongVPN and VyprVPN. I’ve used both in the past primarily because I wasn’t doing any file sharing while using the VPNs, but rather was using them to avoid being spied on locally over wireless and wired Ethernet.

That is still my primary goal with a VPN service, but it is also becoming more and more difficult to determine what is and is not illegal to do on the Internet, even in the United States.

Using the TorrentFreak overview as a starting point I looked over the various options and finally settled on AirVPN. AirVPN doesn’t maintain any logs, and is surprisingly cost-effective — I paid just $21 for a three month subscription.

AirVPN is OpenVPN-based, and the connection speed is generally good. The difference between something like AirVPN vs. StrongVPN — aside from the excessive logging of the latter — is the difference in server choices. StrongVPN had numerous servers I could choose from in the United States. AirVPN has just two.

Personally, though, I never had a need to switch servers while I was using StrongVPN. I’ve never seen the servers at AirVPN at capacity or had any problem connecting, so they’re keeping their capacity at an appropriate level which is all I care about.

Assuming the next couple months go as smoothly as October went, I’ll be going for the year’s subscription which cuts the cost to $6/month.