Which VPN provider and why?

Badger

I would first say, be wary of any provider on a forum, that's exactly how DM went down. A member offered VPN and everyone jumped on, assuming they were hidden only to find out later, it was a honeypot.

With your VPN choice, also list which country you prefer to use. Obviously the USA is a horrible option, as is the EU (due to the EU Data Retention Directive).

According to the directive, member states will have to store citizens' telecommunications data for six to 24 months stipulating a maximum time period. Under the directive the police and security agencies will be able to request access to details such as IP address and time of use of every email, phone call and text message sent or received. A permission to access the information will be granted only by a court.

That means no Germany, Netherlands, etc. Even if they do not "keep logs" of data, traffic or connection, it is possible through court order to force them to install a backdoor or sniffer onto the system for LEO to monitor usage of a particular account (especially if your DNS leaked and they caught your exit node). Even Ukraine (and the Netherlands again) now partners with the FBI to bring down cyber criminals: hxxps://www.fbi.gov/news/pressrel/press-releases/international-cooperation-disrupts-multi-country-cyber-theft-ring

Which country is best? Russia? Ukraine? Hong Kong?


Share your thoughts. Please don't just post "xyzvpn" without your reason or consideration. I will start a list with some GOOD/BAD VPNs for your convenience. As always, do your OWN research before using any service. Become familiar with PPTP vs OpenVPN, DNS leaks, proxy chains, RDP, shell, etc.



Good/Trustworthy===============================




Untrusted/Questionable===============================
NVPN - hxxp://nvpn.com
Usually called good service but look at TOS. Despite claiming they DO NOT KEEP LOGS, their TOS explains they can block you for multiple IP to same acct at same time. How do they know this? They MUST keep some form of connection logs!
* Sharing a login between people
* Simultaneous logins from multiple IP addresses

BLACKVPN - hxxp://blackvpn.com
We only log the following information:

The time of the connection and disconnection to our Services
The internal RFC1918 (https://tools.ietf.org/html/rfc1918) IP address assigned by us to a particular user at each time
Bandwidth utilization of each user
Email address

We will fiercely protect the privacy and rights of our users and we will not disclose any information on our users to anyone, unless forced to by law enforcement personnel that have produced the proper legal compliance documents.

All connection logs are anonymized on all servers. Your real IP is never logged anywhere.

HMA - hxxp://hidemyass.com
OBVIOUS REASONS
 

noptical101

best option is to buy a vps and run your own vpn through it

I agree... but sometimes you get banned from that too.
Also, using 1 VPN alone could be good or very bad (denial won't work in case of some police investigation).
 

turbobox

I also think it's important not to rely only on the anonymity of a VPN by itself.
But add some extra layer of security. Also use private socks, maybe set up a chain in Proxifier firewall.
Tor Browser, hacked RDP also work great.

And the worst VPN I heard of would be Hidemyass. (LulzSec Hacker Exposed by the Service He Thought Would Hide Him)
http://www.theatlanticwire.com/tech...osed-service-he-thought-would-hide-him/42895/
 

stampbaby

1. Only use VPNs that allow you to pay with LR.
2. Use socks during sign-up and download with VPN provider.
3. Use two VPNs:
connect to the first VPN using PPTP
connect to the second VPN using OpenVPN

Using this set-up is a great way for the second VPN (the IP that will be displayed online) to never know the origin of the original IP because it logs the PPTP IP when it connects.

It is crucial that the first VPN provider be located in a country that is not "usa" or "eu" friendly in case they keep logs. Even the ones that say they do not keep logs cannot be 100% trusted.

Any input on this set-up will be welcomed with open arms. Thanks guys.
 

p3rito

I have hacked SSHs, and tunnel traffic through PuTTY. I always connect to the hacked SSH with some bought VPN (I don't trust their service 100%).
So the way is:
IP -> VPN (not 100% trustable) -> Hacked SSH + Proxifier -> Internet
What about that?
 

Porter

NVPN - hxxp://nvpn.com
Usually called good service but look at TOS. Despite claiming they DO NOT KEEP LOGS, their TOS explains they can block you for multiple IP to same acct at same time. How do they know this? They MUST keep some form of connection logs!
Quote:
* Sharing a login between people
* Simultaneous logins from multiple IP addresses
So if my service provider doesn't allow multiple simultaneous connections to their servers, does this mean they are keeping logs? Or can it be that they are only seeing that someone is logged in, and if someone else logs in to the same account they end the connection? Please explain how this works.
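
Added example, not part of the original post and not any provider's code: a minimal sketch of how a server can refuse simultaneous logins from in-memory session state alone, which is the alternative raised in the question above. The class and method names are hypothetical, and it shows one possible design, not what NVPN or any other provider actually does.

```python
import hashlib
import hmac
import os


class SessionLimiter:
    """Per-account concurrency limit kept only in process memory (hypothetical design)."""

    def __init__(self, max_sessions=1):
        self.max_sessions = max_sessions
        self._key = os.urandom(32)  # random per process, gone on restart
        self._live = {}             # account -> set of source tags, live sessions only

    def _tag(self, source_ip):
        # Keyed hash instead of the raw address. This is pseudonymous, not
        # anonymous: the running process can still test a candidate address.
        return hmac.new(self._key, source_ip.encode(), hashlib.sha256).hexdigest()

    def connect(self, account, source_ip):
        """Return True if the session is admitted, False if over the limit."""
        tag = self._tag(source_ip)
        tags = self._live.get(account, set())
        if tag not in tags and len(tags) >= self.max_sessions:
            return False
        self._live.setdefault(account, set()).add(tag)
        return True

    def disconnect(self, account, source_ip):
        """Forget the session; nothing about it survives this call."""
        tags = self._live.get(account)
        if tags is None:
            return
        tags.discard(self._tag(source_ip))
        if not tags:
            del self._live[account]

    def retained(self):
        """What the server holds right now: account -> number of live sessions."""
        return {account: len(tags) for account, tags in self._live.items()}


def demo():
    # Constructed events using documentation address ranges (RFC 5737).
    lim = SessionLimiter(max_sessions=1)
    results = [lim.connect("acct-1", "198.51.100.7"),   # first login admitted
               lim.connect("acct-1", "203.0.113.9")]    # second source refused
    lim.disconnect("acct-1", "198.51.100.7")
    results.append(lim.retained())                       # {} once the session ends
    return results
```

Enforcing the limit needs state about sessions that are live at that moment; whether anything is also written to persistent storage is a separate design decision that the limit itself does not reveal.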
 

Haha63011

What about signing up to a VPN service with a sock on an open Wi-Fi... Interested, post more.
 

allenlin

1. Only use VPNs that allow you to pay with LR.
2. Use socks during sign-up and download with VPN provider.
3. Use two VPNs:
connect to the first VPN using PPTP
connect to the second VPN using OpenVPN

Using this set-up is a great way for the second VPN (the IP that will be displayed online) to never know the origin of the original IP because it logs the PPTP IP when it connects.

It is crucial that the first VPN provider be located in a country that is not "usa" or "eu" friendly in case they keep logs. Even the ones that say they do not keep logs cannot be 100% trusted.

Any input on this set-up will be welcomed with open arms. Thanks guys.

Did anyone manage to set up like this? I connect via PPTP but no traffic is going through (no internet access). Any tips?
 

Veeker

What about CyberGhost? They say they don't keep logs at all.
 

G00DFELLA

Any comments on PrivateInternetAccess?
 

p3rito

Any comments on PrivateInternetAccess?
I was using this service some time ago. But there were 2 things that I didn't like:
1 - they are a UK company, everybody knows UK is a big brother shit.
2 - they don't use the OpenVPN client, but their own additional client...

Anyway, my conclusion is: don't put your face as a big shot onto the internet (getting vendor in forums, hacking big companies, etc., etc., etc.) using only VPN services. You need something else, maybe connect through a SIM card without your real name/address, or make more tunnels than the VPN only... And for 'normal users' like us, try to change your VPN service every 3 or 6 months...
 

Carding

We check 7 popular VPN providers for privacy



First, let's define the criteria that we will look at. I suggest making such demands.
  • SSL certification of domains. If there are problems with it, then MITM attacks are possible.
  • No substitutions in the license agreement. A provider that sees user privacy as a big deal should not try to force you to agree to anything.
  • Support for strong encryption and modern protocols. In some countries, standard connection types such as PPTP, L2TP IKEv1, OpenVPN UDP, and others are successfully blocked using DPI equipment. A self-respecting provider must provide workarounds. As for encryption, everything is individual here. I will only note that the PPTP protocol used in conjunction with MS-CHAP was hacked in 2012. Since then, anyone who pays $17 has the ability to decrypt the traffic.

CyberGhost VPN
CyberGhostVPN is a German-Romanian service that has been operating since 2007. Few people stay afloat that long. This service offers three types of connectivity: L2TP, OpenVPN, and IPSec.

There are no ways to bypass these restrictions. There is only the possibility of connecting via TCP on port 443 when using OpenVPN, which is already inefficient in countries with DPI. The SSL certificate for the resource was issued by Comodo and is valid until 23.02.2019.

Two years ago, CyberGhost was at the center of a scandal. One of the updates to its client installed a root SSL certificate on the users' machines. What's wrong with that? The fact is that when you establish an HTTPS connection, your data is protected by the SSL/TLS protocol, which is confirmed by a special certificate issued by an authorized company. The browser checks the list of OS certificates and, if everything matches, allows you to log in to the site. The CyberGhost update added its certificate to this list, which opened up the possibility of a man-in-the-middle attack.

The company was quick to issue a rebuttal, but later another problem was revealed: the proprietary Windows client logs the computer's system data, such as the name of the video chip, processor model, and user name. What can I say? My reputation is ruined.

As for the Privacy Policy, everything is very interesting here. In an article from their knowledge base, the server management clearly and without antics states that logs are not being kept. However, looking at the "privacy policy" gave me some questions.


The "anonymization" of IP is hard to believe, and the rest does not cause warm feelings. Any data collection contradicts the answer in the knowledge base, where it is stated that there are no logs.

NordVPN
NordVPN is a rapidly growing service registered in Lithuania. It has been operating since 2013. In the column "Our partners" it was previously indicated that the office received a CCNP certificate from CISCO, but then this information disappeared from the site.


CISCO certificate from the web archive.

Why did the certificate information disappear from the site? How did you manage to get this certificate without any merit? There are no answers, and they were clearly removed for a reason.

Problems were also found in the "Privacy policy". One point says that logs are not kept at all, the other tells us that the service has the right to store a limited amount (how much?) of personal information for two years.


The site claims that the server pool consists of 5,178 units located in 62 countries. Connection methods used: OpenVPN, L2TP, and IPSec. A nice bonus is the ability to bypass DPI via stunnel.

With NordVPN, everything would be fine, if not for the history with the CISCO certificate and the license agreement, which allows service owners to collect information, but does not specify what exactly.

But there is another interesting point. Two Reddit users undertook an independent study, according to which NordVPN belongs to the well-known datamining company TesoNet.

It seems that this is what allows the service to spend half a million dollars a month (just think about this figure!) to buy reviews and ads for its product. So, according to the site adweek.com, NordVPN spent $497,000 on advertising in February 2018 alone. Where does this money come from? I think the answer is obvious.

It turns out that using this service is extremely dangerous: instead of anonymity, you can provide detailed logs for datamining. And finally, one more unpleasant story. In an advertising rush, NordVPN employees increased the rating of fake reviews on the site trustpilot.com. This fact was confirmed by the resource administration.


Private Internet Access
Private Internet Access is a well-known VPN service among foreign pentesters. Among its analogues, it stands out for its detailed encryption settings (you can change the connection port, encryption type, and key), the presence of built-in DPI bypass methods, as well as its own SOCKS5 proxy and SSH tunnel. In a word, at least now give a medal, but alas…

First, web.archive.org doesn't know anything about the time of this service's existence or about older versions of the site. It seems that the administration has asked to remove them, and this is a worrying sign.

I was able to find out that this provider is located in the United States, and also belongs to a certain pseudo-conglomerate, whose area of activity ranges from VPNs to boutiques.

Yes, Private Internet Access has the ability to encrypt with a 4096-bit key. Yes, it calmly puts DPI on the shoulder blades, but what is the point if at the first call of Uncle Sam all the data will be in the hands of the authorities?


Let's try to search for information about the host company, London Trust Media. My search quickly led me to an article stating that Mark Karpeles was appointed Executive Director of this company, with the full connivance of which the Japanese crypto exchange Mt.Gox was robbed. I have no confidence in this comrade and cannot have any.

HideME VPN
HideME is the most well-known VPN service in Runet. It has been operating since 2007. You can only log in if you have a digital code that Google can easily find on thematic forums.

One of the types of connection to HideME VPN is PPTP, which in itself is not good: the protocol is vulnerable. In addition, in 2016, at the request of the Russian authorities, HideME disabled the anonymizer for Russian users. We could leave it at that, but I suggest you take a closer look at the privacy policy.

Yes, they may have refused to register, but keys that are absolutely not hashed can be picked up in three days with proper skill. In addition, pay attention to the first paragraph, as well as how the RCN request was processed. Using this service for anything other than accessing Spotify should be avoided at all costs.

Hide My Ass! VPN
Hide My Ass is one of the most famous providers in the world. It belongs to Avast. Many people will be put off immediately, but we will continue to study. The service has existed as an anonymizer since 2005, and the VPN function appeared in 2009. The great difference between Hide My Ass and all the providers reviewed is the huge number of output countries. However, unfortunately, there is nothing to be happy about.

In 2011, this provider turned over to the US authorities one of the members of the LulzSec group, Cody Andrew Kretsinger. Moreover, the administrators also wrote a long post in their defense. The issue of logs was allegedly justified. But this person could have been any journalist or human rights activist in a totalitarian country.


The conclusion suggests itself: Hide My Ass will at any time give out the very thing that it promised to hide safely, and therefore it is not suitable for serious applications.

PureVPN
PureVPN is another popular provider created in 2008-2009. Standard set of protocols: OpenVPN, L2TP, and IPSec. PureVPN became famous for turning over annoying cyberstalker Andrew Lin to the authorities (we wrote about this story). From the point of view of morality, you can treat this story as you like, but the fact is obvious: the logs are stored.

VyprVPN
VyprVPN became active in 2010. Registered in Switzerland. It has a standard set of protocols: OpenVPN (AES-256), IPSec, and L2TP. I am glad to have a crawl through stunnel, which marketers proudly call Chameleon - let's leave this on their conscience.

We are also interested in the license agreement, which is quite sufficient for conclusions.


The input (real) IP address is stored for thirty days, and that says it all.

Conclusion
It turns out that none of the popular VPN services we studied passed even a basic check without applying a technical audit. For me personally, this means that there is no faith in such providers and there cannot be. Therefore, I advise anyone who is concerned about anonymity and privacy to still study the documentation and raise your OpenVPN server. And to bypass DPI, you can add tunnel yourself.
 