kennwhite/vpn_psk_bingo.md

@PacketSmuggler: Well, despite I have nothing against Cryptostorm. They can still "log" you: you are still connecting to their servers with your IP address and your traffic is still routed through their servers.

@schutzsmith TunnelBear provides OVPN config files. While they don't appear to be distributing a light PSK, they are distributing a non-user-unique private key. You can take a look at that here: https://s3.amazonaws.com/tunnelbear/linux/openvpn.zip

This piece makes some very harsh yet vague accusations about the lack of security in VPN services in general. Reading between the lines, as well as through the comment section, I get the sense that the level of security depends largely on what software and protocols are used and to what degree you trust the service provider. But this still leaves the possibility that some VPN services, properly configured, can provide a reasonable level of privacy for online activity, assuming you're not being individually targeted by a sophisticated adversary.

The author's comments and background also suggest he is more on the side of content owners than end users in the ongoing battle between Draconian copyright laws and fair use. This is especially striking in his endorsement of US-based VPN providers over foreign-based ones, considering this goes against prevailing wisdom in security and privacy circles. Given this bias, I would take his recommendations with a large grain of salt.

@PacketSmuggler
I don't think your list gives a very good picture about how trusty a VPN is. There are VPNs where you can subscribe without any data, and even pay with bitcoins. If you use your VPN for all your data traffic a bad willing VPN could snoop it all, just like uour ISP could and does. You pay and trust a VPN to provide you security on the web. Therefore there methods and reputation are your main concerns, like if for example are there any examples of them getting hacked or lawsuits where they refuse to give bad guy data info to FBI, which indicates that they protect their customers data.
The only type of threat model i can imagine in which you are really concerned about the points you mentioned would be when you use a VPN for one very specific task and make sure you don't sent any data over the VPN connection that could tell anything about you, like login to your email. And if that would be the case you are that paranoid or your threat model is that significant that you would use more secure channels like tor and/or built your own VPN server.
So my conclusion is that your points are mainly related to ways to make their VPN service looks badass, but thats it.

@kenkeiter Interesting find on Tunnelbear; Is there any documentation online illustrating how a non-user-unique private key could be used by an attacker?

Perhaps would be nice to mention those providing a per-user PSK. No link with them, just try a lot of them to waste my time :o)

VPN Unlimited - 20 alpha-numeric characters.

Lastly, a VPN Hall of Shame honorary mention goes to DoubleHop.me* on general principle for blatant sexism and utter insincerity. Their privacy/legal policy section includes LGBT slurs and literally has your-mom jokes.

lol, is that a priority for you? Or is this some PC rant you had to thrown in there? Grow up.

As far as those commercial VPNs are concerned, I'm not trying to hide from the NSA or am that paranoid. Hiding from Comcast or any ISP will do just fine, thank-you-very-much.

Besides, using something like Tor will only attract attention from the NSA since they figure that just by you using it, you have something illegal to hide from anyway. They now have you in their sights.

Besides, using something like Tor will only attract attention from the NSA since they figure that just by you using it, you have something illegal to hide from anyway. They now have you in their sights.

The NSA, by that logic, is also scrutinizing the U.S. military since it's a major user of TOR. And yes, the NSA does do that, admittedly or not. It's the CIA's hacking team that now really needs to be considered, however, since it's budget is larger than that of the NSA's in its entirety. It's also completely unbound by even what little law still applies to to the NSA's activities. Or what little law supposedly still restricts it in any way, which is likely none. Still, likely none is possibly more than definitively none.

@gwt10 "Grow up" LOL how ironic

@PacketSmuggler:

The only Zero Customer Knowledge VPN provider in operation is Cryptostorm.

Mullvad also doesn't require any identifiable information or email, and accepts Bitcoin.

Hi Kenn,

The URL for Streisand has changed, is now https://github.com/StreisandEffect/streisand.

Cheers.

nothing is absolutely anonymous on the web, in china, using a good vpn probably is the most efficient way to access websites blocked by cn gov, these are the good VPNs which work effectively in china.

Just say: “Hi Kenn, are you aware of Sentinel VPN yet? -
https://Sentinel.co | Medium.com/Sentinel | @Sentinel_Co”

Mike Kuketz found that NordVPN app for Android sends your email address plus the Google Advertising ID to the third party Iterable Inc. during the registration process.
Exodus Privacy confirms that the app contains several wide-spread trackers.

https://www.kuketz-blog.de/android-nordvpn-uebermittelt-e-mail-adresse-an-tracking-anbieter/
https://reports.exodus-privacy.eu.org/en/reports/55961/

Lastly, a VPN Hall of Shame honorary mention goes to DoubleHop.me* on general principle for blatant sexism and utter insincerity. Their privacy/legal policy section includes LGBT slurs and literally has your-mom jokes.

Do you have a source for that? I don't find it on their website.

Yes. It's literally in the sources listed.

they are actively placing a significant portion of their user base (particularly those with older Androids and desktops) at risk by not using per-user PSKs.

Do you mind explaining how that puts users at risk, or link to a page that explains that?

@kennwhite Can you comment on Cyberghost VPN? I've been using it for few years now and it worked well for me and so far I haven't found anybody putting them in the spotlight for something. It was the case for the very famous NordVPN too.. up to now. So now I'm curious about your opinion on Cyberghost.
Thanks!

This strikes me as rather exaggerated. It's not great that some of these VPN services are providing instructions for using a known IPSec PSK in some cases but I'm going to hazard a guess that the majority of VPN customers are using the native app from their service provider, not following those instructions. In NordVPN's case at least, the Windows app is a wrapper around OpenVPN and the Linux client has Wireguard support, so the IPSec PSK isn't relevant. And even in the worst case where someone's using L2TP/IPSec with a known PSK, it's still better than nothing because IPSec provides forward secrecy if you're not being actively MITM'd. As for no-logs policies, I wouldn't necessarily trust them but "possibly logs" is still better than your ISP which "definitely logs."

It seems that PIA does specifically note that if you're in a particularly sensitive position you shouldn't use L2TP or older protocols. They say that you should default to OpenVPN if possible, On my desktop (PIA v2.2 on the latest Win10), the only available protocol options are OpenVPN and a beta version of Wireguard.

Hello,

Can you provide insight into perfect-privacy? I remember using them long, long before VPNs were thought of something for consumer use.

I also knew back then it was the preferred VPN by fraudsters. There are news articles about one there server locations being raided and them unable to find logs.

Thanks!

Doublehop SCAM stole my money and blocked me.

22 Nov: I bought a yearly subscription for $33. I made a payment of 0.00176325 BTC to 18ZcmBksf9GEVxfABYUXUp39oryF7CJkHG for Order ID: 17uGMc. The order did not process.

I sent an e-mail to them. I sent them a WhatsApp message. They said they'd process my order by the weekend.

25 Nov: I pinged them back. They blocked me on WhatsApp.

Scammers took my money and ran away. DO NOT BUY FROM THESE PEOPLE.

I know this list might be old stuff already (?), but what about these ones, anything?

AzireVPN
IVPN
Surfshark

I have been focusing on reviewing the VPN connection speed, it's surprising to read about the pre-shared key issues. I am wondering how to verify is it still a issue in 2022 as this gist was reported in 2016. Now most VPN provider advertise their Wireguard VPN mode. Will this implicitly resolve the disclosed pre-share key issue?

Many countries do not allow the use of VPNs, and it has to be said that the security of VPNs is an issue that many companies should consider.

some VPNs sell your data connection to other customers.

The best VPN recommendations

Thanks, kennwhite, for the heads-up on VPNs! It’s scary that some well-known ones aren’t safe. I’ll look into Algo, Streisand, and Signal. It’s important for us to pick the right one, especially considering using VPN in places like China. And, wow, DoubleHop.me really needs to check their behavior! We all need to pick services that are honest and respect all users.

Thank you for sharing. I believe these free VPNs are the most reliable options.

What's your take on 12VPX?