> The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the datacenter provider, which NordVPN said it was unaware that such a system existed.
This screams for clarification and I'd love for someone more knowledgeable in the area to elaborate on it. Is this common practice for data-center providers? Do I now not only have to worry about my own infrastructure security but also worry that my IaaS provider hasn't installed some backdoor to my servers?
I work for a web hosting company in the US and at least in our case, it's quite common for remote management to be enabled on pretty much all of our dedicated hardware. However, because of the inherent dangers in opening this up to the public internet, unless explicitly requested by the customer (or Managed Colocation), the NIC used for Dell iDRAC or HP iLO is on an isolated network unique to the physical datacenter. Remote access for our techs is managed through a secured bridge that requires all sorts of security hoops on our company intranet, and remote access for general internet traffic is not available due to the firewall restrictions. While it's plausible for remote access to be gained this way, it is extremely unlikely and would require several exploits at different points along the path.
I cannot speak for the industry as a whole, but remote management systems like this are bound to be common; any large enough physical datacenter is going to need a more efficient way to access a misbehaving system than sending a tech physically running to the box to plug in a keyboard and mouse. It should be extremely uncommon to have these management interfaces open to the public though, and I'll bet that's what NordVPN is surprised by. Generally these systems should be private and isolated due to the power that an attacker can wield through them.
IPMI does not have to be open to the internet to be open to a wide audience. Many of these out of band management interfaces are hosted on an internal network, but not isolated by customer.
Cheap datacenters are favored by VPN providers for their unlimited bandwidth and lax abuse policies.
Many of them allow access to IPMI only over a VPN, but do not isolate each customer’s IPMI to a customer VLAN. I personally know at least three large budget datacenters which allow all customers access to each others’ “private” IPMI IP addresses.
Generally speaking, there are four tiers of "public" data centers on the market, ranging from essentially a big room with some alright AC and a line out, to huge, highly secure (cameras, fingerprint readers, SSAE certifications, etc.) buildings with redundant power and HVAC systems.
The higher end ones are usually newer-ish, but there are a lot of older "computer rooms" that offer acceptable-level benefits for a reasonable price. Lots of legacy customers and ISPs in these rooms, for the record. You get what you pay for, but a lot of older DC spaces are just fine for most users; everyone thinks they need 99.999 but most don't.
There are also re-sellers and managed services companies who take out a footprint in data centers and then lease space in their cabs, sell bandwidth, IPs, etc. Using a series of resellers you can often get around restrictions as to what you're doing -- small fry MSPs don't ask a lot of questions -- but still get a data center footprint. These are sometimes one-man shows, and their quality and professionalism are often sub-par, which is how you end up with default iDRAC creds and the like.
Check out Data Center Maps or WebHostingTalk for some examples.
Source: data center ops manager for several different companies.
Maybe it wasn't open to the public Internet, but the VPN exit is inside the datacenter and connects out to the public Internet. Is it feasible that NordVPN provided their customers with a secure tunnel into their own datacenter's management software?
User root, password calvin. That's the default. And, if I had a dime for every time I've seen one of these in a data center, I'd be a rich man. I have literally begged sys admins to change the default password, but they say, "Why... we're behind a firewall using RFC 1918 addresses. No one can get to these." The rest, as they say, is history.
This is the dumbest thing I've ever seen... unless your firewall is between your host versus every other host and there's no multi-tenancy, this will suck.
In well maintained networks the management interface (IDRAC, etc.) for each server is placed on a separate VLAN which the servers cannot access. This isn't to say that cheap providers actually do this, or that the VLAN can't be accessed by a compromised technician's workstation/laptop.
Yes, this kind of firewall is always supposed to be between the management hosts and everything else. Only the sysadmins at the data center and a very limited set of applications are supposed to be able to access it. The very real risk is misconfiguration.
Depends on what kind. In the case of iDRAC, yes; but it's weird that it was insecure by default in the first place. Usually credentials are configured and provided to the customer. Makes me think there might have been some other interface. Clarification is definitely needed.
There were many IPMI/iDRAC/etc. exploits published in the past few years. Throw a dart at a list of them, and you'll probably find one that was unpatched in most systems as of March 2018.
If you can reboot it without anyone noticing? Really, really easily: iDRAC gives you access to the local console, like a remote KVM. Reboot into single user mode, change a password, done.
Oh, IPMI and friends are a total mess. Some implementations allow one to take control of a running server remotely, especially if they use a shared ethernet for management (popular in Supermicros). I once had our security geek demonstrate it by taking over the running server, rebooting it using a network-emulated USB stick, adding a file into /etc and rebooting the server again.
In secure environments one pulls the IPMI module from the server or only uses the modules that have their own dedicated NICs that have to be wired to their own management network.
The first time I booted a server using a virtual CD-ROM (iso on my laptop shows up as a hardware CD-ROM on the server) over IPMI I was simultaneously relieved (because I could fix the machine remotely) and absolutely totally horrified.
iDRAC is a full onboard whitehat rootkit manufactured and supported by Dell. It runs independently of any OS and has control over the system. It is intended to be a substitute for physical access.
In certain configurations, iDRAC gives you an rdp connection. If idrac is left at default, windows admin login not being changed isn't too much of a stretch.
It doesn't make much sense to me. Even with iDRAC or some other console access you don't really have access to the OS unless you reboot and go to single user mode, etc., at which point they should be noticing their servers rebooting. Would love more info.
Just set up your code as a boot-once config and wait for the owner to reboot their machine. Make your code end by booting the installed OS (or even by just rebooting again, most people will just curse about the damn slow server boot process).
You can't do that, as you don't have any access until it's being rebooted. It's basically like you're standing in front of the machine, so there's not really much you can do when you're just looking at a login prompt; you have to be able to stop GRUB from just booting with the default options and instead boot up using init=/bin/bash, or maybe, if the server supports iPXE, you can just chain load some payload off the internet.
You can manipulate boot settings using BMC commands. No need to mess with Grub or the running system. Instead, tell the system to boot up from an emulated USB drive (image can be attached from some remote server, often including your web browser).
Now wait for the machine to get rebooted (or do it yourself using the BMC, e.g. 'racadm serveraction powercycle' for Dell/iDRAC machines).
Even SecureBoot won't help as you can just turn it off using the BMC.
See here for a bunch of examples for Dell machines using the BMC's HTTP API:
When someone gets notified by their monitoring system that a server was unavailable (because it rebooted), they might investigate and see that the IPMI logs don't mention power loss.
Power failure would require both of the power feeds in the DC failing simultaneously and would be easily verified by contacting the DC and asking if they had any power outages reported at the time. Of course there are cheapskates who don't go for redundant power supplies, so it's possible, but it would be indicated in the IPMI logs.
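The check the two comments above describe (a reboot shows up in monitoring, then the IPMI log is inspected for a power-loss record that would explain it), together with the BMC-driven power cycle described a few comments earlier, lends itself to a small audit. The following Python is an added example, not code from the thread: it parses `ipmitool sel list` output and flags power-off or hard-reset events that no "AC lost" record precedes within a window. The SEL lines are constructed sample data in ipmitool's text format, and the five-minute correlation window is an assumption; sensor and event strings follow ipmitool's System Event Log naming.

```python
"""Flag SEL power events that a utility outage does not explain.

Added example (not from the thread). Input is the text printed by
`ipmitool sel list`:  record | date | time | sensor | event | direction
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample SEL: a clean power-up (1-2), a power cycle with no
# AC-loss record beforehand (3-5), and a real outage where "AC lost" is
# logged before the power-off (6-9).
SAMPLE_SEL = """\
   1 | 03/01/2018 | 09:00:05 | System Boot Initiated #0x02 | Initiated by power up | Asserted
   2 | 03/01/2018 | 09:00:40 | OS Boot #0x03 | C: boot completed | Asserted
   3 | 03/15/2018 | 04:12:33 | Power Unit #0x01 | Power off/down | Asserted
   4 | 03/15/2018 | 04:12:41 | Power Unit #0x01 | Power off/down | Deasserted
   5 | 03/15/2018 | 04:13:02 | System Boot Initiated #0x02 | Initiated by power up | Asserted
   6 | 03/22/2018 | 18:30:00 | Power Unit #0x01 | AC lost | Asserted
   7 | 03/22/2018 | 18:30:01 | Power Unit #0x01 | Power off/down | Asserted
   8 | 03/22/2018 | 18:35:10 | Power Unit #0x01 | AC lost | Deasserted
   9 | 03/22/2018 | 18:35:30 | System Boot Initiated #0x02 | Initiated by power up | Asserted
"""


@dataclass
class SelEvent:
    record: int
    when: datetime
    sensor: str
    event: str
    asserted: bool


def parse_sel(text):
    """Parse ipmitool's pipe-separated SEL listing into SelEvent objects."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) < 6:
            continue  # blank line or something ipmitool could not decode
        rec, date, clock, sensor, event, direction = parts[:6]
        when = datetime.strptime(f"{date} {clock}", "%m/%d/%Y %H:%M:%S")
        events.append(SelEvent(int(rec), when, sensor, event, direction == "Asserted"))
    return events


def unexplained_power_events(events, window=timedelta(minutes=5)):
    """Return power-off and hard-reset events with no 'AC lost' assertion
    in the preceding `window`.  A BMC-issued power cycle (racadm, ipmitool
    chassis power ...) produces exactly this pattern; a dual-feed outage
    does not.  OS-initiated resets (kernel panic reboots) are left alone."""
    ac_lost = [e.when for e in events
               if e.sensor.startswith("Power Unit") and e.event == "AC lost" and e.asserted]
    suspicious = []
    for e in events:
        power_off = (e.sensor.startswith("Power Unit")
                     and e.event == "Power off/down" and e.asserted)
        hard_reset = (e.sensor.startswith("System Boot Initiated")
                      and e.event == "Initiated by hard reset")
        if not (power_off or hard_reset):
            continue
        if not any(e.when - window <= t <= e.when for t in ac_lost):
            suspicious.append(e)
    return suspicious


if __name__ == "__main__":
    for e in unexplained_power_events(parse_sel(SAMPLE_SEL)):
        print(f"record {e.record} at {e.when}: {e.event} with no prior AC loss")
```

Run it against `ipmitool -I lanplus -H <bmc> -U <user> sel list` output saved to a file; a hit is a reason to call the DC about outages at that timestamp, and to pull the BMC's own user and session logs, before assuming it was "just a flaky kernel".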
Servers can reboot for any reason. There are tons of kernel issues, especially since Meltdown & Spectre, that cause machine reboots in Linux especially on high traffic machines.
I've worked in production environments with thousands of machines and random reboots are a completely normal event for some workloads. Combination of hardware issues & kernel issues with hundreds of thousands of lines of code makes it inevitable. I would be surprised if NordVPN even noticed and their architecture wasn't designed to automatically start everything at boot.
You can't be perfect at scale - you just need to design your work loads to be redundant and fault tolerant.
It opens an exploit chain, in a normal circumstance you are correct. In a malicious circumstance, it is always feasible irrespective of the likelihood.
> "All servers we provide have the iLO or iDRAC remote access tool, and as a matter of fact this remote access tool has security problems from time to time, as almost all software in the world. We patched this tool as new firmware was released from HP or Dell.
> "We have many clients, and some large VPN service providers among them, who take care of their security very strongly. They pay more attention to this than NordVPN, and ask us to put iLO or iDRAC remote-access tool inside private networks or shut down access to this tool until they need it. We bring [iLO or iDRAC] ports up when we get requests from clients, and shut them down when they are done using this tools. NordVPN seems it did not pay more attention to security by themselves, and somehow try to put this on our shoulders."
Of course you have to worry about all of that! When you don't self host you have to assume whoever you are renting from hires the lowest paid employees they can get to manage infrastructure for you. That's how they get profitable. You are not outsourcing expertise.
Yes, network KVMs are expected of any co-location center. You want to be able to access the console and the power switches of any real physical server without having to send someone out to the center, which is a common feature of most high end data centers.
Even a lot of VM/cloud systems have some kind of virtual management console (Linode has their LISH system that lets you SSH in to console and Vultr/Digital Ocean have similar web based consoles .. AWS surprisingly doesn't. You can get console output but can't send VMs any console input).
Not only should NordVPN have been aware of this hardware KVM, they should have secured it and had version checks on its firmware as an essential part of their security. I could see this oversight with other companies, but not with one whose primary business claims to be security.
> Yes, network KVMs are expected of any co-location center. You want to be able to access the console and the power switches of any real physical server without having to send someone out to the center, which is a common feature of most high end data centers.
Power on/off should be done via APIs that issue commands to a PDU, like Atlantic.net started doing in the early 2000s.
And there's nearly zero reason to access "console" -- configure your server to always boot off PXE and fall through to disk if that intercept is not needed.
Yes, software that runs on the instance can learn instance metadata. No, that is not a problem. Running e.g. user-supplied scripts on the instance would be "pretty damn dumb", but no one is that dumb. Any widely distributed software that did something shady with instance metadata would get busted PDQ. Just like any widely distributed software that did something shady with e.g. root credentials, which is about the same threat scenario.
It's crappy design which bypasses important security mechanisms of the OS (lower privileged users) by allowing every application with network access to access such critical functionality. One sane approach would be passing this information to the OS through the hypervisor which then exposes it as a properly ACLed file system.
This is like an author of a website vulnerable to CSRF (because it relies on IP for auth) blaming browsers for allowing cross site requests instead of requiring proper authentication. Except that Amazon is powerful enough to get away with pushing all the effort onto developers and admins.
You can use iptables to limit metadata access to certain users but that takes effort so no-one does it.
I guess a machine-local service that takes ownership of the metadata service and implements additional restrictions (such as limiting access keys to privileged users) might be doable.
Yes, in some situations it will take effort to not allow network access to untrusted software and/or users. For those situations, EC2 is not a good fit.
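The iptables approach mentioned a few comments up (restricting the instance metadata endpoint to particular local users with the owner match) is short enough to show, along with the check that the rules are actually in place. The Python below is an added example, not code from the thread or from AWS: it emits the rules for a given set of UIDs and audits an `iptables-save` dump to decide whether a UID can still reach 169.254.169.254. The two dumps are constructed samples; the assumptions are the classic IMDS address, an iptables (not nftables-only) host, and single-UID `--uid-owner` values rather than ranges.

```python
"""Restrict and audit access to the EC2 instance metadata service (IMDS).

Added example (not from the thread or AWS).  The owner match works only in
the OUTPUT chain, since it needs the socket owner of locally generated packets.
"""
import re

IMDS = "169.254.169.254"


def imds_rules(allowed_uids):
    """iptables commands that let only `allowed_uids` reach IMDS.
    Rules are evaluated in order: explicit ACCEPTs first, then a catch-all
    REJECT so every other UID gets an immediate error instead of a timeout."""
    cmds = [f"iptables -A OUTPUT -d {IMDS}/32 -m owner --uid-owner {uid} -j ACCEPT"
            for uid in allowed_uids]
    cmds.append(f"iptables -A OUTPUT -d {IMDS}/32 -j REJECT --reject-with icmp-port-unreachable")
    return cmds


# iptables-save line shape: -A OUTPUT -d 169.254.169.254/32 [-m owner --uid-owner N] -j TARGET
RULE_RE = re.compile(r"^-A OUTPUT\b.*\s-d\s+169\.254\.169\.254(?:/32)?\s.*-j\s+(\w+)")
UID_RE = re.compile(r"--uid-owner\s+(\d+)")


def imds_reachable_by(iptables_save_text, uid):
    """Walk OUTPUT rules aimed at IMDS in order (first match wins).  A rule
    with --uid-owner applies only to that UID.  With no matching rule the
    chain policy decides, and OUTPUT is ACCEPT on a stock host, i.e. reachable."""
    for line in iptables_save_text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        owner = UID_RE.search(line)
        if owner and int(owner.group(1)) != uid:
            continue  # rule scoped to a different uid
        return m.group(1) == "ACCEPT"
    return True


# Constructed sample: the default ruleset, where any process can read IMDS.
WEAK_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed sample: the same host after applying imds_rules([0]).
HARDENED_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 169.254.169.254/32 -m owner --uid-owner 0 -j ACCEPT
-A OUTPUT -d 169.254.169.254/32 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

if __name__ == "__main__":
    print("\n".join(imds_rules([0])))
    for uid in (0, 1000):
        print(f"uid {uid}: weak={imds_reachable_by(WEAK_DUMP, uid)} "
              f"hardened={imds_reachable_by(HARDENED_DUMP, uid)}")
```

The audit side is the part worth keeping around: run `iptables-save` on a fleet and feed the output to `imds_reachable_by(..., 1000)` to find hosts where an unprivileged service can still fetch the instance role's credentials. On current AWS, requiring IMDSv2 (session tokens, hop limit) is the complementary control on the provider side; this host-side rule is what the comment above was suggesting for the interface as it existed then.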
How is it “obviously” the right policy? If implemented, console input would presumably be part of the AWS API, guarded with IAM permissions like everything else. If you have full IAM permissions, you can already take over any instance by temporarily attaching its disk to a different instance and modifying the data from there. (That requires rebooting, but so would takeover via console input.) Indeed, I’ve had to do exactly that on multiple occasions to fix broken config files on my personal instance; it would have been much more convenient to have console input.
FreeBSD has an interactive kernel debugger that you can use with a serial console. Super useful to track down some things, not usable on AWS -- you'd need to (somehow) do a core dump and hope you can figure it out from there.
If they're going with a bottom-dollar host, it's possible that the out-of-band server management tools were exposed. It's less likely to be a software backdoor, and more likely to be Supermicro IPMI or other baseboard management controller.
I know that public cloud providers like Rackspace and Azure insert their own accounts and services into cloud servers and VMs mostly under the guise of being able to support said servers and monitor them and their health.
True data centers where you own the hardware shouldn't... they give you an ethernet cord and everything is on you.
Very few people go to "true data centers". Those are very expensive because you are buying power, space, cooling and cross connects. Racking machines, replacing hard drives, building a PXE-boot infrastructure, building a remote access infrastructure that bypasses the customer facing network is expensive and time consuming.
Full Disk Encryption is an option, but that'll entail needing to use the IPMI console to enter the password at every reboot, essentially turning it into a manual operation.
However, if the attacker gains RCE many IPMI implementations theoretically allow for DMA, but this is a significantly more complex attack to mount in practice with no public PoCs available.
On Supermicro hardware and maybe others, IPMI has a very dangerous default setting: if you're not connecting the dedicated IPMI port to a network (typically some closed network dedicated to management), it will use the first ethernet NIC on the motherboard (sharing it with the host), possibly making it accessible through the internet (with default, insecure credentials adding insult to injury) or at least neighbouring machines.
Leaving default creds on IPMI/iLO is not uncommon; some providers don't allow internet access, you have to log in on the web console and use a Java applet to access it, iirc. I can't imagine a well reputed provider exposing IPMI to the internet, but the nature of their business means they have to diversify server and network providers.
Not sure if it is still the case, but a while ago it was standard on OVH servers for them to put some public keys in their root-like user's authorized_keys. I think they used that to perform tasks requested from the web management system.
Most (not all) servers have out-of-band management; of which IPMI is just one of many such solutions.
It's also worth noting that the hack could have been against in-band management if Nord used an OS image provided by the DC hosts. However OOB feels more likely given their description (as vague as it was).
Typically data centers have compliance requirements like SSAE 16, which specifies controls around physical access. Most any major retail data center would have that certification and others.
One presumes that because of NordVPN's business, they're colocating a server or two in very many "POPs", presumably not all of them with tight controls on physical access. It's likely that there are none available in many areas where they seek to maintain a point of presence.
To the person / people down voting, can you share your ideas for how you can go about providing at-scale management of large estates of physical machines? I've never seen anything else that's both as practical and as affordable as IPMI / IDRAC / ILO systems that ship with servers, that doesn't introduce weird new failure conditions that can impact significantly more than a single host.
If you care less about the pseudo-anonymous-but-not-really shared-IP aspect of using a VPN, and care more about the this-lan-is-sketchy use case, I have had good experiences with Algo [0]. You can just paste in an API key and spin up your own VPN on something like DigitalOcean. And it uses WireGuard!
You choose the business model to trust. VPNs serve customers who pay to be private. That seems like a high value target. ISPs serve connectivity, but apparently in the US, spying on their users is part of their core business and they have strong local monopolies. Due to fierce competition and trust being pretty much one of the business requirements (I'd expect a lot more due diligence in b2b), hosting providers seem like the least big evil to me.
Whether it grants you any significant anonymity is debatable, but it works well for evading content filters and tunneling your traffic onto a more trustworthy network.
I use sshuttle all the time when working from "restricted" networks (car dealerships, airports, etc.) For some reason, my local Honda dealer has a guest WiFi that restricts outgoing traffic to a small number of ports, and apparently SSH isn't on that list, so I can't push/pull to GitHub. Firing up sshuttle on port 80 punches right through the filter and allows me to do real work while I wait for my oil change.
Shadowsocks is more resistant to censorship from adverse actors (such as the Great Firewall) than OpenVPN.
Outline's user experience is the best I've seen among self-hosted VPN solutions, as it includes apps for both the server and the client. The server app is suitable for use in organizations, and can manage VPN profiles for multiple individuals.
It's an alternative for sure and has specific use cases, but calling Outline a VPN is disingenuous. It's just a Socks proxy with some obfuscation built in.
Shadowsocks handles all of the use cases of a VPN. When all of a device's internet traffic is routed through Shadowsocks, there is no functional difference to the user. This is the default behavior for all Outline clients (desktop and mobile).
Came here to post this. I’ve been using streisand for a long time with no problems. I’ve given out logins to a few trusted friends / colleagues and all have had good experiences as far as I know.
Plus I really enjoyed learning about the ins and outs of setting it up. I poke around in the VM just for giggles.
I've done this but have found that most services (Netflix, etc) recognize DO as a VPN. Does anyone know of a hosting provider that isn't blacklisted but I can still set up WireGuard on?
The problem with this is that jumping out onto the net from a VPS-allocated IP causes all sorts of trouble for "normal" internet use. For example you won't be able to use Netflix doing something like this.
I can see why Netflix would try to block it, but I haven't run into any issues with it myself (OpenIKEd on OpenBSD on a $3.50/mo Vultr server as detailed here: https://www.snazz.xyz/how-to/2019/09/13/vpn.html). A lot of websites seem aggressive towards Tor users, but my VPS IP address was treated the same as my home, work, and LTE addresses. Are there any other documented cases I should be aware of?
Vultr is a lesser-known VPS, ymmv. I had issues with several websites using Linode. I don't have a list, but iirc it was some gaming related service that took issue with the IP.
Is Algo really 1 ip = 1 user? I always assumed multiple things could be running on one IP since IPv4 is getting scarce, but bare metal networking is not my expertise.
I use Algo for the exact reason you mention ("this lan is sketchy") and have been pleased, but I always assumed even if my traffic was mingling, one (possibly secret) court order would out me since I paid with a CC tied to my real name.
Nothing on this page or on the trailofbits blog article tells me why I should actually use this. Why should I trust DigitalOcean more than <insert VPN provider here>? Especially when it says "Does not claim to provide anonymity or censorship avoidance" - why would I use a VPN if it can't even attempt to provide some measure of anonymity?
I was getting ready to paste the same thing; the command-line instructions make Algo, effectively, a somewhat technical solution, but it really does just work.
And for those who have used various VPN solutions over the years but not Wireguard: it really is pretty magic. It Just Works, with fantastic performance.
What about the data-mining and selling infrastructure of NordVPN, known as Tesonet? Are those intact? Also interesting to know how their legal departments are doing, such as the Panamanian shell and the Lithuanian headquarters.
Thanks for sharing these. I was familiar with the Protonmail business but did not know this all connected to a bigger picture. I never trusted NordVPN... they spent way too much money on advertising and snake oil advertising at that, focusing on meaningless numbers and distractions.
Hopefully you don't have similar news to share about Mullvad...
In no world is it excusable to have your ostensible competitor sign your binaries or certificates. They can make all the excuses they want, but it doesn't dissolve their incompetence, and shows they are unfit for running such a user-critical business.
No third party signed their certificates. Just a contracted employee who worked for Tesonet typed in his company name instead of ProtonVPN. That's just the Android keystore, nothing else. Google supports keystore rotation only starting with Android 9.
It's actually not even a contracted employee. It was a Proton employee who in 2016 was getting payroll through another company before we had our own corporate entity. Keystore rotation is still not available yet in Android, so the old key (which we solely control) can't be changed or modified. Android actually also hashes with the certificate metadata so even that can't be edited separately.
On principle I am not impressed with what happened and I think it's very sloppy. After the Lavabit fiasco we have to be extra scrutinizing about the leadership in privacy-oriented companies. That said, I still have a few accounts with Protonmail and I think the service itself is pretty good.
There's a couple ways to look at this.
On one hand, there's an anonymous website and hundreds of Twitter bots pushing a story that is demonstrably false (just check public records).
Then, on the other hand, you have Mozilla and the EU (which has access to all European corporate records) vouching for Proton (since they partially fund Proton). We also operate in a highly transparent way, so all information debunking this is actually in public record, details here: https://protonvpn.com/blog/is-protonvpn-trustworthy/
Proton definitely has an office and subsidiary in Vilnius, it's not a secret because it's on Instagram: https://www.instagram.com/p/BxMz62oHb6K/ The office is inside a 30 storey building, so it is not surprising the address is shared with quite a few other companies. But that doesn't mean Proton on a whole is based in Vilnius.
The people spreading the false information are also falsely implying that Proton's subsidiary controls the Swiss parent company, which is never the case as it's always the other way around (parent controls the subsidiary). And its super easy to disprove because unlike most companies in the VPN space, the directors of Proton's Swiss parent company are in public record, and are all well known people who have been in the public eye for years (e.g. at TED: https://www.ted.com/talks/andy_yen_think_your_email_s_privat...)
Can you explain how Mozilla entering into a partnership is the same as vouching? Did they do any particular vetting or analysis, or was this just a marketing partnership?
Quoting from the blog post:
"We therefore set out to conduct a thorough evaluation of a long list of market-leading VPN services. Our team looked closely at a wide variety of factors, ranging from the design and implementation of each VPN service and its accompanying software, to the security of the vendor’s own network and internal systems. We examined each vendors’ privacy and data retention policies to ensure they logged as little user data as possible. And we considered numerous other factors, including local privacy laws, company track record, transparency, and quality of support."
It was quite intensive, with on site visits to our office in Geneva and discussions with Mozilla technical leadership.
The thing that scares me here is that these keys were leaked May 2018, and it's becoming public knowledge now.
Someone found certificates for those three VPN providers and posted them to 8chan with a message like "I don't recommend these VPN providers lol"
The good news is that they're only certificates, and they have now expired, but theoretically they could have been used for the past year without anyone noticing.
During the spate of health care information leakage, someone invented an MTBCA, meaning "Mean Time to CEO Apology", for the time between the breach and the CEO apology. At that time, it was running on the order of 8 months.
What this article is missing is that the hackers had root access and had NordVPN's private key for their HTTPS cert for several months in 2018. This went undetected for months and they're only now publicly admitting what happened due to press attention. Their public response seems to be "it's not a big deal guys, mitm is hard".
> The key wasn't set to expire until October 2018, some seven months after the March 2018 breach
Someone is probably going to ask what other HN users recommend as an alternative. Personally, I use Private Internet Access because they're the only provider I've found with a track record of demonstrably not being able to turn your records over to someone asking for them [1].
I've been using Mullvad for a while now and I have nothing but praise for them. Only complaint is they're more expensive than some of their competitors.
What aspects of a VPN provider would you praise? Customer service, consistency of connection speed? Seems almost like a utility where it's hard to differentiate.
I would say transparency/security, quality of the client(s) and customer service, in that order. It's one thing to offer a VPN service, but to make sure you have a nice app on both iOS, Android, MacOS, Windows and Linux seems like quite an investment.
If we're offering recommendations, then I'll go ahead and recommend Mullvad. They've got great clients for most common operating systems, good customer support, good performance, lots of servers to choose from, the ability to open ports, etc.
Something I find pretty neat about them from a technical standpoint is their account creation, user authentication, and payment processes. Sign-up literally takes less than a second, so even if you don't plan on using their service, I recommend you try creating an account.
I've been using Private Internet Access (PIA) since 2016 and can also recommend it from a usability point of view. I'm not a security expert so I defer to others on PIA's security.
While the helpdesk software PIA used to use years ago did have that potential vulnerability, fortunately, Private Internet Access never exposed the support desk via plain http, and therefore, PIA itself did not have the vulnerability in its helpdesk.
>- We haven't used that machine since that exploit was made public.
So what? You were exploited before kayako patched this bug, it was glaringly obvious to anyone who ever looked at the cookies set by your site.
>- We were never exploited.
This simply isn't true, either you're misinformed or lying.
>- The specific machine was a backup helpdesk test server without any real user data.
The specific machine (Which you took down really fast after I pointed it out! :P) I linked probably did not even exist in 2015, I was talking about your prod env.
I don't have a horse in this race, there's no incentive for me to lie about this. I know what you are saying isn't true.
The claims there have been thoroughly debunked, most recently by Mozilla and the European Commission as part of their due diligence, details here: https://bit.ly/35RDKzB
There's a historical, almost accidental connection dating back to the infamous November 2015 DDoS against Proton, but zero connection today, and certainly not in the way it has been portrayed by people seeking to attack Proton. Android certs are permanent and can never be changed so that is why there is still one mistakenly issued Android cert out there today.
For a company based in Switzerland to be "accidentally" connected to a company in another country they claim to have no connection to such that their permanent google cert lists the name of the company they are supposedly not connected with - that doesn't seem odd to you?
That fact that this had to be slowly pried out with changing explanations along the way?
When you say the claim that has been debunked - I expect the claim not to be confirmed.
Given all that is going on with VPNs, your caution is warranted, but one should also critically examine the claims that are being made.
Proton definitely has an office and subsidiary in Vilnius, it's not a secret because it's on our Instagram: https://www.instagram.com/p/BxMz62oHb6K/ The office is inside a 30 storey building, so it is not surprising the address is shared with quite a few other companies. That doesn't mean Proton as a whole is headquartered there, or that the subsidiary somehow controls the parent company in Switzerland, or that there is somehow data mining going on.
Those are the claims that have been clearly debunked. The fact that Proton has a subsidiary in Vilnius, or the fact that we outsourced our HR back in 2016, are not secrets, and is on our Instagram and the Reddit thread linked above. This is the truth, and this is not some wild EU-funded data mining conspiracy as some would have you believe.
It's against almost all certificate standards for the certificate holder (Tesonet) to allow an unrelated third party to use a certificate with their name on it, or for a third party (Proton) to use a certificate that has another company's name on it.
If you would like, I can pursue this issue further given what seems to be confirmation here of a certificate violation.
You're being downvoted because people believe in propaganda being pushed by competitors, but ProtonVPN / ProtonMail are very good options. Plenty of links and reports by Mozilla in this thread will lend credence to that.
but was conveniently never denied by PIA that I could ever find. If it was a lie, it would be easy for them (PIA) to prove under libel laws in the discovery phase of a trial. I'd argue if it was a lie from ProtonVPN, it would have been in PIA's best interests to clear their name. After all, PIA and ProtonVPN are a few of the only providers who've proven in courts they don't have logs of users. We know they're legit because they said so in court under penalty of perjury. Also, the European Commission has investigated these exact claims, and would have privileged access to a lot of the business documents, and found the claims without merit.
Me? Just a happy protonvpn user who finds the oft repeated shilling for PIA dull. If you really want to hate protonvpn, use PIA, or use someone else. Better, don't trust any of them! Setup algo on a digital ocean droplet of your own: https://github.com/trailofbits/algo
However, this is meant for running over an untrusted network, not for maintaining internet anonymity. Use Tor for that.
ProtonVPN has a large history of being connected to TesoNet, a company providing among other things data mining(!). An extra cherry on top of that is the CEO of TesoNet also being the CEO of CloudVPN, which more or less controls NordVPN.
Now that doesn't mean ProtonVPN is automatically compromised but I feel with stuff like no-log VPNs one should always err on the side of caution.
This has been thoroughly debunked, most recently by Mozilla and the European Commission as part of their due diligence.
ProtonVPN is 100% owned by the company behind ProtonMail, which in turn is funded by the European Union, so this has been verified by the European Commission. Details here: https://bit.ly/35RDKzB
Over the course of the disclosure of the connection between NordVPN, Tesonet, and possibly ProtonVPN, Proton's story kept changing. They said contradicting things multiple times. They locked the Reddit thread. Why did Proton keep changing their story if they had nothing to hide? I will keep reminding people of this every time the issue gets raised. There is a compilation [0] of Proton's changing responses and them successively admitting more and more things not in their favor. The compilation starts at the part called "Online accusations fly".
Both Mozilla and the European Commission have looked into the accusations being made on anonymous websites, and determined that they are false. The EU in particular, has access to records which allow independent verification.
There is also an abundance of public record which demonstrates this is false. The bad faith of those spreading this information is also apparent from the hundreds of fake Twitter accounts used to spread the rumors.
There's a historical, almost accidental connection dating back to the infamous November 2015 DDoS against Proton, but zero connection today, and certainly not in the way it has been portrayed by people seeking to attack Proton.
I mean this[1] is pretty convincing and not directly from the accused company's blog. The only thing it gets wrong is framing ProtonVPN Lithuania as the main ProtonVPN company instead of as a subsidiary.
Regardless of that, there is so much mud being slung I recommend anyone to just search for 'protonvpn nordvpn tesonet', read a few articles on the topic and form your own opinion. Like I said, you can decide if you want to err on the side of caution or if it's a risk you're willing to take.
In case anyone wants VPN recommendations, I have good experiences with TorGuard and Private Internet Access and can also recommend Mullvad. Other people (that I trust) say iVPN and Tunnelbear are also solid.
On one hand, there's anonymous websites, competing VPN companies, and hundreds of Twitter bots pushing a story that is demonstrably false (just check public records).
Then, on the other hand, you have Mozilla and the EU (which has access to all European corporate records) vouching for Proton, which also operates in a highly transparent way, examples here: https://protonvpn.com/blog/is-protonvpn-trustworthy/
Proton definitely has an office and subsidiary in Vilnius; it's not a secret because it's on Instagram: https://www.instagram.com/p/BxMz62oHb6K/ The office is inside a 30 storey building, so it is not surprising the address is shared with quite a few other companies. And that doesn't mean Proton as a whole is based in Vilnius.
> On one hand, there's anonymous websites, competing VPN companies, and hundreds of Twitter bots pushing a story that is demonstrably false (just check public records).
I agree, the VPN industry is rife with shady business practices. But the story being pushed isn't 'demonstrably false'.
* TesoNet offers data mining services
* You did contract TesoNet employees
* Due to an error and unyielding policies by Google, TesoNet holds your Android app signing keys in name
* There is a lot of intermingling between TesoNet and NordVPN and to a lesser extent TesoNet and ProtonVPN.
Like I already stated, it's very unlikely you are compromised. But unlike, say, a billing company that handles my energy or water provider (where I care much less if they have tenuous links to data mining) my standard is extremely high for a VPN. Internet traffic is supremely personal and for me to trust a company handling that there cannot even be the slightest sheen of misconduct.
For me to trust you, you would have to completely cut out your Lithuanian subsidiary and any employees, board members, etc. that were or are related to TesoNet, as well as any reliance on their infrastructure. Obviously businesses don't operate with such 'scorched earth' policies and I don't expect you to gut your company based on a HN comment, but it is what it would take for me and many other privacy-conscious individuals to regain our trust.
Definitely appreciate your concern here, but there's still a lot which is being confused.
Proton does not today, and has never, used contracted (outsourced) employees. As is common with startups, in the past we did not always do all our HR in house (it's all in house today), but employees were always working on Proton and for Proton.
There are no board members, directors, shareholders, or employees related to Tesonet beyond the fact that a couple of employees might have been employed there previously. This in itself is not strange; we also have some employees who previously worked at Google, the ultimate data mining company, but clearly decided they preferred to work for the other side. People can and do change jobs.
Proton has also always run our own infrastructure, and for ProtonVPN, this is publicly verifiable.
So, we don't have to "gut our company" to remove any "intermingling" because there was little to none to begin with, and certainly nothing today.
Indeed trust is super important, but it seems odd to trust anonymous internet accusers or those with a clearly vested interest in harming Proton, as opposed to reputable third parties like the EU or Mozilla who don't have a vested interest here and are independent.
Proton is still to this day, the only VPN company that has an address clearly published on our website, where you can show up, and find company management and board members, and that means something.
Slightly off-topic but I am delighted by the generally non-abrasive way this thread is going. Dialogue is good!
I realized another way that would work for you guys (but is out of your hands) is fighting a court case about this. You'd be legally compelled to tell the truth and very screwed if you deny but then it comes out there is logging or mining going on. It's not ironclad but it is how most VPNs end up being considered 'solid'.
We have indeed retained lawyers to look into our options to fight the online defamation, but it's hard to take anonymous accusers to court. However, as we have discussed here (https://protonvpn.com/blog/is-protonvpn-trustworthy/) there is already a lot of ironclad legal evidence.
First, were we to lie in our privacy policy, we would be subject to GDPR fines of up to 20 million Euros, since we have both European customers, and a presence in the EU.
Second, there has already been a court case. We were ordered by a Swiss court to hand over logs, and we stated truthfully (under penalty of perjury) that we did not have the logs requested. This case was previously disclosed here: https://protonvpn.com/blog/transparency-report/
'January 2019 – A data request from a foreign country was approved by the Swiss court system. However, as we do not have any customer IP information, we could not provide the requested information and this was explained to the requesting party.'
I'm not terribly well-versed in the international (or Swiss) legal system but are portions of that request public record, or would it be possible to put portions of it online, verbatim?
It would really strengthen the case to your customers because whilst claiming you had a request when you didn't isn't illegal, falsifying court documents definitely is.
No public indictment was issued because in this case the accused could not be charged since they couldn't be identified. Generally there are only documents if police decide to move forward with a prosecution, which is unlikely since we do not have logs that can identify users.
Anyone can set up an anonymous website and make spurious accusations and/or take money to post glowing reviews. The VPN segment is full of shady tactics like this. Never trust any VPN review site.
Trust serious organizations such as Mozilla and the EFF.
Mozilla trusts ProtonVPN enough to officially partner with them. That means a lot more than some random anonymous reviews.
There are pros and cons to this, we think it's positive (aligns the EU with privacy), but we provided all the details in the below link so people can draw their own conclusions: https://protonmail.com/blog/eu-funding/
Don't use Tunnelbear, they're known compromised. Honestly it's hard to beat Mullvad right now but that does make them a hot target, so keep your eyes peeled and know when to jump ship.
Cloudflare's Warp is not an anonymising VPN as far as I know. It is just a way to speed up Internet speeds, especially in poorly connected areas. They make no effort to hide the origin IP. So it is not in the same class as other VPN providers.
This is interesting to read that Cloudflare is suggested here... shows that the term VPN is still thought of as private. (I know it is Virtual Private Network - but the termination is almost never private).
I've had fantastic experience with airvpn. They're cheap, fast, reliable, and support all the configuration types you could want. I'm not affiliated with them but I'm surprised nobody here has mentioned them yet. By far the best VPN provider IMO.
Any provider that offers that many IP addresses? I found NordVPN to be the only reliable service if you need to run requests from many IPs from different countries (web scraping).
The thing is, almost all of these providers share infrastructure and IP blocks. Look up MicFo and the associated lawsuits (not even including their lawsuit with ARIN). They provided the exact same IP blocked systems to dozens of the top VPN providers.
The reality is, if someone else owns the infrastructure you're just pushing the risk to a different location.
EDIT: I said I used IPVanish mostly because the EFF endorsed them, but someone pointed out below they got caught logging. I suppose that would explain why they're not endorsed on the EFF VPN page anymore. So, I guess time to find a new VPN. :(
Used IPVanish for a few years; it was great the first, sucked the second. I switched. These days I use VyprVPN. I like their Chameleon encryption that hides the VPN (although some data still leaks and some sites still detect it) and the killswitch option (prevents connections out if the VPN is not active).
... this site is awful. It doesn't address the actual reason why people use VPNs. They don't want all their activities to be recorded/tracked by their ISPs (which depending on jurisdiction log everything for at least 6 months if not more) or other actors. And if somebody wants to deanonymize your traffic, they have to go to extra effort, whether it's by exploiting or establishing a relationship with your VPN host or whatever else. Or there are other use cases, like wanting to torrent in a country that is very liberal with serving fines (Germany).
And frankly, his alternatives are just absurd. Tor? Really? Has he ever tried to use Tor for usual daily browsing? Does he expect people to try to use Facebook, Instagram, Youtube over Tor? Really?
Nobody should be using a VPN provider, full-stop. It is structurally impossible for anyone to verify their claims, they have more incentive to lie than your ISP does, and they're cheap and easy to set up, so the industry is a cesspool.
You should assume that all of them are behaving badly.
Also, hasn't CloudFlare been audited to verify their no log claims? I know while Mullvad hasn't been audited to verify their no log claims, they have at least been audited to verify the security of their app.
Plenty of people use VPNs for pirating, getting an IP from a foreign country to bypass some content limitation, etc., so they still need one, secure or not.
>NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”
So instead of allowing their customers to do their own damage limitation, they left their customers in the dark and continued to expose them to a breach they weren't sure they had fully contained.
I wonder when that sort of thing will become a criminal offence.
I don't think they ever wrote anywhere that they have 6,000+ physical servers. Calling a VM (like an EC2 instance) a server is not unusual. For the customers it was important that the resources, bandwidth and different IPs were available. For that it doesn't matter if it's a physical server.
> RADIUS secret key also leaked, so probably it is possible to break into EAP session which infers session secret key for StrongSwan.
Could you elaborate on this? I am familiar with PKI so the first part makes sense, but I am not familiar with the intricacies of VPNs so I am not sure what this means.
When the StrongSwan EAP-RADIUS plugin is in use, authentication is delegated to the RADIUS server. The actual EAP handshake occurs between the VPN client and the RADIUS server. [1]
Some EAP authentication methods (namely, EAP-MSCHAPv2 and EAP-TLS) export a Master Session Key, which is exported to StrongSwan via the MS-MPPE-Send-Key/MS-MPPE-Recv-Key EAP attributes. [2] So, the MSK is derived on the RADIUS side and sent to StrongSwan. An eavesdropper with knowledge of the RADIUS secret key is capable of intercepting and decrypting such EAP payloads.
Assuming their IPsec was enabled with it (and OpenVPN should be enabled by default), them leaking their keys does not matter. The sessions cannot be decrypted even if the master key is leaked.
TLS also has perfect forward secrecy by default.
Impersonation is an issue, but the article stated the CA keys have already been rotated and are out of date.
EDIT: I meant to reply to the post below me, but this is fine. Sorry about that!
> Impersonation is an issue, but the article stated the CA keys have already been rotated and are out of date.
They were not rotated back then in 2018, so we can only guess whether a MITM took place. Their line of defence, appealing to keys which are NOW outdated, is just ridiculous.
> The sessions cannot be decrypted even if the master key is leaked.
It's not true. PFS provides cryptographic isolation between long-term keys and the session key used to encrypt data. Obviously, if the MSK is compromised, it is irrelevant how it was derived: with PFS or not.
> They were not rotated back then in 2018, so we can only guess whether a MITM took place. Their line of defence, appealing to keys which are NOW outdated, is just ridiculous.
MITM could have taken place anyway because the attacker was on the machines. They did not need the key.
> It's not true. PFS provides cryptographic isolation between long-term keys and the session key used to encrypt data. Obviously, if the MSK is compromised, it is irrelevant how it was derived: with PFS or not.
PFS implementations have the session key rotated automatically in software and, depending on the implementation, multiple session keys are in use at any given time depending on flow. The PFS session key would also be different for every VPN server in the NordVPN environment. The only possible way to compromise a session on another VPN node (that was not compromised itself) would have been to intercept it at the time of the session being created and MITM by injecting your own PFS session key.
That is why it is called "forward secrecy": the session cannot be decrypted in the future, only in the present.
Unless your assumption is that this is a state actor with the ability to MITM connections in the first place, or a rogue ISP BGP hijacking that would have been obviously seen on something like BGPStream [https://bgpstream.com/], it is safe to say that no other VPN node's traffic was compromised. Only traffic on this single host in this single location.
"Instead of making use of the DH Keys Calculated during Phase-1, PFS forces DH-Key calculation during Phase-2 Setup as well as Phase-2 periodic Rekey. The PFS ensures that the same key will not be generated and used again."
OpenVPN (using TLS) also uses PFS by default. There is a reason it is called "Perfect."
EDIT 2: I am not defending them as well. I just believe extrapolating the technical details is fear mongering at best. Believe it is best to focus on the facts as it makes for a stronger argument.
I've lost track of the discussion and maybe some misunderstanding is taking place, but I'll attempt to synchronize.
There are two distinct severe security issues. The first one is the leaked CA key, which allows certifying any key as a valid key for a NordVPN server certificate. I think it is not necessary to argue about this: traffic decryption to any Nord OpenVPN server became as simple as a network MITM. Not likely a state-level BGP hijack, but a local attack targeting the channel of a small group of users. Anyway, we do not have cryptographic guarantees from this point on.
The second issue is the leaked RADIUS key. Why is it a problem for encryption? Because EAP authentication and key derivation run between the VPN client and RADIUS, and the VPN server receives the derived keys as attributes of the EAP message: https://wiki.strongswan.org/projects/strongswan/wiki/EAPRadi...
> The eap-radius plugin does not implement an EAP method directly, but it redirects the EAP conversation with a client to a RADIUS backend server. On the gateway, the EAP packets get extracted from the IKE messages and encapsulated into the RADIUS protocol, and vice versa. The gateway itself does not need special support for a specific EAP method, as it handles the EAP conversation between the client and the RADIUS backend more or less transparently.
> For EAP methods providing an MSK, the RADIUS server must include the key within the MPPE-Send/Receive Keys; Unfortunately, FreeRADIUS before 2.1.10 did not include these attributes when used with EAP-MSCHAPv2.
So, although the session encryption key is not bound directly to the long-term secrets which the server possesses, it can be extracted from the communication between StrongSwan and the RADIUS server.
PFS has nothing to do with any of it. In the first case it is possible to issue a VALID certificate for an eavesdropping VPN server and redirect users' traffic to it. In the second case the MSK can probably be extracted from the communication between the VPN server and the RADIUS server (I can't say if it will require a MITM of the RADIUS session or if it is possible to decrypt the EAP payload with passive sniffing and possession of the RADIUS secret key).
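The MPPE key wrapping discussed in the two comments above, as an added example that is not part of the thread: it implements the RFC 2548 MS-MPPE-Send-Key/MS-MPPE-Recv-Key encryption a RADIUS server applies before handing the MSK to the gateway, and shows that the only inputs needed to reverse it are the shared secret and the Request Authenticator, which is sent in the clear in the Access-Request. The secret, authenticator, salt and key values are constructed samples.

```python
# Added example (not from the thread): RFC 2548 section 2.4.2/2.4.3 MPPE key
# encryption, the only protection the MSK has between a RADIUS server and an
# EAP-RADIUS gateway such as strongSwan. All values are constructed samples.
import hashlib
from typing import Optional


def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def mppe_key_encrypt(key: bytes, secret: bytes, req_auth: bytes, salt: bytes) -> bytes:
    """Encrypt an MPPE key as the RADIUS server does for the Access-Accept.

    Returns the attribute value: the 2-byte salt followed by the ciphertext.
    """
    if len(req_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    if not 1 <= len(key) <= 255:
        raise ValueError("key length must fit in one octet")
    # P = length octet + key, zero-padded to a multiple of 16 bytes.
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    ciphertext = b""
    # b(1) = MD5(S + R + A); b(i) = MD5(S + c(i-1)); c(i) = p(i) XOR b(i)
    b = _md5(secret + req_auth + salt)
    for i in range(0, len(plaintext), 16):
        c = bytes(p ^ k for p, k in zip(plaintext[i:i + 16], b))
        ciphertext += c
        b = _md5(secret + c)
    return salt + ciphertext


def mppe_key_decrypt(attr: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Recover the key from an MS-MPPE-*-Key attribute value.

    This is what the gateway computes, and it needs nothing beyond the
    shared secret and the Request Authenticator of the matching
    Access-Request, both of which a passive capture plus the leaked
    secret provides.
    """
    salt, ciphertext = attr[:2], attr[2:]
    if len(ciphertext) == 0 or len(ciphertext) % 16:
        raise ValueError("ciphertext must be a non-empty multiple of 16 bytes")
    plaintext = b""
    b = _md5(secret + req_auth + salt)
    for i in range(0, len(ciphertext), 16):
        c = ciphertext[i:i + 16]
        plaintext += bytes(x ^ k for x, k in zip(c, b))
        b = _md5(secret + c)
    key_len = plaintext[0]
    if key_len == 0 or key_len > len(plaintext) - 1:
        # A wrong secret turns the length octet into noise; this check
        # catches most of those cases, the caller handles the rest.
        raise ValueError("decrypted length octet is inconsistent with attribute")
    return plaintext[1:1 + key_len]


def recover_msk_half(captured_attr: bytes, captured_req_auth: bytes,
                     secret: bytes) -> Optional[bytes]:
    """Offline recovery from a capture: returns the key half, or None."""
    try:
        return mppe_key_decrypt(captured_attr, secret, captured_req_auth)
    except ValueError:
        return None


def demo() -> None:
    # Constructed sample exchange: one EAP-MSCHAPv2 style 32-byte MSK half,
    # a random-looking Request Authenticator and the gateway's shared secret.
    secret = b"constructed-shared-secret"
    req_auth = bytes(range(16))        # sent in the clear in Access-Request
    salt = b"\x80\x01"
    msk_half = bytes(range(32, 64))    # one half of a 64-byte MSK
    on_the_wire = mppe_key_encrypt(msk_half, secret, req_auth, salt)
    print("attribute on the wire:", on_the_wire.hex())
    print("recovered with leaked secret:",
          recover_msk_half(on_the_wire, req_auth, secret) == msk_half)
    print("recovered with wrong secret:",
          recover_msk_half(on_the_wire, req_auth, b"other") == msk_half)


if __name__ == "__main__":
    demo()
```

The defensive consequence is that the RADIUS shared secret is key-encryption material and must be rotated alongside the CA key; carrying RADIUS over a protected transport (RadSec per RFC 6614, or IPsec) is what stops a passive capture from being enough.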
I find it surprising that none of the threads in this topic mention the very serious threat this breach might pose for users in countries like China. The fact that NordVPN neglected to tell its users for months after the breach quite possibly endangered people's lives. Unforgivable.
From the article:
“One of the data centers in Finland we are renting our servers from was accessed with no authorization,” said NordVPN spokesperson Laura Tyrell.
I believe that would be the section they're referencing.
“We failed by contracting an unreliable server provider...”
They are casting blame on the provider. Providing remote access tools is not a fault. Failure by NordVPN to disable said access is the issue, yet they passed the blame on.
Within 72 hours according to GDPR, I thought?
“The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.”
https://ico.org.uk/for-organisations/guide-to-data-protectio...
The tinfoil hat would argue maybe this was a leak that happened, but it was shared by design. It’s an HK company with questionable relationships and owners.
> I wonder when that sort of thing will become a criminal offence.
If they have EU customers then article 33 of GDPR should see to that.
"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."
Unless the authorities in the EU accept the explanation, they are in trouble, but I think you must report even if you only think there has been a breach.
> Your IP address is a largely irrelevant metric in modern tracking systems.
I don't believe this for one second.
Your IP address on its own is not sufficient to identify you. That doesn't mean your IP address is not helpful in identifying you.
If you have Javascript disabled, it is a heck of a lot easier to identify you with a combination of an IP address, user agent, and OS than it is to identify you without the IP address cutting down the pool of potential visitors.
On top of that, if you're targeting me and do a geo-location of my IP address, it will get you within 5 miles of my house. That's close enough that you'll know which county I'm in, which with a few other easily-obtained pieces of information will let you pull up my voter registration, which will give you my exact street address.
Of course, you could mitigate this by setting up your own VPN on something like Linode, but unless you're regularly rotating IP addresses, you've just traded a pseudo-identifier that multiple people/devices share for a persistent identifier.
This argument comes up all the time, and I have never heard anyone explain it in a way that passes my sniff test. If you want me to stop using a VPN, you need to do a lot better than just claiming that IP addresses don't matter -- you need to show some kind of evidence to back that up.
Eh. If you're enabling JS because you think it's going to help you blend into the crowd, I am skeptical that you understand how powerful JS fingerprinting actually is, particularly around cache abuse and super-cookies.
You don't need to go all the way, but the very least I would advise turning on the resist-fingerprinting config in Firefox. At a minimum, block things like canvas/webGL. You're making yourself more identifiable by doing so, but the alternative is worse.
Now, if you're not using a VPN, and you're in a rural area, and you're on Linux/Firefox with Javascript disabled -- sure, I definitely buy that I could do some pretty decent correlation with that info. That's why VPNs (for all their flaws) still matter.
Sure, I do understand that, and yes IP hiding does matter. I'm merely pointing out that disabling Javascript (and eventually enabling some set unique to you, to un-break a broken site) is just another way to leak some bits one might want to be aware of. Faking the common fingerprinting vectors known to expose you uniquely is possibly a better way... until the new ones are found. I don't know. The leaking bits need to be carefully accounted for, and you don't know the site userbase for sure to blend into the largest cluster possible. I don't think that fingerprinting is something that can be fought by the end user efficiently, besides the very obvious things like blocking the major vectors.
> Faking the common fingerprinting vectors known to expose you uniquely is possibly a better way...
I wish there was more research being done around this. I appreciate what Firefox is doing, and I assume there are good reasons for their fingerprinting strategies. They know more than me about this stuff. But... it still sets off some alarm bells in my head. It seems like it would be strictly better to spoof location/canvas/microphone data instead of only blocking it.
But who wants to put in the effort to develop tracking for non-JS users? In reality, most will just ignore the few users that don't want to be tracked. Even ublock origin should be enough for most.
However, IP is certainly used. I know of a few cases where IP is at least used as a filter. Most websites won't see that many users from one IP address.
> Your IP address on its own is not sufficient to identify you.
Wasn't there a story yesterday that the FBI tracked a guy who had logged into jihadi forums with the IP, and knocked on the door with a copy of a passport of the guy's dad?
Pick a cloud provider you trust. I was thinking of moving from Digital Ocean (US) to Hetzner (German) and setting my own VPN up through a normal server.
I've pondered this before, but I don't see much advantage in having my traffic which currently comes from many IP addresses as I roam about the world, many of them shared and constantly changing, all come from one IP address that is absolutely only me.
Plus browsing the web from a hosting provider is a worse web; you'll get more sites rejecting you or putting you through bad CAPTCHAs all the time, because the same services you can rent a server from are open to all the spammers and scrapers and other bad actors, so you're pretty likely to end up in an IP space with bad reputation.
If anyone can argue me out of this position, go nuts. I want this to work and do something useful, I just can't convince myself it does even with that bias.
No, that's a different web. I live in the "google bullying" web between my combination of using Firefox + uMatrix on desktop, Brave on Android, and DuckDuckGo as my search engine. Google gets very little of my desktop info and fragmentary mobile use only. I do a few extra CAPTCHAs but it's not too bad.
The "I think you're a bad actor" web is much worse. Ask Tor users.
It's not that they're more trustworthy; it's that you have more control. They could be feeding traffic to the NSA as well, but you can encrypt it yourself -- with VPN services like Nord you're relying on other people to do that for you. VPN services can often offer convenience features like country switching etc., but if security is what you're after, then cloud providers and setting up your own VPN seem like a more reliable alternative.
To the people looking to setup a simple http proxy in three steps:
1. Set up a server instance whose IP you know and have configured ssh.
2. In Browser: Manual SOCKS Proxy: 127.0.0.1: your_chosen_port
3. In terminal: ssh -i ssh_key -D your_chosen_port user@ip_address
I'd rather trust an at least somewhat trustworthy VPN provider with my data than a random coffee shop and clients who happen to be on the same network at the time.
I feel like that's crazy. There should be no traffic entering or leaving your machine that's not end-to-end encrypted already. Trusting some fly-by-night VPN provider because they buy a lot of YouTube ads is no substitute for proper end-to-end session level encryption.
Simply seeing what servers you connect to can reveal a lot about you: where you work, what social media accounts you have, what apps you have installed, what you are interested in reading, etc. HTTPS doesn't help you with that.
Yeah much better, a server that the user will probably not be talented enough to secure and will forget to patch the OS, libraries or application itself.
/s
Analogies are imperfect, but I think the intention was more like "If for some reason you cannot do that, here is a simple meal you can make in your own kitchen."
This article tries to enumerate the use cases for use of commercial VPN services, but misses out my only use case of these services: evading geoblocks. It seems fallacious to me.
The article is slightly more nuanced... know when and why to use VPN is more accurate. As mentioned near the end of that article, using known or suspected hostile networks, like public WiFi is a good reason to use VPN.
The problems addressed by avoiding a locally hostile network by connecting to another, globally hostile network is solving a very limited, nuanced set of problems.
Unless you're VPNing to your home or office, these public providers are just asking for trouble. They're too cheap to run well.
Yes, you can run your own VPN... that’s a great solution.
Also public WiFi attracts low hanging fruit sort of exploits. Incentives for the VPN company that already makes money, to actively hack and exploit your machine are significantly less.
I don't understand the obsession with VPN providers. Funneling all your Internet access through a single entity no matter where you connect from just seems like a fundamentally bad idea to me, especially if that entity's business is getting people to funnel all their traffic through, making them a juicy target for governments or hackers.
One very explicit reason to not trust your ISP with your internet traffic is that since 2017 [1], they are allowed by Congress to sell your internet history.
As a cherry on top, they were also the ones that successfully lobbied the government to allow that in the first place [2].
To be fair, they can't actually see more than hostnames & IP addresses (assuming the use of TLS, which is becoming ubiquitous), so implying that they sell your "Internet history" makes it sound worse than it is.
I've always assumed VPN providers sell whatever data they can too.
I’m not a network expert, but doesn’t TLS just cover your connection with a specific website? Since your ISP is often also your DNS, can’t they still see which specific websites you’re trying to connect to? Wouldn’t TLS just obfuscate what you’re specifically sending to and receiving from that site? I’m under the impression that my ISP can (and probably does) see every website I visit, which is at the least browsing history.
I also remember that Comcast did (and might still do) inject code onto websites to display a “pop-up” indicating that you’re reaching or have reached your datacap. It would even pop up on Steam because most of Steam is really just a webview. I’m not sure exactly how they did/do that.
Again, I’m not a network or security expert, so I’m not really sure of how TLS protects your internet history, which I take to mean a list of websites you visit and when.
You're correct - TLS / SSL operate above the IP layer, so they know which servers you're talking to, when and approximately how much, and if they can see your DNS requests it makes it that much easier to know which sites that maps to. TLS stops them from seeing the actual data you're sending (like passwords) and which pages you're viewing, and it also prevents them from manipulating the data (unless they've subverted the PKI, like if your company laptop has a certificate installed that trusts your company VPN, in which case your company VPN can do a man-in-the-middle attack to subvert TLS).
By looking at side-channel data it was possible to correlate the page being viewed on SSL, IIRC researchers could calculate the page viewed about 70% of the time.
That’s what the parent said: they can still see “hostnames and IP addresses.”
But, for most people, that means that the ISP will just see:
• google.com
• facebook.com
• reddit.com
• somebignewspaper.example.com
Etc.
And there’s really nothing much too valuable about that. They won’t even be able to figure out if you’re shopping for something (unlike every other nosy channel provider), because most shopping traffic today just looks like Google + Amazon.
While it's true that the big platforms dominate web use today, don't forget that the concept of metadata includes when you actively surf on the information superhighway. That's valuable information for advertisers.
So is every DNS lookup related to the API backends of specific apps you use. And every random website outside the massive platforms.
These might reveal tons of information about you. Like:
Are you doing research on politics (and which flavor)? Do you worry about health? When do you access online banking? Which banks? Any tax filing software? Invoicing apps? Do you use shitty payday loans? Are you looking for dates? Are you gay? Which games do you play? Which car dealerships do you consider? Do you gamble? And of course, any particularly.. specific porn sites? Do you access banking, travel/flight booking, investment, shitcoin trading, adult or gambling sites in a specific pattern that might indicate mania or other mental health issues?
With metadata alone, your ISP has a thick dossier on your habits, with stuff therapists don't know about their clients.
I see. As someone who has practically zero knowledge of networking, I had misconstrued hostnames for something else, which I’m now too embarrassed to mention.
... and request sizes, relative times, and time of day. It would be foolish to not assume that the complete history of your sessions can be inferred from how this data clusters, everything but the actual text of your messages.
Of course the people that find this problem worthwhile to solve then go on to work for or found surveillance companies, rather than publishing proof of concepts to security lists.
We also already know the type of molds the surveillance companies are trying to fit us in, from their own marketing materials (eg https://www.experianintact.com/content/uk/documents/productS...). Do you really think there isn't enough metadata being leaked to bucket people into these categories?
And yeah, IP proxying is a hack. But it's seemingly the best we can do to mitigate the utterly broken HTTPS/JS protocol stack.
There are other straightforward advantages too, like having location targeting miss the mark which breaks up the coherency of their manipulation. I've got zero intrinsic interest in local/news events for elsewhere.
TLS has optional padding. In TLS 1.3 clever design means the padding is "free" (each byte of padding adds exactly one byte of data transmitted) so if you would like the sizes transmitted to be misleading you can choose how much.
We can't solve for you the question of how much to use. If you want a snooper to not know if you retrieved file A of 14583 bytes or file B of 14621 bytes maybe a very small amount of padding will get the job done. If file B was 800 Mb that's a lot more padding you're asking for.
Sure, but that doesn't really address how clients/websites use it right now, or even scale up to solving the fundamental problem (the best you can do is hide bits by padding requests/responses to a discrete set of lengths).
If you're responding to my characterization of HTTPS/JS as "broken", I'm referring to the fact it needs to make a connection to a well-known centralized-authority server every time it wants to retrieve a resource, leaving you at the mercy of your transit (and the server itself, which is obviously another major source of surveillance). Whereas something based on ideas like content-centric networking (eg Freenet) allows a user agent to retrieve those resources from peers or broadcasts, perhaps even over virtual constant-bitrate links.
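The padding trade-off described above (TLS 1.3 zero padding costing exactly one byte per padding byte, bucketing sizes to hide small differences, and the much larger cost of hiding a small file among big ones), as an added example that is not from the thread. The bucket size, the 14583/14621/800 MB sizes, and the function names are this example's own choices; record framing follows RFC 8446 section 5.4.

```python
# Added example (not from the thread): TLS 1.3 TLSInnerPlaintext padding
# and the length a passive observer sees once padding is applied.
from typing import Dict, List, Tuple

APPLICATION_DATA = 23            # TLS ContentType value for application_data
MAX_INNER_PLAINTEXT = 2**14 + 1  # RFC 8446 5.4 limit on content + type + zeros


def tls13_inner_plaintext(content: bytes, padding: int,
                          content_type: int = APPLICATION_DATA) -> bytes:
    """Build TLSInnerPlaintext = content || content_type || zeros[padding].

    There is no length field and no block rounding, so every padding byte
    adds exactly one byte to the encrypted record (the "free" padding above).
    """
    inner = content + bytes([content_type]) + b"\x00" * padding
    if len(inner) > MAX_INNER_PLAINTEXT:
        raise ValueError("padded record exceeds the TLS 1.3 record limit")
    return inner


def tls13_parse_inner_plaintext(inner: bytes) -> Tuple[bytes, int]:
    """Receiver side: strip trailing zeros; the last non-zero byte is the type.

    Content that itself ends in zero bytes survives, because the non-zero
    content_type byte always sits between the content and the padding.
    """
    end = len(inner)
    while end > 0 and inner[end - 1] == 0:
        end -= 1
    if end == 0:
        raise ValueError("record carried no content type byte")
    return inner[:end - 1], inner[end - 1]


def padding_for_bucket(content_len: int, bucket: int) -> int:
    """Zeros needed so content + type byte lands on a multiple of `bucket`."""
    return (-(content_len + 1)) % bucket


def observable_length(content_len: int, bucket: int) -> int:
    """Plaintext length an observer can infer after bucket padding.

    The AEAD tag and 5-byte record header add a constant on top of this,
    so they do not help distinguish two responses in the same bucket.
    """
    return content_len + 1 + padding_for_bucket(content_len, bucket)


def padding_to_match_largest(sizes: List[int]) -> Dict[int, int]:
    """Padding each response needs to be indistinguishable from the largest.

    This is the expensive case: hiding a ~14 KB page among 800 MB downloads
    means padding the page up to 800 MB, regardless of the record format.
    """
    largest = max(sizes)
    return {s: largest - s for s in sizes}


if __name__ == "__main__":
    small_a, small_b = 14583, 14621      # the two file sizes from the thread
    for n in (small_a, small_b):
        print(n, "bytes ->", observable_length(n, 4096), "observable")
    huge = 800_000_000                   # the 800 MB case from the thread
    print(padding_to_match_largest([small_a, huge]))
```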
I am guessing #1 is not wanting your internet provider (eg. AT&T) knowing what you are doing, then Netflix, Torrents, getting better deals on tickets and such, maybe activities of questionable legality?
Personally, I don't like the idea of my mobile provider profiting off knowing which applications I am using and what sites I visit.
Because it's easy to change a VPN provider if you don't like their actions, but most of us are stuck with an ISP and have no control over what they do with our data?
What exactly can they be doing with your data other than selling a list of which DNS queries you make and which IP addresses you connect to? (Which the VPN provider can also do.)
I have had this situation in-flight a few times. I just used wireguard to a server I have. If I didn't already have that set up, I would have used an SSH+SOCKS tunnel to route around the damage. No need to send all my traffic to some shady VPN provider.
They can do active attacks on you, as most people don't actively attempt to ban and absolutely block unencrypted connections (and there are also sometimes attacks on SSL stacks anyway); and like... SSL isn't really designed to protect the content of your connection anyway: due to size and timing attacks, people have deployed practical implementations of stuff like "figure out where I am looking at on Google Maps" and "figure out what movie I am watching on Netflix", and while I haven't seen a practical implementation of it yet, "learn too much about my search queries due to find-as-you-type".
(Also, if I see you making requests to some websites I can correlate it to others, just on hostname, which I would get from SNI/TLS, not DNS: like, you go to news.ycombinator.com followed by some other websites that are currently on the front page of Hacker News, I can now guess with high likelihood you are clicking on specific website links you just saw.)
As for "the VPN provider can also do that", that is like saying "what can a random stranger do with your secrets that someone you know well can't?", which is "true" sure, but not really interesting: being able to choose the company on whom you rely for security is extremely useful: I don't really have choice over my ISP, but I have choice over my VPN, and so you can't really say "these VPNs are shadier than my ISP" unless you can show the best of all VPNs is shadier than my ISP.
Meanwhile, for many people, your "ISP" on a given day might be "the local coffee shop" or "an airport" or "your brother's friend Bob": people talk about "ISP" as if it always means "AT&T", but I see even extremely technical people who "should know better" happily using WiFi provided by conferences, which is just crazy to me... you are way more likely to get messed with in some scary way by people close enough to you for it to matter than by some random entity.
> SSL isn't really designed to protect the content of your connection anyway: due to size and timing attacks, people have deployed practical implementations of stuff like "figure out where I am looking at on Google Maps" and "figure out what movie I am watching on Netflix", and while I haven't seen a practical implementation of it yet, "learn too much about my search queries due to find-as-you-type".
A VPN won't protect you from these sidechannel attacks.
Not by default, but it could. Send a monolithic stream of 1500 byte packets with some padding to obfuscate transfer rates and you can really disrupt that kind of thing.
Where did location history come into this? (IP addresses are generally not correlated to location at much more than city level.)
My point is simply that using a VPN provider doesn't change the fact that an actor has access to your DNS queries and which IPs you connect to (and where you connect from). It just changes that actor from your ISP to a VPN provider, and most VPN providers seem a hell of a lot more shady than any ISP I've dealt with.
The ISP knows who you are and where you live; the VPN provider only knows your source IP address and information gleaned from your payment method (which in many cases can be "not much", as VPN providers support pseudo-anonymous payments).
If you're doing something illegal in your own country, that seems like a good idea. If you're not, that would seem to achieve nothing other than making it much more difficult to enforce any action against the VPN provider for selling your private data.
If my VPN provider trades user data, the service will quickly deteriorate and it won't be a VPN provider for long. But even if that is the case it wouldn't be my primary concern.
I don't even live in a country where I have to fear much at all from malicious authorities, but they wouldn't even blink before trading privacy for perceived security.
I might change my opinion if there were actual consequences for sharing user data. I believe it when I see it.
Otherwise I just like privacy, information is power and I don't like to share with the state.
Well your ISP knows more about you than your VPN necessarily does. Your ISP probably has your credit card on file, with your real name, and they have your precise street address too. The VPN may have none of that, except your IP address. If somebody were to purchase your history from your VPN, they would have to also purchase the IP->name/address/etc mapping from your ISP and JOIN the two. That seems marginally better than a one stop shop.
(Of course, some people give their VPN their credit card info, so the above rationale doesn't apply for them.)
I feel like the only good reasons to use a VPN are if you're torrenting or if you want access to sites from different countries (foreign Netflix libraries, streams from state-run media channels, etc). Most VPNs worth a damn aren't going to sell you out just for torrenting movies/music/games while your ISP will.
Any (large?) ISP will report your torrenting and/or terminate your internet usage if you torrent anything they deem copyrightable. Both Comcast and Spectrum do this, at least.
They don't. What you're describing would take them out of common carrier status and make their business unworkable. What they do is respond to notices from copyright holders.
Agreed - I was oversimplifying. A better way to put it would be to say that ISPs automatically participate in the reporting of alleged copyright infringement, as well as mete out punishment for alleged infringement when they decide it is appropriate, whereas (most?) VPNs do not.
My friend's VPN emailed him saying Comcast asked them for his info because he torrented something and the copyright holder contacted Comcast. The VPN provider didn't give Comcast any info.
OK, I was not aware of this. I have been known to occasionally torrent things (not just Linux distros!) and having done this semi-regularly while living in four different countries I'm yet to hear anything from any ISP about it, but I am sure there are places where it's taken more seriously.
What's the purpose of that? Genuine question, I'm trying to understand the threat model of another torrent user seeing the IP address that is currently allocated to your router. Is this related to those letters that people sometimes get sent threatening legal action for torrenting?
Quite simply evading copyright strikes or legal filings. I don't know which providers still disconnect your internet after 3 strikes. But I am guessing that's the "threat" here.
"I don't understand the obsession with VPN providers. Funneling all your Internet access through a single entity no matter where you connect from just seems like a fundamentally bad idea to me, especially if that entity's business is getting people to funnel all their traffic through, making them a juicy target for governments or hackers."
Agreed - especially when it is so very, very cheap and easy to fire up a handful of VMs - around the world - and run your endpoints any way you like.
By far my preferred technology is 'sshuttle'[1] which allows you to use any host, anywhere, running ssh as a VPN endpoint. That cuts the setup time for your VMs down to almost zero.
You can fire up VMs, but then the issue becomes the VM provider, which definitely has their own logs. Doing torrents through a VPN you set up on a VM provider usually gets the automated emails being forwarded to you.
Regardless of anonymity or privacy, my ISP almost certainly deprioritizes some traffic (video), so a VPN at least ensures I can use my full bandwidth for whatever I want to access on the Internet.
I use one when I have to connect to a public access point, or really any network that's not owned by someone I know and trust. It's not a perfect privacy/security plan -- you're right that I can't completely trust the VPN provider either -- it's just better than the alternative.
> Funneling all your Internet access through a single entity
You don't have to funnel it all, only data crossing hostile networks like free wifi hotspots (The only real use-case for VPNs in the first place). Alongside this is choice of geolocation so you can watch things like HBO even when in Europe.
Nord (and perhaps others) seem to have been compromised for months/years - lifetime accounts have been available on the DN for significantly cheaper than other VPNs: https://news.ycombinator.com/item?id=20094946
Doesn't seem like a smear - glad this is coming to light.
Nord specifically has a retailer system, I wonder if accounts can be created 3rd party and sold greymarket like that without any nefarious hacking scandals?
Maybe they should spend more money on security than throw at people like PewDiePie to advertise them ... by also giving false claims like protecting you from hackers and making you magically "secure", whatever that's supposed to mean. Doesn't give the impression they know what a VPN actually is. Considering that most likely the phrasing comes from NordVPN themselves I always questioned them as a whole. Good to have some positive feedback (from my point of view) on that now.
I was just thinking yesterday that people might be overly paranoid about that, I’ve always agreed that if security were important you shouldn’t share space but lately I’ve begun to question it since a lot of these data centers are pretty carefully controlled.
I’m glad I didn’t speak my mind on that I guess since I was wrong.
>It's odd that NordVPN, VikingVPN and Torguard all got their private keys leaked here.
Good reminder to set up FDE and not give your host logins for your servers. Unexpected reboots are rare enough that they're worth switching hosts over.
For dedicated servers this would work, especially for VPN where data-loss is "acceptable".
But if it were based on containers like LXC or OpenVZ, then the host can force root access via a command without even changing the root password of the container.
I doubt serious VPN providers are using LXC/OpenVZ containers. They don't even work with OpenVPN without special setup from the provider, I don't know about other protocols.
>For dedicated servers this would work, especially for VPN where data-loss is "acceptable".
FWIW there's no need for data loss when you ditch the server, just download the encrypted data and decrypt using a clean environment elsewhere.
>But if it were based on containers like LXC or OpenVZ, then the host can force root access via a command without even changing the root password of the container.
You should never do this, unless you truly don't give a shit about whatever you have on the server.
I mean that encryption puts the entire data-store at risk, I've seen it happen more than twice due to RAM being faulty (In one incident it was using ECC RAM) and a power-failure.
Even the backups were corrupt due to being backed up in encrypted images. When encrypted volumes and images are corrupted by RAM or power-failure, they are locked forever.
Of course one should never force root access, I'm saying that you can't keep the hosting provider from accessing the server in that case.
> Even the backups were corrupt due to being backed up in encrypted images. When encrypted volumes and images are corrupted by RAM or power-failure, they are locked forever.
That sounds more like issue with backup procedure (and testing of backups), even if it was amplified by encryption.
> Of course one should never force root access, I'm saying that you can't keep the hosting provider from accessing the server in that case.
LXC and especially OpenVZ containers seem to be replaced by KVM in hosting/cloud. Of course, it's still possible to attack a VM as the host has control over the VM's memory. Even dedicated servers are potentially vulnerable to attacks like cold boot.
> In one incident it was using ECC RAM
Did it at least warn about issues or was it ignored?
> I mean that encryption puts the entire data-store at risk, I've seen it happen more than twice due to RAM being faulty (In one incident it was using ECC RAM) and a power-failure.
How can this cause data loss? Header containing encryption key should not change during normal work. Did it just corrupt writes?
Yeah this sounds so weird. Data loss due to bad RAM will be extremely similar with or without encryption, it's not going to corrupt the header of the disk.
The catastrophic data loss you describe almost certainly resulted from you doing something horribly wrong, and not encryption.
You should probably ask for a refund, then set up your own VPN.
Commercial VPNs are, for the vast majority of cases, simply not a good bet for your privacy. You're changing your network traffic path from a diffuse and byzantine series of paths to one centralized collection point. The payoff for an attack on a VPN rises very quickly. Meanwhile, you're also conditioning yourself to say, "My traffic is secure while my VPN is on."
It works for when you need to use untrusted WiFi, because the alternative is worse. Beyond that, it forms a nice defense against unsophisticated attackers. (e.g. it breaks a single datapoint (ip address) used by Google and FaceBook).
And no, it doesn't break analytics by Facebook or Google in any substantial way. I know some people use them to evade Netflix region exceptions, and that's about all they're good for.
You can’t always ensure that all traffic goes over SSL. DNS traffic is an example. I always assume that hostile public networks like free WiFi have agents actively trying to man in the middle any connections they can. If your device has a known exploit and a single connection not going over SSL you drastically increase your exposure on a public WiFi, hence the one use case for VPN.
If your privacy concerns include your DNS requests then a commercial VPN isn't a realistic choice. And unlike some rando pseudo-bespoke brand-less coffee shop wifi, commercial VPNs are a big target.
> I always assume that hostile public networks like free WiFi have agents actively trying to man in the middle any connections they can.
And VPNs just move that problem. If you're not demanding and forcing SSL, you're not actually addressing this problem.
> If your device has a known exploit and a single connection not going over SSL you drastically increase your exposure on a public WiFi, hence the one use case for VPN.
I regret to inform you that none of these things you've described stop those sorts of attacks. Forcing SSL on your browser is a realistic option for most threat models. If you're at a level where you're actually being surveilled by a nation-state-level actor, a commercial VPN won't help you. Short of that scenario, forcing SSL will cover most cases.
Try running a traffic or packet monitor on a WiFi network. Now tell me how much of that traffic is going over SSL.
And even if I don’t run my own VPN, I’d prefer to “move the problem”. It’s so much easier to attack machines on public WiFi than compromise a VPN provider... and much more anonymous, and less likely to incite law enforcement activity. Public airports, libraries, etc are hotbeds of nefarious activity.
I use plugins to force SSL to all connections. I block outbound non-SSL http traffic.
So, 0%? But personally I don't go to many sites that don't have full SSL coverage. Do you?
I highly recommend you do this.
> It’s so much easier to attack machines on public WiFi than compromise a VPN provider... and much more anonymous, and less likely to incite law enforcement activity.
Do you think there will be a successful law enforcement follow up to this breach? I doubt it.
> Public airports, libraries, etc are hotbeds of nefarious activity.
As are VPN data centers, as evidenced here.
If you really want to just shift your egress point, lots of self-hosted VPN options exist. These are much better able to do the things you want to do, without being as vulnerable to corporate VPN attacks.
Well I agree with you on the self hosted VPN option being the best. I’m just saying there’s not zero benefit to hosted VPN in some cases.
And it sounds like you're just looking at http traffic and web browser traffic. Your computer is communicating over lots of other ports and protocols that are often not encrypted. Are you blocking all outbound traffic?
Let’s take the recent iTerm vulnerability. ( https://www.kb.cert.org/vuls/id/763073/ ) I’m guessing you don’t have a plug-in to force curl to use https? What if you execute a script that curls http and you don’t realize?
Now you could say well “I just make sure all my curls are https.” The problem with that approach is it requires unrealistic levels of vigilance, about every outgoing service you may use, and that all your software on your machine is patched or bug free.
The easiest and quickest place for a hacker to learn their tools and skills is simply public WiFi. Want to try that iTerm exploit out... you go to the coffee shop and wait for a programmer to accidentally curl something over http.
VPN is not perfect, but it does provide some protection in certain circumstances that can’t be ruled out.
Best course, force https for web browser, and use your own hosted VPN anytime you are on a public network.
But how can a DIY VPN serve you if you want to, say, avoid geoblocked pages? Usually with those VPN services you can choose where your exit node is. I don't feel like using a multi-region setup for this (well, now that I think of it, using Terraform + Algo it could be neatly automated...)
I'd keep in mind that cloud providers have well-known IP blocks that can sometimes be rate-limited by various internet sites/services, primarily to combat botting. You might inadvertently get caught in the IP range that's being actively rate limited by e.g. Instagram. YMMV.
Prepare to have to deal with their "Customer success team", I had to email a few times back and forth before they actually closed and removed my account. There is/was no way to do this in the web interface itself. This was over a year ago though so I don't know if they still operate that way.
I can't help but notice that NordVPN is one of the most heavily advertised VPNs from what I've seen (which raises the question, as one researcher pointed out in the article - are they not spending enough money on their security and infrastructure to protect their users?). They are claiming that: "no-one could know about an undisclosed remote management system left by the [data center] provider".
Apparently the hacker was able to find out - so while it may be unknown, it's not an impossibility to detect it. Beyond whether or not sensitive information was accessed, what will NordVPN do in the future to eliminate or mitigate the possibility that this will occur again?
I find NordVPN's marketing reprehensible. Too many claims and broad strokes about the "anonymity" their service can provide.
While I certainly would recommend that US consumers use a VPN router to prevent their ISP from selling data, I think NordVPN really overplays the role of changing IP addresses in the age of browser fingerprinting.
A claim that really, really bothered me was something along the lines of "use us and no one will be able to read your email!" Every mainstream email provider (Google, Yahoo, Microsoft, Apple) now requires HTTPS for emails. No one was ever going to be able to read your emails.
I normally don’t mind YouTube ads all that much, and I don’t see them on desktop browsers anyway.
However, I was bombarded with ads for NordVPN and their crap made me so angry it pretty much sold me a paid YouTube membership.
Hard to relax with some totally not weird ASMR when my blood pressure is through the roof because some chirpy ad agency dude wants to show me how much a VPN is like an umbrella or whatever.
> However, I was bombarded with ads for NordVPN and their crap made me so angry it pretty much sold me a paid YouTube membership.
For me it was those incessant Grammarly ads. A service, by the way, that has its own serious security and privacy concerns[0].
(I feel like YouTube Premium ($18/mo for up to 6 people) is a better deal than Spotify Premium ($15/mo for up to 6 people) for a household like mine where we listen to a lot of music and use YouTube a lot. I don't know how YouTube compares to Spotify when it comes to music selection however.)
Yeah, Grammarly is creepy as hell. I've explicitly banned it (and similar services) at work.
As for Youtube music, yup, that's undeniably a good deal. The music services should watch out, especially in younger demographics (I'm already 30+, Spotify premium user since 2009). Apple will probably push Music even harder and bundle that with their new video streaming. Spotify's really trying to become the de facto podcast service, which sucks in its own right (unlike Apple Podcasts, no user facing RSS support for indie premium content etc. Podcasting is the last free rich medium on the internet, largely thanks to Apple).
As for music, I'm too deep in the Spotify ecosystem myself, with stuff like proper Last.fm integration, recommendations and consistent audio quality.
I can't really enjoy music with that mushy sound typical for content that has been lossy-lossy transcoded tons of times. Of course, I have to deal with that for all the awesome live takes[1] available on Youtube, and there I'm of course just grateful they exist.
Spotify's audio didn't use to be all that great, except with the normalization turned off. Now with their 'quiet' normalization option, that doesn't compress quiet tracks (a clear edge over Apple Music), it's starting to sound transparent to me, as -q 9 encoded (~320 kbps) Vorbis should.
Youtube doesn't allow disabling of normalization at all, and it's not super clear to me when tracks are clean encodes sourced from the proper music distribution ecosystem that stocks Spotify, Apple Music, Tidal et al.
This isn't a comparison test. There's only one version uploaded. With only one version, it's hard to tell if many flaws you hear were introduced by sloppy uploading or if they were present in the master.
Yes! Which is why you won't hear me waste a whole lot of breath yammering about lossy compression.
I'd sure pay Spotify extra for lossless, because I'm weird in ways I'll reveal below, but I agree that people should give lossy compression a break. Well-encoded AAC and Vorbis averaging over 256 kbps are very transparent-sounding, in ways that were never possible with mp3. If I put in time, I get 5/6 right in this famous test from NPR's website[1], just because mp3 is awful and ancient.
But I double dare anyone to blind test Opus as low as ~128 and ~160 kbps and working upwards, with decent gear. Having grown up with shitty mp3s, it feels like magically good. And it's free software.
Even lossy-lossy transcoded AAC and Opus, which Youtube uses for a lot of stuff, sounds shockingly fine, most of the time, on most equipment, if the original copy was ok to begin with. All this is mostly passable, especially as background music.
That is, until you run into special circumstances, like listening attentively with halfway-decent equipment. Spotify's default normalization mode can sometimes add dynamic compression, which sounds bad in itself. But this can make artifacts stand out in ways they shouldn't (thank god for the 'quiet' setting, added sometime in 2018). This is especially true with poor source material, for example the stupidly bright 90s Led Zeppelin remasters, which still float around on tons of curated Spotify playlists, despite being superseded by really good releases.
So what I'm trying to say is that I want to maintain a music library I can pull up on any device and expect consistently good quality during playback. Take my little hobby I discussed here as an example (that is, me and my friends independently inventing the Japanese audiophile parlor/café concept) https://news.ycombinator.com/item?id=20583900
Just because I can't hear a guitar riff getting slightly distorted or hi-hats smeared when I listen at work, doesn't mean I won't hear it in an acoustically outstanding room with 5k worth of audio gear. This problem is very pronounced with Youtube material when there's a poor supply chain, so I won't add a bunch of random garbage from Youtube in a playlist on the tram and expect to actually enjoy it later as I'm leaning back in a proper listening room.
Spotify, on the other hand is relatively close to providing a universally sane way to access music on any device.
> Spotify's audio didn't use to be all that great, except with the normalization turned off. Now with their 'quiet' normalization option, that doesn't compress quiet tracks (a clear edge over Apple Music), it's starting to sound transparent to me, as -q 9 encoded (~320 kbps) Vorbis should.
What annoys me is they're mixing together two features (namely normalization and dynamic range compression) and putting them behind one toggle.
I want normalization, it's hugely annoying playing music on my PS4 because the Spotify client doesn't have it there and I constantly have to tweak the volume.
I do not want compression.
But on my phone and computer I have to use their 'normal' normalization level and take the compression because 'quiet' means I am constantly turning up my sound level when listening to Spotify and turning it back down when I do anything else so my ears don't get blasted.
Sigh, yeah, that's actually a great point. Wonder how many great pairs of ears have been ruined by opening a random youtube tab while Spotify is playing with the quiet normalization mode enabled.
And just like the PS4 example, it's just insane to me that Spotify Connect doesn't mandate normalization.
I'm torn for this reason: I want to avoid ads, but I don't want to give Google any more money. It's unfortunate that YouTube is really the only one of its kind.
For the moment, I get around this conundrum using a combination of uBlock Origin[0] (Firefox) and NewPipe[1] on Android. Not 100% sure what I'll do about the latter when I switch to iOS.
I guess I'm on the opposite side of the spectrum. I want to opt-out of being the product and instead be a customer by paying for "Google Premium" or whatever. It would be an "all things Google" subscription, not just YouTube. Any place there would normally be a Google-curated ad... there wouldn't be one. No more ads at the top of my Google searches. No ads embedded in web pages I visit (rather, Google pays the content provider some fixed amount from my account balance or whatever -- after prompting me to authorize it). No tracking, no "value-add," nothing. Just, "Here's my money, provide me an equitable and reasonable Internet experience that makes sure content providers get fair compensation, and otherwise leave me the fuck alone."
And, most importantly, that would mean that I could never be locked out of my GMail account without a fucking handwritten letter on Crane & Co. stationery with a direct phone number to a human being who I can talk to about whatever is going on.
You could argue that you'd just be paying a gestapo-like figure for the "privilege" of doing stuff that "should be" free. But you're already paying, in the sense that you're the product, and your time and attention is the currency.
I haven't bothered with music lately, but last time I did I just went to my PC, grabbed an updated version of youtube-dl, went to my playlist and downloaded all the songs. Then I put those into iTunes and synced them to my phone. It was pretty straightforward, and youtube-dl is great; it works on other video services as well.
I'm curious what your thought process was on this. It sounds like you're saying you want to use their service but you don't want to pay for it. Is this a moral argument for you, then?
You don't have ad-blockers on all devices or for their app.
I'm on iOS and I like using the app since Premium allows for playing stuff in the background, plus downloading stuff for offline viewing. You can't get that in Firefox with uBlock.
I find some of the anti-Google arguments to be really, really weird, and I've been speaking against Google on this website countless times.
If you don't want to be tracked, you're going to be tracked for as long as you're a free user. uBlock Origin will not save you, since you're on their website and you can't block "youtube.com".
Also Google is a big target and subject to laws such as GDPR. I actually trust Google more than I trust any startup advertised on HN, because Google is a big target with a lot of eyes watching. When you go to your profile and turn off the data collection, you can probably trust Google more than you can trust DuckDuckGo.
This isn't to say that you should trust Google. Not what I'm saying.
But paying a membership is voting with your wallet against ads. By not paying you're simply encouraging them to serve more ads. And the break you're getting via uBlock Origin is only temporary. If the audience using ad-blockers on Android grows, I expect them to simply block browser access, problem solved. And because you used YouTube anyway, it means you haven't paid for their competition either, which means you directly contributed to YouTube's monopoly, without encouraging them to give up on ads in favor of Premium memberships.
It's basically how software piracy used to work. Piracy was never a problem for the big companies like Microsoft, piracy being responsible in part for Microsoft's monopoly. And when piracy became a problem, software companies simply moved to online subscriptions. There's always a solution for milking freeloaders later.
> I like using the app since Premium allows for playing stuff in the background
I remember vividly the day (sometime in 2013?) when they removed that feature from the base app. I had been streaming music or casts from YouTube in the background since day 1 of my iPhone 4, and suddenly it became a paid feature.
"Bastards", I thought with a smile, "but hey, fair enough! Ok, now where do I pay?..."
Except that outside of the US, premium wasn't available. So they had removed background play but offered no alternative. It lasted until 2017!! Took them 4 years to bring the premium offer to Europe... what a shame. That fueled some resentment, as a wannabe customer. And gave more than enough time to find better alternatives (Spotify, youtube-dl...) and never look back.
When they finally introduced premium in my country, I took the free 3 months offer and cancelled immediately thereafter. They don't want my money, 4 years made that emphatically clear.
I may reconsider after 2021, on the condition that management has changed at YouTube and Google. Right now, I'm just not feeling it.
Google is just awful at marketing stuff and customer service. They plain and simple don't care. That's monopoly for us: customers lose, always. So I find it both logical and "the right thing to do" to spend my money to directly support creators and alternative platforms whenever I can.
> I like using the app since Premium allows for playing stuff in the background, plus downloading stuff for offline viewing. You can't get that in Firefox with uBlock.
But on Firefox you can get play in background with this:
I’m on iOS and I just deal with the ads. There’s a lot and I guess it would be more annoying if you were used to no ads, but it’s manageable. I’d pay for a video service if the company didn’t track me, but I’m resistant to paying for services and also being tracked.
Do you think they would get more money by monetizing you with a credit card than they do by monetizing with ads? I hear this argument that people don't want to pay with money as opposed to attention, and I always feel the opposite.
I feel like I would love to pay for a video service that didn’t support surveillance and mass data collection. Or that provided user transparency on what they did track (obviously some level of user tracking can improve a service meaningfully). That said, I don’t for example pay for Vimeo so I suppose there are network effects. I’m on YouTube because everyone else is. That said I regularly publish YouTube videos but have not enabled monetization. Not all youtubers can afford to do that but it’s a small thing I can to do help.
I realize this is probably not the point of the preceding two comments, but does nobody here use an ad blocker? uBlock Origin is great, or NewPipe for YouTube specifically.
We were just complaining the other day about tech companies being run by the marketing folks.
If you were a State, wouldn’t you be attracted to organizations that seem to be market driven? First, they have brand recognition, so they’re a fat target. Also they’re signaling hard that the engineers aren’t in charge. Probably more likely corners are being cut and morale is low.
I speak Finnish, and if I'm 'google cancelled my main account'-level pissed, I just might pick a username very much like that for a site I don't really want to be on in the first place. Maybe a cultural thing. So that argument is moot.
Agree with ryanlol's comment here next to mine on the rest. I'd really want more clarifications before I touch third party Youtube clients while logged in (which I want to be, for recommendations etc).
FWIW I don't think there's necessarily any link between his account getting suspended and the youtube client. Google suspends accounts for all kinds of weird reasons.
It seems really weird to me to assume that this is a troll, the other issues created by the user over a couple of weeks seem legit. I think this is just some slightly confused person trying to figure out why their account was suspended.
I get lots of legit bug reports from customers with strange inconsistencies like this mixed in, they definitely aren't trolling.
I don't think "confusion" can explain his claim to have received emails attributing his ban to his use of a youtube video downloading software. He's not provided any evidence of such emails and numerous people who've been banned by google seem to think it unlikely that google would deign to explain why they banned somebody in such detail.
I don't think the emailed explanation exists, and I don't think confusion can explain why he'd say it exists, which leads me to conclude he's lying.
(And really, if such bans were genuinely a threat, more than one person would be complaining about it happening. Tons of people use youtube-dl and newpipe (including many youtube creators who do commentary on other youtube videos) and there's this single guy claiming to have been banned for it. It doesn't pass my sniff test.)
IDK, I see weird claims like that from customers all the time! They see non-existent error messages with ridiculous texts. There's constantly weird inconsistencies like this in descriptions of real bugs.
I just assume that these people are very confused and not good at English.
Well, maybe he's a troll or maybe he's just confused or delusional, but either way I don't think the claim that google is banning people for using youtube-dl or newpipe should be taken seriously at this moment. I'm certainly not going to stop using youtube-dl.
>First I got an email from Google saying that I was using 3rd party app outside of Play Store to go around Youtube ads
I absolutely do not believe this part, but I'm willing to dismiss this as confusion on the users end.
However, the rest of the comments by the user accurately describe how google account suspensions work. The same user had also created some rather reasonable issues before this one.
> No one was ever going to be able to read your emails
As long as no one practices a trivial MITM attack on your network, you have a browser that does not try HTTP first when you type in your webmail.com, and no one rubber-duckied a custom CA certificate into your browser ...
> I certainly would recommend that US consumers use a VPN router to prevent their ISP from selling data
I wouldn't. Much of the web is moving over to https, VPNs are hit-or-miss on whether they route DNS requests, and having to deal with blocked websites because of abuse isn't worth it. That, and you're trusting the VPN to not sell your data.
> browser fingerprinting
I mean...your IP address changes on cell networks all the time. Browser fingerprinting is still an arms race, but if you're actually concerned about something, either do whatever Torbrowser does or use the most popular iPhone.
A VPN isn't itself secure. It's only a secure tunnel. If the VPN's exit is insecure, then you're insecure. DNS-over-HTTPS hasn't reached ubiquity yet. VPNs are very useful, but they are having a reckoning with server-side attacks and governments demanding "oversight" and backdoors (like the recent move by China on VPN usage by foreign-owned but China-located companies).
>either do whatever Torbrowser does or use the most popular iPhone.
Using an iPhone does not preclude you from being blindsided, as illustrated by a NordVPN bug, which was exposed a couple of weeks ago.
Here's how it works:
The user first connects to 1.1.1.1 with Warp, then disables the app without turning off Warp. Then, when connecting to a NordVPN server with ikev2 protocol, the iOS device will report as being connected to NordVPN and secured, without actually being connected. In other words, you're connected and protected, but you're not.
HTTPS will not stop Google from logging your IP + activity on their services. I'm not convinced that ad-blockers are 100% effective in disabling trackers either. One of the appeals of VPNs is that you have multiple points of exit and they rotate.
Google can track you fairly effectively even if you’re behind a VPN. I’m not sure if they choose to at this time, but if a significant population switches to hiding behind VPNs, they will turn on the finer fingerprinting means.
>Google can track you fairly effectively even if you’re behind a VPN.
You don't know anything about my setup, so you have no basis for claiming this.
On the other hand, if you have an exclusive sticky IP, you will be tracked all the time. And even if they don't do extensive fingerprinting right now, they can always go back and look at basic HTTP logs.
> You don't know anything about my setup, so you have no basis for claiming this.
Sure, but the discussion isn't specifically about your setup, it's about the advertising claims that a VPN will help prevent tracking. Which is totally bunk.
> On the other hand, if you have an exclusive sticky IP, you will be tracked all the time. And even if they don't do extensive fingerprinting right now, they can always go back and look at basic HTTP logs.
Tracking with IP is honestly hardly tracking at all. With local network NAT and CGN your device IP will not be unique at all. With modern tracking, your IP will be just another couple of bits of entropy, and most certainly not enough to pinpoint traffic to individuals in a robust and scalable way.
The only tracking protection that a VPN offers is preventing your ISP from seeing your traffic, and making it harder to pinpoint web traffic to you as an individual (assuming your VPN provider doesn't have logs).
Yes, but US consumer ISPs, to the best of my understanding, still have this nasty habit of tracking and injecting code whenever they feel like it. HTTP is still a thing.
Also, if the point is to avoid an ISP snooping on metadata for profiling, HTTPS adoption is good, because it encrypts real session data, but it does not stop data collection.
Remember that DNS goes in the clear, until browser and OS vendors decide to turn on DNS over HTTPS by default on consumer devices. The ISP industry, being assholes, has already started to make DoH appear somehow controversial, and they're probably going after Google on antitrust grounds. [1] [2]
But even with DoH, we're still going to be stuck with SNI, which spells out the target domain of every HTTPS connection in the connection metadata. And whenever encrypted SNI is in place, services on the internet that aren't behind a CDN are still going to have identifiable IP addresses.
That's user data perfect for profiling and reselling.
So, to really give ISPs the finger, the user must use a VPN.
> VPNs are hit-or-miss on whether they route DNS requests
Major consumer VPNs, even clowns like NordVPN, have gotten pretty good at ensuring sane confs in their provided clients. I wouldn't rely on their kill switches etc for serious opsec, but it's enough to give the finger to an ISP.
On the other hand, the point of a VPN router is precisely to have everything go over a tunnel, including DNS.
It's not ideal to tunnel everything, but it's up to US consumers to make that choice. My suggestion would be to campaign to drive up VPN use on consumer broadband connections, just to fuck with the ISPs.
> That, and you're trusting the VPN to not sell your data.
This is an important point, and also why one would choose a VPN that relies on a reputation of not selling data.
> Browser fingerprinting is still an arms race, but if you're actually concerned about something, either do whatever Torbrowser does or use the most popular iPhone.
Yes, it's an arms race, and the point is to make life as hard as possible for the tracking industry. Nothing is perfect.
Tracking cookies don't go anywhere in a convenient to use browser setup, despite the shoddy claims from clowncar VPN companies.
While Tor is great, it's slow and not advisable as a daily driver browser connected to the user's normal online identities. For most users, sane use of Tor Browser would be special purposes, like researching medical concerns you don't want tracking companies to connect to you, and similar.
For awhile, my brain conflated it with [OpenVPN-NL](https://openvpn.fox-it.com/about.html), a publicly-available, hardened version of OpenVPN used by the Dutch government.
You can't really blame NordVPN for that (I mean, the Netherlands aren't even a Nordic country, my brain is just broken), but it's a data point.
That supplier may be in violation of their contract. If Nord put in that there are to be no undisclosed methods to access the supplier system they're renting, and there are, this doesn't change any facts about the incident here.
If I was a Nord user, I wouldn't care that the supplier will refund Nord their service charges.
I don't think "no one could know" is ridiculous on its own. Think about the level of access you have to ensure AWS or Azure is truly secure... none.
AWS has external auditors verify their policies, procedures, and actual methods meet a wide variety of compliance requirements from many different agencies. The level of access those auditors and other verification methods have to AWS is not none but very significant.
Yea, but my example wasn't access that auditors have, it's you, as a client.
Now on topic... You could argue that Nord perhaps was a bigger client than you or I am to AWS, and maybe they should have had better access, but the fact of the matter here is that it's absolutely possible that Nord is being accurate when they say "[we] could not have known".
Contract violation or not, you should never have full 100% confidence in someone else's system. If I was Nord and renting cloud I would absolutely assume there were undisclosed accesses, as I bet they are viewing everything now.
As a client I can ask for policies, records, 4th party audit reports, etc and choose your vendor based on their ability to answer and the quality of answers.
It's not about contract violations; if something like that happens that you don't know about, it would have to be willful deception and incompetence on the part of several organizations.
"we could not have known" is an answer you get when what you really mean is "we didn't think to look". If something like this happened and you had done the right things the message would be "vendor X violated their policy, our contracts, and auditors A, B, and C failed due diligence requirements here and here"
"We could not have known" as a response means no one should trust NordVPN because clearly they think they're helpless which means they aren't clever enough to trust my data with.
> you should never have full 100% confidence in someone else's system
That page looks impressive but there is no way to casually verify that what they are talking about actually happens (on a quick check). There is simply so much info there you'd have to spend considerable time trying to track down what is needed to make sure it's actually legit. [1] Of course with 'assume' with AWS it is and it's meaningful but my point is if someone else were doing that people might simply 'check the box' and say 'ok they have this handled'. Might not be the case.
[1] Edit: Story today about Amazon and expired baby formula:
As for [1], the FTC etc. do a bad job of regulation, especially of Amazon. I actively do not trust Amazon to sell me things I ingest.
>there is no way to casually verify that what they are talking about actually happens
I have first hand experience working in more than one organization with security departments which did this sort of verification of vendors. Usually as required by law.
And the opposite was true as well, working in organizations which were beholden to those kinds of compliance requirements and to customers (and investors) verifying them.
It is indeed a long process with a lot of work. That kind of "box checking" tends to happen sometimes but not in an inventing reality way but a cargo cult way. There is enough surface area of these regulations though that you can't just get away with a song and dance, you end up actually having to do the right things.
Rereading your comment, here is one easy verification method for one of the programs: literally a marketplace of compliant services by the group which does the verification.
Honestly, I don't think it's exclusive to NordVPN; I've found that all VPN advertising has increased significantly in the last year or two. Noticeably, ExpressVPN is also everywhere. Almost every podcast or YouTube video has some VPN ads in it. It seems like with the recent focus on privacy, it's really these two companies, and others are really trying to make a run for it.
Is VPN advertising increasing due to content restrictions from online streaming services?
If you travel overseas, you can't access Netflix, AmazonPrime Video, etc. so a VPN service allows you to still use your service while you're away from home.
And then sports streaming. You can sign up for a yearly subscription to watch sports, but not the teams closest to your physical location due to local blackouts.
Utah is in a terrible place too. No NFL, MLB, or NHL team. But the closest teams are all blacked out from streaming services.
I've found that using a VPN reduces my streaming ability. Using Private Internet Access in the past I was forbidden from watching anything on Netflix. Also I was forbidden from editing Wikipedia even on an old account with positive editing history.
Netflix (et al.) are blacklisting some common VPNs' IP ranges. If that fails, they use some DNS tricks to route the requests to your nearest geographical API, and if there is a discrepancy between your IP's location and the endpoint's location, they block the requests too. It is possible to overcome, but with some work.
Maybe it's one of those things where there are hundreds of "dedicated server providers" but really it's all the same thing, just rebranded/resold, sometimes under one entity[0]. I've seen this rebrand/resell behavior with proxy services, people search engines, etc. I don't know much about VPN providers, but I'm guessing they share or pipe into each other since there are so many of them.
The fact that NordVPN advertise so heavily, and get so many youtubers to sell it, is exactly why I will never use the service. It is way too on the nose. They heavily sponsor PayMoneyWubby who also does a great job at de-anonymising a group of youtubers.
The last VPN you ever want to use is the one that is heavily on the market.
While I don't disagree with you, I am wondering why you would think that? I don't understand what "way too on the nose" means. Are you saying that because they are big, that makes them a bigger target?
If anything, I would think the larger the provider the more resources they would have to provide a stable and secure service.
If someone hacks a VPN, what are the implications for the users?
As long as you're using HTTPS, you don't have to worry about your passwords or session tokens being stolen, right? Is it just your DNS records and unencrypted HTTP traffic?
It depends on what you mean by 'hacking' a VPN. One assertion in this breach is that the NordVPN certificate private key was leaked, allowing anybody to spin up a NordVPN server that would pass HTTPS certificate validation (the cert is expired, it's currently unknown if the cert was valid for a period of time after it was compromised). This kind of an attack would let an attacker convince most users to download viruses, input credentials, etc.
Nord says that the above issue was caused by a data center breach. Depending on the company this may mean a leak of user info (account details, emails, etc) and password data (generally secure hashes, but often insecure/near-plaintext passwords).
There's a lot that can go wrong here even before considering the MITM vector. As far as that goes, you can generally trust that well-secured sites (Google, Facebook, etc) won't allow someone to steal your session tokens/passwords. There is a high likelihood that a malicious VPN would achieve script execution on your machine in a short period of time.
Let’s not forget that if they’ve got to a point where they can breach a private key they’re at a point where they’ve probably dumped hashed user creds and contact details, and probably gained persistence on breached hosts, too.
NordVPN is being recommended a lot to people who don't know better by influencers on social media, especially on YouTube. This kind of endorsement is recklessly negligent and needs to stop.
Edit: note that I don't blame these influencers for their ignorance on the risks of using a VPN; rather I blame the shady VPN providers for overselling the security value of their product and leading users into a false sense of security.
I'm pretty sure they're "recommending" it because they're getting paid for it - it's a sponsor segment. After demonetization became common YouTubers looked for other sources of revenue and there are rather few companies that try to contact them directly for ads, so you see them appear over and over again.
Yeah, it's definitely not being recommended, it is being advertised. I wonder how much money they have spent. Every freaking channel mentions them at some point.
You start to wonder where their money is coming from - their retail prices are already cheap, the discounts the influencers offer make it basically free. How's that sustainable?
But do they even have to pay much to youtubers for those ads? If you get 50k to 100k views per video then you'll likely make around the range of $50-$150 for the video. Paying the youtuber $50-$100 per video would already have a significant impact on their income, so they'd probably consider it. That would be 50k-100k people who will see the ad, because adblock can't block it.
If somebody is getting $50-$150 per video, they're probably doing it for the passion of making videos, not for the income, and they probably have another source of income that dwarfs what they're getting from youtube.
Not necessarily. If they put up a video every day then that's $1500 a month minimum. That's decent income in most countries, even in many EU ones. Now imagine if sponsor segments doubled that for you - now it's $3000 a month, which is already on the lower end of decent even in the richest countries.
Yesterday I saw a discount with an extremely cheap 3-year plan (under $30 and no data limit, iirc). The price didn't offer confidence that the service would be available for all three years.
Snake oil salesmen have been around for centuries. When you have an audience of hundreds of thousands or even millions of viewers it's your moral responsibility to not betray their trust by recommending them bullshit. Unless you personally evaluated the claims of the product (definitely not the case as most of these people don't understand how a VPN works beyond "it somehow protects your privacy") and are happy to stand behind them, don't say anything.
In my opinion there's also another problem that needs to be considered, regardless of security skills: none of these VPN providers' business models are sustainable; they offer "lifetime" plans for cheap to begin with but also tack on extreme discounts (I once saw 83% off) in addition to paying influencers money to promote those discounts. There has to be a catch.
I have a non technical friend who did this citing CNET. It felt like kind of a shit thing based on how it was being advertised, but I couldn’t actually see anything that warranted saying nord was bad.
How would you have expressed this in layman's terms (before this compromise thing was revealed, obviously)?
You have to take your choice of VPN seriously. When you use a VPN, they can read all of your internet traffic, so choose a company you can trust with that information. If they screw up, like NordVPN did, then anyone can read all of your internet traffic even when you think you're safe. You're often better off without a VPN than with one.
This seems like an overstatement. Five years ago, mostly true, but can they mitm my ssl connections? (I'm getting mixed answers on StackExchange, but it seems like generally no.)
They can see what sites I visit, but for most of those sites, they still shouldn't be able to see the content.
(This might be more nuanced than the layman explanation needs to be. Just curious for my own sake.)
It's likely that they cannot trivially MITM SSL connections but for that to be true you're relying on a bunch of things which are not trivial to verify:
1. All of the apps and sites you care about are HTTPS-only and don't rely on, say, an HTTP-to-HTTPS redirect which can be bypassed.
2. The VPN client doesn't do something like configure a proxy.
3. Your OS, apps, and browser don't have exploitable bugs or weak software update mechanisms, or that the VPN provider or whoever compromised them isn't going to try exploiting them.
Obviously the third one is a relatively low probability since it's noisy but it's the kind of thing which would be hard to rule out since VPN providers have a market incentive to cut corners if they think it won't be noticed and by their nature it's easy to imagine a law-enforcement or intelligence agency thinking it'd be a good service to compromise to get access to a userbase which contains people who are trying to hide something of interest.
Depends. If they have a root (or a wildcard) certificate, they can show you that, and your browser will happily show you a green lock. However, the list of root CAs in your browser is public, for Firefox see [0], and hopefully someone would notice if a VPN provider has access to such a certificate.
(However, that is something that also applies to ISPs, at least Telekom has a CA and therefore a root certificate.)
The article I linked in my original comment goes into a bit more detail and is aimed at the layman, but it's a bit more in depth than a comment you can make in a conversation.
I also don't blame them, and in fact I'm a bit bullish on the fact that these influencers are bringing greater awareness to using VPNs to an audience that might otherwise not use them / understand them.
Two days ago I deleted my old Digital Ocean VPN (built using the OpenVPN tutorial I found somewhere), then opted for a discounted 3-year NordVPN plan. Looks like I'm going to have to ask for a refund. facepalm.
"On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN."
If I had root, can't I just find out what crypto libraries are in use and trigger an uprobe to decrypt the traffic on that crypto library?
Every user connection handled by that vpn server would have been plain text for me.
I think they are downplaying the importance of this hack
"no-one could know about an undisclosed remote management system left by the [data center] provider"
Why not? I'm generally familiar with the services offered by dedicated-server/co-lo/vps providers, and remote management systems are very common. This includes out-of-band (OOB) access when using dedicated systems. Seems like the sort of thing that solid due diligence would pick up. Even if it's completely undocumented, designing a robust security checklist to be completed by the vendor should find this sort of thing.
This excuse also makes NordVPN look extremely bad for future use: If you say "nobody could have known" then you're also saying "it could happen again" because if you can't know about it, you can't know if other vendors do the same. If you can stop it from happening in the future by implementing additional measures, that means those additional measures could have been used to prevent it the first time. So either you're inherently insecure, or the issue was preventable.
Did NordVPN know about this hack when they were offering their deal for something like $88 for 3 years? I went back and looked at their prices from 2017 and it was something like $69 to $83.99 billed annually (https://www.pcworld.com/article/3200777/nordvpn-vpn-review.h...). I've been a NordVPN customer for a while but have been thinking of switching due to some articles touching on nefarious marketing practices and/or questionable data practices. Then I see this deal for $88 for 3 years and it was tempting to re-up. Coincidentally, when the deal ran out the news broke several days later about the hack. I for one will be finding a new VPN provider, but I can't help to think they were trying to rope in as many existing customers as possible before news of the hack broke. Suspect at best.
There's a bittersweet irony with this story. They were recently pushing ads claiming that "Ain't no hacker can steal your online life. (If you use VPN)."
> However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.
However crt.sh shows
> Validity
> Not Before: Oct 6 12:53:38 2015 GMT
> Not After : Oct 6 12:53:38 2018 GMT
What exactly were these keys for if they were only usable in such a manner according to nord?
Nord has a couple thousand servers, and each has its own key. In order to decrypt traffic, you'd have to intercept some traffic to decrypt, which would require a MitM attack unless you're an ISP/state actor.
When I want to secure a shady connection in a coffee house, I have a Raspberry Pi 3 at home that I use only for that purpose with an OpenVPN setup via https://www.pivpn.io/ - super easy to use. Downside: I rely on my ISP not to spy on me. Upside: it's mine, and unless I'm specifically targeted it's unlikely someone will MITM me.
To hide my location for various purposes, I have used TigerVPN. They have been reliable so far, but I wouldn't trust any third party entirely when it comes to privacy. Upside - somewhat reliable and not my ISP. Downside - for all I know someone in the Czech Republic is watching what I stream with a bucket of popcorn.
A while ago I read that there was a potential smear war going on between some of the larger VPN providers. Is there any chance that this is related? (I'd prefer more than just a tweet)
This sounds suspiciously like the Supermicro BMC bug reported here a while back[1], and while it actually can be hard to make sure the IPMI stuff doesn't take over a NIC you don't want it to[2], there are things you can do to prevent that, such as explicitly setting IPMI interface and address information so it won't use "smart" behavior to negate all your security.
As to whether "no-one could know", well, I knew after I read that HN submission, and at work we made sure to double check all our configs. This ended up being mostly a known problem, but the extra context helped us find another edge case I believe.
It's not great that you have to be aware of the latest security problems and how they may interact in obscure ways with system configs, but that's the nature of security and the state of the industry right now. Not much to do except buckle down and pay attention. To everything.
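A concrete version of "explicitly set the IPMI interface and address information" is to read the BMC's LAN channel back and fail loudly when it is not pinned down. The checker below is an added example for this thread, not code from the Supermicro advisory or from any commenter; it parses a constructed `ipmitool lan print` capture (no real host) and flags the settings a colocation customer would not want to find: a DHCP-assigned address, an address outside the assumed private management ranges, and RMCP+ cipher suite 0 left enabled. Whether the BMC is in dedicated, shared or failover NIC mode is vendor-specific and does not appear in `lan print`; check that separately with your board's OEM command.

```python
import ipaddress
import re

# Constructed sample of `ipmitool lan print` output; not captured from any real
# BMC. 203.0.113.0/24 is a documentation range and the MAC is a placeholder.
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : MD5
IP Address Source       : DHCP Address
IP Address              : 203.0.113.25
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 203.0.113.1
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
"""

# Where a BMC address is allowed to live. The RFC 1918 ranges stand in for "an
# isolated management network" here (an assumption); tighten to your real OOB prefix.
MANAGEMENT_NETS = [ipaddress.ip_network(n)
                   for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_lan_print(text):
    """Turn the `Key : Value` lines of `ipmitool lan print` into a dict.

    Continuation lines (leading whitespace, no key) are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*?)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields


def audit_bmc_lan(fields, management_nets=MANAGEMENT_NETS):
    """Return a list of human-readable findings for one BMC LAN channel."""
    findings = []

    # 1. The address must be static; a DHCP-configured BMC takes whatever the
    #    segment's DHCP server (or a rogue one) hands it.
    source = fields.get("IP Address Source", "")
    if "Static" not in source:
        findings.append(f"address source is '{source}': set it to static so the "
                        "BMC cannot be steered by a DHCP answer")

    # 2. The address must sit inside the management ranges, never on a
    #    routable or customer-facing prefix.
    addr = fields.get("IP Address", "")
    try:
        ip = ipaddress.ip_address(addr)
        if not any(ip in net for net in management_nets):
            findings.append(f"BMC address {addr} is outside the management ranges")
    except ValueError:
        findings.append(f"BMC address {addr!r} is not a valid IP address")

    # 3. Cipher suite 0 means RMCP+ sessions with no authentication,
    #    integrity or confidentiality; it should never be enabled.
    suites = {s.strip() for s in fields.get("RMCP+ Cipher Suites", "").split(",")}
    if "0" in suites:
        findings.append("RMCP+ cipher suite 0 (no authentication or encryption) is enabled")

    return findings


if __name__ == "__main__":
    for finding in audit_bmc_lan(parse_lan_print(SAMPLE_LAN_PRINT)):
        print("FINDING:", finding)
```

Feed it the real output of `ipmitool lan print <channel>` from each host and run it from your config management on every reboot; an empty list is the expected state, anything else is the "smart behavior" the comment above is warning about.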
Apart from deanonymizing customers and potentially reading the traffic of customers they sent over the VPN what are other risks for customers?
What I'm thinking about is that the VPN essentially tunnels through my firewall so a malicious VPN provider may possibly be able to do things that, for example, an arbitrary web server cannot.
This is difficult to track, as it is really just a sentence attached to some screenshots, with some commentary but no technical detail... but this seems to be a website key, not an OpenVPN key?
(edit: And, in fact, this is confirmed by NordVPN's statements on the matter: "The expired TLS key was taken at the same time the datacenter was exploited. However, the key couldn’t possibly have been used to decrypt the VPN traffic of any other server. On the same note, the only possible way to abuse website traffic was by performing a personalized and complicated MiTM attack to intercept a single connection that tried to access nordvpn.com.")
I remember last week's episode on Darknet Diaries where NordVPN was offering 3y plans for a hefty discount. My first reaction was "Are they going out of business?"
So what does this mean for an every day consumer? I had been debating using the 30-day money back guarantee as I realised I didn't use it as much as I thought I would. I want to stay protected on public Wifi. Added anonymity occasionally would be good too, as well as accessing US Netflix from here in the UK.
Now my 30 days is up. What would be the best course of action? Should I email and say that I'm not comfortable being their customer any more, and ask to be reimbursed? Carry on, for my use case? I'd never connected to a Finnish server.
It's so hard to understand what is correct (I'm aware this is a problem with every news story) between the people telling me that they're almost certainly evil, keeping logs and selling data and those that are telling me that it's a smear campaign by the competing VPN providers.
My gut tells me that the level of advertising and incredibly low prices is too good to be true...
Now with this hack it's the same problem: how bad is it, does it affect me and should I be concerned?
Why would their website's SSL certificate be on one of their VPN servers? Do all of their current 3000 servers have the private key for their website right now?
I'm frankly blown away that the comments I'm seeing here don't suggest to just roll your own.
$5/mo is the typical price nowadays for a 1 GB VPS with 1TB upload. Cancel at any time. Save image, redeploy monthly/weekly/daily to protect from longer term IP address tracking. Use scheme of your choice (e.g., SOCKS proxy, VPN, standard HTTP port for everything, etc.)
People have been talking about using VPN's because of "dangerous" public wifi, but I have to admit, I don't understand the risks.
Let's say you go to a coffee house and sign-in to their wifi with their password and use it browse https websites, like gmail or you favorite social media... what's the main risk? What can happen? What does happen?
I only use NordVPN to get around GeoIP blocks on a couple of streaming apps. So I'm not too worried about my data being compromised, but I don't like the way they handled this. Think I'll start looking for another provider?
Looks like you can side load OpenVPN onto a FireTV. Maybe I'll go the roll my own this time.
Wasn't NordVPN the one that was created by a marketeer? I wouldn't be surprised if this was just cover for them to sell their customers' data indirectly. If anybody finds a dump of the data they sold they could just claim it was from the breach.
From my understanding, that really depends what you're using it for. My friends mostly use Nord to get around region locks for Netflix etc. I think impact for them is minimal.
If you were using NordVPN in Hong Kong, to cover your involvement in the protests, then it could be a lot more serious. I wouldn't use Nord (or any comparable provider) for that anyway, since their holdings tend to be pretty opaque. That doesn't mean nobody did use it for stuff like that though.
> And someone just mentioned to me that past encrypted sessions may be able to be decrypted, which is a much bigger issue!...I haven't researched enough about OpenVPN to know if it's using forward secrecy, though you'd hope so
Any idea where that claim is coming from? Nord's site mentions having forward secrecy in place, so presumably most historical stuff is safe unless they botched that. Of course, somebody in e.g. Hong Kong could still have gotten a MitM attack if they were active while these keys were being used, which is reason enough to worry about exposure.
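Whether "past encrypted sessions may be able to be decrypted" with a stolen server key comes down to one thing: did the control channel use an ephemeral (EC)DHE key exchange, or a static-RSA one in which the server's private key decrypts every recorded session? That is a property of the server config, so it can be checked. Below is an added example, not NordVPN's configuration or anyone's code from this thread: two constructed OpenVPN server configs (placeholder file names) and a small linter that flags the static key exchange, plus the other settings a self-hoster would want to get right.

```python
# Constructed OpenVPN server configs for this example; neither is NordVPN's
# or any real deployment's. ca.crt, server.crt, server.key, dh.pem and tc.key
# are placeholders.
WEAK_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# static-RSA key exchange: the server key decrypts every session's premaster secret
tls-cipher TLS-RSA-WITH-AES-256-GCM-SHA384
# the data-channel cipher older OpenVPN releases fall back to
cipher BF-CBC
"""

HARDENED_CONF = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
ecdh-curve secp384r1
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-256-GCM-SHA384:TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384
cipher AES-256-GCM
tls-crypt tc.key
"""


def parse_openvpn(text):
    """Map each directive to its argument list; the last occurrence of a
    directive wins and comment lines (# or ;) are dropped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = line.split()
        conf[parts[0]] = parts[1:]
    return conf


def config_findings(conf):
    """Return findings for the settings that decide what a stolen key buys."""
    findings = []

    # Forward secrecy on the control channel needs DHE or ECDHE; any pinned
    # suite without "DHE" in its name is a static key exchange.
    for suite in conf.get("tls-cipher", [""])[0].split(":"):
        if suite and "DHE" not in suite.upper():
            findings.append(f"{suite}: static key exchange, a stolen server key "
                            "decrypts recorded sessions")

    if "tls-version-min" not in conf:
        findings.append("tls-version-min missing: older OpenVPN defaults still "
                        "allow TLS 1.0 on the control channel")

    # BF-CBC (and the DES family) are 64-bit block ciphers; AES-GCM is the
    # modern choice for the data channel.
    cipher = conf.get("cipher", ["BF-CBC"])[0].upper()
    if cipher in ("BF-CBC", "DES-CBC", "DES-EDE3-CBC"):
        findings.append(f"cipher {cipher}: 64-bit block cipher on the data channel")

    if "tls-auth" not in conf and "tls-crypt" not in conf:
        findings.append("no tls-auth/tls-crypt: the server answers TLS handshakes "
                        "from anyone who can reach the port")

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, config_findings(parse_openvpn(text)) or ["ok"])
```

Point `parse_openvpn` at your own server.conf; if the `tls-cipher` line (or the absence of one, which lets OpenVPN negotiate ECDHE suites on its own) comes back clean, a key stolen later cannot be used against traffic captured earlier, which is the forward-secrecy property the comment above is asking about.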
This is a feature in my eyes. Just stack a bunch of these hacked by different people who don't cooperate with each other. Now any user has plausible deniability over anything that happens on these networks. No?
The interesting thing about OOB on most modern servers is that it's a separate, physical NIC. Not only is that easily VLAN-able, a more security conscious datacenter could even air-gap the out of band LAN!
> The interesting thing about OOB on most modern servers is that it's a separate, physical NIC. Not only is that easily VLAN-able
On lower grade servers OOB uses the main NIC. It's still possible (in all implementations I have seen, which is not too many) to have OOB in a VLAN.
> a more security conscious datacenter could even air-gap the out of band LAN!
1. If you air-gap remote management, you take away its function.
2. It's not possible to truly air-gap OOB if servers with OOB are not air-gapped (it's theoretically possible to use the server to get into the OOB network by exploiting/flashing custom OOB from the OS).
From the amazing service providing “Double VPN” (yes, really) for extra privacy and “Onion VPN” (with the Tor bit being behind NordVPN, not the other way around) for ultra extra privacy!
Buy a $5/month VPS and run your own VPN on that (popular setup script: https://github.com/StreisandEffect/streisand). It'll cost you a little bit of time in setup and maintenance (mostly just upgrading packages), but it has many benefits:
- Cheaper than most VPN providers
- You won't be using a known VPN IP
- VPN providers are more likely to snoop on your traffic or be targeted by snoopers (such as the government), specifically because they seek out traffic from people trying to hide
- You get to pick the port/protocol/software you use, rather than being forced to accept the provider's ones
- You can run other small servers you may need on the VPS as well
But then your security rests on your ability to manage a server. I mostly agree with you, but, I don't run one because I'm not a seasoned Ops. At least, not enough that I want to put my security on the line.
In all but the most hostile networks I trust another VPN or my ISP more than I trust my ability to keep a server secure.
1. You have to keep two ports locked down. If you can secure your own laptop, you can secure a cloud instance. The cloud instance you're basically just using as a proxy is a lot less important than what's on your phone or computer.
2. Only you are using the system, and you're not logging. Have an issue? Tear it down and start another. Automated scripts out there generate unique keys every time.
3. A commercial VPN is a honeypot in a way -- it's a ripe target. Many people are tunneling through it, doing sketchy things that certain parties want to track -- and your traffic could get caught in a dragnet (this, of course, depends on your use case: you may want to blend in).
4. Your ISP tracks and sells your data. I mean, the entire reason I use a VPN is because I was sick of my ISP routing my searches through their servers before my intended search destination, snagging my Netflix info and using it to create advertising profiles. Why would you trust them?
5. It literally takes less than 10 minutes (5:59 from an iPhone, the last time I launched one) to launch and connect to your own VPN instance to play with (https://github.com/jenh/sevenminutevpn is mine, but there are others, like Streisand or Algo) -- if nothing else, you become a more educated consumer and can better understand your threat model AND what to look for in a paid provider.
I would hope that isn't what they thought and I'm sure it's not what they thought.
Launching a personal-use ephemeral cloud instance running OpenVPN to hide your personal traffic from your ISP is absolutely nowhere near the same as running a paid VPN service for millions of users across the world.
Using this for scary public WiFi makes some sense. Beyond that, the real question is ISP vs VPN.
ISP advantage over VPN:
- More regulated
- Bigger, thus could have better focus on security
- Less of a tasty target, because ISP customers do not specifically seek out to hide themselves, whereas VPN customers do.
Advantages of VPN over ISP:
- Choice of jurisdiction (i.e. who can force the company to do stuff)
- Company claims a focus on security
- Choice of point where plaintext becomes available (for if you don't trust the beginning of your pipe)
I think this is a wash in general, but the jurisdiction point could matter if you don't like your local jurisdiction. Similarly, if you do like your local regulator, probably better to go with the ISP.
It's not like you're running a website on there - all you have to keep secure is SSH and your VPN. Keeping up to date with security updates and using a strong password (or better yet, private key) is essentially all you need to do.
I wouldn't necessarily recommend it to random non-technical people, but I figure most HN users could figure it out.
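The "you have to keep two ports locked down" argument a few comments up and "all you have to keep secure is SSH and your VPN" here amount to one testable invariant: nothing but sshd and the VPN daemon is reachable from outside the box. This is an added example, not from Streisand, Algo, sevenminutevpn or anyone in the thread; it parses a constructed `ss -tulpn` capture from a hypothetical VPS and reports any non-loopback listener that is not on the expected list (the expected ports are an assumption; change them to match your setup).

```python
import re

# Constructed `ss -tulpn` output for a hypothetical VPS; not captured from any
# real host. The stray nginx on :80 is the kind of thing this check is for.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0             0.0.0.0:1194       0.0.0.0:*     users:(("openvpn",pid=612,fd=6))
tcp   LISTEN 0      128           0.0.0.0:22         0.0.0.0:*     users:(("sshd",pid=480,fd=3))
tcp   LISTEN 0      4096    127.0.0.53%lo:53         0.0.0.0:*     users:(("systemd-resolve",pid=300,fd=13))
tcp   LISTEN 0      511           0.0.0.0:80         0.0.0.0:*     users:(("nginx",pid=900,fd=6))
tcp   LISTEN 0      128              [::]:22            [::]:*     users:(("sshd",pid=480,fd=4))
"""

# The only two services a single-purpose VPN box should expose. This is an
# assumption for the example; adjust to your own port choices.
EXPECTED = {("tcp", "22"), ("udp", "1194")}


def parse_ss(text):
    """Yield (proto, local_addr, port, process) for each socket line of `ss -tulpn`."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] not in ("tcp", "udp"):
            continue                     # header or something we don't model
        addr, port = cols[4].rsplit(":", 1)   # works for 0.0.0.0:22 and [::]:22
        m = re.search(r'\("([^"]+)"', line)   # process name inside users:(("name",...))
        yield cols[0], addr, port, (m.group(1) if m else "?")


def is_loopback(addr):
    """True for sockets only reachable from the host itself."""
    addr = addr.split("%", 1)[0]         # strip an interface scope such as %lo
    return addr.startswith("127.") or addr == "[::1]"


def unexpected_listeners(text, expected=EXPECTED):
    """Sockets reachable from off-host that are not on the expected list."""
    return [(proto, addr, port, proc)
            for proto, addr, port, proc in parse_ss(text)
            if not is_loopback(addr) and (proto, port) not in expected]


if __name__ == "__main__":
    hits = unexpected_listeners(SAMPLE_SS)
    for hit in hits:
        print("unexpected listener:", hit)
    raise SystemExit(1 if hits else 0)
```

Run it as a cron job or a systemd timer with the live output of `ss -tulpn` (root is needed for the process column) and page yourself on a non-zero exit; for an instance you rebuild from an image, a failure means the image itself has drifted, not just the running box.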
I've seen "infosec professionals" say they don't trust themselves to secure their own VPN server. It blows my mind...if you can't do that, why are you even in this business? How do you even use a personal computer?
I've heard the same thing from cryptography authorities in regard to rolling your own encryption and it makes sense to me.
Having specialized knowledge opens your eyes to all the gotchas and gottahaves that most people wouldn't think about. While you certainly can take the time to set everything up exactly the way it should be and keep it updated, I'd rather spend my time doing/thinking about other stuff and am happy to pay the $120/year or whatever to let someone (vetted) else deal with it.
Rolling your own encryption is an entirely different animal. I agree with that sentiment for encryption.
When you use a VPN service, though, you really don’t have any real insight into what’s going on on their servers. Run your own and you can be sure you’re running the most recent, audited version of OpenVPN on an updated operating system.
You're right and I don't disagree with your core thinking, except to say that everyone draws a line beyond which they'll be happy to trade some risk for some time. I understand why someone would run their own VPN, but I also understand why someone wouldn't.
Yeah, I totally agree -- and there are a lot of very valid reasons someone might choose a service over a DIY solution.
My main point up there was just that I'm always kind of surprised and honestly have trouble believing it when I hear someone whose career is in network security say they don't trust themselves to secure a VPN server. If a person can tout creds securing an entire organization, a little ephemeral Linux instance that you can blow away and rebuild at will should be cake.
But this buys you nothing in anonymity to the sites you visit. The IP you use to access the internet is still a single IP tied to you via a billing account with your cloud provider. A commercial VPN service NATs your connection out with thousands of other customers.
So it all depends on what you want to use the VPN for.
I would look at one of the cryptoanarchist aligned providers like Cryptostorm, Mullvad, or AirVPN. Of course, no one is immune to a hack but they don't have any shady connections or financial incentive to deprioritize security.
Yeah, been on PIA myself for 5 years. Amazing speeds and service. No issues at all and they have been in court twice where they showed they have no logs.
It's great - I use it on my work PC to reroute my personal traffic, on my family's personal devices, when traveling abroad etc. That said, there is no 100% guarantee so use it responsibly.
A compromise is a compromise, don't get me wrong, but it can happen to absolutely anyone. If you're paying ~$5/month for anonymous browsing with unlimited bandwidth, then you're probably not getting top tier security researchers running your servers.
Except this isn't their fault because their infrastructure provider messed up and didn't even disclose this possible backdoor. If anyone, the provider should be named and shamed, not NVPN.
> NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”
Giving realtime public status updates makes your attacker privy to your actions and how much you know.
Fix first, publicly announce when safe to do so.
Same reason why SWAT etc. don't want media crews covering their actions in real time. It's broadcasting your view of the situation and intent to the opponent.
If you're making a living selling a secure channel, where the whole point is to be more secure than other channels, you better fucking secure that channel. You can't outsource the underlying hardware and then wash your hands of what happens.
There are quite a lot of anti NordVPN and VPN in general experts pontificating here. A quick scroll down through all comments and I note a distinct lack of green handles.
This is a 500+ comment article with hardly any near null comment commentards. My analysis is not very rigorous.
No, that is not true. We run our own infrastructure for ProtonVPN and also own the hardware for our core servers: https://protonvpn.com/support/secure-core-vpn/. This can be verified by inspecting our VPN endpoints which are all public.
We have no connection with Nord or any other VPN. ProtonVPN is however owned and operated by ProtonMail, with some support from the European Union.
Could this be another marketing trick to lure more customers? Last time I checked, companies are actually favourable when they "get slightly hacked". They get front page from top tech websites, magazines, forums...
The best thing NordVPN can do right now is make a statement that clearly and honestly describes how its users are affected. No bullshit marketing language, no trying to hide facts, just a short and simple explanation of what this means for users and what they should do next.
> “The server itself did not contain any user activity logs; none of our applications send user-created credentials for authentication, so usernames and passwords couldn’t have been intercepted either,” said the spokesperson. “On the same note, the only possible way to abuse the website traffic was by performing a personalized and complicated man-in-the-middle attack to intercept a single connection that tried to access NordVPN.”
> According to the spokesperson, the expired private key could not have been used to decrypt the VPN traffic on any other server.
> NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”
Regular people who are NordVPN’s customers can’t possibly understand that. A highly technical explanation is not good enough. They need to put out a statement that explains clearly and concisely what this means for their users, something that all people can understand.
"To recap, in early 2018, one isolated datacenter in Finland was accessed without authorization. That was done by exploiting a vulnerability of one of our server providers that hadn’t been disclosed to us. No user credentials have been intercepted. No other server on our network has been affected. The affected server does not exist anymore and the contract with the server provider has been terminated."
Not sure what you're asking for? If someone doesn't understand that, then they probably aren't using a VPN.
Ok, I’m going to pretend that I’m a NordVPN customer who is 50, works as a plumber, and has installed a VPN on their phone because they were convinced that it’s very good for privacy. Here goes…
“What is a datacenter? How was it accessed? Like in that Mission Impossible movie? What are server providers? What role do they play in all this? Credentials? That’s like my passwords? What about my browsing activity? All I want to know is if my traffic was spied on.”
Have you used Nord VPN? These aren't questions users would have. I could be wrong, but I'm confident that a plumber that has used Nord would know what a datacenter is, just from using the app. My tech illiterate Dad (70s) sure does.
VPNs are advertised a lot on all kinds of YouTube channels. It is reasonable to believe that they have a bunch of customers who know almost nothing about VPNs or the Internet in general.
Those are also the customers that won't even know that this hack ever happened, or won't care, because "everyone gets hacked anyways".
You said you wanted them to give a clear explanation, which I believe they did, but you don't. Let's just leave it at that.
These companies are giving all their customers the idea that they have reasonably good anonymity with a public VPN service, which is arguably false depending on how they use it. I feel like that's where you should be targeting this concern. Not an expired key leak.
MitM-ing a VPN does not break HTTPS. Hence, any passwords sent over HTTPS are still safe. You could speculate that a VPN MitM is a nice way to get an MitM position for a further attack on TLS. But that requires a lot more speculation.
What isn't safe is your browsing history. True, any HTTP data isn't safe, but trusting that to be safe is baaaaad anyway.
In short: this leaked browser behavior, and could be a single step in getting a MitM position on users.
NordVPN's advertising has deliberately downplayed the significance of HTTPS, as part of their fear mongering campaign about public wifi and residential ISP connections, so it's not really surprising to see such misconceptions raise their heads when NordVPN screws the pooch like this.
While I agree with you - I do think it's slightly less bad than you make it out to be. For example, if I connected to my bank over this VPN I would only be as concerned as my HTTPS connection. So my VPN still doesn't know my bank login, assuming my TLS was sound, right?
This would hypothetically be as bad as logging into my bank on a public wifi.
Am I paranoid enough to not log into my bank on a public wifi? Yes. So I should be concerned here. But, it's at least not immediately insecure.
TLS is probably not sound, judging by history, even if exploits aren't known. But apart from that, there may have been ways to infiltrate a target client from the VPN host and make their TLS moot.
A MITM attack of a VPN allows attackers to collect unencrypted traffic.
Most people access email over a webmail interface, like gmail, that uses modern TLS encryption. All that's sent unencrypted is the SNI header, e.g. "mail.google.com", and roughly how much traffic total is transferred, e.g. "20 MB of browsing on mail.google.com".
A VPN can't easily defeat TLS. It would require the user to ignore many scary warnings from the browser.
You're still right that a user should change their passwords for any websites that do not use TLS (very few these days), or for any that use old versions of TLS if their threat model includes someone with close to nation-state resources attacking their connections individually.
It also probably doesn't hurt to be paranoid and rotate anyway, but it should be with a proper understanding of the threats, not because of some ridiculous "the sky is falling" incorrect information like this.
Everyone is discounting one thing - State actor possibility behind this attack.
With state actor comes completely different ball game - totally different budget and capabilities to crack things. NOBODY knows what their unpublicized capabilities could be! So it is good practice to stay vigilant!
Only to the extent that any other ISP already could.
Banking info, email, etc would all be protected by encryption in transit (HTTPS or TLS), so a MitM attack shouldn't affect them. The attacker would only know what hosts you were communicating with and any unencrypted headers (e.g. TLS SNI), but not the actual data itself.
No, we just hadn't seen it yet. They're merged now.
If you want to let us know about something, it's best to email hn@ycombinator.com. We don't see all the comments—I only saw this one by accident—but we do see all the emails. (Well, except possibly a few that go into spam. We comb through the spam folder and rescue most, but a few with unfortunate subject lines probably get missed.)