Torrentfreak 2014 Privacy VPN's - AirVPN not listed

[Samad 2]

Heya, I was wondering why AirVPN didn't participate in this years Torrentfreak privacy-focused VPN list, it's how I found the service and they've expanded it to include some more questions. I am sure if you responded now they'd post an update including the service, and I must admit I'm interested in some of the answers to the new questions.

 

Link to Article: http://torrentfreak.com/which-vpn-services-take-your-anonymity-seriously-2014-edition-140315/

 

Questions:

 

1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?

2. Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?

3. What tools are used to monitor and mitigate abuse of your service?

4. In the event you receive a DMCA takedown notice or European equivalent, how are these handled?

5. What steps are taken when a valid court order requires your company to identify an active user of your service?

6. Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?

7. Which payment systems do you use and how are these linked to individual user accounts?

8. What is the most secure VPN connection and encryption algorithm you would recommend to your users?

[Staff 9751]

Hello!

 

We ALWAYS respond to ANY inquiry by private citizens, blogs, forums, etc. This year we did not receive any question from TorrentFreak, though, otherwise we would have gladly answered as we have always done. We were aware of this article only when we saw it on TorrentFreak, after publication.

 

Kind regards

[Atheena 2]

Could you give us here a reply to those answers, or send them your reply's so they can update their post? Please

[Staff 9751]

Could you give us here a reply to those answers, or send them your reply's so they can update their post? Please

 

Hello!

 

Sure. We're publishing the answers here, although it is supposed that those who read our forums are already well-aware about the answers to those questions.

 

1. No, we don't.

 

2. Italy. We do not share any information with any 3rd party.

 

3. Automatic triggering based on patterns to detect and if possible block as soon as possible various types of attacks (including UDP floods) against or from our servers.

 

4. They are ignored. Now and then we reply asking for a more substantiated proof and asking to disclose the technical method according to which a takedown notice has been prepared, but so far none of the entities we queried disclosed such information, in absence of which the notices pertaining to p2p are simply vague and unproven claims from some private entity.

 

5. No help can be given "ex ante" because we don't log, monitor or inspect our clients traffic, and we don't and can't require a proof of identity from our customers. However, if the court order pertains to presumed actions which infringe our Terms of Service and in particular that in any way violate, directly or indirectly, or aid the violation of, the ECHR, we can try to help the court in the best way we can with "ex post" investigations and if possible with the help of proper and competent authorities.

 

6. Yes. p2p protocols are perhaps a set of the most exciting protocols invented in the last 12-13 years, so they are actively encouraged on every server. We do not discriminate against any application or protocol, in compliance with our mission and to stay a mere conduit of data.

 

7. We accept Bitcoin, many credit cards, PayPal. Each payment is linked to an account in order to provide service delivery.

 

8. We recommend our setup, based exclusively on OpenVPN with the following features:

 

Data Channel: AES-256-CBC

Control Channel: HMAC SHA1

RSA keys size: 2048 bit

PFS (Perfect Forward Secrecy): yes. TLS re-keying is performed by default every 60 minutes through DHE as well as at each new connection.

 

The client key is used to authorize the access to the system, not to encrypt the data channel, so that even if an adversary catches the client key, the client traffic (past, present and future) can't be decrypted.

 

Kind regards

[OpenSourcerer 1359]

Heya, I was wondering why AirVPN didn't participate in this years Torrentfreak privacy-focused VPN list, it's how I found the service and they've expanded it to include some more questions. I am sure if you responded now they'd post an update including the service, and I must admit I'm interested in some of the answers to the new questions.

 

Well, your answer is written at the end of the article...

 

Note: several of the providers listed in this article are TorrentFreak sponsors

 

AirVPN is not a sponsor AFAIK.

[s2u9p7aq5wciel7ko8o07 1]

Hey Staff, It seems that to top the list on TorrentFreaks VPN List you need to 'sponser' them.

Have you ever been asked by TF to sponser them to appear on this list? Or alternatively would you ever sponser them in order to appear on their list?

[Staff 9751]

Hey Staff, It seems that to top the list on TorrentFreaks VPN List you need to 'sponser' them.

Have you ever been asked by TF to sponser them to appear on this list? Or alternatively would you ever sponser them in order to appear on their list?

Hello!

 

We have never been asked by TorrentFreak to sponsor them.

 

About your 2nd question, we can't answer now, an answer should come from the Air founders collective agreement. We have never invested a cent in direct advertising. We preferred to invest very much on supporting compatible with our mission, independent projects, and on quality of service, but things of course are not immutable, and nowadays all types of investments can be no more mutually exclusive.

 

Kind regards

[Lee47 23]

Thanks Air for the answers

 

I was wondering if you could provide some input on one of the quotes mentioned from the same article from another vpn provider :

 

"5. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there."

 

Any truth to this? since just about every other VPN provider mentioned on that article the complete opposite as in no logs so nothing to give...

[briancarnell 0]

"5. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there."

 

Any truth to this? since just about every other VPN provider mentioned on that article the complete opposite as in no logs so nothing to give...

 

I'm also curious about this, but the company that gave that reply is also using a self-hosted cert for its website, so they may be swimming in the shallow end of the pool...

[Staff 9751]

UPDATE: we have just received, a hour ago, an e-mail from TorrentFreak with the questions. We will reply very soon.

 

Kind regards

[Staff 9751]

Thanks Air for the answers

 

I was wondering if you could provide some input on one of the quotes mentioned from the same article from another vpn provider :

 

"5. If we get a court order to monitor a specific IP then we need to do it, and this applies to every VPN company out there."

 

Any truth to this? since just about every other VPN provider mentioned on that article the complete opposite as in no logs so nothing to give...

 

Hello!

 

It's not true for sure in Italy and some other EU countries. A court order does not have the power to make a citizen immune from committing crimes which would be implied by such an order. Additionally, such an order would presume that the VPN administrators have the technical knowledge to inspect the traffic (which is not trivial in a VPN service) and that the data they will provide are not biased or manipulated and can be accepted in a court (totally absurd).

 

But that's anyway pure theory. A magistrate does not need that. Such an order could destroy an investigation. A magistrate for example can simply order the server to be wiretapped by the specialized police personnel or competent authority. The magistrate will very probably not even notify the VPN admins about the wiretapping, especially when such a notification might compromise the investigation.

 

Kind regards

[Miami12 0]

Thanks to OP for starting this thread, and thanks to AirVPN for posting the answers to the questions. I hope TF includes your answers in their March 2014 report.

[iwih2gk 92]

And that reminds security aware users of your suggestion that a partition of trust would be a great addition to their online profile.  Especially if it was TOR or a VPN located in another jurisdiction.  At least in this scenario multiple three letter agencies would be needed to de-cloak what is going on.

[iwih2gk 92]

Staff wrote: A magistrate does not need that. Such an order could destroy an investigation. A magistrate for example can simply order the server to be wiretapped by the specialized police personnel or competent authority. The magistrate will very probably not even notify the VPN admins about the wiretapping, especially when such a notification might compromise the investigation.

 

 

Wouldn't that only log the IP of the connection to the datacenter?  Questioning whether the transmissions are encrypted and beyond their view, unless I don't understant the process or what you are saying.  In a one hop with Air would a user be safe against the "monitoring of the datacenter" with reference to actual text?  I know the IP can be externally logged by adversaries with datacenter access.  I am referring to their actually reading the payloads.  For me, using a strong partition of trust where needed is unquestionably the way to go.  For learning's sake I ask about the issue of external datacenter logging with reference to "plain text" for those NOT employing a partition of trust.

[Staff 9751]

UPDATE: we have just received, a hour ago, an e-mail from TorrentFreak with the questions. We will reply very soon.

 

Kind regards

 

This is the text we sent to TorrentFreak a few minutes ago:

 

Hello Ernesto and thank you for your inquiry.

 

1. No, we don't keep any log that might be exploited to reveal customers' personal data during connections, including real IP address. For example OpenVPN logs are sent to /dev/null (Air is based on OpenVPN). Our privacy policy is available here: https://airvpn.org/privacy

 

On top of that our VPN servers do not maintain any account database.

 

2. Italy. We do not share any information with any 3rd party.

 

3. Automatic triggering based on patterns to detect and if possible block as soon as possible various types of attacks (for example UDP floods) against or from our servers.

 

4. They are ignored. Now and then we reply asking for a more substantiated proof and asking to disclose the technical method according to which a takedown notice has been prepared, but so far none of the entities we queried disclosed such information, in absence of which the notices pertaining to p2p are simply vague and unproven claims from some private entity.

 

5. No help can be given about past connections because we don't log, monitor or inspect our clients traffic, and we don't and can't require a proof of identity from our customers. However, if the court order pertains to presumed actions which infringe our Terms of Service and in particular that in any way violate, directly or indirectly, or aid the violation of, the ECHR, we can try to help the court in the best way we can with subsequent investigations and if possible with the help of proper and competent authorities.

 

6. Yes. p2p protocols are perhaps a set of the most exciting protocols invented in the last 12-13 years, so they are actively encouraged on every server. We do not discriminate against any application or protocol, in compliance with our mission and to stay a mere conduit of data.

 

7. We accept Bitcoin, many credit cards, PayPal. Each payment is linked to an account only in order to provide service delivery and to comply to our refund policy.

 

8. First of all it is mandatory that the key exchange is not exploitable. Even the strongest encryption is useless if the key exchange is flawed.

 

In light of the most recent releases about how NSA attacks VPNs and VoIP,  it is essential that you pick a service which relies on ephemeral key exchange, that correctly implements Perfect Forward Secrecy and that correctly implements a robust key exchange procedure.

 

That's not trivial: for example H.323 VoIP protocol could be "broken" by NSA and other entities because, even though it employs DHE, which is a very wise choice, the implementation is wrong: vendors skip the TLS/etc. encryption of the signaling channel and the Diffie-Helmann keys are unprotected.

 

Finally (and this might be a surprise for some people) we would not recommend ECC (Elliptic Curve Cryptography) at the moment.

 

We momentarily avoid ECC (Elliptic Curve Cryptography) in Control Channel, Data Channel and in key exchange, according to Bruce Schneier's suggestions and keeping into account reasonable suspects of deliberate poisoning and weakening of ECC (with possible backdoors) by NSA in cooperation with industry.

 

We put into practice the recommendations of security expert and best practices on our setup, based exclusively on OpenVPN with the following features:

 

Data Channel: AES-256-CBC

Control Channel: HMAC SHA1

RSA keys size: 2048 bit

PFS (Perfect Forward Secrecy): yes. TLS re-keying is performed by default every 60 minutes through DHE as well as at each new connection. As an additional option the re-keying time interval can be lowered by the client unilaterally.

 

The client key is used to authorize the access to the system, not to encrypt the data channel, so that even if an adversary catches the client private key, the client traffic can't be decrypted.

 

Kind regards

Paolo Brini

AirVPN co-founder

[Lee47 23]

And that reminds security aware users of your suggestion that a partition of trust would be a great addition to their online profile.  Especially if it was TOR or a VPN located in another jurisdiction.  At least in this scenario multiple three letter agencies would be needed to de-cloak what is going on.

 

100% agree with you, would recommend AirVPN always but its good just in case to use other partitions of trust, spread your trust between multiple systems that do not relate to each other or exist within the same area code