What if the FBI raided one of your USA servers?

[slammin_bulu_whack 1]

I've read a bunch of your articles and posts, especially those that arose when HideMyAss handed over account details of one of their customers to a judge.

It's nice to know that you don't necessarily feel obligated to behave in the same way, and I understand the basic approach towards customer data that the EU data protection directives has.

But what is to prevent an enforcement agency from simply taking away Sirius or Vega at LeaseWeb... walk into the colo, disconnect the server and have at it with all the information in those boxes? Wouldn't that circumvent all the "anonymity by design" philosophy of your service? Would the anonymity still be preserved? How?

And as you know, this is not a hypotethetical, it happens - http://blog.instapaper.com/post/6830514157

Many thanks for an otherwise excellent service.

[Staff 9762]

@slammin_bulu_whack

Hello!

Yes, your assumption is not purely hypothetical. It may happen to any VPN provider anywhere in the world, not only in the USA. Let's be clear, if the action is authorized by a judge under alleged, direct or indirect, violations of human rights (in particular human trafficking, child exploitation, export of monitoring technology) we will fully cooperate with the authorities.

First of all, no account data are kept on the VPN servers, and anyway we encourage not to use identity disclosing information in your accounts with us. With a seized, offline server, forensic analysts work would be impaired. Much more effective would be real time wiretapping on the servers. This, potentially, might be done not only by legal agencies, but also by criminal organizations, although it might be difficult to cover their traces.

For this reason, as we have said in the statement you cite, we strongly recommend to use AirVPN over TOR if you need to send critical information (for example, a whistleblower who sends something to a journalist), and to encrypt those information. In this way, even real time wiretapping would be ineffective to disclose both origin of the transmission and content information. Using AirVPN over TOR instead of TOR alone has a series of significant advantages, amongst which to solve the problem of malicious TOR relays (the traffic is still encrypted when passing through a TOR relay, and the TOR relay can't see the final destination IP of your communications).

Also, AirVPN (thanks to OpenVPN) supports VPN over http-proxy. In this case, you have to use the TCP protocol and you will be able to establish an AirVPN over proxy connection. The proxy server will see your real IP but not the real destination, our servers will not see your real IP address. Furthermore, the packets payload will still be encrypted by OpenVPN when passing through the proxy node.

Another scenario with physical access to the server is the possible correlation between account codes and IP address. Suppose that you connect via AirVPN over TOR to one of our servers to send critical data. Then, you connect with the same account to the same server but without TOR. At this point, it is possible to correlate your previous connection over TOR with this new one connection (same account code), disclosing therefore your real IP address to those who have physical access to the server and are wiretapping in real time.

So, for critical transmissions, you should also take into consideration to use a specific account, aimed to be used only with AirVPN over TOR, even only one time for additional security, so that it would be impossible to make correlations between account codes and your real IP address, even with real time wiretapping.

Trial free codes available on Twitter or sent by us via e-mail are perfect for this purpose (they have a maximum duration of 4 days). Just make sure that you use an e-mail account which can't be exploited to reveal your identity and perform the registration and the activation on our website via TOR.

Please do not hesitate to contact us for any further information.

Kind regards

P.S. Vega is not with Leaseweb.

[reitou223 0]

Hi,

 

If any wiretapping were to be done can they see the packet payload or only the source and destination IP address?

 

Cheers.

[Staff 9762]

Hi,

 

If any wiretapping were to be done can they see the packet payload or only the source and destination IP address?

 

Cheers.

Hello!

 

We have covered in depth this, a (very) executive summary:

if you connect over OpenVPN over TOR they can't see your real IP address but can see the packets payload.

If you connect over TOR over OpenVPN they can't see any packet payload but can see your real IP address.

If you connect over OpenVPN over TOR over (proxy|VPN) they can't see neither your real IP address, nor the packets payload.

Kind regards

AirVPN Support Team

[reitou223 0]

I thought all packets in and out of the VPN were encrypted. I do not want to use TOR as it is horribly slow but I was under the assumption that wiretapping would not be effective since the packets are encrypted.

[Staff 9762]

I thought all packets in and out of the VPN were encrypted. I do not want to use TOR as it is horribly slow but I was under the assumption that wiretapping would not be effective since the packets are encrypted.

Hello!

You are right, that's true. However, the considered context was much more extreme, it was assumed that an entity puts physically a wiretapping device just outside the server, captures all the incoming and outgoing streams and correlates them. Such a powerful adversary can only be defeated with partition of trust, with OpenVPN over TOR for example.

Kind regards

[reitou223 0]

Hello!

You are right, that's true. However, the considered context was much more extreme, it was assumed that an entity puts physically a wiretapping device just outside the server, captures all the incoming and outgoing streams and correlates them. Such a powerful adversary can only be defeated with partition of trust, with OpenVPN over TOR for example.

Kind regards

 

OK lets say that happens and one of your VPN servers is wiretapped. Can they see incoming packet payloads from the customer? It would be easy to see data from the destination to the VPN server. But what about from the client to the VPN can any of those packets be seen by wiretapping?

 

Cheers.

[Staff 9762]

OK lets say that happens and one of your VPN servers is wiretapped. Can they see incoming packet payloads from the customer? It would be easy to see data from the destination to the VPN server. But what about from the client to the VPN can any of those packets be seen by wiretapping?

 

Cheers.

Hello!

 

They can't see the packets payload from the client to the VPN server, no. Not even if they get your user.key.

 

Kind regards

[reitou223 0]

Hi,

 

So they can see the un-encrypted traffic coming into the vpn and then they can see the traffic going to the end user encrypted. So in reality they don't need to break the encryption as they can see the data from it's source and correlate that with the destination IP address?

 

Correct?

[huiliqwr 0]

 ok so to clarify:

 

if i use vpn -> tor my isp doesn't see anything.... but if i use tor -> vpn, my isp and my entry node what kind of data see in details?

[Philiberti 9]

Hi,

    I always check for DNS leaks after connecting to AirVPN but today is the first time I have seen the warning about the owners of the site being able to log names of websites visited (DNSleaktest.com - I tried to post a screencap but it was not authorised). Is this just a general country warning or has AirVPN changed something regarding anonymity?

Sorry if this seems like a silly question but this new development has concerned me.

 

Regards

 

Philiberti

[Staff 9762]

Hello,

 

we don't understand, can you please elaborate?

 

Kind regards

[Philiberti 9]

Hi,

    I copied/pasted the detail below from DNSleaktest.com - the sentence highlighted in red concerns me. AirVPN policy is not to log info - has this changed or is the statement above part of a general policy by DNSleaktest.com to comply with the law in the countries concerned?

 

Your DNS test results

This page shows the DNS servers that your computer is using to resolve DNS names. The owners of the servers listed below have the ability to log the names of all websites you connect to.

WARNING: If you are connected to a VPN service and ANY of the servers listed below are not provided by the VPN service then your DNS may be leaking. (You should be able to recognise them based on the hostname, ISP and location). This is not an issue if you trust the owners of these servers with your private data.

 

We detected the 1 DNS server listed below.

 

IP: 95.211.169.45 Hostname: hosted-by.leaseweb.com ISP: LeaseWeb B.V. Country: Netherlands

 

 

Regards

 

Philiberti

[Staff 9762]

Hello,

 

our policy did not change, we don't log, monitor or inspect our customers' or users' traffic.

 

Kind regards

[Philiberti 9]

Thanks for that - it must just be a general warning that not all VPN providers take anonymity as seroisly as AirVPN.

 

Cheers

[Baraka 30]

 

Hello!

You are right, that's true. However, the considered context was much more extreme, it was assumed that an entity puts physically a wiretapping device just outside the server, captures all the incoming and outgoing streams and correlates them. Such a powerful adversary can only be defeated with partition of trust, with OpenVPN over TOR for example.

Kind regards

 

OK lets say that happens and one of your VPN servers is wiretapped. Can they see incoming packet payloads from the customer? It would be easy to see data from the destination to the VPN server. But what about from the client to the VPN can any of those packets be seen by wiretapping?

 

Cheers.

 

Nope. All of that (from the client to the VPN) is encrypted. That's why you're using a VPN right? Even the bad VPN services who sold out their customers' privacy were not able to hand over any information except the logged connection time, origin IP and destination IP addresses that were hit by the customer (irrelevant for Air, since they don't log). Nothing else, since it's all encrypted. As for decrypting information, that would not be practical or even possible. That's one of the problems with VPN services. It's very difficult to break strong, open source encryption. AES-256 certainly qualifies.