
Posted ... (edited)

What do you think about IVPN encryption, amount of servers, policies and any other comments about their service?

Here is the encryption they use, I got this information from the logs when I connected to their VPN

Edit.

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA

 

Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Data Channel Decrypt: Cipher 'AES-256-CBC' initialized with 256 bit key

Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication

Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA

Here is their website https://www.ivpn.net

Edited ... by Keksjdjdke


Hello !

 

As per: https://www.ivpn.net/privacy

 

Some things which caught my attention:

 

  • They say they keep no logs. Yet that can be both true and false, if for instance you do real-time analysis and pass it on. Then you didn't "log", but you did analyse, which is still bad.
  • For a service which says they keep no logs, there's an awful lot of questions about which data they keep; surely they'd be able to answer this in one go, no? Unless there's more to it.
  • About DMCA's they write "Since we store no connection logs, we couldn't associate", so unless that's a mistake, does that mean they actually can now? Details matter.
  • It's also worth noting that they expend time and resources on DMCAs, while AirVPN by comparison just ignores them flat-out. Do you know how hard it can be to respond to every DMCA request? Ask Google.
  • Which means they could potentially end up using more money on legal fees than maintaining and upgrading their hardware. Which is more important, in a VPN?

 

Then there's this seemingly large contradiction:

 

 

How do we react when requested by an authority for information relating to a customer?

The company is incorporated in Gibraltar. If a court order is received from a recognized legal authority with jurisdiction over IVPN then the company will comply with that order. However, the company cannot be compelled to hand over information which it does not have. When a customer signs up we request the minimum information possible, a valid email address. If it ever becomes required by law for us to keep a persistent log of our customers connections or any personal data relating to their network activity, we will immediately notify our customers and do everything in our power to move jurisdictions or close the service to protect those who entrust their privacy to us.

 

Well, you don't need to change the laws of the country, if you can just issue an NSL, which usually comes with 2 parts:

 

1 - Data-request and/or compromising the service

2 - Gag order. Don't tell anybody we're making you do this.

 

So it's not clear to me what they'd do then.

 

  • Then there's the fact that they do use analytics on their website. AirVPN doesn't. But then they say: "Piwik is open source software that is hosted on our own server infrastructure to ensure your privacy"
  • But it fundamentally doesn't matter where it's hosted, that's missing the point. The point is, that they're absorbing/stealing/analyzing data about their customers, when they shouldn't. It's not a little data either.
  • It includes: "browser user-agent, language, screen resolution, referring website, IP address etc." That "etc." also adds a whole lot of ambiguity. What does etc cover, in their view?
  • Then at the end, there's the usual legal copy/paste about taking "reasonable" steps to notify people if policies change. These policies can also change whenever they want. Unlike Air, which has firm and set policies.
  • That whole page seems like it's a giant sign saying "we don't collect anything in theory, but if we did, then it would be blablabla, but we care about your privacy, so we don't, except for this, that and the next".
  • Heck, they even write at the start "To ensure your privacy we collect only your email address to facilitate password resets and send important security updates relating to our service."
  • But that's provably untrue, if you scroll further down, regarding the website analytics, which is hosted on their servers. So what if that analytics data is requested then?
  • For mobile devices, they offer L2TP/IPSec, which is not secure. I can get better security on mobile with AirVPN, without suffering much in speed, so what's their excuse?
  • For a VPN, they seem to be really shy about actually stating hard facts about the tech they use. Even in their FAQ

Nah, I'm not buying it. But their privacy guides are pretty neat.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.


 

    - Then there's the fact that they do use analytics on their website. AirVPN doesn't. But then they say: "Piwik is open source software that is hosted on our own server infrastructure to ensure your privacy"

    - But it fundamentally doesn't matter where it's hosted, that's missing the point. The point is, that they're absorbing/stealing/analyzing data about their customers, when they shouldn't. It's not a little data either.

AirVPN uses Piwik as well, and that means in your words, AirVPN is absorbing/stealing/analyzing data about their customers, when they shouldn't.

 

It includes: "browser user-agent, language, screen resolution, referring website, IP address etc." That "etc." also adds a whole lot of ambiguity. What does etc cover, in their view?

 

Piwik covers all the basics an analytics suite is able to collect. They give a very good overview, which of course is not a complete list. Geolocation is a feature, too, and with the last two bytes hidden it can locate you in a specific country. You can of course do it more accurately by hiding only the last byte or not hiding anything at all, but it's only processing the country your IP was located in. So while you are right with "etc" being ambiguous, the full feature set can always be looked up on piwik.org or Piwik's Wikipedia page since, they name it, it's open-source.

 

For mobile devices, they offer L2TP/IPSec, which is not secure. I can get better security on mobile with AirVPN, without suffering much in speed, so what's their excuse?

Those protocols are natively supported by most operating systems, on iOS/Android as well. We covered the question on why OpenVPN is not implemented this way already. Short version, because of OpenVPN Technologies' demand for payment.

At this point I start to question the purpose of your argumentation. It's all explained on their Android page:

 

Android natively supports the L2TP/IPSec protocol without having to install any 3rd party software. However the L2TP/IPSec protocol is not secure when using pre-shared keys so we only offer it for applications where security is not important e.g. if you are using the VPN to access geo-restricted content in another country. It may also be effective for defeating broad-scale non-targeted surveillance/data retention performed by many ISP's.

For customers who require some level of security we strongly recommend using the OpenVPN protocol. Please review the table and select the appropriate setup guide below. For a more in-depth comparison see L2TP/IPSec vs OpenVPN.

 

You've got an explanation on why they offer those two protocols and a recommendation for OpenVPN. I don't expect more than that. They even link to a comparison in which they use a healthy mix of easy to understand words and facts/names.


NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.


Oh yea, I forgot Air does it too; I actually knew that. However Air seem to word things much more precisely, to remove ambiguity.

I guess it's because I like the "all or nothing" kind of approach and they just don't seem to be as uncompromising about their setup as Air is.

Piwik is better than google for sure, but when you pair it with their, in my view lacking, wording on their privacy policy, it's not very comforting.

Like, they write "Piwik may also set a web cookie to facilitate the identification of users who revisit the site.", while Air writes "Cookies are stored only for technical reasons and can be deleted anytime by the user.

Cookies are specifically meant for technical help. Under no circumstance does Air use cookies to track and/or profile users."

 

Air also says stuff like "Air servers and software procedures acquire only personal data which are strictly necessary for the technical functioning of the service, for example IP address.

These data are not collected to identify, through elaboration or any other technique, users' personal identities. These data are not transmitted to third parties."

 

So while Air's limited collection of data puts me at ease (even though I'd of course prefer zero, even on the website etc.), I feel decidedly more suspicious with the way IVPN wrote it.

I didn't check their Android section either, I'll admit.



Oh yea, I forgot Air does it too; I actually knew that. However Air seem to word things much more precisely, to remove ambiguity.

I guess it's because I like the "all or nothing" kind of approach and they just don't seem to be as uncompromising about their setup as Air is.

Piwik is better than google for sure, but when you pair it with their, in my view lacking, wording on their privacy policy, it's not very comforting.

Like, they write "Piwik may also set a web cookie to facilitate the identification of users who revisit the site.", while Air writes "Cookies are stored only for technical reasons and can be deleted anytime by the user.

Cookies are specifically meant for technical help. Under no circumstance does Air use cookies to track and/or profile users."

I found something concerning in their OpenVPN configuration file

Some of the ciphers they use are not very secure.

tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA

 

Air also says stuff like "Air servers and software procedures acquire only personal data which are strictly necessary for the technical functioning of the service, for example IP address.

These data are not collected to identify, through elaboration or any other technique, users' personal identities. These data are not transmitted to third parties."

 

So while Air's limited collection of data puts me at ease (even though I'd of course prefer zero, even on the website etc.), I feel decidedly more suspicious with the way IVPN wrote it.

I didn't check their Android section either, I'll admit.
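
An added example, not part of any post in this thread: a small Python audit of the tls-cipher line and the log lines quoted in the first post and again in the post above, showing which suites the list permits and what the logged session actually negotiated. The function and flag names are this example's own, and the suite-name pattern assumes OpenVPN's IANA-style names as they appear in the posts.

```python
import re

# Inputs copied from the posts in this thread.
TLS_CIPHER = ("tls-cipher TLS-DHE-RSA-WITH-AES-256-CBC-SHA:"
              "TLS-DHE-DSS-WITH-AES-256-CBC-SHA:TLS-RSA-WITH-AES-256-CBC-SHA")
LOG_LINES = [
    "Data Channel Encrypt: Cipher 'AES-256-CBC' initialized with 256 bit key",
    "Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication",
    "Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 4096 bit RSA",
]

# TLS-<kx>[-<auth>]-WITH-<cipher>-<mac>; static-RSA suites have no <auth> token.
SUITE_RE = re.compile(
    r"^TLS-(?P<kx>[A-Z0-9]+)(?:-(?P<auth>[A-Z0-9]+))?"
    r"-WITH-(?P<enc>.+)-(?P<mac>[A-Z0-9]+)$")


def audit_suite(name):
    """Return property flags (this example's own labels) for one suite name."""
    m = SUITE_RE.match(name)
    if not m:
        return ["unparsed"]
    flags = []
    if m["kx"] not in ("DHE", "ECDHE"):   # static RSA key exchange
        flags.append("no-forward-secrecy")
    if "CBC" in m["enc"]:                 # MAC-then-encrypt, not an AEAD mode
        flags.append("cbc-non-aead")
    if m["mac"] == "SHA":                 # "SHA" in a suite name means HMAC-SHA1
        flags.append("hmac-sha1")
    return flags


def audit_tls_cipher(directive):
    """Map each suite allowed by a tls-cipher directive to its flags."""
    _, _, suites = directive.strip().partition(" ")
    return {s: audit_suite(s) for s in suites.split(":") if s}


def audit_log(lines):
    """Extract what was actually negotiated from OpenVPN log lines."""
    seen = {}
    for line in lines:
        if m := re.search(r"Control Channel: (TLSv[\d.]+), cipher \S+ "
                          r"([\w-]+), (\d+) bit RSA", line):
            seen["protocol"], seen["control_cipher"] = m[1], m[2]
            seen["rsa_bits"] = int(m[3])
        elif m := re.search(r"Cipher '([^']+)' initialized with", line):
            seen["data_cipher"] = m[1]
        elif m := re.search(r"message hash '([^']+)' for HMAC", line):
            seen["data_hmac"] = m[1]
    # TLS 1.0 and 1.1 are deprecated by RFC 8996.
    seen["deprecated_tls"] = seen.get("protocol") in ("TLSv1", "TLSv1.1")
    # OpenSSL-style names of ephemeral suites start with DHE-/ECDHE-
    # (TLS 1.3 suite names are not handled here).
    seen["session_forward_secret"] = seen.get(
        "control_cipher", "").startswith(("DHE-", "ECDHE-"))
    return seen


if __name__ == "__main__":
    for suite, flags in audit_tls_cipher(TLS_CIPHER).items():
        print(f"{suite}: {', '.join(flags) or 'no flags'}")
    print(audit_log(LOG_LINES))
```

Run on the quoted lines, only the third suite in the list (TLS-RSA-WITH-AES-256-CBC-SHA) is flagged as lacking forward secrecy, while the logged session itself negotiated a DHE suite over TLSv1.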


I didn't check their Android section either, I'll admit.

 

Hahaaaa, got you.

 

I feel decidedly more suspicious with the way IVPN wrote it.

 

But I agree to this. IVPN should use more precise wording to eliminate doubts.



Hello !

 

As per: https://www.ivpn.net/privacy

 

Some things which caught my attention:

 

  • They say they keep no logs. Yet that can be both true and false, if for instance you do real-time analysis and pass it on. Then you didn't "log", but you did analyse, which is still bad.
  • For a service which says they keep no logs, there's an awful lot of questions about which data they keep; surely they'd be able to answer this in one go, no? Unless there's more to it.
  • About DMCA's they write "Since we store no connection logs, we couldn't associate", so unless that's a mistake, does that mean they actually can now? Details matter.
  • It's also worth noting that they expend time and resources on DMCAs, while AirVPN by comparison just ignores them flat-out. Do you know how hard it can be to respond to every DMCA request? Ask Google.
  • Which means they could potentially end up using more money on legal fees than maintaining and upgrading their hardware. Which is more important, in a VPN?

 

Then there's this seemingly large contradiction:

 

 

 

How do we react when requested by an authority for information relating to a customer?

The company is incorporated in Gibraltar. If a court order is received from a recognized legal authority with jurisdiction over IVPN then the company will comply with that order. However, the company cannot be compelled to hand over information which it does not have. When a customer signs up we request the minimum information possible, a valid email address. If it ever becomes required by law for us to keep a persistent log of our customers connections or any personal data relating to their network activity, we will immediately notify our customers and do everything in our power to move jurisdictions or close the service to protect those who entrust their privacy to us.

Details matter indeed. Here's another quote from their Privacy Policy:

"Due to the nature of our logging practices VPN servers do not contain any personally identifiable information and thus, if seized, could not be used to identify users."

In my opinion very clear in what's important.

"We do not store any connection logs whatsoever. In addition we do not log bandwidth usage, session data or requests to our DNS servers."

Another good point they are making.

Here is the whole DMCA snippet which makes more sense when read in its full form:

"

What happens if you receive a legal notice such as a DMCA for copyright material that I have downloaded?

Since our customers are using an IVPN issued IP address when using our service, such notices are directed to IVPN and our legal department will issue an appropriate response. Since we store no connection logs, we couldn't associate a request with a customer identity even if legally compelled to do so."

 

At least from my understanding it looks correct, English is however not my first language so I am a bit unsure if they are using "couldn't" correctly.

Well, you don't need to change the laws of the country, if you can just issue an NSL, which usually comes with 2 parts:

 

1 - Data-request and/or compromising the service

2 - Gag order. Don't tell anybody we're making you do this.

Yes. But their current country is Gibraltar - not the US which is the country where National Security Letters apply. Gibraltar could in a way be considered a 14-eyes country (just like Italy where AirVPN is based out of) so in the end a NSL might not matter.


@Necro

Well I didn't mean just American ones, I meant to say whatever they use in Gibraltar. Like, it's much the same with the UK increasingly getting worse and so they might get or might already have their own version of NSLs. The equivalent of an NSL. It's also just that if they don't keep logs, why does it have to be so long? I find it very strange to say:

 

- We don't keep logs

- Question: Which logs do we keep?

- However we don't track people

- Question: Do you collect or store stuff?

- We don't

- Question: What information is collected on the site?

 

Etc. Instead of like: We don't store stuff, but we do a bit of analytics on the site. Period lol, if you get me.

 

@giganerd

Baaah, my post might look elaborate, but I didn't check everything in depth. I just browsed through at one point, wherein it then said L2TP for mobile and I thought it could've been elaborated better. I still feel they ought to put more hard specs out front. Y U Laugh @ me ;(. I guess it's because I'm spoiled on AirVPN, where they don't even offer stuff like that up front lol.

It's like when PIA says well, we recommend SHA256, but you can have SHA128 lol (apparently it's the default). But hey, we're all extremists in the NSA's eyes right? So who cares...



@Necro

Well I didn't mean just American ones, I meant to say whatever they use in Gibraltar. Like, it's much the same with the UK increasingly getting worse and so they might get or might already have their own version of NSLs. The equivalent of an NSL. It's also just that if they don't keep logs, why does it have to be so long? I find it very strange to say:

 

- We don't keep logs

- Question: Which logs do we keep?

- However we don't track people

- Question: Do you collect or store stuff?

- We don't

- Question: What information is collected on the site?

 

Etc. Instead of like: We don't store stuff, but we do a bit of analytics on the site. Period lol, if you get me.

 

@giganerd

Baaah, my post might look elaborate, but I didn't check everything in depth. I just browsed through at one point, wherein it then said L2TP for mobile and I thought it could've been elaborated better. I still feel they ought to put more hard specs out front. Y U Laugh @ me ;(. I guess it's because I'm spoiled on AirVPN, where they don't even offer stuff like that up front lol.

It's like when PIA says well, we recommend SHA256, but you can have SHA128 lol (apparently it's the default). But hey, we're all extremists in the NSA's eyes right? So who cares...

 

I see what you mean, but these answers on the TorrentFreak VPN article will clear things up - even though the homepage should be just as obvious!

 

4. Our legal department sends a reply stating that we do not store content on our servers and that our VPN servers act only as a conduit for data. In addition, we never store the IP addresses of customers connected to our network nor are we legally required to do so.

5. Firstly, this has never happened. However, if asked to identify a customer based on a timestamp and/or IP address then we would reply factually that we do not store this information, so we are unable to provide it. If they provide us with an email address and asked for the customer’s identity then we would reply that we do not store any personal data. If the company were served with a valid court order that did not breach the Data Protection Act 2004 we could only confirm that an email address was or was not associated with an active account at the time in question.


Baaah, my post might look elaborate, but I didn't check everything in depth. I just browsed through at one point, wherein it then said L2TP for mobile and I thought it could've been elaborated better. I still feel they ought to put more hard specs out front. Y U Laugh @ me ;(. I guess it's because I'm spoiled on AirVPN, where they don't even offer stuff like that up front lol.

 

I'm sorry, I didn't mean to expose you.

