Jump to content
Not connected, Your IP: 18.191.27.78
Maggie144

Trust Through Transparency (confirmed VPN)

Recommended Posts

Hello!

 

I think it's an interesting concept and I've often imagined something like it, so in overall terms, the idea or intent is good I think.

 

To me, it does seem like there's many many things buried in their methodology, which seems somewhat suspicious.

 

In a sense, turning everything into an exercise in transparency is a gimmick. Because it needs to be followed up with real technical know-how and integrity in order to actually mean something.

 

So perhaps ironically, the only ones who will probably use that stuff, are the gullible customers whom can't utilise the apparent transparency to make informed judgments.

 

While the technical crowd can and will raise the necessary and hard questions and resolve to stay away. But of course, I hope they keep developing.

 

Some things I find less likable about it:

  1. They've essentially made their own framework and then branded themselves as the first to follow it. That's cheap enough, but their standards are essentially what Air has been doing since the beginning. Except Air didn't make it a central theme in this way and yet still has FOSS software, high transparency infrastructure, closed-loop systems and so forth.
  2. Simply being open, does not in itself ensure that high security and privacy standards are followed. According to their audit, they seem to mainly use IPSec tunnels. The audits seem a bit worrying too.
  3. We store and process the information that we collect in the United States in accordance with this Privacy Policy (our subprocessors may store and process data outside the United States)

     

  4. While it's fantastic they don't use social media or buttons on their website, they still pin things to some of the worst privacy offenders, so there's no .ovpn files or similar flexibility for example:

    For mobile users, we require an App Store or Google Play receipt, which contains no personally identifying information. The sole purpose of this data is to to validate that the account has an active subscription for the Confirmed service.

     

  5. I get that it's a small company, but I hope this will change:

    Each Account is limited to one individual on up to either three or five devices, depending on your Service plan. After substantial activity, we reserve the right to reasonably throttle the speed of your access to the Service to protect the experience of other users of the Service.

     

  6. In their quest for security through openness, they may be exposing themselves to danger, by assuming that everything must be publicly available. But there are things that even a VPN would probably be wise not to be sharing and assuming this is true, the quest for transparency undermines the very security it was meant to create.
  7. Why?

    We do not log or track any usage of our website, except for error messages on our server (such as accessing a page that does not exist). For these cases, we log the error (i.e., the URL attempted) and the time that it happened, but no personally identifying information such as a user’s IP address.

     

  8. They may be into transparency, but there's issues with their Privacy Policy, where Air by contrast at least allows the use of Bitcoin without any middlemen:

    For desktop users, we require a valid credit card that is processed and stored by Stripe, Inc., a PCI-compliant payment processor. We do not store your credit card number on our servers, nor can we access it. Stripe also will also store metadata related to your financial transaction that we can access, such as zip code and country of origin, primarily to validate the authenticity of the transaction and pay applicable local taxes (i.e., Value Added Tax in the European Union).

     


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post
Guest

I like this idea, and it's something I wish Air (or another high value VPN provider) would do (although it would obviously be detrimental to their business). As LZ1 states, they're 'open', so they're hiding nothing or leaving nothing to the imagination. Their logging is clear and nobody in their right mind would use them (hopefully) but the concept is desirable.

 

> Except Air didn't make it a central theme in this way and yet still has FOSS software, high transparency infrastructure

 

I'm confused what you mean here, how does Air have 'high transparency'? I mean sure, we can see the status of servers, issues, and a few other pieces of information, but I don't agree it makes them transparent, far from it. We don't know Kernel versions, patches, what software they have on the server, how it's maintained, who has access, how access is granted, whether they have active monitoring/hardened against attacks, if they've been attacked and whether their server security is up to an acceptable standard.

 

AirVPN (as far as I am aware) has not done a public aduit, and does not have audit logs that are viewable, so in that regard, they're not 'transparent'. We can see from their software they've got competent developers, but there's more to the story behind every VPN.

 

> But there are things that even a VPN would probably be wise not to be sharing

 

Is there anything in particular you can mention? It's highly desirable to have a VPN willing to share everything and anything so we can (finally) learn how these services operate (because it all seems a closely guarded secret) and see if there are improvements that can be made by the community.

 

It's ironic that VPNs utilize and rely on the foundational trust of software like OpenVPN of which they make all of their profits, yet in the same breath they do not seem willing or keen to share information about their infrastructure which is very much 'closed sauce' and the secret ingredient nobody wants to talk about. Why? Why not share a little bit more information. If OpenVPN decided to close their source tomorrow we'd all be wanting to know why and (probably) demanding them to reconsider...

Share this post


Link to post

Hello!

 

It's a delicate matter. The suggested method, which is a trademark if you didn't notice :D, will harm customers security and AirVPN industrial secrets as well.

 

"Security through obscurity" is "the reliance on the secrecy of the design or implementation as the main method of providing security for a system or component of a system.". It is trivial and obvious that when secrecy is not the only security method, it can be extremely helpful for security as well as other purposes. It's a macroscopic and logical mistake to believe that to not rely on "security through obscurity" you must have no secrets at all.

 

Under the current terms, the whole matter looks like marketing fluff aimed to promote a trademark and maybe gain some more customers. Ironic that those who promote access in read-only mode into their servers and recommend publication of all algorithms implementation feel the need to trademark two common language words. On top of that, it looks like you can't even access their service if you don't run their software. If you are in mobility, you also need an Apple or Google receipt, so they force you to use either Apple or Google stores. Wow, that's openness and respect for users' privacy, sure.

 

To get into more details:

 

1) Our industrial secrets are not rocket science. However, we have seen that our competitors in many years have not been able to have an infrastructure working on a par with AirVPN architecture, so our industrial secrets are valuable and we will not throw them away by allowing access in read-only mode inside our servers or by documenting our secret algorithms or in any other way.

 

2) Harm customers security. By allowing inspection or documenting the exact implementation of our security features and algorithms we will remarkably lower our customers security. For example, backend servers will become of public domain as well as the reverse proxies allowing indirect communications to service and VPN servers up to the backend servers. The whole path would be discovered and having compartmentalized databases (which, alone, is an important security feature) on servers unknown to the public, would be destroyed at once.

 

The architectural security principles are already documented in the Privacy Notice, in strict compliance with GDPR, which would enforce such documentation and implementation in case we handled personal data. We do not even handle personal data so the additional security features are a proof of our commitment to your security.

 

That said, knowing in details the technical implementation of said features, the exact locations, addresses and non-root access credentials from the Internet of our strategic servers, and the original algorithms, invented for a wide variety of purposes, which make AirVPN unique, is a dangerous madness.

 

Kind regards

Share this post


Link to post

I'm confused what you mean here, how does Air have 'high transparency'? I mean sure, we can see the status of servers, issues, and a few other pieces of information, but I don't agree it makes them transparent, far from it.

Because it's relative. The VPN industry is unregulated and so it must necessarily be in relation to what is the norm. The norm, from all that I've seen, is:

  • Using some closed-source client. Sometimes with several attendant bad practices, in the form of bloat or tracking or other things.
  • Using several trackers on the main website. Usually social buttons.
  • Using an array of world flags to seem impressive, but without detailing them much more than this, because the locations are fake and the performance isn't something to brag about.
  • Using unknown standards for choosing locations and so opening new locations without concern for security, privacy or quality.
  • Using all sorts of marketing gimmicks to seem more impressive than they are, which obscures things further. What's a "3D Stealth Server" for example?
  • Possibly not even having a forum in order to discuss issues openly.
  • Possibly not even having owners with a good technical understanding and therefore leaving customers with a knowledge blackhole.

So in relation to things like the above, I think it's accurate and true to say that Air has high transparency by comparison. I didn't say total transparency and I was therefore still pleased with their idea .

 

AirVPN (as far as I am aware) has not done a public aduit

The only recent audit I'm aware of, is the funding provided to help audit OpenVPN and do a bug bounty.

 

Is there anything in particular you can mention?

I was trying to find a post I read earlier about this. But now Staff has answered, so hopefully that's sufficient. As Staff stated, there's compelling security and business concerns to take into account and if (perhaps especially in a VPN context) security is not done properly and transparency simply becomes another way of virtue signalling, then the security it was meant to foster will be undermined. Or put another way: if Air offered to share something meant to be secret, in the name of transparency, with the added explanation that it would undermine security for users, would you want it?

 

It's ironic that VPNs utilize and rely on the foundational trust of software like OpenVPN of which they make all of their profits, yet in the same breath they do not seem willing or keen to share information about their infrastructure which is very much 'closed sauce'

 

We should definitely start saying "closed sauce" instead, that'll spice things up .

 

I understand what you mean. In regards to trust, I think it's also relevant to remember that AirVPN at least, actively encourages "partition of trust" for some of those reasons. Because trust is a weakness in this scenario. So if you/I/we don't *need* to trust AirVPN in order to use it or at least won't be completely compromised if Air was, then we all benefit. While the Openly Operated model, while great in so many ways, still makes users rely on the service and therefore trust it. While if they had more anonymizing features it would be more compelling.


Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please also do not run Tor Exit Servers behind AirVPN, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...