ANSWERED [FUD] Why does AirVPN send non-https requests to Amazon AWS for authentication?

[somerandomdude 0]

So when you want to authenticate to AirVPN, it uses the following IPs:


 <urls>
      <url address="http://xx.xx.78.166" />
      <url address="http://xx.xx.66.85" />
      <url address="http://xx.xx.175.114" />
      <url address="http://xx.xx.116.50" />
    </urls>

Taking xx.33 gives a hostname of:

ec2-xx-33-78-166.eu-west-1.compute.amazonaws.com

Meaning EVERY time you login, Amazon's AWS is collecting data about every single login, likely the IP address of the user logging in (likely to be the ISP IP) and AirVPN doesn't seem to have this documented anywhere at all.

Nowhere in their privacy policy does it say the users will be making a non-TLS request to an American entity which may include the users IP address which is something they may not want Amazon of all places to know about,

AirVPN might as well make their authentication route via Facebook's servers, they're all as bad. At least give users the option of a more secure system that doesn't rely on hostile American companies.

I'd like to request further technical information from AirVPN about these IPs, how their systems work, how they're configured, what information Amazon is storing about each login attempt and why they're using Amazon at all knowing that's detrimental to their so called "mission".

Thank you.

[Staff 9748]

Hello,

the bootstrap servers are contacted in encrypted form over HTTP, and not HTTPS, to try to be more effective against blocks and certificate replacement for nodes behind certain proxies. For encryption details we invite you to consult Eddie Android edition source code (in Eddie desktop edition source code you will not find some parameters in explicit form). The fact that the transport is HTTP does not imply that the stream is unencrypted obviously as explained various times in the past 7-8 years.

Amazon EC2 Ireland has been chosen for uptime reasons and is only one of the variety of datacenters where bootstrap servers live. The bootstrap servers do not communicate directly with the backend servers and have no relation with the VPN servers, anyway that's very irrelevant.

There are no privacy concerns at all. Do not spread false information and FUD. Why did not you contact us first? Do you REALLY think that such a macroscopic disaster would have been really implemented in AirVPN and kept for so many years?

Kind regards


 

[Staff 9748]

On 8/26/2019 at 10:44 AM, somerandomdude said:

Nowhere in their privacy policy does it say the users will be making a non-TLS request to an American entity which may include the users IP address which is something they may not want Amazon of all places to know about,

AirVPN might as well make their authentication route via Facebook's servers, they're all as bad. At least give users the option of a more secure system that doesn't rely on hostile American companies.

I'd like to request further technical information from AirVPN about these IPs, how their systems work, how they're configured, what information Amazon is storing about each login attempt and why they're using Amazon at all knowing that's detrimental to their so called "mission".

Thank you.

Hello,

as the data processing responsible person in AirVPN I will gladly answer publicly to your question:

1) We do not collect any personal data.

2) If, intentionally or not, you have entered personal data in any part of your account data I would recommend you ask for deletion, but anyway no data is ever sent to any third-party.

3) Amazon does not get any data, personal or not, at each login attempt or under any other circumstance.

It's very singular that you have opened an account specifically to publish a collection of false, fake and bogus information, and you missed to contact us in advance before going public with your smearing. It tells me that you are not in good faith. I call moderators to curb and disrupt such an abusive behavior.
 

Quote

how their systems work

They work very well, thank you.

Kind regards
Paolo (pj)