
Independent Audits

Guest

IVPN just did an audit by Cure53 on their clients and there were security issues found which now can be fixed.
https://cure53.de/pentest-report_IVPN_2022.pdf 
IVPN has a no log audit, proving their no log claim by an independent company.
https://cure53.de/audit-report_ivpn.pdf

Mullvad did several audits in the past:
https://cure53.de/pentest-report_mullvad_2021_v1.pdf
https://cure53.de/pentest-report_mullvad_2020_v2.pdf
There are other providers too:
https://cure53.de/pentest-report_mozilla-vpn.pdf
https://cure53.de/pentest-report_lightway.pdf
https://cure53.de/pentest-report_tunnelbear_2020.pdf

So why doesn't AirVPN have any audits? There is a big difference in "trusting" a company that they don't log vs. an independent audit proving it. Also, no software is perfect; that's why an audit on Eddie would be very useful to find security problems. Curious about the answer.

Guest
Literally the second link is an "IVPN Privacy & No-Log Audit Report".

"To give more details, the main focus of the audit placed on a set of two major claims
made by IVPN and aggregated to the following items:
• Claim 1: IVPN performs no logging of traffic, IP addresses or DNS requests.
• Claim 2: IVPN does not carry out any statistical logging of customer-traffic"

Guest

Absolutely nothing speaks against having these claims verified. They could publish the results on the website and attract more potential customers. If the no-log audits are too complex and expensive for AirVPN, then they should at least do the pentest for Eddie. From what I've seen, Cure53 has found serious security holes in every audit. What's wrong with offering your customers a more secure app?

 

Guest

Cure53 did many more audits than just for VPN companies.
https://cure53.de/#publications

They did pentests for Mozilla, 1Password, Threema, F-Droid, crypto wallets, etc.
They are a really reputable company in the industry. Also, it doesn't even have to be Cure53, it would be just as good if AirVPN did a pentest from some other reputable company.

As for the other points, I agree that the no-log audit is maybe not really necessary, because the VPN provider could start logging after the audit completed.
Yes, AirVPN is open source, but so are IVPN and Mullvad. Cure53 still found critical security issues in their software. Open source doesn't mean 100% secure. There could be plenty of security issues in Eddie.
Therefore, absolutely nothing speaks against doing a pentest on Eddie to fix security issues.

I only see 3 reasons AirVPN wouldn't want it:

1. Too expensive.
2. They don't care.
3. They are afraid that a pentest would find lots of issues and hurt their reputation.

 

Link to post

An independent audit paid by the audited is de facto dependent. A truly independent audit would be a crowdfunded audit, where users are both the payer and the stakeholder. Wouldn't that be a revolutionary idea of a VPN audit, where auditors, users and the VPN provider sit at a round table and steer the audit collectively, keeping everyone in the loop? :)

I tend to agree with some points Mr. airvpnforumuser made.
 

4 hours ago, AirUser#63567 said:

1. Too expensive.
2. They don't care.
3. They are afraid that a pentest would find lots of issues and hurt their reputation.


With the development of the AirVPN-Suite and the in-dev TUI and GUI for Bluetit I'd say, yes, 1: The costs far outweigh the benefits right now. There are no plans posted anywhere for that I believe, so it's a personal assumption, but I think Eddie will be replaced sooner or later by this suite on macOS and Linux, then a general code cleanup must be done for Eddie to focus on functionality and security on Windows and .NET instead of also taking care of the eventuality that it may be running in Mono.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.
