Guest Posted ...
IVPN just did an audit by Cure53 on their clients and there were security issues found which now can be fixed.
https://cure53.de/pentest-report_IVPN_2022.pdf
IVPN has a no log audit, proving their no log claim by an independent company.
https://cure53.de/audit-report_ivpn.pdf
Mullvad did several audits in the past:
https://cure53.de/pentest-report_mullvad_2021_v1.pdf
https://cure53.de/pentest-report_mullvad_2020_v2.pdf
There are other providers too:
https://cure53.de/pentest-report_mozilla-vpn.pdf
https://cure53.de/pentest-report_lightway.pdf
https://cure53.de/pentest-report_tunnelbear_2020.pdf
So why doesn't AirVPN have any audits? There is a big difference in "trusting" a company that they don't log vs. an independent audit proving it. Also, no software is perfect, that's why an audit on Eddie would be very useful to find security problems. Curious about the answer.
flat4 79 Posted ...
I may be wrong here, but those are penetration tests, how does it test to see if they have logs? Those tests are to make sure hackers cannot get into their network.
pFsense it works
Guest Posted ...
Literally the second link is an "IVPN Privacy & No-Log Audit Report".
"To give more details, the main focus of the audit placed on a set of two major claims made by IVPN and aggregated to the following items:
• Claim 1: IVPN performs no logging of traffic, IP addresses or DNS requests.
• Claim 2: IVPN does not carry out any statistical logging of customer-traffic"
flat4 79 Posted ...
Oh, not sure that having an audit will make AirVPN more credible than it already is. Air has a reputation of shutting down servers when a data center or climate is not living up to the standards.
Guest Posted ...
Absolutely nothing speaks against having these claims verified. They could publish the results on the website and attract more potential customers. If the no-log audits are too complex and expensive for AirVPN, then they should at least do the pentest for Eddie. From what I've seen, Cure53 has found serious security holes in every audit. What's wrong with offering your customers a more secure app?
Guest Posted ...
Cure53 did many more audits than just for VPN companies.
https://cure53.de/#publications
They did pentests for Mozilla, 1Password, Threema, F-Droid, crypto wallets, etc. They are a really reputable company in the industry. Also, it doesn't even have to be Cure53, it would be just as good if AirVPN did a pentest from some other reputable company.
As for the other points: I agree that the no-log audit is maybe not really necessary, because the VPN provider could start logging after the audit completed. Yes, AirVPN is open source, but so are IVPN and Mullvad. Cure53 still found critical security issues in their software. Open source doesn't mean 100% secure. There could be plenty of security issues in Eddie. Therefore, absolutely nothing speaks against doing a pentest on Eddie to fix security issues.
I only see 3 reasons AirVPN wouldn't want it:
1. Too expensive.
2. They don't care.
3. They are afraid that a pentest would find lots of issues and hurt their reputation.
OpenSourcerer 1435 Posted ...
An independent audit paid by the audited is de-facto dependent. A truly independent audit would be a crowdfunded audit, where users are both the payer and the stakeholder. Wouldn't that be a revolutionary idea of a VPN audit, where auditors, users and the VPN provider sit at a round table and steer the audit collectively, keeping everyone in the loop?
I tend to agree with some points Mr. airvpnforumuser made.
4 hours ago, AirUser#63567 said:
1. Too expensive.
2. They don't care.
3. They are afraid that a pentest would find lots of issues and hurt their reputation.
With the development of the AirVPN-Suite and the in-dev TUI and GUI for Bluetit I'd say, yes, 1: The costs far outweigh the benefits right now. There are no plans posted anywhere for that, I believe, so it's a personal assumption, but I think Eddie will be replaced sooner or later by this suite on macOS and Linux, then a general code cleanup must be done for Eddie to focus on functionality and security on Windows and .NET instead of also taking care of the eventuality that it may be running in Mono.
NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.