
Independent Audits

Guest

IVPN just had an audit done by Cure53 on their clients, and there were security issues found which can now be fixed.
https://cure53.de/pentest-report_IVPN_2022.pdf
IVPN also has a no-log audit, proving their no-log claim through an independent company.
https://cure53.de/audit-report_ivpn.pdf

Mullvad did several audits in the past:
https://cure53.de/pentest-report_mullvad_2021_v1.pdf
https://cure53.de/pentest-report_mullvad_2020_v2.pdf
There are other providers too:
https://cure53.de/pentest-report_mozilla-vpn.pdf
https://cure53.de/pentest-report_lightway.pdf
https://cure53.de/pentest-report_tunnelbear_2020.pdf

So why doesn't AirVPN have any audits? There is a big difference between "trusting" a company that they don't log and an independent audit proving it. Also, no software is perfect; that's why an audit of Eddie would be very useful to find security problems. Curious about the answer.

Guest
Literally the second link is an "IVPN Privacy & No-Log Audit Report".

"To give more details, the main focus of the audit placed on a set of two major claims
made by IVPN and aggregated to the following items:
• Claim 1: IVPN performs no logging of traffic, IP addresses or DNS requests.
• Claim 2: IVPN does not carry out any statistical logging of customer-traffic"

Guest

Absolutely nothing speaks against having these claims verified. They could publish the results on the website and attract more potential customers. If the no-log audits are too complex and expensive for AirVPN, then they should at least do the pentest for Eddie. From what I've seen, Cure53 has found serious security holes in every audit. What's wrong with offering your customers a more secure app?

Doesn't it appear 'odd', to say the least, that cure53 seem to be in the market of auditing VPN companies? Quite frankly this is nothing more than marketing fluff only designed to trick the most gullible of users. Those with the paranoia of Snowden know not to trust such feeble attempts at trying to 'prove' their claims. AirVPN knows the best method is to practice what they preach and verify outwardly in everything they do - notice that, for as long as I've known AirVPN, I can't remember any single major controversy in how they have acted, or concerns regarding their conduct/behavior.

Most importantly, however, is that AirVPN is the undisputed king of OpenVPN software by a long distance. A VPN company is both a software dev (clients for ease of access) and a network provider (servers, configuration). I consider both Air and Mullvad pioneers in this regard (Mullvad for example is experimenting with diskless servers and allows users to pay in cash which is a payment method I'd love to see Air support).

Thing is, AirVPN offers unrivaled support for virtually any OS/configuration you can think of - apps for Windows (even XP!), Mac, Linux, Android... They have made their service accessible to as many people as possible, even those from hostile regimes. From what I can see, they offer the ability to change the protocol from a choice of TCP, UDP, SSH->TCP, all on various ports to attempt to thwart blocks by ISPs; I can't think of a single other VPN provider in this space that offers such extensive means of accessing their servers, in addition to very carefully considered WireGuard support (note they were not the fastest or even first on the scene, but took their time understanding the protocol carefully before adding support for it in their clients). One thing to remember is it took them over 500 days between stable Eddie releases, and over a year between Android Eddie releases; sure it's frustrating, but it shows their dedication to 'getting it right' and ensuring and prioritizing stability. A user commented on why it took so long and, well, the Staff's honest reply speaks for itself ([2]) in how seriously they take their software development.

ALL of their clients' code is open source, builds are reproducible and verifiable so you don't need to trust their binaries, and they published an in-depth guide (see [1]) to how their infrastructure works, allowing anyone to essentially re-implement their clients, which quite frankly affords the most transparency of ANY major VPN provider. They also support Linux natively in ways not a single other VPN provider does; not even Mullvad offers such in-depth, integrated Linux support, AND AirVPN's software supports other providers too!

So with all that being said, what use would an 'audit' provide? It's pathetically easy to design an audit to reveal a favorable outcome; the Staff would even say the same thing if you know the audit is happening. It'd be trivial to only give access to 'select' servers, or make a script to change some settings. Remember, an audit proves for only a few seconds whether or not a provider logs. Imagine the following:

config.sh:

logging: /user_logs.txt -> /dev/null

There, done. Now I do not log!

Once the audit is complete, time to change it back again.

If this is what you want then AirVPN is not the choice for you; people choose AirVPN because of their unparalleled hacktivist work and the essential fact that at no point in the last 10 years of their operation have they been under scrutiny for a mistake or caused doubt that they are trustworthy. In fact, the opposite is true: their work on the OpenVPN-AirVPN branch shows their commitment to advancing the privacy cause by adding new features (all open source, so you know they didn't add a backdoor, for example, and if they did, someone, somewhere would reveal such information).

How many other providers changed OpenVPN? Or even have a developer who is able to? It requires in-depth, expert knowledge to change the fundamental protocol their service is built on.

This is why I use AirVPN and why they have explicit trust.

An "audit" would cause me to cancel and leave because it'd be a pathetic attempt to try and somehow convince users they are to be trusted.

But hey, the choice is yours; if that makes you happy and you purchase a multi-year subscription, then it worked.

(Oh, btw, AirVPN also supports Tor over AirVPN [3] or AirVPN over Tor, seamlessly integrated into their client so you can even hide from AirVPN your 'real' IP address, which again I can't think of a single other provider offering and reaffirms their commitment to true, total, 100% privacy as much as they are able to).

[1]: https://airvpn.org/forums/topic/49671-bluetit-developers-reference-manual/
[2]: https://airvpn.org/forums/topic/49638-eddie-desktop-221-beta-released/?do=findComment&comment=174856
[3]: https://airvpn.org/tor/

Guest

Cure53 did many more audits than just for VPN companies.
https://cure53.de/#publications

They did pentests for Mozilla, 1Password, Threema, F-Droid, crypto wallets, etc.
They are a really reputable company in the industry. Also, it doesn't even have to be Cure53; it would be just as good if AirVPN got a pentest from some other reputable company.

As for the other points: I agree that the no-log audit is maybe not really necessary, because the VPN provider could start logging after the audit is completed.
Yes, AirVPN is open source, but so are IVPN and Mullvad. Cure53 still found critical security issues in their software. Open source doesn't mean 100% secure. There could be plenty of security issues in Eddie.
Therefore, absolutely nothing speaks against doing a pentest on Eddie to fix security issues.

I only see 3 reasons AirVPN wouldn't want it:

1. Too expensive.
2. They don't care.
3. They are afraid that a pentest would find lots of issues and hurt their reputation.


An independent audit paid for by the audited party is de facto dependent. A truly independent audit would be a crowdfunded audit, where users are both the payer and the stakeholder. Wouldn't that be a revolutionary idea for a VPN audit, where auditors, users and the VPN provider sit at a round table and steer the audit collectively, keeping everyone in the loop? :)

I tend to agree with some points Mr. airvpnforumuser made.

4 hours ago, AirUser#63567 said:

1. Too expensive.
2. They don't care.
3. They are afraid that a pentest would find lots of issues and hurt their reputation.


With the development of the AirVPN-Suite and the in-development TUI and GUI for Bluetit, I'd say yes, 1: the costs far outweigh the benefits right now. There are no plans posted anywhere for that, I believe, so it's a personal assumption, but I think Eddie will be replaced sooner or later by this suite on macOS and Linux; then a general code cleanup must be done for Eddie to focus on functionality and security on Windows and .NET instead of also taking care of the eventuality that it may be running in Mono.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

