LZ1 reacted to zhang888 in AirVPN.exe Unknown Publisher ...
The higher danger is usually with bigger brands that have many distribution platforms.
For example, it is really hard for popular P2P or music apps to verify their integrity with
their potential users, since any *torrent client downloaded from some 3rd party location
can be bundled with adware/malware, just like happened before with CNET and SourceForge.
AirVPN however has only 2 official locations, the SSL website and Github source tree.
This is why you have to download it only from https://airvpn.org/windows or from Github,
and then verify the hashes.
Any other builds should be considered untrusted.
LZ1 reacted to zhang888 in AirVPN.exe Unknown Publisher ...
This requires obtaining a special "Code signing" certificate from a trusted Certificate Authority (CA).
While most trusted software packages want to have this kind of a signature for their installer
packages, the fact that AirVPN is providing a free, open-source client actually makes this a little
Let me try to explain why.
The code signing certificates can be potentially issued to anyone claiming to have a brand. There
are many examples where a person can obtain a certificate for an entity he doesn't control, just for
example, if you now register a domain such as AirVPN.nl, and would like to have a code signing
certificate for this entity, you will most likely be granted to have it for something like ~$100/year.
So you have to check even signed executables very carefully, they don't mean anything except
that the publisher was partially verified by a CA. Just like you cannot trust a site with SSL green
"lock" not to be malicious, for that matter. This is only a small part of the bigger picture.
A Windows "code signing" certificate is relatively easy to obtain (unlike the Windows Driver
signing certificates that are much harder and require physical contact with Microsoft).
There are many examples of Adware programs that do have a code-signature, just to name
a few, anything you download from these shady "Registry/PC cleaning" websites will be signed,
usually by some East European or Asian company, like one of the hundreds of examples:
What you have to do, if you want to maintain security, is to verify the hashes of the AirVPN client
you are downloading, and the hashes are available just near the download button, you can't miss it.
This will not only ensure that you download the trusted, unmodified installer, it will also mean that
every time you upgrade it you can still rely on the new hashes that are published by the authors.
The way software is distributed in other platforms, such as *nix, has already had this implementation
for years, and usually the package manager does the signature verification for you transparently.
This process ensures integrity on much higher levels than just checking the issuer brand/email.
So, to summarize, the code signing certificate only adds a cosmetic "trust", where the real trust should
be based on what you download, from which origin, and the best of course is - is this software really
open source and can be built on your own system, producing the same executable? (deterministic builds).
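The hash check described in the post above, as an added example that is not part of the original post and is not AirVPN's own code. It assumes the published hashes are copied from the official download page as `hexdigest  filename` lines (the `sha256sum` listing format); the file name and sample bytes are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> algorithm (assumption: the publisher uses SHA-256 or SHA-512).
ALGO_BY_HEX_LEN = {64: "sha256", 128: "sha512"}

def parse_published(listing: str) -> dict:
    """Parse 'hexdigest  filename' lines copied from the official page."""
    published = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' = binary-mode marker
        if len(digest) in ALGO_BY_HEX_LEN and set(digest) <= set("0123456789abcdef"):
            published[name] = digest
    return published

def file_digest(path: str, algo: str) -> str:
    """Hash the file in chunks so a large installer is never fully in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path: str, listing: str) -> str:
    """Return 'ok', 'mismatch', or 'unlisted' for a downloaded file."""
    expected = parse_published(listing).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no published hash for this name: treat as untrusted
    actual = file_digest(path, ALGO_BY_HEX_LEN[len(expected)])
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"

def demo() -> tuple:
    """Constructed sample: a stand-in installer, then a modified copy of it."""
    path = os.path.join(tempfile.mkdtemp(), "installer-example.exe")  # hypothetical name
    with open(path, "wb") as f:
        f.write(b"constructed installer bytes")
    listing = hashlib.sha256(b"constructed installer bytes").hexdigest() + "  installer-example.exe\n"
    before = verify_download(path, listing)
    with open(path, "ab") as f:
        f.write(b"bundled extra")  # stands in for a repackaged build
    return before, verify_download(path, listing)
```

The result is only as trustworthy as the origin of the listing, so the published hashes must come from the official site over HTTPS, not from the place the file was downloaded from.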
LZ1 reacted to Staff in What's the point of VPN over TOR? ...
Thank you for the nice discussion.
Absolutely not: Air has been designed exactly with the purpose to leave the option to customers to NOT allow the admins to know the identity from the login credentials. It is well explained in the link given in the previous post: if you buy a code with Bitcoin from an independent reseller and you connect over TOR, there's no way in this world that Air admins can get to know your identity.
Unfortunately not. If you use only TOR, you anyway need to trust:
- that the exit node is not malicious or compromised;
- that your adversary does not control the relevant portion of the TOR network you connect to. Control over the TOR network is possible by an adversary with enough power (for example a well determined government which controls the ISPs and the border routers).
Bypassing the trust on one single party requires partition of trust. So, with VPN over TOR you defeat a malicious exit node and an adversary which has the power to control your line AND (the Air server you connect to OR the relevant portion of the TOR network). With TOR over VPN, you can't defeat this type of adversary and you don't defeat a malicious exit node.
LZ1 reacted to OmniNegro in network connection issue ...
Try resetting your home page to airvpn.org, and if that fails, then you probably have one or more trojans messing things up for you.
Consider a reinstall of Chrome, or even better a replacement of Firefox instead of Chrome. Go here to make a profile for Firefox that will get rid of all the privacy and security junk you do not want.
If you stick with Chrome, I cannot really help you since I have never tried it.
LZ1 reacted to Staff in 90% of All SSL VPNs Use Insecure Or Outdated Encryption ...
AirVPN is in that 2.94% of VPNs put in "A" (best) grade and PCI DSS compliant (according to their own tool at least).
LZ1 reacted to snapz in How do you use your VPN? ...
I use it for everything but I don't use social media.
I'm a customer of Telenet (https://www2.telenet.be/nl/) which is the largest provider of cable broadband services in Belgium. But since 2007, an American company, Liberty Global owns a 57.8% stake in Telenet (correct me if I'm wrong). Shortly after I started with VPN. And I'm a bit allergic concerning USA companies. U know, patriot act and other shit.
I'm sure my ISP logs metadata. So I feel safe behind my AirVPN connection.
@ AN566, love your signature
LZ1 reacted to GMPSQ in AirVPN does not recognize ICANN authority anymore ...
The United States is an enemy of the Internet. More and more our technology and communications are captured illegally and stored for many years and then used against us in court. The government seems to sincerely believe that it owns the Internet and regularly hacks into foreign servers to retrieve data, seizes domain names, etc. and any citizen who can be considered a hacker under broad laws will be thrown in prison.
My warning as a US citizen is to watch out, encrypt, keep everything secure, keep data offshore, and avoid any US-influenced entities such as ICANN.
Thank you AirVPN for the great continued service. I've been using multiple VPN connections almost constantly for the past year everywhere and as far as I can see that will continue.