Staff

A good re-collection of the leaks so far. It partially answers to our initial questions. http://www.forbes.com/sites/andygreenberg/2013/06/25/take-a-break-from-the-snowden-drama-for-a-reminder-of-what-hes-revealed-so-far/ Kind regards

Hello, far from defending our competitors, but everything you report points to severe problems on your end. Connections stability with OpenVPN and best datacenters is nowadays "an industry standard". It's mathematically impossible that you experience instability with every and each of Air and Air's competitors servers if it was not a problem on your end (or on your ISP, hopefully not). Just look at the servers monitor top connection times from clients to have an idea about OpenVPN and our servers stability. We have clients continually connected since weeks! Think about it: how could it be possible that 38 servers in more than a dozen completely separated and different datacenters connected to tier1 providers are ALL so unstable? Please do not hesitate to open a ticket, we will do our best to try to detect the problem. Kind regards

Hello, you should disable the DNS re-bind attacks filter, it's clearly a false positive probably due to the fact that speedtest.air is resolved into an address within the private network, an address which is also the VPN DNS IP address (when you connect to 443 UDP). Kind regards

Hello, please follow the guide https://airvpn.org/ios (click "iPhone", iPad screenshots are slightly different). About Safari, just make sure that it runs in full-mode, not in mobile-mode. If you wish to transfer files from PC to iPhone, you'll need iTunes, or you can e-mail to yourself the files (and open those e-mails on the iPhone). Anyway, using Safari in full-mode will allow you to download the configuration files directly with and into your iPhone, as described in the instructions. Kind regards

Hello, in this very moment your account is connected and exchanging data, can you please check what you see on your "Client Area" and on the central bottom box (important: browsing from a machine connected to the router and logging in with the same Air account you use to connect from the router)? Kind regards

Hello, with Comodo firewall it's easy and quick to check that, look at the "View Active Connections" window. Traffic to/from your VPN IP (10...) is tunneled. Traffic to/from your computer physical network card IP address (for example 192.168...) must be only to/from the server entry-IP you're connected to (normally only openvpn.exe will have such established connection). See also here about how Comodo can help you prevent any possible leak, even when system processes running with high privileges try to bypass the tunnel (see svchost.exe for DNS leaks) or even when the VPN disconnects unexpectedly: https://airvpn.org/topic/3405-windows-comodo-prevent-leaks/ Kind regards

Hello, TLS 1.1 and 1.2 are available on 212.117.180.25. If you wish to use them right now you should resolve airvpn.org to that IP address and force the browser to TLS 1.1 or 1.2. AES-256 is available as well. TLS 1.1 and 1.2 on the other two public frontend servers are planned to be implemented within the next 24 hours. Please note that TLS 1.0 and SSL 3.0 will remain available at the moment, in order not to cut out of the system Firefox, Chromium, Chrome, Iceweasel and many other browsers versions that do not support TLS 1.1 and 1.2 (perhaps more than 3/4 of our users) or that support them but require explicit user configuration to enable them. Kind regards

Hello, yes, that's correct, because if you run a browser configured to connect over the SAME TOR proxy to which OpenVPN is connected as well, that browser will tunnel its traffic over TOR only, not over OpenVPN over TOR. If you wish OpenVPN over TOR use a browser NOT configured to connect over TOR. If you wish TOR over OpenVPN, first connect OpenVPN then launch TOR and use a browser configured to connect over the TOR proxy. If you wish to connect over TOR, while connected over OpenVPN over TOR, connect a host over OpenVPN over TOR, then launch a VM (attached to the host via NAT, not bridged) and use TOR on the VM (so that on the VM you'll have connections over TOR-variable circuit over OpenVPN over TOR-another fixed circuit). Kind regards

Thanks! We'll investigate on Cassiopeia. Kind regards

Hello, please input ALL those commands (in that order, starting from ipconfig /flushdns) and send us the output at your convenience. Kind regards

Hello, if DropBox was hogging all your bandwidth, it could have caused a timeout in the TLS "handshake"... just speculation anyway. Kind regards

Hello, your account is now successfully connected, is it alright now? Kind regards

Hello! Your account is still successfully connected to some Air server. Stopping the VPN service will cause the connection to drop... if there's something wrong (for example Tomato does not really stop the service for some reason), go to your "Client Area" while logged in with the same account you use for VPN connection, and click "Disconnect Now" button. Your account will be forcefully disconnected in a few seconds. Kind regards

Hello! With reference to this: https://airvpn.org/faq/locations can you tell us if you need a French server to access some French services only (if any, which ones?) or you need a French server in general? We ask because we have privacy problems with some datacenters we have contacted in France, they seriously fail comply to some of our non-negotiable privacy requirements; on the other hand, such compliance is not necessary for routing servers. Kind regards

Hello, as already quoted, "During SSL/TLS rekeying, there is a transition-window parameter that permits overlap between old and new key usage, so there is no time pressure or latency bottleneck during SSL/TLS renegotiations." By the way, you can use the reneg-sec directive (default is 3600 seconds) to disable it (not recommended). https://community.openvpn.net/openvpn/wiki/Openvpn23ManPage --reneg-sec n Renegotiate data channel key after n seconds (default=3600). When using dual-factor authentication, note that this default value may cause the end user to be challenged to reauthorize once per hour. Also, keep in mind that this option can be used on both the client and server, and whichever uses the lower value will be the one to trigger the renegotiation. A common mistake is to set --reneg-sec to a higher value on either the client or server, while the other side of the connection is still using the default value of 3600 seconds, meaning that the renegotiation will still occur once per 3600 seconds. The solution is to increase --reneg-sec on both the client and server, or set it to 0 on one side of the connection (to disable), and to your chosen value on the other side.

Hello, do you know whether contents are the same from Sweden, Finland, Norway, Denmark, or not? Kind regards

Hello, yes, understood, all the previous message by a staff member was built assuming your hypothesis was true AND assuming that the final node was monitored as well AND assuming that a powerful correlation system is in place. Sorry if it wasn't clear. Kind regards

Hello! How to determine which versions and service pack levels of the Microsoft .NET Framework are installed: http://support.microsoft.com/kb/318785 How to check your Windows version: http://windows.microsoft.com/en-us/windows/which-operating-system Kind regards

Hello, does anybody else experience the same problem? Currently no problems are reported, neither from users nor from our monitoring system. Kind regards

Hello! Not really, furthermore there are crucial missing data, among which, relevant to this argument: correlations. Are correlations performed? If so, how? Assuming that a certain degree of correlations is actually performed, for example (just an example) timing attacks against a datacenter, some precautions are necessary to transmit sensitive data or anyway to keep the anonymity layer: connect to a VPN server which is located outside your country and outside the countries of the adversaries and use end-to-end encryption (to enhance content protection). Additional protection: connect over OpenVPN over TOR https://airvpn.org/tor - then launch a VM and connect the VM over TOR. Finally use only the VM to receive/transmit data, so that: VPN server will receive data from a fixed TOR circuit ; when the data get out of the VPN server, they will enter ANOTHER TOR circuit. As before, end-to-end encryption is applied. In this way you have astronomically high chances to defeat an adversary which is monitoring and correlating connections both from your node AND the destination node; or you can defeat two adversaries that co-operate with each other, one monitoring your node and one monitoring the destination node (which is a worse scenario than that currently one described by the leaks). Content is absolutely protected just by end-to-end encryption; correlations are made extremely difficult, the adversaries should have an incredible stroke of luck in being able to correlate with a high degree of confidence data from two different TOR circuits + VPN server staying in a different jurisdiction. Kind regards

Hello, according to the currently available data, a VPN would be more than enough to protect your privacy against PRISM etc. However chances are that important information are still missing. Besides, some information should be technically clarified. Please read this article, written more than a year ago, to identify which adversaries can be defeated and how: https://airvpn.org/topic/54-using-airvpn-over-tor/?do=findComment&comment=1745 Note that the service is able to defeat adversaries with the currently known NSA abilities and adversaries with higher power as well. About the linked articles on GCHQ, according to the currently available information, end-to-end encryption alone (for example gpg for e-mails, encrypted end-to-end VoIP (with keys owned only by the ends, never by the VoIP servers) for voice/video communications) is sufficient to defeat the system on the content side. As a precautionary measure, however, it should be assumed that the effective abilities are higher than those publicly leaked, therefore additional protections should be taken: once the content is protected, a combination of VPN+TOR can be used to prevent the disclosure of the origin of the encrypted content. Kind regards

@Baraka Hopefully momentary problems from your ISP or somewhere between your node and the server. We don't detect any particular problem with that server. Kind regards

Hello, we don't have a routing server in Norway, but we'll discuss about it during the next week. Kind regards

Hello! We're sorry, it's a glitch related to timezones, it will be fixed in the next client release. It does not affect VPN connectivity in any way. Kind regards

Hello StarDuck, we confirm that Winpkfilter is not included in OpenVPN package. You must have had it from somewhere else. Kind regards