Search the Community

Hello, In the "Guide to Getting Started + Links for Advanced Users" under "Which other steps can I take to increase my privacy and security" it states: If you're looking for a technical challenge, you can install pfSense on a very powerful computer, to make it act like a router, so that all devices connected to your Wi-Fi will be covered by the VPN.If you're a geek or networking enthusiast, you can also check out things such as the Turris Omnia router, which offers very powerful hardware & software. So my question is: What is the functional difference between the two? One's a small computer you recommend turning into a router. The other is basically a supped up open source router running openWRT. Upon inspection, I'm not quite sure why this router (Turris Omnia) was recommended over something like the Asus RT-AC5300. I'm essentially looking for the most secure router possible.

I'm looking for the best anti-malware protection on my windows 10 computer, HP. What would you all recommend? I'm doing a general setup for tightening security. I'm bought the VPN through AirVPN, Email through StartMail Search engine through Startpage (utilizes Google search but sends anonymous queries through their server, under Dutch Law) Thanks.

https://arstechnica.com/tech-policy/2017/03/senate-votes-to-let-isps-sell-your-web-browsing-history-to-advertisers/ Comments, questions, concerns.

The House of Representatives is expected to vote to allow Internet service providers (ISPs) like Comcast, Verizon, and AT&T to sell your sensitive personal information to advertisers without your permission. https://www.savebroadbandprivacy.org/?link_id=0&can_id=b5f25476933de4520652da14a95ae0c5&source=email-vote-is-tomorrow-5&email_referrer=vote-is-tomorrow-5&email_subject=vote-is-tomorrow Comments. questions,

Protonmail launched a Tor Hidden Service, any comments or questions? https://protonmail.com/blog/tor-encrypted-email/ onion link https://protonirockerxow.onion Onion server Certificate should be verified before logging in. Sha256 D6:D5:26:07:F9:5F:41:D3:92:AD:EE:59:CE:29:AB:E0:B3:E8:2F:30:EA:1E:6B:8F:9D:12:09:42:F0:35:BB:65

Hi, I have a suggestion that should increase security for Air and customers. My suggestion is for Air to configure an optional system of multifactor/two-factor authentication for logging in to the AirVPN website, as well as for the initial setup of the Eddie software (entering login details). This can be enabled or disabled by the user and accomplished by either: a smartphone app such as FreeOTP (which is open source and available for iOS/Android).a hardware device such as Nitrokey (which is open hardware) or a similar USB one time password generator (Yubikey, etc.) The user will be prompted on their phone or mobile device with a number to enter in additionally to their password. This makes sure nobody but the authorized user has access to the account, profile, etc. Air would probably be the first VPN provider to have this as an option. Regards, anonym

Hello, I have been reading about the differences between UDP and TCP and they basically say that TCP is more reliable, as it does some extra "error-checking stuff", while UDP does no such thing. From that I can inferr basic things for example: TCP guarantees that your downloads are not corrupt in case of connection problems and so on. But as a newbie, i am not sure how to interpret that in another context: Do these extra error checkings also protect your privacy and anonymity against (theoretically) any kind of hacking, like intercepting and compromising the packets, or sniffing them ie spying on your activity online (from the government for example) ? And would i be at a disadvantage when using UDP in that case? Thank you

Hi! I would like to start a discussion on the following paper on IPv6 and DNS security issues, in particular because it explicitly mentions AirVPN as vulnerable: (STAFF EDIT: by a gross mistake) "A Glance through the VPN Looking Glass: IPv6 Leakage and DNS Hijacking in Commercial VPN clients" http://www.degruyter.com/view/j/popets.2015.1.issue-1/popets-2015-0006/popets-2015-0006.xml (click on "Full Text PDF") The paper discusses two separate attacks: 1. IPv6 Man-in-the-Middle through Router Advertisement This has been discussed for years and there are several exploitation tools available to mount an attack yet awareness of the problem seems to be very very low. Essentially the problem is that most OSes have IPv6 enabled and prefer it over IPv4, yet almost all local networks are IPv4 only. An attacker can advertise himself as an IPv6 router, and your OS will start sending all your traffic to him because IPv6 is preferred. He only needs to be on the same local network as you are, which is the case for public WiFi etc. There are several news items giving an easy explanation of the attack, e.g. https://www.virusbtn.com/blog/2013/08_12.xml The attack is also known as "SLAAC Attack" as dicussed already in 2011 here: http://resources.infosecinstitute.com/slaac-attack/ Tools to try it out: - SuddenSix (Linux bash script) https://github.com/Neohapsis/suddensix Presented at DEFCON 21 (2013): https://www.defcon.org/images/defcon-21/dc-21-presentations/Behrens-Bandelgar/DEFCON-21-Behrens-Bandelgar-MITM-All-The-IPv6-Things.pdf - Evil FOCA (Windows, also does DNS Hijacking) https://www.elevenpaths.com/labstools/evil-foca/index.html Also Presented at DEFCON 21: http://www.slideshare.net/chemai64/defcon-21-fear-the-evil-foca-mitm-attacks-using-ipv6 - THC-IPV6 with fake_router6 (Linux) https://www.thc.org/thc-ipv6/ Defense against the attack is very simple: Turn off IPv6 on your machines! Windows: https://support.microsoft.com/en-us/kb/929852 Linux: http://www.binarytides.com/disable-ipv6-ubuntu/ Mac: http://osxdaily.com/2014/04/18/disable-ipv6-mac-os-x/ Android: https://play.google.com/store/apps/details?id=de.lennartschoch.disableipv6&hl=en AirVPN can help by adding functionality to the AirVPN client to set IPv6 routing tables as well and make sure IPv6 traffic goes to the VPN interface. 2. DNS Hijacking through route injection This more advanced attack also comes with more prerequisites, the attacker needs to control the WiFi router. Given generally poor router security this is not too much to ask though. When the attacker sees you are connecting to a VPN, he notes the VPN provider you are connecting to and creates a virtual interface on the router with the IP address of the DNS server used for the VPN. With a low DHCP lease period he forces you to renew your DHCP lease and now gives you the virtual interface as default gateway. This messes up your routing tables enough so that all your DNS requests will now go to the attacker-controlled router and not go through your VPN tunnel. A proposed way to detect the attack would be for the AirVPN client to do repeated DNS checks for specific domains that only the AirVPN DNS servers can resolve. A way to fully mitigate the attack seems to be to have the default gateway for the VPN also be the DNS server. If it's any consolation, of the 14 VPN providers tested, only four had clients that protected against IPv6 leaks and only one was not vulnerable to DNS hijacking.

I was testing my security using this site: https://ipleak.net/ While the IP and DNS is secure, and even torrents. It still got through with the WebRTC check. Is there any way to stop this leak?

I would like to request that AirVPN change the gift voucher system so that we can purchase by a time period instead of by an amount. A good example of why length is a better system is that we could take advantage of the current sales to buy time to use for 6 months at the sale rate and then give it as a gift. When we can only purchase by amount, then giving someone a gifted amount means they get less time because they purchase at the regular rate. Personally I want to add credit to my account but there is no point if I have to make a new account afterwards so I can have new certificates. On that second point, please allow us to regenerate new certificates. Its a good idea to regenerate your certificates every 3-6 months and currently the only way to do that is to create a new account.

Hi, Like it says in the documentation, and as is usual, upon the first connection to a ssh server to open a ssh tunnel, the authenticity via the ECDSA key fingerprint is stated. The documentation says to just accept it. But this is dangerous as it allows any intermediate to open a MITM attack. So please compile a list of all servers (with their IPs) and their fingerprints so we can match them on the first connection. Thanks!

A few days ago, Obama supposedly gave control of the Internet's global Domain Name System from ICANN (where it's been FOREVER) to the United Nations... thoughts? - http://www.foxnews.com/politics/2016/06/09/obama-administration-backs-plan-to-relinquish-internet-control.html - - -

Hi guys, ​ ​Just want to firstly say thank you for the services you provide. I just have a few questions that I would like some discussion on if possible. My setup for using Tor through Airvpn's client is a s follows, my OS is Ubuntu, Mate, Mint or Windows as the base OS which I use to connect the VPN. I then use VMware or virtual box, mostly virtual box due to it not being proprietary to launch a fully contained Tails instance from an .ISO file without persistence, which I then use to connect to Tor. In the Eddie client I have Network lock active at all times, I remove the default gateway and even block ping and the private network access. I have however noticed that if you use DHCP, the default route is reconfigured after a few minutes even though network lock has removed it. I switched to static addressing and this issue hasn’t come up since. I am not sure if you are aware of this. I use this setup because Tor and Eddie's network lock feature isn’t compatible as yet and I do not like the idea of using the VPN without it. I would just like to know any views on this setup and any suggestions on improving security even further. ​ ​I also stumbled on this new feature in Firefox network.dns.blockdotonion, a new preference setting introduced in Firefox 45.0. Any thoughts on this? Why would they want to block .onion dns queries or dns results?

First day on AirVPN. After about 30 minutes I changed server. Reconnect in infinite loop. Shut down AirVPN and restarted - no change. Shut down everything, ran CCleaner, and rebooted. AirVPN came back up without any loops. Changed servers several times - no problem connecting. Another issue showed up when changing servers. Before changing servers ChilliTorrent speed display was close to AirVPN. After changing to a different server with faster response time, ChilliTorrent increased in speed (more than doubled to 900+ Kb/s and fairly steady. AirVPN download displayed 0-100 b/s (most of the time at zero). Upload speed was also near zero. My first thought was that the torrent was not going through the VPN. Leak tests and IP verification passed. Changed again to another server with same results. Shut down AirVPN and logged in again. Same results. Changed to another country. Same results. When everything is shut down, system cleaned and rebooted then AirVPN displays approximately the same as torrent client. This speed indicator issue does not happen on every server change. But when it does is doesn't matter what server is connected including the previous server. It was noticed that AirVPN speed sample is not filtered like the torrent client. When the torrent client is uploading at 40 Kb/sec and the VPN display consistently shows less than 200 b/s and torrent is downloading at 900 Kb/s and VPN shows less than 200 b/s, and mostly zero, something seems amiss. Should there be concern about the traffic not going through the VPN? The lock is always activated before connecting to a server and in all cases the closed lock is displayed. A little more data. On the resource monitor, listening ports are confined to my computer LAN address, two 10.xxx.xxx.xxx addresses, and fe80::d8a:d521:4fd6:1a30 from svchost.exe (localServiceAndNoImpersonation). On TCP connections, only my computer and a single 10.xxx.xxx.xxx addresses are displayed. Remote addresses are as expected - all over the map. Anyone have any thoughts on what to look at next? This doesn't seem to be a leak. Any concern on my part is the initial setup was almost too easy. I chose open VPN and was up and running in a few minutes. Nice job on a good customer interface.

Update. The FBI falls 2 votes short of viewing our browsing history without a warrant http://thenextweb.com/insider/2016/06/23/fbi-falls-2-votes-short-of-viewing-our-browsing-history-without-a-warrant/ But this has not been made final yet.{ http://www.decidethefuture.org LESS THAN 24 HOURS REMAINING: The Senate is about to vote on an amendment that would give the FBI your browsing history without a warrant.} I saw this very important info and thought that the community at airvpn should know. This would effect vpn's. The U.S. government wants to use an obscure procedure—amending a federal rule known as Rule 41— to radically expand their authority to hack. The changes to Rule 41 would make it easier for them to break into our computers, take data, and engage in remote surveillance. These changes could impact any person using a computer with Internet access anywhere in the world. However, they will disproportionately impact people using privacy-protective technologies, including Tor and VPNs. https://noglobalwarrants.org/#take-action ALSO http://www.decidethefuture.org LESS THAN 24 HOURS REMAINING: The Senate is about to vote on an amendment that would give the FBI your browsing history without a warrant. Please post any comments you have about these possible rules/bills

AirVPN OSX client is using an OpenVPN binary version 2.3.8, according to the changelog it has several vulnerabilities that has been corrected in newer versions https://community.openvpn.net/openvpn/wiki/ChangesInOpenvpn23. Replacing the binary inside the App for the OpenVPN 2.3.10 Binary (Brew version) works fine, so probably it would be easy to update the client. Thanks!

DANE (DNS-based Authentication of Named Entities) is one more attempt to replace the reliance of web browsers on Certificate Authorities. DANE leverages the downsides of security in TLS, allows to specify which CA is allowed to issue certificates for a certain resource and to certify the keys used in the domain's TLS servers by storing their fingerprints in the DNS record. For this the DNS record must be signed with DNSSEC. I request opinions and thoughts on the implementation of DANE for the AirVPN website.the consideration of implementing this feature in the future.AirVPN could be the first VPN service wordwide to offer this security feature (as far as my information is correct). Like Posteo who is the first mail provider in Germany who implemented it - and maybe worldwide.

Some of the popular vpn's pre-shared Secret keys. Read this article talking about there simple keys. https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa

Hi, I have a Mofi 4500-4GXeLTE-SIM4 V2 4G/LTE Router (this is a router combined with the cellular radio) connected to Verizon (ISP). First question I hope it's an easy one, can I configure AirVPN on the Mofi router itself, so any device connected will always use VPN? Second question is about port forwarding. To this router I'm planning to connect a surveillance camera system that it's a dedicated appliance (not an actual computer from what I can see) and I need to be able to access from outside. I need to open ports 80, 5445 and 5446. Reading some information it seems that AirVPN cannot do port forwarding below port 2048, is there any workaround so I can see port 80 from outside? Third question is about the static public IP address, I assume I don't get a static address from AirVPN, so I guess I have to use a Dynamic DNS to gain access to the camera system, right? Your help is much appreciated.

I came across a xkcd comic once (I hope it was not here, this would be a duplicate, then) and wanted to link it here. It's about password strength. I see lots of names here on the forums which are actually no names at all since they look randomly generated. I can imagine lots of you randomly generate your passwords as well. I've also done this in the past, using Kaspersky's Password Manager to store them. One day I downgraded back to Internet Security, and since the only version with the Password Manager is Kaspersky's Total Security Suite, I needed to save all of them. There was no export button so I needed to either change them or write them down. Some were changed, some were written down. And of those I wrote down a few went missing, including the password to my Bitcoin wallet. There was no trying to remember it, it was a 16+ character salad with letters (both uppercase and lowercase, of course), numbers and symbols. I learned and changed my tactics. I'm now compiling sentences, take the first letter of all words and make a character chain out of them, including all numbers and symbols. The sentences you compile that way heavily rely on what information they contain and how you express yourself, therefore, they contribute to the uniqueness of a password. By taking facts about the website you enter the password to you create unique passwords without the need to directly remember it: Look at the website, remember what you were writing about and you've got your password again. And the PIN codes in the title? I just wanted to link a blog post about PIN number analysis. Interesting read.

https://www.perfect-privacy.com/blog/2015/12/21/wrong-way-security-problem-exposes-real-ip/ @AirVPN Does your client handle this problem with the Network Lock?

Hello, I just stumbled across this very interesting paper comparing VPN vulnerabilities of commercial VPN services: http://www.eecs.qmul.ac.uk/~hamed/papers/PETS2015VPN.pdf It is a very interesting read. Relying on tests performed between Sep and Dec 2014, the researchers found that all 14 commercial VPN providers examined are vulnerable to either IPv6 leakage or DNS hijacking, therefore failing to provide the privacy they advertise. I apologize if this has been discussed before, but I am concerned that those vulnerabilities could give away my IP address even if I use AirVPN. So my questions to the AirVPN provider: - are you aware of these issues? - what is your plan to close the vulnerabilities? - is there a way for us, the end user, to verify whether we are subject to those issues? As a countermeasure to IPv6 leaks, I have disabled IPv6 on my OS X and Linux clients (iOS is not affected). I am not sure how to counteract the DNS hijacking. I hope we can have an open discussion on this forum and thanks for any suggestions.

Hi, Should we be worry about this new vulnerability ? Thanks. reference url https://thehackernews.com/2015/11/vpn-hacking.html

Dear members, As i live in the country x, is it safer to choose a server that's not in country x? Many thanks

I was browsing with AirVPN running and I saw this HTML injection on a site (see attached InjectedHTML), when I turned off the VPN it was gone (see NoVPN_HTML) - this seems to indicate that your VPN node was compromised. Has anyone had this happen and what does it mean for all of my other private data