
Rebuttal of article "Don't use VPN services."


22 replies to this topic

#1 Staff

Staff

    Advanced Member

  • Staff
  • 7568 posts

Posted 30 March 2018 - 11:33 PM

Hello!
 
DISCLAIMER: this post has been written by an AirVPN co-founder (Paolo) and merges the information and the points of view elaborated by the Air founders in more than seven years. Other AirVPN staff members might add additional comments in the future.
 
We have been asked via Twitter to reply to the following post:
https://gist.github.com/joepie91/5a9909939e6ce7d09e29
 
We see that the issues raised by the aforementioned article may be of general interest, so we have decided to post a detailed rebuttal here, meant to fix the remarkable amount of technical misunderstandings and errors which have led the writer to astonishingly wrong conclusions and worrying generalizations.
 
The rebuttal is based on AirVPN only; we can not and we do not want to write in the name of any other service, since most of the considerations you will read here may or may not (and sometimes we know that they will not) apply to other "VPN services". Anyway, it is our right to reply as if the writer were talking about us too, because he/she repeatedly claims that ALL VPN services act in the same way.

 

Why not?

Because a VPN in this sense is just a glorified proxy.

 
 
A "VPN in this sense" is NOT a proxy. Our service encrypts and tunnels all of the client system's TCP and UDP traffic to and from the VPN server. Moreover, our service, when used with our free and open source software, also takes additional steps to prevent traffic leaks outside the VPN tunnel.
 
A proxy tunnels (and not necessarily encrypts) only TCP traffic (proxies can not support UDP), and only the traffic of those applications which are configured to connect to a proxy. UDP traffic, system traffic and traffic of applications which may be started by the system and that you failed to configure (or that you can't even configure in Windows, in some cases) are not necessarily tunneled to the proxy. Not even your system DNS queries are necessarily tunneled over the proxy.

 

The VPN provider can see all your traffic, and do with it what they want - including logging.
There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

 

If we were really interested in logging our clients' traffic, we would not allow connections to and from Tor, proxies and other VPNs. We have always made very clear how to bypass the problem of "trust us" when you can't really afford to do that, and our answer has always been "partition of trust". Please see for example our post dated March 2012 (!) about it:
https://airvpn.org/topic/54-using-airvpn-over-tor/#entry1745

 
There's more. We work under a legal framework where the safe harbors for the mere conduits are very rigidly and clearly defined (specifically, by the 2000/31/EC, the E-Commerce Directive, articles 12, 13, 14 and 15).
https://eur-lex.europa.eu/legal-content/en/ALL/?uri=CELEX:32000L0031
 
The liability exemption for the mere conduit status would not exist if we were not mere conduits. If we inspected traffic and/or modified traffic (e.g. through content injection) and/or selected source and destination of the communications, we would not be mere conduits and we would lose the legal protection on liability exemptions.

We have also two decisions of the Court of Justice of the European Union which clearly define indiscriminate data retention as infringing the fundamental rights of the citizens of the EU:
https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-04/cp140054en.pdf
https://curia.europa.eu/jcms/upload/docs/application/pdf/2016-12/cp160145en.pdf
 
Therefore:

  • from a legal point of view, logging and/or monitoring and/or inspecting and/or modifying the content of our customers' traffic without the customers' explicit and written consent would be a criminal infringement, also subject to civil prosecution by the customers themselves
  • from a business point of view, that would be simply suicidal (more on this later)

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

 

 

It is enigmatic how the writer can make such claims.
 
We charge less than 10 USD per month for our services and we can pay a whole legal firm, 250 servers (physical, bare metal servers), the whole staff, including a tiny team of programmers. We also regularly donate money to organizations and projects whose activities are compatible with AirVPN's mission.
https://airvpn.org/mission
https://airvpn.org/status
 
We're not here only for the money, but if the writer wants to talk about money, so be it. He/she may rest assured that we have planned seriously a business model which remains robust if not rock solid.
 
It is obvious that we must keep our business model solid, because our infrastructure has become large and we have duties toward the people working with us and toward our customers. At the same time we never forget that our customers have transformed into reality the dream to build a rather big project based on and aimed at privacy protection in a time when the whole world was going in the opposite direction. Changing direction now and pointing to a business based on privacy infringements and personal data commerce would not only betray our beliefs and mission and customers, but we would become a goldfish in an ocean of sharks; we could not even think of competing.
 
After 7 years, we have the right and knowledge to claim that a privacy protection mission is not incompatible with the price the writer mentions and with a strictly agnostic network where no traffic inspection or monitoring is enforced.
 
We can also claim confidently that any business plan based on data protection and privacy infringements not declared in the terms of service would crash dramatically in the short-term in the EU: remember the legal framework we live in and feel free to do your own research on real cases and incidents in the recent past.
 
Last but not least, please do your own math and compute the costs to store and "hand a customer traffic data over": they imply costs of losing the mere conduit status, added to the costs of civil lawsuits from that and potentially other tens of thousands of customers. Then compare them to the "costs" (in reality benefits) of no monitoring at all added to the peace of mind to strictly act in a legal/lawful way.
 
Given all of the above, you can easily discern that the quoted assumption is false for AirVPN. The logical, unavoidable conclusion is that AirVPN's best interest, even from a purely cynical, business point of view, is to NOT log (in the most extensive sense of the term) customers' traffic and not trade in their data.
 

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

 
This is partially, only partially, true. HideMyAss was really at risk of going out of the serious privacy protection business soon after the incident occurred: check the massive uproar caused by the event. The AVG acquisition, with the disruptive marketing power of AVG, has probably covered the issue, but the old HideMyAss management hurried to sell the whole Privax company. Who knows, maybe just in time, maybe before the value could be hit too seriously by the incident. We can't know for sure, and the writer can't as well. Anyway, if the writer wants to claim that marketing is powerful, we agree (what a discovery!).
 
The logical jump from HMA incident to the assumption that every service does what HMA did is long. Do not forget that what HMA did would pose a huge amount of legal problems to us, as explained.
 
HideMyAss targeted the same persons who are happily using the new Facebook VPN. We respect the intelligence of our customers and we don't have the arrogance to think that we can change people's minds and competence all over the world in a few years (or ever), and we don't even think that we can oppose the marketing power. More importantly, that's a problem pertaining to HideMyAss. It is not only unfair, but even defamatory to surreptitiously imply that the behavior (good or bad) of certain services is the same as the behavior of any other service, in the same field or not.
 
We have been providing AirVPN services since 2011, when we offered the service as a beta version totally free. Now we challenge the writer of the article to provide any single proof that any single user identity has been compromised by us through a betrayal of our terms of service and our mission and/or through traffic logging or inspection and/or by any infringement of the EU legal framework on privacy and personal data protection. 
 

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

 
False. We provide our users with any tool to never make their "real" IP address appear to our servers. We have also integrated AirVPN over HTTP proxy, AirVPN over SOCKS proxy, and AirVPN over Tor usage in our free and open source software. We don't even block connections from competitor VPN servers. Finally, we accept not only Bitcoin, but Monero and ZCash as well, which are designed to provide a robust anonymity layer on the transactions.
 
If you really don't trust us, you can easily make your IP address never visible to our servers.
 
This is particularly important even if you trust us, but you can't afford (for the sensitivity of the data you need to transmit, for example) to assume that our servers are not monitored by hostile entities, an event that can happen with ANY service, not only VPN services. The fact that we have made every human effort to provide effective and easily usable protections against such occurrences is a proof of our interest in the protection of our customers' privacy.

 

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

 
This is ambiguous, because we would need the writer to define security scope and context exactly. Is he/she referring to integrity and security of data between your node and our servers? Or security of your system? Surely, our service is not meant as a security tool to protect against viruses and spyware, and this is clearly stated at the very beginning of our Terms of Service. AirVPN can't do anything if your system is compromised.
 
However, the above does not imply in any way that our service is a glorified proxy. See the reasons we mentioned above and verify how a loose security mention does not change anything. Additionally, while OpenVPN is the core of our service, it is complemented by an important series of features aimed at protecting privacy and data in all of those cases which OpenVPN alone has not been designed for.
 
Even if you don't run our free and open source software, we and our community have made every effort to provide guides and insights on how to get the most from our service to integrate it in a comprehensive environment aimed at protecting your data and identity. We are very grateful to our community for the invaluable contributions throughout the years.
 
If we were a "malicious VPN provider", does the writer really think that we would have allowed our forums to become a golden source of information for privacy, identity and data protection? Do you really think that we would have provided monetary support to TorProject, OpenBSD, European Digital Rights, Tor infrastructure, etc. etc.?

 

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

 
A part of this has been widely rebutted in our previous reply. Here it will be sufficient to add that even if you don't use end-to-end encryption, even if you don't use Tor on top of an AirVPN connection, a MITM who sniffs the packets at any point between the VPN server and the final destination (including the final destination itself of course) will see those packets coming from the VPN server exit-IP address, NOT from your real IP address and NOT from the entry-IP address of the VPN server you connect to. This is a paramount point which is incompetently (intentionally?) ignored by the writer. It is so important that in some extreme cases it makes the difference between imprisonment and freedom, or even between life and death.
 
Imagine the case of a whistleblower giving out relevant information via VoIP or other applications relying on UDP to a self-proclaimed journalist who then betrays the confidentiality of the source, or even to a serious journalist who is unaware of the fact that his/her computer is compromised, or that his/her line is wiretapped. The whistleblower can't use a proxy reliably. The journalist, or the wiretapping entity, can trace the source IP address and the identity of the whistleblower can be disclosed (just to make a trivial example which does not require any wiretapping or compromised system, think of the Skype exploit, for which any party could discover the IP address of the other party). In most of these cases, end-to-end encryption would have been irrelevant for the whistleblower.
 
Whenever the source can't trust the destination integrity, whether the recipient is in good faith or not, our service makes a vital difference.

 

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.

 
True. We have never said or written the contrary. In addition to changing IP address, which is anyway important in spite of the writer's claims, further steps are strictly necessary to prevent profiling, from "separation of identities" to script blocking, from browser fingerprint changes to system settings obfuscation. Our community has widely covered this issue and provided precious suggestions.
 
Here the writer makes a totally irrational shift: first he/she wants to make you think that our service is just a "glorified proxy", then he/she wants to insinuate that our service is useless because it is not some sort of supernatural system capable of protecting users from their own behavior and from every possible tracking system which exploits the user system, not the service.


 

So when should I use a VPN?
There are roughly two usecases where you might want to use a VPN:

  • You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  • You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

 

The first case is true, and it is very important.

 

However, it is totally false that you can safely rely on a proxy for the second case purpose. Many applications, including torrent software, can:

In the aforementioned cases, correct usage of our service will fulfill the purpose to never disclose your real IP address and/or the UDP traffic and/or the DNS queries. A proxy will not and you can be potentially tracked back, either by copyright trolls or any hostile entity.
 
Additionally, our service has many more use cases:

  • tunneling UDP traffic (not available with a proxy or Tor)
  • circumventing censorship based on IP addresses block
  • circumventing censorship based on DNS poisoning
  • preventing injection of forged packets (not necessarily available with a proxy even in TCP, and surely not when you need UDP flow integrity)
  • using Tor anyway when Tor usage is blocked or triggers interest of ISP or any hostile entity about you
  • protecting your identity when the final recipient of your communications is compromised (not available with end-to-end encryption alone, and not available with Tor when you need UDP, imagine if you need to stream a video in real time which requires source identity protection)
  • making your services (web sites, torrent clients, FTP servers for example) reachable from the Internet when your ISP does not allow port forwarding (not available with a proxy), without exposing your IP address
  • having a static exit-IP address
  • bypassing various types of traffic shaping
  • tunneling simultaneously the traffic of all the devices in your local network, even with remote port forwarding, and even those which can't run OpenVPN provided that you have a device acting as a gateway to the VPN (typical examples a pfSense box or a DD-WRT / AsusWRT / Merlin / Tomato etc. router or any computer configured to work as a router)

and maybe you can see more use cases which we have missed here.
 
The fact that the writer omitted all of the above says a lot about his/her competence and/or good faith.

 

So, then... what?
 
If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own. I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndBox.

 
This is hilarious, and not only because the whole point of the writer's post ends up advertising LowEndBox. :)
 
We will not insult our readers' intelligence with an explanation of why that is a terrible idea when you seek more privacy and some anonymity layer in your interactions with the Internet.

 

Draw your own conclusions.
 
Kind regards and datalove
Paolo

AirVPN co-founder



#2 LZ1

LZ1

    It's nice to be nice to nice people

  • Moderators
  • 1840 posts

Posted 30 March 2018 - 11:52 PM

Hello!

 

This is absolutely fantastic Staff/Paolo. Thank you for taking the time to write that up, with the usual clarity of mind.

 

This is what makes it worth staying here. I saw that post a long time ago too and I know it has been circulated widely in some places, so it's absolutely stellar that you decided to reply with your usual savagery. Well done! :good: :up: :clap:

 

I was surprised you didn't mention that you recently made it possible to accept Bitcoin directly, as well.

We feel that this is an important step, since some payment processors have taken or are taking steps which are not totally privacy friendly. Moreover, cutting out any intermediary is very coherent with Bitcoin spirit and unleashes the potential of the cryptocurrency.


Hi there, are you new to AirVPN? Many of your questions are already answered in this guide. Its Guides Section has guides on Linux/Torrenting/Blocked sites & many other topics too.
Moderators do not speak on behalf of AirVPN. Only the Official Staff account does. Please read the First Questions section in the link above for more details, thank you.
Did you make a guide or how-to for something? Then contact me to get it listed in my new user guide's Guides Section, so that the community can find it more easily.

Tired of Windows? Why Linux Is Better.

#3 serenacat

serenacat

    Advanced Member

  • Members
  • 238 posts

Posted 31 March 2018 - 02:37 AM

Covers many "common issues/questions" with logic and fact in depth. Deserves linking from airvpn.org Home page to FAQ or Privacy or About Us so it does not get "lost" in the News and Announcement forum thread. Of value for potential subscriber researching short list, or existing client needing reassurance as to why cheapest/most-marketed/most-reviewed is not the best choice.



#4 bluesjunior

bluesjunior

    Advanced Member

  • Members
  • 117 posts

Posted 31 March 2018 - 04:18 AM

You go, Paolo, in AirVPN we trust.



#5 Sweden78

Sweden78

    Member

  • Members
  • 17 posts

Posted 31 March 2018 - 12:40 PM

Great answer from AirVPN on this one!  :good:

I also see in the post a reference to another interesting article about a similar topic: Are VPN providers more trustworthy than your ISP?



#6 nick75

nick75

    Advanced Member

  • Members
  • 164 posts

Posted 31 March 2018 - 03:30 PM

Imagine the case of a whistleblower giving out relevant information via VoIP or other applications relying on UDP to a self-proclaimed journalist who then betrays the confidentiality of the source, or even to a serious journalist who is unaware of the fact that his/her computer is compromised, or that his/her line is wiretapped. The whistleblower can't use a proxy reliably. The journalist, or the wiretapping entity, can trace the source IP address and the identity of the whistleblower can be disclosed (just to make a trivial example which does not require any wiretapping or compromised system, think of the Skype exploit, for which any party could discover the IP address of the other party). In most of these cases, end-to-end encryption would have been irrelevant for the whistleblower.
 

[...]

 

However, it is totally false that you can safely rely on a proxy for the second case purpose. Many applications, including torrent software, can:

[...]

 

In the aforementioned cases, correct usage of our service will fulfill the purpose to never disclose your real IP address and/or the UDP traffic and/or the DNS queries. A proxy will not and you can be potentially tracked back, either by copyright trolls or any hostile entity.
 
Additionally, our service has many more use cases:

  • tunneling UDP traffic (not available with a proxy or Tor)
  • circumventing censorship based on IP addresses block
  • circumventing censorship based on DNS poisoning
  • preventing injection of forged packets (not necessarily available with a proxy even in TCP, and surely not when you need UDP flow integrity)

@Staff you state multiple times that proxies don't support UDP (therefore DNS lookups) which is FALSE.

 

Excerpt from Wikipedia (https://en.wikipedia.org/wiki/SOCKS)

The SOCKS5 protocol is defined in RFC 1928. It is an extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The initial handshake consists of the following:

 

Excerpt from RFC 1928:

This new protocol extends the SOCKS Version 4 model to include UDP,

 

However I agree with the rest of your post!



#7 WaNNaBEAnoNymoUs

WaNNaBEAnoNymoUs

    Advanced Member

  • Members
  • 37 posts

Posted 31 March 2018 - 03:38 PM

Hahaha! Just another Joe's show off!

 

Way to go Paolo & everyone in Air! \o/


"You don't have to be a genius to sound like one." - BDS


#8 Staff

Staff

    Advanced Member

  • Staff
  • 7568 posts

Posted 31 March 2018 - 05:01 PM

@Staff you state multiple times that proxies don't support UDP (therefore DNS lookups) which is FALSE.

 

Excerpt from Wikipedia (https://en.wikipedia.org/wiki/SOCKS)

 


The SOCKS5 protocol is defined in RFC 1928. It is an extension of the SOCKS4 protocol; it offers more choices for authentication and adds support for IPv6 and UDP, the latter of which can be used for DNS lookups. The initial handshake consists of the following:

Excerpt from RFC 1928:

 

Hello!

 

In general the comparison was made with proxies which could offer encryption, so in reality only with HTTPS proxies, which do not support UDP at all. Sorry for the imprecision. Just out of curiosity, anyway the UDP support of SOCKS5 proxies is quite problematic on the "client side", even if you decide that your UDP stream does not need encryption.

 

The initial handshake must be in TCP, not in UDP. This cuts out any application which can send and receive UDP only.

 

An additional application (a proxifier) needs to tell the SOCKS5 proxy (in TCP) to forward UDP packets (on behalf of the application which speaks only UDP) until the TCP connection is closed, and it also needs to tell the proxy where to forward those UDP packets to. The proxifier application (or maybe in the future the built-in proxifier included in a UDP software) would therefore need to do a lot more work. So not only do you need a SOCKS5 proxy correctly configured to forward UDP packets according to the instructions received in TCP, but you would also need a proxifier that implements such support, which is currently unavailable.

 

It is very problematic and inefficient, because you still have a TCP "channel" that must direct operations. It's tested, more secure and faster to just wrap UDP into UDP with OpenVPN, forget TCP and not worry about re-implementing timeout handling, packet re-ordering etc. (all features widely peer reviewed with OpenVPN). And above all you don't send out a UDP stream in clear text.

 

See here for a more detailed analysis:

https://stackoverflow.com/questions/20976189/how-can-we-set-up-proxy-server-dealing-with-udp-packets

 

Kind regards



#9 Alter94

Alter94

    Member

  • Members
  • 10 posts

Posted 31 March 2018 - 05:27 PM

I like how most of the anti-vpn "OPSEC" guys out here never really have a good answer for not using a VPN. Using Tor over VPN will prevent a VPN from seeing what you do on the Tor network, even if they're logging. All they can log is a Tor connection, that's it. So this can't really be used as a weak point. Besides, I personally rather trust a paid employee at a legit no logging VPN as my first hop rather than a Tor guard node that is some random volunteer with my real IP. Privacy is not a simple fix nowadays. Besides Tor and VPNs you're also probably going to want a fully encrypted Linux distro along with supported privacy apps like bleachbit, veracrypt, and learn how to sandbox your web browsers. You also need to learn how to spoof your MAC address. Antivirus is generally not needed for Linux but getting something open sourced like Clamav or F-PROT can help you out. You should also probably get chkrootkit to scan for rootkits. Also, stating the obvious, keeping your system patched with the latest security updates is advisable. There's a lot that needs to be done to assure your privacy and security. And a VPN is a tool to help you get there, but VPNs are not responsible for your bad OPSEC. By the way I wonder if the person that wrote that piece owns a smart phone or a social media account?? At any rate it even goes beyond locking your own computer down. You probably want to harden your network and patch it, learning how to pen test would really help your security out.



#10 iwih2gk

iwih2gk

    Advanced Member

  • Members
  • 276 posts

Posted 31 March 2018 - 06:18 PM

Paolo,

 

What a great response/post to general stupidity.  I have been here for many years under several different names.  I do elect to let my IP be seen by your servers on my raw account here.  This forum account, which is different than my log in account, and all other VPN activity has TOR over Air configuration for my workspace.  I am not sure I could be any happier with the professionalism of Air!



#11 nick75

nick75

    Advanced Member

  • Members
  • 164 posts

Posted 31 March 2018 - 06:33 PM

@Staff obviously I knew you meant http(s)/socks4 proxies which are what most VPN/proxy providers work with. But the (small) lack of precision was really annoying me. As for the problem with proxy software not really supporting UDP. I only had to use a SOCKS5 proxy once. My ISP had a peering problem and I used my VPS to have good connection using SSH. It never gave me any problem. I don't know about the software in the link you gave but it's probably more a problem with implementation rather than the protocol itself.

#12 Staff

Staff

    Advanced Member

  • Staff
  • 7568 posts

Posted 31 March 2018 - 06:53 PM

@Staff obviously I knew you meant http(s)/socks4 proxies which are what most VPN/proxy providers work with. But the (small) lack of precision was really annoying me. As for the problem with proxy software not really supporting UDP. I only had to use a SOCKS5 proxy once. My ISP had a peering problem and I used my VPS to have good connection using SSH. It never gave me any problem. I don't know about the software in the link you gave but it's probably more a problem with implementation rather than the protocol itself.

 

Hi,

 

SSH is over TCP, so it's not relevant in this case. Again sorry for the annoying lack of precision with SOCKS5. Well, at least it does not change the essence and the meaning, i.e. you just can't tunnel the traffic of a UDP-only application with a SOCKS5 proxy, because you need TCP to establish the connection and give the SOCKS5 proxy all the instructions on how to route the subsequent UDP packets etc.

 

If you come to know about a working proxifier that implements real UDP support with a remote SOCKS5 proxy feel free to let us know.

 

Kind regards
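
The RFC 1928 exchange that posts #8 and #12 describe, as an added Python example that is not part of the original thread and not AirVPN's code: the UDP relay address only exists after a TCP greeting and a UDP ASSOCIATE request, and the datagram then sent to the relay is a short header followed by the unmodified payload. The proxy replies, the relay address 192.0.2.10:40000 and the destination 198.51.100.53:53 are constructed documentation values.

```python
import ipaddress
import struct

SOCKS_VERSION = 0x05
METHOD_NO_AUTH = 0x00
CMD_UDP_ASSOCIATE = 0x03  # RFC 1928, section 4
REP_SUCCEEDED = 0x00
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def encode_address(host, port):
    """Encode ATYP + address + port (shared by requests, replies, UDP headers)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        name = host.encode("idna")
        if not 0 < len(name) <= 255:
            raise ValueError("domain name must be 1..255 bytes")
        return bytes([ATYP_DOMAIN, len(name)]) + name + struct.pack("!H", port)
    atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
    return bytes([atyp]) + ip.packed + struct.pack("!H", port)


def decode_address(buf, offset):
    """Decode ATYP + address + port at offset; return (host, port, next_offset)."""
    if len(buf) <= offset:
        raise ValueError("truncated address")
    atyp = buf[offset]
    offset += 1
    if atyp == ATYP_IPV4:
        size = 4
    elif atyp == ATYP_IPV6:
        size = 16
    elif atyp == ATYP_DOMAIN:
        if len(buf) <= offset:
            raise ValueError("truncated address")
        size = buf[offset]
        offset += 1
    else:
        raise ValueError(f"unknown ATYP 0x{atyp:02x}")
    if len(buf) < offset + size + 2:
        raise ValueError("truncated address")
    raw = buf[offset:offset + size]
    host = raw.decode("ascii") if atyp == ATYP_DOMAIN else str(ipaddress.ip_address(raw))
    (port,) = struct.unpack_from("!H", buf, offset + size)
    return host, port, offset + size + 2


def tcp_greeting():
    """TCP message 1: version, number of methods, the methods offered."""
    return bytes([SOCKS_VERSION, 1, METHOD_NO_AUTH])


def tcp_udp_associate_request(client_host="0.0.0.0", client_port=0):
    """TCP message 2: ask for a UDP relay; all zeros means 'source not known yet'."""
    return bytes([SOCKS_VERSION, CMD_UDP_ASSOCIATE, 0x00]) + encode_address(client_host, client_port)


def parse_tcp_reply(reply):
    """Return the relay (BND.ADDR, BND.PORT) the proxy allocated, or raise."""
    if len(reply) < 4 or reply[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 reply")
    if reply[1] != REP_SUCCEEDED:
        raise ConnectionError(f"proxy refused the request, REP=0x{reply[1]:02x}")
    host, port, _ = decode_address(reply, 3)
    return host, port


def wrap_udp(dst_host, dst_port, payload):
    """UDP request header: RSV(2)=0, FRAG(1)=0, then address, then raw payload."""
    return b"\x00\x00\x00" + encode_address(dst_host, dst_port) + payload


def unwrap_udp(datagram):
    """Inverse of wrap_udp; fragmented datagrams are rejected in this sketch."""
    if len(datagram) < 4 or datagram[:2] != b"\x00\x00":
        raise ValueError("bad SOCKS5 UDP header")
    if datagram[2] != 0:
        raise ValueError("fragmentation not handled here")
    host, port, offset = decode_address(datagram, 3)
    return host, port, datagram[offset:]


def demo_exchange():
    """Ordered list of (transport, direction, bytes) using constructed replies."""
    steps = [("tcp", "client->proxy", tcp_greeting()),
             ("tcp", "proxy->client", bytes([SOCKS_VERSION, METHOD_NO_AUTH])),
             ("tcp", "client->proxy", tcp_udp_associate_request())]
    reply = bytes([SOCKS_VERSION, REP_SUCCEEDED, 0x00]) + encode_address("192.0.2.10", 40000)
    steps.append(("tcp", "proxy->client", reply))
    relay_host, relay_port = parse_tcp_reply(reply)
    datagram = wrap_udp("198.51.100.53", 53, b"constructed UDP payload")
    steps.append(("udp", f"client->{relay_host}:{relay_port}", datagram))
    return steps


if __name__ == "__main__":
    for transport, direction, data in demo_exchange():
        print(f"{transport:3} {direction:28} {data.hex()}")
```
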



#13 telemus

telemus

    Advanced Member

  • Members
  • 59 posts

Posted 31 March 2018 - 11:27 PM

Hi there.

This is a fantastic post. Thank you so much for taking the time and effort to make it.

I think I saw in a news article on the SNOWDEN documents that the 5E (and 7, 9, 14 as well) were having difficulty compromising some VPNs. ToR is more or less compromised, it seems, according to the documents and multiple court cases.

It seems if you want security a good VPN is required. Anonymity may be a little more difficult....



#14 Nasdaq

Nasdaq

    Member

  • Members
  • 17 posts

Posted 02 April 2018 - 09:56 PM

Fantastic answer and, moreover, you make me understand a lot of nebulous parts of VPN services and encryption.

 

You're a very good teacher, Staff! :yes:



#15 giganerd

giganerd

    I shall have no title

  • Members
  • 2522 posts
  • LocationGermany

Posted 05 April 2018 - 01:49 PM

The comments below the gist mostly condemn the article, stating that it's written out of hate and a misunderstanding for topics and technology. Air's not alone in this, I think.

 

Your rebuttal is to be enjoyed with caution, though, since you are, after all, a VPN provider who developed a business model based on what the gist criticizes. This doesn't make you an independent party, whether you want it or not. I had little reason in the past to doubt your resolve and your intentions, but still I think you should not have written this whole thing at all. Especially when seemingly "normal" GitHub accounts started to question the author's intentions as well.

 

One thing, though.

I think a VPN service like yours has certain similarities with proxies. After all, your servers are middlemen in all connections, getting decrypted there before being passed on to our destination networks. Your strongest argument is the direct comparison to proxy servers and its tech and you like to say "See? This is not us!". Granted, I agree, a proxy server is not a VPN server. Fine, here, have a donut.

What I don't like, and didn't like for quite some time now, is that you seem to ignore the similarities you share with classical proxy servers. You are not permitting contact between all the clients connected to a given VPN server but this is what a VPN does - connect a client to a secure network over insecure channels so that the client can access the network and all the devices in it. You don't set up this kind of access. You forward packets on, in your name. As a proxy in our path. Please translate this into your favorite language and don't look up the technical translation. In German this would be "Stellvertreter", a "deputy", "substitute". Which semantically describes what AirVPN is and does.

 

It doesn't help the author, though. :P


Always remember:
There's a guide to AirVPN,

Amazon IPs are not dangerous here,
running TOR exits is discouraged,

using spoilers for your logs is the proper way to heaven.
Same issues are rare! Search for solutions and if not successful open your own threads.

~ Furthermore, I propose that your paranoia is to be destroyed. ~

 


#16 Nasdaq

Nasdaq

    Member

  • Members
  • 17 posts

Posted 09 April 2018 - 06:18 PM

@ "I shall have no title"

 

"You are not permitting contact between all the clients connected to a given VPN server but this is what a VPN does"

 

Could you give us an example or name a VPN provider doing that?



#17 Staff

Staff

    Advanced Member

  • Staff
  • 7568 posts

Posted 09 April 2018 - 07:23 PM

Your rebuttal is to be enjoyed with caution, though, since you are, after all, a VPN provider who developed a business model based on what the gist criticizes.

 

 

Hello,

 

this is a logic flaw or a typo. Probably you meant "on the opposite of what the writer of the rebutted article meant", i.e. the writer claims that it's mandatory to build a business model based on false, lying "no traffic logging / inspection" policy in consideration of our prices, while the rebuttal shows how the legal framework and the working infrastructure of AirVPN prove the contrary after more than seven years of operations. The rebuttal also explains why lying about the no logging and no inspection policy would be catastrophic under a purely business view.

 

This doesn't make you an independent party, whether you want it or not.

 

This is obvious, and actually the rebuttal has been written with the account of AirVPN Staff, so there is total transparency and no ambiguity. It's not that the rebuttal has been written in the name of someone who pretends to be outside AirVPN or anyway super-partes in disguise.

 

 

I had little reason in the past to doubt your resolve and your intentions, but still I think you should not have written this whole thing at all.

 

Luckily the fact that we fight for freedom of expression does not prevent us from exercising such a fundamental right whenever we wish.

 

 

What I don't like, and didn't like for quite some time now, is that you seem to ignore the similarities you share with classical proxy servers. You are not permitting contact between all the clients connected to a given VPN server but this is what a VPN does - connect a client to a secure network over insecure channels so that the client can access the network and all the devices in it.

You don't set up this kind of access.

 

 

In reality we do. In a VPN where all clients are known and trusted, a client might like to share its devices with any other client, but this is a special case which does not happen normally, not even in corporate VPNs. It would be a paramount security hazard. A more common usage of shared resources in a VPN is sharing some resources not belonging to each client.

 

This is what happens in AirVPN too, where you share some resources inside the VPN, without ever going out of the VPN itself. Specifically, a client in AirVPN can use DNS inside the VPN (no query of the client gets out of the VPN itself), and access other (different than ICANN) namespaces. A client also accesses other resources (geo-routing / micro-routing etc.), always inside the VPN. We might also add additional shared resources inside the VPN in the future.

 

With a proxy, you never share resources inside a virtual network, simply because you are not in a virtual network.

 

The similarity you mention might be born of a confusion. When the VPN also offers a gateway to other networks, as AirVPN does, the client traffic passes through different private and public IP addresses before its traffic is routed to the final destinations from the public, exit-IP address.

 

What happens with a proxy is profoundly different, and the similarity is misleading: the traffic that's sent through a proxy never enters a virtual network, is not necessarily encrypted between your node and the proxy node, is only a part of your system traffic (only TCP), and continues its route to the Internet from the very same public address some application in the system sends the packets to. Your system default gateway and routing table remain the same and your system does not have another network interface to rely on. Some significant examples which show how this difference in behavior is very important are also mentioned in the rebuttal and cover the predominant usage of our service, if not the totality of it.

 

As an additional, side note, it remains to be seen how and if a proxy can prevent spoofed packet injection in your DNS queries and in incoming traffic content with the same effectiveness provided by our service, as well as in fake personification based attacks.

 

Kind regards
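
The routing difference described in the post above (a VPN gives the system another network interface and changes which route carries each packet, while a proxy leaves the default gateway and routing table as they were), as an added example that is not part of the original post or of AirVPN's software. The two routing tables are constructed samples in Linux `ip route` format; the interface names, the addresses and the pair of half-default routes (the way OpenVPN's `redirect-gateway def1` option overrides the default route) are assumptions.

```python
import ipaddress

# Constructed sample: `ip route` output on a host that only uses a proxy.
ROUTES_PROXY_ONLY = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

# Constructed sample: the same host with a VPN tunnel up. 203.0.113.10 stands
# in for the VPN server's public address, 10.4.0.1 for the in-tunnel gateway.
ROUTES_VPN_UP = """\
0.0.0.0/1 via 10.4.0.1 dev tun0
default via 192.168.1.1 dev eth0
10.4.0.0/16 dev tun0 proto kernel scope link src 10.4.0.23
128.0.0.0/1 via 10.4.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
203.0.113.10 via 192.168.1.1 dev eth0
"""

def parse_routes(text):
    """Turn `ip route` lines into (network, device) pairs."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        network = ipaddress.ip_network(prefix, strict=False)
        routes.append((network, fields[fields.index("dev") + 1]))
    return routes

def egress_interface(routes, destination):
    """Longest-prefix match: the interface that would carry the packet."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, dev) for net, dev in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def outside_tunnel(routes, destinations, tunnel_dev="tun0"):
    """Destinations whose traffic would not enter the tunnel interface."""
    return [d for d in destinations
            if egress_interface(routes, d) != tunnel_dev]

if __name__ == "__main__":
    targets = ["198.51.100.7", "10.4.0.1", "203.0.113.10", "192.168.1.20"]
    for name, table in (("proxy only", ROUTES_PROXY_ONLY), ("VPN up", ROUTES_VPN_UP)):
        print(name, "-> outside tunnel:", outside_tunnel(parse_routes(table), targets))
```

With the tunnel up, only the encrypted carrier connection to the VPN server and local-subnet traffic still leave through the physical interface; with a proxy alone, every destination does, and only applications configured for the proxy send their TCP traffic to it.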



#18 giganerd

giganerd

    I shall have no title

  • Members
  • 2522 posts
  • Location: Germany

Posted 09 April 2018 - 07:52 PM

You're absolutely right, in every point. Sorry for all the mistakes.

 

Keep going. :)



 


#19 RaineyPass

RaineyPass

    Member

  • Members
  • 27 posts

Posted 13 April 2018 - 04:36 PM

Facebook VPN?   HAHAHAHAHAHAHAHA!!!!!!  Facebook's malware, that's too funny.

 

Uh, sorry.  Keep it up Air, still the fastest and most reliable of the three I use: Air, Windscribe and Mullvad.



#20 timeless420

timeless420

    Newbie

  • New Members
  • 2 posts

Posted 29 May 2018 - 11:46 PM

Great information.  Well written.  On point.

 

Thank you.


Peace and love, always. 

-timeless420




