VPN Encryption

privateinternetaccess.com

57 points by mtoledo 13 years ago · 45 comments

r0h1n 13 years ago

I've been a happy PIA subscriber since the Snowden controversy. However every time I see them becoming more popular (at least 4 of my friends have signed up with them in the past few weeks) and earnestly trying to make themselves more secure, I also realize that someone, somewhere within the NSA (and yes, other intelligence agencies around the world) is elevating them on a list of VPNs to break.

  • IvyMike 13 years ago

    I've said this before, but PIA and other similar VPN providers are great security against most drive-by hackers. I am a happy customer for this reason.

    But if your threat model includes "NSA/CIA/FBI/DEA", you are going to have to spend more than $4 a month to remain secure.

    • canttestthis 13 years ago

      Okay, I'll bite. My budget is more than $4 a month, but not thousands. Is there any way to keep myself secure from the NSA/CIA/FBI/DEA/etc in a simple VPN-way?

    • r0h1n 13 years ago

      > if your threat model includes "NSA/CIA/FBI/DEA"...

      I think there are two vastly different threat models within that - (a) large-scale and indiscriminate vacuuming up of the average citizen's Internet usage data to fill up datacenters and do analytics, and (b) active targeting of a specific subject.

      I'm hoping a VPN will insulate me against (a) too. But for (b), I don't think I stand much of a chance even if I spent $400 a month.

    • duaneb 13 years ago

      Yes. In fact, I'm not aware of a failsafe method to guard against digital surveillance at any price save not using computers.

      • sliverstorm 13 years ago

        "Failsafe" is unnecessary. Come on, we call ourselves engineers here, right? A cardinal rule of engineering is to not let "perfect" get in the way of "good enough".

        • duaneb 13 years ago

          Yes. I perhaps should have said that price for granted security scales exponentially.

  • sixothree 13 years ago

    Doesn't their business location in the US negate the need to be cracked?

    • r0h1n 13 years ago

      They don't store any user logs (I have no reason to suspect they'd lie about that). So there's not much stored data to break. Which means the focus will be on breaking their traffic encryption protocols.

      • eli 13 years ago

        Not necessarily. There's no need to break the encryption or have logs if the NSA can monitor all the traffic going in and out of the proxy server. They just have to correlate your incoming encrypted connection with the outgoing unencrypted data to remove the layer of anonymity. I'd frankly be a little surprised if they weren't doing this or something like it.

        I would guess that using PIA makes you less secure against NSA snooping since it makes you more of a target and provides weak anonymity.

        • r0h1n 13 years ago

          > I would guess that using PIA makes you less secure against NSA snooping since it makes you more of a target and provides weak anonymity.

          So you're saying not using encryption and VPN services is a safer choice as regards Internet usage today? You seem to be going against the grain of most of what's been discussed around privacy & Internet surveillance on HN recently.

          • eli 13 years ago

            I wouldn't make a blanket statement like that. Depends what VPN and how you're using it and what you're doing on the internet and (in particular) what threat you're trying to protect yourself against. PIA will do a good job of protecting the contents of your messages from someone sniffing your wifi hotspot, but is useless against someone with the ability to monitor all internet traffic. The data leaving the PIA proxy is just as unencrypted as it would be if you weren't using a VPN, except your attempt to secure it will likely draw extra attention. There's strong evidence [1] that the NSA has special rules that allow enhanced collection and analysis of encrypted traffic.

            [1] "...the NSA is allowed to hold onto communications solely because you use encryption." https://www.eff.org/deeplinks/2013/06/depth-review-new-nsa-d...
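A toy version of the correlation eli describes, as an added example that is not part of the original thread: a tap on both sides of the VPN server links the encrypted ingress flow from a client to the plaintext egress flow by timing and size alone, with no need to break the encryption or to have logs. The two flow logs are constructed, the 0.1 s window and 15% size tolerance are assumptions standing in for tunnel framing overhead, and a real adversary would correlate over many packets with statistical tests rather than one-to-one size matching.

```shell
#!/bin/sh
# Added example, not from the thread. Links a VPN user's encrypted ingress
# flow to the plaintext egress flow leaving the VPN server using only
# timing and size, i.e. without breaking the encryption or needing logs.

# Constructed sample data: what a tap on both sides of the VPN server sees.
# Ingress: ts client_ip bytes (encrypted, client -> VPN server)
INGRESS='1000.00 203.0.113.5 1450
1000.02 198.51.100.9 600
1001.10 203.0.113.5 52000
1001.15 198.51.100.9 1200'
# Egress: ts destination bytes (plaintext, VPN server -> internet)
EGRESS='1000.01 example.org 1380
1000.03 forum.example 540
1001.12 video.example 51300
1001.16 news.example 1120'

# Assumed tolerances: the egress record appears within WINDOW seconds of the
# ingress record and is slightly smaller, because the tunnel framing (assumed
# to be 0-15% of the size) has been stripped.
WINDOW=0.1
MIN_RATIO=0.85

# correlate_flows INGRESS EGRESS -> prints "client_ip destination" per link
correlate_flows() {
  tmp="$(mktemp -d)"
  printf '%s\n' "$1" > "$tmp/in"
  printf '%s\n' "$2" > "$tmp/out"
  awk -v win="$WINDOW" -v minr="$MIN_RATIO" '
    # first file: load the ingress records into arrays
    FNR == NR { if (NF == 3) { n++; ts[n] = $1; ip[n] = $2; bytes[n] = $3 }; next }
    # second file: for each egress record pick the closest-in-time ingress
    # record whose size is consistent with it
    NF == 3 {
      best = 0; best_dt = win + 1
      for (i = 1; i <= n; i++) {
        dt = $1 - ts[i]; if (dt < 0) dt = -dt
        ratio = $3 / bytes[i]
        if (dt <= win && ratio >= minr && ratio <= 1 && dt < best_dt) {
          best = i; best_dt = dt
        }
      }
      if (best) print ip[best], $2
    }' "$tmp/in" "$tmp/out"
  rm -rf "$tmp"
}

correlate_flows "$INGRESS" "$EGRESS"
```

On the constructed data every egress record is linked back to a client address, which is the point: the VPN hid the contents from the hotspot, but not the client/destination pairing from someone watching both sides of the server. Mixing many users' traffic through one exit, padding, and cover traffic are what raise the cost of this, not a stronger cipher.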

      • dwiel 13 years ago

        If your adversary includes the NSA, you have to consider the possibility that the NSA has required that they store logs and not tell anyone about it.

      • goatforce5 13 years ago

        Hypothetically, I believe a US entity could be forced to start logging and simultaneously be forced to not mention that logging had been turned on (and, indeed, to lie if asked about it).

    • drdaeman 13 years ago

      Based on their sites, I believe they're a UK-based company (and US endpoints are just endpoints, in case someone wants to have a US-located exit to access US-only services), so it makes it somewhat harder (but not impossible) to correlate between the client and their traffic.

      Still, I don't see any significant difference between NSA and GCHQ, except that we have (thanks to Snowden) some details of the former's operations leaked, but the latter's remain secret (or I didn't pay enough attention to the news, maybe).

borski 13 years ago

While I've heard good things about PIA, you're still trusting someone else with your data. Whether you trust them or not is entirely up to you, but it's not that hard to set up your own VPN tunnel. We posted about it a few weeks ago here: https://www.tinfoilsecurity.com/blog/dont-get-pwned-on-publi..., and there was some good HN discussion on it here: https://news.ycombinator.com/item?id=6285458

  • ineedtosleep 13 years ago

    > Whether you trust them or not is entirely up to you, but it's not that hard to set up your own VPN tunnel.

    While I agree that trust is a _giant_ issue, speed and price (due to bandwidth needed/used) are also a major concern if you're one looking for an always-on VPN solution.

    I personally used PIA for a few months mostly due to cost and it is at or near my speed cap at all times. I have also rolled my own VPN using a VPS at the same price point, however, considering that bandwidth would be limited and speeds were not as stable, it's hard for me to choose that route for my use cases.

    Sure, if I need absolute security I wouldn't use PIA and I'd reconsider using a VPN on any VPS on US soil. But then, one would have to consider if it will be worth it.

  • drdaeman 13 years ago

    You still have to trust somebody to host your VPN endpoint.

    (Although, it's probably less risky to use some relatively obscure VPS/dedicated/colocation ISP than major VPN service which certainly attracts some attention of TLAs)

    • borski 13 years ago

      Fair point, but your personal VPN is also a lot less likely to attract scrutiny and be attractive to snooping than PIA. It's just a much bigger surface area, more popular, and potentially has a lot more useful data than your single box.

      • floatboth 13 years ago

        Also, public VPN services like PIA mix the traffic, i.e. multiple VPN users' traffic is coming from one IP address.

  • don_draper 13 years ago

    " On your CA's environment (hopefully elsewhere):

    openssl x509 -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
      -days 730 -req -in vpn.csr -out vpn-cert.pem "

    What does the author mean by 'hopefully elsewhere'? It's no longer a simple one-server solution, no?

    • borski 13 years ago

      Your CA doesn't have to be (read: shouldn't be) the same box. Also, it doesn't have to be (read: shouldn't be) connected to the internet. I recommend a USB key you keep around your neck or on your keychain, but it's really up to you.
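The workflow borski describes, as an added example that is not code from the linked post: two directories stand in for the two machines (the offline CA environment, which in practice is the USB key, and the VPN server), only the CSR travels one way and only the signed certificate travels back, and the result is checked afterwards. The signing step is the `openssl x509` command quoted above with extensions added; the names, the 2048-bit RSA keys and the serverAuth EKU (which lets an OpenVPN client enforce `remote-cert-tls server`) are assumptions.

```shell
#!/bin/sh
# Added example, not from the linked post. $CA stands in for the offline CA
# box (or the USB key) and $SRV for the VPN server. The CA key never leaves
# $CA and the server key never leaves $SRV; only the CSR and the issued
# certificate cross between them.
set -u
WORK="$(mktemp -d)"
CA="$WORK/ca"       # offline CA environment
SRV="$WORK/server"  # VPN server
mkdir -p "$CA" "$SRV"

# On the CA box: self-signed root, 10 years, key kept offline.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example VPN CA" -keyout "$CA/cakey.pem" -out "$CA/cacert.pem" 2>/dev/null
}

# On the VPN server: generate the server key and a CSR for it.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=vpn.example.net" -keyout "$SRV/vpn-key.pem" -out "$SRV/vpn.csr" 2>/dev/null
}

# On the CA box: sign the CSR (the command quoted above, plus extensions).
# The serverAuth EKU lets OpenVPN clients enforce `remote-cert-tls server`,
# so a client cert issued by the same CA cannot be used to impersonate the server.
sign_csr() {
  cp "$SRV/vpn.csr" "$CA/vpn.csr"   # the only thing carried to the CA
  printf '%s\n' 'basicConstraints = CA:FALSE' \
                'keyUsage = digitalSignature, keyEncipherment' \
                'extendedKeyUsage = serverAuth' \
                'subjectAltName = DNS:vpn.example.net' > "$CA/vpn-ext.cnf"
  openssl x509 -req -in "$CA/vpn.csr" -CA "$CA/cacert.pem" -CAkey "$CA/cakey.pem" \
    -CAcreateserial -days 730 -sha256 -extfile "$CA/vpn-ext.cnf" \
    -out "$CA/vpn-cert.pem" 2>/dev/null
  cp "$CA/vpn-cert.pem" "$SRV/vpn-cert.pem"   # the only thing carried back
}

# Checks a client holding cacert.pem (or the admin) would run afterwards.
verify_chain() {
  openssl verify -CAfile "$CA/cacert.pem" "$SRV/vpn-cert.pem" >/dev/null 2>&1
}

cert_has_server_eku() {
  openssl x509 -in "$SRV/vpn-cert.pem" -noout -text | grep -q 'TLS Web Server Authentication'
}

# The server's private key must be the one the certificate was issued for.
key_matches_cert() {
  k="$(openssl pkey -in "$SRV/vpn-key.pem" -pubout 2>/dev/null)"
  c="$(openssl x509 -in "$SRV/vpn-cert.pem" -pubkey -noout 2>/dev/null)"
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# The CA key must not have ended up on the VPN server.
ca_key_stayed_offline() {
  [ ! -e "$SRV/cakey.pem" ]
}

make_ca && make_csr && sign_csr && verify_chain && cert_has_server_eku \
  && key_matches_cert && ca_key_stayed_offline && echo "ok: $SRV/vpn-cert.pem"
```

The reason for the separate environment is in the last check: a compromised VPN server yields its own key and certificate, which you can revoke and reissue, but if cakey.pem is on the same box the attacker can mint certificates your clients will trust forever.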

oleganza 13 years ago

Note: ECC-521 is not a typo. It is really a 521-bit curve.

Standard: http://www.secg.org/collateral/sec2_final.pdf

Explanation: http://crypto.stackexchange.com/questions/6219/why-do-the-el...

gr3yh47 13 years ago

I use this service, and have been thrilled with it for a long time. They do no logging whatsoever, and their encryption and endpoint options are great.

They are also by far the cheapest truly secure option in this space - $40/year.

coderrr 13 years ago

FYI, this is the info page for our new (beta) OpenVPN based client which supports multiple encryption options:

https://www.privateinternetaccess.com/forum/index.php?p=/dis...

  • r0h1n 13 years ago

    Interesting to note that you've hosted your beta clients on Kim Dotcom's Mega service. This is the first time I'm coming across a legit & popular service hosting its public client files on Mega.

    • lmm 13 years ago

      I've bought some digital art from a freelancer and received it via there.

  • jevinskie 13 years ago

    I love PIA but I was too afraid to use it at Black Hat / DEFCON this year. If you use L2TP (required for iOS, handy for OS X because there is a native client) there is no certificate to prevent a MITM. Is there any way to address this? Can you use a certificate instead of a pre-shared key?

canistr 13 years ago

It should be noted that while they use curves generated by Certicom, Certicom is now a subsidiary of BlackBerry.

HPLovecraft 13 years ago

A friend of a friend has been a happy customer of PIA for over 9 months now. Their customer service is actually really good.

Fourplealis 13 years ago

How is this different from other commercial VPNs? If you really want privacy, choose an offshore VPN that doesn't keep logs.

duaneb 13 years ago

VPN providers would make great honeypots.

drdaeman 13 years ago

I was a bit surprised OpenVPN still doesn't support GCM mode.

kzrdude 13 years ago

Pretty bogus preset choices, what is this? If the provider isn't providing the expertise to ensure a safe connection for every customer, what the hell are they doing?
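An added example, not from the thread, for the settings drdaeman (GCM), jevinskie (MITM by a peer) and kzrdude (preset choices) are arguing about: a small audit of an OpenVPN client config that flags a CBC-plus-HMAC data channel, a 64-bit block cipher, a weak or default HMAC, and a missing `remote-cert-tls server` or `tls-version-min`. Option semantics assumed are those of OpenVPN 2.5+ (`data-ciphers`; AES-GCM has been available since 2.4, so the thread's remark predates it). Both sample configs and their hostnames are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit an OpenVPN client config for the
# settings discussed above. Assumes OpenVPN 2.5+ option names.

# Constructed sample configs (hostnames are placeholders).
WEAK_CONF='client
dev tun
proto udp
remote us-east.example.invalid 1194
cipher BF-CBC
auth SHA1
ca ca.crt'

STRONG_CONF='client
dev tun
proto udp
remote us-east.example.invalid 1194
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls server
ca ca.crt'

# opt_value CONF NAME -> first value of option NAME, empty if absent
opt_value() {
  printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# audit_config CONF -> prints one finding per line, returns 0 only if clean
audit_config() {
  conf="$1"; rc=0
  cipher="$(opt_value "$conf" cipher)"
  dc="$(opt_value "$conf" data-ciphers)"
  auth="$(opt_value "$conf" auth)"

  # Data channel: want an AEAD mode (AES-GCM) rather than CBC + separate HMAC.
  case "$dc$cipher" in
    *GCM*) ;;
    *) echo "data channel: no AES-GCM cipher configured (found '${dc:-$cipher}')"; rc=1 ;;
  esac
  # 64-bit block ciphers (Blowfish, 3DES) are exposed to birthday attacks
  # (SWEET32) on long-lived tunnels carrying a lot of data.
  case "$cipher" in
    BF-CBC|DES-*) echo "data channel: 64-bit block cipher '$cipher'"; rc=1 ;;
  esac
  # HMAC for the control channel / tls-auth (and the data channel when it is
  # not AEAD); OpenVPN defaults to SHA1 when auth is unset.
  case "$auth" in
    ""|MD5|SHA1) echo "auth: ${auth:-unset (default SHA1)}; set SHA256 or stronger"; rc=1 ;;
  esac
  # Without this, any certificate the CA ever issued, including another
  # client's, is accepted as the server, so a peer holding a client cert can MITM.
  [ "$(opt_value "$conf" remote-cert-tls)" = server ] \
    || { echo "remote-cert-tls server: missing"; rc=1; }
  [ "$(opt_value "$conf" tls-version-min)" = 1.2 ] \
    || { echo "tls-version-min 1.2: missing"; rc=1; }
  return "$rc"
}

echo "--- weak config:";   audit_config "$WEAK_CONF"   || true
echo "--- strong config:"; audit_config "$STRONG_CONF" && echo "clean"
```

Run it against a provider's downloaded .ovpn before trusting the "preset": the `remote-cert-tls` finding is the OpenVPN counterpart of the certificate question raised for L2TP above, and it is the one most often left out of shipped client configs.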

coderrr 13 years ago

@HNmods, any reason this was removed from the first page?

awayand 13 years ago

Or, you could just use https://airvpn.org/
