
Firefox partners with ProtonVPN - spac
https://premium.firefox.com/vpn/
======
JackC
I'm really excited about this idea, but I also think it isn't fully baked yet.

I'm excited because VPNs are all about _shifting_ trust: I'm no longer
trusting Comcast not to sell my data, I'm now trusting SketchyVPN. If
SketchyVPN turns out not to be trustworthy, then I'm paying for something that
is worth less than $0 to me, and there's no way to detect that as a user. It's
like paying more for organic food in a town where farm stands are paid to lace
organic food with arsenic -- why would you?

For VPN service, I trust Mozilla more than just about anybody: they're
nonprofit, have clear and transparent governance, have many mission-driven
employees, and would lose more than they could possibly gain by breaking the
terms of service on a VPN. They also have a big enough profile that it takes
no extra effort to stay up to date on how trustworthy they are -- they do make
missteps, but every misstep hits the front page of HN, which is exactly what I
want. If they run a VPN, I'm sold that it's worth more than $0.

But the service isn't fully baked yet for me, because they're not explaining
how they're enforcing the trustworthiness of ProtonVPN. I have no idea if
ProtonVPN is as trustworthy as Mozilla -- maybe it is, but I don't want to
learn and stay on top of that. Instead I want premium.firefox.com/vpn/ to
convince me that, if I use Mozilla's service, I'm fully benefiting from their
trustworthiness.

~~~
Yoric
So if I understand correctly, you would want to know the details of how
Mozilla audited ProtonVPN, is that it?

~~~
krn
Everyone in Vilnius, Lithuania knows that both NordVPN and ProtonVPN are
being developed here by the people related to Tesonet, which has been recently
sued in Texas Eastern District Court for the patent infringement in "Large-
scale web data extraction products and services with residential proxy network
( [https://oxylabs.io/](https://oxylabs.io/) )"[1] by Luminati Networks, an
Israeli data mining company behind HolaVPN[2].

The section from the "About" page of Tesonet (26 Apr 2018)[3], which was
suddenly removed in June 2018 after the connection between ProtonVPN and
Tesonet was made public by the co-founder of PIA[4]:

"For the latest project, Tesonet is working together with an international
brand from Switzerland to create a security product that helps users protect
their network traffic. As part of this technical partnership, we are
collaborating on datacenter and network infrastructure that can easily supply
10 Gbps worth of bandwidth to users around the world. The product is developed
using the latest authentication encryption methods and the best practices in
the security world."

As late as September 2018, NordVPN and ProtonVPN were still affected by the
same extremely rare Windows security bugs at the same time[5], even though the
CTO of ProtonMail claimed here on Hacker News that they used Tesonet, a data
mining company, for developing ProtonVPN, a _free_ VPN service, only as "an
office space provider"[6].

[1] [http://litigation.maxval-ip.com/Litigation/DetailView?CaseID...](http://litigation.maxval-ip.com/Litigation/DetailView?CaseID=Epee88Womxg%3D&logstat=false&Party=Luminati%20Networks%20Ltd.%20v.%20UAB%20Tesonet)

[2] [http://fortune.com/2015/05/29/hola-luminati-vpn/](http://fortune.com/2015/05/29/hola-luminati-vpn/)

[3]
[https://web.archive.org/web/20180426161609/https://tesonet.c...](https://web.archive.org/web/20180426161609/https://tesonet.com/about/)

[4]
[https://news.ycombinator.com/item?id=17258203](https://news.ycombinator.com/item?id=17258203)

[5] [https://www.pcmag.com/news/363619/protonvpn-and-nordvpn-bugs...](https://www.pcmag.com/news/363619/protonvpn-and-nordvpn-bugs-left-windows-vulnerable-to-hacker)

[6]
[https://news.ycombinator.com/item?id=17258538](https://news.ycombinator.com/item?id=17258538)

~~~
kup0
1 only shows Tesonet being sued and does not prove that both Nord and Proton
services are being developed by Tesonet people, and even if they were Tesonet-
adjacent people, further proof would be needed to link these services directly
to Tesonet the entity. 2 is contingent on 1.

3 and 4 are the only things I can see with any weight to them, yet they were
brought up by a competitor (red flag), and vague enough not to be considered
"evidence".

5 and 6 prove absolutely nothing. Both of these products use OpenVPN, which is
what the vulnerability was in.

The vulnerability has nothing to do with Tesonet and I have not seen proof
otherwise. Presumably other VPN services that also use OpenVPN could have
encountered the same vulnerabilities. What makes you think that both having
the same bug, because they use the same open-source system, is any kind of
"proof"?

It's interesting how one can seem to provide a huge body of quotes and
evidence for something- yet the majority of it easily deflates when viewed
directly. We're gonna need more than this, much more. I'm not willing to 100%
disbelieve you or dismiss your concerns outright- but if you're trying to
convince people, this is a pretty weak effort.

You've made these claims before, you say ProtonMail's response is inadequate-
could you elaborate on why? I thought it was relatively thorough and
convincing, but am willing to see any holes poked in it

~~~
krn
What PIA co-founder proved in June 2018 on Hacker News[1], and what happened
after:

- ProtonVPN UAB lists Tesonet's CEO as a director [after: the company's name
was changed multiple times in 2 months, and the director's name was hidden
from the public view]

- ProtonVPN UAB is operated from Tesonet's HQ in Vilnius, Lithuania [after:
the company's address was changed to a co-working space located a few
streets away, which doesn't require relocating to use it]

- ProtonVPN UAB uses previous Tesonet's technical employees [after: still
true]

- ProtonVPN uses IP address blocks that belong to Tesonet [after: these IP
address blocks were assigned to ProtonVPN]

- ProtonVPN Android mobile app was signed by Tesonet [after: still true]

ProtonMail's response on reddit was modified multiple times and locked, to
prevent people from picking holes in the narrative.

[1]
[https://news.ycombinator.com/item?id=17258203](https://news.ycombinator.com/item?id=17258203)
["showdead" must be enabled in settings to see the entire thread]

~~~
protonmail
These points are either incorrect or already debunked here:
[https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...](https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn_and_tesonet/)

There are even photos from Mozilla's visit to Proton HQ in Geneva:
[https://www.instagram.com/p/BpR7ungAi6Y/](https://www.instagram.com/p/BpR7ungAi6Y/)

Proton does have an office in Vilnius (one of 6 offices globally), but the
bulk of our staff works in our two Swiss offices.

~~~
krn
Why didn't you invite Mozilla to the real office in Vilnius, Lithuania where
ProtonVPN was actually being developed?

~~~
protonmail
Because the senior team members who developed the ProtonVPN partnership with
Mozilla were all in our Geneva HQ, because that's where we're actually
based...

~~~
krn
Could you post some pictures from your office in Vilnius, Lithuania, where
ProtonVPN UAB with 19 technical(?) employees is currently based? Are they
still working from Tesonet's HQ, just like they did in 2017, and for the most
of 2018?

Is Tesonet's CEO still the director of ProtonVPN UAB, more than 2 years after
the incorporation in July 2016? I can no longer check it myself, because the
public record is now hidden. But it was still true in June 2018.

And how do you feel about partnering on a _free_ VPN service with a company,
which has been sued for multiple patent infringements in "Large-scale web data
extraction products and services with residential proxy network" by the
founders of another _free_ VPN service, HolaVPN, who have publicly admitted to
using it for exactly that?

------
gpm
I only use firefox. But I don't feel like I can strongly recommend it because
of the long list of bad decisions.

- Google analytics baked into about:addons

- Sending data to Cliqz

- Pocket, as a service being added to the topbar

- Pocket, as a service being added to the default home/newtab page

- Firefox hello

- Completely banning unsigned addons

- Mr. Robot advert

- And now probably this

I want a browser that is reliable, high quality, respects my privacy, and
nothing else. I don't want addons baked into it. I don't want to be spied on.

~~~
nmy
Don't throw the baby out with the bathwater. These are minor things compared
to having no other good choice but the Google browser.

~~~
craftyguy
I've never found the "choose this, because the other option(s) suck more" to
be a particularly flattering argument for web browsers, programming languages,
cars, or politicians.

~~~
kibwen
The modern aversion to "lesser of two evils" is a thinly-disguised post-hoc
rationalization for apathy (or worse, nihilism). It's not even false
equivalence, because that would suggest trying to paint both "evils" as equal;
no, this is simply saying that, when presented with two choices where one is
better than the other, we might as well make the _worse_ choice, because who
cares?

~~~
gpm
Disagreed.

You personally should choose the lesser of two evils when those are
your only choices. Promoting the lesser evil is not such an easy call though.

From a practical standpoint, promoting an evil, even if it's a lesser evil,
has the potential for harming your own reputation as a reliable source.

It is also fundamentally morally questionable; of course what is morally right
and wrong is a matter of much debate. Suppose a psychopath calls you up and
says "I'm going to do one of two things, shoot a random 5 year old named
Joseph, or shoot two random 5 year olds named Kate, which should I do?".
Assume for the hypothetical that you know they are telling the truth, and
there is nothing you can do about the situation but choosing what you say
back. In my view of the world saying "shoot Joseph" still makes you morally
culpable, even though you were avoiding a worse situation.

~~~
craftyguy
Alternatively, you can lobby for a different choice, or pressure the 'lesser
evil' to improve themselves. Rarely do folks bother to do this though after
they've made their choice.

------
4aceb14e
I feel Firefox could be quite a bit more attractive, if it did less. I don't
want my browser integrated with one particular VPN. I don't want Pocket on by
default and hard to get rid of.

~~~
snek
damned if they do, damned if they don't

~~~
TheCraiggers
It's almost as if giving users options and letting them opt out of things is
the way to go. Who would have guessed.

~~~
detaro
Apparently not, since the opening comment complains about an optional VPN
offering and a service integration you can turn off.

~~~
itsreallyme
You can already opt into Proton VPN. See, it's right here:
[https://protonvpn.com/](https://protonvpn.com/)

So that's the point; don't bake features into my browser that point me to one
company when the whole purpose of a browser in the first place is to be able
to visit web pages... like [https://protonvpn.com/](https://protonvpn.com/).

This is about only one thing: money (affiliate sales).

~~~
TheCraiggers
While I'm sure some money exchanged hands, this is obviously not just a
marketing move.

We live in a world where VPNs are a must if you want to have any expectation of
privacy. Giving people easier access to these services is not a bad thing.
Mozilla has a privacy-minded vision for the internet. Regardless if you agree
with their vision, they are at least following it.

Also, if it's true that Mozilla is auditing ProtonVPN, that is a huge benefit
to everyone. The biggest issue with VPNs is you're forced to trust this new
company that they'll do as they say with your data (namely that they don't
harvest or store any of it). To me, that's a huge thing.

------
newscracker
I trust Mozilla, and if this helps Mozilla (and Firefox) further, I'm all for
it. From a different angle though, I'd prefer more decentralized solutions
than centralized ones like a single VPN provider. That could be in the form of
more Tor infrastructure coming up to make the Tor network faster (I myself am
not capable of setting up and running nodes).

My other concern with centralized VPN is that _Cloudflare, with its appetite
seemingly focused on being the biggest pipe (by a large measure) for Internet
traffic,_ might soon come up with a free VPN service and kill most others. I'm
certainly not a fan of large companies becoming large enough and entrenched
enough to put up insurmountable barriers against disruption (this could end up
being a futile hope).

------
woodrowbarlow
when considering different VPN services based on privacy criteria, this site
is helpful:

[https://thatoneprivacysite.net/vpn-comparison-chart/](https://thatoneprivacysite.net/vpn-comparison-chart/)

for example, i can see that ProtonVPN is hosted in Switzerland, and that
Switzerland cooperates with Five-Eyes countries (according to Privacy
International) by sharing intelligence information regarding citizens of Five-
Eyes countries (including the US). this is a relatively mild concern, compared
to VPNs hosted in one of the Fourteen-Eyes countries.

i can also see they use AES-256 for all data encryption. good. however, their
terms of service and marketing material contain conflicting language regarding
what information is logged, and details are not provided about how long logs
are kept and whether these logs are personally identifiable. (running a truly
"no logs" VPN service isn't really possible.)

at the network level, they appear to follow open standards and everything is
implemented in a predictable manner. bandwidth looks good, but speeds and
pricing are sub-par.

i've used ProtonVPN. i appreciate that they expose the details necessary to
configure VPN using the built-in OS-level or router-level configuration
screens, rather than requiring that you use their custom app. ultimately, the
low speed (compared to similarly-priced VPN services) is what turned me away.
it is neither the most privacy-conscious, nor most capable, nor highest value
solution in the VPN market and i'm surprised to see this offering come through
Mozilla. it's a weird endorsement.

~~~
notamerican
That being said, you don't need to provide your real identity to sign up; in
fact, you're encouraged not to. So, it's a lot harder to identify a particular
user.

Switzerland has _extremely_ good banking privacy laws so they can't be
required to disclose credit card details, so that's an identifying link not
available to Five-Eyes. Plus, you can pay in BTC.

I'm not sure about what's required for a company in Switzerland to be
compelled to share information with Five-Eyes but I expect they would have to
be ordered to by the Federal government; a hard feat given how privacy
friendly they are, and how the Cantonal government of Geneva have additional
privacy laws.

------
markstos
I generally distrust VPN providers and appreciate a recommendation from a
brand that I generally do trust.

------
tenryuu
Links to the homepage for me, is this article region specific?

~~~
cift
Searching around turned up this blog post, looks like it's US only
[https://blog.mozilla.org/futurereleases/2018/10/22/testing-n...](https://blog.mozilla.org/futurereleases/2018/10/22/testing-new-ways-to-keep-you-safe-online/)

~~~
MordodeMaru
How can one subscribe to this?

~~~
nothrabannosir
By using a VPN :)

~~~
MordodeMaru
It's prolly me that I am dumb and don't get it but I am already a Proton VPN
paid user. On top of that I have to pay $10? What the fucking fuck?

------
cift
Did they take the page down? I'm getting redirected to the Firefox homepage

~~~
planderos
This is a US-only test. You’re only supposed to get the link through an offer
inside Firefox. Direct access to the website just redirects if you’re outside
the US at the moment.

------
nykolasz
There are multiple extensions and VPN products out there (some better and some
worse), so why are they choosing who wins or loses here? I know it is because
of $, but I hate the direction they have been taking lately.

~~~
gpm
If they did something like search engines, where they have a large list with
someone as the default and the ability to add more, I might be ok with it. But
certainly not with this sort of advertising.

The number of people installing adblock should tell them that their users
don't want to see advertising.

------
threatofrain
1. --

2. Also, is ProtonVPN such a stronger contender than the rest of the field
that Mozilla would endorse them?

3. And what is Mozilla's final relationship between you and ProtonVPN? Why
are they relevant as a middleman?

~~~
Yoric
It's actually exactly the same price, if you untick the "Annually" button on
the ProtonVPN page.

Also, Mozilla actually audited ProtonVPN. I have no idea whether any other VPNs
have been audited by independent third-parties.

------
kgwxd
I assume this still works at the network level and not the browser level? If
so, the association with Firefox is just confusing things. If not, it's dumb.

------
AndrewConn
I started using ProtonVPN in the last few weeks. If you run Little Snitch, you
can see they're sending data to Google Crashlytics. Doesn't inspire
confidence.
[https://www.dropbox.com/s/t5ciujv55g7l2dj/ProtonVPN-Google-C...](https://www.dropbox.com/s/t5ciujv55g7l2dj/ProtonVPN-Google-Crashlytics.jpg?dl=0)

~~~
Kaveren
They confirmed this [0]. I don't like it, but I don't think it's the worst
thing in the world if there's no user data being sent.

[0]
[https://www.reddit.com/r/ProtonVPN/comments/a0qiuu/protonvpn...](https://www.reddit.com/r/ProtonVPN/comments/a0qiuu/protonvpn_app_for_os_x_questions_regarding/eamstn5/?context=0)

~~~
AndrewConn
Good to know - thanks! As a privacy company, it seems like a very odd decision
by the ProtonVPN product team to use a Google service in the first place and
have their brand anywhere close to Google... a company that is the exact
opposite of privacy. Regardless, definitely glad they're fixing it.

------
portmanteaufu
I was really bummed to see that the partnership only allowed you to subscribe
to ProtonVPN at the full $10 per month price. It's $8 per month if you
subscribe for a year and $4 per month if you get the Black Friday / Cyber
Monday deal. I would love to support Mozilla this way, but I would also like
to benefit from a 60% discount.

------
yarrel
If you want to see this page from outside the US, you'll need a VPN. :-)

------
silon42
Do these services actually provide a (virtual) private network? For example:
can I see my home machine and my phone on the same private network? And then
connect them using ssh/scp?

~~~
velcrovan
First question: yes, they provide a virtual private network between you and
the service endpoint.

Second question: no, it's not a general-purpose VPN. It's purely for cloaking
traffic to and from anywhere on the internet.

~~~
0-_-0
Is there a service that can do the second?

~~~
krisnelson
ZeroTier ([https://www.zerotier.com/](https://www.zerotier.com/) ) does this.
I use it successfully on Windows, Linux, Mac. I've heard positive things about
Tinc as well ([https://tinc-vpn.org/](https://tinc-vpn.org/)).

------
markstos
If you click Subscribe, you'll see the money goes through Firefox. Why not
point directly to Proton's own subscription page?

