
ProtonVPN - endijs
https://protonvpn.com/blog/free-vpn-service-launch/
======
hedora
I have mixed feelings about protonmail. On the one hand, they tend to be on
the right side of political / legal issues, and this transparency report is
nice:

[https://protonmail.com/blog/transparency-
report/](https://protonmail.com/blog/transparency-report/)

On the other hand, they recently reduced the level of detail in the
transparency report.

There is also the fact that they are Swiss, and their privacy laws were
severely weakened by a recent referendum. In particular, the Swiss government
can now monitor all cross border traffic without a warrant.

ProtonMail fought the referendum, but hasn't updated this "Why Switzerland?"
page:

[https://protonmail.com/blog/switzerland/](https://protonmail.com/blog/switzerland/)

They also haven't moved to a more appropriate legal jurisdiction.

[edit: clarify links]

~~~
gtirloni
What would be a good jurisdiction for them?

~~~
AdamN
Germany has very strong privacy laws which is one of the reasons Amazon
dropped an AWS region there. Customers are paying a premium for the
jurisdiction.

~~~
chrisseaton
If customers are paying a premium why would Amazon drop the region? Were the
privacy laws too complex for them?

~~~
nawgszy
I think he means "dropped" as in "the rapper dropped his mixtape today", not
as in "the service provider dropped their service due to lack of
profitability".

~~~
chrisseaton
Well that's confusing :) Given your example is out of context and counter-
example is perfectly in context.

~~~
nawgszy
Yes, because I agreed with you that it was perhaps a poor time for a
colloquial usage of "dropped" considering that, in the context, it was fairly
likely to be interpreted as my counter-example, or your initial
interpretation.

I'd like to think my wording was completely unambiguous to make up for any
context-switching your brain might have tried to pull on you, and if not I
apologize.

------
vgfgtffcf
I would be interested in hearing what the security pros think about
this..tptacek, grugq, dguido, idlewords. At this point, these are the guys I
trust with security advice.

Worth mentioning their VPN recommendations: algo by trailofbits and freedome.
There is another paid service they recommend but I can't recall the name.

~~~
dsacco
I have a few concerns about the cryptosystem.

First of all, there does not appear to be a whitepaper available that
describes the security architecture in any detail. This is an immediate red
flag.

Second, they do have a "Security Features" page which is rather light on the
details; it mentions that ProtonVPN uses AES-256 (encryption), RSA 2048 (key
exchange) and HMAC-SHA256 (auth).

I'll start with RSA: the fact that they use RSA at all for a new cryptosystem
in 2017 is a red flag for me. I also can't see any details of how they use
RSA, so I don't know if they have implemented padding. If they haven't
implemented padding (and done so correctly!), the VPN is insecure and we can
stop right here. Honestly, they should be using ECC. I'm assuming they're not
using something like ECDSA because RSA is faster (but not so much so to
justify the potential security tradeoff, even in a VPN client).

On to AES: they commit the common marketing-mandated-security-page sin of
focusing on the key size instead of the block cipher mode. They don't explain
which block cipher mode they're using for AES at all - another red flag. For
all I know they're using ECB (in which case, the VPN is insecure and we can
stop right here). This is putting aside the question of whether or not they
correctly implemented AES in whatever mode they're using.

With regards to HMAC-SHA256: in theory this is fine, but again we have no
details. I'm going to go ahead and dock another point here because they're
choosing to use separate primitives for encryption and authentication, when
the best practice would be to use authenticated encryption like AES-GCM or
AES-CCM. I admit this is bikeshedding a bit: respectable cryptographers (like
cperciva) have a preference for separate construction. However, this _is_ a
VPN we're talking about, and an authenticated encryption mode would be faster
than separate encryption and authentication.

A few caveats to my points: I'm quarterbacking their cryptosystem design based
on one paragraph of the security page, because that's all I can find that
describes their crypto. It doesn't describe it in detail, so it _might_ still
be secure. I have no knowledge of their implementation, so I can't critique
that. That said, if I had to weigh the red flags I've observed here against
their "developed by scientists from MIT and CERN" marketing and nothing else,
the red flags win out.

~~~
chimbosonic
If you download the ovpn config file you can see what crypto they employ.
According to the ovpn config file for Android it's AES-256-CBC and auth is
done with SHA512 hope this helps.

------
tptacek
Using public commercial VPN providers for serious security/privacy is a very
bad idea. Get someone to set up Trail of Bits "Algo" for you (or do it
yourself, if you're comfortable with Ansible).

~~~
aktau
Looking at Algo ([https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-
th...](https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-
works/)), it seems like it provides an easy way to setup a (secure) VPN on a
piece of hardware you own or one of the supported public clouds. In that
respect, I'm not sure if it gives a lot of privacy. As you're the only one
using that VPN, the traffic may not be too hard to trace back to you.

~~~
problems
Algo isn't that much better than any other VPN - arguably it's slightly better
security wise, though I'd argue Wireguard tops it by far on cipher choices and
security margins.

Ultimately VPNs just aren't for hiding anything that could cause you
significant problems. If you want that, Tor, i2p, or piles of hacked boxes are
your only options really if you must interact with the clearnet.

~~~
Loony2
The security of Wireguard is completely unknown. Sure, it might be more secure
after a formal release and a security evaluation.

They even state themselves that they should not be used if security is
required.

~~~
tptacek
I don't know anyone working in the field who believes Wireguard is likely to
be _less_ secure than StrongSwan or OpenVPN, and Wireguard is something that
gets talked about _a lot_.

It's early days for Wireguard, to be sure, but it's one of the most promising
security projects there is right now.

~~~
Loony2
I work in the field and anybody that says that a piece of software is secure
before it has even had a security evaluation by a third party does not know
what they are talking about.

I think what you have seen is security people saying that the design of
Wireguard seems to be equal or better than other, current, options, that
doesn't mean that the implementation is just yet.

~~~
tptacek
I've spent my career doing third-party software security evaluations --- among
other things, I founded the NCC Cryptography Services practice --- and I will
tell you right now that the Wireguard security story is far more compelling
than any third-party audit.

It's not simply the protocol design, which is superior in pretty much every
conceivable way to IKE or TLS, but also the code, which is carefully written
to minimize attack surface and increase reviewability.

Choosing OpenVPN or StrongSWAN over WireGuard to minimize exposure to
vulnerabilities would be a dumb bet. Sometimes dumb bets pay off, but it's
still dumb to make them.

~~~
jwfxpr
Could you unpack your statement about the careful code writing, or link to an
explanation? We would usually expect a formal third-party audit to
substantiate such a claim, but if there is other good evidence for their
code's secure implementation I'd love to see it.

~~~
tptacek
First, I'm going to try not to go into this in detail right now, but HN has
very weird ideas about the potency of third-party code audits, particularly
for things involving cryptography. A short summary: most third-party audits of
cryptographic software written in systems languages don't accomplish anything.
Most crypto software you depend on has never had a full-coverage audit from
third-party auditors qualified to evaluate crypto.

You can watch any talk about WireGuard to see what I mean about the way
WireGuard's code is written, but the short answer is that the thing was
designed from the bottom up to be simple. WireGuard's feature selection was
influenced strongly by what would keep the codebase smaller and easier to
review. It was also designed to simplify the object lifecycle inside the code
itself. All its state is preallocated at initialization.

WireGuard's cryptography is essentially an instantiation of Trevor Perrin's
Noise framework. It's modern and, again, simple. Every other VPN option is a
mess of negotiation and handshaking and complicated state machines. WireGuard
is like the Signal/Axolotl of VPNs, except it's _much_ simpler and easier to
reason about (cryptographically, in this case) than double ratchet messaging
protocols.

It is basically the qmail of VPN software.

And it's ~4000 lines of code. It is plural orders of magnitude smaller than
its competitors.

WireGuard isn't a panacea. In particular: clientside support for it isn't
there yet! But it's pretty clear to me at least that WireGuard should
_imminently_ be replacing OpenVPN and IPSEC.

~~~
jwfxpr
That's an excellent brief answer, thank you for your perspective and time!

------
saintfiends
How does this compare to TunnelBear [1]?

\- TunnelBear is a bit more expensive (4.99$/mo, paid annually vs 4$/mo).

\- TunnelBear supports up to 5 connections per account vs 2.

I use TunnelBear regularly for my browser and phone. Both works great.

My subscription is going to expire soon and I'll be open to try other VPN
providers, not that there is anything wrong with TunnelBear. Any
recommendations?

This site [2] has feature comparisons but experience using VPN services is
another story.

[1] [https://www.tunnelbear.com/](https://www.tunnelbear.com/) [2]
[https://thatoneprivacysite.net/vpn-
section/](https://thatoneprivacysite.net/vpn-section/)

~~~
tyoma
HN gets regular "what VPN should I use?" questions and my answer is always the
same: Algo [1]. It is designed to be simple to set up, simple to tear down,
and usable with numerous cloud providers or your own Linux server.

[1] [https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
chc
In terms of privacy, doesn't it kind of let the cat out of the bag if you host
your own VPN server? It's not your home address, but it's still just as much
an address associated with you, isn't it?

~~~
rbritton
It's less private for some forms of traffic, but for me, my main goal is to
avoid ISP tracking and provide encryption on potentially malicious networks,
which it works well enough for.

~~~
DKnoll
Your ISP in the DC, the DC itself, whoever owns the box your VPS is on or your
fellow tenants could be malicious.

------
newscracker
The free tier is in a waiting list right now. I thought I shouldn't try the
paid one without getting a feel for how good and fast the service is (had bad
experiences with another highly popular VPN provider in the past and canceled
within a few days).

I also wondered why ProtonVPN doesn't list any trial period in the paid plans.
So I went to the support page and found that it has nothing about payment,
trials and cancellations. I then went to the Terms of Service page [1] and
found that one can cancel within 14 days and get a full refund. If anyone from
ProtonVPN is reading this, please move this information to the signup page and
also list it on your support pages. Those are the places for this important
piece of information. _Almost nobody reads the terms of use on any website._

Quote from the Terms of Service page (typo "Guaranty" ought to be
"Guarantee"):

 _> Money Back Guaranty

> You may cancel your account with a full refund within 14 days of the initial
> purchase. Refunds or credits beyond the 14 day window will be considered,
> but at the sole discretion of ProtonVPN. The Company is only obligated to
> refund in the original currency of payment and refunds will be processed
> within 14 days of the request. To request a refund under our Money Back
> Guarantee, send an email with your request to support@protonvpn.com._

[1]: [https://protonvpn.com/terms-and-conditions](https://protonvpn.com/terms-
and-conditions)

~~~
marcopol
You can test the Plus account by signing up for the Free plan on the Windows
client. You have 7 days Plus ProtonVPN trial
[https://protonvpn.com/](https://protonvpn.com/)

------
simonvc
Great that there's more options out there. Will there be an option to signup
over TOR, and pay with ETH or BTC?

I run free privacy/security classes for journalists, and some of them have
said that their sources can't use paid VPNs because they're afraid of the
purchase showing up on their credit card statement.

TOR is great, but doesn't yet work for things like video chat (yes i tell them
not to use Skype...)

~~~
Kroniker
Looks like they accept CC, paypal, and BTC, no ETH yet.

~~~
simonvc
It only shows CC and Paypal for me :thinkingface:

~~~
Kroniker
Strange. I'm finding the page via the "upgrade" tab of my protonmail, maybe
they don't accept BTC for exclusively VPN?

Looks like they also accept "Cash" if you contact them.

------
shaggyfrog
Would you trust a service that knowingly pays ransoms to protect your personal
data when it really counts?

[https://arstechnica.com/security/2015/11/crypto-e-mail-
servi...](https://arstechnica.com/security/2015/11/crypto-e-mail-service-
pays-6000-ransom-gets-taken-out-by-ddos-anyway/)

~~~
teekert
Come on, that was a stress situation, their data center was shared and many
other companies were feeling the pain. Yes I would also tell them "don't do
it", but they made a decision under very high pressure from many sides at
once. They since started protecting themselves and I'm sure they won't pay
anymore now. I don't see why people keep bringing this up with all the
positive things they also do.

By the way, the party that initiated the ddos did stop the attack but a much
bigger one took over. Probably state sponsored.

------
atmosx
Looks the time has come for a small country to create a _data haven_ like the
fictional _Sultanate of Kinakuta_. I believe that the idea will attract
foreign investment quickly.

~~~
ryaneager
It doesn't need to be a country. Just get some container ships, sail to
international waters dragging a fiber cable with you and bam, data haven. You
could also operate as a secure key storage. No worries about governments
requesting keys as there is no government.

~~~
illumin8
Yes, but it's fairly trivial to drop a "Seal Team 6" in and physically seize
whatever they want, or just sabotage your equipment. Also, they could pressure
your mainland circuit provider, or simply cut your cable every time you
repaired it, which would put you out of business fairly quickly.

I'm not sure a data haven works unless you have a sovereign military that can
defend itself against the rest of the world (good luck!)...

~~~
ScalaFan
A satellite in geosync orbit? Sure, much smaller but definitely harder to
reach.

~~~
illumin8
Good idea, but any government that can launch satellites can also shoot them
down. It's actually much easier to shoot one down than it is to launch one in
the first place.

~~~
nyolfen
blowing up a satellite in orbit is a _massive_ escalation over even something
like a commando raid -- i believe it would qualify as a violation of outer
space treaty as well. a great deal of 'space junk' was generated by china's
(one, individual) test of an antisatellite missile in 2011, and it caught a
lot of critical international attention over it because it puts other
satellites in danger -- thousands of tiny pieces zipping around like a 3d
minefield. this hazard would potentially apply to US military satellites as
well.

besides this: there are many, many ways to spy on satellites. the US is
believed to have at least one satellite that sits 'above' a major middle
eastern comms satellite with a football field-sized antenna, passively
snooping everything shot at it. you can encrypt it, sure, but do you have high
enough trust in your crypto implementations to deal with an adversary like
that?

what i'm getting at is, i don't think they would shoot down the satellite.

------
teknologist
Does anyone know why they require existing ProtonMail users to enter their
account's password AND the decryption password? Fair enough, they're linking
my account, they require the account password. But the key that encrypts the
email data too?

~~~
bartbutler
Your access token to the service is encrypted with your primary public key as
an extra security measure, thus your client needs to decrypt it to use it.

~~~
teknologist
OK, makes sense. Thanks!

It might be a good idea to mention that on the page as (I'd guess) many tech
literate people use the service.

------
blunte
Too bad they're focused on new and shiny at the expense of real (paying) email
users. After a year of Visionary, I finally went back to Google. PM just isn't
designed for large mailboxes, real search, or navigation. Plus they still have
not provided any way for you to export your emails out. They're locked up
forever, unless you want to forward each one, one at a time.

~~~
vabmit
Search has been dramatically improved. Difficulties with large mailboxes are
often a complex function of many variables with things like client side
javascript decryption speeds often playing a large role. While testing is done
with large mailboxes as part of the development process, the ultimate solution
for people with extremely large boxes will likely be the use of the Bridge
program with an IMAP mail client such as Microsoft Outlook. There are
unofficial export programs available that call pull all mail out through
Proton's API. An official, supported, export (and import) program is planned
for the future.

~~~
blunte
Unless this was introduced within the last couple of months, I never had the
option to do IMAP. I wanted it... I would have happily offloaded all that to a
local mail client. Plus I would now possess copies of all my email for the
year.

------
Tepix
With the small number of nodes they can offer (compared to the tor network
exit nodes), traffic analysis seems relatively easy, especially with standard
VPN software that may have no fake traffic generator capability.

------
zx2c4
From their security page: "We exclusively use VPN protocols which are known to
be secure (OpenVPN and IKEv2)."

OpenVPN and IKE both have terrible track records in terms of implementation
security.

------
mnm1
I've been using the beta now for many months. For my use case--hiding from
ISPs / other malicious non-government actors who want my IP--it's been pretty
good and plenty fast. Not really sure what they plan to do with our beta
plans, but I'd pay a couple of bucks a month for their speed / reliability
(haven't been knocked off once). Or maybe this is just normal service and all
the other VPNs I've tried in the past have been shit. Hard to tell really.

------
Veratyr
For anyone wondering, their speed claims aren't inaccurate. I ran a quick
iperf test on a server in Hurricane Electric Fremont 2 with a gigabit port and
it did ~500Mbit/s. DSLReports backs it up:
[http://www.dslreports.com/speedtest/17167172](http://www.dslreports.com/speedtest/17167172)

This was to their us-07 server in SF.

------
homakov
What are security features of their VPN or email that are not in other VPNs or
emails, that I can measure? I.e. I don't care how military grade is their
server side encryption or I don't care that they decrypt in my JS, as long as
threat model remains the same.

What they changed in the model? Is it trustless?

------
chippy
I'd pay for a VPN with integrated tracker / ad blocking. I currently have a
low cost VPS with a VPN where I set the hosts with a couple of block lists,
but I think it could be good to have a proper VPN service with that option.

The reason is using it on mobile unlocked devices, rather than desktop.

------
bitL
Anyone knows how to use Protonmail to send/receive attachments encrypted by a
different PGP key than Protonmail uses for one's account? It never allows to
download such an attachment and I surely won't upload my private key there...

~~~
vabmit
Please report your difficulties to the Support Team:
[https://protonmail.com/support-form](https://protonmail.com/support-form) You
don't need to be a paid user to do this. They will respond to your ticket. I
have done this before - some time ago. But, perhaps a bug was introduced
somewhere in the code or there is some other issue that you are running into
(perhaps some configuration with the local platform). It should be possible
and work correctly.

------
sjclemmy
A bit OT, but the kerning on the headline font in iOS safari is awful,
especially between the 'o' and 'w'. It looks like a 'missing' font in a PDF.

------
pacuna
I'm currently using hide.me under Linux and even though the speed is great, I
have issues all the time. Will try this during this month to see how it
compares.

------
vr46
Been using the beta for a while now, it's been excellent to the extent that I
leave it permanently on, even for watching video. Will be subscribing.

------
zsj
I saw that they use OpenVPN protocol[1], then I stopped reading other things.
Although the encrypted connections can not be decrypted, the OpenVPN protocol
is easy to be detected and banned in some highly censored network.

I recommends the shadowsocks protocol[2] which I used in the censored network,
which is hard to be detected and decrypted.

[1] [https://protonvpn.com/secure-vpn](https://protonvpn.com/secure-vpn)

[2] [https://github.com/shadowsocks](https://github.com/shadowsocks)

~~~
Tepix
Not everyone has to fear censorship, there's a market for people who "merely"
want to evade tracking and mass surveillance.

------
akerro
ProtonMail is doing what I expected Mozilla would do. I expected Mozilla to
promote online privacy with their browser and Tor nodes and more...

~~~
brians
Mozilla's made a couple of bet-the-company decisions in the last couple years,
including Firefox OS and the phone. Given the results of those, it's a miracle
of luck and effective management that they're still in business.

But that would be another bet-the-company prospect, and I don't see them
likely to try that for a couple years.

~~~
eugeniub
Their non-profit model probably helped.

------
sandGorgon
I wish they would add dedicated IP option. We need a dedicated IP address to
test whitelisted API callbacks.

------
tjbiddle
Free VPN? Not a single reference to their log retention policy in this
release.

~~~
sbouafif
In their pricing page

"ProtonVPN is a no logs VPN service. We do not track or record your internet
activity, and therefore, we are unable to disclose this information to third
parties."

[https://protonvpn.com/pricing](https://protonvpn.com/pricing)

------
rebelidealist
Will this work in China?

------
nthcolumn
what a dreadful buggy site, failed to signup. gives up as does not auger well
for the reliability of the service. is it some pointless phishing thing?

~~~
bdcravens
Their reputation is well established. Possible the site is under heavy load.

~~~
nthcolumn
hmm ok benefit of doubt given - refused every possible username and does not
say what is wrong with them, did not appear to work, then did unexpectedly,
then tried username recovery but got 404s. Genuinely I'd never heard of them
before now so I was like - 'wait what is there something else going on? like
some shell thing posted to hackernews'...

I just tried again and it completed and is working okay now - bit of a fiddly
registration process but actual vpn seems to pretty good and there are lots of
endpoints, so great too.

