
ProtonVPN and NordVPN Bugs Left Windows Vulnerable to Hackers - axiomdata316
https://www.pcmag.com/news/363619/protonvpn-and-nordvpn-bugs-left-windows-vulnerable-to-hacker
======
dguido
And people always criticize me for avoiding OpenVPN in AlgoVPN. Here's the
entry from my FAQ:

OpenVPN does not have out-of-the-box client support on any major desktop or
mobile operating system. This introduces user experience issues and requires
the user to update and maintain the software themselves. OpenVPN depends on
the security of TLS, both the protocol and its implementations, and we simply
trust the server less due to past security incidents.

source:
[https://github.com/trailofbits/algo/blob/master/docs/faq.md#...](https://github.com/trailofbits/algo/blob/master/docs/faq.md#why-
arent-you-using-openvpn)

Stop using OpenVPN! Use whatever client ships with your operating system for
IPSEC or use Wireguard.

------
craftyguy
> Hackers could have used the bugs to execute code via an OpenVPN exploit

That seems to imply it's not specific to ProtonVPN and NordVPN, but _any_ VPN
service (including self-hosted) using OpenVPN...

~~~
Dylan16807
Normal OpenVPN puts the configs inside Program Files.

~~~
craftyguy
I see, thanks for the clarification.

I don't use Windows, but putting configs in Program Files seems just.. weird.
It would be like putting user configs under /usr/share or /bin on Linux, I
would think.

~~~
Dylan16807
It's an admin-controlled config, so it's kind of like /etc. Windows has
separation for user configs, but per-system stuff is all a mess.

------
RantMan
Not even surprised. I have had issues as well with the premium VPN brands such
as Nord and Express related to logs. I use Ivacy VPN now. Its far cheaper and
so far haven't troubled me in any way. Ivacy VPN: www.ivacy.com

------
retox
Non-AMP link; [https://www.pcmag.com/news/363619/protonvpn-and-nordvpn-
bugs...](https://www.pcmag.com/news/363619/protonvpn-and-nordvpn-bugs-left-
windows-vulnerable-to-hacker)

~~~
craftyguy
I know folks around here hate AMP stuff, but tell me which one of these is
more readable than the other:
[https://imgtc.com/a/XyS61Ej](https://imgtc.com/a/XyS61Ej)

~~~
client4
My hate for walled gardens exceeds my annoyance at non-optimized mobile sites
;)

~~~
craftyguy
I actually agree with you. My point is not that the original is not optimized
for mobile, but that it sucks hard for desktop.

I wish there were an open, non-AMP way to remove the crap that AMP removes.

~~~
kijin
Reader view on Firefox does this beautifully without the need for any
middleman. Client-side solutions are the way to go.

------
solomondrix
But this is old news and that vulnerability is already fixed, at least in
NordVPN. Here's a blog post explaining it: [https://nordvpn.com/blog/cve-
vulnerability/](https://nordvpn.com/blog/cve-vulnerability/)

