
TunnelBear Publishes Security Audit - benjyclay
https://www.tunnelbear.com/blog/tunnelbear_public_security_audit/
======
orf
Report PDF: [https://cure53.de/summary-report_tunnelbear.pdf](https://cure53.de/summary-report_tunnelbear.pdf)

The test looks good, down from 3 criticals and 3 high to just 1 high. I'd be
interested if they could expand on the 4 medium findings found. It's not the
full report.

~~~
codefined
It appears to be down from 3 criticals and _3 high_ , not 1 high?

~~~
orf
Fixed, thanks :)

------
minxomat
Some time ago, I decompiled the Windows client and presented my findings here:
[https://hackernoon.com/poking-the-bear-is-tunnelbears-client...](https://hackernoon.com/poking-the-bear-is-tunnelbears-client-safe-to-use-5960f756f4ea)

~~~
molestrangler
I still have issues with a VPN provider who insists on using their VPN client.

~~~
bg0
Are there any nice free VPN clients out there? I haven't been very lucky in
finding any in the OS X realm.

~~~
fancy_pantser
You can use the MacOS Network settings to connect to most types of VPN (hit
"+" and fill in the forms to add a new connection). For free, open-source
clients, Tunnelblick is very common.

~~~
xorbyte
macOS and iOS don't support OpenVPN with the built-in client. You can use
strongSwan-based VPNs (e.g., as would be deployed through Algo) or Cisco, but
for OpenVPN you'll need a custom client which, unfortunately, very likely
brings along its own .kext.

~~~
X-Istence
Tunnelblick comes with a tun/tap kext that is signed. This is not required on
systems where Apple already has tun/tap support compiled in (not sure when
that started, but it's been a long time).

From the known issues page:

"If you are running on OS X 10.6.8 or higher and using OpenVPN 2.3.4 or higher
and using a TUN device, the default Tunnelblick setting to "Load Tun
Automatically" (on the "Advanced" settings window) will avoid this problem by
not loading the tun kext — OS X's built-in "utun" device will be used instead
of a "tun" device."

------
huhtenberg
Can official binaries be independently reproduced from published sources by
members of the public?

If no, then an audit has little to no value as it still implies trusting the
vendor not to fudge the binaries or, more broadly, be malicious.

~~~
lfam
I think your judgment is too harsh.

Very few software deployment systems make it possible for binaries to be
independently reproduced from published sources by the public. AFAIK, it's
limited to systems like Nix, Guix, recent Debian, and other participants in
the Reproducible Builds project.

However, even within those systems, if you are downloading a compiled binary
instead of building it yourself, how can you be sure that you get the "right"
binary every time? Does the binary download system periodically "challenge"
the binary provider by building from source and comparing with the downloaded
binary? If so, does it report its findings anywhere?

It seems to me that even within a software deployment system that enables
users to reproduce binaries, you still end up trusting whoever runs the
deployment system, because there are no methods of challenging the
reproducibility in a meaningful way. The systems I mentioned above sign the
binaries, which means that you implicitly trust the holder of the signing key
to send you the right binary. But it doesn't mean anything about the
relationship of the binary to some source code.

Having said that, if I am using some program by downloading binaries, I am
trusting whoever provides the binaries. If I trust them, then a source code
audit is valuable to me, even though I can't be sure the compiled binary is
related to the source code.
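
The "challenge" the comment above asks about, as an added example that is not part of the comment or of any real deployment system: an independent client rebuilds from source under a pinned environment, hashes the result, and compares it against the vendor's binary and against reports from other rebuilders. The toy compiler, the `SOURCE_DATE_EPOCH` handling and the quorum rule are assumptions made for illustration; only the SHA-256 comparison is the real mechanism.

```python
import hashlib
from dataclasses import dataclass


def sha256_hex(data: bytes) -> str:
    """Content digest used to compare build outputs."""
    return hashlib.sha256(data).hexdigest()


def toy_build(source: bytes, env: dict) -> bytes:
    """Assumed stand-in for a compiler. It mirrors a common reproducibility
    defect: the build time is embedded in the output unless the builder pins
    SOURCE_DATE_EPOCH, so two honest builds at different times still differ."""
    stamp = env.get("SOURCE_DATE_EPOCH", env["wall_clock"])
    return source + b"\n# built-at:" + str(stamp).encode() + b"\n"


@dataclass
class RebuildReport:
    """Digest reported by one independent rebuilder (constructed sample data)."""
    rebuilder: str
    digest: str


def challenge(vendor_binary: bytes, source: bytes, env: dict,
              reports: list, quorum: int) -> dict:
    """Rebuild locally, then decide whether the vendor binary is reproducible.

    Verdicts:
      "reproducible"  - local build and at least `quorum` rebuilders match the vendor
      "unverified"    - local build matches but too few rebuilders agree
      "mismatch"      - local build (or rebuilders) disagree with the vendor binary
    """
    vendor_digest = sha256_hex(vendor_binary)
    local_digest = sha256_hex(toy_build(source, env))
    agreeing = [r.rebuilder for r in reports if r.digest == vendor_digest]
    dissenting = [r.rebuilder for r in reports if r.digest != vendor_digest]

    if local_digest != vendor_digest or dissenting:
        verdict = "mismatch"
    elif len(agreeing) >= quorum:
        verdict = "reproducible"
    else:
        verdict = "unverified"
    return {
        "verdict": verdict,
        "vendor_digest": vendor_digest,
        "local_digest": local_digest,
        "agreeing": agreeing,
        "dissenting": dissenting,
    }


# Constructed scenario: the vendor ships a build made with a pinned epoch.
SOURCE = b"int main(void) { return 0; }"
PINNED_ENV = {"SOURCE_DATE_EPOCH": 1500000000, "wall_clock": 1500000000}
VENDOR_BINARY = toy_build(SOURCE, PINNED_ENV)
VENDOR_DIGEST = sha256_hex(VENDOR_BINARY)


def scenario_pinned() -> dict:
    """Everyone pins SOURCE_DATE_EPOCH: builds agree, quorum of 2 reached."""
    reports = [RebuildReport("rebuilder-a", VENDOR_DIGEST),
               RebuildReport("rebuilder-b", VENDOR_DIGEST)]
    env = {"SOURCE_DATE_EPOCH": 1500000000, "wall_clock": 1600000000}
    return challenge(VENDOR_BINARY, SOURCE, env, reports, quorum=2)


def scenario_unpinned() -> dict:
    """Local builder forgets to pin the epoch: honest source, but a mismatch,
    which is exactly the noise a real challenge process has to rule out first."""
    reports = [RebuildReport("rebuilder-a", VENDOR_DIGEST)]
    env = {"wall_clock": 1600000000}
    return challenge(VENDOR_BINARY, SOURCE, env, reports, quorum=1)


def scenario_tampered() -> dict:
    """Vendor binary differs from what the source produces: rebuilders dissent."""
    tampered = VENDOR_BINARY + b"# extra code not in the published source\n"
    reports = [RebuildReport("rebuilder-a", VENDOR_DIGEST)]
    return challenge(tampered, SOURCE, PINNED_ENV, reports, quorum=1)


if __name__ == "__main__":
    for name, fn in [("pinned", scenario_pinned), ("unpinned", scenario_unpinned),
                     ("tampered", scenario_tampered)]:
        print(name, fn()["verdict"])
```

The point of the three scenarios is that a mismatch alone does not prove a malicious vendor: the unpinned build shows an honest environmental difference, so a real challenge system has to normalize the build environment before a disagreement means anything, and it still only proves the binary matches the source, not that the source is trustworthy.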

~~~
huhtenberg
There's NO value in 3rd party vouching for the security (read, quality) of
some specific version of the software, because this opinion will be rendered
null and void with the next software update.

There is some value in a 3rd party verifying the system design (the
architecture, the protocol, etc.) and general engineering practices in the
company, but this still hinges on the need to trust this company not to be (or
be coerced into being) malicious. TunnelBear hasn't established the latter, so
yes, there's little to no value in the former. There is some marketing value in it,
though.

PS. Zimmermann's original secure VoIP project was rooted in the idea of
reproducible builds. It was open source, but with a license that prohibited
any use except for verifying binary builds. It was 20 (?) years ago.

~~~
michaelmior
"NO value" is a huge stretch IMO. Sure, it's entirely possible for gaping
security holes to be introduced in future releases, but if past versions have
been consistently vouched for as secure, that's still going to increase my
confidence in future versions being secure. Or if I'm paranoid, then where
possible I can just stick to a specific version which has been vouched for as
secure.

------
brndnmtthws
TunnelBear is a great product, one which I've been using for a few years, and
I trust them with my business. I wish services like Netflix didn't blacklist
their IPs, but it's easy enough to get content off alternative sites when I'm
traveling outside the US.

Thanks for the good work!

~~~
sunsetMurk
What do you do when you want to watch Netflix while traveling outside of the
US?

~~~
pandemicsyn
I just used Cloak while in Poland a few weeks ago with HBO Go (don't think I
watched any Netflix).

~~~
sunsetMurk
Thanks, I'm going to try that. I'm in Italy right now and a show I was
watching isn't available!

------
sigjuice
The claims of transparency would be a bit more meaningful if they simply
published their source code. It is hard to imagine anything too precious to
disclose in the code.

Instead what we have is a pdf (4 pages long) with the title "TunnelBear
Security Assessment Summary 07.2017" and an equally long web page claiming how
awesome and transparent this is.

------
aphextron
Never trust a 3rd party VPN for anything sensitive ever, period. Words of
assurance and "security audits" are completely meaningless. HTTPS interception
and forwarding is a trivial thing to do. Members of the public who are unable to
set up their own VPN will have to accept that everything they do is now being
monitored by a random internet company rather than their ISP.

There can be some use for these services if you are very careful with
everything you do while connected. But the risk of transmitting usernames,
emails, passwords, and CC numbers accidentally while still connected is too
great IMO.

~~~
ehxcaet
I'd rather give my internet traffic to a company that doesn't sell my info
versus my ISP, which almost certainly would sell my info.

~~~
drdaeman
A VPN provider is no different than an ISP.

Seriously. Both get paid and provide Internet connectivity. Both have
incentives to do something to your traffic, provided it has no negative
consequences (financial, legal or just moral) for them.

The only non-technical difference is that VPNs have a lot of competition (so
the free market actually works) and _in some countries/areas_ telcos have near-
monopolistic positions.

That doesn't mean that VPNs are universal friends of your privacy and ISPs are
its foes. Just that there is some imbalance.

~~~
ehxcaet
Yeah, I agree. I don't think there's an intrinsic good guy/bad guy. But I have
pretty much zero faith in ISPs in Canada. Maybe it's better where you live.

------
ericzawo
Tunnelbear is a dead-simple VPN (like, "so easy Mom can do it" simple) and
their branding is killer. Who doesn't love cuddly privacy bears?

------
preinheimer
GetCloak has also done a 3rd party audit, and is planning their next one:
[https://support.getcloak.com/faq/technology/#have-you-had-an...](https://support.getcloak.com/faq/technology/#have-you-had-any-third-party-security-audits)

~~~
ehxcaet
Are there results anywhere? Can't seem to find anything on their link to
[https://www.securityinnovation.com/](https://www.securityinnovation.com/)

------
5706906c06c
Great, what happens to the release iterations between now and when the next
test is going to be conducted? Show me the build logs, what changes, etc.

------
clamprecht
Is there some way to be notified of a TunnelBear ownership change? For
example, if Facebook buys them, how would we know?

~~~
iraklism
Google news alerts. Alternatively you can pay someone to do it for you.

------
cJ0th
OFFTOPIC: Does anyone know whether TunnelBear will be available for Linux (or
at least Firefox) one day?

~~~
melanus
[https://www.tunnelbear.com/blog/linux_support/](https://www.tunnelbear.com/blog/linux_support/)

Their Linux support is limited (i.e. no client), but it is there. You just need
to do the configuration (somewhat) manually. It worked pretty well when I used it
a few months ago on my Mint box.

------
tolgahanuzun
Ironic, I can't even enter the TunnelBear website in my country (Turkey). :/

