Hacker News
When Proxies Lie: Verifying Locations of Proxies with Active Geolocation (2018) [pdf] (sigcomm.org)
36 points by tptacek 21 days ago | 12 comments

So if the VPN providers are not entirely honest about where their servers actually are, what about their other claims, such as no logging?

They can submit to independent audit. ExpressVPN and IVPN have been audited by Cure53.[0,1]

0) https://www.expressvpn.com/blog/browser-extension-audit-and-...

1) https://www.ivpn.net/blog/ivpn-no-logging-claim-verified-by-...

Devil's advocate. A VPN provider competent enough could make it appear they aren't logging during the time of an audit and then go "back to normal" afterwards.

True, but I've known Nick Pestell (IVPN CEO) for several years, and am confident about his integrity.

One note from the IVPN report is telling--not so much about IVPN, but of the limitations of an audit:

> While Cure53 has faith in the proper handling of privacy and the absence of logging on the IVPN project, the auditors empirically only confirm that the systems that they had access to displayed no evidence of logging.

Also keep in mind that the audit specifies the situation at a single point in time. There is no way to tell if things changed the next month. Or if law enforcement installed something that nobody could talk about.

I would be interested to see a traceroute on the ones that don’t match the continent. While it’s far from accurate, I have had good success at geolocating IPs based on rDNS of transit/ISPs.
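The traceroute/rDNS check suggested in the comment above, sketched as an added example that is not part of the thread or the paper: it pulls location codes out of the reverse-DNS names of transit hops and compares the last located hop with the claimed continent. The hostnames, addresses and the small code table are constructed assumptions; rDNS names are set by operators and can be stale or wrong, so a mismatch is a reason to look closer, not proof.

```python
import re

# Small constructed lookup of location codes seen in router hostnames
# (assumption: real use needs a much larger, operator-specific table).
CODES = {
    "fra": ("Frankfurt", "EU"), "ams": ("Amsterdam", "EU"),
    "lon": ("London", "EU"), "nyc": ("New York", "NA"),
    "sjc": ("San Jose", "NA"), "sin": ("Singapore", "AS"),
}

# Constructed traceroute output; hostnames and addresses are not real.
SAMPLE = """\
 1  gw.example.net (192.0.2.1)  1.2 ms
 2  ae1.cr1.fra02.transit.example (198.51.100.9)  8.9 ms
 3  xe-0-1.ams-core3.transit.example (198.51.100.33)  15.1 ms
 4  * * *
 5  203.0.113.77 (203.0.113.77)  16.0 ms
"""

HOP = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([\d.]+)\)\s+([\d.]+)\s*ms")

def location_hints(traceroute_text):
    """Return [(hop, hostname, city, continent)] for hops whose rDNS name has a known code."""
    hints = []
    for line in traceroute_text.splitlines():
        m = HOP.match(line)
        if not m or m.group(2) == m.group(3):   # timeout, or no PTR record
            continue
        hop, host = int(m.group(1)), m.group(2).lower()
        # Split labels on dots and dashes, strip trailing digits: "fra02" -> "fra"
        tokens = [re.sub(r"\d+$", "", t) for t in re.split(r"[.\-]", host)]
        for tok in tokens:
            if tok in CODES:
                hints.append((hop, host, *CODES[tok]))
                break
    return hints

def contradicts_claim(traceroute_text, claimed_continent):
    """True if the last hop with a location hint is on a different continent than claimed."""
    hints = location_hints(traceroute_text)
    return bool(hints) and hints[-1][3] != claimed_continent

if __name__ == "__main__":
    for h in location_hints(SAMPLE):
        print(h)
    print("contradicts AS claim:", contradicts_claim(SAMPLE, "AS"))
```

The last located hop is a transit router near the destination, not the server itself, and hops without a PTR record or a known code contribute nothing.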

Very interesting. I always assume VPN providers are dishonest at best and hostile at worst.

Does anyone know which VPN/proxy provider is the one labeled "A" (with claimed proxies in almost every country)?

I played with this approach last year.[0] HMA was the worst. At most half of their servers could possibly be where claimed. So they could well be "A".

0) https://www.ivpn.net/privacy-guides/how-to-verify-physical-l...

It must be HMA. They list two servers in the Vatican. No chance they have two servers in the Vatican.

Pitcairn Island is even more of a tipoff. The nation's Internet access is provided through a 5 Mbps satellite link, and the electricity shuts off at 10 PM. [1] There's no way a company has colocated a VPN server there.

[1]: http://visitpitcairn.pn/already_booked/

PureVPN, Ivacy, and a few others (unsure if IAPS still exist in 2019) are large liars.

We’ve stressed the importance of using a no-log VPN service countless times here at Cogipas. If a VPN provider logs your data, it creates a vulnerability that could later come back to bite you. Unfortunately, while most VPN providers claim they don’t log, it’s not always true. That’s why these independent audits are so valuable in establishing which services can be trusted. Here is a list of VPNs that have been audited multiple times and are true to their words.

Nord VPN, Private VPN, Ivacy VPN, Ghost VPN
