Hacker News new | past | comments | ask | show | jobs | submit login
UFO VPN claims zero-logs policy, leaks 20M user logs (comparitech.com)
589 points by DyslexicAtheist on July 17, 2020 | hide | past | favorite | 233 comments

Unsecured Elasticsearch, once again.


So ES has insecure defaults, I get that and it's been discussed to death.

But who the heck, in this day and age, exposes clusters directly to internet traffic? I don't care what the defaults or security measures you have. DONT EXPOSE SERVERS.

Place them inside a VPC, preferably a private one(in AWS parlance, behind a NAT GW). Use _something else_ to send traffic to them. If you are on AWS or similar (but not Azure I guess), add a load balancer to it. So now access would require creating a new load balancer, pointing to the servers in question, adding listeners on the desired ports, and configuring the appropriate security groups. Only then you can send external traffic. On the specific ports you configured on both listeners and security groups only.

Do this everywhere and you are in a much better shape. You still need to configure servers correctly, but if you mess up, nothing happens, unless you mess up many other things in an error cascade.

Even doing the official Elastic training - Elasticsearch Engineer 1 gives you everything you need to hurt yourself to set up, use and admin a cluster, but no security is covered unless you sign up for the next course and pay another couple of thousand dollars. Security really should be covered as a default in EE1.

I'm a huge fan of beginner tutorials that include security as a default, rather than having it as the thing you do last - and then commonly in actual project work all the development gets done against an insecure cluster in dev, then someone turns security on at the end, it all breaks and you now have a group of stressed-out people only incentivized to remove the thing that is now delaying the project at the very last moment. Makes for some easy mental gymnastics.

With RavenDB, you cannot setup a unsecured server unless you are _really_ trying. And we worked on getting secured setup to be a click through process with under 10 minutes to setup a whole cluster.

You can see it here: https://www.youtube.com/watch?v=K-2iZ_lJVag

That was done explicitly because of issues like that. Security isn't a feature, and the fact that your product keep leaking details is not the fault of the user the 100th time this happens.

This is completely unrelated, but I remember your blog about dotnet development. I followed it about 10 years ago and remember when you started with RavenDb. I haven't done any dotnet development in about 7 years, but you taught me a lot about programming properly. Thanks.

I'm glad RavenDb is still going well.


I think a big part of it is there are so many "here's how easy it is to set up!!!" guides out there, none of which actually tackle security first, or in a way that reflects the training (or lack thereof) many of these folks who are actually doing the work have.

It's nice to assume that everyone setting up backend services for the multitude of companies out there have gone through accredited training and have years of strong production experience with security chops.

The reality is that because the gap between technically inclined and technically clueless is so large, anyone who can stumble through an online tutorial can be seen as "experienced" to someone who isn't.

I'm not sure what the answer is, but this is going to keep happening - maybe a 3rd party service that evaluates "Getting Started" guides for backend services? If basic security protocols are not covered, they get a red mark, and business owners could use that as an indicator of whether their tech folks could potentially screw it up.

Also, don't use in a security group rule!

P.S. Azure has load balancers and security groups too- in fact their security groups are better than AWS's in some ways such as supporting thousands of rules instead of only 50.

Azure can even configure mutual authentication between the LB & the underlying servers, which would cause any direct server access to result in a 401[0].

0 - For API servers. I'm not sure if you could configure this with services like Elasticsearch.

>Azure can even configure mutual authentication between the LB & the underlying servers

You can achieve a similar effect in AWS, by declaring only the LB's security group as the source in servers' security group ingress rule.

Any requests sent directly to the servers simply wouldn't connect.

That’s also a thing on Azure, but you can actually deploy certificates for mutual authentication as well. That way if somehow the network layer is pierced, you have another layer of protection.

They do, but once you setup a load balancer, it wants to send all traffic through the load balancer.

AWS and GCP load balancers are more like an endpoint. Your network is otherwise unaffected.

AWS Elasticsearch was one of the last services which didn't support VPC until late 2017 [1], moreover if you had created a cluster without VPC support the migration is very cumbersome and application changes (to enable double writes) are required to execute it without any downtime [2].

[1] https://aws.amazon.com/blogs/aws/amazon-elasticsearch-servic...

[2] https://medium.com/@vishnunarang/how-to-migrate-elasticsearc...

Not to mention it's a massive pain to use elastic search with serverless... Especially if you want it in a private VPC. Adding ES raised our monthly bill significantly since it required also adding a NAT gateway (which then double-dips data transfer charges, actual bandwidth out and NAT processed data), the cost was replicated across multiple "States" (Dev/test/prod), and increased cold start times (below they did work to optimize that) since the lambdas accessing ES needed to be in the VPC too.

I can see developers crunched for time (or businesses, money) not taking the additional steps to get there... And this is the same deal for Redis/memcache, which is another reason I think we see those exposed sometimes too.

(To be clear, the additional costs are minor compared to a big business budget, they would be more detrimental to a low (~<400/month) budget project .. or a team that can't dedicate 300-600 man hours to implement this)

And if you want to use it with Cognito (to get user auth for Kibana), you NEED to have a public elasticsearch instance...

I'm not sure if that's better. You're just introducing more complexity in to your network..

If you don't have the budget for a nat/load balancer or want to just keep it simple, a simple iptables rule would do! Then test with nmap regularly to see if it's correct.

> If you don't have the budget for a nat/load balancer

It's not such a big budget in any of the big cloud providers.

And my point is: if you don't need access, you won't even have such load balancer. Unless someone goes out of their way to provide access to your server, no external access will exist.

It's usually not intentional. It's common to either assume by default it will listen on and connect to it. With cloud VMs, people spin up a VM for non-public use but check the box that adds a public IP and forget it's there.

It's a design problem in my opinion. By default, listening on should exclude loopback interfaces by the OS. That way, anything makig incorrect assumptions would fail and would require correction. Second, cloud firewall rules should imply deny all when "none" is selected. That way, having no protection is the same effort as adding at least one manual rule.

Along this line, every Google Compute Engine VM instance comes with 2 “implied” rules: allow all egress and deny all ingress.

I have seen people taking the easy way out setting up dev environments where these security holes are ignored. Hopefully in some near future, everyone would use something like tailscale[1] or nebula[2] instead of taking the easy way out and leaving it all open.

[1] https://tailscale.com/

[2] https://github.com/slackhq/nebula

What's the difference between a VPC and iptables? I agree that you shouldn't expose insecure services. But why do I need to introduce an entire private address space and cloud-managed SDN services to achieve that goal? If it weren't industry status quo, I'd almost call you a shill for the union of ops teams working to secure jobs for years to come. Almost.. (;

I would think that the post you respond to either supposes a hosted service (you do not control the server and its iptables) or that it multiple layers of protection is good for something critical.

But yes, if it's your own server, everyone should remember that regular Linux features are darn powerful, too.

A VPC, with security groups, can be much easier, depending on how your instances are managed. You’re sure that all the indtances have the same rules and that the rules are always updated, even in if you use auto-scaling.

If you use some provisioning tool you can have the same thing with IPtables. But why are you on AWS if you don’t want to used the features Amazon provides?

Not directly comparable. You can use iptables on a EC2 instance inside a VPC.

VPC is more akin to a glorified virtual switch/bridge.

I am astonished that ES still does not recognize that there should be at least minimal protection against exposure by default. I mean, it's not super hard to generate good password on install, and if it's not necessary, it can always be manually disabled, but it is astonishing that "let's somebody else worry about security" is still a thing...

Putting unsecured ES on side, but logging passwords in plain text? That's a whole another level of stupidity.

You could have stopped at logging passwords.

People pay good money for your advice. Others ignore the free advice.

According to The Register, UFO VPN is just white-labeleing a parent service[1]. The full list of compromised providers is thus UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN.

[1] https://www.theregister.com/2020/07/17/ufo_vpn_database/

Never buy a VPN with these kinda names. You can tell they are shady from their names and websites.

UFO, Secure, Pure VPN, etc

Which name is better in your opinion? PIA? Nord? Express? All their web sites look alike as well.

IMO, this https://www.privacytools.io/providers/vpn/ is currently one of the best sources on deciding for a VPN provider. Or you could host your own on a cheap VPS.

But, there are few reasons to actually use a VPN nowadays, there was a discussion on HN a few days back, but I cannot seem to find it at the moment.

Edit: Found it: https://news.ycombinator.com/item?id=23566390

If some of them are no good and their websites look the same, then is that not a good filter criteria?

What about ProtonVPN?

So you would also reject VPN from Purism company?

If you can't see the code..

This feels like someone scuttling the ship. - VPN based in Hong Kong. - VPN claims to not keep logs but does (ie. willing to descieve customers and secretly compromise their security). - New national security law effecting Hong Kong speech and liberty. - VPN likely to be challenged to turn over user data to Chinese authorities in the relatively near future. - Hong Kongers acquiring VPN services in droves for the explicit purpose of avoiding Chinese state monitoring of their internet traffic and communications records.

If I was working at UFO and saw the risks to my fellow citizens created not just by the company's poor security but their willingness to descieve customers I'd worry the company would quietly hand over whatever the Chinese authorities asked for - no "warrant canaries" or truth in advertising - and if probably look to throw a figurative grenade into their operations. If that meant data exposure, better now before they perfect the application of the new security laws then later when everyone feels comfortable and the CCP is just sucking up all of UFO's traffic and logs.

VPN providers are something you should have especially high standards for. They are largely unregulated, can see all of your meta data and have an economical incentive to sell it (IIRC some big player has been caught doing that).

If a provider shows even the slightest amount of fishiness, instantly discard them (NordVPN immediately comes to mind, with their weird influencer marketing campaign).

How? I mean how do you measure VPN services? I never understood why people working in tech would ever trust a VPN service? A VPN is seeing all your traffic, and you have to take their word that they do not log any of it? I use free tier AWS servers across the globe with wireguard. It might not be perfect, but I still prefer that than using a VPN service.

I trust VPN services for the one thing they're good and useful for: hopping over geo-fences for content.

You should not have any expectation of privacy or security from consumer VPN services (if you want that, obtain Tor Browser or Tails as your needs require). They provide a means to choose roughly where your client traffic comes from, and that's it. The rest is marketing bullshit.

They're probably sufficient for low-key deflection of DMCA notices if you're torrenting shit--rightsholder enforcement companies aren't exactly able to undertake nation-state level investigations for what they do.

Why would I assure myself that Tor is safe either? Do we know for a fact that government agencies don't control the majority of the egress points?

Safe from what? Always assume that an exit node is compromised. Never run unencrypted and unauthenticated traffic over it. There used to be these password sniffing experiments run over exit nodes, which always caught surprisingly many logins. Don't do it.

That doesn't mean traffic can be deanonymized. Tor as a whole isn't compromised in any meaningful sense even if the exit nodes are. Large parts of the original white paper concerns this.

> Do we know for a fact

This always has been and always will be the security rabbit hole. (Well, one of them.)

How do you define "know for a fact"? Even if you personally know a person managing an egress node, how do you know they aren't operating on behalf of someone else?

Saw an article a while back (years) saying NSA/FBI is able to track TOR connections and won’t say how even if it means they’d forfeit some cases.. anyone remember this?

Edit to add: Also, it’s public knowledge that TOR is funded by the DoD, it seems extremely feasible that they privately control a sizable chunk of nodes. Based on what I know of American 3 letter agencies, I don’t think one could resist designing a “secure” system only they can listen in on.

I consider TOR a very secure messaging channel between you, the other party, and the American government (metadata only, but that’s really not too big of a limitation in this case).

Most Tor nodes are actually in Germany. You can see a map of them https://tormap.void.gr/

The design of the system is resilient to some nodes being under hostile control, too.

Well then aren’t I glad the US intelligence agencies don’t have a history of collaborating across national boundaries!

Some nodes can be under hostile control, but as the number increases the likelihood increases that they can link entry to exit based on timings. I consider it quite likely that the us govt can say “hey Germany/UK/Fance/etc., we have this batch of exit times, do any of your nodes correspond on entry?” or vice virce.

If your threat model is that the whole world is out to get you and will stop at nothing to find you, it is very much the case that you are going to lose. Tor raises the cost of surveillance, but is not magic.

As an aside, the five eyes countries collaborate much more closely with one another than they do with France or Germany (or that was the case when I read about this after the Snowden leaks.)

Is the rest marketing bullshit because of insurmountable technical challenges or is it because you have to __trust__ the VPN service? I.e. if I were to somehow think up a business model that included some novel level of transparency, could I provide a VPN service that could honestly claim to provide privacy and security to its users?

I also use my AWS free tier EC2 + wireguard for hopping over geo-fences. It is free, and my traffic is encrypted from my device to the remote EC2 server.

I’ve tried that but all the content providers seemed to know I was using a VPN. Any tips?

Approximately: IP addresses are allocated to a network operator by the IANA via an ASN. Most large streaming services block non-residential ASNs at this point. Sometimes they miss one here and there. Your best bet is with smaller providers that operate using a less recognizable ASN. At this point even many non-streaming services block traffic from EC2, Azure, and other cloud providers just to cut down on bots.

Yeah I tried AWS and Digital Ocean and they were blocked by Netflix which is really what I care about. A commercial VPN I use actually works for Netflix but only in 2 specific regions.

https://lowendbox.com/ has always been a good place to find geofence hopping friendly VPS which can serve as a VPN. Not affiliated, I just use it and recommend.

Weird... I did the test, and clearly I cannot watch shows on European TV website, and when I select one of my European server, then I can watch the shows. Something must be off with your setting.

It depends on the service. Not everyone does it, but many services ban the Amazon, Azure, Google, DO, and many other AS sources simply because they won't originate "normal user" traffic.

Correct, I just checked Netflix, and it is still the US Netflix, even when I hopped from a Paris AWS server. But all french TV website are working like if I was in France.

> I never understood why people working in tech would ever trust a VPN service?

It’s not that I trust them but I’d rather some random company across the world has my jerk off logs rather than my ISP who hands my habits to my government and all its favoured cohorts.

For all you know, your government is running that VPN you’re using

> For all you know, your government is running that VPN you’re using

The NSA is simply not most people's threat model, and if they _are_ running it, it probably means that someone shadier is not. I'm using a VPN because I don't want my ISP to see what I'm browsing, don't want end sites to know who I am, want to watch American Netflix, and because the country I'm in tries to block all adult sites. The NSA is welcome to all of this traffic _shrug_

My government, along with any other entity with lawyers, can obtain my browsing history from my ISP as evidence that is admissible in civil or criminal court by submitting some paperwork. They can’t do that with my VPN traffic, even if some government spooks are secretly running the VPN. The NSA is not going to burn their operation to help the MPAA fine me.

I believe they have a cute name for it. It's called 5-Eyes.

Yes maybe. I got to go with the maybe.

The only standard you can really trust is when they actually get subpoenaed and don't have anything to give to the court. An example of this is Private Internet Access.

Piggybacking off of this, Private Internet Access (PIA) has actually had their no logging policy "proven in court" via this method multiple times. [1][2]

Full disclosure: I work at PIA.



I wouldn't trust PIA for anything.

The whole company is shrouded in secrecy. After speaking at length with an ex-employee of PIA who now maintains this open-source iOS VPN client:


many (most?) employees and contractors at PIA have no idea of the identify of their direct managers.

Imagine working for a company and not knowing your manager's real name. Now imagine trusting that company with your internet traffic.

Disgruntled employees aren't necessarily the least biased sources one can find

Who said he is disgruntled?

Has PIA solved that issue a lot of providers have where services like Google voice recognition just fail to work better than half the time? I presently use AirVPN to bypass my carrier's video streaming limits but barely being able to use Assistant is a pain.

Is there any way to prove that is not NSA, say, and set up to only catch the biggest fish, or to always present parallel construction for criminals caught this way?

Of course you can't prove that, any more than you can't prove that YCombinator or FastMail aren't similar NSA operatives.

I like you. I tend towards pyrhonism (or maybe I don't!) so I appreciate that response.

Degree of proof is a relative: Maybe a terror organisation use PIA, NSA go fishing for evidence PIA has nothing. Terror org assassinate NSA head. PIA could be a front, but NSA head had to be willing to lose his life to hide the fakery, and terror org wasn't a big enough fish ... more likely you're currently in a coma. Lots of places for false premises to creep in.

Dial it back, is there a point where there'd ever be enough evidence?

Until they introduce some technical measures to provide some degree of anonymity to clients (of the paid service, of all things), all VPN providers should be treated the same way. They share the same business model of making money by selling kindergarten grade technical service and promises of “security” to the same crowd of clueless people by the same methods that include widespread misleading advertising, and now you tell me that some of those are actually freedom warriors.

Essentially, you describe that they provide bulletproof hosting (or network access), and no one does anything to deal with them. Simply because they are a VPN provider. And reply to officials with “Sorry, we have no data”. That's hard to believe.

ExpressVPN also had the same situation and had no logs available.

So a VPN provider needs to do something to get a police investigation, prove they're clean (not logging) and you're good to go.

Unless ... could be First for Business Internet VPN services ... ;o)

If I actually intended to do something illegal over a VPN, then yeah. Not really my style though. I prefer a dedicated, clean laptop, a large antenna, and a public hotspot for my torrenting.

FoxyProxy posted one of their Secret Service subpoenas along with their reply. TLDR; they said they have nothing to give:


As for PrivateInternetAccesss / PIA, I would not trust them at all. No one knows who the founders and executives are. After speaking at length with an ex-employee of PIA who now maintains this open-source iOS VPN client,


even many (most?) employees and contractors at PIA have no idea of the identify of their direct managers. All work is done remotely and using encrypted chat sessions without video.

PIA is incorporated in British Virgin Islands where apparently shareholders, owners, etc can "enjoy" complete privacy.

I recently had an interview with ExpressVPN and it was a bit different experience. I had a video call with the hiring manager with full disclosure (name/linkedin profile). I investigated the company a little bit - it was registered on the British Virgin Islands as well and no one knows the names of the founders. I didn’t get an offer - they didn’t have a position that would match my skill set - but I was quite okay with that.

So the company is run by people who enjoy privacy? It seems weird to frame that alone as an argument against a company which deals in Virtual PRIVATE Networks.

I thought this would be common sense but I guess not.

It should be a red flag to you that if a founder or executive won’t reveal his identity, there is a possibility those people represent a nation state or other organization (not necessarily governmental) that you would not give your private data to if you knew their identity up-front.

I suppose you have a point. There are plenty of reputable people out there building strong identities on pseudonyms. But if you’re trying to be truly anonymous, as opposed to pseudononymous, and aren’t tying that identity to anything outside of the one enterprise, that could mean you’re putting less on the line with your reputation. Or it could mean that this is just you starting to build an identity, since everyone has to start somewhere. But either case has the same characteristics common with burner identities, so you’d be justified in being skeptical and cautious.

Sure. But those statements are also true if you replace "VPN services" with "ISPs".

The point of VPN services is obfuscating your ISP-assigned IP address. And hiding your traffic from your ISP, which both knows who you are, and is generally vulnerable to your government. With VPN services, conversely, you can pick ones that are less vulnerable to your government. And if you use nested VPN chains, you can fully obfuscate the relationship between your meatspace identity and your site traffic.

So as long as you don't reveal your meatspace identity through your online activity, you can be at least somewhat anonymous online. And if you add Tor to the mix, you can be even more anonymous. And by hitting Tor through nested VPN chains, you're less vulnerable to deanonymization through Tor compromise. Such as the relay early vulnerability that CMU researchers exploited to deanonymize Tor users and onion sites.

> how do you measure VPN services?

It's pretty difficult. You can't say anything for sure, it's all trust. That's why you should be so strict.

When you host your own end point you still have to trustits provider of course, but of course the incentive (concentrated, specific user traffic data) for abuse is much reduced.

But how anonymous are you actually? Are you sure your traffic can't be connected to you? Certain you set everything up correctly?

With my provider of choice, because I trust them reasonably much (sure feels like jinxing it), I don't have these worries.

If you VPN service, only provide VPN, then a (free tier) AWS server in a foreign country + wireguard would do the same. Sure, AWS could log the outbound traffic for that account, but AWS only has an email address from me, not a credit card like a VPN service. Feels like the exposure is far less.

> I mean how do you measure VPN services?

- Credit only Word of mouth, but it depends what type of VPN you're looking for. So again, word of mouth these days.

> I never understood why people working in tech would ever trust a VPN service?

-I do, quite a bit actually, I need to connect to another network but region specific.. They are a tool for as you say 'in tech' to work.

> A VPN is seeing all your traffic, and you have to take their word that they do not log any of it?

- At least in Europe that doesn't fly. It does depend on your provider though. Thats why you shop around.

- On this point, I will argue that running your own VPN is better, but so is running your own web hosting. It depends on your priorities.

  > I use free tier AWS servers across the globe with wireguard. It might not be perfect, but I still prefer that than using a VPN service.
 - Good for you. Enjoy.

Do you have big bills for traffic?

all of your traffic? Or just insecure DNS/HTTP requests?

All the traffic... but not all the time. At home, if I work, then I use the corporate VPN. Otherwise, no VPN, except when I need to appear like my traffic comes from another country. For instance, I just have (AWS) tiny server in Europe with wireguard. So, easy to switch. I share the servers with my family as we are all scattered around the globe and still like to watch our European shows/replay.

You can chain several unrelated VPN providers.

To elaborate on this a bit:

* You only need two VPNs assuming you just want to protect against either of them linking your browsing history back to your identity and selling that information.

* The second one must be paid for in a reasonably anonymous manner (ex Bitcoin) and only ever accessed via the first VPN in the chain.

* You're fine to pay the first one in a more traditional manner.

* The two providers must be completely unrelated.

* It is highly preferable that the two providers be in different legal jurisdictions (both from each other and yourself).

* This won't protect against a highly motivated criminal investigation.

This reminds me of chaining indials and outdials back in the POTS modem days. Operation Sundevil was certainly a motivated investigation.

Wouldn't that just put all the trust in the last one in the chain?

How would they know where I am?

Don't you have to pay for those VPN ? How do you pay them ?

Mullvad allows you to mail them cash.


Most crypto places force you to provide ID now and governments force you to declare how much you have. Both for tax reasons.

You could mine the crypto yourself, or buy it from someone in person. Bitcoin ATMs verify phone numbers, but if you have a burner phone you could also get BTC from them— they're surprisingly common at gas stations near me

Won't amazon cancel them when they keep getting copyright letters? Or do vpns have some other use I am not aware of.

Are you implying VPN services are only good for piracy? I personally use mine for privacy (sounds similar, is a little different).

VPNs do have some legitimate uses. Encrypting traffic over malicious networks (e.g. your average airport wifi) is probably the most common one for the average legal user. Getting an IP address in a given country is another sometimes legal use.

I honestly don't know if you can do this with your average commercial vpn, but the technology is also good for many things like setting up virtual networks (hence the name) so you can do things like access your home computer from anywhere without exposing it to the internet.

Just how insecure is airport WiFi these days with SSL and HSTS? I don't normally worry about it, and suspect people who still counsel against it of lazy FUD.

I'd notice pretty quickly if someone was MITMing all of my traffic. I guess they could MITM a third-party Javascript site that wasn't being served with HSTS. Normally that would just give them all the information I already give to Google or Facebook and the hundred other shitbags that run JS on the sites I browse, but if they got really lucky they could pretend to be some third-party payment provider that didn't use HSTS or I hadn't used before.

Personally I don't worry about it, but I wouldn't blame other people for doing so.

A browser is a very complex tech stack and it wouldn't surprise me in the slightest if there were vulnerabilities exploitable with a MITM. An airport would be a natural place to try and attack computers, lots of people with lots of money many of whom are doing things like moving that money around and many of whom won't think twice about connecting to an unsecured public hotspot.

There's also all the other apps on your computer, how frequently do you think electron-app-foo-bar updates it's chrome version and what are the chances it's using one outdated enough that there are known openssl vulnerabilities against it?

I don't think third party non-HSTS traffic is that much of a concern these days, both firefox and chrome block http traffic from https pages by default.

I’d be more concerned about other stuff, which a vpn doesn’t solve. Look up SMB relay attacks, netbios, and Responder. An average win10 laptop will disclose creds to anyone

Is your comment implying that VPNs are only used for copyright infringement?

Primary use of VPNs I see is to get onto my workplace's network.

Surely your company is not using a consumer provider like NordVPN or this UFO VPN company though?

I don't know of any company that would be using a public VPN service for anything related to work. Typically "work VPNs" are running on systems that the employer controls, set up by someone employed by the company, and meant solely for employees to connect to - there is no reason any company would want or need to use a public VPN provider for their corporate network VPN. It just doesn't make any sense to me why you would suggest it.

I use a VPN to keep Comcast from logging and selling my data to third parties. The client is always on and running on my PC.

I do the same, but again using remote AWS (free) servers. Which is funny sometimes, I realize that some website are suddenly in german because I am using my Berlin server, instead of my US one.

Why not use Tor instead? Frees from the worry of going over free AWS server bandwidth limits.

If a government body regulated VPNs then wouldn’t one of the stipulations be to keep logs for legal purposes?

It is definitely tough to choose, I don't know if you should discard nord vpn so quickly, recently they've been doing 3-rd party audits that proved they don't keep logs. That has to count for something right?

Similarly to social networks, their profitability and existence is linked to them being unregulated. If VPNs are regulated, and we know what that means for their users, they will be close to useless for majority.

> VPN providers are something you should have especially high standards for.

We need to implement standards of practice for this, let find a legal head to see how it can be done.

I wouldn't trust any VPN under China's sphere of influence.

That's actually not an entirely crazy idea if you're trying to hide from Western governments. Are you more worried about the Chinese government coming after you? Likewise, if someone in China is trying to hide from the Chinese government, it might not be a bad idea to use an USA based VPN. Maybe string up a bunch of VPNs in regions that are at least somewhat hostile to each other and it might be too hard to track an IP back to its source. I guess trust no government and use their hostility towards each other to your advantage? Just an idea prompted by your comment.

> That's actually not an entirely crazy idea if...

Except that it gives them a direct avenue into your network for their own surveillance and other network attacks ... If you think comcast injecting their own JS into http pages is bad, wait you see what the d̶a̶r̶k̶ ̶a̶r̶m̶y̶ CPC could do with such power...

What's stopping any domestic TLAs from doing the same though?

Its more about trust. I trust them to try their best to be benevolent

Yeah, it's like banking. You want it to be in a neutral country whose government has come to a clear understanding with the industry.

In some cases, a country will support criminal activity in an enemy country, in order to undermine the later. For example, al Qaeda has made a lot of money from trafficking heroin to Western markets – even though al Qaeda thinks drug use is sinful, it justified that as another way of waging war against the West (get enough Westerners addicted to heroin and maybe the West will collapse). And the North Korean government has been heavily involved in drug smuggling and currency counterfeiting – partly that is just to make money, but I'm sure they justify it to themselves by the harm it causes to what they view as enemy states. Indeed, during World War II, Nazi Germany used concentration camp slave labour to counterfeit massive quantities of British currency, in the hope that they could cause inflation and damage to the British economy. So a country might be happy to host a VPN to help criminals in its enemy country evade detection.

(I'm not suggesting China is doing anything like that right now. But, even if they are not, I wouldn't rule out the possibility that some day the China-West relationship might deteriorate to the point that it becomes something they might consider. )

Exactly. One really needs to consider their threat model when deciding on a VPN provider. A perfect system isn't always possible.

What’s stopping China from using your data as a bargaining chip to trade for some data they want from, say, CIA?

No one should trust any open internet in the US. Already forgot Edward Snowden?

Many people I talk to IRL don't trust any US systems at all. It's a sad state of affairs when one can trust Chinese systems over western. Especially after Snowden. God bless him.

I wouldn't trust any VPN that I didn't set up myself.

Oeck claims no-logs and details how they've achieved that (they don't even have hard drives). Support is responsive, you'll be responded to by those who actually built the platform. They're planning support for WireGuard.

Unfortunately they have admins in Australia which has some pretty hefty laws similar to those in the US (look at gag-orders issued, and recent responses to media outlets for publishing vetted and leaked data). You can find their intro post in Whirlpool forums.

They configure a PXE and have a system in place for distributing the OS in each region (and thus each data center).

For debugging issues they try to replicate things on a local environment and my assumption is if there's any networking issues, they likely have a node on the same data center they can remote to, to test connectivity issues - however functional issues require replication locally. No SSH access to the box.

So I think for now, Oeck or Mullvad are good choices. I only wish these services did 1 thing differently - and that is, release a live video stream of their server farm's rack and video-document the entire process of compiling and shipping their hardware, as well as the systems in place for loading the OS to ensure no exfiltration data from malicious services or agents on the box.

This could be done relatively cheaply - I'm surprised none of the VPN providers have yet. A fish-eye lens attached to a webcam on a rack would be cheap to install. It's the closest thing we have to proof a VPN server hasn't been owned without a zero-day. If you're using up-to-date services, a LEO, government or APT using a zero-day to own your server is really the only means of exfiltrating user data in this environment.

> I only wish these services did 1 thing differently - and that is, release a live video stream of their server farm's rack

This is security theatre. Anyone wanting to surreptitiously access the server farm only has to stream an alternate video to defeat this.

But it still builds trust in the brand.

No one is safe from a state actor.

Trying to gain trust against something you have no control over is the very definition of security theatre.

Um, no.

I'm saying that staff can be observed as behaving correctly, professionally, and more. This would build trust in the brand from multiple perspective, not just security.

There are been a few cases in which this has turned around public opinion re: trust.

That's really fair, and I think you have a good point. Perhaps operating in a publicly visible place - think floor-to-ceiling windows at that particular server rack.

I've come to the sad realization if you want anything approaching no logs, you're going to have to use something slow like tor, or you're going to have to do the illegal thing and make a botnet.

VPNs are only useful for avoiding ISP / local network surveillance like comcast, your workplace, your school, airports, etc and to avoid DCMA scare letters. Making your own with a VPS is worse, since VPSs log on some level and directly forward the DCMA scare letters to you.

What about chaining VPNs? Even at 2 they'd have to cooperate to unmask your traffic, right?

Somewhere in the back of my mind is stored that minimaxir does this, but I couldn't confirm it with a quick search.

Edit: I was actually thinking of mirimir.

>What about chaining VPNs?

You could even do it multiple times, like... 7. You would then be, basically, "behind 7 proxies". /s

Provider#1 only knows all traffic goes to provider#2. Provider#2 knows everywhere your traffic goes. They don’t know your IP, but you need to login, so they know who you are anyways.

I think you need 3 levels. First level gets you to the second level. 2nd gets access to web-based email and bitcoin or single-use credit card payment to get the third level, which accesses data.

Obviously you use assumed identity.

With only two layers you'd need to access emails, say, for account confirmation direct from your own system; with 3 you put a VPN in that gap.

Do VPNs re-pack and modify the timing on packages they pass on to clients? It seems like they're need to if they're too avoid coordination attacks.

I'm recalling how a research paper showed an extraordinary high number of pages visited (80%) over HTTPS could be identified using page size alone. If a TLA is watching all traffic into and out of a VPN's server can they pair upstream traffic to downstream clients at all?

Just make sure the billing info of the outgoing VPN can't be traced back to you if you want anonymity.

They are also very useful for circumnavigating geolocation restrictions.

This was necessarily going to happen at some point and I hope it serves as a cautionary tale to not blindly trust "no logs" claims.

This isn't the first time VPNs with those claims have turned out to have them, they've been used as court evidence IIRC.

Edit: https://proprivacy.com/privacy-news/no-logs-ipvanish-hands-l...

What's the most trustworthy VPN that HN users recommend? My 3 year subscription to my local one is about to run out! Looking for advice on what is trusted nowadays!

No such thing. You would be better off renting an inexpensive VPS and running your own VPN on it.

Public VPN services have to be the one of the greatest lemon markets to have ever existed:

You want people's private data? People will pay you to give it to them. Go ahead and sell the service for less than it costs due to the boatloads of data that you get.

People realize this, so you end up getting a disproportionate number of customers that don't worry about you getting their data because they're only using the service to behave abusively... which drives up costs.

So an honest provider has to deal with dishonest competition selling below cost and a customer base that is saturated with problem customers because good customers are savy enough to avoid VPNs.

Running your own VPN provides no privacy, since you're the only user.

Of course other VPNs don't provide privacy either. The belief that they do is due to marketing, and misunderstanding what the "Private" part of VPN means: it means that two non-publicly routable IP networks (10/8, 172.16/12, 192.168/16) are virtually joined into one network. VPN companies took advantage of this (and that the connection is usually encrypted) to imply that they offer a privacy product.

The main use of a commercial VPN is to bypass region locks and other legal controls that depend on location. Pick a VPN provider (or VPS host) in a jurisdiction that won't cooperate with your home law enforcement. Assume the VPN provider spies on all your traffic.

This is such a deeply misleading statement.

Privacy fundamentally is about keeping things private ... from someone.

If that someone is everyone, then nothing is private. Any sufficiently powerful entity can just overpower you, torture you into submission, guarantee a backdoor into a system you thought was cryptographically private, etc.

I for one do pay for a VPN service, because it keeps my home traffic stream private from some people - namely my ISP - with high probability.

It also obfuscates various types of traffic I generate and makes it harder, though I agree not impossible, to collate my traffic into a usable form for spying agencies.

For me that’s easily worth paying ~$100/year for someone else to manage, and if they base their business reputation on not collecting logs, etc., there’s enough incentive to trust that while also staying vigilant to verify what I can and switch providers if they are shown to be lying.

Self-hosting a vpn is utterly not an alternative for my use case, not even for technical reasons as I am an engineer who works on production web services all day. Just from a cost effectiveness / value POV, third party vpn vendors are a good solution for me.

Right, I overspoke. It provides no extra privacy, against anyone except your ISP. If they're the threat, AND you're able to safely assume that the VPN provider is less of a threat, THEN it provides some privacy.

How does that help? If you're the only one with traffic from that IP, how does that give any privacy? Especially if you pay with something tied to your identity. And why does a VPS have any less likelihood of logging your traffic?

> Especially if you pay with something tied to your identity.

Then don't do that.

Though VPN are not really a strong solution for hiding your identity period. Tor is a more effective tool, but hiding your identity is extremely difficult to do effectively.

> And why does a VPS have any less likelihood of logging your traffic?

They may be too but at least you should expect their business to be viable without doing that, which is better than you can say for VPN services.

>Then don't do that.

You'll be stuck with the shadiest, slowest, most remote VPS in the world if you're unwilling to either give up your personal identity, or lie about it.

it's good for things like public wifi and other untrusted networks since your data is encrypted from your machine to the vpn server

it's 2020. if you're still relying on vpn connection to provide encryption, you are doing it wrong. (I understand there are certain cases you have to deal with unencrypted traffic, but those should be really rare now).

you don't have any control of what protocols your apps use and if they're encrypted or not

If you are talking about apps, recent versions of Android and iOS both deny apps to use unencrypted connections, with only a few exceptions (like browsers)

>You want people's private data? People will pay you to give it to them. Go ahead and sell the service for less than it costs due to the boatloads of data that you get.

The amount of "private data" as a VPN operator isn't a lot. Most sites nowadays are https, so at best you're getting browsing habits on a per-site basis. On the other hand, using a commercial VPN does confer advantages in some cases:

* geo restrictions: commercial vpn have servers in multiple countries, so you can easily switch to one that works. you can achieve the same with cloud servers, but you'll have manually spin them up/down, which isn't convenient

* anonymity: commercial vpns usually have dozens/hundreds of users on one server. You can also switch servers/regions to increase your anonymity set further. This is a much bigger anonymity set than your own private server, which is linked solely to you.

* bandwidth: if you're a heavy traffic user, you'll probably end up paying more. most cloud providers only give you around 0.5TB for a cheap server (within the price of a vpn subscription)

* DMCA/abuse: they handle the DMCA/abuse letters for you. With a self hosted server you'll have to at the very least respond to the ticket they sent otherwise they'll take down your server.

Practically all traffic over a VPN is encrypted because most traffic going over them is encrypted, so I'm not sure how much traffic a VPN provider is really going to be able to sell. They aren't really going to be see very much of what you do if you take even some basic precautions like using HTTPS websites, or using SSL newsgroups, etc. Maybe bittorrent isn't encrypted? I can't imagine that it wouldn't be encrypted but I am not as familiar with how that works.

Your proposed alternative does not address the threat model that most people have when looking for a "VPN".

The threat model you're referring to is, I assume, mostly DMCA warnings. (As in: You want your service to not get disconnected in response to them)

It does address it, when you factor in an appropriate choice of non-US VPS provider.

Not just DMCA warnings, but full extortionary lawsuits. From what I can tell, these exist in most countries. Jurisdiction hopping won't protect you from a determined attacker.

Most VPS providers generally insist on recording your identity, probably with government ID, to limit abuse that would otherwise fall onto them. Whereas VPN providers have already made the choice to weather mild abuse complaints.

I have looked into bulletproof VPS providers. They're drastic overkill, expensive, and getting in bed with the wrong sorts of people.

I second Mullvad also. They don't even have usernames, emails or passwords. All you use to log in is a random number for your account. Can't get much more anonymous than that. And they financially sponsor wireguard, have a bunch of wireguard servers. Can't recommend them enough.

I found Mullvad pitifully slow, even with Wireguard.

Mullvad nodes are all over the place for me; same geo-location can provide ~300kb/s down -- a few hours later multiple mb/s.

I get close to my native bandwidth (80-90 Mbps for a 100 Mbps connection) when using a local wireguard server.

Mullvad, ProtonVPN, and IVPN are recommended by https://www.privacytools.io/providers/vpn/

PrivateInternetAccess has fought and won in US court, but they're also US-based.

(I use Mullvad.)

Impossible for me to verify their no logging claims, but Mullvad have worked well for me in the past, and you can pay in cash using a randomly generated numerical user ID, which strictly limits what they directly know about you. The fact that they accept these payments, and that Mozilla work them with them for Mozilla VPN and presumably have done at least _some_ due diligence, give me some level of confidence that they are sincere about their other claims.

I personally trust Mullvad because of their generally good reputation (built through independent audits), super clean user interface and very fair pricing (5€/month flat fee, no crazy long-term contracts).

Mullvad is also the provider Mozilla is using for their new VPN service (with fewer features).

I have been using Mullvad for the last few years: https://mullvad.net/en/

I don't have much to base it on but they seem trustworthy, and I've seen them recommended here before.

I also use Mullvad and I pay by sending an anonymous envelope of cash to Sweden with a random number scribbled on a bit of paper. So far all of the cash I’ve sent has been added to my accounts. There’s obviously no way to know whether they follow through on their no-log claim but my sense is they’re pretty trustworthy. At the very least the person who opens their mail is.

I can't tell if this is real or not. Do you actually send cash to Sweden?

I do indeed! I’ve sent USD, GBP, and Euros from all over the world - Europe, North Africa, South America, and the US. (I was a “digital nomad” pre-pandemic.) They even give you a one-time-use token for cash payments so you can maintain the anonymity of your account number if the letter is intercepted.

Other than the letter I sent from Morocco, I never included a return address.

That is one of they many ways in which you can add money to a Mullvad account. You should try creating an account; it only takes one click.

I just signed up with Surfshark but I'll definitely check out Mullvad.

When he says it's just one click to generate an account, he means it.


That link automatically creates a new account. No names, no email address (except if you set up a PayPal subscription), not even a password. Your account number is literally all you need. They even have a FAQ that provides a generalized database schema.


It is possible (and yes, I tried it!), although other payment methods are available, including some more conventional methods.

Mullvad also happens to be Firefox's choice of vpn provider.

Why not just use Bitcoin or gift card?

Not the person you're responding to, but bitcoin isn't that anonymous. Much more than a credit card, but less so than cash.

Bitcoin ATM/local bitcoin -> sell for monero/mixer -> buy monero.

I generally trust Mozilla/Firefox and they just released a VPN. It is nice to be able to outsource my VPN research to them as well, since there aren’t many orgs I trust like that. It works well so far.

Im starting to trust Mozilla less since they discovered the camera in Firefox keeps recording even when you lock your phone and that they wont fix it until October....

As it should?

You're on a call. You lock the phone. You expect the call to continue right?

This bug is in their new browser. Its in a very early stage. So these bugs are expected

No, I dont expect the camera to stay ON (even for a video call) if I lock the phone.

Do you expect the call to continue, or to drop, when you lock the phone mid-call?

They should definitely have to ask the permission to be able to run the microphone or camera in the background, specially in Firefox (as opposed to native apps).

They already asked permission, and you're still on the call.

Firefox is using Mullvad for their VPN product.

Commercially I’d say ProtonVPN or PrivateInternetAccess.

Best is to make your own, checkout https://github.com/StreisandEffect/streisand for an easy way to set that up.

I would never do business with Private Internet Access.


(you can google to find more-- this was just a quick result)

Despite this, they claim to be working on a way to verify their privacy claims. I don’t understand how, but if they succeed it will be noteworthy and might redeem them a fair bit

They could get a security researcher, or three, to look over their systems? Then maybe invite large consumer groups to send an expert to take a look (they could come armed with info on users, that they could check up on, in order to try and confirm they weren't being fed a whole fake server?

SwissVPN. Without going into detail, I'm aware how they respond to all kinds of information requests due to my previous type of work. That earned my business.

Cryptostorm is up there, but I'll back ProtonVPN as well.

I already trust ProtonMail for my emails, so in my case ProtonVPN would be a the good choice. But I still have an active subscription with IPA, and as far as I know they proved in courts that they don’t have logs, which is a strong claim.

I use a registrar called Njalla[1] for many of my domain names and they are soon also launching a VPN option. They are privacy focused so they provide whois privacy, crypto payment and login via xmpp/e-mail only.

In their faq they state that they have previously worked on projects such as ThePirateBay... (this is a legit business and service though).

I hope I get to try their VPN soon. Other than that I usually just use a systemwide tor proxy. It's actually quite entertaining how my netflix feed randomly changes based on the current exit node.


We are building a VPN-like service that solves the logging problem:

- Cash-in-Envelope Payment.

- Chains multiple servers with onion encryption. If there were any logs, they are useless.

- Custom built for privacy, similarities to Tor. Open Souce.

- Multi-Identity: Exit at multiple servers simultaneously.

- No Blockchain! Ie. no distributed and immutable log ;)

- Based in the EU, Austria.

- Public availability within the next months.

Check it out at https://safing.io/spn/

FoxyProxy. Dedicated servers for each customer so speed is really good (at least for me). Video streaming sites are guaranteed not blocked. And here's US Secret Service subpoena for logs that was handled well:


For a VPN provider to actually be trustworthy, you'd have to be able to verify their policies. But that's impossible, so VPN providers just fall into "might be doing bad things" and "confirmed to be doing bad things".

I'm surprised nobody has mentioned airvpn yet. They're run by hacktivists and they're great. Mullvad is the other one with a good reputation, but everyone's mentioned that already.

Piggybacking on this, can anyone comment on Mozilla’s new VPN service?

It's Mullvad with a different UI. That's it.

The most trustworthy is one which you setup yourself imho.

I am giving each of my family in various locations a raspberry pi 4b with wireguard setup.

They are aware of/benefit from this cross country VPN thing too.


The old saying trust but verify always seems to come up. Companies claim x and we find it to be untrue. They apologize, share statement they will do better and the cycle continues. Is anyone else tired of the tomfoolery?

Do you have a suggestion on how to verify the claims of a company you only interact with over the Internet?

(edit: not that I disagree with you, I honestly don't see a practical way to do that. It's not like security seals have proven their worth in pixels either)

The sensible thing to do is to assume a cynical mind. Unfortunately, with stuff like this, you'll probably be more often right then wrong, though you may never find out.

Solution is "credit score"-like system evaluating companies, and keeping track of incidents like these.

With WireGuard, it is easy these days to setup a VPN on our own server(https://www.freecodecamp.org/news/how-to-set-up-a-vpn-server...). Obviously it won't give us anonymity, but it is a good choice for security when browsing from public wifi.

On a reddit thread about this news, they mentioned that the company behind ufo vpn (dreamfii hk limited) is actually owned by lippo limited, which is owned by lippo group. I can't find any information on the web that back this though. But if this is true, this kind of shenanigans (saying they don't keep log but actually keep them anyway, then leaks it due to sheer incompetence) is not surprising considering lippo group's well known history of corporate malpractice and screwing up their customers and partners alike. How companies this shrewd (so shady and well known they became a meme) continue to survives (and thrives!) is beyond me. Maybe there is money in screwing people after all.

I don't know why anybody ever cared about logging policies. How would you even know if they keep logs or don't, or what they do with them if they do?

You can’t possibly know. You have to just assume all VPN companies are logging your activity indefinitely regardless of what they say. Though I suppose you’d rather go with a VPN company that claims it doesn’t do any logging, over one that says it does.

Exactly. The only way is to make logs useless to begin with. See my comment earlier: https://news.ycombinator.com/edit?id=23881148

Know what's valuable? Internet traffic from people who think it's important enough to hide, and who have technical skills to get jobs with them. The value of privacy viewed this way would mean that a truly private VPN service would be hugely expensive, like the way a new Rolls Royce is priced at 50x that of what you need to get from A to B.

VPN providers are just internet resellers with a side business of affiliate marketing other VPN providers comparing “privacy” claims and acting unbiased

I’m amazed at the smart people that fall for that

The best test are court cases where investigators were stonewalled by a particular VPN provider

If you dont want the US knowing something but dont mind China knowing something, Express VPN got you

More importantly is that all this internet traffic is routed through China. Explicit MITM attacks are a courtesy.

Why would you trust a VPN when any TLA/CIA/NSA/FBI can set up 1/10/100 options relatively cheaply. Unless you go through TOR or use a false MAC address you have no guarantees, even then fingerprinting and fake TOR exits points are a serious risk if you are trying to be truly anonymous.

I think that at this point it is far easier to just setup a socks proxy with an vloud based machine than to research which firms have shady practices and which dont. I went into a womrhole over NordVPN vs PIA vs ProtonVpn and then just went with a proxy server. Costs peanuts with the cloud compute ecosystem.

>then just went with a proxy server. Costs peanuts with the cloud compute ecosystem.

The problem with personally operated VPN servers is that all the traffic ties back to a single user: you. This is fine if you're on a malicious network and need secure exit node for your data, but for anonymity (eg. ad tracking, DMCA) it's objectively worse.

If they promised no logs why did they take the extra steps to log. That's the opposite of a lazy mistake.

How can you tell when VPN provider is lying when they say they don't collect logs?

They say that they don't collect logs.

The only way is to make logs useless to begin with. See my comment earlier: https://news.ycombinator.com/edit?id=23881148

Why does anyone think with the prevalence of "free" VPN that these companies aren't storing and selling the crap out of your info?

Entrusting a third party to only play the role of protecting your privacy always sounds like a dangerously bad idea.

They've got no dog in the fight.

if you want a vpn ur better off running squid on a $5/month vps box , less likely this kind of nonsense happens

You can't trust firms hosted in HK anymore. It's as tainted as China is.

Must have had an encounter with an unidentified filing object...

There needs to be a serious rethink of VPN services

We did exactly that.

See my comment earlier: https://news.ycombinator.com/edit?id=23881148

Can you chain two VPNs?

Yes you can.

While you can, this is really hard. Let us do it for you.

See my comment earlier: https://news.ycombinator.com/edit?id=23881148

Can the title be updated to include the name of the "firm" (article says "Hong Kong-based VPN provider called UFO VPN")?


@dang: can the title be changed to "UFO VPN claims zero-logs policy, leaks 20M user logs". So users don't have to click through to the story to find out which firm?

Ok done.

Edit: I also changed the URL from https://www.hackread.com/vpn-firm-zero-logs-policy-leaks-20-... to what seems to be the original source.


Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact