Proton announces release of a new VPN protocol, "Stealth" (protonvpn.com)
190 points by theschmed 4 months ago | 132 comments



Don't trust companies that save and hand over data. Don't trust proprietary security solutions. If this is literally just TLS based vpn wrapping, it's no different from using an onion bridge to get to your VPN endpoint. Proton gives data to federal agencies. Proton keeps user data. Proton removed their warrant canary. Use something better.

EDIT: If you want a truly safe VPN, you will need to do some work on both adversary modeling and technical implementation. If you are just worried about your ISP (filesharing of legally protected digital backups), use whatever. If you are worried that your data may be collected by your VPN provider, use a series of tor/vpn multihop. If you are a paranoid mf, use a privacy coin to purchase a VPS and then connect to it via tor on a public wifi network, set up a .onion hidden service for your ssh/chisel/etc port, connect over tor to forward your tunnel port to localhost, use that tunnel to connect to a multihop VPN system. Suggestions include mullvad, PIA, cryptostorm, whatever you want really. Throw a VPS with generic openvpn in the middle of your multi-provider hops, again paid in a privacy coin. Pay a homeless man to colocate a physical server that has DRAC and luks along with something like AMD TSME, then run containerized multihop there as well.

Basically if you want something done right, at least do some of it yourself.


This is false. Proton VPN's no logs policy has been proven in court and backed by third party audits: https://protonvpn.com/blog/no-logs-audit

VPN is not classified as a communication tool in Switzerland and there are no existing Swiss laws that can compel us to log.

The Proton VPN Transparency Report & Warrant Canary is also still available at: https://protonvpn.com/blog/transparency-report


Proven in court is ultimately what I think most users really care about.

Thanks for sharing this.


How do we know this isn’t another CIA/Swiss front? Just like Crypto AG.

https://www.bbc.com/news/world-europe-51467536.amp

Some of us also remember Hushmail.

https://www.wired.com/2007/11/encrypted-e-mai/


There is no comparison between Crypto AG and us. Our encryption occurs client-side and our cryptographic code is open source and backed by third-party audits: https://proton.me/community/open-source


One thing that might put others at ease is having a way for client-side code to NOT be automatically updated, as some view this as a type of backdoor or method that malicious code might be injected without being noticed, even if unintentional.


Do you really expect anyone to be able to answer this? How would anyone ever know before it's too late? Nobody would use it if they knew, and they know that too.


People have too short a memory to remember this.


There is an unanswered bug report from March that suggests Stealth is not working in Russia:

https://github.com/ProtonVPN/android-app/issues/130


Protonvpn logged ips at the request of the Swiss government on behalf of the French government as a political favor.

https://www.theverge.com/2021/9/6/22659861/protonmail-swiss-...

Protonvpn does log data and does hand it over. It doesn't matter if they "had to" (they can fight) You can't put the genie back in the bottle.


Do you even read your own source? Even the truncated URL says Protonmail... a search for "VPN" in that article comes with "Yen said a similar order would also not be able to provide ProtonVPN metadata, as VPNs are subject to different requirements under Swiss law."

Sure you can refuse to believe the company's statement, but your comment is based on your (maybe deliberate, conveniently) misunderstanding of mail vs VPN...


Protonvpn is protonmail. They're the same company. They choose to operate in a way that allows user IPs to be given for arbitrary political reasons. They will do it with VPN too if they're "requested".


You appear to misunderstand the discussion.

Under Swiss law Email is communication which is subject to a VPN which is not classified as a communications medium and subject to different laws.

There is no way a legitimate company can insulate itself from legal compulsion. However a legitimate security company can do everything within the law to protect users. Proton does this and has been legally tested.


[flagged]


Dear Protonvpn, please listen to this guy, he knows everything! /s

Either you operate within the boundaries of a country's laws, or you try to be lawless and hide. A VPN provider hiding from the law, gee, what basis do you have to trust them, if they can also lie and hide stuff from their users?


Selectively disobeying laws that infringe upon user privacy is an act of civil disobedience, not evidence of broad willingness to disobey all laws, commit fraud, harm users, etc.


Show me a company that successfully does this.


I am not asserting that such a company necessarily exists, though Lavabit comes to mind.

I am simply responding to the assertion that any kind of legal noncompliance, including something as simple as refusing to compromise user privacy, necessarily renders a company untrustworthy, which was made in the parent comment:

>A VPN provider hiding from the law, gee, what basis do you have to trust them, if they can also lie and hide stuff from their users?


the statement was that a company operating illegally is _less_ trustworthy than one operating legally.

I think it is plausible, because if the company (through some wonder) picks and chooses which law it abides by, then it literally can scam anyone out of their life savings without any consequences…

I mean, it’s all pros and cons: governments have some cons, but they also offer a framework which is protecting you to some extent from scams. If you decide to deal with a company operating outside the law, you can avoid the government spying/tracking (which, depending on the country you live in, may be vital) _but_, such companies cannot be sued or anything, so you have significantly less legal protections…


Their claim: they have to follow the Swiss laws, the laws for mail providers and the laws for VPN providers are separate, and one of them requires IP logging, and the other doesn't.

Your claim: they're just doing whatever the hell they want, whatever is "politically" expedient for them. Without any substance behind it.

Considering Switzerland's reputation as low-corruption country, i.e. having a government that follows the rules, I can imagine the VPN department will fight such a "request" as you say in their court of law, but hey, I bet your guts know it all.


Following the law is not arbitrary. Nobody is going to jail for you, your data is not that important. And there is literally no better country to do this in. Whatever you think Proton could be would be a company you shouldn't trust in the first place.


If you're getting into that kind of paranoia, you might as well just buy burner laptops that use burner 5G SIMs, and go fully stateless.

Considering you, as a person, are stateful, the strategy will inevitably fail and you'll be caught.

This is how people seeking privacy after doing bad things got found out. People were tracing patterns of behaviour long before there was an internet that produced access logs.


Some people are paid to be the overly paranoid person in the room professionally, for budget and leadership to dial their models against. Notice I put the security and adversary modeling at the top.


Proton has multiple services, and the data retention of one service may have little to do with another. In particular, any data retention for their VPN service is going to be very different from say email for obvious reasons. Even for email, afaik, it was the recovery email address that gave access to the data in the account.

What's a better VPN service anyway? Mullvad? I see Proton's stealth feature as being valuable.

Disclaimer: I have no conflict of interest whatsoever with Proton other than being a free user.


PrivacyGuides (not affiliated with them, just find it a useful resource) highlights Proton, Mullvad, and iVPN as reputable depending on your use. They state Proton does not support IPv6 yet, Mullvad removed remote port forwarding, and iVPN the same.

The recommendation from the person you're responding to (PIA and Cryptostorm) is very untrustworthy and doesn't even match the minimum criteria from PrivacyGuides.


Got any details, reference, quote, or analysis on the CS claim?

AFAICT, the only discriminating factor is lack of solicited third-party security audits. Which I don't think implies being "untrustworthy".

https://www.privacyguides.org/en/vpn/#marketing

https://discuss.privacyguides.net/t/why-is-vpn-providers-lik...

(PIA/Kape I get, and relevant information on the controversy surrounding them and their owners is easily discoverable.)


The default state of vpn services should be that they're untrusted.


I mentioned PIA, Cryptostorm, etc. (or whatever) in the context of onion plus VPN multihop.


It depends on your threat model. If your threat includes three letter agencies and nation states then you're right-- don't use Proton. However, 99.9% of people don't have that threat model. In that case, Proton is better than most other providers out there (for email, vpn, etc).


I would hazard to say if that's your threat model, you're better off not using the internet in general. VPN provider won't really matter ultimately, there's a hundred things on either side of that tunnel that you have to take care of.


I'd argue physical channels and access are even less secure. People are broken easily (you can't trust anyone) and surveillance is everywhere and more sophisticated than you imagine. My first job was at a US-based video surveillance company owned by Israelis and used by casinos, stadiums, and entire cities. I have an idea of what it's capable of :)

What we need is a truly secure and private method of communication and payment. We're close on both.


The methodology is simple enough, the issue is the devices.

Sure you can run hardened, stateless linux, but how many SoCs are in your laptop? Those aren't trustable. Your phone's even worse.

Sure meatspace is full of surveillance gear, and has been for years. Face rec/id has been around for a decade longer than people think, plate readers, traffic cams basically everywhere, etc etc. The problem those systems all have is filtering out the signal from the noise. They don't know that person-X is someone to watch until they're tagged. Once they're tagged, it's basically over, but, how do you tag them? Right now, that's mostly manual, and based on external data. If there is no external data, there's no risk of being tagged.

The real question is, can someone remain normal enough while not generating suspicion while they're up to no good. I'd say they certainly can, most don't, but, it's far from an impossibility.


> Pay a homeless man to colocate a physical server

So many questions about that server provisioning workflow :)


DRAC and LUKS. The homeless man enters a consultancy agreement to subcontract as a legal entity and is fairly compensated to use his services as the authorized agent of the provisioning wing of your entity. As authorized agent, he simply agrees with the datacenter that when an authorized physical server arrives it is added to a rack. When your entity structure needs to decommission a machine, you use DRAC to destroy data at rest with a 70-hour DBAN series, power it down, and have the data center mail it to whoever buys it on eBay.


Is the hardware run on solar-charged batteries, or does it recharge through plugging into coffee shop outlets? Is the network leeched from Starbucks, or through a cell modem?


You misunderstand: the homeless man signs an agreement to be the authorized agent of contact who is able to tell the data center when authorized servers will arrive by mail and when they need to be sent to a different location. Do not colocate servers in data centers run by homeless men, as there is less chance of fire suppression and climate control factors in their facilities (shopping carts/cardboard/tent cities). It may be fine for a startup; check your security model and postures.


Cell modem or being on someone's WiFi gives away your location though.


Pretty straightforward with biceps.


I don’t understand your allegations against Proton VPN. They give data to federal agencies and they keep user data? When did they do that? Can you share any evidence of this?


I think they're referring to ProtonMail, not ProtonVPN. Same company, same difference. What makes you believe that they would play one service so significantly differently than the other?

https://arstechnica.com/information-technology/2021/09/priva...


Because Swiss law for the two services are different, and their compelled actions for email are not applicable to their VPN services. Their public statements, audits, and track record for the two services reflect that reality.


A flaw in your argument: a VPN protocol that emulates the traffic pattern of an HTTPS connection is not the same as a TLS VPN.


PIA is associated with Kape Technologies, a company founded by an ex-Mossad agent that acquired many VPN companies.


Instead of choosing a company to trust, I would prefer that everybody implemented ECH (Encrypted Client Hello) and there would be almost no data to collect. Why does Cloudflare seem to be the only one who implements it?


China blocks TLS 1.3 entirely.


At that level of paranoia you're probably better off just airgapping your network away from the internet and only transfer data using physical drives.


We were speaking about modeling for VPN systems. Wait for a thread about air-gapped networks to be fascinating enough and for me to stumble across it, for me to give a wildly inappropriate but technically correct, though complex and subjective, answer.

However, there is a significant issue with using hard drives to transfer data in airgapped networks without proper f-caging. Optical transfer of data via taking a video of rapidly flashing QR codes is fairly secure when under enough blankets, but mylar shielding of walls and windows may be required depending on the adversary model.



Proton does not care anymore. Maybe they never did? Their new wallet wholeheartedly cements any skepticism I've had previously about them.


Elaborate on this?


Agreed. To that end, I wonder what the current prevailing recommendation is for a top tier VPN? Or should we roll our own using a VPS and Wireguard?


I trust Mullvad, or more like I haven't found a reason to not trust them yet. I buy the activation cards on Amazon for convenience and as far as I can tell the individual scratch off activation code you activate on their site with your account number cannot be traced back to you.


Mullvad accepts XMR which is more difficult to trace than amazon related anything. Mullvad does however state that payment information is disassociated from account numbers 90 days after payment. Theoretically you could use any payment you like, pay the 90 day compliance tax, set a cal event, then begin using it about a week after that 90 days is up. Cheaper to use XMR.


The trick of selling via Amazon is that although Amazon (and thus the government, if they subpoenaed that info) could easily see you're using Mullvad, they could not figure out which Mullvad account was yours.


A small note to do your own research on:

Wireguard sets up an IPv4-based internal network and the machine responsible for the routing MUST know the client IP that was assigned to the connecting machine. There are some kernel modules to OBFUSCATE but not eliminate this data. Wireguard therefore has a fundamental design flaw that makes it faster but potentially less anonymous than the OpenVPN protocol.

DYOR and YMMV. I always disable WG for at least my first hop.


> Wireguard sets up an IPV4 based internal network and the machine responsible for the routing MUST know the client IP that was assigned to the connecting machine.

How else would it work? You could strip the source IP, but then you couldn't get replies and you'd have a very anonymous VPN that could only be used to send UDP packets; no receiving and no TCP since even establishing TCP requires replies.


Are you referring to this issue specifically? “Wireguard leaks IP address in client mode if connection fails” https://github.com/linuxserver/docker-wireguard/issues/139


I think you need to post more context here because this doesn't make sense. We run large-scale WireGuard for hundreds of thousands of clients, and we know none of their client source IP addresses.


What are your sources here? Aside from Proton VPN being no-logs already being proved in court, Proton has third-party audits to back up their no logs claims: https://protonvpn.com/blog/no-logs-audit


They haven't cited any and likely can't. As an end user, at the end of the day I care about real-world track record. Proton has not been able to comply with real-world requests over several years.

While theoretically there may be more secure approaches, you may also be introducing new dangers as well. E.g., paying for a VPS with an anonymous coin doesn't mean your VPS provider can't deanonymize you or comply with a warrant. You need to make sure every single link in the chain is foolproof. That's way more error prone.

IMO a proven legal track record is in a way more valuable than unproven theoretical flaws (if you can even call them that).


> Without going into too much detail, Stealth also establishes VPN connections in a specific and unique way that avoids alerting internet filters.

I began mistrusting Proton some time ago with their hit piece on RAM-only VPN server confirming my bias.

Let's assume any adversary interested in reversing that new protocol, what's the point of not being transparent on how this new and fancy obfuscation works.

The TOR project has a lot of innovation in censorship circumvention[1] while still being transparent to their userbase.

[1] https://snowflake.torproject.org/


> With Stealth enabled, your Proton VPN connection will be almost completely undetectable.

In their defense, they're basically saying this doesn't do anything since it's still detectable.


It will be interesting how robust this new protocol is against traffic pattern analysis. A regular HTTPS connection has different patterns over time than a VPN, mainly because it carries only HTTPS and not all of the machine’s traffic; and only for a specific "website" (simplification here) instead of bundling the whole web to a "single server". The latter may be easier to evade, but the former will be hard.

Anyways kudos to them, and I can’t wait to see how it fares against China’s GFW.


Unfortunately it's not gonna work. The GFW periodically disturbs/resets any persistent or large-enough traffic to IPs outside of China and bans them. That's why even if you have the best obfuscation protocol (like setting up your own server outside with truly indistinguishable traffic like a normal HTTPS), you still cannot have stable connections with large traffic. The current reliable ways of evading GFW are using IPs inside China via non-GFW controlled IEPL connections. These are loopholes deliberately left by GFW in order for certain legit use cases to bypass them (like research / big international corps etc.)


Might depend on provider? I have a single endpoint and no such issues. Transferring multiple GBs on some days. I'm using a custom protocol though that's basically udp but with the tcp protocol number in the ip next protocol field. I'm simply ignoring any injected rst packets etc.


Yes, depends on a lot of factors like provider (different telecoms have different network settings/policies), location (GFW is multi-tiered with at least provincial boundaries, certain cities/provinces might have tighter control/policies), time/date (e.g. sensitive periods), etc. But what I'm saying is that traffic analysis is really effective. A single IP with multiple GBs on a day is on the low end and thus probably fine. GFW targets potential VPN-like services which have much higher aggregate traffic over a period of time. If you have higher traffic it could trigger IP bans regardless of your custom protocol. I had custom servers set up like yours before and they die mysteriously sometimes, so I had to rotate once in a while on new IPs.


I very rarely had outages of half a minute to two or three minutes, and every time I feared it was an IP ban. Wouldn't be too bad though, I have access to most of a /24. I had silly ideas like load balancing across multiple IPs, but as a custom protocol is already standing out, I wonder how much louder I could scream "here I am" :)


Can VPN providers rotate used IPs faster than they are blocked, or is it too expensive?


I'm sure they have monitoring services to detect banned IPs and rotate on new IPs. However, in my experience, the most popular VPN providers are actually not specialized in evading GFW despite what they claim. During sensitive periods of time, most of them couldn't be connected reliably. Those providers specializing in providing GFW evasion are called 'airports' or 'ladders' in the Chinese community and they use custom non-VPN protocols and tools for their services.


How much is "large", ballpark?


I had custom servers banned randomly in the ballpark of 100 GB / day, but your mileage may vary.


Is there a good comparison of "undetectable" VPN protocols? Wireguard[0], Shadowsocks[1], VLess[2], VMess[3], Trojan[4], etc. All of them seemed to work for me during my recent trip to China.

[0] The article says Wireguard is easy to block, but in my experience GFW lets it through.

[1] https://shadowsocks.org

[2] https://xtls.github.io/en/development/protocols/vless.html

[3] https://xtls.github.io/en/development/protocols/vmess.html

[4] https://trojan-gfw.github.io/trojan/protocol


> All of them seemed to work for me during my recent trip to China.

Depending on how you were connecting, your traffic may have been explicitly allowed. If you were connecting via your cell phone, using roaming with your home SIM card, you're not subject to the Great Firewall (all your data was essentially VPNed through your wireless carrier's PoP already). And IIRC many larger hotel chains that cater to foreigners (and would likely refuse to allow a citizen to stay there) also aren't GFW'd.


Yeah, AIUI the Chinese government cares that Chinese citizens can't bypass the GFW, but either explicitly or implicitly does not care if foreigners do.


As it should be -- a government's duty is to serve its citizens, not any foreigners who happen to be visiting.


This is a weird response to a censorship regime.


Wireguard and Shadowsocks are trivially detectable, as Chinese and Russian providers show in practice.

TLS-in-TLS (trojan) seems to be detectable too.

If we look at Chinese and Russian government DPI, we will see that now VLESS with XTLS‑Vision and XTLS‑Reality are not detectable. YET.


Yup, VLESS works; Mullvad/NordVPN/PIA/Surfshark don't.


> [0] The article says Wireguard is easy to block, but in my experience GFW lets it through.

For some time. After a while, the connection eventually gets blocked or throttled. The annoying thing about understanding the GFW is that it's not quite deterministic.


It seems their Android app is open source... Maybe the protocol could be reverse engineered?

https://github.com/ProtonVPN/android-app

PS: Tried their free plan in China and it won't connect ("Connection Timeout"). In fact, I had to use another VPN to get past their app's loading screen (guessing it got stuck while doing a request to their server)...


From a cursory glance, it seems to be Wireguard + TLS

https://github.com/ProtonVPN/android-app/blob/fc9e7f500fe56b...


Is this just a brand name for tunneling traffic over TLS on port 443 (which has been a thing for decades) or am I missing something here?


Masquerading as legitimate traffic is important for many VPN users, I guess. Many don't want ISP to know they are using a VPN, and others don't want to get their VPN blocked.


Absolutely, but this is announcing this as a "new" protocol. I'd like to know what is new or if I'm missing something.


"Stealth" isn't a property of core VPN tunneling protocols --- establishing a secure channel is. Stealth is something you'd build on a transport underneath a VPN protocol. Completely replacing WireGuard or IPsec just to beat DPI seems pretty silly.


FWIW, when this same URL was being discussed two years ago, someone looked into it and decided that it was, in fact, "Wireguard over TLS".

https://news.ycombinator.com/item?id=33171089


Yeah, I see someone else on the thread has evidence of the same. If they're just tunneling WireGuard over something, I don't care, knock yourself out, it's fine.


This is too light on details to determine if there's anything interesting here. Similar to others, these are my main concerns:

* Is this an open protocol?

* I would like to see a detailed comparison to similar solutions

* Looks like it's TCP so head-of-line blocking may cause performance issues.

* What prevents entities from detecting that all your traffic is going to a single endpoint, or just blocking known VPN servers directly?


Will it work in China? You guys go back and forth about whether you trust VPN companies, but for me I’m just looking for something that works with 100% reliability in China.


Does it work in China?

I would think it would've been best to keep this update "silent", so to speak, to avoid letting said parties know of this new protocol.


You are way underestimating GFW and people who work on it.


Tailscale has been working in China for me the last couple of weeks.

Also check out Amnezia VPN and the cloak implementation.


Awesome.

Question though: don't most VPN filters simply block a list of all known VPN endpoints? Maybe I missed something but I don't see how Proton's Stealth evades this simple filter?


I would assume https (websocket) with domain fronting


By not telling what their endpoints are?


Is there documentation for the protocol anywhere, or is this going to be a proprietary protocol to Proton that doesn’t gain much adoption outside of their users? If their claims are true this could be a great alternative for certain use cases


I use protonvpn because I pay for protonmail. It is frustrating because I feel like I need to pay another VPN provider to get decent service. The client is ridiculously unstable and doesn't have the features found on other platforms. If you're not already using their mail services, use linux, and don't like being snubbed despite being a paying customer, look for another provider. Note that the stealth mode is not available for linux, just another way to tell their linux customers that they don't matter.


Providers like Perfect Privacy have offered stuff like this for over a decade and they, like others, don't advertise their blatant misunderstandings[0] of the threat models people in censored countries face. I don't see why this is being shilled here so much, it's as close to an obvious honeypot as you'll ever see.

https://news.ycombinator.com/item?id=41079157


> Stealth does this by using obfuscated TLS tunneling over TCP. This is different from most popular VPN protocols that typically use UDP

The reason most VPN protocols use UDP is for performance. With TCP, a single blocked packet can delay multiple streams. And FWIW, OpenVPN supports using TLS over TCP, but it is less performant than UDP.

I would be more interested in a protocol that uses QUIC and looks like HTTP/3.
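The head-of-line effect the comment above describes, as an added illustration (not Proton's or OpenVPN's code): two application streams share one tunnel, one packet of stream A is lost, and the model compares an in-order transport (TCP-like, every later packet waits for the retransmission) with independent datagrams (UDP-like, only the lost packet waits). The packet trace, the one-way delay and the retransmit timeout are constructed values.

```python
"""Simulate head-of-line blocking: several application streams over one
in-order transport (TCP-like) versus independent datagrams (UDP-like).

Added illustration, not code from the page or from any VPN vendor. The
trace, loss pattern and timing constants are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    seq: int            # transport-level send order
    stream: str         # which application stream the packet belongs to
    send_time: float    # ms, constructed
    lost: bool = False  # first transmission dropped by the network


# Constructed trace: streams A and B interleaved over one tunnel, one loss in A.
TRACE = [
    Packet(0, "A", 0.0),
    Packet(1, "B", 0.5),
    Packet(2, "A", 1.0, lost=True),
    Packet(3, "B", 1.5),
    Packet(4, "B", 2.0),
    Packet(5, "A", 2.5),
]
ONE_WAY_DELAY = 10.0         # ms, constructed
RETRANSMIT_TIMEOUT = 200.0   # ms the sender waits before resending, constructed


def arrival_times(trace):
    """When each packet (or its retransmission) reaches the receiver's transport."""
    arrivals = {}
    for p in trace:
        t = p.send_time + ONE_WAY_DELAY
        if p.lost:
            # The original copy never arrives; the retransmission goes out after the RTO.
            t = p.send_time + RETRANSMIT_TIMEOUT + ONE_WAY_DELAY
        arrivals[p.seq] = t
    return arrivals


def deliver_in_order(trace):
    """TCP-like: the receiver releases packets to the application strictly in seq
    order, so every packet waits for all earlier seqs, whatever stream they belong to."""
    arrivals = arrival_times(trace)
    delivered = {}
    ready_at = 0.0
    for p in sorted(trace, key=lambda p: p.seq):
        ready_at = max(ready_at, arrivals[p.seq])
        delivered[p.seq] = ready_at
    return delivered


def deliver_independent(trace):
    """UDP-like: each datagram goes up as soon as it arrives; only the lost one waits."""
    return arrival_times(trace)


def stream_delay(trace, delivered):
    """Worst extra delay per stream, relative to the loss-free one-way delay."""
    worst = {}
    for p in trace:
        extra = delivered[p.seq] - (p.send_time + ONE_WAY_DELAY)
        worst[p.stream] = max(worst.get(p.stream, 0.0), extra)
    return worst


if __name__ == "__main__":
    # Stream B never lost a packet, yet over the in-order transport it stalls
    # for almost the full retransmit timeout; over datagrams it is unaffected.
    print("in-order   :", stream_delay(TRACE, deliver_in_order(TRACE)))
    print("independent:", stream_delay(TRACE, deliver_independent(TRACE)))
```

Stream B has no loss of its own, but on the in-order transport its packets 3 and 4 cannot be released until the retransmission of packet 2 lands, so B stalls for about 199.5 ms; with independent datagrams B sees no extra delay at all. That is the cost the comment is pointing at, and a TLS-over-TCP tunnel pays it for every inner flow it multiplexes.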


UDP is a complete red herring and you should carefully reread any analysis that says a VPN protocol is superior to WireGuard because it uses TCP and not UDP. It's trivial to run WireGuard over TCP (it's our default for all our users, because something like 1 in 20 users has problems getting UDP out to the public Internet).


Friend of mine just tried this in Russia. DOESN'T WORK


Do they happen to use the Russian App Store? If so, the app hadn't been updated to utilize the new protocol because Apple had delisted[1] ProtonVPN in mid July.

[1] https://apps.apple.com/ru/app/proton-vpn-fast-secure/id14370...


The issue reported here (unanswered since March) says they are using Stealth in Russia and it is still not working: https://github.com/ProtonVPN/android-app/issues/130


He is a permanent resident of Spain, but he is in Russia currently, so he has the Spanish App Store.



ProtonVPN's IP ranges blocked?


I dunno. But they advertise their "Stealth" protocol as a solution for everything. And there are still problems.


This was "published" now, but this same URL was discussed two years ago here about the same thing?

https://news.ycombinator.com/item?id=33170028


Coincidentally, while searching for "proton vpn stealth" I came across this exact article 2 days ago and was surprised seeing it here with the latest publish date. But in the previous article "windows" was not included in the list of platforms Stealth was available on. I guess with today's Proton VPN update it became available on Windows too, and so they updated the article.


I'm interested to try this out for a game I'm banned from. My little brother did a thing little brothers tend to do (lol) and I got caught in the crossfire. This is my baseline test for all VPN services.


Seems to be more focused on preventing VPN detection by middleboxes than by endpoints.


I'm a big dummy but do you care to elaborate on that?


There are two types of VPN detection people are worried about:

- Endpoints (e.g. Netflix or video game) detecting VPNs and blocking users of VPNs from their server because they don't trust the user to not be bypassing their rules

- Middleboxes (e.g. airport wifi or the great firewall) detecting VPNs and blocking the user from the internet because they don't want the user to have unfiltered internet access.

The latter group have a lot more tools to see if something is VPN traffic since they have access to the entire (encrypted) traffic, so they can do stuff like checking whether you are constantly exchanging the vast majority of your requests with a few hosts.

The former don't have as much information, but they have one really easy, really effective option, which is to contract with one of the IP classification databases that lets them see if the client is on a home internet connection. If it's not, they can just block you. Watching Netflix from your EC2 instance isn't going to be that reliable. And it's hard for the VPN providers to reliably get IPs that look residential: residential service usually prohibits such uses; companies that run both residential and business services still usually run them separately from an infra perspective as it makes their life easier; and even if you found an ISP to co-operate and let you use their residential addresses to run your VPN, the databases can just mark the entire ISP as having this kind of use, which would hurt the ISP's users, which counts as a strong disincentive for an ISP to become known for this kind of business.

So for VPNs to bypass blocks by remote services, it means they're going from (most legitimate) shopping around ISPs willing to host them on residential IPs on the down low to the more sketchy end buying residential IP traffic from places that sell residential IP space from e.g. malware or software that buries this detail in its T&Cs. There's also the Tor exit node route of using your users as a sort of mesh network to get residential IPs, but legitimate VPN providers are not going to do that because of the risk it exposes their users to legal liability.

This is not really something that can be fixed with protocol updates like Proton is doing here - the protocol updates are more about evading the middlebox-style traffic analysis mentioned here.
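The middlebox-side heuristic the comment above describes ("the vast majority of your requests through a few hosts") can be written down in a few lines. The following is an added example, not Proton's or any firewall vendor's code; the flow records, addresses (TEST-NET ranges) and thresholds are constructed to show the idea.

```python
"""Flow-concentration heuristic for spotting tunnelled traffic (added example).

Illustrates the middlebox-side detection described above: an operator who sees
every encrypted flow from a client can ask whether nearly all of that client's
bytes go to one remote host. Nothing here is Proton's or any firewall vendor's
code; thresholds and flow records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One connection summary, as a NetFlow/IPFIX-style record would give it."""
    client: str     # inside address
    dst_ip: str     # remote address
    dst_port: int
    bytes_out: int
    bytes_in: int


# Constructed sample: 10.0.0.5 browses normally, 10.0.0.9 runs a TLS-wrapped
# tunnel to a single host on port 443 (TEST-NET addresses, not real servers).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "192.0.2.10", 443, 20_000, 400_000),
    Flow("10.0.0.5", "192.0.2.20", 443, 50_000, 900_000),
    Flow("10.0.0.5", "198.51.100.5", 443, 10_000, 300_000),
    Flow("10.0.0.5", "198.51.100.9", 443, 30_000, 600_000),
    Flow("10.0.0.9", "10.0.0.1", 53, 2_000, 3_000),
    Flow("10.0.0.9", "192.0.2.200", 443, 5_000, 20_000),
    Flow("10.0.0.9", "203.0.113.7", 443, 4_000_000, 30_000_000),
]


def concentration(flows, client):
    """Return (busiest_dst, share): the remote host that exchanged the largest
    share of the client's total bytes, and that share as a fraction in [0, 1].
    Returns (None, 0.0) when the client has no traffic."""
    per_dst = defaultdict(int)
    total = 0
    for f in flows:
        if f.client != client:
            continue
        n = f.bytes_out + f.bytes_in
        per_dst[f.dst_ip] += n
        total += n
    if total == 0:
        return None, 0.0
    top, n = max(per_dst.items(), key=lambda kv: kv[1])
    return top, n / total


def looks_tunnelled(flows, client, share_threshold=0.9, min_bytes=1_000_000):
    """Flag a client whose traffic is overwhelmingly concentrated on one host
    and large enough to be more than a single page load or download.
    The check never looks inside the flows, so wrapping a tunnel in TLS on
    port 443 does not change the verdict."""
    top, share = concentration(flows, client)
    if top is None:
        return False
    total = sum(f.bytes_out + f.bytes_in for f in flows if f.client == client)
    return share >= share_threshold and total >= min_bytes


def suspicious_clients(flows, **kw):
    """All clients in the flow set that trip looks_tunnelled, sorted."""
    clients = {f.client for f in flows}
    return sorted(c for c in clients if looks_tunnelled(flows, c, **kw))


if __name__ == "__main__":
    for c in sorted({f.client for f in SAMPLE_FLOWS}):
        print(c, concentration(SAMPLE_FLOWS, c), looks_tunnelled(SAMPLE_FLOWS, c))
```

The point of the example is that the heuristic is protocol-agnostic: it never inspects packet contents, so a TLS-wrapped tunnel on port 443 concentrates traffic exactly as a plain WireGuard tunnel does. It also false-positives on a long video stream from a single CDN host, which is why operators who use it pair it with flow duration, port mix and IP reputation rather than acting on the share alone.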


The endpoint blocking is pretty easy to bypass if you run your own VPN (e.g., Tailscale with an exit node in your home network, or an OpenVPN server).

My workplace recently blocked all VPN exiting traffic, even on the guest network. I found this quite bothersome, as I do prefer to tunnel everything through my house. I never use public WiFi without VPN; not because I'm doing illegal things, nor because I think it keeps the NSA from spying if they want to (after all, they can just monitor my house). It keeps the coffeeshop and airport and hotel networks from watching my moves, though.

It also doesn't trigger multi-location detection on Netflix, etc.


> There's also the Tor exit node route of using your users as a sort of mesh network to get residential IPs, but legitimate VPN providers are not going to do that because of the risk it exposes their users to legal liability.

Could there be a middle ground? Unless using encrypted DNS, the VPN has access to the website name, and could use a list of legitimate services that ban VPNs (like Netflix) and only then use their users as a mesh.


When they talk about detection, they are most likely referring to protocol level detection by ISPs forced to block VPN traffic, hostile local networks, corporate firewalls and such.

The actual service you are connecting to (example: website, game server, etc.) most likely uses an IP-based detection service such as https://focsec.com/ or similar. In such cases, the protocol will not make a difference.
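As an added example of the endpoint-side check this comment and the earlier one refer to (a service classifying the client address rather than the protocol), here is a longest-prefix-match classifier over a constructed prefix table. It is illustrative code, not focsec's, Proton's or any real database's; the prefixes are documentation ranges and the labels are made up.

```python
"""Prefix-based IP classification (added example, not focsec's or Proton's).

Models the endpoint-side check described above: a service asks a database what
kind of network a client address belongs to and refuses anything that is not
residential. The table below uses documentation ranges and is constructed; a
real database is larger but works the same way.
"""
import ipaddress

# Constructed sample database. Longest prefix wins, so a block that a
# residential ISP has resold for servers can be labelled separately.
SAMPLE_DB = [
    ("192.0.2.0/24", "residential"),     # ISP consumer block
    ("192.0.2.128/25", "hosting"),       # part of it resold to a VPN operator
    ("198.51.100.0/24", "hosting"),
    ("203.0.113.0/24", "hosting"),
    ("2001:db8::/32", "residential"),
]


def build_table(entries):
    """Parse (prefix, label) pairs and order them longest-prefix-first so the
    first match in classify() is the most specific one."""
    parsed = [(ipaddress.ip_network(p), label) for p, label in entries]
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)


def classify(ip, table):
    """Label for an address, or 'unknown' if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    for net, label in table:
        if addr.version == net.version and addr in net:
            return label
    return "unknown"


def allow_client(ip, table, allowed=("residential",)):
    """Endpoint policy: serve only clients whose address is labelled residential."""
    return classify(ip, table) in allowed


def relabel(entries, prefix, label):
    """Return a new entry list in which `prefix` carries `label` and any more
    specific entries inside it are dropped. Shows what happens when a database
    marks an entire ISP rather than one resold block: every customer of that
    ISP is then refused, which is the disincentive the earlier comment names."""
    net = ipaddress.ip_network(prefix)
    kept = [(p, lbl) for p, lbl in entries
            if not (ipaddress.ip_network(p).version == net.version
                    and ipaddress.ip_network(p).subnet_of(net))]
    return kept + [(prefix, label)]


if __name__ == "__main__":
    table = build_table(SAMPLE_DB)
    for ip in ("192.0.2.10", "192.0.2.200", "203.0.113.7", "2001:db8::1", "10.1.2.3"):
        print(ip, classify(ip, table), allow_client(ip, table))
    wider = build_table(relabel(SAMPLE_DB, "192.0.2.0/24", "hosting"))
    print("after relabel:", classify("192.0.2.10", wider), allow_client("192.0.2.10", wider))
```

Note that nothing in this check depends on how the client connected: a client arriving from a hosting-labelled address is refused whether it used WireGuard, OpenVPN or a TLS-wrapped protocol, which is why a new protocol cannot move this kind of block.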


Thanks for the info. That's a bummer!


A VPN protocol won't really make a difference for that, usually online services detect VPNs based on IP addresses.



haha. I wish. I play 4s with my little bro and a couple of my friends, and my little bro thought it would be funny to hot mic a Hitler speech. We all got banned. lol


FAFO. Sounds justified.


My absolute favorite reddit expression. I actually donate to an animal shelter every time I read it.


Looking forward to seeing the pictures of the animals you sponsored


This sounds more like a press release for a company than a technical overview of the protocol. Is there a reference implementation available?


How does it address TCP over TCP reliability layer collision?

Reference: https://web.archive.org/web/20230310043036/http:/sites.inka....


I mainly use Proton to get around geo-blocks. FWIW, I tried this new protocol out on BBC iPlayer and it failed horribly. I tried the Wireguard UDP I normally use and streamed without any problem. It's a single data point but if the goal is to avoid sites knowing you are on a VPN, it isn't fit for purpose.


I don't think this is enough information to quantifiably say that your issue was caused specifically by the Stealth protocol itself and nothing else.


> in the constantly evolving battle for online freedom, our work is not finished.

I'm assuming this boils down to a cat and mouse game, then? E.g. popular firewalls patch this and Proton releases an update to bypass filters?

Also, couldn't access this site directly because of corporate firewall, how ironic.


I wonder what differentiates this from something like Stunnel?


It's Proton branded.


Do we really need yet another VPN protocol?


We do, actually. You're missing the point. This is to evade VPN blocking.


I'm not; protocols like these already exist, and since this is ProtonVPN's own protocol, all you need to do is block the IP addresses and it would be useless anyway.

It doesn't work against GFW nor in Russia. I've seen some people saying they're having issues in Iran as well.

If you had a protocol like this combined with something like MysteriumVPN (which has "decentralized" VPN nodes) then yeah, it'd probably help.



