I've been a happy PIA subscriber since the Snowden controversy. However, every time I see them becoming more popular (at least 4 of my friends have signed up with them in the past few weeks) and earnestly trying to make themselves more secure, I also realize that someone, somewhere within the NSA (and yes, other intelligence agencies around the world) is elevating them on a list of VPNs to break.
I've said this before, but PIA and other similar VPN providers are great security against most drive-by hackers. I am a happy customer for this reason.
But if your threat model includes "NSA/CIA/FBI/DEA", you are going to have to spend more than $4 a month to remain secure.
Okay, I'll bite. My budget is more than $4 a month, but not thousands. Is there any way to keep myself secure from the NSA/CIA/FBI/DEA/etc in a simple VPN-way?
> if your threat model includes "NSA/CIA/FBI/DEA"...
I think there are two vastly different threat models within that - (a) large-scale and indiscriminate vacuuming up of the average citizen's Internet usage data to fill up datacenters and do analytics, and (b) active targeting of a specific subject.
I'm hoping a VPN will insulate me against (a) too. But for (b), I don't think I stand much of a chance even if I spent $400 a month.
"Failsafe" is unnecessary. Come on, we call ourselves engineers here, right? A cardinal rule of engineering is to not let "perfect" get in the way of "good enough".
They don't store any user logs (I have no reason to suspect they'd lie about that). So there's not much stored data to break. Which means the focus will be on breaking their traffic encryption protocols.
Not necessarily. There's no need to break the encryption or have logs if the NSA can monitor all the traffic going in and out of the proxy server. They just have to correlate your incoming encrypted connection with the outgoing unencrypted data to remove the layer of anonymity. I'd frankly be a little surprised if they weren't doing this or something like it.
I would guess that using PIA makes you less secure against NSA snooping since it makes you more of a target and provides weak anonymity.
> I would guess that using PIA makes you less secure against NSA snooping since it makes you more of a target and provides weak anonymity.
So you're saying not using encryption and VPN services is a safer choice as regards Internet usage today? You seem to be going against the grain of most of what's been discussed around privacy & Internet surveillance on HN recently.
I wouldn't make a blanket statement like that. Depends what VPN and how you're using it and what you're doing on the internet and (in particular) what threat you're trying to protect yourself against. PIA will do a good job of protecting the contents of your messages from someone sniffing your wifi hotspot, but is useless against someone with the ability to monitor all internet traffic. The data leaving the PIA proxy is just as unencrypted as it would be if you weren't using a VPN, except your attempt to secure it will likely draw extra attention. There's strong evidence [1] that the NSA has special rules that allow enhanced collection and analysis of encrypted traffic.
Hypothetically, I believe a US entity could be forced to start logging and simultaneously be forced to not mention that logging had been turned on (and, indeed, to lie if asked about it).
Based on their sites, I believe they're a UK-based company (and US endpoints are just endpoints, in case someone wants to have a US-located exit to access US-only services), so it makes it somehow reasonably harder (but not impossible) to correlate between the client and their traffic.
Still, I don't see any significant difference between NSA and GCHQ, except that we have (thanks to Snowden) some details of the former's operations leaked, but the latter's remain secret (or I didn't pay enough attention to the news, maybe).
"Q: Where are you located? A: We are located in the US. Being in the US is optimal for VPN Privacy services since the US is one of the few countries that does not have a mandatory data retention policy. Countries in the EU are forced to log, even though some claim they do not."
> Whether you trust them or not is entirely up to you, but it's not that hard to set up your own VPN tunnel.
While I agree that trust is a _giant_ issue, speed and price (due to bandwidth needed/used) are also a major concern if you're one looking for an always-on VPN solution.
I personally used PIA for a few months mostly due to cost and it is at or near my speed cap at all times. I have also rolled my own VPN using a VPS at the same price point, however, considering that bandwidth would be limited and speeds were not as stable, it's hard for me to choose that route for my use cases.
Sure, if I need absolute security I wouldn't use PIA and I'd reconsider using a VPN on any VPS on US soil. But then, one would have to consider if it will be worth it.
You still have to trust somebody to host your VPN endpoint.
(Although it's probably less risky to use some relatively obscure VPS/dedicated/colocation ISP than a major VPN service, which certainly attracts some attention from TLAs.)
Fair point, but your personal VPN is also a lot less likely to attract scrutiny and be attractive to snooping than PIA. It's just a much bigger surface area, more popular, and potentially has a lot more useful data than your single box.
Your CA doesn't have to be (read: shouldn't be) the same box. Also, it doesn't have to be (read: shouldn't be) connected to the internet. I recommend a USB key you keep around your neck or on your keychain, but it's really up to you.
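The separation described in the comment above, sketched with the `openssl` CLI as an added example (not code from the thread or from any provider). Two temporary directories stand in for the offline USB key and the VPN box; the directory names and certificate subjects are constructed for illustration.

```shell
#!/bin/sh
# Added example: "usb-ca" models the offline CA media, "vpn-server" the internet-facing box.
set -eu

init_offline_ca() {      # $1 = CA directory (e.g. mount point of the USB key)
    mkdir -p "$1" && chmod 700 "$1" &&
    # -nodes keeps the demo non-interactive; for a real CA omit it so the key is passphrase-protected.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=Example Offline VPN CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" >/dev/null 2>&1 &&
    chmod 600 "$1/ca.key"
}

make_server_csr() {      # $1 = server directory; the server key never leaves it
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" >/dev/null 2>&1
}

sign_csr() {             # $1 = CA directory, $2 = CSR carried over, $3 = certificate to carry back
    printf '%s\n' 'basicConstraints=CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' > "$1/server.ext" &&
    openssl x509 -req -sha256 -days 365 -in "$2" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/server.ext" -out "$3" >/dev/null 2>&1
}

run_demo() {
    work=$(mktemp -d) || return 1
    ca="$work/usb-ca"; srv="$work/vpn-server"
    mkdir -p "$srv"
    # Only the CSR travels to the CA; only ca.crt and server.crt travel back.
    init_offline_ca "$ca" && make_server_csr "$srv" &&
        sign_csr "$ca" "$srv/server.csr" "$srv/server.crt" &&
        cp "$ca/ca.crt" "$srv/ca.crt" &&
        openssl verify -CAfile "$srv/ca.crt" "$srv/server.crt" >/dev/null 2>&1 &&
        [ ! -e "$srv/ca.key" ] && result=ok || result=fail
    rm -rf "$work"
    echo "$result"
}

run_demo
```

A compromise of the VPN box then exposes `server.key` only, which is revoked and reissued from the offline CA, rather than the key that can mint new trusted certificates.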
I use this service, and have been thrilled with it for a long time. They do no logging whatsoever, and their encryption and endpoint options are great.
They are also by far the cheapest truly secure option in this space - $40/year.
Interesting to note that you've hosted your beta clients on Kim Dotcom's Mega service. This is the first time I'm coming across a legit & popular service hosting its public client files on Mega.
I love PIA but I was too afraid to use it at Black Hat / DEFCON this year. If you use L2TP (required for iOS, handy for OS X because there is a native client) there is no certificate to prevent a MITM. Is there any way to address this? Can you use a certificate instead of a pre-shared key?
nitpick: There is a native OpenVPN client for iOS in the AppStore. I don't know how they managed to, but it's plugging into the native iOS VPN functionality and it works perfectly well.
To my knowledge, there are 7 companies including OpenVPN who have been granted access to private VPN APIs. I personally use the OpenVPN iOS client for "always-on" phone VPN.
Pretty bogus preset choices, what is this? If the provider isn't providing the expertise to ensure a safe connection for every customer, what the hell are they doing?