Our goal, however, is different. We aim to bring VPN/privacy protection to people who have never heard of VPN (notice that we don't have "VPN" anywhere on our site, except for in a quote from TNW and in the help section). Despite there being 100's (if not 1000's) of VPN services out there, very few of them, sadly, care about the non-tech-savvy audience.
Unfortunately, because TunnelBear uses its own client rather than the standard Windows VPN mechanism, VPNCheck can't be used with it. While I love your company and the generous touch of humor and whimsy you bring to a normally somber market, I can't live with a product with that gaping a security hole. If and when that's fixed and if the performance is about an order of magnitude better than it was when I tested it a year or so ago I'll be on board in a heartbeat.
I'm trying to avoid proprietary OS's now -- I don't suppose I could get into the linux beta you mention here:
Will such people understand the subtle ways in which using a VPN will make your communications less secure, though?
http://www.theguardian.com/world/interactive/2013/jul/31/nsa... (page 17)
If you are concerned about your privacy and want to use a VPN, then I would recommend using cryptostorm. Firstly because it is run by people passionate about privacy, who have devoted considerable time and effort into creating a service that is both "safe" and fast. Secondly because those efforts have been directed at solving the right problems: unlinking, best practices crypto, and fast links.
The primary strength of cryptostorm is their decoupling of the VPN service provider and account management. You don't buy VPN service, you buy a token that is redeemable for VPN service.
Their banking is handled by a First Nation's bank (so effectively a country), and the financial transaction is between you and a 3rd party (not cryptostorm the VPN service provider).
So while some companies claim "we don't log account access", cryptostorm literally has nothing that they can log. They do not have access to any personal information at all. It is all handled by other people. Even if cryptostorm was compromised, or they lie about not logging, or they are forced to log due to court order - they are unable to provide any personal information.
So they solved the important problem: you are anonymous to your VPN service provider.
Their openvpn config is heavily tweaked to ensure that it uses only the most robust crypto (no RC4, thank you very much).
Of course, a VPN isn't really much use against a nation state level actor, but at least it can provide protection against local miscreants on an open wifi.
(Full disclosure: I've spoken with the cryptostorm guys about privacy and security, I respect their skills and knowledge. I might be biased for that reason [I also know anakata, teimo and peter sunde, and no disrespect to them but the cryptostorm guys did it correctly])
1) cryptostorm would still have the IP the ISP assigned a user. Mapping this IP to a real name is trivial, right?
2) The cryptostorm team decided to remain 'pseudoanonymous' at this point. The points they outline (privacy activists get constantly hassled and threatened) make sense but don't help me verify the integrity of the service. You saying that you spoke to them and that they are trustful doesn't do much either. Why should I trust them? I know in the end I should trust no one, but your argument boils down to cryptostorm being outside of FRA jurisdiction?
You could argue that iPredator is not a real crypto/security VPN service in the first place. I think they are using 128-bit encryption which can be cracked if enough effort is put into it. They are just making it more difficult, eliminating 'drive by snooping'.
Lastly: no offense, but that website is not very trust-inducing. I know it shouldn't matter but still....
You purchase an access token (time limited from first use) from a third party (cryptostorm offers bulk rates for resellers). The entity which sells the tokens is based in a First Nation in Canada, meaning it has reduced legal attack surface. This entity is distinct and separate from cryptostorm.is the VPN service provider. They are compartmented and share no information. Neither one has sufficient information to link a specific individual to any activity.
That's the beauty of what they've done, they've made it so that you don't have to trust them. As I said, they could be compromised and log everything, it doesn't matter. They cannot tie an account to an individual. That's the problem that they solved. They removed trust from the equation.
Now, indeed, you should not use a VPN for anonymity. That is not what they are designed for and that is not what they are capable of providing. However, given that the cryptostorm VPN service can only know:
* your originating IP,
* your (anonymous) token ID, and
* the packet stream that exits their servers...
You can easily ensure a level of anonymity to your internet usage by accessing the VPN from an IP that is not associated with you (e.g. public library, coffee shop, etc). Provided you maintain discipline and never access it from an IP "owned" by you, they cannot know who you are.
I've spoken and written before about how VPNs are not tools for anonymity. A recent example is a "no logs" VPN used to catch a kid sending bomb threats to his school. A VPN service is essentially just a proxy, and no single hop proxy is going to deter a nation state level actor. VPNs are tools for privacy, circumventing stupid IP restrictions, and evading (some) network access controls. They're not safe for robust clandestine activity.
I've spoken with them and they are competent, have been doing VPNs for years, and are passionate about privacy and security. That doesn't mean I trust them. The beauty of their architecture is that I don't have to.
I know they cannot offer this indefinitely but I want to thank them for their help.
Haha - No thanks. The fact that TunnelBear rely on reviews from the MSM, who are gvt mouthpieces defending the NSA spying through sneaky wording techniques, this just puts me off. I mean come on, they're getting Yahoo to vouch for them? With the amount of hacks Yahoo have had recently! Yahoo didn't even use SSL between their servers for christ's sakes... and not to mention the NSA are all over their users' data!
I like the idea, and the interface is attractive. But only a solid review from the likes of TorrentFreak (or a similar 'forward-thinking' media outlet) would reassure me enough. Does TunnelBear even accept cryptocurrency?
I don't see what's so special about TunnelBear, except better branding. The VPN provider market has been quite flooded for some time.
I wonder how it is possible that you keep no logs of customer IP addresses. It seems that, from a technical standpoint, you must log some IPs for troubleshooting connection issues and being sure that your system is not being used for nefarious purposes (i.e., ones that cause harm to your own system, not necessarily copyright infringement or spam). Furthermore, wouldn't you need to log IPs to track how much data one user transfers? Or even to determine who has an account and who doesn't? This data must reside somewhere on your system.
For most things though, you can just use ssh, no setup on the server required. You just need PuTTY, or another ssh client on your local computer.
Nice guide for PuTTY here: http://www.bestvpnservice.com/blog/how-to-setup-putty-for-ss...
For command line ssh clients, things are much easier. Just go:
ssh yourhost.com -D 8080
and then set up Firefox to use a 'socks proxy' at localhost:8080, like the Firefox part of that PuTTY guide.
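An added example, not part of the original comment: a check that the SOCKS listener created by `ssh -D 8080` is bound to loopback only, so other machines on the same network cannot relay traffic through the tunnel. The function name and the sample `ss -ltn` lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the local listener that `ssh -D 8080` opens.
# Reads `ss -ltn` style lines on stdin and reports, for the given port:
#   ok               listener(s) exist and all are loopback-only
#   exposed <addrs>  at least one listener is reachable from other hosts
#   missing          nothing is listening on that port
audit_socks_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                          # e.g. 127.0.0.1:8080 or [::]:8080
            n = split(addr, parts, ":")
            if (parts[n] != port) next         # other services are not our concern
            seen = 1
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host !~ /^127\./ && host != "[::1]") bad = bad " " addr
        }
        END {
            if (!seen)     { print "missing"; exit 2 }
            if (bad != "") { print "exposed" bad; exit 1 }
            print "ok"
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_SAFE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:8080     0.0.0.0:*
LISTEN 0      128    [::1]:8080         [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
SAMPLE_EXPOSED='LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*'

# Typical use on a live machine (left as comments so the file has no side effects):
#   ssh -N -D 127.0.0.1:8080 yourhost.com &      # explicit loopback bind, no remote shell
#   ss -ltn | audit_socks_listener 8080
#   curl --socks5-hostname 127.0.0.1:8080 https://example.org/
#     # --socks5-hostname sends the name through the tunnel, so the lookup
#     # happens at yourhost.com instead of on the local network
```

A browser pointed at the proxy needs the equivalent "resolve DNS through the proxy" setting, otherwise name lookups still go out over the local network.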
The difference is I can buy a VPN with BTC, not be required to provide details of my identity, and make 99% of the traffic out of my machine encrypted (which prevents a significant amount of local MITM attacks, e.g. at coffee shops).
Still though I would like to know more about what is actually going on. As others have said, being open source would be neat.