TunnelBear VPN app (tunnelbear.com)
52 points by plg on March 15, 2014 | 45 comments

I'll be sticking with iPredator, and here's why: I don't care what my VPN client looks like -- I care about how secure it is. I have immense trust for Peter Sunde & Friends. They are not in this business to Get Rich Quick™. They are in it for deeply held moral, social reasons; reasons, so deeply held, they have put their own personal safety and freedom at risk. I feel very safe knowing they will NEVER comply with NSA, Interpol, etc., and that they are always one step ahead of BigBrother. I'm sure the Tunnel Bear people are cool and all, but no one can touch the Pirate Bay team. End of conversation.

Hi, I'm Ivan Sergeyenko, also known as iBear. I am one of the engineers on the TunnelBear team. We all hold deep respect for Peter Sunde and his team. iPredator is definitely one of the most trustworthy VPN services out there.

Our goal, however, is different. We aim to bring VPN/privacy protection to people who have never heard of VPN (notice that we don't have "VPN" anywhere on our site, except for in a quote from TNW and in the help section). Despite there being 100's (if not 1000's) of VPN services out there, very few of them, sadly, care about the non-tech-savvy audience.

Hey, Ivan, have you folks fixed the security hole yet where your tunnel can potentially drop and the connection simply reverts to clear without the user knowing it? Have you yet included a function similar to VPNCheck which blocks traffic in that event?

Unfortunately, because TunnelBear uses its own client rather than the standard Windows VPN mechanism, VPNCheck can't be used with it. While I love your company and the generous touch of humor and whimsy you bring to a normally somber market, I can't live with a product with that gaping a security hole. If and when that's fixed and if the performance is about an order of magnitude better than it was when I tested it a year or so ago I'll be on board in a heartbeat.

Hey svintus, I think your friend Gita was just telling me about you a few weeks ago :) Do you quit your job to work on tunnelbear, huh? People like you belong on my hero-bookcase

I'm trying to avoid proprietary OS's now -- I don't suppose I could get into the linux beta you mention here: http://help.tunnelbear.com/customer/portal/articles/824779-i...

"We aim to bring VPN/privacy protection to people who have never heard of VPN"

Will such people understand the subtle ways in which using a VPN will make your communications less secure, though?

How about giving us a clue rather than just being cryptic.

Despite their best intentions, cooperation on part of the service provider might not be needed:


http://www.theguardian.com/world/interactive/2013/jul/31/nsa... (page 17)

Unfortunately, it doesn't matter what beliefs the owners of a Swedish VPN have. The FRA law [0] means that any data which goes over Swedish links will be logged. One can only assume that the iPredator service is heavily monitored by the IC, just on principle.

If you are concerned about your privacy and want to use a VPN, then I would recommend using cryptostorm [1]. Firstly because it is run by people passionate about privacy, who have devoted considerable time and effort into creating a service that is both "safe" and fast. Secondly because those efforts have been directed at solving the right problems: unlinking, best practices crypto, and fast links.

The primary strength of cryptostorm is their decoupling of the VPN service provider and account management. You don't buy VPN service, you buy a token that is redeemable for VPN service.

Their banking is handled by a First Nation's bank (so effectively a country), and the financial transaction is between you and a 3rd party (not cryptostorm the VPN service provider).

So while some companies claim "we don't log account access", cryptostorm literally has nothing that they can log. They do not have access to any personal information at all. It is all handled by other people. Even if cryptostorm was compromised, or they lie about not logging, or they are forced to log due to court order - they are unable to provide any personal information.

So they solved the important problem: you are anonymous to your VPN service provider.

Their openvpn config is heavily tweaked to ensure that it uses only the most robust crypto (no RC4, thank you very much).

Of course, a VPN isn't really much use against a nation state level actor, but at least it can provide protection against local miscreants on an open wifi.

(Full disclosure: I've spoken with the cryptostorm guys about privacy and security, I respect their skills and knowledge. I might be biased for that reason [I also know anakata, teimo and peter sunde, and no disrespect to them but the cryptostorm guys did it correctly])

[0]: http://en.wikipedia.org/wiki/FRA_law

[1]: http://cryptostorm.is

2 questions:

1) cryptostorm would still have the ip the isp assigned a user. mapping this ip to a real name is trivial. right?

2) The cryptostorm team decided to remain 'pseudoanonymous' at this point. The points they outline (privacy activists get constantly hassled and threatened) make sense but don't help me verify the integrity of the service. You saying that you spoke to them and that they are trustful doesn't do much either. Why should I trust them? I know in the end I should trust no one, but your argument boils down to cryptostorm being outside of FRA jurisdiction?

You could argue that iPredator is not a real crypto/security vpn service in the first place. I think they are using 128bit encryption which can be cracked if enough effort is put into it. They are just making it more difficult, eliminating 'drive by snooping'.

Lastly: no offense, but that website is not very trust-inducing. I know it shouldn't matter but still....

No, my argument boils down to "cryptostorm doesn't know who you are". They isolated their accounting (the part that has to collect money and ties an individual to an account) from their VPN service. They compartmented their operations from their business. So their customers are anonymous to them.

You purchase an access token (time limited from first use) from a third party (cryptostorm offers bulk rates for resellers). The entity which sells the tokens is based in a First Nation in Canada, meaning it has reduced legal attack surface. This entity is distinct and separate from cryptostorm.is the VPN service provider. They are compartmented and share no information. Neither one has sufficient information to link a specific individual to any activity.

That's the beauty of what they've done, they've made it so that you don't have to trust them. As I said, they could be compromised and log everything, it doesn't matter. They cannot tie an account to an individual. That's the problem that they solved. They removed trust from the equation.

Now, indeed, you should not use a VPN for anonymity. That is not what they are designed for and that is not what they are capable of providing. However, given that the cryptostorm VPN service can only know:

* your originating IP,

* your (anonymous) token ID, and

* the packet stream that exits their servers...

You can easily ensure a level of anonymity to your internet usage by accessing the VPN from an IP that is not associated with you (eg public library, coffee shop, etc). Provided you maintain discipline and never access it from an IP "owned" by you, they cannot know who you are.

I've spoken and written before about how VPNs are not tools for anonymity. A recent example is a "no logs" VPN used to catch a kid sending bomb threats to his school [0]. A VPN service is essentially just a proxy, and no single hop proxy is going to deter a nation state level actor. VPNs are tools for privacy, circumventing stupid IP restrictions, and evading (some) network access controls. They're not safe for robust clandestine activity.

I've spoken with them and they are competent, have been doing VPNs for years, and are passionate about privacy and security. That doesn't mean I trust them. The beauty of their architecture is that I don't have to.

[0]: http://grugq.tumblr.com/post/73393664323/no-logs-earthvpn-us...

iPredator is indeed awesome, and surprisingly cheap for the value it provides as well.

I want to thank the Tunnelbear guys, they've made their service free for everyone in Venezuela during the protests, to avoid government internet censorship (which is about to get worse since they are now meeting with the ISPs to implement more strict website filtering).

I know they cannot offer this indefinitely but I want to thank them for their help.

Thank you for your kind words! We are doing our best to stay on top of the situation, despite the government's attempts to block us. If you read this and tunnelbear.com is blocked for you, try tuneloso.com. It's a static mirror we've put up on S3, it has not been blocked yet, to the best of our knowledge.

> " All you have to do is turn the knob to “ON” and you are protected. " The Wall Street Journal.

Haha - No thanks. The fact that TunnelBear rely on reviews from the MSM, who are gvt mouthpieces defending the NSA spying through sneaky wording techniques, this just puts me off. I mean come on, they're getting Yahoo to vouch for them? With the amount of hacks Yahoo have had recently! Yahoo didn't even use SSL between their servers for christ's sakes... and not to mention the NSA are all over their users' data!

I like the idea, and the interface is attractive. But only a solid review from the likes of TorrentFreak (or a similar 'forward-thinking' media outlet) would reassure me enough. Does TunnelBear even accept cryptocurrency?

I have been using https://mullvad.net/en/ for some time. It can also be paid with bitcoin.

I don't see what's so special about tunnelbear, except better branding. VPN provider market has been quite flooded for some time.

This was featured 2 years ago. http://hola.org/ is an easier alternative for web browsing.

Note that you can't use hola for anything except the browsers it supports. (As far as I know.) So it's good if you want privacy only in the browser.

Curious what logs and other personal information is kept on their servers. Haven't read through the blogs yet, but one thing a number of people consider when using a VPN service like this is the type of information that the provider keeps.

Yes this is correct. I am sorry that this is not made more apparent on our site.

Hi Ivan,

I wonder how it is possible that you keep no logs of customer IP addresses. It seems that, from a technical standpoint, you must log some IPs for troubleshooting connection issues and being sure that your system is not being used for nefarious purposes (i.e., ones that cause harm to your own system, not necessarily copyright infringement or spam). Furthermore, wouldn't you need to log IPs to track how much data one user transfers? Or even to determine who has an account and who doesn't? This data must reside somewhere on your system.

Thanks, I had missed the FAQ while browsing the site on a mobile browser.

Tried them about a year ago, service was pretty slow. Never heard from CS after 3 attempts. Ended up needing to go through PayPal to get my money back. Private internet access has been my go-to ever since.

Now I use DigitalOcean's $5/month box running CentOS.

Is there a 1-click deploy for a VPN on DigitalOcean that just works? SSTP preferred.

I'm interested in any howto for setting up a VPN server - the ones I found online usually assume you want to VPN into a business network, not channel access to the internet.

For most things though, you can just use ssh, no setup on the server required. You just need putty, or another ssh client on your local computer.

Nice guide for putty here: http://www.bestvpnservice.com/blog/how-to-setup-putty-for-ss...

For command line ssh clients, things are much easier. Just go:

ssh yourhost.com -D 8080

and then set up firefox to use a 'socks proxy' at localhost:8080, like the firefox part of that putty guide.

Is the 1TB of data transfer enough for you?

SSH doesn't work over Tunnelbear. That's really a deal breaker.

Pretty sure that's not true. I believe I've used SSH over TunnelBear, and this page specifically calls out SSH as supported: http://help.tunnelbear.com/customer/portal/articles/1470869-...

what I can't bear right now is their help web pages, bad responding to zoom and cut right display... brr. Is 'care about the non-tech-savvy audience' too ? or bearing down on them.

I've been using Tunnelbear for several months and never had a problem with SSH. Just SSHed to a couple servers to verify and had no problem.

We built a really simple one-click solution for building this that walks you through how to do it, without having to trust an outside party with your web traffic: https://www.tinfoilsecurity.com/vpn

Why anyone would voluntarily MITM their own data and hand ALL of it over to a single company (and a single point of failure) is totally beyond me. It's a market failure that services like these continue to exist.

A single point of failure...such as sending unencrypted traffic to an ISP?

The difference is I can buy a VPN with BTC, not be required to provide details of my identity, and make 99% of the traffic out of my machine encrypted (which prevents significant amount of local MITM attacks, for ex at coffeeshops).

Would love to see a bitcoin purchase option.

Yes, and please add an option to pay in bacon while you are at it.

We don't currently accept BTC, but you can pay for TunnelBear with honey. Contact us for our mailing address. (I am quite serious, we've actually received some delicious organic honey in the mail a couple of months ago). We wouldn't mind accepting bacon, but you will have to make the payment in person, I am afraid bacon would spoil during shipping.

I would like to see this kind of software open source.... Most of the VPN Clients are too complicated...

http://www.sparklabs.com/viscosity/ is also pretty simple.

It's not quite as "on-off switch", but: http://www.tinc-vpn.org/

Seems really cool and easy to use. I love how it's as simple as an on/off switch.

Still though I would like to know more about what is actually going on. As others have said, being open source would be neat.

Is there any VPN client API/SDK/lib which can be easily embedded in apps? (C++/Java/other?). Something with a free plan would be even better

Is this an OpenVPN-based solution? I am looking for something that could bypass bluecoat...

Our PC/Mac/Android clients are using OpenVPN.

How do you guys fund this?
