mirror of
https://github.com/privacyguides/privacyguides.org.git
synced 2025-07-02 17:42:39 +00:00
Markdown style consistency (#858)
Signed-off-by: Daniel Gray <dng@disroot.org>
This commit is contained in:
Daniel Gray
112
docs/vpn.md
112
docs/vpn.md
@ -198,12 +198,12 @@ Operating outside the five/nine/fourteen-eyes countries is not a guarantee of pr
|
||||
|
||||
**Minimum to Qualify:**
|
||||
|
||||
- Operating outside the USA or other Five Eyes countries.
|
||||
- Operating outside the USA or other Five Eyes countries.
|
||||
|
||||
**Best Case:**
|
||||
|
||||
- Operating outside the USA or other Fourteen Eyes countries.
|
||||
- Operating inside a country with strong consumer protection laws.
|
||||
- Operating outside the USA or other Fourteen Eyes countries.
|
||||
- Operating inside a country with strong consumer protection laws.
|
||||
|
||||
### Technology
|
||||
|
||||
@ -211,18 +211,18 @@ We require all our recommended VPN providers to provide OpenVPN configuration fi
|
||||
|
||||
**Minimum to Qualify:**
|
||||
|
||||
- Support for strong protocols such as WireGuard & OpenVPN.
|
||||
- Killswitch built in to clients.
|
||||
- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
|
||||
- If VPN clients are provided, they should be [open source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency to the user about what their device is actually doing. We like to see these applications [available in F-Droid](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
|
||||
- Support for strong protocols such as WireGuard & OpenVPN.
|
||||
- Killswitch built in to clients.
|
||||
- Multihop support. Multihopping is important to keep data private in case of a single node compromise.
|
||||
- If VPN clients are provided, they should be [open source](https://en.wikipedia.org/wiki/Open_source), like the VPN software they generally have built into them. We believe that [source code](https://en.wikipedia.org/wiki/Source_code) availability provides greater transparency to the user about what their device is actually doing. We like to see these applications [available in F-Droid](https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html).
|
||||
|
||||
**Best Case:**
|
||||
|
||||
- WireGuard and OpenVPN support.
|
||||
- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
|
||||
- Easy-to-use VPN clients
|
||||
- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow users to access services hosted on IPv6 addresses.
|
||||
- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) filesharing software, Freenet, or hosting a server (e.g., Mumble).
|
||||
- WireGuard and OpenVPN support.
|
||||
- Killswitch with highly configurable options (enable/disable on certain networks, on boot, etc.)
|
||||
- Easy-to-use VPN clients
|
||||
- Supports [IPv6](https://en.wikipedia.org/wiki/IPv6). We expect that servers will allow incoming connections via IPv6 and allow users to access services hosted on IPv6 addresses.
|
||||
- Capability of [remote port forwarding](https://en.wikipedia.org/wiki/Port_forwarding#Remote_port_forwarding) assists in creating connections when using P2P ([Peer-to-Peer](https://en.wikipedia.org/wiki/Peer-to-peer)) filesharing software, Freenet, or hosting a server (e.g., Mumble).
|
||||
|
||||
### Privacy
|
||||
|
||||
@ -230,13 +230,13 @@ We prefer our recommended providers to collect as little data as possible. Not c
|
||||
|
||||
**Minimum to Qualify:**
|
||||
|
||||
- Bitcoin or cash payment option.
|
||||
- No personal information required to register: Only username, password, and email at most.
|
||||
- Bitcoin or cash payment option.
|
||||
- No personal information required to register: Only username, password, and email at most.
|
||||
|
||||
**Best Case:**
|
||||
|
||||
- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
|
||||
- No personal information accepted (autogenerated username, no email required, etc.)
|
||||
- Accepts Bitcoin, cash, and other forms of cryptocurrency and/or anonymous payment options (gift cards, etc.)
|
||||
- No personal information accepted (autogenerated username, no email required, etc.)
|
||||
|
||||
### Security
|
||||
|
||||
@ -244,16 +244,16 @@ A VPN is pointless if it can't even provide adequate security. We require all ou
|
||||
|
||||
**Minimum to Qualify:**
|
||||
|
||||
- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
|
||||
- Perfect Forward Secrecy (PFS).
|
||||
- Published security audits from a reputable third-party firm.
|
||||
- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
|
||||
- Perfect Forward Secrecy (PFS).
|
||||
- Published security audits from a reputable third-party firm.
|
||||
|
||||
**Best Case:**
|
||||
|
||||
- Strongest Encryption: RSA-4096.
|
||||
- Perfect Forward Secrecy (PFS).
|
||||
- Comprehensive published security audits from a reputable third-party firm.
|
||||
- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
|
||||
- Strongest Encryption: RSA-4096.
|
||||
- Perfect Forward Secrecy (PFS).
|
||||
- Comprehensive published security audits from a reputable third-party firm.
|
||||
- Bug-bounty programs and/or a coordinated vulnerability-disclosure process.
|
||||
|
||||
### Trust
|
||||
|
||||
@ -261,12 +261,12 @@ You wouldn't trust your finances to someone with a fake identity, so why trust t
|
||||
|
||||
**Minimum to Qualify:**
|
||||
|
||||
- Public-facing leadership or ownership.
|
||||
- Public-facing leadership or ownership.
|
||||
|
||||
**Best Case:**
|
||||
|
||||
- Public-facing leadership.
|
||||
- Frequent transparency reports.
|
||||
- Public-facing leadership.
|
||||
- Frequent transparency reports.
|
||||
|
||||
### Marketing
|
||||
|
||||
@ -274,24 +274,24 @@ With the VPN providers we recommend we like to see responsible marketing.
|
||||
|
||||
**Minimum to Qualify:**
|
||||
|
||||
- Must self host analytics (no Google Analytics etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those users who want to opt-out.
|
||||
- Must self host analytics (no Google Analytics etc). The provider's site must also comply with [DNT (Do Not Track)](https://en.wikipedia.org/wiki/Do_Not_Track) for those users who want to opt-out.
|
||||
|
||||
Must not have any marketing which is irresponsible:
|
||||
|
||||
- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, eg:
|
||||
- Making guarantees of protecting anonymity 100%. When someone makes a claim that something is 100% it means there is no certainty for failure. We know users can quite easily deanonymize themselves in a number of ways, eg:
|
||||
|
||||
- Reusing personal information eg. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
|
||||
- [Browser fingerprinting](https://privacyguides.org/browsers/#fingerprint)
|
||||
- Reusing personal information eg. (email accounts, unique pseudonyms etc) that they accessed without anonymity software (Tor, VPN etc)
|
||||
- [Browser fingerprinting](https://privacyguides.org/browsers/#fingerprint)
|
||||
|
||||
- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of 3 or more hops that regularly changes.
|
||||
- Use responsible language, eg it is okay to say that a VPN is "disconnected" or "not connected", however claiming that a user is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example the visiting user might be on another VPN provider's service or using Tor.
|
||||
- Claim that a single circuit VPN is "more anonymous" than Tor, which is a circuit of 3 or more hops that regularly changes.
|
||||
- Use responsible language, eg it is okay to say that a VPN is "disconnected" or "not connected", however claiming that a user is "exposed", "vulnerable" or "compromised" is needless use of alarming language that may be incorrect. For example the visiting user might be on another VPN provider's service or using Tor.
|
||||
|
||||
**Best Case:**
|
||||
|
||||
Responsible marketing that is both educational and useful to the consumer could include:
|
||||
|
||||
- An accurate comparison to when Tor or other [Self contained networks](https://privacyguides.org/software/networks/) should be used.
|
||||
- Availability of the VPN provider's website over a .onion [Hidden Service](https://en.wikipedia.org/wiki/.onion)
|
||||
- An accurate comparison to when Tor or other [Self contained networks](https://privacyguides.org/software/networks/) should be used.
|
||||
- Availability of the VPN provider's website over a .onion [Hidden Service](https://en.wikipedia.org/wiki/.onion)
|
||||
|
||||
### Additional Functionality
|
||||
|
||||
@ -321,7 +321,7 @@ A common reason to recommend encrypted DNS is that it helps against DNS spoofing
|
||||
|
||||
Needless to say, **you shouldn't use encrypted DNS with Tor**. This would direct all of your DNS requests through a single circuit, and would allow the encrypted DNS provider to deanonymize you.
|
||||
|
||||
### Should I use Tor _and_ a VPN?
|
||||
### Should I use Tor *and* a VPN?
|
||||
|
||||
By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides zero additional benefit to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. [Read more about Tor bridges and why using a VPN is not necessary](https://web.archive.org/web/20210116140725/https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required).
|
||||
|
||||
@ -339,35 +339,35 @@ Thus, this feature should be viewed as a convenient way to access the Tor Networ
|
||||
|
||||
A VPN may still be useful to you in a variety of scenarios, such as:
|
||||
|
||||
1. Hiding your traffic from **only** your Internet Service Provider.
|
||||
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
|
||||
3. Hiding your IP from third party websites and services, preventing IP based tracking.
|
||||
1. Hiding your traffic from **only** your Internet Service Provider.
|
||||
2. Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.
|
||||
3. Hiding your IP from third party websites and services, preventing IP based tracking.
|
||||
|
||||
For use cases like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're _trusting_ the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
|
||||
For use cases like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're *trusting* the provider. In pretty much any other scenario you should be using a secure**-by-design** tool such as Tor.
|
||||
|
||||
### Sources and Further Reading
|
||||
|
||||
1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
|
||||
2. [The self-contained networks](https://privacyguides.org/software/networks/) recommended by Privacy Guides are able to replace a VPN that allows access to services on local area network
|
||||
3. [Slicing Onions: Part 1 – Myth-busting Tor](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904) by blacklight447
|
||||
4. [Slicing Onions: Part 2 – Onion recipes; VPN not required](https://web.archive.org/web/20210116140725/https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required) by blacklight447
|
||||
5. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides/)
|
||||
1. [VPN - a Very Precarious Narrative](https://schub.io/blog/2019/04/08/very-precarious-narrative.html) by Dennis Schubert
|
||||
2. [The self-contained networks](https://privacyguides.org/software/networks/) recommended by Privacy Guides are able to replace a VPN that allows access to services on local area network
|
||||
3. [Slicing Onions: Part 1 – Myth-busting Tor](https://medium.com/privacyguides/slicing-onions-part-1-myth-busting-tor-9ec188ae1904) by blacklight447
|
||||
4. [Slicing Onions: Part 2 – Onion recipes; VPN not required](https://web.archive.org/web/20210116140725/https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required) by blacklight447
|
||||
5. [IVPN Privacy Guides](https://www.ivpn.net/privacy-guides/)
|
||||
|
||||
[^1]: "WireGuard" and the "WireGuard" logo are registered trademarks of Jason A. Donenfeld.
|
||||
|
||||
## Related VPN information
|
||||
|
||||
- [The Trouble with VPN and Privacy Review Sites](https://medium.com/privacyguides/the-trouble-with-vpn-and-privacy-review-sites-ae9b29eda8fd)
|
||||
- [Proxy.sh VPN Provider Sniffed Server Traffic to Catch Hacker](https://torrentfreak.com/proxy-sh-vpn-provider-monitored-traffic-to-catch-hacker-130930/)
|
||||
- [blackVPN announced to delete connection logs after disconnection](https://medium.com/@blackVPN/no-logs-6d65d95a3016)
|
||||
- [Don't use LT2P IPSec, use other protocols.](https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa)
|
||||
- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
|
||||
- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
|
||||
- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
|
||||
- [The Trouble with VPN and Privacy Review Sites](https://medium.com/privacyguides/the-trouble-with-vpn-and-privacy-review-sites-ae9b29eda8fd)
|
||||
- [Proxy.sh VPN Provider Sniffed Server Traffic to Catch Hacker](https://torrentfreak.com/proxy-sh-vpn-provider-monitored-traffic-to-catch-hacker-130930/)
|
||||
- [blackVPN announced to delete connection logs after disconnection](https://medium.com/@blackVPN/no-logs-6d65d95a3016)
|
||||
- [Don't use LT2P IPSec, use other protocols.](https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa)
|
||||
- [Free VPN App Investigation](https://www.top10vpn.com/free-vpn-app-investigation/)
|
||||
- [Hidden VPN owners unveiled: 101 VPN products run by just 23 companies](https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/)
|
||||
- [This Chinese company is secretly behind 24 popular apps seeking dangerous permissions](https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/)
|
||||
|
||||
## VPN Related breaches - why external auditing is important!
|
||||
## VPN Related breaches - why external auditing is important
|
||||
|
||||
- ["Zero logs" VPN exposes millions of logs including user passwords, claims data is anonymous](https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-exposure/) July 2020
|
||||
- [NordVPN HTTP POST bug exposed customer information, no authentication required](https://www.zdnet.com/article/nordvpn-http-post-bug-exposed-sensitive-customer-information/) March 2020
|
||||
- [Row erupts over who to blame after NordVPN says: One of our servers was hacked via remote management tool](https://www.theregister.com/2019/10/21/nordvpn_security_issue/) October 2019
|
||||
- [VPN servers seized by Ukrainian authorities weren't encrypted and allowed authorities to impersonate Windscribe servers and capture and decrypt traffic passing through them](https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/) July 2021
|
||||
- ["Zero logs" VPN exposes millions of logs including user passwords, claims data is anonymous](https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-exposure/) July 2020
|
||||
- [NordVPN HTTP POST bug exposed customer information, no authentication required](https://www.zdnet.com/article/nordvpn-http-post-bug-exposed-sensitive-customer-information/) March 2020
|
||||
- [Row erupts over who to blame after NordVPN says: One of our servers was hacked via remote management tool](https://www.theregister.com/2019/10/21/nordvpn_security_issue/) October 2019
|
||||
- [VPN servers seized by Ukrainian authorities weren't encrypted and allowed authorities to impersonate Windscribe servers and capture and decrypt traffic passing through them](https://arstechnica.com/gadgets/2021/07/vpn-servers-seized-by-ukrainian-authorities-werent-encrypted/) July 2021
|
||||
|
||||
Reference in New Issue
Block a user