Insights For Success

Strategy, Innovation, Leadership and Security

Virtual Private Network

Private Internet Access leaves Korea due to security concerns

General | Edward Kiledjian

We learned that Private Internet Access (PIA) has shut down its Korea exit nodes due to concerns about the privacy of its users. It learned through a "close contact" that South Korean law enforcement intended to clone the data on its local servers.

PIA did not know why the authorities would take such action against it, but it acted immediately as soon as it learned of the possibility.

On the 21st January 2018 at 6.15pm Pacific Time, Private Internet Access was alerted by close contacts in South Korea that law enforcement would be seeking to mirror our servers tomorrow, 24th of January 2018, at 10:00 A.M without due process. Upon learning this information, we decided to remove and wipe the South Korea region from our network immediately.
— Private Internet Access blog

Even if the South Korean authorities had managed to clone the data, PIA does not log any traffic or session data.

In addition to removing its South Korea exit nodes, PIA also rotated its certificates as an additional security control.

This is a great example that proves that Private Internet Access is committed to the privacy of its users. Good going PIA.

Source: Private Internet Access

How do I test the speed of my VPN service

General | Edward Kiledjian

How can you test the speed (performance) of your VPN service provider? I receive this question regularly, and I thought it was about time I wrote an article about it.

When evaluating internet speed, there are dozens or hundreds of different parameters that can influence your final score. In the world of VPN, these may include:

  • The distance between you and the VPN server - even though most of your traffic is flowing at the speed of light, users have become accustomed to super speedy internet and even the slightest delay is noticed. If I am sitting in Toronto but using a VPN in Switzerland (where privacy laws are much stronger), I should expect a more noticeable slowdown in my internet speed.
  • VPN server capacity - Most internet service providers "over-sell" their service to offer lower prices. If too many of their customers try to log into the same servers at the same time, they will experience noticeable performance reductions (slowdowns) and maybe even dropped connections (which could lead to your private information leaking). I only use VPN providers that show the loads on their servers.

server selection and load information from ProtonVPN

  • Your Internet Service Provider (ISP) speed - Obviously your VPN performance can never exceed the "last mile" performance of your Internet Service Provider. Remember that the speeds plastered on their marketing material are usually indicative speeds, and many services see severe performance degradation during peak usage hours (when everyone is trying to stream Netflix or YouTube content). Additionally, some regional Internet Service Providers throttle (aka slow down) VPN connections on their home use plans to encourage corporate customers to buy corporate (more expensive) plans. The only time a VPN connection may be faster than your native ISP performance is for controversial protocols like BitTorrent. Some ISPs throttle the performance of BitTorrent, so hiding it inside a VPN may deliver better performance.

https://www.xplornet.com/legal/usage-traffic-policies/satellite-kah-traffic-management-policy/

  • Device capacity - An often overlooked performance limiter is the ability of your local VPN termination device (most often a PC, laptop, smartphone or tablet) to perform the required encryption and decryption quickly. The faster your internet speed, the more processing power your end device will need to "keep up".

How do I test VPN speed?

The only way to test VPN speed is to use one of the (well designed) speed testing sites. 

SpeedOfMe

SpeedOfMe is a nice, light HTML5 speed test service that works on every device (Windows, Mac, iPhone, iPad, Android, Chromebook, etc).

TestMy.Net

What makes TestMy.Net interesting is that it uses multiple download servers and combines the information to provide one real-world statistic. It uses IP geolocation to find servers in your termination area.

Speedtest by Ookla

No speed test article would be complete without mentioning Ookla. They are the 800lb gorilla. Just make sure the test server is in your termination city; otherwise you will get a false score.

How do I test my VPN to determine if it is leaking?

General | Edward Kiledjian

When something leaks, it's usually bad news. A leaking pipe in the kitchen or a leaking radiator. The same principle applies to your VPN. When a poorly designed VPN fails and leaks your data, that's the start of a bad day.

Unfortunately, there is no visible indication that your VPN is leaking. Obviously, well-designed VPN services do not leak, my favourites being:

When looking for VPN leaks, we typically evaluate these angles:

  • DNS leaks
  • IP address leaks (IPv4 & IPv6)
  • WebRTC leaks

Below are basic instructions on how to quickly identify VPN leaking. If you are more paranoid or highly technical and demand to use your magical IT skills, you can also inspect the packets using tcpdump or WinDump while running the below tests. 

It's time to start testing

What am I looking for?

Obviously, you connect to your VPN service first, then visit all of these sites. The hope is that none of the information shown should actually be associated with your "real" computer (IP address, DNS server and WebRTC). 

The most significant failure I see with most VPNs is DNS and WebRTC leakage.

If your VPN service provider offers multiple servers, then you should run the tests with the various servers.

If your VPN service provider offers multiple protocols, then you should run the test with each of the protocols.

I have found some VPN providers that did not leak on one server but leaked on another, and others that did not leak via one protocol but leaked with another. Testing the various combinations is time-consuming but critically important.

The above test shows that the VPN is protecting my IP and DNS information but in this case was leaking my private 10.x test lab internal IP address (which is obviously bad). When I switched to a new server from the same provider, the leak stopped.

Mobile phone VPN leaks

An August 2016 research paper highlighted the issue of IP leakage on Android smartphones. They discovered that 84% of Android VPN apps leaked the user's "real" IP address.

What is WebRTC and why does it leak?

WebRTC is an API standard that allows voice and video chat without needing to install any plug-ins. It is a cross-platform web browser standard. 

The "trick" to leaking your WebRTC information is to use basic JavaScript to send a UDP packet to a Session Traversal Utilities for NAT (STUN) server. That server sends back a packet containing the IP address the request originated from.

If vulnerable, you will see your internal IP Address in the WebRTC response. 
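To make the three leak angles listed earlier (DNS, IPv4/IPv6 address, WebRTC) and the WebRTC mechanism just described concrete, here is an added example that is not code from the original post or from any VPN provider. It records a baseline with the VPN off (your real public address and your ISP's resolvers), parses the ICE candidate strings a browser exposes, classifies each address, and reports which angle leaked. The addresses, resolvers and candidates are constructed sample data; the function names are my own.

```javascript
// Added example, not code from the original post or from any VPN provider:
// a small leak-report helper covering the three angles (DNS, IPv4/IPv6,
// WebRTC). "baseline" is what you record with the VPN off; "observed" is
// what the test sites report with the VPN on. All values are constructed.

// RFC 1918 private ranges plus the 100.64.0.0/10 shared (CGNAT) space.
const PRIVATE_V4 = [
  ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["100.64.0.0", 10],
];

// Dotted-quad -> unsigned 32-bit integer, or null if not a valid IPv4 address.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4 || !parts.every(s => /^\d{1,3}$/.test(s) && Number(s) <= 255)) return null;
  return parts.reduce((acc, s) => acc * 256 + Number(s), 0);
}

function inCidr(ip, base, bits) {
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((b & mask) >>> 0);
}

// Classify an address the way a leak test needs to: a "private" address or
// the real public address must never reach a remote page while the VPN is up.
function classifyAddress(addr) {
  if (addr.endsWith(".local")) return "mdns";        // browser-obfuscated host candidate
  if (addr.includes(":")) {                           // IPv6
    const a = addr.toLowerCase();
    if (a === "::1") return "loopback";
    if (a.startsWith("fe80:")) return "link-local";
    if (a.startsWith("fc") || a.startsWith("fd")) return "private"; // unique local (ULA)
    return "public-v6";
  }
  if (ipv4ToInt(addr) === null) return "invalid";
  if (inCidr(addr, "127.0.0.0", 8)) return "loopback";
  if (inCidr(addr, "169.254.0.0", 16)) return "link-local";
  if (PRIVATE_V4.some(([base, bits]) => inCidr(addr, base, bits))) return "private";
  return "public-v4";
}

// Parse one ICE candidate string as a browser exposes it (RFC 5245 syntax):
// "candidate:<foundation> <component> <transport> <priority> <address> <port>
//  typ <type> [raddr <address> rport <port>] ...". Returns null if malformed.
function parseIceCandidate(line) {
  const s = line.trim().replace(/^a=/, "");
  const m = s.match(/^candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)(?: raddr (\S+) rport (\d+))?/i);
  if (!m) return null;
  return {
    transport: m[3].toLowerCase(),
    address: m[5],
    port: Number(m[6]),
    type: m[7].toLowerCase(),        // host, srflx, prflx or relay
    relatedAddress: m[8] || null,    // for srflx: the local address behind the NAT
  };
}

// Compare the VPN-on observations with the VPN-off baseline and report
// which of the three angles leaked, with the offending values.
function evaluateLeaks(baseline, observed) {
  const findings = { ipv4: [], ipv6: [], dns: [], webrtc: [] };
  if (observed.publicIpv4 === baseline.publicIpv4) findings.ipv4.push(observed.publicIpv4);
  if (observed.publicIpv6 && observed.publicIpv6 === baseline.publicIpv6) findings.ipv6.push(observed.publicIpv6);
  for (const r of observed.resolvers) {
    if (baseline.resolvers.includes(r)) findings.dns.push(r);   // ISP resolver still answering
  }
  const realAddrs = new Set([baseline.publicIpv4, baseline.publicIpv6].filter(Boolean));
  for (const line of observed.iceCandidates) {
    const c = parseIceCandidate(line);
    if (!c) continue;
    for (const addr of [c.address, c.relatedAddress].filter(Boolean)) {
      const kind = classifyAddress(addr);
      const entry = `${addr} (${c.type}, ${kind})`;
      if ((kind === "private" || realAddrs.has(addr)) && !findings.webrtc.includes(entry)) {
        findings.webrtc.push(entry);
      }
    }
  }
  const leaking = Object.keys(findings).filter(k => findings[k].length > 0);
  return { leaking, findings };
}

// Constructed sample reproducing the situation described in the post: public
// IP and DNS protected, but a 10.x lab address visible through WebRTC.
const SAMPLE_BASELINE = {
  publicIpv4: "198.51.100.23",                  // seen with the VPN off
  publicIpv6: "2001:db8:1::23",
  resolvers: ["198.51.100.1", "198.51.100.2"],  // the ISP's resolvers
};
const SAMPLE_OBSERVED = {
  publicIpv4: "203.0.113.45",                   // the VPN exit address
  publicIpv6: null,                             // no IPv6 through the tunnel
  resolvers: ["203.0.113.53"],                  // the VPN provider's resolver
  iceCandidates: [
    "candidate:1 1 udp 2122260223 10.20.30.40 54321 typ host",
    "candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 10.20.30.40 rport 54321",
  ],
};

function sampleReport() {
  return evaluateLeaks(SAMPLE_BASELINE, SAMPLE_OBSERVED);
}

console.log(JSON.stringify(sampleReport(), null, 2));
```

In a real browser you would collect the candidate strings from `event.candidate.candidate` in an `RTCPeerConnection`'s `icecandidate` handler (after `createDataChannel`, `createOffer` and `setLocalDescription`), and feed them to `evaluateLeaks` along with what the IP and DNS test sites report. Current Chrome and Firefox replace host-candidate addresses with random `.local` mDNS names, which is why the classifier treats `.local` as benign rather than as a leak.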

What is DNS and why does it leak?

The domain name system (DNS) is a special global directory that converts URLs into numeric addresses that the internet can route. If you enter kiledjian.com into your browser from New York, your DNS server will return the numeric routable IP address for my website 104.28.2.40. 

DNS services are typically provided by your internet service provider or company. Anytime you try to access a webpage, you ask that DNS server for the numeric routable IP address of the site, and thus your provider (or school or company) has a running list of every website you tried to access. When using a good VPN service, all DNS requests should be routed to their anonymous DNS service, thus protecting your browsing information. When your browser sends the request to your ISP DNS anyway, that is called a DNS leak because your privacy is "broken".

Honest review of the Tunnelbear VPN service

General | Edward Kiledjian


I've written about half a dozen articles over the last couple of weeks reviewing various VPN services. I asked my social media followers what other VPN services they wanted me to review, and many readers requested that I review TunnelBear. So here is my review of the TunnelBear VPN service.

TL;DR - TunnelBear is an excellent service that won't disappoint.

First, it meets the multi-platform requirement. It supports MacOS, Windows, iOS and Android (with browser extensions for Opera and Google Chrome). These are the most requested platforms by users and will meet the needs of 95% of their user base. If you are a tinkerer and want an OpenVPN configuration file or router support, you will be sorely disappointed (see VyprVPN in that case). They have talked about a very manual configuration option for Linux using OpenVPN, but this isn't for the faint of heart.

TunnelBear has about 19 servers worldwide. This is in strong contrast to companies like HideMyAss that offer 190+ locations with 720+ servers. Countries listed during my test included: United States, United Kingdom, Canada, Germany, Japan, France, Italy, Netherlands, Sweden, Switzerland, Ireland, Spain, Singapore, Norway, Denmark, Hong Kong, Brazil, Mexico, India.

One issue I have with many services is that there is no "auto-connect to the fastest server" option, but TunnelBear has this option. When compared to VyprVPN, UnlimitedVPN (KeepSolid) or HideMyAss, TunnelBear's performance was always a little bit slower. YouTube always fell back to a lower quality, and downloading files always took a bit longer.

Many VPN services just provide a plain "we do not collect logs" statement. As a more technical user, I expect a little more "meat" with a statement like that. You can read the TunnelBear privacy policy here.

I appreciate the honesty and clear privacy terms provided by TunnelBear:

By using our services, you authorize TunnelBear to use your information according to Canada’s laws, regardless of which country you are located in
TunnelBear explicitly does NOT collect, store or log the following data:

- IP addresses visiting our website
- IP addresses upon service connection
- DNS Queries while connected
- Any information about the applications, services or websites our users use while connected to our Service

Canada is a member of the Five Eyes and, as a Canadian, I believe my information is collected and shared with the other members of the spying consortium. My preference is to use a VPN service that is headquartered in Switzerland (or another privacy-loving locale).

TunnelBear also offers a free tier (500MB per month) to anyone who wants to test their service or has very limited needs. Free VPN service is a rare offering from a reputable company, and one TunnelBear should be very proud of. 

You can earn one free GB of additional traffic by tweeting about TunnelBear using an in-app feature. I tried this twice, and they added 1GB each time within 10 minutes.

I tested Netflix USA with the TunnelBear VPN turned on and Netflix detected the connection as a VPN and refused to show the US catalogue. 

Pricing

The annual TunnelBear subscription is $4.99 a month which is competitive. If you shop around (check out the link in my KeepSolid UnlimitedVPN review) you can get a similar VPN service at $49.99 for an unlimited lifetime subscription. 

Conclusion

TunnelBear offers an easy-to-use VPN service for the average Joe. It doesn't offer a tonne of client support. It is based in a high-risk country (Canada) and the price is average.

If you look around on deal sites, you can find an UnlimitedVPN lifetime (5 devices) deal for $49.99, which is a better deal. UnlimitedVPN is based in the USA, so it suffers the same headquarter location issue (being based in a Five Eyes country) as TunnelBear. The difference is you get a tonne more exit servers than TunnelBear.

For real security, I would say check out Private Internet Access or ProtonVPN.  

Review of HideMyAss VPN (HMA)

General | Edward Kiledjian

After writing my first VPN service review a couple of weeks ago, I asked my readers "what other VPN services" I should evaluate. A much-requested one was HideMyAss (HMA), so here is that review.

You can't evaluate VPN service providers without seeing HideMyAss. They have ads everywhere. My first experience with HMA was through a 1-month free offer provided by Anonabox.

Most security blogs and posts on review sites give HideMyAss a poor rating because they have (allegedly) turned over user log information to authorities (without putting up a fight).  Others complain that the service is "feature light".

HideMyAss has a massive network of termination points (one of the biggest in the world). 

HideMyAss cost

HideMyAss has increased its prices over the years and has a single tier plan (aka you don't pay for usage volume or number of connected devices).

Your commitment term determines your monthly price. At $6.99 for 12 months, they are competing with the likes of VyprVPN and ProtonVPN. HideMyAss is almost double the price of Private Internet Access (PIA), which is regarded as one of the best from a privacy-guarding perspective. Another much more popular cheaper alternative is UnlimitedVPN.

Once a season, HideMyAss does run a 50% off promo so....

HideMyAss features

The first major feature is the sheer size of its VPN network. HideMyAss offers 720+ VPN servers in 320+ locations in 190+ countries.

Now we get to the less impressive part of our program. HideMyAss VPN supports two simultaneous connections per subscriber. ProtonVPN supports 2 with its $4 a month basic plan. VyprVPN supports five simultaneous connections with its $6.67 a month plan. VPN Unlimited is offering a $49.99 lifetime plan with five simultaneous connection support.

HideMyAss supports OpenVPN, PPTP and L2TP. 

People who buy HideMyAss aren't power users but people who are looking for a "simple" VPN solution with an extensive termination network. They support terminations in locations like Serbia and Malawi.

Is HideMyAss Secure and Private?

So many security forums and Reddit threads discuss how HideMyAss (allegedly) turns over user data to police with little pushback. The most prominent example of this accusation is a 2011 situation where it is believed HMA turned over user information for Cody Kretsinger. Cody Kretsinger was a member of LulzSec and arrested by police for hacking Sony Pictures (he was convicted of the crime). 

There are dozens of other such claims, just do a quick Google search.

Reading the End User License Agreement, you learn that HideMyAss (Privax) is a UK company and is now owned by Avast (a Czech company). The UK is not known as a haven for privacy (e.g. snoopers charter). Most UK providers must maintain rich metadata logs.

The HideMyAss privacy statement for their VPN service says "We will store a time stamp and IP address when you connect and disconnect to our VPN service, the amount data transmitted (up- and download) during your session together with the IP address of the individual VPN server used by you. We do not store details of, or monitor, the websites you connect to when using our VPN service. We collect aggregated statistical (non-personal) data about the usage of our mobile apps and software." HMA claims this information is kept for 2 to 3 months but the UK Investigatory Powers Act requires that this type of information be kept for 12 months.

Does HideMyAss allow Peer2Peer networking? The answer is Yes for legal content and no for illegal ones. Here is an example of a Reddit thread where a user claims HMA cut-off his service for downloading copyrighted content. In this thread, a user called neonovo says "Yes, two dmca notices from the vpn hide my ass, which as they did not hide my ass I did some much-needed research and found btguard."

I do not condone downloading copyrighted material or breaking any laws but knowing your VPN will (allegedly) roll over quickly is not comforting.

If you want to download torrent based content (legal of course), you should check out the list of torrent friendly providers maintained by TorrentFreak

Is HideMyAss secure?

I emailed HideMyAss support asking for details about its encryption technologies and was directed to this support write-up. This write-up does not answer any of my questions about what ciphers are used and how. I believe some of their protocols (like L2TP) use pre-shared keys (which is a bad thing).

Without any additional information, I have to assume the worst and say "I don't consider HideMyAss secure at this point". My starting position is to assume technology is insecure unless proven otherwise.

I could not find DNS leak protection as an option in the Windows client, but my tests showed that it did not leak DNS information. 

HideMyAss performance

Assuming everything above didn't scare you away, you may be wondering about performance. Anytime I perform a VPN test, it is done using a 100MB fibre connection (<10ms ping) with a cleanly installed and patched Windows 10 computer connected directly to the internet connection.

Some HideMyAss connections had excellent performance, and others cut my throughput by more than 50%. Through trial and error, you will be able to find the servers that work best for you, but there is no automated performance cataloguing function.

One item I will add here is the ability to get US Netflix. I test this with every VPN and Netflix never works, except this time it did with one of the US servers I tested. Since it did not work consistently, I am assuming there were a couple of IP addresses Netflix hadn't catalogued as VPN yet.

Conclusion

I don't use VPN to hide illegal activities. I use VPN to protect my privacy when I am using untrusted networks or from my ISP [read Your ISP is tracking you]. With everything that I learned during this review, I can't recommend HideMyAss. There are so many better options (in my opinion) that you shouldn't settle for a company that doesn't go the extra mile.