Hello,
This post is a companion to a similar offer made on the Qubes mailing list a few minutes ago.
A recent study has revealed that 14 of the top VPN providers are vulnerable to leaks via IPv6 as well as DNS.
Cryptostorm has been researching VPN service providers for a while and additional failure modes observed include VPN client binary blobs that install adware, key loggers, trojans, etc. The details down to the level of traffic captures from the offending services are found at this Cryptostorm project site:
Cryptostorm’s offering is fundamentally different from every other provider out there. Specifically:
Zero Customer Knowledge VPN - buy a token, hash it, the hash is your username, and your password can be anything. Bitcoin is just one of a number of purchase paths. Cryptostorm doesn't need to make dramatic vows about not logging its users - the system can't, as it never has your identity. The hash is impossible to reverse; this provides additional protection, since it's impossible to derive the original token from it.
Adversary Resistant Networking - the Cryptostorm client, an open piece of Perl code, was modified to interdict the WebRTC/STUN public IP address leak within days after this became public.
https://cryptostorm.org/viewtopic.php?t=8549
Recently, malware analysis experts Kaspersky reported that they faced a six-month battle to eject espionage-ware from their network, identifying the effort as Duqu Bet, with Bet being the second letter of the Hebrew alphabet, a not-so-subtle slap at the Israeli government, whom they believe to be behind the campaign.
Cryptostorm has had direct experience with Duqu Bet and from that has developed NIC parameter and sysctl hardening that interdicts some of the midpoint injection methods used. This is still in the process of being included in the client-side configuration, but it is an example of the attention to detail Cryptostorm provides above and beyond the simple transport of packets.
Cryptostorm offers a free, rate-limited service which can be found at http://cryptofree.me - this service provides 256k symmetric capacity and mixes the free customers in with the paid customers of a busy node. It is felt that this serves several purposes: providing a no-cost means to evaluate the product, as well as supporting users in developing countries who need an alternative to Tor for whatever reason. You can examine the free service by using this config file:
We would like to hear from someone at Whonix regarding the following:
- We want to share the particulars of the NIC and sysctl hardening being used, and what specific threats this eliminates, with an eye on this being included in Whonix.
- We've been wrestling with bringing Whonix Gateway up to a version of OpenVPN that works with Cryptostorm, and this has been challenging for someone who has a good bit of Unix background. We'd like to see Whonix ship with a more recent version of OpenVPN/OpenSSL, and some simple instructions for a wget of the config file for the free service. We realize Whonix is all volunteer; we can probably do most of the work, we just need to be connected to the right person within the Whonix team.
I am happy to answer questions from other Adversary Resistant Computing efforts such as Qubes, TAILS, etc. - we'd love to see Cryptostorm Zero Customer Knowledge VPN service bundled with all of them, and we're hoping, given the recent negative attention on other providers, that we can stampede a portion of the market into not simply vowing that they don't log, but instead using methods similar to ours, which eliminate that possibility entirely.
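The token-hash scheme described in the post above, as an added example written here for illustration; this is not Cryptostorm's own code or its real authentication path. It assumes SHA-512 as the hash and a random hex string as the purchase token (the post names neither), and models a minimal service side that stores only token hashes: the username presented to the VPN is the hash, the password is ignored, and the raw token is never usable as a credential.

```python
import hashlib
import secrets

# ASSUMPTION: SHA-512 over the token's UTF-8 bytes; the post does not name the hash.
HASH = hashlib.sha512


def new_token() -> str:
    """Issue a random purchase token (assumed format: 64 hex chars, 256 bits).

    This is the secret the customer buys and keeps. Its entropy is what makes
    the hash-as-username scheme work: the hash can only be "reversed" by
    guessing the token, and a 256-bit random token cannot be guessed.
    """
    return secrets.token_hex(32)


def username_from_token(token: str) -> str:
    """Client side: hash the token; the hex digest becomes the VPN username."""
    return HASH(token.encode("utf-8")).hexdigest()


class TokenService:
    """Service side of the scheme: a set of valid token hashes and nothing else.

    No account, e-mail address or payment identity is attached to a hash, so
    there is no customer record for the service to log or to hand over.
    """

    def __init__(self) -> None:
        self._valid_hashes: set[str] = set()

    def issue(self) -> str:
        """Mint a token, remember only its hash, hand the token to the buyer."""
        token = new_token()
        self._valid_hashes.add(username_from_token(token))
        return token  # the service keeps no copy of this value

    def authenticate(self, username: str, password: str) -> bool:
        """VPN login check: username must be a known hash; password is unused."""
        del password  # "your password can be anything"
        return username in self._valid_hashes

    def stored_hashes(self) -> frozenset[str]:
        """What a seized or subpoenaed database would contain."""
        return frozenset(self._valid_hashes)


def demo() -> dict:
    """Walk through one purchase and login; returns the checks for inspection."""
    service = TokenService()
    token = service.issue()          # buyer now holds the token
    user = username_from_token(token)  # buyer's client derives the username
    return {
        "login_with_hash_any_password": service.authenticate(user, "anything"),
        "login_with_raw_token": service.authenticate(token, "anything"),
        "login_with_forged_hash": service.authenticate("0" * 128, "anything"),
        "service_holds_raw_token": token in service.stored_hashes(),
        "service_holds_hash": user in service.stored_hashes(),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The raw token must never be sent as the username; only the client-side digest is. The scheme's guarantee rests entirely on token entropy, which is why the example issues 256 random bits rather than a short code.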