ProtonVPN uses Leaseweb servers, at least in the US. What is your reaction to this?
First of all, the problem is not limited to Leaseweb. In most countries, particularly the US and UK, all server and network providers will work with the authorities. It is not really because these providers are intentionally “bad”, but because they are legally obligated to do so.
ProtonVPN is probably the only VPN service that offers some measure of protection against this. Our Secure Core architecture is designed specifically to mitigate this by combining 3 things: servers that we 100% own and manage, which are built by us and shipped to Secure Core locations from Switzerland for security reasons; control over the network by serving as our own ISP; and legal protection by basing in privacy jurisdictions.
Full details here: What is Secure Core? | Proton VPN
Connecting directly to a US server without using something like Secure Core is like having sex with a street hooker in Africa without protection, you can pretty safely assume that you’ll have AIDS after the experience.
I think it’s safe to say that no servers based in the US are immune to government spying. Fortunately, even with traffic sniffing it’s typically unlikely that your IP address will be revealed unless the server itself is compromised. If you’re concerned about that, use a server that is in a non-x-eyes country (or use Secure Core, I guess; they did kinda make that to combat this exact thing).
PIA shut down their Leaseweb German exit points because of this revelation; they still haven’t found another provider in Germany. There are other VPN providers who use Leaseweb too, so let’s wait and see what they’re gonna do.
Realistically you shouldn’t use an endpoint in the US, UK or Canada for reasons such as these. Better alternatives are places like Switzerland, Sweden and Iceland.
So the official response is “We don’t care, use Secure Core?”
Don’t knock it till you try it.
They use Leaseweb for their Singapore servers too. I’m researching them all to see which ones are hosted where.
If Leaseweb allowed the Russians and Germans access to their datacenter, nothing flowing through those servers can be considered safe.
At a minimum, ProtonVPN should cease operations with Leaseweb and find another provider.
This is why Secure Core exists.
It’s a blog post, not a professional article.
What makes anyone think that other providers are more trustworthy?
Any provider operating servers in the US will spread their cheeks when the feds roll up.
Always use servers overseas, and even then make sure they are from reputable providers.
For example, many of the Swiss servers are run by M247, a British company in Manchester which could technically be obligated and gagged under the IP Bill/Snoopers’ Charter. But no one mentions that lmao
Yep, that is the responsible thing to do. There is no excuse for working with a provider who knowingly allowed and actively assisted two governments in intercepting traffic. Especially when there are many other providers they can choose from. I’m curious to see if they will give an official response.
If you think being skeptical of these sorts of things is tin foil hat worthy after Snowden, Vault 7 and all the horrible worse than tin foil hat shit that turns out to be REAL, you are really new to the scene.
It’s more like, we care a lot, that’s why we built Secure Core.
But more seriously, you misunderstand the issue entirely. Blacklisting Leaseweb does not resolve the issue. Any other provider can be legally obligated to do the same, if they are not in a privacy jurisdiction. In fact, many providers are already under this obligation, they just aren’t talking about it or it is not known.
But even worse than that, ALL upstream ISPs have this obligation. So even if the provider is not obligated, the ISP the provider is connected to that is handling the actual IP transit…is doing it.
Hence, it matters little which provider you go with in the US. You’re under surveillance, end of discussion. But Secure Core helps to prevent this issue that otherwise impacts all other VPNs.
It is also worth pointing out here that Secure Core is not just a generic double VPN. That doesn’t resolve this issue entirely. Secure Core does a lot MORE than double VPN with the specially selected jurisdictions and networking/hardware setup.
…‘official response’ isn’t too reassuring nor detailed enough.
So from the 1st paragraph we can infer that US/UK server locations are most at risk legally?
Then shouldn’t there be servers located in the least legally risky countries like Luxembourg, Austria, Finland, Romania, Bulgaria, Lithuania, Portugal etc.?
What about more anonymous payment methods, like cash & gift cards? There’s still lots that ProtonVPN can do.
Here are the other Leaseweb locations that ProtonVPN uses: Germany, Hong Kong, Manassas (Virginia), San Jose (California).
The provider won’t make a difference. Any server hosting company in the US is always going to be more than happy to spread their cheeks when the government rolls in.
Your best bet is using overseas servers, but even then from them 70% of all web traffic flows through the US anyway.
Secure Core won’t do shit if the entrance node is Leaseweb. So the takeaway here is to make sure to use a Secure Core node that isn’t in a Leaseweb datacenter, which there is a list of above.
Regardless, with how much bluster Proton puts out there about privacy, there is no excuse for continuing to do business with a company who knowingly assisted two different government agencies in intercepting traffic.