We are all taking a chance/risk in ‘trust’ when signing up with ANY VPN provider. By chance ‘Leaseweb’ has been ‘outed’, sure other providers will “spread their cheeks” when authorities come calling, just that there is no ‘public’ info out ‘yet’.
These servers were overseas.
I am the least tin foil hat guy in the security world, but relying on a 3rd party who has knowingly assisted a government with surveillance, when your entire business model is predicated on protecting privacy, is negligent and hypocritical at best.
If they continue to do business with Leaseweb the VPN/Security community will roast them alive.
Haha. I have absolutely ZERO doubt that virtually every intelligence agency on the planet is tapped into just about everything and gets pretty much whatever they want, whenever they want. Sure, maybe some stuff takes a little extra time and effort, but in a world where air-gapped physical hardware centrifuges can be made to destroy themselves, it’s comical to me every time I see a post like this about “the man” being able to see what you do online. If you’re that concerned, unplug. Of course, that’s pretty much impossible in the modern world. Even if you do unplug, you still have a drivers license. You still have a bank account, etc. Posts like these are just meant to be snarky finger-pointing jobs at providers like Leaseweb and Proton and PIA and, and, and, so everyone can sit on their high horse and feel big about themselves.
If you make yourself a target for a state-actor intelligence or law enforcement agency, they are going to get you no matter what you do. The question you should be asking yourself is, why are you so paranoid? You know the answer to that question and if it’s a legitimate reason to be paranoid (i.e. You are engaged in criminal activity or worse), then posting your woes onto Reddit is about the last thing you should be doing and ProtonVPN isn’t going to help you in the least.
I use a VPN so that when I have to connect to public wifi, the jerk sitting next to me can’t see what I’m doing and to keep my ISP and the corporate ad-mongers from building a dossier of my browsing that they can sell to the highest bidder without my consent. This is a far greater threat to me because it can result in a far less technically capable individual or group compiling enough information to target me specifically for reasons that would make my life miserable, like identity theft. I am not doing anything, nor am I a person in whom any state-actor would be interested. I just try to make myself as hard a target as possible for the “average joe” hacker looking to make a quick buck so they move on to someone easier. I also don’t live in an authoritarian country (yet), so I don’t fear the “regime” coming after me for anything I do or say online - that is a very different and very legitimate scenario. I use a VPN service because while it is within my capability to research and learn how to set up my own VPN server, I don’t have the time and it would be less reliable with a single point-of-failure being wherever I set it up. Power goes out? No more VPN.
The NSA doesn’t give a shit about your emails to grandma. Does it suck that they have them? Sure. In principle, should there be policies or systems in place to keep the NSA from getting them? Sure. Is that realistic in the world we live in? Hell no.
The worst thing about the leaks that you mention is that it could result in a key exploit that is known only to a select few and being employed against a select few becoming accessible to a much larger audience. We sorta saw this happen a couple months ago, but that targeted much older, more vulnerable systems that should have been patched or upgraded in the first place. Think about what would happen if an exploit like that could be deployed against modern up-to-date MacOS, Windows 7, Windows 10, iOS and Android devices simultaneously. Far-fetched, yes, but it’s sort of like giving a 4 year old the trigger to a nuclear bomb. What do you think he’s going to do?
I do trust ProtonMail, it’s where I have all my email.
With VPN though you’re so new, that some of us want to see how you mature and handle some real world situations when confronted by the ‘big bully’.
For my situation at the moment I have a few VPN subs, none of which are expiring soon. So I don’t need a new VPN sub now. Having taken part in your VPN beta trial the past few months, I could see great potential. When my current VPN subs expire, ProtonVPN will be at the top of the list for consideration.
I was at the beginning with you guys when ProtonMail launched and remain a loyal supporter of that service.
I think you are misunderstanding - blacklisting Leaseweb shows that you won’t do business with companies that knowingly comply with a gag order without putting up a fight. It makes a statement and will hopefully sway other upstream providers when the government comes knocking.
If you’re willing to compromise your morals in this instance, what else will you compromise on? It’s a perception thing.
Either way, I sincerely wish you the best of luck. I appreciate your core mission statement and hope you succeed, even if I disagree that you’re upholding it in this instance.
There’s still lots that ProtonVPN can do.
Yeah, they’re a young company. That’s pretty obvious just by reading the posts from the official account here as well as on Facebook. Any 1st year marketing major would cringe at an official response that starts with “First of all …” That’s a Crucial Conversations 101 fail. It’s an extremely confrontational and condescending way to start a response to a question.
Regardless, I canceled my Plus account today and will just continue with PIA. Maybe I’ll give Proton another shot when they’re more mature - both as a company and in their offerings. They’re not worth 3x the price of PIA at the moment - speeds are worse, they only have an official client for Windows, and they don’t seem to really listen to feedback, instead taking the approach of “we know best.”
That Windows client sure is sexy tho’ - I’ll miss firing it up.
No secure core servers are from third parties. They are run in house by ProtonVPN mostly in underground bunkers and old military installations. That’s what makes them so comparatively safe, because they cannot be compromised by anyone except ProtonVPN themselves.
Every secure core entry node is in a privacy safe country (and not in a Leaseweb DC).
True, although it isn’t surprising given that they operate nodes in the US. That alone should arouse suspicion.
Don’t trust anyone that owns anything in the United States. ProtonVPN being the only exception because they are simply renting the servers from the hosting providers. But still, don’t trust a US VPN, or a Hosting Service operating or running servers in the US or UK.
Fair enough. We’ll see what ProtonVPN says, but they’re usually pretty up front about these kinds of issues.
So are you the type that’s in line with the phrase “If you have nothing to hide, you have nothing to fear”?
I think the Leaseweb situation needs to be put in the correct context, as it doesn’t seem like you read the article that you linked.
Leaseweb is a Dutch company. The Netherlands has a legal statute that permits lawful interception. Therefore, Leaseweb is obligated by law to comply.
There’s no gag order for them to fight. They can’t fight the law either, it’s the law. They would refuse to comply with the law, but let’s be honest, almost no company knowingly does that because nobody wants to go to jail.
Every once in a while, you get a situation like Apple, but that was challenging something the law did not explicitly require.
In the Leaseweb case, the Netherlands has lawful interception, the police got a warrant approving lawful interception, so as a law abiding company, Leaseweb complied.
The problem is not Leaseweb, the problem is the law. Going to another provider doesn’t change the law. And all providers are subject to the laws of their jurisdiction.
So the solution actually is, use Secure Core, which provides technical protection.
ProtonVPN isn’t “fighting back” in any scenario. They haven’t added obfuscation so far, and have had no moral issues with VPN blocking in schools, university, public etc. And they have also made no efforts or expressed no desire to make the service accessible in censored countries or areas.
They have no drive to fight for net neutrality, privacy or any good principles a VPN stands behind, if not in technology most certainly in spirit.
Yeah, they’re a young company. That’s pretty obvious just by reading the posts from the official account here as well as on Facebook. Any 1st year marketing major would cringe at an official response that starts with “First of all …” That’s a Crucial Conversations 101 fail. It’s an extremely confrontational and condescending way to start a response to a question.
As far as I know they do not have any marketing guy. They just have devs/admins and customer support afaik. So you shouldn’t expect something like that maybe…
You’re with PIA too! My PIA sub is good for another +1yr, I also have other VPN subs, I like to chain my VPN connections for ultimate protection, a roll-my-own pseudo secure-core.
Trialing the ProtonVPN beta was fun though. I’ll also re-consider ProtonVPN in the future to see if they’ve matured enough & ironed out all the newbie bugs.
If not, there are a handful of mature trustworthy VPN providers who know what they’re doing at good pricing. In no particular order Mullvad, PIA, Cryptostorm, Vpn.ac, nvpn etc…
Proton Email is still tops though!
Yeah, after all this I might just switch back to my AirVPN annual sub and give it a few months.
I know that they operate the SC Servers themselves but I doubt that they are not in a big Datacenter. I mean all other Servers are just rented from Providers and the secure-core servers are bought. But they are still placed in a datacenter. And I doubt it’s their own. Building their own line to their own datacenter and doing stuff like cooling, access control etc. themselves would likely bust their budget. That the ProtonMail servers are underground is known, but that does not mean the datacenter is owned by Proton. Do you maybe have any source on this?
Anyway, I would still assume that SC is safe to use because essentially the traffic is encrypted. So even though you enter in a Leaseweb DC the exiting data is encrypted as well and goes to the same server every time. Therefore no guessing attacks.
You do understand ProtonVPN is subject to the laws of the jurisdiction where they operate servers? Just because they are based out of Switzerland doesn’t mean their US infrastructure doesn’t have to comply with US laws. Microsoft actually tried to fight this battle too (Office365 and Azure related) and lost.
I agree. I’m looking forward to their response.