The team of scientists and engineers that came out last year with the wildly successful end-to-end encrypted email service, ProtonMail, has now officially made public their new highly secure (and very fast!) virtual private network (VPN) called ProtonVPN.
As a ProtonMail user I’ve been incredibly pleased with the service and its security and this morning I signed up for their newest offering, ProtonVPN. I did so mainly because of the features, but also because it’s from a company I trust and, as a beta user, found it to be fast, robust, secure, and rock-solid.
I’m also stunned by how quickly they’ve nailed the key features needed in both email and VPN to keep us private and secure. A big plus also is that the company, Proton Technologies AG, is based in Switzerland, a country whose laws favor privacy, security and non-disclosure which is the perfect place to headquarter the firm:
“ProtonMail was founded in 2013 by scientists who met at CERN and were drawn together by a shared vision of a more secure and private Internet. Since then, ProtonMail has evolved into a global effort to protect civil liberties and build a more secure Internet, with team members also hailing from Caltech, Harvard, ETH Zurich and many other research institutions.
Today, we help our community of millions of users secure their private data online. More than 10,000 supporters have assisted us in this mission by donating to make this project possible. Thanks to your support, we are continuing to develop state of the art email privacy and security technology from our home base of Geneva, Switzerland.”
ProtonVPN has several key features that are a bit geeky, but have turned my head as someone who is deep in to cyber security:
- Secure Core: This architecture gives their secure VPN service the unique ability to defend against network based attacks. Secure Core protects your connection by routing your traffic through multiple servers before leaving our network. This means an advanced adversary who can monitor the network traffic at the exit server will not be able to discover the true IP address of ProtonVPN users, nor match browsing activity to that IP.
- Strong Encryption: All your network traffic is encrypted with AES-256, key exchange is done with 2048-bit RSA, and HMAC with SHA256 is used for message authentication which means it is VERY secure.
- Forward Secrecy: The encryption cipher suites they use only include ones that have Perfect Forward Secrecy. This means that your encrypted traffic cannot be captured and decrypted later if the encryption key from a subsequent session gets compromised. With each connection, ProtonVPN generates a new encryption key, so a key is never used for more than one session.
- Strong Protocols: They exclusively use VPN protocols which are known to be secure (OpenVPN and IKEv2). Though I’m not a cryptographer, every one that is whom I follow online swears by both of those protocols which have been examined and certified secure by top cryptographers all over the world.
- Physical Security: The company has gone to extreme lengths to protect ProtonVPN’s Secure Core servers to ensure their security. Critical infrastructure in Switzerland is located in a former Swiss army fallout shelter 1000 meters below the surface. Similarly, our Iceland infrastructure resides in a secure former military base. Our servers in Sweden are also located in an underground datacenter. By shipping our own equipment to these locations, we ensure that our servers are also secure at the hardware level.
Other Key Features Include:
- Open Source: Goes without saying that their transparency level is very high and having their software reliant on open source software examination and certification is a big selling point for any of us.
- No Logs Kept: Under Swiss law they don’t have to keep them so they do not.
- DNS Leak Protection: They ensure that your browsing activity cannot be exposed by leaks from domain name service (DNS) queries.
- Kill Switch: Their desktop and mobile applications come with a built-in Kill Switch feature which will block all network connections in the event that the connection with the VPN server is lost.
- Tor VPN: ProtonVPN comes with Tor support built-in. Through their selected Tor servers, you can route all your traffic through the Tor anonymity network and also access dark web sites. This provides a convenient way to access Onion sites with just a single click.
Take a look at their pricing page. They have a free offering (which is currently shutdown due to the overwhelming response and signups this week) and I signed up for the “PLUS” level today since, as a current ProtonMail user, I got a bit of a larger discount on both ProtonMail and ProtonVPN as a bundle.
I need to end with this: I’ve analyzed more than a dozen of the top VPN providers and previously chose Private Internet Access (which I still have active since I’m paid through April of 2018) and, especially for the non-geeks out there, it’s still the easiest to use, they keep no logs, have the most data centers, and still has my strong recommendation.
But if you’re extra-serious about your VPN — or have specific needs to be highly secure when online — I’d absolutely recommend you immediately go and signup for ProtonVPN.
While discussing cyber security and online safety with clients, family and friends, I’ve had several of them ask me for guidance on how to secure their communications and web activities. While a thorough examination of all the detail surrounding privacy, security, and good online habits could be the length of a book, let me give you some of the basics along with a few links to learn more.
There are several reasons you should care about whether your online, digital communications and web surfing are private:
a) Tracking: Ever wonder how Facebook knows you just shopped for Corningware at Amazon and suddenly the ads on Facebook are displaying other bakeware companies? Would you be surprised to know that nearly all websites you visit set a little digital file called a “cookie”—a file that can prove to be very beneficial most times—but that some cookies are set by third party companies that do nothing but track ALL of your website visits (and much more) everywhere?
b) Are You Naked on Public Wifi? If you ever connect to a public Wifi hotspot, you should know that it is trivial for a Wifi hotspot to be spoofed and you might have already inadvertently connected to it! There are also packet-sniffers that can view any unencrypted traffic going back and forth between your laptop or device and the Wifi router and some blackhat hacker can view it.
Want to see how incredibly trivial it is to create a man-in-the-middle attack and spoof a Wifi hotspot? Then read this article which should scare the beejesus out of you (it did me). It’s called Maybe It’s Better If You Don’t Read This Story on Public WiFi and its tagline is this:
We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.
If after you have read that article you are still logging on to public Wifi hotspots without using a VPN, please comment below and give me your argument as to why you think it’s OK to get online with public Wifi and no VPN. I’ve yet to hear a single, valid reason why someone shouldn’t connect securely.
c) Government Surveillance: You’ve undoubtedly heard about Edward Snowden who revealed the vacuum mass surveillance apparatus in place by the National Security Agency and that they’re are scooping up ALL metadata about who called whom; what websites you visit and searches you perform; what texts you send; who your Facebook/Twitter and other friends are; what photos you post; and much more.
As a preview to what might very well happen here in the U.S. under a Trump administration, a new law just passed in the United Kingdom and it will give you a taste of what is probably coming to America…and soon…and why we all need to be more diligent about our privacy and security. The UK Now Wields Unprecedented Surveillance Powers — Here’s What It Means spells out what we could expect in the US in the near future:
The UK is about to become one of the world’s foremost surveillance states, allowing its police and intelligence agencies to spy on its own people to a degree that is unprecedented for a democracy. The UN’s privacy chief has called the situation “worse than scary.” Edward Snowden says it’s simply “the most extreme surveillance in the history of western democracy.”
The legislation in question is called the Investigatory Powers Bill. It’s been cleared by politicians and granted royal assent on November 29th — officially becoming law. The bill will legalize the UK’s global surveillance program, which scoops up communications data from around the world, but it will also introduce new domestic powers, including a government database that stores the web history of every citizen in the country. UK spies will be empowered to hack individuals, internet infrastructure, and even whole towns — if the government deems it necessary.
It is also probable that both the UK and the US will take steps to ban end-to-end encryption (one reason I use more and more services outside the US) and/or legally force companies to insert backdoors in their software so law enforcement can get in to the computer or device you own, especially without having to secure one of those pesky search warrants. It’s actually a lot more ominous than that, but writing much more about it is beyond the scope of this post.
Are you scared now?
You should be. I am, and I stay abreast of all of this every, single day. Read on for some specific tips and tricks to stay safe online.
Edvard Munch’s painting The Scream…and a few scared internet users
I just sent them my rebuttal and I reprint it below with the StarTribune’s paragraphs in italics and green. Also, since the StarTribune apparently did little-to-no research, I’ve provided them with helpful links.
Curiously the StarTribune changed the linkbait-like editorial title in the online version by toning it down, perhaps realizing that characterizing it as “Apple defies order” is wrong: National security is at stake in Apple’s faceoff with feds.
U.S. security at stake as Apple defies order
Apple Inc., the world’s largest info-tech company, now stands in defiance of a federal court order, saying it will fight attempts to force it to help the FBI crack the iPhone of a San Bernardino terrorist involved in a major attack on U.S. soil that left 14 dead and 22 injured. Apple says the government is overreaching and would be setting a dangerous precedent.
The company is wrong on both counts, but the world of encrypted information is a complex one. It is worthwhile to proceed carefully, because this could prove to be a critical showdown in the growing clash between privacy and national security.
Your editorial, “U.S. security at stake as Apple defies order” was one of the most stunningly naive positions I’ve read yet when it comes to the controversy over Apple’s stand on weakening the encryption of one, single iPhone. A weakening that would instantly open a Pandora’s box of cyber threat problems of which you are obviously clueless and seemingly dismissed out-of-hand.
First, it should be noted that the government negotiated for two months with Apple executives. When those talks fell apart, Justice Department officials turned to a federal judge, who ordered the company to create a way to bypass the security feature on the phone. The FBI had obtained a warrant to search the phone and, not incidentally, the consent of the employer that had issued the phone to Syed Rizwah Farook.
First off, it should be noted that the FBI permitted San Bernardino officials to change the password on the terrorist’s iCloud account (rebutted by FBI, now blaming official) and only then, obviously realizing their mistake, requested Apple’s help. Had they not done so Apple has stated publicly it would have been possible to obtain the shooter’s iCloud backup data. Since this mistake was made, the FBI then negotiated with Apple to recover what they could. Discovering that doing so was not possible, and subsequently failing in convincing Apple to create software to weaken iOS (the operating system that controls the iPhone and iPad) so they could break into the device without having it ‘wiped’ by its ten password attempt limit, the FBI then obtained a court order hoping to force Apple to create a method to do so.
Apple has complied with what Justice officials characterize as “a significant number” of government requests in the past, including unlocking individual phones. Apple CEO Tim Cook has become increasingly concerned about customer privacy, particularly after 2013 revelations by whistleblower Edward Snowden about massive government surveillance operations. The company has continued to tighten its security systems and decided to no longer maintain a way into individual phones. Farook’s iPhone 5c was among those with a 10-tries-and-wipe feature that essentially turns it into a brick if too many false passwords are entered. Newer operating systems employ ever-more-sophisticated security features.
The government’s authority to get private information, such as texts, photos and other stored data, through a warrant is not at issue. The key here is whether the government can compel a private company to create a means of access that the company contends will weaken its premier product.
Cook maintains that creating a “master key” to disable security on Farook’s phone ultimately would jeopardize every iPhone. With more than 100 million in use across the country, that is no small threat. There are, however, technology experts who say Apple could create a bypass — allowing for what’s called a brute force hack — without affecting other phones.
With respect to your position on Apple’s creating this sort of “bypass” for this single iPhone, all while acknowledging this is not a “small threat” for the 100 million iPhones already in existence, you then opined, “There are, however, technology experts who say Apple could create a bypass” “without affecting other phones.” This is your supposed justification for minimizing the threat of putting in a backdoor (or what you euphemistically characterize as a “bypass”) for those 100 million+ iPhones already in existence? Who are these so-called “experts” anyway?
Though our national security is an absolute imperative, the Edward Snowden revelations about mass NSA surveillance—and what most of us see as a direct violation of our Constitution by them (as well as their practice of passing that data to the DEA, FBI, IRS and local law enforcement)—the intelligence community made their bed…and now they have to lie in it.
From Wired’s article called Apple’s iPhone Encryption Is a Godsend, Even if Cops Hate It:
It took the upheaval of the Edward Snowden revelations to make clear to everyone that we need protection from snooping, governmental and otherwise. Snowden illustrated the capabilities of determined spies, and said what security experts have preached for years: Strong encryption of our data is a basic necessity, not a luxury.
And now Apple, that quintessential mass-market supplier of technology, seems to have gotten the message. With an eye to market demand, the company has taken a bold step to the side of privacy, making strong crypto the default for the wealth of personal information stored on the iPhone. And the backlash has been as swift and fevered as it is wrongheaded.
Though this is clearly the right thing for Apple’s business—especially if they continue to hope to sell in countries like China (see Apple iPhone a danger to China national security)—I still want to say, “Thank you Apple…seriously.“
Last night was part two of the PBS Frontline program called United States of Secrets. It was one of the best, most thorough overviews of what is going on with the NSA’s vacuum surveillance that I’ve ever seen.
You owe it to yourself, and the future of our children, to be aware of what’s going on.
NSA Finally In The Light
I’ve been deeply concerned about the massive, sweeping surveillance going on for over TEN YEARS! Whenever I bring up this topic (and online security in general) too many of my family and friends just shrug and say, “Oh well.” Frankly, I just don’t understand why most people don’t seem all that concerned about our fundamental erosion of liberty caused by the NSA’s mass surveillance.
Thankfully the Edward Snowden whistleblowing finally shined a light on what I intrinsically knew was going on shortly after 9/11 (see Snowden’s revelations and the overall controversy at The Guardian’s NSA Files website section). Yes, I feel vindicated for my paranoia but that attestation is not something I longed for…instead I hoped the government’s drive to classify their constitutional violations and illegal activities as “keeping America safe from terrorism” would stop.
Unfortunately that whistleblowing has made it increasingly hard for companies who sell their technology outside of the United States. For example, the NSA was inserting hardware in Cisco routers which caused CEO John Chambers to write a letter to President Obama asking for it to cease…now.
One of the podcasts I listen to regularly is Security Now, a TWiT show. Every one of these shows (as well as many of the shows on the TWiT network) finds me learning a great deal that I use personally, for my company, or my own “Security Tip of the Week” on the Minnov8 Gang Podcast. To say I find Steve Gibson and Leo Laporte knowledgeable, trustworthy and reliable is an understatement — and I’ve taken to extending those feelings to their advertisers — since Leo continually touts the fact that he only supports advertisers he vets and actually uses.
But I think these guys either had a lapse when it comes to the VPN provider proXPN, or they have never signed up for a trial period with this vendor and then tried to cancel the account during that trial period (which I now suggest they have a TWiT staffer do for EVERY potential advertiser).
Making it hard to cancel is the oldest trick in the book to get some percentage of people to pay when you charge their credit card immediately and then make them jump through a bunch of hoops to cancel and get a refund. Here is what happened and why I strongly caution you to consider another vendor for your VPN services:
Would it be OK for the government to collect all of your private data in one place, share it between agencies, enable companies to send anything “suspicious” to our intelligence agencies, all in the name of keeping us “safe?” What if your Facebook friends and photos you post were collected and sent to the government by Facebook? What if your internet provider (e.g., Comcast, Time Warner) or mobile provider (e.g., AT&T, Verizon) intercepted and sent your check-ins, photos posted, emails sent, websites visited and all your digital traffic to a government intelligence agency?
It’s happening now and a bill, CISPA, will only make it easier.
CISPA, the Cyber Intelligence Sharing and Protection Act, has been reintroduced in the House of Representatives. It’s the contentious bill that would provide a poorly-defined “cybersecurity” exception to existing privacy law. CISPA offers broad immunities to companies who choose to share data with government agencies — including the private communications of users — in the name of cybersecurity. It also creates avenues for companies to share data with any federal agencies, including military intelligence agencies like the National Security Agency.
Andrew Couts at Digital Trends — a refreshingly pragmatic voice in technology — pointed out in this article All You Need to Know about Washington’s Big Cybersecurity Push that this CISPA bill isn’t horrible, just far too incomplete.
The problem with CISPA—and many of these Washington knee-jerk “homeland security” legislative reactions—is that the legislation itself has far too many holes in it, the obvious potential for abuse exists with the usual lack of strong oversight, and companies have been granted immunity (just like AT&T was in the ongoing NSA Warrantless Wiretapping fiasco) so there are no checks-and-balances on them either.
As an aside, if you don’t know about the NSA $2 billion plus data center nearing completion you should. Read this Wired article from last April and it will make you stop-and-think about what the government might do with all the data they’ll increasingly have access to if CISPA passes as-is: The NSA Is Building the Country’s Biggest Spy Center (Watch What You Say). It always amazes me that the gun-nuts out there are SO concerned about their 2nd amendment rights being taken away but are either clueless, too stupid, or not bothered to become aware of the fundamental Constitutional rights U.S. citizens have already lost…and continue to lose bit-by-bit.
Couts said this in his article:
Like Obama’s cybersecurity order, CISPA’s primary aim is to increase the sharing of cyber threat information (or CTI, as the cool kids call it). Unlike Obama’s order, however, CISPA allows the sharing of information in both directions – from government to business, and vice versa. Sharing is not required by the law, but it is allowed.
CISPA also provides broad legal immunity to companies that collect and share CTI with the federal government, as long as they do so “in good faith” – which might mean businesses can’t be sued or charged with crimes for collecting and sharing CTI under CISPA. Furthermore, CISPA shields the shared CTI from transparency mechanisms, like the Freedom of Information Act (FOIA).
Read the full text of CISPA here: PDF.
HOW TO OPPOSE CISPA (it’s really easy and fast to do so): That’s why I oppose this legislation. Since I’m a member of the Electronic Frontier Foundation (EFF) I was particularly pleased that they made it extremely simple and fast to send a letter to your congressional representatives. You can do so here and it will take 2-5 minutes.
Do you ever do anything on your Android smartphone that you would like to be secure and private? You know, like banking, sending a text message to a friend or loved one, accessing secure web pages, or calling someone? If you do any of that, the U.S. mobile carriers have embedded software on Android devices that can grab every keystroke, see every app you launch, and even view the content of the secure web pages you access even when you are in Wifi mode with mobile 3G/4G turned off!
Though I’d been peripherally aware of a kid named Trevor Eckhart who’d come across what he calls a “rootkit” on Android phones, I was stunned to see this Wired article explaining it and was even more appalled when I watched Trevor’s 17 minute video (embedded below).
I’ve been observing the continuing acceleration in governmental intelligence gathering since 2006 (see, “Massive, sweeping surveillance on *all* you do“) and the U.S. National Security Agency’s warrantless wiretapping, but watching this video gave me one of those “Oh. My. God.” moments this morning.
Wired said this at the start of their article:
The Android developer who raised the ire of a mobile-phone monitoring company last week is on the attack again, producing a video of how the Carrier IQ software secretly installed on millions of mobile phones reports most everything a user does on a phone.
Though the software is installed on most modern Android, BlackBerry and Nokia phones, Carrier IQ was virtually unknown until 25-year-old Trevor Eckhart of Connecticut analyzed its workings, revealing that the software secretly chronicles a user’s phone experience – ostensibly so carriers and phone manufacturers can do quality control.
But now he’s released a video actually showing the logging of text messages, encrypted web searches and, well, you name it.
CarrierIQ, now busted, has backed off of their cease-and-desist (PDF) and pointed out that they’re not really doing anything with the data. It’s all to help out the carriers managing their networks. Aha…that’s what the guy said when the cops popped his trunk and found lockpicking and glass cutting apparatus along with a black ski mask and latex gloves. “Really officers, I don’t use that stuff for breaking and entering.”
The Register also wrote about this and it’s a great read…but do that and make sure you also watch the video below. Yes, it’s a bit geeky and long, but the first few minutes explains the issue and about the 15 minute mark he shows what’s happening.
Action? Raise a stink by contacting your Congressperson. Join what continues to prove is our only tech-savvy defense against the assault on our Constitution and Bill of Rights when it comes to technology: the Electronic Frontier Foundation. Tweet about it using the hashtag: #CIQ.
Glad I have an iPhone 4S since it doesn’t have this embedded software on it…until we find out otherwise.
[youtube http://www.youtube.com/watch?v=T17XQI_AYNo ]