/me dusts off his old incomplete Rust implementation of MASQUE
Yeah it’s perhaps the sad state of things. Though I think if a VPN company’s strategy/interest doesn’t align with pushing for better privacy tech (or at least attempting to) even if it means some temporary friction, they will inevitably be left in the dust. It is the Virtual PRIVATE Network business after all.
@obscuracarl Are there any plans for the app to undergo an audit this year?
Actually, not necessarily. If you are a journalist for example that needs to communicate with sources, communicating through TOR might mean their identity will be known (if the source’s entry node is malicious), which isn’t a good thing.
This is just an example as to why some people might not want to use TOR.
TOR does grant anonymity but it is slightly less secure. The likelihood of a TOR node being compromised is much higher than a (reputable) VPN server.
Edit: My example with the source doesn’t entirely make sense, but it is more to illustrate the point of privacy vs. security.
Jonah asked this earlier; I think it would be nice to get a clarification/answer.
What exactly does Mullvad see about the Obscura user? How iCloud Private Relay works is that the second relay sees that an Apple user is connected, but it doesn’t know which specific user.
Does Mullvad know which specific Obscura user is connected? Not the user’s real IP, but since they know which Obscura server IP is connecting to them, wouldn’t they know more information such as port, MTU size, latency, and be able to identify the specific user at hand? What if someone is multihopping from a Singaporean Obscura server to an Albanian Mullvad server? They are very likely to be the ONLY person using such a multihop configuration. I think if all Mullvad knew was that any possible Obscura user was connected to “x” server, this would offer a lot of privacy like iCloud Private Relay, but it seems to me that Mullvad can identify the specific user in question if they were forced to give logs. And in this case, even though the authorities or whoever don’t have the user’s real IP, they can now ask Obscura directly who this specific user is and try to identify him.
Also, have you thought about releasing a servers page like Mullvad has so users can know who the hosting provider is? If I use an Obscura server that is hosted by M247 or Datapacket for example and then multihop to a Mullvad server that is hosted by the same provider, the hosting providers themselves can collude, and in a case like this, any interested authorities don’t need to ask either Obscura or Mullvad for logs; they can just go to the hosting provider itself.
Also, native Monero support would be nice.
Yes, we plan to do that and are working on the specifics. We want to do it when we have a somewhat “steady state” for our codebase so that the audit isn’t immediately invalidated by huge code changes.
I’ve heard good things about Cure53, any other security analysts people have had good experiences reading reports from?
They have audited Mullvad in the past.
I suggest what @phnx shared, Radically Open Security. Picocrypt’s dev had his program audited by them. I also think their services are cheaper compared to very popular and well-known companies.
I would like to be convinced on why I should use Obscura instead of just multihopping between IVPN and Mullvad or ProtonVPN and Mullvad. Why should I trust an American-based company like Obscura even with my connecting IP when the US can just gag order you at any time?
@carldong
Also, do you have a plan to enable quantum-resistant encryption on your WireGuard config servers? In the case that you are trustworthy, it would be nice to see you taking steps in the right direction, as the US Government very likely hoards all interesting VPN data so they can decrypt it later.
Because how are you going to acquire multiple VPNs safely?
Even if you do acquire them safely, it’s not reasonable to expect most people will, so this setup is safer as a product.
I’m also curious about quantum-resistant encryption. It seems like that should be possible to add to Obscura’s VPN client (if it isn’t already) since Mullvad already supports it on plain WireGuard tunnels.
This isn’t tricky at all.
Users can sign up with Windscribe & Mullvad, say (both those providers swear by God they don’t correlate control traffic, like account/payments, with data traffic, like OpenVPN/WireGuard).
Then chain those from a client that supports doing so.
Multi-party VPNs may be easier to set up but are not any safer, in that the end-user has to absolutely trust the involved parties to do the right thing… which is no different to assuming Windscribe & Mullvad do the right thing, in the example above.
I have to agree with ignoramous here. Why would I trust a random VPN popping out of nowhere with no real trust record, especially one coming out of the United States, which has draconian laws? I can just use Rethink DNS to chain trusted VPN providers to have the same effect, and I can pay in Monero with providers like IVPN or Windscribe. Don’t really see the benefit of trusting my first and likely my most important hop to a random company like Obscura.
What would it take for you to trust Obscura in full? The head of it is in this thread - might as well lay out your requirements.
Edit: please also specify which specific comment of theirs you are referring to.
I was referring to his latest comment. It would take audits, more public interviews by Carl Dong such as what Viktor Vecsei (YouTube interviews) has done for IVPN. It would also take Monero support and more transparency, such as where the servers are being run. Mullvad and IVPN have a nice, transparent server list where we can see all the hosting providers and whether or not the server is rented or owned, run from RAM or disk, etc. Something like System Transparency would be nice; this is what Mullvad itself is working on. Honestly, I trust Proton and IVPN more than I trust these guys, which is why I feel this way and why I think I am better off multihopping with said providers. That being said, the reason I trust said companies so much is because of their transparency, and I see no reason why I wouldn’t be able to trust Obscura if their transparency was more or the same as these other providers.
TLDR: audits, Monero support, more YouTube interviews. Perhaps even showing up to public events. Would love it if we could chat in person with this guy so we know who we are trusting our traffic to.
I am pretty sure Obscura is well aware of all that is required or wanted from all kinds of privacy enthused experts to prove their products’ legitimacy.
And we’ll have to give them time. If even half of these preferences and requirements don’t happen by the end of the year - that’s when one would be okay to reasonably discount Obscura.
But let’s give them a chance.
My personal opinion is that a little more should have been done before this partnership announcement, because it’s very limiting with only one OS at the moment, but this, as far as I can say, was a business decision more than anything.
Either way, let’s wait and watch.
Wouldn’t both VPNs have a persistent identifier to know you’re the same user over time? Private Relay authenticates using something like Privacy Pass, so they just know that a user is allowed to use the service but they don’t know which user. Nothing stopping VPN services from also implementing Privacy Pass, I think, but I don’t think any of them do.
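The "allowed, but not which user" property mentioned in the post above comes from blind-signed tokens; as an added illustration (not code from any provider or from the original thread), this is Chaum's RSA blind signature, the construction one Privacy Pass token variant is built on, with a constructed toy-size key that is for demonstration only: the issuer signs a value it cannot link to the token later presented to a relay.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA issuer key (tiny primes, NOT secure; illustration only).
# The "issuer" is the party that checks entitlement (e.g. a paid account);
# any relay holding only (N, E) can later verify tokens without an account.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def token_hash(token: bytes) -> int:
    """Map a client-chosen random token to an integer mod N (toy size)."""
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % N


def client_blind(token: bytes) -> tuple[int, int]:
    """Client: pick a blinding factor r and hide the token hash as h * r^e mod N."""
    h = token_hash(token)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (h * pow(r, E, N)) % N, r


def issuer_sign(blinded: int) -> int:
    """Issuer: signs only the blinded value; it never sees the token itself."""
    return pow(blinded, D, N)


def client_unblind(blind_sig: int, r: int) -> int:
    """Client: strip r, leaving a valid signature on the original token hash."""
    return (blind_sig * pow(r, -1, N)) % N


def verify(token: bytes, sig: int) -> bool:
    """Relay: check the token with the public key only; no identity is involved."""
    return pow(sig, E, N) == token_hash(token)


def issue_and_redeem(token: bytes) -> tuple[int, int]:
    """Full flow; returns what the issuer saw and the signature the relay receives."""
    blinded, r = client_blind(token)
    return blinded, client_unblind(issuer_sign(blinded), r)
```

The issuer's record (the blinded value) and the token later redeemed at the relay are different numbers related only through the client's secret r, which is why the two parties cannot match them up even if they share logs.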
If this were all it took to trust them, you wouldn’t really need to chain two VPNs in the first place, you could just take them at their word that they don’t log entry and exit traffic.
The entire point of a multi-party system like this is the user needs zero direct interaction with the exit node.
You shouldn’t, if your most sensitive data (i.e. your “most important hop”) is who you are and where you’re connecting from.
There is always a split between who you are and what you do with these two-party systems, and which of those two things are more important to keep protected will depend on the individual person.
A lot of people freely connect to the internet from their own home on a connection paid with their own name and billing information. I think it is reasonable for those people to think that what they’re doing on the internet is actually the more sensitive data they want to keep partitioned from their personal information, and so they might decide a setup like Obscura VPN makes sense for them. Their most important hop is the last/exit, not the first/entry.
There are also plenty of people who cannot divulge that information to a US company or any company that they are persistently connected to. Obscura would not make sense for them to use. This is ultimately a personal choice you have to make.
The difference is that in your example, either Windscribe or Mullvad could unilaterally choose to harm your privacy, while in a functional multi-party setup they would be forced to work together to do so.
If Mullvad has your account/payment information and you’re using them as the exit node, your setup with Windscribe is completely irrelevant if Mullvad alone decides to work against you.
This is the same reason VPN after Tor is recommended against.