NymVPN (Nym)


Website

Short description

Nym/NymVPN is a decentralized VPN network that aims to offer full privacy and/or anonymity with decentralization, open source, no-logs policy, some unique traffic obfuscation features and anonymous payment and signup/login.

Why I think this tool should be added

It has been independently audited:

One of them being Cure53 which is a famous auditor.
It’s fully open source (so not just clients but also there’s the nym repo itself and some others).

Privacy policy of apps state they will not log your data unless it is on a legal basis (If it’s decentralized and anonymous though how they’re gonna do it though, unless they can use the third parties but :thinking:, and anyways I guess that can be confirmed with its open source nature)

Your internet activity while using NymVPN services is not monitored, recorded, logged, stored, or passed to any third party, unless doing so is required by applicable law, e.g. in case of a lawful intercept request, required for providing the NymVPN services, required for billing and debt collection purposes or you have granted consent to this (by enabling telemetry).

They have Litepapers and whitepapers outlining a lot of those things that can be combined with the open source code and other things:

(Optional but helpful criteria)
they have their roadmap open over at trello: Trello

Section on Privacy Guides

Virtual Private Network (VPN)

3 Likes

Marking this rejected for now until they officially release:

3 Likes

yep sure.

Actually it would be waiting :wink:

I do wonder if we should have an entirely separate category and criteria for decentralized VPNs. We’ll have to consider this.

5 Likes

just linking to their showcase as @nym-product did go over how nym works within the criteria

4 Likes

Thanks all. Happy to answer more questions here. A valuable resource to many of the questions raised is our “Trust Center”: Trust Center | Nym

3 Likes

Actually it’s already available, I misinterpreted the blog post.

1 Like

Welcome to the forum @nym-product

3 Likes

Yes it is! It’s effectively a free WireGuard (actually AmneziaWG) dVPN and mixnet, available on 5 major platforms (Android, iOS, Linux, macOS, Windows), and run by reputable scientists, cryptographers and privacy people. Worth giving it a try (and sharing your feedback with us :slightly_smiling_face:) before we switch to the paid version in March!

Caveats apply depending on your use cases and threat model (no killswitch yet, no post-quantum, etc., see Nym and NymVPN - Next-gen privacy with mixnet and VPN service - #4 by marc).

Thanks :slight_smile:

5 Likes

Speaking of Nym, today is the London/Paid Launch, have we thought about it everyone?

Well we did have the last 21 days or so to try it :person_shrugging:
But anyways with the paid launch just wanted to know.

2 Likes

Hi. Long time reader of the forum. I think it’d be great if Nym were added too (breaking this response into 3 parts due to posting requirements).

--- --- --- --- --- --- --- --- Part 1 --- --- --- --- --- --- --- --- ---

As a statistician and ML engineer, I see that most people in the privacy community don’t understand (through no fault of their own) how easy it is for governments to track who they are communicating with e.g. know that Bob is texting Jim on Signal or that Bob is on privacyguides. This is due to 2 factors: 1) governments are known to cooperate with each other on mass surveillance through ISP monitoring and are increasingly doing so more (e.g. United Nations Convention against Cybercrime); and 2) ML algorithms (which require no human guidance after training) can very easily fingerprint the websites people view if they can passively view the servers (through ISP level monitoring i.e. point 1). A good example of how easy it is for ML algorithms to “fingerprint” what websites people navigate to is evident in the following 2018 paper - dl.acm.org/doi/pdf/10.1145/3243734.3243768. This paper shows almost perfect detection rates:

“On undefended traffic, the DF attack attains a 0.99 precision and a 0.94 recall” - quote from paper [1] [2]

[1] BTW, precision and recall are fancy terms for measuring how well a model finds the right things (websites in this example). Precision is about the accuracy of the things it finds (how many found are actually correct), while recall is about how many of the total correct things it actually found. For simplicity’s sake, you can just think of them both as measuring raw accuracy - which in this example is 99% and 94% (lol)! This basically shows how useless traditional VPNs are at evading government surveillance (although they’re great tools against corporate surveillance).
[2] DF (Deep Fingerprinting) is the named approach in the paper which uses an algorithm (CNN) which is a whole lot less powerful than the algorithms used today (Transformers).

6 Likes

--- --- --- --- --- --- --- --- Part 2 --- --- --- --- --- --- --- --- ---

Although the effectiveness of Nym will never truly be tested (because we don’t know which algorithms and resources governments use), it employs a lot of techniques which made me think as an ML engineer - “that’s a really good idea to confuse an ML algorithm”. These main techniques include: 1) cover traffic; and 2) mixnet (with continuous mixing). Currently there is no technology which employs these two capabilities and are therefore more susceptible to ML-based attacks. In addition to the links @GorujoCY provided I found the following guide to be a really easy way to understand how Nym works - Introduction - Nym docs. Also the following provides a brief overview on the main privacy mechanisms it uses - Nym (mixnet) - Wikipedia.

4 Likes

--- --- --- --- --- --- --- --- Part 3 --- --- --- --- --- --- --- --- ---

Recently Switzerland has issued a statement to amend its surveillance laws. If you look closely at the amendment which is written in French (https://www.newsd.admin.ch/newsd/message/attachments/91537.pdf), it states that the law is about knowing “who is talking to who” communications and not end-to-end encryption communications:

“Providers with limited obligations and providers with full obligations shall remove any encryptions they have performed or that have been performed for them. For this purpose, they shall capture and decrypt the telecommunications correspondence of the monitored person at appropriate points so that the surveillance data is delivered without the mentioned encryptions. End-to-end encryptions between end customers are not affected.” - part of the linked Swiss Amendment translated from French

To me, this new surveillance law looks like a direct attack on Nym [3], which only recently launched its product in Switzerland (as discussed in this topic). To make it very clear, Nym protects against “who is talking to who” communications and this is what this law is about. In my opinion, this may be an early indication that governments are finding it harder to surveil this type of network (again just my opinion based purely on the events I’m seeing).

I understand that this forum likes to see technologies which have stood the test of time. However, I think that Nym should be actively recommended and added soon due to the lack of technologies which match its described mechanisms. From my reading it seems much better equipped than Mullvad’s DAITA at preventing website fingerprinting attacks - and I love Mullvad and have been a customer for 5 years (not planning on leaving).

I think this should be accepted soon. If the first VPN came around and this forum hadn’t seen a VPN before, would we be saying “it needs to stand the test of time” or “let’s go use this product because it provides clear technological benefits”?

Apologies for this ending rant.

[3] This may also apply to the messenger Session which recently moved to Switzerland and which focuses on hiding “who is talking to who” communications - Encrypted Messenger Session Moves to Switzerland Amid Privacy Concerns | CyberInsider

5 Likes

Is the “cover traffic” part in Nym just Amnezia?

Which other techniques? Curious since you bring up DAITA (aka maybenot) which I find quite … neat, too.

1 Like

Nym is a full-fledged mixnet that comes as a result of years of study of network anonymity systems and their various trade-offs: The Loopix Anonymity System | USENIX

In comparison to Tor (see section 3.1 Tor: The Second-Generation Onion Router) it attempts to thwart GPAs (global passive adversaries) from linking communication partners/endpoints over the network. Assumedly, the mixnet is what you route your traffic through when using the anonymous mode in NymVPN.

I believe AmneziaWG is for censorship circumvention for their fast mode in NymVPN which is a two-hop WireGuard VPN a bit like Obscura, more suited for latency sensitive tasks.

2 Likes

Hi Igor.

The “cover traffic” Nym employs constantly sends data packets to be routed through its decentralized servers, whether you are using the service or not e.g. your phone could be idle and it will always send packets at a constant rate. I sometimes use Sniffnet (https://sniffnet.net) when using Nym and (if I can remember correctly) it uploads/downloads packets at a rate of 200 packets per second. Because everyone using the Nym network is uploading/downloading at a rate of 200 data packets per second, it makes it difficult or even impossible to use an ML algorithm to classify people’s traffic purely on their upload/download rate. For example if Bob was using a regular VPN service and was watching a video on privacyguides and had a download rate of 500 packets per second and some server on the same VPN service he was using had a download rate of 500 packets per second, it may be possible to infer that Bob is on privacyguides if you had access to the ISP of his output VPN server [1]. However, if Bob was using Nym this inference is not possible because everyone uploads/downloads at a constant rate. This “cover traffic” is actually only one of the mechanisms Nym uses to stop governments using ML algorithms to make inferences on what websites people are on or what people you are texting.

DAITA is very cool also. However, from my reading of the two papers Nym employs a lot more useful techniques for the purposes of evading an AI guided traffic analysis. From a simple man’s perspective, the two techniques Mullvad’s DAITA employs are: 1) constant packet sizes; and 2) dummy/random packet injection. The constant packet size makes all data packets the same size which I would only assume would be ideal for ML “website fingerprinting” algorithms because data packets range from up to 1460 bytes and can be anything in between - MTU vs. MSS: What Every Network Administrator Should Know - The Network DNA. The dummy packet injection randomly inserts packets when you make a request which are sent based on a random generation process. This is useful for confusing AI/ML algorithms on the total number of packets sent.

Simply put Nym does all DAITA does but more [5].

  • It has constant packet sizes - as with Mullvad
  • Instead of sending random packets along with your internet request it sends constant cover traffic (always 200 packets are uploaded/downloaded). Sending constant cover traffic is a better idea to defend against ML algorithms because it removes the identifiable piece of information of “when you are using the network” and removes estimates of “how many packets are being sent per second” (which may be able to be modeled by an ML algorithm)
  • Finally, it uses a mixnet which means all your packets don’t flow through the same server. They are constantly being mixed with other users’ packets and random packets are being added to the mix nodes [2]. This is one of the main parts of Nym which makes it so hard to perform an AI/ML guided traffic analysis (in theory at least - again no one really knows what techniques governments use lol).

Not that this type of comparison matters when comparing systems. However, it must be pointed out that Nym consists of the very top researchers from their field. Both Claudia Diaz and Harry Halpin have h-index scores of 39 and 31 respectively [3]. These are indicative of researchers who have made top contributions to cybersecurity. In other words, they really know what they are doing [4].

[1] In reality, you don’t upload/download at a constant rate - giving even more information to an ML algorithm for you to be classified e.g. at second 1 you may download 255 packets, at second 2 you may download 297 packets, etc.
[2] Better off to read about the Nym mixnet on their website. In short it shuffles your network packets with other people’s packets, making it much more difficult to know who owns which packet.
[3] You can view this on Google Scholar
[4] I’m starting to sound like I’m being paid as an affiliate marketer for Nym lol - I’m not. Also here’s my Nord link …
[5] I’m still a paid subscriber of Mullvad due to their other great features though

8 Likes
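Added example, not part of the original post and not Nym's code: a toy model of the rate-correlation argument in the post above, comparing what an on-path observer can count per second on a regular VPN link and on a constant-rate link. The user names, the traffic numbers and the `shape`/`rank_clients` helpers are constructed for illustration, the 200 packets per second figure is the one the post recalls, and mixing between nodes is not modelled.

```python
import random

RATE = 200  # packets/second on the wire; the figure the post recalls (assumption)

def pearson(a, b):
    """Pearson correlation; 0.0 when either series is flat (no rate signal)."""
    ma, mb = sum(a) / len(a), sum(b) / len(b)
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    if va == 0 or vb == 0:
        return 0.0
    return sum((x - ma) * (y - mb) for x, y in zip(a, b)) / (va * vb) ** 0.5

def shape(real, rate=RATE):
    """Constant-rate link: emit exactly `rate` packets every second.
    Real packets queue; unused slots are filled with cover packets."""
    backlog, wire, cover = 0, [], []
    for r in real:
        backlog += r
        sent = min(backlog, rate)
        backlog -= sent
        wire.append(rate)          # all an on-path observer can count
        cover.append(rate - sent)  # dummy packets sent this second
    return wire, cover, backlog

def rank_clients(exit_flow, client_flows):
    """Correlation of each client's observed rate series with the exit flow."""
    return {name: pearson(flow, exit_flow) for name, flow in client_flows.items()}

def simulate(seconds=60, seed=7):
    rng = random.Random(seed)
    # Constructed per-second packet counts for three hypothetical users.
    real = {u: [rng.randint(0, 260) for _ in range(seconds)]
            for u in ("bob", "alice", "carol")}
    # Flow seen at the far side: Bob's traffic plus small jitter.
    exit_flow = [max(0, n + rng.randint(-10, 10)) for n in real["bob"]]
    plain = rank_clients(exit_flow, real)
    shaped = rank_clients(exit_flow, {u: shape(f)[0] for u, f in real.items()})
    return real, plain, shaped

if __name__ == "__main__":
    real, plain, shaped = simulate()
    print("regular VPN  :", {u: round(s, 2) for u, s in plain.items()})
    print("constant rate:", {u: round(s, 2) for u, s in shaped.items()})
    wire, cover, backlog = shape(real["bob"])
    print("bob: cover packets", sum(cover), "still queued", backlog)
```

Seconds in which real demand exceeds the fixed rate show up as backlog in `shape`, which is the latency and bandwidth cost of this kind of defence.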

Hello,

Thank you for working on Mixnet - this is marvelous and innovative.

I am concerned about Nym’s decision to ship NymVPN as an AppImage. This is, in my opinion, an unpopular decision, as fuse2 is unmaintained and is SUID root dependent.

Sounds very promising. I’ll keep an eye on the roadmap items for access to LAN and split tunnelling, I plan to try Nym when those features land.

Hey lara, welcome to the forum.

If Nym sends a fixed amount of constant 200 packets per second which also have a fixed amount of packet size, can’t AI/ML algorithms just be able to “strip out” these packets and be left with real packets that are transmitted?

Doesn’t it also make it possible that Nym traffic stands out more as one that sends a fixed amount of packets & size per second, which means ISP or global adversary can point every Nym user?

These are the 2 questions I have for now from just reading the thread. On why PrivacyGuides didn’t include it yet, it is because it needs to meet their new criteria which will take time to set a decent one, get tested by a member, share their experience etc and many other factors that play into adding to ensure it fits all possible threat models and a safe recommendation because people’s lives may depend on such addition or their long time investment.

@nym-product @ania

Thanks.

Thanks for the feedback, what would be your recommendation? Only offering Flatpak?

Access to LAN should be here next week. Split tunneling is a bit more involved. As a v1 we want to offer basic split tunneling (either inside or outside of NymVPN). The long term vision is a more advanced split tunneling (mixnet or VPN or outside) - likely not doable on all platforms.

I believe we provided evidence on most of the criteria (Nym and NymVPN - Next-gen privacy with mixnet and VPN service - #4 by nym-product). The killswitch got added in the meantime FYI. We do understand that the community is debating the privacy properties/risks of dVPNs and wants to see the effects of time.

I’ll let @ania @cdiaz reply on the 2 other questions.

3 Likes