We have completed our first independent audit with Cure53. Proud to say there were no high-severity vulnerabilities found.
Hope it was worth the wait! 
5 Likes
I’m still going to ask and point out that Obscura has actively chosen not to disclose the entities funding the project.
You may do the right things and show that you’re being transparent but not with everything. And not having a good answer for the question is indeed questionable no matter.
This was brought up in another Obscura thread and I wanted to bring it up again here to once again ask and inform others of your refusal to be transparent here.
The VPN industry is funded by so many questionable people so it’s not unreasonable to ask this of you to disclose. Obscura’s responses on the other thread absolutely do not inspire confidence and was corporate speak at best.
I want to like Obscura but you’re not alleviating reservations people have. And hence this reminder for others reading.
1 Like
I personally just tried Obscura with their MacOS app. The app itself isn’t too bad. However, one thing that I did notice was that the experience of choosing and connecting to servers was mainly the same as with establishing a connection with any other VPN provider. I expected to be able to manually choose for myself on what server and location that I wanted to connect to for both the entry and exit nodes (so choosing whichever Obscura VPN server and Mullvad server pairing/path that I wanted), but I didn’t get that option. I also noticed that the server selection was much smaller than I anticipated compared to just using Mullvad natively, and found it quite surprising that I didn’t have full access to the entire Mullvad server network like what my impressions on it have suggested. If I remember correctly, I even had access to all of Mullvad’s available servers when I bought and used it through Tailscale. When I looked at all of the available locations of Obscura that were listed in their FAQs page, I thought those were the available locations that I could pick from when choosing the location/server that I wanted to connect to just for the Obscura entry node and I didn’t realize those were the location options for the whole connection path.
I still stand by that the technology, ideas, and concepts of the Obscura VPN are all excellent and I would love to become a full user. However, it seems that it needs a bit more time in the oven before prime time. Note, I’m not trying to bash/troll or anything like that, but I was just honestly noting my first impressions when I decided to try it on my MacBook.
My comment was not concerning the quality of the product but the management and decision making and the company itself.
Thank you for sharing your views of your experience though. Good context.
Thanks. I was just replying to your post as sort of just an add-on to what you have said.
1 Like
Awesome!
No severe issues, only very minor issues. Mostly possible Dos. The most severe was an unencrypted key in plaintext, but Curw noted that this needed a permission to access, so no real-world impact.
Also great to see Cure53 also analysing potential privacy/fingerprint issues and noting them.
1 Like
For others who may lack context:
This community has been bitten once before by a non-VPN service.
Yeah we were trying to keep things simple for the location selection, and we chose a subset of Mullvad servers that had good connections to our servers.
If you have a particular location in mind, please feel free to DM me and I’ll look into it!
Yup to be clear:
- It would have required
rootaccess on the machine, in which case all bets are off. - We’ve since moved the key to the keychain for defense-in-depth many versions ago in v1.128 (we’re now on v1.151).
2 Likes