Opinions on Windscribe VPN?

Creative · December 3, 2022, 9:13pm

Hey dear community!

Any opinions about Windscribe VPN and how they handle things?
We would be thankful for any input!

InconspicuousEntity · December 3, 2022, 10:13pm

I personally don’t want to use a VPN in NA.

Creative · December 3, 2022, 10:16pm

Makes sense, thank you for the answer, @InconspicuousEntity !

dngray · December 4, 2022, 8:06am

We did away with the “eyes” nonsense some time ago, because it’s only one treaty of many. Many countries also do invasive surveillance nowadays. It’s also not 2012 anymore.

github.com/privacytools/privacytools.io

🌐 Website Issue | Redefine requirement on services Five Eyes under a Juristiction section

opened 01:41AM - 28 Oct 19 UTC

closed 08:00AM - 24 May 22 UTC

dngray

high priority 📝 correction

## Description These days I really don't think this specific services should …be recommended or not recommended based upon the FVEY [(Five Eyes)](https://en.wikipedia.org/wiki/Five_Eyes). The reason for this is, that even if you were to choose a country that was not in the FVEY there is nothing stopping FVEY states from "leaning" on said country that you have chosen for your services. Additionally we can be sure FVEY is not the only intelligence gathering agreement in the world. I would think countries that align themselves with China or Russia might very well share information too. A user needs to establish whether their usage is going to align with their state's policy. For example if I lived in `insert EU state with good privacy legislation` might be a better choice than something overseas. This argument comes up quite often in regard to DoH, VPN providers. - https://github.com/privacytoolsIO/privacytools.io/issues/1428 - https://github.com/privacytoolsIO/privacytools.io/issues/1395#issuecomment-540905268 - https://github.com/privacytoolsIO/privacytools.io/issues/1431 - https://github.com/privacytools/privacytools.io/issues/1915 We should encourage the use of [End to End encryption](https://en.wikipedia.org/wiki/End-to-end_encryption) wherever possible, and if anonymity is required, the usage of Tor or other strong anonymity networks.

We’re waiting for their write-up Add Windscribe by dngray · Pull Request #1312 · privacyguides/privacyguides.org · GitHub

dngray · December 4, 2022, 9:19am

It was actually based on more lengthy discussions with other people that were in other threads, and in Matrix, additionally there is constructive reasoning provided behind these scribbles as you put it.

Creative · December 4, 2022, 12:57pm

Awesome, this discussion and vetting was exactly what we were looking for.
I should have checked Github as well for issues.

Thank you again for the great input, Daniel!

CostcoFanboy · May 22, 2023, 10:06pm

I honestly do not think the Ukrainian event should be forgotten or forgiven.

I believe that it can be said that many other VPN providers did not have such huge fuck ups and are considerably more worthy of being recommended by such a popular privacy guide.

I also find it fairly worrisome for privacyguides to recommend a VPN led by a CEO that behaves like an unhinged child on Twitter.

jonah · May 24, 2023, 6:06pm

I think if we were going to start judging projects based on how unhinged their developers are, there are a number of existing recommendations I can think of that we would have to reconsider.

That being said, VPN providers do require a bit more trust than usually expected, so it’s something we can factor in. I don’t think we would recommend against Windscribe on the basis of a Tom Spark YouTube video alone.

dngray · May 25, 2023, 5:59am

What I do like about them is they were honest about the scope and took steps to make sure it could never happen again. All of their servers now operate in RAM, which is about the best you can hope for with a public VPN provider. They do seem to have a strong understanding of PKI, and use short lived certificates.

They also have other informative articles rather than just “marketing SEO fluff” like a lot of VPN companies do.

We still would be waiting for that audit likely they were fixing and refactoring code to be publicly available.

It’s Tom Sparks, of course he’s going to be a sensationalist twit. His whole take on the PTIO/PG transition was to support Marco Wollank’s (BurungHantu) lies without any research/comment from the other side (us) and then to make some crappy “hit piece” for his channel. When challenged on Twitter there was silence. Apparently that stemmed from a post on Reddit where I suggested he had a strange obsession with Tor Guard and his “reviews” weren’t very scientific, only speed tests and no real evaluation of apps, their kill switches, (whether the implementation is safe) or other features such as IPv6 routing, port forwarding etc, if they are open source, or if they’ve had audits. I don’t know whether that has improved, as I don’t watch his videos and am not his target audience.

I have found that Windscribe has been professional in the limited correspondence I have personally had with them, regarding questions about their service.

yegor · May 25, 2023, 3:55pm

Hi folks, man child here.

Firstly, I’ll say that citing Tom Spark as a source in the VPN space is like citing the opinion of a 12 year old on middle-eastern geopolitics. His recent opinion changed, not sure why but now we’re “A tier”: The WindScribe Review - Done by a True VPN Master Elite Hackerman Anonymous Incarnate - YouTube

Anyhow, back on topic of the Ukraine thing. Server seizures happen all the time, for all VPN providers as it’s a function of network size and how many people use the service. Bigger services will have more seizures. This was not our first nor the last, and it’s normally not a big deal or “news worthy”.

What made that one different, is the events described in the blog post (the primary source of news from the event). It would have been real easy to say nothing, and rotate the certs as a “preventative security measure” (as some VPNs have done previously) and not a single person outside the company would ever know.

That being said, I can almost guarantee you such an event occurred with many other VPN providers and they simply said nothing, to avoid threads like this. Especially when it’s so easy to say nothing and brush it under a rug.

Don’t confuse our complete transparency for weakness. We made a mistake, we let everyone know, we learned from it, and deployed a superior solution which you can verify yourself vs other VPNs using steps mentioned in the blog post. Not a single provider that is currently subject to the same issue we had bothered to fix it, almost 2 years later.

I hope the above sheds some light on this.

jonah · May 25, 2023, 5:45pm

I suspect not for long after posting this message

While I have you here, I think we are still waiting for this, right?

yegor · May 25, 2023, 8:34pm

I addressed the questions there. The full “node audit” will be made public when the new node stack actually hits production. It’s still pre-release.

We could publicize the one we have from Cure53, but it would be rather meaningless as what was audited is not in production.

Here is a quick summary of that, all of this was already fixed.

CostcoFanboy · June 7, 2023, 1:55am

Hey man child,

Firstly, I’ll say that citing Tom Spark as a source in the VPN space is like citing the opinion of a 12 year old on middle-eastern geopolitics.

I’m not citing Tom Sparks as a source for VPN trustworthiness, but your clear outburst on a public forum.This was stupidly unprofessional and you keep showing your lack of professionalism here.

It’s kind of obvious the guy is a fucking moron when his first pick is a closed source VPN.

This was not our first nor the last, and it’s normally not a big deal or “news worthy”.

Yes, the fuck ups of one-self is never newsworthy, only the fuck ups of others ;).

That being said, I can almost guarantee you such an event occurred with many other VPN providers and they simply said nothing, to avoid threads like this.

Baseless speculation and smearing, cool. I’m sure it happens to garbage ass crap like Tunnelbear or PureVPN. But this is to be the most trustworthy. Incompetence makes you lose trustworthiness.

I’ll stick to NOT supporting the VPN that uses outdated encryption technologies like 4096-bit RSA keys.

I’m out and will suppress notifications from this thread.

CostcoFanboy · June 7, 2023, 1:57am

I think if we were going to start judging projects based on how unhinged their developers are, there are a number of existing recommendations I can think of that we would have to reconsider.

I strongly believe you should make mention of this in general on products. Privacy is based on trust. Trust comes from integrity, history and professionalism.

yegor · June 7, 2023, 2:37am

# of server seizures = # of active users * percentage of people engaged in "seizure worthy" (illegal) activity.

Therefore, the bigger the VPN, the more seizures they have. That’s just a simple fact. We get about 1 seizure per year, on average. All but the one we disclosed was a non-event with no impact. Nord/Express/PIA were around for longer, and are bigger than Windscribe.

Any VPN company that does not operate RAM disk nodes, or use encryption is therefore subject to this exact issue. RAM disk nodes only became “cool” in the last ~4 years, at least based on public info released by VPN companies. Therefore, any seizure that occurred before because neither mitigation was in place would have resulted in an identical situation.

Here are just some of these events, impact of which was exactly the same.

Difference here, is the PR spin. “preventative security update” (its not, its an IDENTICAL situation), “server held no useful information for the authorities” (no VPN server ever does).

Had we been assholes, we could have said the exact same thing: “Ukraine servers were sized, no data was on them, so it’s all good. Btw we’re rotating the keys for extra security”.

Had we followed the lead of the “industry incumbents” this thread wouldn’t exist and you would know nothing about this event.

Regime6045 · September 20, 2023, 11:05am

Any news on this? Windscribe offers port forwarding, which IVPN/ProtonVPN/Mullvad all dropped recently. Perhaps that makes it worth adding to the Guide?

Bhaelros · October 14, 2023, 6:36pm

Why WS is still not added to the recommended VPN list?

jonah · October 14, 2023, 7:00pm

@Regime6045 ProtonVPN supports port forwarding.

@Bhaelros I think we’re still waiting for the things we’ve been waiting for this whole time?

The iOS client hasn’t been open sourced https://github.com/privacyguides/privacyguides.org/pull/1312#issuecomment-1563379064
Their full node audit hasn’t been released:

We are currently undergoing a full audit of our server stack which should be published in early 2023.

https://windscribe.com/knowledge-base/articles/has-windscribe-been-audited

I’d love to add more services, but our criteria is well-defined, and unless we’re going to change them in order to list Windscribe, Windscribe isn’t going to be recommended. The simple fact is that there are already three services which do meet our criteria—so our criteria obviously isn’t too strict—and Windscribe isn’t demonstrably better than our recommendations as far as I know, so all we can do is wait