Does Windscribe VPN meet our criteria?
TL;DR: They meet almost all of our criteria, but there could be a problem with:
- Double-hop (to be specified).
- Public facing leadership. IMO it’s acceptable.
- DNT and analytics on the website. I think it’s ok too.
Technology
- Support for strong protocols such as WireGuard & OpenVPN.
- Killswitch built in to clients.
- I think that their Firewall feature is what we are looking for. source.
- Multihop support.
- They have multihop at the browser-level. source.
- If VPN clients are provided, they should be open source, like the VPN software they generally have built into them.
- All their apps are open-source. source.
Privacy
Security
- Strong Encryption Schemes: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption.
- They claim to use even stronger algorithms. source.
Encryption
OpenVPN
Our OpenVPN implementation uses the AES-256-GCM cipher with SHA512 auth and a 4096-bit RSA key. Perfect forward secrecy is also supported.
Browser Extensions
We use TLS 1.3, ECDHE_RSA with X25519 key exchange and the TLS_AES_256_GCM_SHA384 cipher.
IKEv2
Our in-app IKEv2 implementation utilizes AES-256-GCM for encryption, SHA-256 for integrity checks. Desktop and Android apps use ECP384 for Diffie-Hellman key negotiation (DH group 20), and iOS uses ECP521 for Diffie-Hellman key negotiation (DH group 21).
WireGuard®
WireGuard® is an opinionated protocol that uses ChaCha20 for symmetric encryption, authenticated with Poly1305; Curve25519 for ECDH; BLAKE2s for hashing and keyed hashing; SipHash24 for hashtable keys; and HKDF for key derivation.
- Forward Secrecy.
- Published security audits from a reputable third-party firm.
- Here is the 2024 retest from PacketLabs, after the 2022 penetration test report from Cure53 (which is also available as a PDF).
- Desktop apps audited in 2021 by Cure53. source: Code Audit Report · Windscribe/Desktop-App Wiki · GitHub.
- “We’ve had an audit of our mobile apps as well” (source). Where can we find it, @yegor?
Trust
- Public-facing leadership or ownership.
- Founders are named Yegor Sak (LinkedIn, Twitter, interview, PrivacyGuides), Alex Elisenko and Mark Ulicki.
- “Since its inception in 2016, Windscribe has been and continues to be privately owned and operated. We have zero outside investors, and 100% of the equity is owned by the three founders (Yegor Sak, Alex Paguis (LinkedIn) and Mark Ulicki) and Windscribe employees.” source.
- “You can reach our CEO, co-founders, and staff directly through any of the channels listed above. We listen to every issue that our users have and engage in discussions on features, improvements, favorite snacks, you name it.” source
- There are the names of several employees on Windscribbles and we can find their social media.
- Connie Lukawski (Backend Team Lead/Sr. Software Developer). source (There even is her CV).
- Catt Garrod (software developer, frontend engineer). (LinkedIn).
- Ben Thornton (Content Lead). LinkedIn.
- Rebecca Rosenberg (Marketing Team Member).
- Daniel Sobey-Harker (Head of Community). Twitter. LinkedIn.
- Johnny Mainframe,
- Unni Menon,
- Simon Phoenix
- We can see even more of their employees on LinkedIn.
- Jaime Yu (Senior Software Engineer).
- Jess Malone (Senior Software Engineer).
- Animesh Pal (Senior Software Engineer).
- They have blog posts where we can see their pets, their Spotify playlist, the daily routine of Catt Garrod (frontend engineer), …
The Cure53 audit also names precisely some 5 employees:
“Cure53 would like to thank Yegor Sak, Alex Elisenko, Connie Lukawski, Konnor Klashinsky, Mark Ulicki, and all other participatory personnel from the Windscribe team for their excellent project coordination, support, and assistance, both before and during this assignment.”
Marketing
- Must self-host analytics. The provider’s site must also comply with DNT.
- I don’t know how to check for DNT.
- They claim “The Windscribe website does not contain any 3rd party analytics, tracking pixels, A/B test platforms, or social widgets.” source.
- Blacklight from The Markup finds zero ad-tech companies on windscribe.com. However, the website tries to connect to https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015 and https://stats.windscribe.com/piwik.js .
Must not have any marketing which is irresponsible:
- Making guarantees of protecting anonymity 100%.
- “No Bull Poop. A VPN is not a magic privacy button powered by ‘military grade encryption’. A VPN alone will actually do very little for your privacy, and is just one of several tools that you should have in your toolbelt.” source.
- “almost nothing can give you absolute anonymity online”. source: Do VPN services offer true/absolute online anonymity?
- Claim that a single circuit VPN is “more anonymous” than Tor, which is a circuit of three or more hops that regularly changes.
- Not aware of that. They also say “Here, at Windscribe, we’re not a fan of being misleading; many VPNs hype up their product and its capabilities beyond reality.” source.
- Use responsible language
- “the amount of ways to hack a person far outweigh the protection a VPN offers you.” source: Will Windscribe protect me from Hackers?
I have slightly edited the criteria for the sake of brevity.
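
The self-hosted analytics criterion in the Marketing section, applied to the two script URLs the post lists, as an added example that is not part of the original post: it pulls every script source out of a page and sorts the hosts into first-party and third-party relative to the site's domain. The sample markup and the `/js/app.js` path are constructed, and the site domain is passed in explicitly rather than derived from a public-suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page: only the first two script URLs come from the post;
# the surrounding markup and /js/app.js are invented for this example.
SAMPLE_HTML = """<html><head>
<script defer src="https://static.cloudflareinsights.com/beacon.min.js/vcd15cbe7772f49c399c6a5babf22c1241717689176015"></script>
<script async src="https://stats.windscribe.com/piwik.js"></script>
<script src="/js/app.js"></script>
</head><body></body></html>"""


class ScriptCollector(HTMLParser):
    """Collects absolute URLs of every <script src=...> on a page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        if src:
            # Resolve relative and scheme-relative paths against the page URL.
            self.urls.append(urljoin(self.page_url, src))


def is_first_party(host, site_domain):
    """True if host is the site domain itself or a subdomain of it."""
    host, site_domain = host.lower().rstrip("."), site_domain.lower()
    # The leading dot keeps look-alikes such as notwindscribe.com out.
    return host == site_domain or host.endswith("." + site_domain)


def classify_scripts(html, page_url, site_domain):
    """Sort script hosts into first-party and third-party, in page order."""
    collector = ScriptCollector(page_url)
    collector.feed(html)
    hosts = {"first_party": [], "third_party": []}
    for url in collector.urls:
        host = urlsplit(url).hostname or ""
        key = "first_party" if is_first_party(host, site_domain) else "third_party"
        hosts[key].append(host)
    return hosts


if __name__ == "__main__":
    print(classify_scripts(SAMPLE_HTML, "https://windscribe.com/", "windscribe.com"))
```

A first-party hostname only shows where the script is requested from; whether that host is operated by the site itself has to be checked separately, for example through DNS.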