Opinions on Windscribe VPN?

The lack of transparency regarding the Cure53 audit should be a red flag for Windscribe https://www.reddit.com/r/Windscribe/comments/1df9kl6/another_audit_post/

I’ve been using Windscribe for a couple of months now.

I’ve had a pretty mediocre experience with some bugs and just general frustrations (some probably Linux specific). Compared with Mullvad my constructive criticisms are:

  1. Technical documentation is lacking; they seem to devote a lot more focus to edgy marketing towards the teenage-torrenting crowd than to writing good detailed docs. I don’t really mind the ‘edgy’ marketing stuff, so long as it doesn’t come at the expense of good documentation, or a good service.

    A. Community doesn’t seem especially technical either, so the subreddit hasn’t been super useful for finding answers to technical questions.

  2. The app feels cluttered yet simultaneously not very information dense; it kind of has the vibe of a Las Vegas billboard.

  3. Double Hop depends on using a browser extension.

  4. Proxy feature (seems to) rely on using a browser extension.

  5. Bugs:
    A. When the VPN is enabled, updates (sudo dnf upgrade) and applications including Firefox, Thunderbird, FreeTube, and iirc Brave would take literally minutes to open. (I was able to find a workaround that solved this.)
    B. The connection would drop intermittently (kind of normal for a VPN in my experience) and nothing short of a full system restart would allow me to reconnect or even disable the firewall/“killswitch” (not restarting the app, not restarting the systemd services, not even a full logout). This would happen at least daily. I’m using a Beta version now and it seems the problem may have been solved.
    C. A separate issue with dropped connections, where the only way to reconnect was by switching from WireGuard to OpenVPN.

  6. Kind of minor complaints / personal preferences:
    A. No option to download config files at the state/country/region level or a ‘best connection’ type option. So if I import a WireGuard config into NetworkManager it must be for a single specific server.
    B. No ability to create custom lists of VPN servers like I could with Mullvad.

What I do like about Windscribe:

  1. They do have a featureful Linux app, despite the bugs I’ve experienced.
  2. The price is hard to beat.
  3. Except for the criticisms above (some of which have been mitigated), most things just work (as a Linux user, I never expect that to be the case with VPN clients).
  4. Haven’t used the local proxy feature but it seems useful.
  5. No hard limit on concurrent or overall connections.
  6. Most of my issues are probably either Linux specific or would not be relevant to casual VPN users who just want a simple VPN and don’t care about double hop, proxies, custom lists, or technical docs.
  7. Did I mention price…
3 Likes

I haven’t seen anyone mention it yet but they recently open sourced their iOS app: GitHub - Windscribe/iOS-App: Complete source code of the official Windscribe iOS application.

One of their staff also said on Reddit that they had a new audit performed in May and they are “… currently incorporating the auditors’ recommendations into our software stack. We’ll then roll out the further-strengthened software stack across our server fleet.”

Those were the two things preventing Windscribe from being listed on here so that’s good. It’s one of the only VPNs I’ve found that has an actually decent Linux app so I’m happy personally.

1 Like

Who is PacketLabs ?

The only concrete bits we have so far are a partial screenshot:
WS Audit PacketLabs - Album on Imgur
Maybe they are just waiting to fix the bugs. But I don’t think they should communicate it before they have finished fixing the bugs.

This is nice, and the license is MIT.
That being said, they have yet to switch development of the app to GitHub. It has been two weeks since the initial commits. That means they probably still use an internal Git system. I guess they might switch in the next few weeks, so we should wait and see.

1 Like

Communicating it is a good thing. They didn’t give any real updates on their audit for years so any attempts at being transparent are a step in the right direction for them.

It looks like their other apps are also developed internally and then pushed to GitHub when there’s a new release.

I mostly use Windscribe as a disposable VPN.

iirc port forwarding, and by extension torrenting etc., is nice there.

I believe it’s the only provider that supports all major protocols.

Windscribe security audit

https://blog.windscribe.com/freshscribe-next-generation-vpn-infrastructure-2/

5 Likes

Now that the audit happened. Wonder if there’s any plan on Windscribe being added on the recommendation list.

They’ll probably wait to add it until the new stack is fully rolled out. Windscribe said the end of Q3 2024 it’ll be complete so I assume it’ll be added to the site in September.

2 Likes

TL;DR
Not an audit, but a penetration test, so no access to internal infrastructure. All found vulnerabilities were fixed.
2 main vulnerabilities and one privacy issue were found:

  1. Outdated software with unpatched security vulnerabilities (Sonatype Nexus Repository, Redis Metrics Exporter).
  2. Weak access control allowed access to their internal repo, which ultimately gave access to the salted SHA-512 hash for the redacted user, along with standard users.
  3. Logging of IP addresses or user account info, depending on the connection method. Those are kept for 10-23 hours.

While Windscribe claimed victory, this is far from reassuring. 2) is a serious vulnerability which shows the lack of defensive security thinking, and 3) is concerning as they effectively logged users, although temporarily, despite claiming “no-logging”.

Of course, this “audit” was very different from Mullvad’s. Mullvad gave full access to a server’s source code to test it for vulnerabilities. Here, it is only a test from an outsider’s perspective, and it does nothing to evaluate how one malicious employee could exploit internal code.

I don’t want to be mean with WS, but with their history, I believe a more thorough audit is warranted for inclusion on PG.

5 Likes

This TLDR is very wrong, and it sounds like the audit was not actually read, or you have an axe to grind for some reason…

Point #2: This is not a “serious vulnerability” (notice the actual severity on the issue - LOW) as this is only for rootfs, which is a blank slate server with no configs, secrets, or useful information. This also didn’t affect anything in production, as this is a pre-production audit. This was an oversight for sure, but that’s why we did the audit before going into production with this setup.

Point #3: This affected zero customers as the beta servers the select group used to provide us feedback never accessed the machine that the audit was performed on, where we did enable full logs for debugging, and forgot to put them back to how they were.

If you read the scope section, you will find the following:

This included the ca-023.windscribe.com node along with the security testing and manual source-code review of the Windscribe cross-process communication and microservice stack.

So the scope is VERY extensive, and included full access to the server and all source code running on it, and the auth infrastructure it connects to.

There were so few findings because this is not the first audit (earlier Cure53 one had more findings), so if you actually read the whole thing, the results are pretty damn good (2 low severity issues, and one info).

Since you mentioned Mullvad, they did a VERY similar audit of their pre-production infra last year: Infrastructure audit completed by Radically Open Security | Mullvad VPN

Which resulted in:

RoS discovered 1 High, 6 Elevated, 4 Moderate, 10 Low and 4 info-severity issues during this penetration test.

All software has bugs, as everything is done by humans who make mistakes. I caution not to add emotion into the mix, or make baseless claims that are not backed up by facts.

Cheers

14 Likes

Personally I have no issue with jokes; it’s how a lot of brands do marketing these days. What misinformation are you talking about?

2 Likes

While I do have some issues with Windscribe myself, the jokes aren’t a part of it. The April Fools, jokes, etc. are just part of a marketing gimmick. Look at Dbrand insulting their customers and their products on a regular basis. It’s modern marketing.

3 Likes

Serious issue was a personal opinion, not a level. Anyway, the audit rankings do not use

From what I understand, they might have had access to your internal code, but they were still just doing pentesting, meaning they tried to penetrate it from outside. Mullvad’s audit is internal and external, like if an employee had access to a Mullvad server, what could he do.

Scope 3

Maybe, but who knows? The point of an audit is that I don’t have to believe you. And your no-logs policy wasn’t upheld, per the audit.

You clearly didn’t read the audit/blog post because there’s a section that says “External and internal penetration testing” in huge bold letters. The same section also says they were tested with full access to the machines.

3 Likes

This is so annoying. I read it one week ago. Everyone says I haven’t but I have.

BTW, I didn’t see that. I don’t consider the Windscribe blog post, just the audit. Feel free to attach screenshots.

No disrespect, but what are your credentials to provide “personal opinions” on security matters from a document that you have not fully read?

The scope of the audit is clearly stated in the document (and blog post), which states that full access to infrastructure and code was provided.

You probably just read the title of the report, which does say “Penetration Test”, which is exactly the same title as the Mullvad report, that you also have not actually read: ros-website/ros-public-reports/ROS - Mullvad VPN 2023.pdf at d923ae2001cdf48deeb0130475a415273e5087c7 · radicallyopensecurity/ros-website · GitHub

Scope 3: Now we’re getting into tin foil hat territory. If that was the case, it would be in the report. Much like it is in Mullvad’s report, where they accidentally sent production traffic through a test server.

MLL-024 — Production multihop traffic on test system
The VPN server used for testing processes multihop traffic for production VPN users.

7 Likes

I’m keeping this thread open for now as we haven’t decided as of yet. That said, I have deleted a few comments to clean up the thread. @guest138759215 I’m nicely asking you to keep the nonsense at bay, or you will be muted.

5 Likes

It looks like they’re just deleting all of their comments so this whole segment of conversation will have no visible cause