Why are VPN providers like Cryptostorm or OVPN not recommended?

Pretty much title. Both providers seem to be very privacy focused etc, and trusted… at least OVPN. Cryptostorm seems to have been through some controversy, with one of their “staff” members or whatever, and accusations of being a honeypot, even though I can’t seem to find any proof on that.

1 Like

By whom? They don’t have any infrastructure audits, and OVPN has no source code for their clients.

4 Likes

Here is one good reason.

That blog post literally looks like marketing fluff.

1 Like

That’s a good point.

Yes you’re right, but my point was mainly to point out that OVPN has been acquired by Pango, a company who owns other, not very trustworthy VPN companies and thus, it adds another reason why OVPN should not be listed.

2 Likes

Pango is the owner of Hotspot Shield (VPN), Identity Defense (data aggregation service/broker), VPN 360, Ultra VPN, etc.

Sounds like they buy honeypots.

I want to provide proof, to back up my claims, so here it is. Black and white.

  • Owns Hotspot Shield VPN (AnchorFree) - https://www.corporationwiki.com/California/Sunnyvale/pango-inc/44270431.aspx

  • He has lectured to government contractors at the Technical Training Centre, Chennai Chengalpattu (Tamil Nadu, India) - https://in.linkedin.com/in/ravichandran-g-a8a1a391

  • “Hari Ravichandran … is CEO and Founder of Jump Ventures, a scalability infusion firm … and also the CEO and Founder of Aura a technology company dedicated to simplifying digital security … Hari has founded successful businesses focused on technology-enabled services and web security …” — funded by Indian and US government-owned property manufacturers. - About Hari Ravichandran - Hari Ravichandran

  • “AnchorFree, the company that makes the popular Hotspot Shield virtual private network (VPN) software, on Wednesday announced that it raised $295 million in a new funding round.” — VPN Company AnchorFree Raises $295 Million - SecurityWeek

  • The CSO/Co-founder Eugene Malobrodsky was an engineer at SimulTrans, which facilitates localization and testing of government materials

  • Partnered w/ Sujay Jaswa, (silent investments and known investments)

  • Sujay is one of Silicon Valley’s leading business innovators, and oversees WndrCo’s investment and operating activities. Sujay Jaswa - WndrCo He makes Ventures and Growth investments, and creates companies through Venture Buyouts. He serves as Chairman of Aura, Twingate, and Super Unlimited, and led WndrCo’s investments in Figma, 1Password, Databricks, Pango, Pilot, Rally, Zagat / The Infatuation, etc.

  • “AnchorFree was accused last year by the Center for Democracy & Technology (CDT), a nonprofit technology advocacy organization, of collecting user data through Hotspot Shield and sharing it with advertisers.”

  • “Earlier this year, a researcher disclosed the details of a vulnerability that exposed the names and locations of Hotspot Shield users. The expert made his findings public after claiming that the vendor ignored his attempts to report the flaw. A patch was released a few days later.”

At the very least, this means both Hari and Sujay have partnered with venture business capitalists who purchase businesses, and either flip them, or build them into other venture business capitals. They buy companies and use them to either purchase other companies or sell them to make seed money for other projects, which all seem to have the WORST privacy policies, facilitating stealing and selling user data, up to and including browsing history, ad preferences, location data, names and addresses, phone numbers, usual PII. They have a LONG history of buying from weird companies that are paid for in seed funding rounds by shady companies that also have bad track records of selling user data, just like them.

It’s clear that they have incompetent partners, as well as staff, because despite being a comp sci major, Hari seems to hire ex-contractors for governments of both India and the US, who have little experience in their fields.

1 Like

OVPN was sued a few years ago and proved in a Swedish court that they don’t and can’t store any logs.

But as mentioned above I find it odd that they focus heavily on transparency and then… They don’t open source their apps.

1 Like

Or maybe they said they didn’t, who really knows. Either way, an infrastructure audit also checks security related stuff, for example against infiltration and exfiltration of data from the company.

In any case, going to court and saying you can’t provide something isn’t the same thing as attestation from a third party.

2 Likes

Indeed, but IMO it makes the company stick out compared to the countless other corporations that run a VPN that has neither open source nor a court order to back up their no-logging policy.

I also think there’s a bit more to it than OVPN simply claiming that’s the case:

To summarize the verdict, the Rights Alliance and their security experts have not been able to prove any weaknesses in OVPN’s systems that could mean that logs are stored. OVPN therefore wins the information injunction as our statements and evidence regarding our no log VPN policy have not been disproven. The movie companies also need to pay OVPN’s legal fees which amounts to 108 000 SEK (roughly $12300 at current exchange rate).

I’d still recommend Mullvad over this.

2 Likes

I would add that any court case, criminal investigation documents and server seizures (see Express in Turkey in 2017) should be treated similarly to “no-logs audits” when considering it as a trust signal. It can be useful, especially if it’s a recent one. However, conditions can change the next day - I’d argue it’s a specifically relevant notion if the company got acquired after the fact, which is true for both Express and OVPN.

1 Like

Any opinions on Crypto Storm? I just found out about them and at first glance they look good. Cross-platform (Wireguard & OpenVPN), port forwarding support, can pay with Monero, claim to have no logs…

  • The website is buggy, which doesn’t give a good first impression. I tested this with both Firefox and Brave.
  • They don’t want to tell their users where they’re located, nor is there any information about the people behind it.
  • No audits.
  • No apps, you have to use Wireguard or OpenVPN clients.

There were some good things I noticed, but I don’t see any reason to recommend them over the options that Privacy Guides currently has. The fact that we don’t know anything about the people behind it is a big red flag, as well as their unwillingness to say where they are located. They say they do this to prevent themselves from being shut down, but this only creates more questions and makes me wonder why they see this as a potential concern. So no, I would not recommend them.

1 Like

For starters.

Cryptostorm seemingly has had associations with certain people potentially accused of criminal acts in the past.

A few years ago they installed an IDS on their VPN servers to intercept plain-text HTTP traffic with the justification of deterrence from using them for cyberattacks.

It is true that Cryptostorm was a pioneer in token based payments to avoid collecting information about their users. But they are not the only provider that practices information minimization of their users. You can’t disclose what you don’t have.

Some of this was discussed on the forum of AirVPN.

Given the alternatives, I do not see conducting business with them as necessary.

That discussion actually brought forward some interesting arguments in favour of Crypto Storm. The token system you mentioned (but which is not unique anymore) is one. I particularly noticed that if you connect to their VPN their DNS allows you to resolve .onion and .i2p domains in the normal browser. Not best practice due to browser fingerprinting I assume, but I still like it.

Yes I agree that was pretty disgusting to find out (bestiality)

That doesn’t have to be a bad thing. We also don’t know who created Bitcoin or Monero.

1 Like

You can’t compare a VPN provider and cryptocurrencies such as Monero this way because, with VPN providers, you are placing trust in a company, which means that I have no idea who I am trusting with my data at Cryptostorm, and that isn’t a good thing. I would suggest that you read this excellent article by IVPN that talks about this.

On the other hand, it doesn’t matter that we don’t know who is behind Monero because we don’t have to trust them. We only need to trust the protocol that is publicly available for auditing.