Windscribe (VPN Service)

Their website works through Cloudflare. Some Tor exit nodes are just blocked, others are shown this:

User account credentials are exposed to Cloudflare. This may include the user’s e-mail address if provided.

WireGuard private keys created with Windscribe’s online config generator on their website would also be exposed to Cloudflare.

1 Like

How are the user credentials, keys and all the secrets exposed? Proton has their nameservers on Cloudflare too. Are they exposing your secrets too?

You should try reading how Cloudflare works, what a reverse proxy is, and how it is different from just using nameservers.

Just using Cloudflare’s nameservers won’t cause this screen and “Server: cloudflare” HTTP response header.

This schematic from Cloudflare themselves explains what is encrypted and what is not:

1 Like
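The distinction drawn in the post above (reverse proxy versus nameservers only), as an added example that is not part of the original thread: it classifies a site from a response head and an NS list you collect yourself. The sample inputs are constructed, the function names are hypothetical, and `CF-RAY` is a header Cloudflare's proxy adds alongside `Server: cloudflare`.

```python
# Added example, not from the thread. Inputs are what you would collect with
# e.g. `curl -sI https://host` and `dig +short NS domain`.

def parse_headers(raw_head: str) -> dict:
    """Parse a raw HTTP response head into {lowercased-name: value}."""
    headers = {}
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw_head: str, nameservers: list) -> str:
    """Return 'reverse-proxied', 'dns-only' or 'no-cloudflare'.

    reverse-proxied: the HTTP response came from Cloudflare's edge, so TLS
        terminates there and request/response bodies (login forms, generated
        configs) are plaintext at Cloudflare.
    dns-only: Cloudflare answers DNS for the zone, but HTTP traffic goes
        straight to the origin and is not decrypted by Cloudflare.
    """
    headers = parse_headers(raw_head)
    # Proxy evidence lives in the HTTP response, independent of who hosts DNS.
    proxied = (headers.get("server", "").lower() == "cloudflare"
               or "cf-ray" in headers)
    cf_dns = any(ns.rstrip(".").lower().endswith(".ns.cloudflare.com")
                 for ns in nameservers)
    if proxied:
        return "reverse-proxied"
    return "dns-only" if cf_dns else "no-cloudflare"

# Constructed sample data (not captured from any real site).
PROXIED_HEAD = ("HTTP/2 403\r\nserver: cloudflare\r\n"
                "cf-ray: 0000000000000000-AMS\r\ncontent-type: text/html\r\n")
ORIGIN_HEAD = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n"
CF_NS = ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."]
OTHER_NS = ["ns1.example.net.", "ns2.example.net."]

if __name__ == "__main__":
    print(classify(PROXIED_HEAD, CF_NS))    # proxied site on Cloudflare DNS
    print(classify(ORIGIN_HEAD, CF_NS))     # Cloudflare nameservers only
    print(classify(ORIGIN_HEAD, OTHER_NS))  # no Cloudflare involvement
```

Headers can be set by any server, so treat the result as an indicator; a proxied site also does not need Cloudflare nameservers, which is why the two checks are independent.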

4 Likes

To someone relatively new to this stuff like me, this seems pretty bad from a privacy/security aspect. Is it?

Asymmetric cryptography protocols like WireGuard assume that private keys should remain private to keep the communication secure from eavesdropping and manipulation, not shared with big tech third parties like Cloudflare. Allowing a third party to intercept plaintext account credentials and WireGuard private keys is not the way for a VPN provider serious about privacy.

Such practices should disqualify a VPN provider from being considered a primary VPN for privacy-seeking users. It may be suitable for location spoofing when used over a more privacy-focused VPN if the latter does not provide desired exit server locations.

2 Likes

I wonder how other VPN providers manage to survive without Cloudflare.

Couldn’t have said it better myself.

But they are available as plaintext to Cloudflare in-transit. Oh, we just have to think of it as trusted.

Cloudflare can reuse plaintext username and password. Ties to device fingerprints also aren’t something that sounds desired from privacy-focused services.

Account username and password are neither hashed, nor short-lived. WireGuard configs containing private keys are also neither hashed, nor short-lived.

Thanks for countering those arguments, I think you’re absolutely right. I’m hoping yegor could shed some light on this in order to discuss this further, otherwise I’ll open a ticket at Windscribe.

1 Like

If you do @yegor to ping him, it’s more likely he will respond than if you just link his profile.

1 Like

Well, he came here recently to discuss the questions concerning the Control D stuff. But not this.
So that’s a bit disappointing.

It’s only been 4 days since I asked (indirectly, via the helpdesk) for a response by @yegor, so let’s just wait a bit more.