This is a VPN service focused on privacy, security and censorship circumvention.
Why I think this tool should be added
It brings a nice package that other providers don’t offer (fully anonymous, biggest network, custom DNS support, censorship circumvention, unlocks Netflix, not a lot blacklisted, ROBERT for granular DNS filtering).
I reviewed all our criteria one by one (Opinions on Windscribe VPN? - #119 by mangomango) and I think they meet all of them, except the double-hop support, which they only support for desktop, at the browser level. Feel free to verify my review.
They released the whole thing. It’s in the blog post. It’s also talked about in the thread I linked. Yegor, the Windscribe owner, even replied to questions about it.
Oops, you’re right, that is (one of) the posts I was remembering. I was thrown off by the choice of the term pen-test (since I think the scope of the audit went beyond just penetration testing).
I think I don’t have much else to add beyond what has already been shared:
Windscribe’s 2024 blog post on the new infra and the audit(s) (edit: removed incorrect info)
Your link to @yegor’s comment on the scope of the audit. (I’d add this earlier comment, which also touches on the scope of the audit), in particular that:
So the scope is VERY extensive, and included full access to the server and all source code running on it, and the auth infrastructure it connects to.
[…]
The scope of the audit is clearly stated in the document (and blog post), which states that full access to infrastructure and code was provided.
(edit: removed some things because I was wrong)
I do not understand why the 2024 audit was not linked to in the 2024 blog post announcing the completion of that audit (or some subsequent follow-up blog post); maybe they are waiting until they complete the rollout of the new infrastructure (started in July, target completion of late '24/early '25 iirc), or maybe it is some other reason. But in any case, in my eyes, releasing the findings of the 2024 audit should be a prerequisite to getting listed, I think.
Neither of those says they’re doing an additional audit by Cure53. The Reddit post literally says they had one done by Cure53 and then had one done by PacketLabs.
Why do you say they distanced themselves from the audit?
They have actually been transparent about it, and I don’t see why you say this? But yes, we should indeed give less attention to the report of the Cure53 audit because it was a pre-production audit, and give more attention to the actual stack that will be running.
Chronology:
Cure53 audited their pre-production alpha stack in December 2022. This stack was running in production for a selected group of beta testers. They continued working on it for 18 months.
In June 2024, they released an audit (audit + retest) from PacketLabs which obviously had very, very few concerns (2 low-risk and 1 informational finding, all fixed). This brand new FreshScribe stack will be rolled out in Q4 2024 (this means between now and December).
I thank @Shampoo and @Anon47486929 for clearing up my and others’ confusion. I think I lean towards Windscribe meeting PG’s requirements.
I do take away from this that Windscribe should probably update their website to be more informative about their audits. This thread is relying heavily on Opinions on Windscribe VPN? to inform this discussion.
No, you just did not understand. Read the blog post, it is very clearly explained there.
Production means that it was used in entirety in real life, for real users.
The audit was conducted on a brand new derivative codebase and VPN host infrastructure that is not yet accessible to all customers. It has been running in production in entirety for several months now, available to a select group of beta testers.
This stack will be made available to all users in select locations starting the week of July 15th 2024, with the entire fleet expected to be upgraded by the end of Q3 2024.
That’s true, we should definitely wait until they roll out FreshScribe to all locations and all users before recommending them!
They did both.
We already very clearly explained why they did two audits, and there is no problem with that.
They did. Read the blog post about their audit if you discuss the audits, please. We linked it several times in this thread and the other thread about Windscribe.
That’s why I already asked to clarify the criteria.
Anyway, I personally really don’t care about double-hop and guess that very few people use it, even among the people who wrote this criterion.
If someone is worried about a single node compromise, shouldn’t they use Tor?
But I did not want to start a new thread to modify criteria to make Windscribe pass, because then you will think I am shilling them hahaah