This is a VPN service focused on privacy, security and censorship circumvention.
Why I think this tool should be added
It brings a nice package that other providers don’t offer (fully anonymous, relatively big network, custom DNS support, censorship circumvention, unlocks Netflix, not a lot blacklisted, ROBERT for granular DNS filtering).
I reviewed one by one all our criteria (Opinions on Windscribe VPN? - #119 by mangomango) and I think they meet all of them, except the double hop support, which they only support for desktop, at the browser level. Feel free to verify my review.
The audit is not thorough though? Personal opinions on Windscribe aside (I do think they are an unserious business that tries too hard to be edgy, while being almost useless when it comes to technical depth of explanations when interrogated), their audit seems to be always on the horizon and never executed.
They did the “pentest” in ye old 2022, which then they repeatedly denied as being an actual audit since, and I quote:
“The stack that was audited didn’t make it to production, so publishing the results of this audit is pointless. We further improved the software stack to the point that it warranted another audit entirely.”
Then, when asked about audits as recently as 4 months ago, they shared an image, literally an image of an audit frontpage (WS Audit PacketLabs - Album on Imgur) which was hilarious because:
They promised a Cure audit, and then did packet labs
And they also did not release the full report last I checked.
I wouldn’t trust Windscribe to handle something as sensitive and trust dependent as a VPN, when they just can’t do basic transparency right. They are an edgelord’s idea of what a cypherpunk VPN should be. We already have excellent recommendations like Mullvad; I don’t think Windscribe is on the same level of privsec at all (notice I didn’t say feature parity, since it’s a privacy guide and not a tech enthusiast review site).
They released the whole thing. It’s in the blog post. It’s also talked about in the thread I linked. Yegor, the Windscribe owner, even replied to questions about it.
Oops, you’re right, that is (one of) the posts I was remembering. I was thrown off by the choice of the term pen-test (since I think the scope of the audit went beyond just penetration testing).
I think I don’t have much else to add beyond what has already been shared:
Windscribe’s 2024 blogpost on the new infra and the audit(s) (edit: removed incorrect info)
Your link to @yegor’s comment on the scope of the audit. (I’d add this earlier comment which also touches on the scope of the audit), in particular that:
So the scope is VERY extensive, and included full access to the server and all source code running on it, and the auth infrastructure it connects to.
[…]
The scope of the audit is clearly stated in the document (and blog post), which states that full access to infrastructure and code was provided.
(edit: removed some things because I was wrong)
I do not understand why the 2024 audit was not linked to in the 2024 blogpost announcing the completion of that audit (or some subsequent followup blogpost), maybe they are waiting until they complete the rollout of the new infrastructure (started in July, target completion of late '24/early '25 iirc), or maybe it is some other reason. But in any case, in my eyes, releasing the findings of the 2024 audit should be a pre-requisite to getting listed I think.
No it’s not. You are referring to packet labs report link you shared above, I am talking about the actual 2024 audit they promised by Cure. It’s also the same presented in the image link I shared. Here is their support on reddit clarifying the same: https://www.reddit.com/r/Windscribe/comments/1df9kl6/another_audit_post/
Neither of those say they’re doing an additional audit by cure. The Reddit post literally says they had one done by cure and then had one done by packet labs.
Ah, so their knowledge base seems outdated. I stand corrected, will edit the above to reflect the same. As for the Cure audit, they had been promising a new re-audit after they distanced themselves from the 2022 audit, so the implicit assumption was a Cure audit. It was also discussed in the subreddit multiple times.
But anyway, the point about lack of prompt transparency still stands. I am very against inclusion of Windscribe, just based on the marketing and the practices they seem to work with.
Why do you say they distanced themselves from the audit?
They have actually been transparent about it and I don’t see why you say this? But yes, we should indeed give less attention to the report of the Cure53 audit because it was a pre-production audit, and give more attention to the actual stack that will be running.
Chronology:
Cure53 audited their pre-production alpha stack in December 2022. This stack was running in production for a selected group of beta testers. They continued working on it for 18 months.
In June 2024, they released an audit (audit + retest) from PacketLabs which obviously had very, very few concerns (2 low-risk and 1 informational finding, all fixed). This brand new FreshScribe stack will be rolled out in Q4 2024 (this means between now and December).
Because I was quoting them? The audit was done on non-production software, and the audited software wasn’t deployed even later. So that was officially a useless audit.
As of now they are still promising to roll the newer audited stuff out by Q4, and I guess that’s why they haven’t changed the answer in their knowledge base. So currently they aren’t actually running audited software across their users if their representations and what you have said are correct.
Either you are wrong, or Windscribe is lying on Reddit. Their quote is “The stack that was audited didn’t make it to production”. Even if it was used in beta, beta testing is not production anyway.
I thank @Shampoo and @Anon47486929 for clearing up my and others’ confusion. I think I lean towards Windscribe meeting PG’s requirements.
I do take away from this that Windscribe should probably update their website to be more informative about their audits. This thread is relying heavily on Opinions on Windscribe VPN? to inform this discussion.
No, you just did not understand. Read the blog post, it is very clearly explained there.
Production means that it was used in entirety in real life, for real users.
The audit was conducted on a brand new derivative codebase and VPN host infrastructure that is not yet accessible to all customers. It has been running in production in entirety for several months now, available to a select group of beta testers.
This stack will be made available to all users in select locations starting the week of July 15th 2024, with the entire fleet expected to be upgraded by the end of Q3 2024.
That’s true, we definitely should wait until they roll out FreshScribe to all locations and all users before recommending them!
They did both.
We already very clearly explained why they did two audits and there is no problem with that.
They did. Read the blog post about their audit if you discuss the audits, please. We linked it several times in this thread and the other thread about Windscribe.