ProtonVPN Open Sources All Its Code (protonvpn.com)
ProtonVPN open sourced its code this week, ZDNet reports:
On Tuesday, the virtual private network (VPN) provider, also known for the ProtonMail secure email service, said that the code backing ProtonVPN applications on every system -- Microsoft Windows, Apple macOS, Android, and iOS -- is now publicly available for review in what Switzerland-based ProtonVPN calls "natural" progression.
"There is a lack of transparency and accountability regarding who operates VPN services, their security qualifications, and whether they fully conform to privacy laws like GDPR," the company says. "Making all of our applications open source is, therefore, a natural next step." Each application has also undergone a security audit by SEC Consult, which ProtonVPN says builds upon a previous partnership with Mozilla...
The source code for each app is now available on GitHub (Windows, macOS, Android, iOS). "As a community-supported organization, we have a responsibility to be as transparent, accountable, and accessible as possible," ProtonVPN says.
"Going open source helps us to do that and serve you better at the same time."
They're also publishing the results of an independent security audit for each app. "As former CERN scientists, publication and peer review are a core part of our ethos..." the company wrote in a blog post. They also point out that Switzerland has some of the world's strongest privacy laws -- and that ProtonVPN observes a strict no-logs policy.
But how do they feel about their competition? "Studies have found that over one-third of Android VPNs actually contain malware, many VPNs suffered from major security lapses, and many free VPN services that claimed to protect privacy are secretly selling user data to third parties."
ProtonVPN is still keeping control? (Score:1)
Why use a VPN server? (Score:1)
Router Firewall and UltraVNC? (Score:1)
(However, Netgear, in my opinion, has areas of sloppy management.)
Service provider (Score:5, Informative)
ProtonVPN isn't merely a developer of VPN software.
They also provide a VPN *Service* with VPN servers that you can connect to.
*That* is the interesting part.
They will try to bring a bit of trust and transparency around the VPN services they provide.
Compare with the recent NordVPN fiasco [slashdot.org]...
Re: (Score:3)
I guess you believe that a server in the US is just as secure from government interference as a server in Switzerland.
Isn't that cute!
Re: (Score:2)
Switzerland cooperates with government requests from the US on the regular. There is a reason they were "Panama Papers" and not "Switzerland papers." The Swiss caved on their stance of privacy and anonymity long ago with regard to normal people. They may offer confidential transactions to governments with regard to one another but that doesn't help the rest of us.
Re: (Score:2)
With one major caveat: individuals with large amounts on deposit.
Swiss authorities are co-operative when it comes to terrorism, and *certain* crimes ... when it comes to tax evasion, Switzerland is still one of the go-to nations for the mega-wealthy.
Re: (Score:2)
If you are counting on that you won't have a large deposit for long. Switzerland has agreed to cooperate and the banks that weren't on board have capitulated by this point https://www.usatoday.com/story/money/2016/01/27/us-slaps-13b-penalties-swiss-banks/79399262/
Re: (Score:2)
opening. (Score:2)
Interestingly, all the existing VPN tech is also based on having servers.
I was replying to a top poster (who since then got modded to -1, so depending on your settings, you might not be seeing it), complaining that we have plenty of opensource VPN software, and saying that it's a solved problem. I was merely pointing out that there's a bit much beyond "there exist GPLed VPN plugins to NetworkManager"
That you can connect to.
The problem is all that goes behind the "connect to a VPN server" phrase.
Even if the protocol used by SomeRandomVPN is covered by opensource (say WireGuard to mention something hip modern a
Re: (Score:2)
That handwaving exists for all these tools, too, it is weak sauce analysis. There is nothing about this that should lead you to presume it is somehow more secure. Is it because it had the word Proton in the name? Why does that make it more secure?
Account management systems already exist.
The only way to prevent misconfiguration is not to allow configuration, but if you're running a VPN service, you have to be able to configure the details, so obviously this can be configured. And misconfigured.
Internet Protocol Security (IPsec) ? (Score:2, Interesting)
why are they coding our own VPN implementation ?
golang code is fun but really all the options to wiretap have been examined ?
Re: Internet Protocol Security (IPsec) ? (Score:5, Interesting)
why are they coding our own VPN implementation ?
They use OpenVPN for the actual connections.
The implementations discussed are their client packages making OpenVPN easy to use in context of the services provided, like choice of exit-country, preventing DNS leaks, and more.
The purpose of making their code open source is to demonstrate how they do things, including how they use OpenVPN underneath, so that anyone interested can verify that it is done securely and correctly.
Such verification has actually been done by a third-party security firm, identifying a small number of low/medium issues in each implementation, which were subsequently either fixed or described/accepted as not being actual security problems.
All of this is very good and they should be commended for it.
golang code is fun but really all the options to wiretap have been examined ?
Not sure what your point is, so I'll refrain from comment.
ProtonMail/VPN (Score:1)
Re: (Score:2)
Oh, my...we've got a live one here!
Re: (Score:2)
I always remember: if it seems too good to be true, it probably is.
Here we have a secure, reliable vpn/email service that open sources its code.
I use and would recommend Proton services, but I agree with the op's sentiment. It's good to ask questions.
Re: (Score:2)
It's good to ask questions, but do they have to be stupid ones? Since you are a user of Proton services, as am I, you're probably as aware as I am that they bend over backwards to be transparent and privacy-friendly, and put their servers in a place where they can defend themselves from the long, flexible noses of various governments. And it's not like there's a shortage of stuff written about them. The guy above could have done a little research and found this out himself.
Re: ProtonMail/VPN (Score:2)
This is great news! (Score:1)
Re: (Score:2)
That isn't a surprise. You have been able to do that for many years with OpenVPN.
Re: (Score:1)
Re: (Score:2)
Yes. You can now set up your own VPN service and then just use that to be completely anonymous on the internet, instead of having to pay for a service from a third party. This is great!
Well, sort of. If you are running your own VPN server, unless you are using a host that accepts something like bitcoin for payment, you won't be completely anonymous since the VPN IP will be back-trackable to your server host. Even then, it's possible for the hosting provider to backtrack your IP back to you, since they will see your incoming IP. So perfectly fine for running something like Netflix from a different region, but not something I'd rely on completely to hide you from a government or court (MPAA
Great, but... (Score:1)
Re: Great, but... (Score:1)