by dguido 2635 days ago
The slimy marketing around centralized VPN services is why I consider it a point of pride to include the following as a "feature" in the AlgoVPN readme:

> Anti-features

> * Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA

> * Does not install Tor, OpenVPN, or other risky servers

> * Does not depend on the security of TLS

> * Does not require client software on most platforms

> * Does not claim to provide anonymity or censorship avoidance

> * Does not claim to protect you from the FSB, MSS, DGSE, or FSM

It's incredible how quickly services that massively centralize bulk consumer web traffic were normalized. This is not ok. Further, most of these services are located in "exotic" locales with uncertain legal protections, anonymous or pseudo-anonymous owners, and make barely enough revenue to hire more than 3 or 4 staff members to maintain and secure their own infrastructure. This whole industry is a slow-motion disaster.


> * Does not install Tor, OpenVPN, or other risky servers

What do you mean by "risky servers" here? I run OpenVPN on a few servers, is there something I should know?

There's an FAQ in the AlgoVPN documentation that addresses this question (https://github.com/trailofbits/algo/blob/master/docs/faq.md#...):

> Why aren't you using OpenVPN?

> OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update[1] and maintain[2] the software themselves. OpenVPN depends on the security of TLS[3], both the protocol[4] and its implementations[5], and we simply trust the server less due to past[6] security[7] incidents[8].

[1] https://www.exploit-db.com/exploits/34037/

[2] https://www.exploit-db.com/exploits/20485/

[3] https://tools.ietf.org/html/rfc7457

[4] https://arstechnica.com/security/2016/08/new-attack-can-pluc...

[5] https://arstechnica.com/security/2014/04/confirmed-nasty-hea...

[6] https://sweet32.info/

[7] https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin/blob...

[8] https://www.exploit-db.com/exploits/34879/

It uses openssl, which regularly gets security issues published.

It shouldn't be too bad if you keep your server and clients updated, though (depending on your threat model).

FSM == Flying Spaghetti Monster?

You got downvoted, but if you go to GitHub this is exactly what it means lol

https://github.com/trailofbits/algo

Huh? I didn't ask about the FSB (the first initialism). I asked about FSM (the last).

Oops, sorry, a bit tired and jetlagged.

For FSM the best I can do is the Flying Spaghetti Monster, nothing else here makes sense: https://en.wikipedia.org/wiki/FSM

That is the FSB (or ФСБ). FSM isn't the acronym or a transliteration of any known national intelligence service.

FSB - Federal Security Service, Russia

MSS - Ministry of State Security, China

DGSE - General Directorate for External Security, France

FSM - Federated States of Micronesia National Police would be my best guess. They do dignitary protection and counter-narcotics, so I would assume they have at least some intelligence function.

Given that Micronesia has a population of 100k, I wouldn't worry too much about their secret service.

I presume OP meant FSM as in Flying Spaghetti Monster as a stand-in for any organization that might wish to spy on you with its noodly appendages.

Then what is the FSB?