| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by Oeck 2189 days ago

Hi smt88,

Thank you so much for checking it out.

This is a problem. As far as I know there are only two ways to gain trust with an audience when your company is a start up. So I am going to be completely transparent with the answer and hopefully you will see our point of view.

1) Third party security audit - This is one way of a startup gaining trust. Having a third-party audit the VPN and the VPN showing the results. We actually went to see how much something like this would cost and it was in excess of $20,000. We unfortunately do not have this sort of money to put up. In addition to that, most VPN providers who have done so were already established and had a steady stream of income.

The issue I have with this is at the end of the day it is a $20,000+ sticker you can have. Should the VPN provider wish to do so, they can easily change their system after the audit is complete and do what they like anyway. So, I agree it adds to trust, but at the end of the day it can be reversed in the background. Having said that, when we can afford to do so, we will most likely get it done to follow protocol.

2) Open Source apps - Due to the way our VPN works, we found the best solution for us was to use the libvpn libraries. They can be found at http://libvpn.com/

These libraries, unfortunately, are not open source. However, they are very powerful and the code is of good quality. Due to this, we are unable to make our apps completely open source.

Again, open sourcing the apps, although it looks good, ultimately doesn't mean anything. Any malicious activity can be done in the back-end. The apps source code may show up fine, but the back-end of the service can do whatever the owners want.

That's not to say open sourcing them isn't a good thing, it is just that aside from the fact that we can't do so, ultimately it means little if the service provider wanted to screw its customers.

I would love to hear feedback on other ways we could gain trust. In our FAQ we explain about our system and our privacy policy explains what we do not log, what we monitor etc. We also have an EV SSL certificate on the website to help build this trust.

Regards, Peter @ Oeck.