[mjg59]

I'm a huge fan of the technical basis for this. I want services to attest themselves to me so I can verify that they're running the source code I can inspect. And, well, the combination of founders here? Good fucking lord. I'm really fascinated to see whether we can generate enough trust in the code to be able to overcome the complete lack of trust that these people deserve. I can't imagine a better way to troll me on this point.

[pydry]

>the complete lack of trust that these people deserve

Yeah, I took one look at that and laughed. CEO of mt gox teaming up with the guy who sold his last VPN to an Israeli spyware company sounds like the start of a joke.

[rasengan]

I didn’t sell PIA. It was a merger to create a publicly owned privacy company and, unfortunately, the terms of the merger did not come to fruition.

I left the company on principle by relinquishing my shares at a mere fraction (about 1/3) the value. I walked away from millions of dollars, and I am happy with my decision.

Given what happened, we built VP so that trust is no longer required.

[rcakebread]

Nobody trusts you, mission accomplished.

[commandersaki]

RIP Freenode, never forget.

[nneonneo]

The SGX TCB isn’t large enough to protect the really critical part of a private VPN: the source and destination of packets. Nothing stops them from sticking a user on their own enclave and monitoring all the traffic in-and-out.

Also, the README is full of AI slop buzzwords, which isn’t confidence-inspiring.

[9dev]

Also, it requires me to trust Intel—an American company, to not have a backdoor in the SGX. That amounts to exactly no trust at all, so it’s a pass from me, and probably any non-US citizen.

[nneonneo]

The backdoor is as simple as “Intel has all the signing keys for the hardware root of trust so they can sign anything they want” :)

[rasengan]

Defense in depth dictates that this is more secure than standard VPNs out there (Mullvad, Proton, Nord, Express, etc.).

Any real security researcher recognizes this.

If you think 'trusting random strangers' is a better security architecture, then you should not work in security.

[waon]

Defense in depth only works if you put up meaningful security measures. As numerous people including GP has pointed out, you still retain the means to log user traffic. That's not meaningfully secure than the alternatives.

More importantly, trusting random strangers is much better than trusting a known hostile actor. During the Freenode fiasco, you have repeatedly demonstrated yourself to be untrustworthy and vengeful. Everyone saw your petty revenges against people who dared voice the slightest of criticisms. Why on earth should anyone trust that you'll uphold your customer's privacy no matter what?

[rasengan]

I think you should look into the narrative before parroting falsehoods. Further, I’m not sure what came off as a “revenge” in my response unless facts are being interpreted as such.

[lc5G]

This is the best critique of VP.net's approach in this thread. The purpose of the enclave approach is that you can be sure they're not logging your traffic. This is an advantage over competitors. But, as you say, this does not actually work. When you connect to the VPN, you don't know whether your traffic really gets mixed with other people's traffic. If it doesn't get mixed, then no matter what the trusted enclave code does, they still know all the input and output traffic belongs to you.

[commandersaki]

Ah, I now see how they can acquire a 2 letter domain with a gtld.

[rasengan]

> I'm a huge fan of the technical basis for this

Trusting random internet people is actually the biggest “troll” of the internet.

Any VPN that asks you to trust their guarantees and not the guarantees of code is selling you snake oil and should not be trusted.

Trust is not a feature in security. Thus, we removed and replaced it with code based guarantees.