Windscribe VPN Security Breach

SearchLight

SearchLight

Level 13
Thread author
Verified
Top Poster
Well-known
Jul 3, 2017
626
@windscribe appreciate the effort that you are making to overcome the security breach.

In your blog you also mentioned that Wireguard will be made your default protocol.

Other VPNS using Wireguard claim to erase the users actual IP address after a session or obfuscate that address with a Double NAT solution. You state that you designed a system that makes the users originating IP address known to your Wireguard system but difficult to read by your operations people within the Windscribe system. This implies that there is still a chance that someone could access that information as that IP stays within the "server". Will you be taking additional steps like the other VPNS claim to erase that IP information immediately after the user logs out of your app and/or system? Thanks.

blog.windscribe.com

Introducing WireGuard

Here at Windscribe, we’re always thinking about the next big thing and what the future holds. How will AI shape the fabric of human…
blog.windscribe.com blog.windscribe.com
 
Last edited:
  • Like
Reactions: Venustus, Nevi, roger_m and 1 other person
windscribe

windscribe

From Windscribe
Verified
Developer
Well-known
Dec 28, 2016
128
SearchLight said:
@windscribe appreciate the effort that you are making to overcome the security breach.

In your blog you also mentioned that Wireguard will be made your default protocol.

Other VPNS using Wireguard claim to erase the users actual IP address after a session or obfuscate that address with a Double NAT solution. You state that you designed a system that makes the users originating IP address known to your Wireguard system but difficult to read by your operations people within the Windscribe system. This implies that there is still a chance that someone could access that information as that IP stays within the "server". Will you be taking additional steps like the other VPNS claim to erase that IP information immediately after the user logs out of your app and/or system? Thanks.

blog.windscribe.com

Introducing WireGuard

Here at Windscribe, we’re always thinking about the next big thing and what the future holds. How will AI shape the fabric of human…
blog.windscribe.com blog.windscribe.com
Click to expand...
This is already in place, as per the article above.
 
  • Like
Reactions: Venustus, Nevi, roger_m and 2 others
windscribe

windscribe

From Windscribe
Verified
Developer
Well-known
Dec 28, 2016
128
Telos said:
Not at all. They were forced to admission when caught with their pants down. They deserve no laurels.
Click to expand...
Not true. You have us confused with NordVPN, Torguard, and PIA (who lied completely).

We voluntarily disclosed this July 8th: OpenVPN Security Improvements and Changes

We could have hidden the reason from you, and nobody would ever know since gov seizures rarely get leaked online for profit/lulz. For shady VPN companies like above, it's an easy choice:

Say nothing, silently "fix" it, keep all the users you have, and pretend it never happened.
OR
Disclose it, fix it properly, lose customers and reputation.

They chose the former, we chose the later.
 
  • Like
  • Applause
  • +Reputation
Reactions: w2phoenix, Venustus, JasonUK and 6 others
windscribe

windscribe

From Windscribe
Verified
Developer
Well-known
Dec 28, 2016
128
anupritaisno1 said:
Then that network boot is somewhat your persistent storage

Also, >grub

The fact that you're using grub also means that attestation is not being done correctly. This combined with the fact that grub doesn't even do secure boot well. The only verification grub has is weak GPG keys which aren't as strong as secure boot. It has a colossal amount of attack surface

So yes, you still have a very serious problem on your hands. Are we ignoring badbios or just the fact that an attacker can modify grub on the servers?

The main issue here seems to be the fact that openvpn is quite complex a protocol to manage (as you've said others haven't got it right either). Maybe it is time to find one that is easier then?

No idea whether the neuralyzer tool verifies the OS being sent to it and even if it does, you're ignoring the fact that an attacker can modify grub/bios so the verification is meaningless anyway
Click to expand...
The flow I posted is simplified, there are several other security checks and balances in place. All will be described in detail in a technical writeup that will be posted when we release it.
 
  • Like
  • Thanks
  • +Reputation
Reactions: Nevi, Gandalf_The_Grey, harlan4096 and 3 others

Similar threads

n8chavez
Serious Discussion Router VPN Killswitch
Replies
9
Views
492
VPN and DNS
sokabi
S
Shadowra
    • Like
    • +Reputation
Malware News Helldown ransomware exploits Zyxel VPN flaw to breach networks
Replies
0
Views
262
Security News
Shadowra
Shadowra
Gandalf_The_Grey
    • Wow
    • Like
Security News Park’N Fly notifies 1 million customers of data breach
Replies
0
Views
1,312
Security News
Gandalf_The_Grey
Gandalf_The_Grey

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top