Update Windscribe VPN Security Breach

SearchLight

Level 12
Verified
Jul 3, 2017
591
@windscribe appreciate the effort that you are making to overcome the security breach.

In your blog you also mentioned that Wireguard will be made your default protocol.

Other VPNS using Wireguard claim to erase the users actual IP address after a session or obfuscate that address with a Double NAT solution. You state that you designed a system that makes the users originating IP address known to your Wireguard system but difficult to read by your operations people within the Windscribe system. This implies that there is still a chance that someone could access that information as that IP stays within the "server". Will you be taking additional steps like the other VPNS claim to erase that IP information immediately after the user logs out of your app and/or system? Thanks.

 
Last edited:

windscribe

From Windscribe
Verified
Developer
Dec 28, 2016
91
@windscribe appreciate the effort that you are making to overcome the security breach.

In your blog you also mentioned that Wireguard will be made your default protocol.

Other VPNS using Wireguard claim to erase the users actual IP address after a session or obfuscate that address with a Double NAT solution. You state that you designed a system that makes the users originating IP address known to your Wireguard system but difficult to read by your operations people within the Windscribe system. This implies that there is still a chance that someone could access that information as that IP stays within the "server". Will you be taking additional steps like the other VPNS claim to erase that IP information immediately after the user logs out of your app and/or system? Thanks.

This is already in place, as per the article above.
 

windscribe

From Windscribe
Verified
Developer
Dec 28, 2016
91
Not at all. They were forced to admission when caught with their pants down. They deserve no laurels.
Not true. You have us confused with NordVPN, Torguard, and PIA (who lied completely).

We voluntarily disclosed this July 8th: OpenVPN Security Improvements and Changes

We could have hidden the reason from you, and nobody would ever know since gov seizures rarely get leaked online for profit/lulz. For shady VPN companies like above, it's an easy choice:

Say nothing, silently "fix" it, keep all the users you have, and pretend it never happened.
OR
Disclose it, fix it properly, lose customers and reputation.

They chose the former, we chose the later.
 

windscribe

From Windscribe
Verified
Developer
Dec 28, 2016
91
Then that network boot is somewhat your persistent storage

Also, >grub

The fact that you're using grub also means that attestation is not being done correctly. This combined with the fact that grub doesn't even do secure boot well. The only verification grub has is weak GPG keys which aren't as strong as secure boot. It has a colossal amount of attack surface

So yes, you still have a very serious problem on your hands. Are we ignoring badbios or just the fact that an attacker can modify grub on the servers?

The main issue here seems to be the fact that openvpn is quite complex a protocol to manage (as you've said others haven't got it right either). Maybe it is time to find one that is easier then?

No idea whether the neuralyzer tool verifies the OS being sent to it and even if it does, you're ignoring the fact that an attacker can modify grub/bios so the verification is meaningless anyway
The flow I posted is simplified, there are several other security checks and balances in place. All will be described in detail in a technical writeup that will be posted when we release it.
 
Top