this post was submitted on 07 Sep 2024
53 points (94.9% liked)

Privacy

32156 readers
902 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
53
submitted 2 months ago* (last edited 2 months ago) by andylicious1337 to c/[email protected]
 

Hi privacy fans :) I've been a lurker in this lemmy-community for a while now and a "fan" of privacy for about 4 years now. Since 4 years, I've been on and of with VPNs. Sometimes I think I dont need one, sometimes I change my mind and start searching for one. The only one I tested (and used) so far, was Mullvad. But now reading about Surfshark, I was wondering, if there might be a better solution or if Mullvad is already the best solution for VPN. What I dont like about Surfshark is, that it is part of North Security and that it is not open-source (or at least I can find any info about that).

I hope you guy and gals have some suggestions or recommendation :)

Edit: wow... thanks for all of your fast replies. Coming from Reddit, I am used to only shitposting. Thanks for all your input. I will look into all the mentioned VPN hosters, thx ๐Ÿ‘

you are viewing a single comment's thread
view the rest of the comments
[โ€“] [email protected] 7 points 2 months ago (2 children)

As far as I know they don't have audits done, so who knows about the logging. Both IVPN and Mullvad pass those. Could still be fine though, but I'd rather trust Mullvad or IVPN.

[โ€“] [email protected] 5 points 2 months ago* (last edited 2 months ago) (1 children)

So, I just looked it up and apparently their official stance is that auditing is questionably effective and thus unnecessary:

Our software is free and open source, while we repute at the moment [it's] not acceptable to provide external companies with root access to our servers to perform audits which can not anyway guarantee future avoidance of traffic logging or transmission to third parties. On the contrary, we deem very useful anything related to penetration tests. Such tests are frequently performed by independent researchers and bounty hunters and we also have a bounty program.

In other words, their reasoning seems to be:

  1. Their software is free and open source, so if it does logs anything, the community would find out, so in this sense the community is the independent auditors;
  2. There's no stopping an audited party from ceasing to log right before the audit and start up again after the audit ends, so an audit is kind of toothless anyway;
  3. Regarding penetration tests, they already have independent testing done as well as a bounty program.

Personally, I don't entirely agree with points #2 and #3 (though I can see their points), but point #1 is fair I suppose. In my opinion, though, it should not be up to the users to hold the company accountable; and there is a difference between penetration tests and log auditing, as the former I believe are merely to check the resilience against outside hacking.

My end impression is that judging from their other documentation and forum posts, the fact that their software is fully open-source, and their past behavior in accordance with their stated values, I think I'm inclined to believe them. However, it is somewhat worrying nevertheless that there isn't log auditing involved regardless of their actions.

ย 


Edit: Clarification

[โ€“] [email protected] 4 points 2 months ago (1 children)

But what about server side logging? Even if the server is open source how can one that they are actually the code they publish without changing anything if there are no audits?

[โ€“] [email protected] 2 points 2 months ago* (last edited 2 months ago)

There's a certain point where it just comes down to trust. And if you distrust a company enough that you think they aren't posting the same code to the git repository that they say they are, then maybe that's when you shouldn't be doing business with them.

This is the case with all organizations, corporate or otherwise.

[โ€“] [email protected] 0 points 2 months ago* (last edited 2 months ago)

audits are invalid as soon as they finish, there's absolutely no way to trust any of these companies.