It does appear to be openvpn based, but if they were focused on launching their product and only had apple products on hand then that's likely why it's mac/ios only.
I'd expect that they'll have other platforms soon.
All true. You have to start somewhere, and the first focus was on Apple devices, apps for other platforms will soon follow. Meanwhile examples of OpenVPN config files are available too, so you can use the WifiMask service on any OpenVPN capable device:
https://www.wifimask.com/contact#androidwindows
EDIT: "We will never share your personal information with any third party, except when we need to respond to a legal request from Dutch authorities" - https://www.wifimask.com/terms
As a VPN service that means it is not thoughtful about privacy.
As a counterpoint: any VPN service that claims that they will ignore the authorities legal requests is lying. No matter what, as soon as it is a business, has a registered address and a nominal director it can be put under pressure.
I think this is true. We want to be as honest and open as possible, that includes being honest about the laws we have to comply too. On the other hand, we have a strict no log policy, we have nothing to hand over to authorities accept for the registered email address, a hashed password and the last 4 numbers of a creditcard. Authorities will need to find different ways to get the information they want.
A 'no log policy' is a hard one, it may be true but you can't really prove a negative. So it is as good as your word and your reputation, which in this case may be very good but it may not be enough to reduce skepticism.
FWIW I do tech DD for a living and I've seen several places that had 'no log' policies on the outside and yet they would occasionally - or even structurally - log data in order to comply with the law.
The 'WBT' (Retenion duty for Telecommunicationsdata) has been disbanded, which should work to your advantage, but the GDPR makes explicit room for the accomodation of legal and regulatory requirements and this in turn may transcend your 'no log' policy. Please make sure you have appropriate legal advice on the subject, it is complex and getting it wrong can really bite you.
Your comment makes me think of a "Warrant canary" which we could set up to inform our customers that we have been served with a government subpoena:
https://en.wikipedia.org/wiki/Warrant_canary
Obviously if they are a Dutch company, then they must comply with Dutch regulations and authority demands. This is to be expected.
What is under their control (which I have not investigated) is how much logging they do. If they do the absolute minimal logging, then there's very little for the Dutch authorities to review. This of course excludes the very likely possibility that the overly performant Dutch intelligence service is monitoring everything from every angle (they have thus far proven to be very, very capable of doing so).
First, it looks good like you declare who you are. Many VPN providers seem to want to hide their real identities which is a big red flag.
I couldn't see from the website what your VPN is based on in terms of protocol? Or home brewed? OpenVPN?
Have you had 3rd party audits?
Have you considered alternative payment forms? Such as Bitcoin or other?
From your Terms of Service 'What we do not allow on or from our network...' how do you track these? Do you provide a transparency report summarising legal, copyright etc requests made, action taken?
Also from ToS 'What we need our customers to do:
- Use responsible disclosure in the event any security vulnerabilities occur in our website, software or infrastructure.' Do you have a public disclosure policy notifying of vulnerabilities?
Choosing a VPN involves placing a lot of trust in a 3rd party. Hence questions.
WifiMask uses OpenVPN for the macOS app and IKEv2/IPSec for iOS.
We haven't had 3rd party audits yet, this is definitely on our wish list, because we understand it's all about trust.
Alternative payments like bitcoin are on the list as well, we aim for total anonymity for our users, payments are part of that.
To be honest we can't track any illegal activity, because we have a strict no log policy, all we can do now is say it is not allowed. We have nothing to hand over to enforcement either, they have to find different ways of getting the information they want. We should investigate and think about transparency reports and a public disclosure policy too, thanks!
I have no affiliation with the service, but I assume that:
1. They're small
2. They're new
3. Their team has more experience developing for Apple devices, thus it was quicker to release for those devices first before tackling Windows, Android, and/or Linux.
What they could do in the meantime is create a web-based tool to generate configurations for OpenVPN and/or Wireguard, like Mullvad does.
> First, it looks good like you declare who you are. Many VPN providers seem to want to hide their real identities which is a big red flag.
While I agree that, as a user, knowing who's behind a service, and in particular a VPN, can help build trust, there are several good reasons why you would want to remain anonymous when running a VPN or any privacy service like secure email and encryption tools. You will be targeted by multiple parties. The technical side of this challenge (both that of operating services like these and that of being a target) is complicated enough. Operator anonymity can mitigate some threats, from social engineering to physical threats, pressure, legal and otherwise, from a range of parties. Anyone with experience in these matters knows what I'm referring to, and don't think for a second operating outside of the US makes that much of a difference. The world is small. Many parties do not play by any rules besides their own.
> Operator anonymity can mitigate some threats, from social engineering to physical threats, pressure, legal and otherwise, from a range of parties.
And yet, Mullvad (Sweden), which seems to be one of the most trusted VPN providers without affiliate marketing, has no issues with publicly listing the names of every single member of the team[1].
> Do you know anything about how or if Mullvad cooperates with domestic and foreign entities?
I am not aware of this, but unlike the majority of VPN providers, Mullvad at least does not require any personally identifiable information, such as an email address, in order to use it.
And most VPN providers that hide their real locations, such as ExpressVPN (Hong Kong)[1], NordVPN and ProtonVPN (both Lithuania)[2], are just creating an illusion of privacy for their unsuspecting users.
Yes... at this point, IMO, there are no VPN providers that can be trusted to not sell you out (or your data). It's all very shady.
As I have said in previous comments, I currently use ProtonVPN, but my use case, like many others, is simply avoiding geo-blocks and not leaving my real IP everywhere.
Though, I do think, that if they make money off my data, and they probably do, the service should not charge a subscription (indeed ProtonVPN has a free plan, but it's a bit limited).
- You load a number of JS files from third party CDNs including Cloudflare and Google without subresource integrity
- What does this offer me? It seems a lot more restrictive than other companies at lower price points, inability to use it on own libre devices, requiring proprietary software? How is this significantly different than renting a VM or two?
- Based on your cipher list in features, this is an openvpn wrapper?
- "WifiMask will also use your Personal Data to provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about." - This sounds like there is no opt out, no "if you choose to", just that special offers are mandatory to receive
Many thanks for your feedback! Much appreciated. The missing newlines and subresource integrity are now fixed. The Privacy Policy is now updated with information on how to opt-out.
WifiMask uses OpenVPN for the macOS app and IKEv2/IPSec for iOS. Examples of OpenVPN config files can be found at https://www.wifimask.com/contact#androidwindows which allows you to use the WifiMask service on every OpenVPN capable device. Meanwhile an Android and Windows app are in development, so stay tuned. ;-)
The optional 2FA used is Authy, you activate Authy with your phonenumber only once, after that you use Authy to login to your account. So 2FA is not done through SMS text messages for example, where hijacking could be a problem.
Good one with the list of hostnames, I will prepare one, for now you can take a look at this JSON file:
Authy is absolutely not acceptable for privacy applications like VPNs. Authy stores user information on third-party servers, when there are plenty of 2FA apps that work locally on the user's device.
The fact that Authy refused to delete user accounts (before they were acquired by Twilio), even when they promised to do so in their terms of service, is also very concerning:
I'm not sure I agree with pushing responsibilities on customers. If you miss some security item or if you make my account a super admin on signup I shouldn't have some responsibility to help you fix it.
What we need our customers to do:
- Use responsible disclosure in the event any security vulnerabilities occur in our website, software or infrastructure.
I will rephrase it, the intention is not to push responsibilities, we are merely asking our customers to let us know if they ever find a vulnerability. Thanks for the feedback!
I've worked with the founder (Joost H., Remy says Hi). Can vouch for him, all-round good tech guy. He was a Windows server admin at a big cloud provider (CloudVPS), I was one of the Linux guys. He knows his way around Windows, hyper v and clustering. Even some Linux. Quit his job to work full time on the startup with his brother.
Big plus one here. I'd trust wifimask if I wasn't capable of hosting my own servers and needed a VPN.
I have seen this throughout macOS lately with other apps too, a rightclick will show you the paste option btw. Meanwhile I will investigate this, thanks!
Unfortunately not yet, but we are working on it. Meanwhile we have example OpenVPN config files available, which you can use for OpenVPN on Android too: https://www.wifimask.com/contact#androidwindows
very reasonably priced, if I had a mac I'd be trying it out.
what I want is a vpn that the BBC that fools the bbc into thinking I'm in the UK. They're wise to my current one, pia.
Nice. Wifimask looks promising, esp with ad-blocking built-in. A few questions:
Where do you purchase your servers from?
How trustworthy are the underlying VPS providers across different countries that you've got presence in?
It was recently pointed out that PIA was $30 million in debt... Looks like VPN is a brutal business, but your pricing is (low?) at $4 for unlimited devices and you're bootstrapped. How do you manage to pull it off?
What are the upcoming features that you plan? Consequently, what are the most requested features?
All servers are purchased from Digital Ocean only at the moment. I think it is very important to buy servers from a thrustworthy party especially in the VPN business, even if that means we pay a little bit extra.
VPN is a brutal business. But because we are bootstrapped and thus no screaming investors/banks behind our backs and we are a small team, costs are low and there's no one who can pull the plug but ourselves. I don't know how many people are working for PIA, but in my opinion you don't need ten's or hundred's of people to build and run a VPN company. I'm not very surprised they are supposedly in that much debt.
The most requested feature is an Android app. ;-) And unblocking Netflix ofcourse, but they seem to get even better at blocking VPN's than the Great Firewall of China.
What would your feature request be? :-)
> All servers are purchased from Digital Ocean only at the moment.
Are there any legal or technical reasons to prefer DigitalOcean over OVH and Hetzner? They seem to be both, much more cost-efficient, and much more privacy-oriented.
As a minor nitpick, I dislike the term "Holland" when referring to the Netherlands. Additionally, you're based in Den Bosch, which is not even in Holland.
I was thinking/reconsidering this same thing today too! ;-) I have to discuss with my brother, but I think it will be changed soon into "Made in the Netherlands". Thanks for the feedback. ;-)
You can blame the Dutch Tourism board for that, they unilaterally declared 'The Netherlands' to be too complicated for marketing purposes and decided on Holland.
So, from on high: Den Bosch is now also in Holland, as are Maastricht, Enschede, Middelburg and Groningen, to great chagrin of those living there. It's been a major point of contention between the NBTC and almost all of the rest of the country but 'Made in Holland' has displaced 'Made in The Netherlands' for quite a while now.
"From now on the Netherlands and the Kingdom of the Netherlands can be recognised internationally by a new logo. The logo is characterised by two symbols: NL and a stylised orange tulip. The logo replaces the much used ‘Holland tulip’ of the Netherlands Board of Tourism & Conventions’ (NBTC)”
I think it will be ‘a while’ before ‘Holland’ is gone, if only because ’Nederland’ doesn’t work well in cheering on sports teams.
That's great news. I was in the midst of that when it was first announced and the NBTC still shows the old logo. Excellent - and very timely - news. I never did like the 'Holland' bit, it seemed like a dumbed down version, marketeers taking over tradition.
We preferably launch once in a while. ;-)
This is not really a launch btw, although it's getting a launch with upvotes on HN this time. But I just wanted to show the current state of WifiMask, it took some time to work on it more and there is still a lot of work to do, like Android and Windows apps.
As I see it, many main stream users use such a service to avoid geo blocking. Which is a feature you call teleporting. How do you plan to resolve the problem of Netflix/Amazon Prime blacklisting your VPN servers' IPs? Obviously this is part of your product as you list it as a feature. Hence, people might argue that your product is faulty and ask you to return their money.
We have now sort of "hidden" the information that Netflix is not unblockable under the FAQ part of this page: https://wifimask.com/contact
Maybe we should say we cannot unblock Netflix on the frontpage, because I also realize that's why a lot of people are looking for a VPN who does.
Nevertheless, besides Netflix, there is still a lot of content to be unblocked. And ofcourse, if unblocking Netflix was the main reason the get WifiMask and it doesn't work, you'll get your money back.
BREIN doesn't care if you use a VPN to protect your privacy and security when you're not doing anything illegal. Especially not when you're connected to a VPN server somewhere on the other side of the planet. ;-)
Suggestion for the macOS menubar icon. Make the icon change colour to red when disconnected or the VPN is not in use. Maybe even a notification should be displayed.
Talking about mobile only VPN: you can also check "Warp+" (https://1.1.1.1/) from Cloudflare - unlimited traffic starting from $1/month (depens on your region)
110 comments
[ 2.9 ms ] story [ 185 ms ] threadEdit: a word
I'd expect that they'll have other platforms soon.
EDIT: "We will never share your personal information with any third party, except when we need to respond to a legal request from Dutch authorities" - https://www.wifimask.com/terms
As a VPN service that means it is not thoughtful about privacy.
Our intelligence agency (AIVD) allegedly facilitated the planting of stuxnet (they had a guy in there or something)
So it'd be reasonable to say that "we're not uncooperative"
FWIW I do tech DD for a living and I've seen several places that had 'no log' policies on the outside and yet they would occasionally - or even structurally - log data in order to comply with the law.
The 'WBT' (Retenion duty for Telecommunicationsdata) has been disbanded, which should work to your advantage, but the GDPR makes explicit room for the accomodation of legal and regulatory requirements and this in turn may transcend your 'no log' policy. Please make sure you have appropriate legal advice on the subject, it is complex and getting it wrong can really bite you.
Best of luck with your company!
Thanks!
Even the authorities asking for data have an interest in keeping the VPN's reputation alive in case the VPN does cooperate.
What is under their control (which I have not investigated) is how much logging they do. If they do the absolute minimal logging, then there's very little for the Dutch authorities to review. This of course excludes the very likely possibility that the overly performant Dutch intelligence service is monitoring everything from every angle (they have thus far proven to be very, very capable of doing so).
I couldn't see from the website what your VPN is based on in terms of protocol? Or home brewed? OpenVPN?
Have you had 3rd party audits?
Have you considered alternative payment forms? Such as Bitcoin or other?
From your Terms of Service 'What we do not allow on or from our network...' how do you track these? Do you provide a transparency report summarising legal, copyright etc requests made, action taken?
Also from ToS 'What we need our customers to do: - Use responsible disclosure in the event any security vulnerabilities occur in our website, software or infrastructure.' Do you have a public disclosure policy notifying of vulnerabilities?
Choosing a VPN involves placing a lot of trust in a 3rd party. Hence questions.
WifiMask uses OpenVPN for the macOS app and IKEv2/IPSec for iOS. We haven't had 3rd party audits yet, this is definitely on our wish list, because we understand it's all about trust. Alternative payments like bitcoin are on the list as well, we aim for total anonymity for our users, payments are part of that. To be honest we can't track any illegal activity, because we have a strict no log policy, all we can do now is say it is not allowed. We have nothing to hand over to enforcement either, they have to find different ways of getting the information they want. We should investigate and think about transparency reports and a public disclosure policy too, thanks!
1. They're small
2. They're new
3. Their team has more experience developing for Apple devices, thus it was quicker to release for those devices first before tackling Windows, Android, and/or Linux.
What they could do in the meantime is create a web-based tool to generate configurations for OpenVPN and/or Wireguard, like Mullvad does.
While I agree that, as a user, knowing who's behind a service, and in particular a VPN, can help build trust, there are several good reasons why you would want to remain anonymous when running a VPN or any privacy service like secure email and encryption tools. You will be targeted by multiple parties. The technical side of this challenge (both that of operating services like these and that of being a target) is complicated enough. Operator anonymity can mitigate some threats, from social engineering to physical threats, pressure, legal and otherwise, from a range of parties. Anyone with experience in these matters knows what I'm referring to, and don't think for a second operating outside of the US makes that much of a difference. The world is small. Many parties do not play by any rules besides their own.
And yet, Mullvad (Sweden), which seems to be one of the most trusted VPN providers without affiliate marketing, has no issues with publicly listing the names of every single member of the team[1].
[1] https://mullvad.net/en/what-is-privacy/
Do you know anything about how or if Mullvad cooperates with domestic and foreign entities?
Perhaps threats are unnecessary.
Stating you have a no logging policy does not mean you cannot covertly cooperate.
Fourteen Eyes collaboration is real, and Sweden is not a country where a business not complying with the law stays in business.
I am not aware of this, but unlike the majority of VPN providers, Mullvad at least does not require any personally identifiable information, such as an email address, in order to use it.
And most VPN providers that hide their real locations, such as ExpressVPN (Hong Kong)[1], NordVPN and ProtonVPN (both Lithuania)[2], are just creating an illusion of privacy for their unsuspecting users.
[1] https://vpnscam.com/expressvpn-really-based-in-hong-kong/
[2] http://vpnscam.com/hola-vpn-and-nordvpn-partners-in-data-min...
As I have said in previous comments, I currently use ProtonVPN, but my use case, like many others, is simply avoiding geo-blocks and not leaving my real IP everywhere.
Though, I do think, that if they make money off my data, and they probably do, the service should not charge a subscription (indeed ProtonVPN has a free plan, but it's a bit limited).
- Your last two bullet points for 'what we do not allow' is missing newlines (https://www.wifimask.com/terms)
- You load a number of JS files from third party CDNs including Cloudflare and Google without subresource integrity
- What does this offer me? It seems a lot more restrictive than other companies at lower price points, inability to use it on own libre devices, requiring proprietary software? How is this significantly different than renting a VM or two?
- Based on your cipher list in features, this is an openvpn wrapper?
- "WifiMask will also use your Personal Data to provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about." - This sounds like there is no opt out, no "if you choose to", just that special offers are mandatory to receive
WifiMask uses OpenVPN for the macOS app and IKEv2/IPSec for iOS. Examples of OpenVPN config files can be found at https://www.wifimask.com/contact#androidwindows which allows you to use the WifiMask service on every OpenVPN capable device. Meanwhile an Android and Windows app are in development, so stay tuned. ;-)
Can't find list of hostnames to use with OVPN, seemingly
Good one with the list of hostnames, I will prepare one, for now you can take a look at this JSON file:
https://vpnserver.wifimask.net/vpnservers.json
The fact that Authy refused to delete user accounts (before they were acquired by Twilio), even when they promised to do so in their terms of service, is also very concerning:
https://news.ycombinator.com/item?id=9103606
https://web.archive.org/web/20141011062757/authy.com/terms
Big plus one here. I'd trust wifimask if I wasn't capable of hosting my own servers and needed a VPN.
What language(s) do you use?
What libraries do you use?
What static and dynamic security analysis tools do you use?
What style guides and code best practices do you use?
Where do you host your code?
Where are your backups?
Where are your POPs located?
Have you had any pen tests run?
https://wifimask.com/contact#androidwindows
Where do you purchase your servers from?
How trustworthy are the underlying VPS providers across different countries that you've got presence in?
It was recently pointed out that PIA was $30 million in debt... Looks like VPN is a brutal business, but your pricing is (low?) at $4 for unlimited devices and you're bootstrapped. How do you manage to pull it off?
What are the upcoming features that you plan? Consequently, what are the most requested features?
Thanks.
VPN is a brutal business. But because we are bootstrapped and thus no screaming investors/banks behind our backs and we are a small team, costs are low and there's no one who can pull the plug but ourselves. I don't know how many people are working for PIA, but in my opinion you don't need ten's or hundred's of people to build and run a VPN company. I'm not very surprised they are supposedly in that much debt.
The most requested feature is an Android app. ;-) And unblocking Netflix ofcourse, but they seem to get even better at blocking VPN's than the Great Firewall of China. What would your feature request be? :-)
Are there any legal or technical reasons to prefer DigitalOcean over OVH and Hetzner? They seem to be both, much more cost-efficient, and much more privacy-oriented.
> What would your feature request be?
WireGuard.
I'm definitely keeping an eye on WireGuard, it is very promising.
DigitalOcean are capped + 1cent/gb but your offering unlimited.... a few heavy streamers or torrents could ruin your monthly bill?
(you say "made in Holland" in your logo)
https://www.nbtc.nl/
So, from on high: Den Bosch is now also in Holland, as are Maastricht, Enschede, Middelburg and Groningen, to great chagrin of those living there. It's been a major point of contention between the NBTC and almost all of the rest of the country but 'Made in Holland' has displaced 'Made in The Netherlands' for quite a while now.
That is history :-). https://www.government.nl/latest/news/2019/11/08/new-interna... (3 weeks ago):
"From now on the Netherlands and the Kingdom of the Netherlands can be recognised internationally by a new logo. The logo is characterised by two symbols: NL and a stylised orange tulip. The logo replaces the much used ‘Holland tulip’ of the Netherlands Board of Tourism & Conventions’ (NBTC)”
I think it will be ‘a while’ before ‘Holland’ is gone, if only because ’Nederland’ doesn’t work well in cheering on sports teams.
https://news.ycombinator.com/item?id=11366537
So not just launched as I’d expected
That said, I swapped to Mullvad VPN recently due to the Private Internet Access controversy.