Not much point in serving .sig's and your PGP key if its over HTTP. Unless you're already in someone's WOT, there's nothing to verify against. At least if you use HTTPS we can somewhat trust that we're being displayed the key you think we should be displayed.
Indeed; the key used doesn't even appear to be available on any keyserver. However, it does have some use in being able to determine that a newer release was made by the same person as the previous ones. That's something you can't get with HTTPS.
Though he didn't complain about the software itself, he complained about the way it's hosted. Different concerns. And in today's world, SourceForge is liked less than GitHub from what I've noticed.
Sourceforge has inserted adware into projects' downloads in the past. It's also a ghost town and I wonder what sort of resources (if any) they have working on the site to keep it secure. This is a big concern when the software they're hosting is as security-sensitive as a VPN package.
Their Senior Director of Business Development, Roberto Galoppini, said this in the comments to the link above:
"Developers opt in and are compensated, they are in control both of the installer behavior and of what sort of secondary offerings will be presented to their user base. Moreover they are not asked to integrate their application with a third parties' piece of code, and maintaining a bundled and unbundled version is trivial for them.
End-users are provided with a transparent installer behavior, all programs are malware-free and honestly described. All uninstall procedures are extensively tested, both for open source applications and third parties' offerings."
In case you're looking to build your own and rely on existing software, we built an easy way to create a VPN and deploy it to digital ocean or rackspace, in a single click.
Why the downvotes? This is free, and I just posted it as an alternative. You can also take our open source script and run it on a box of your choice, if you don't want to trust us with your keys (which we never store).
Man that page looks fraudulent. Doesn't even mention what kind of "VPN" is used other than it is supposedly "open". So, what client can I use? Which devices or operating systems does it support?
Not even the FAQ addresses any of it.
And with all that one is expected to trust ones key to that site? (the way the page is setup I guess the target audience can not even be expected to know what a "key" is, or why they would even need to trust that site even if they did use it)
At the very bottom, in the fine-print, there is a link to a blog post. Great. Start with that! Move the whole page to the bottom of the blog post. "But that will hurt adoptability". GREAT! No one in the in their right mind should be "securing their internets with some cloud thing that some dude recommended" in under 30 seconds anyway.
This is only encouraging people being gullible which is kind of ironic since the aim seems to be to help people not trusting public wifi.
So, in a different world, you'd be right. In this case, we originally built this for Sochi so journalists could use a VPN. Journalists are not going to have any idea how to build a box, ssh in, run a script, etc. We later changed the copy to be related to DEF CON, to keep it current, but yeah.
The blog cypherpunks.ru written in Russian contains a lot of spelling and grammar errors, as well as typos, which to me indicates the quality of the content in general.
Anyone knows the best current way to install a VPN on Ubuntu?
I've tried several times, it's way more difficult than I thought, and when I've some success, performance is, at best, disappointing. And that's using 1GB/s dedicated server.
Presumably 'I want a VPN, I don't need 90% of what OpenVPN offers, and I don't want to spend a huge amount of time figuring out how to OpenVPN quickly and easily.'
OpenVPN is just an apt-get install away, and the defaults would suit you fine in if you don't have any special needs. You do need to configure what IP nets you want to tunnel (unless you use it in bridging mode), but that's it.
Good point.
How can we be sure this is secure enough to use?
OpenVPN is widely used, so the thought is any issue with it would be more likely to be found.
People looking to set up their own VPN server are missing the point. Your run-off-the-mill hoster is not any more trustworthy than a run-off-the-mill VPN provider so you aren't gaining anything security-wise. In fact you are losing (slightly) by having your traffic exiting the tunnel stick out where with a shared IP extra effort (potentially non-trivial) would be required to tell your traffic apart from that of other users. A subscription with a reputable VPN provider costs less or as much as a VPS with a reputable VPS provider, so you aren't gaining anything cost-wise either.
If you do it for the skillz, sure, but otherwise it's completely pointless.
Edit: Just to make it clear, that wasn't directed at the project here, but at some of the comments in this and other VPN-related threads. Another VPN protocol and implementation is always cool. (although Windows users need love too)
You've got some good points there, bu not everyone is a freedom fighter or overly concerned about their privacy up to that level.
Some people just don't want to be snooped on by your casual script kiddie while on public wifi.
you can setup VPS with VPN on Google Cloud Platform for $6 per month + $1 traffic. It works pretty stable. And you can use any amount of devices and be sure about logs not only because you read it in marketing materials. Most of VPN providers gives single device plan for this price and all promises about logs are just words (maybe honest, who knows).
52 comments
[ 0.20 ms ] story [ 113 ms ] threadhttps://en.wikipedia.org/wiki/Web_of_trust
https://www.gnupg.org/gph/en/manual.html#AEN554
Somebody's been trying to fix that with https://keybase.io/
edit: None left, sorry!
edit: they are all gone.
Edit: invite count update
Their Senior Director of Business Development, Roberto Galoppini, said this in the comments to the link above:
"Developers opt in and are compensated, they are in control both of the installer behavior and of what sort of secondary offerings will be presented to their user base. Moreover they are not asked to integrate their application with a third parties' piece of code, and maintaining a bundled and unbundled version is trivial for them.
End-users are provided with a transparent installer behavior, all programs are malware-free and honestly described. All uninstall procedures are extensively tested, both for open source applications and third parties' offerings."
Ah, "professional management"… the beginning of the end of any good company.
Anyway, I'd still complain if someone tried to serve me free food on a dirty plate.
I don't know why the original submitter submitted a sourceforge link; maybe it should be replaced with a github link.
Check it out here: https://www.tinfoilsecurity.com/vpn/new
Our script: https://github.com/tinfoil/openvpn_autoconfig/blob/master/bi...
And with all that one is expected to trust ones key to that site? (the way the page is setup I guess the target audience can not even be expected to know what a "key" is, or why they would even need to trust that site even if they did use it)
At the very bottom, in the fine-print, there is a link to a blog post. Great. Start with that! Move the whole page to the bottom of the blog post. "But that will hurt adoptability". GREAT! No one in the in their right mind should be "securing their internets with some cloud thing that some dude recommended" in under 30 seconds anyway.
This is only encouraging people being gullible which is kind of ironic since the aim seems to be to help people not trusting public wifi.
Is there any chance you could make a version wrapped in stunnel to help with countries which are able to detect OpenVPN traffic, such as China?
I've tried several times, it's way more difficult than I thought, and when I've some success, performance is, at best, disappointing. And that's using 1GB/s dedicated server.
Configure from the panel. I use ThreatSpike labs. Too easy.
https://github.com/Nyr/openvpn-install
https://www.softether.org/
It supports SSL VPN to boot.
I already think of OpenVPN as not being simple enough.
If you do it for the skillz, sure, but otherwise it's completely pointless.
Edit: Just to make it clear, that wasn't directed at the project here, but at some of the comments in this and other VPN-related threads. Another VPN protocol and implementation is always cool. (although Windows users need love too)