
Proxy.sh thoughts?


Proxy.sh thoughts?

Postby ntldr » Sun Feb 01, 2015 4:40 pm

Hello

I'd like to hear Cryptostorm's thoughts about proxy.sh, if you guys have any to share? :think:


Re: Proxy.sh thoughts?

Postby parityboy » Sun Feb 08, 2015 10:10 pm

@OP

Well, the privacy policy is here, but this is the interesting part (after claiming that they are the only VPN provider that lets you know what's going on behind the scenes):


BY USING THIS WEBSITE AND/OR SERVICES, YOU AGREE THAT YOU CONSENT TO THIS PRIVACY POLICY AND ANY CHANGES HERETO IN THE FUTURE. YOU AGREE THAT PROXY.SH MAY MAKE CHANGES TO THIS PRIVACY POLICY AT ANY TIME WITHOUT ANY GIVEN NOTICE AT ITS DISCRETION.



So ummm....yeah.


Re: Proxy.sh thoughts?

Postby parityboy » Sun Feb 08, 2015 11:19 pm

@OP

Ars ran this policy by Nate Cardozo, a staff attorney at the Electronic Frontier Foundation. (Full disclosure: he's a friend of the author and grew up in the same town.)

He called Proxy.sh’s policy the “single worst policy I’ve seen.”

“No exaggeration,” he said over chat. “Seriously. The very worst government requests are exactly the only ones that they'll honor.”


Source


Re: Proxy.sh thoughts?

Postby ntldr » Tue Feb 10, 2015 1:15 am

parityboy wrote:
@OP

Ars ran this policy by Nate Cardozo, a staff attorney at the Electronic Frontier Foundation. (Full disclosure: he's a friend of the author and grew up in the same town.)

He called Proxy.sh’s policy the “single worst policy I’ve seen.”

“No exaggeration,” he said over chat. “Seriously. The very worst government requests are exactly the only ones that they'll honor.”


Source


Can you tell if the network status page is bullshit?



accuracy of proxy.sh status page?

Postby Pattern_Juggled » Thu Feb 12, 2015 8:54 pm

ntldr wrote:Can you tell if the network status page is bullshit?


What we've done before is write a polling script to pull raw data from such status pages, dump them to text, and then plot the results to see if there's obvious issues with the distribution of point-pairs over time. Usually, there is.

That's one reason we moved to an uptime reporting framework that's entirely independent of our control, via our pingdom-powered uptime scoreboard. It limits the kind of customisation we can do to the presentation, admittedly, but the upside for everyone is that the stats presented there are genuine and can be validated as such given pingdom's independent collation of them.

Cheers,

~ pj
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉

    ✨ ✨ ✨
pj@ðëëþ.bekeybase pgpmit pgpðørkßöt-on-consolegit 'er github
bitmessage:
BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f
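
A sketch of the kind of check described in the post above, as an added example that is not cryptostorm's own script: it reads a text dump of polled status-page values and flags series that look canned. The `unix_ts value` dump format, the three heuristics, the 0.2 threshold and every function name are assumptions made here, and the sample series are constructed.

```python
def parse_dump(text):
    """Parse 'unix_ts value' lines (assumed dump format) into sorted point-pairs."""
    pairs = []
    for line in text.strip().splitlines():
        ts, value = line.split()
        pairs.append((int(ts), float(value)))
    return sorted(pairs)

def lag1_autocorr(values):
    """Correlation between each sample and the one polled right after it."""
    mean = sum(values) / len(values)
    den = sum((v - mean) ** 2 for v in values)
    num = sum((a - mean) * (b - mean) for a, b in zip(values, values[1:]))
    return num / den

def loop_period(values):
    """Shortest period at which the whole series repeats exactly, else None."""
    n = len(values)
    for p in range(1, n // 2 + 1):
        if all(values[i] == values[i + p] for i in range(n - p)):
            return p
    return None

def assess(pairs, min_corr=0.2):
    """Return flags for a series of (ts, value) polls; empty list = nothing odd."""
    values = [v for _, v in pairs]
    if len(set(values)) == 1:
        return ["flat"]                     # the reported value never moves
    flags = []
    if loop_period(values):
        flags.append("loop")                # a fixed sequence is being replayed
    if lag1_autocorr(values) < min_corr:
        flags.append("no_persistence")      # each poll is unrelated to the last
    return flags

def make_dump(values, start=1423700000, step=300):
    """Build a constructed text dump, one poll every `step` seconds."""
    return "\n".join(f"{start + i * step} {v}" for i, v in enumerate(values))

# Constructed "node load %" series for illustration, not real measurements.
PLAUSIBLE = make_dump([31, 33, 36, 40, 45, 47, 46, 42, 38, 35, 33, 30])
LOOPED = make_dump([40, 55, 47, 62] * 3)
JUMPY = make_dump([12, 71, 38, 90, 25, 64, 7, 83, 49, 18, 76, 33])
FLAT = make_dump([99.9] * 12)

if __name__ == "__main__":
    for name, dump in [("plausible", PLAUSIBLE), ("looped", LOOPED),
                       ("jumpy", JUMPY), ("flat", FLAT)]:
        print(name, assess(parse_dump(dump)))
```

A flag is a reason to look closer at the plot, not proof of fabrication; a genuinely idle node can report a flat value.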


Re: accuracy of proxy.sh status page?

Postby ntldr » Fri Feb 13, 2015 12:42 am

Pattern_Juggled wrote:
ntldr wrote:Can you tell if the network status page is bullshit?


What we've done before is write a polling script to pull raw data from such status pages, dump them to text, and then plot the results to see if there's obvious issues with the distribution of point-pairs over time. Usually, there is.

That's one reason we moved to an uptime reporting framework that's entirely independent of our control, via our pingdom-powered uptime scoreboard. It limits the kind of customisation we can do to the presentation, admittedly, but the upside for everyone is that the stats presented there are genuine and can be validated as such given pingdom's independent collation of them.

Cheers,

~ pj


I'm curious, but which file do I have to give you to check whether, while connecting to their node, it's giving out my real IP to them? I mean, if they say there's no logging, isn't this wrong... so?


logging, no-logging, & verifying no-logs policies

Postby Pattern_Juggled » Fri Feb 13, 2015 4:52 am

ntldr wrote:I'm curious, but which file do I have to give you to check whether, while connecting to their node, it's giving out my real IP to them? I mean, if they say there's no logging, isn't this wrong... so?


It is impossible, to my knowledge in any case, to connect to a "VPN service" node/server without in doing so exposing one's physical/local IP address to that node in the process. If there's a clever way to provably obfuscate that information during connect, I'd love to study it more... and we've a few "blue sky" concepts in that space that are down-the-road research projects for "spare time" fiddling (ha).

Our solution to this has been to modify the source code of the openvpn instances running on our nodes, so the physical IP of connected members is not used as an internal-process tracking key... this removes not only logging, but the capability of logging, from our production infrastructure. Those mods are published in full in this forum thread: logs.cryptostorm.org.

There's no way to confirm or disconfirm, via external means, whether a "VPN service" is keeping logs, or not. It comes down to trust - which basically sucks, in terms of technical solutions... but that's the reality of things. There's enough examples of "no-logging" services that are caught red-handed turning over logs to third parties to make such trust a hard thing to earn. We've earned that trust, we feel, over many years of service provisioning and a demonstrated record of never turning over the logs which we really don't retain and have never retained.

Often looking at Terms of Service will show a direct contradiction between a "no logging" claim on one marketing page, and in the ToS an admission that logs are actually maintained. This is so common that we've basically stopped flagging such situations, as it becomes essentially routine.

In 2007 when "no logging" was first pioneered by several folks who are now on the cryptostorm team, it was considered to be "illegal, irresponsible, and totally impractical." In the span of five years, it went from that to a standard marketing claim every company now makes. Which is sort of sad, to me anyhow. At the time we pioneered it, no-logging was profoundly revolutionary... mostly because we actually didn't (and don't) keep any logs.

Finally, of course, our move to token-based authentication means that even if we did keep logs (which we don't - and we can't, per source edits posted above), those logs don't connect back to real-life identity of human beings. Which is exactly the point, tbh.

Cheers,

~ pj


Re: Proxy.sh thoughts?

Postby ntldr » Mon May 04, 2015 7:10 pm

We are happy to announce that we have just updated our Ethical Policy with a revisited text. In fine, this new Ethical Policy essentially remains the same. It explains we will actively alert legitimate authorities when a truly noxious abuse occurs across our network whereas we will at the same time transparently inform our users about both the abuse and our attitude towards it.

We believe this new version adds more clarity to what our ethics has always been, and that it should properly answer the questions but also the misconceived thoughts people may have when it comes to this singularity that makes Proxy.sh so special.

We hope you will appreciate this update and that it will give you even further assurance that you are part of the finest VPN network.


https://proxy.sh/panel/knowledgebase/5/Ethical-policy.html

hm... :D

