First, it looks good that you declare who you are. Many VPN providers seem to want to hide their real identities, which is a big red flag.
I couldn't see from the website what your VPN is based on in terms of protocol? Or home brewed? OpenVPN?
Have you had 3rd party audits?
Have you considered alternative payment forms? Such as Bitcoin or other?
From your Terms of Service 'What we do not allow on or from our network...' how do you track these? Do you provide a transparency report summarising legal, copyright etc requests made, action taken?
Also from ToS 'What we need our customers to do:
- Use responsible disclosure in the event any security vulnerabilities occur in our website, software or infrastructure.' Do you have a public disclosure policy notifying of vulnerabilities?
Choosing a VPN involves placing a lot of trust in a 3rd party. Hence questions.
> First, it looks good that you declare who you are. Many VPN providers seem to want to hide their real identities, which is a big red flag.
While I agree that, as a user, knowing who's behind a service, and in particular a VPN, can help build trust, there are several good reasons why you would want to remain anonymous when running a VPN or any privacy service like secure email and encryption tools. You will be targeted by multiple parties. The technical side of this challenge (both that of operating services like these and that of being a target) is complicated enough. Operator anonymity can mitigate some threats, from social engineering to physical threats, pressure, legal and otherwise, from a range of parties. Anyone with experience in these matters knows what I'm referring to, and don't think for a second operating outside of the US makes that much of a difference. The world is small. Many parties do not play by any rules besides their own.
> Operator anonymity can mitigate some threats, from social engineering to physical threats, pressure, legal and otherwise, from a range of parties.
And yet, Mullvad (Sweden), which seems to be one of the most trusted VPN providers without affiliate marketing, has no issues with publicly listing the names of every single member of the team[1].
> Do you know anything about how or if Mullvad cooperates with domestic and foreign entities?
I am not aware of this, but unlike the majority of VPN providers, Mullvad at least does not require any personally identifiable information, such as an email address, in order to use it.
And most VPN providers that hide their real locations, such as ExpressVPN (Hong Kong)[1], NordVPN and ProtonVPN (both Lithuania)[2], are just creating an illusion of privacy for their unsuspecting users.
Yes... at this point, IMO, there are no VPN providers that can be trusted to not sell you out (or your data). It's all very shady.
As I have said in previous comments, I currently use ProtonVPN, but my use case, like many others, is simply avoiding geo-blocks and not leaving my real IP everywhere.
Though, I do think, that if they make money off my data, and they probably do, the service should not charge a subscription (indeed ProtonVPN has a free plan, but it's a bit limited).
WifiMask uses OpenVPN for the macOS app and IKEv2/IPSec for iOS.
We haven't had 3rd party audits yet; this is definitely on our wish list, because we understand it's all about trust.
Alternative payments like bitcoin are on the list as well; we aim for total anonymity for our users, and payments are part of that.
To be honest, we can't track any illegal activity, because we have a strict no-log policy; all we can do now is say it is not allowed. We have nothing to hand over to law enforcement either; they have to find different ways of getting the information they want. We should investigate and think about transparency reports and a public disclosure policy too, thanks!
I have no affiliation with the service, but I assume that:
1. They're small
2. They're new
3. Their team has more experience developing for Apple devices, thus it was quicker to release for those devices first before tackling Windows, Android, and/or Linux.
What they could do in the meantime is create a web-based tool to generate configurations for OpenVPN and/or WireGuard, like Mullvad does.
EDIT: "We will never share your personal information with any third party, except when we need to respond to a legal request from Dutch authorities" - https://www.wifimask.com/terms
As a VPN service that means it is not thoughtful about privacy.
As a counterpoint: any VPN service that claims that they will ignore the authorities' legal requests is lying. No matter what, as soon as it is a business, has a registered address and a nominal director, it can be put under pressure.
I think this is true. We want to be as honest and open as possible, and that includes being honest about the laws we have to comply with. On the other hand, we have a strict no-log policy; we have nothing to hand over to authorities except for the registered email address, a hashed password and the last 4 digits of a credit card. Authorities will need to find different ways to get the information they want.
A 'no log policy' is a hard one, it may be true but you can't really prove a negative. So it is as good as your word and your reputation, which in this case may be very good but it may not be enough to reduce skepticism.
FWIW I do tech DD for a living and I've seen several places that had 'no log' policies on the outside and yet they would occasionally - or even structurally - log data in order to comply with the law.
The 'WBT' (retention duty for telecommunications data) has been disbanded, which should work to your advantage, but the GDPR makes explicit room for the accommodation of legal and regulatory requirements, and this in turn may transcend your 'no log' policy. Please make sure you have appropriate legal advice on the subject; it is complex, and getting it wrong can really bite you.
Your comment makes me think of a "Warrant canary" which we could set up to inform our customers that we have been served with a government subpoena:
https://en.wikipedia.org/wiki/Warrant_canary
Obviously if they are a Dutch company, then they must comply with Dutch regulations and authority demands. This is to be expected.
What is under their control (which I have not investigated) is how much logging they do. If they do the absolute minimal logging, then there's very little for the Dutch authorities to review. This of course excludes the very likely possibility that the overly performant Dutch intelligence service is monitoring everything from every angle (they have thus far proven to be very, very capable of doing so).
I've worked with the founder (Joost H., Remy says hi). Can vouch for him, all-round good tech guy. He was a Windows server admin at a big cloud provider (CloudVPS); I was one of the Linux guys. He knows his way around Windows, Hyper-V and clustering. Even some Linux. Quit his job to work full time on the startup with his brother.
Big plus one here. I'd trust wifimask if I wasn't capable of hosting my own servers and needed a VPN.
I don't care about your stack or disclosing who you are just please don't lie to us about logging. Either you log everything or you log nothing or you encrypt everything and throw away the key or something. Dissidents and journalists everywhere will thank you.
Nice. Wifimask looks promising, esp with ad-blocking built-in. A few questions:
Where do you purchase your servers from?
How trustworthy are the underlying VPS providers across different countries that you've got presence in?
It was recently pointed out that PIA was $30 million in debt... Looks like VPN is a brutal business, but your pricing is (low?) at $4 for unlimited devices and you're bootstrapped. How do you manage to pull it off?
What are the upcoming features that you plan? Consequently, what are the most requested features?
All servers are purchased from Digital Ocean only at the moment. I think it is very important to buy servers from a trustworthy party, especially in the VPN business, even if that means we pay a little bit extra.
VPN is a brutal business. But because we are bootstrapped, and thus have no screaming investors/banks behind our backs, and we are a small team, costs are low and there's no one who can pull the plug but ourselves. I don't know how many people are working for PIA, but in my opinion you don't need tens or hundreds of people to build and run a VPN company. I'm not very surprised they are supposedly in that much debt.
The most requested feature is an Android app. ;-) And unblocking Netflix of course, but they seem to get even better at blocking VPNs than the Great Firewall of China.
What would your feature request be? :-)
> All servers are purchased from Digital Ocean only at the moment.
Are there any legal or technical reasons to prefer DigitalOcean over OVH and Hetzner? They seem to be both, much more cost-efficient, and much more privacy-oriented.
As I see it, many main stream users use such a service to avoid geo blocking. Which is a feature you call teleporting. How do you plan to resolve the problem of Netflix/Amazon Prime blacklisting your VPN servers' IPs? Obviously this is part of your product as you list it as a feature. Hence, people might argue that your product is faulty and ask you to return their money.
We have now sort of "hidden" the information that Netflix is not unblockable under the FAQ part of this page: https://wifimask.com/contact
Maybe we should say we cannot unblock Netflix on the front page, because I also realize that's why a lot of people are looking for a VPN that does.
Nevertheless, besides Netflix, there is still a lot of content to be unblocked. And of course, if unblocking Netflix was the main reason to get WifiMask and it doesn't work, you'll get your money back.
It does appear to be openvpn based, but if they were focused on launching their product and only had apple products on hand then that's likely why it's mac/ios only.
I'd expect that they'll have other platforms soon.
All true. You have to start somewhere, and the first focus was on Apple devices, apps for other platforms will soon follow. Meanwhile examples of OpenVPN config files are available too, so you can use the WifiMask service on any OpenVPN capable device:
https://www.wifimask.com/contact#androidwindows
- You load a number of JS files from third party CDNs including Cloudflare and Google without subresource integrity
- What does this offer me? It seems a lot more restrictive than other companies at lower price points, inability to use it on own libre devices, requiring proprietary software? How is this significantly different than renting a VM or two?
- Based on your cipher list in features, this is an openvpn wrapper?
- "WifiMask will also use your Personal Data to provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about." - This sounds like there is no opt out, no "if you choose to", just that special offers are mandatory to receive
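On the subresource integrity point in the list above: the following is an added example, not code from WifiMask or from the commenter, showing how the `integrity` attribute is computed and what the browser checks when the CDN copy does not match. The script body and the CDN URL are constructed for the demo; in practice you hash the exact bytes the CDN serves.

```python
"""Compute and verify Subresource Integrity (SRI) hashes.

Added example, not WifiMask's code.  SAMPLE_SCRIPT stands in for a
third-party script body served from a CDN.
"""
import base64
import hashlib
import hmac

# Constructed sample: pretend this is the JS file the CDN serves.
SAMPLE_SCRIPT = b"(function(){console.log('hello from a CDN');})();\n"

ALLOWED = ("sha256", "sha384", "sha512")  # the only algorithms SRI permits


def sri_hash(body: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value, e.g. 'sha384-<base64 digest>'."""
    if algorithm not in ALLOWED:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, body).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build a <script> tag pinning the resource to its hash.

    crossorigin="anonymous" is required for the browser to enforce SRI on a
    cross-origin resource such as a CDN on another host.
    """
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def verify_sri(body: bytes, integrity: str) -> bool:
    """Replicate the browser-side check: does the fetched body match the
    integrity attribute?  A modified or swapped file fails and is not run.

    The attribute may list several hashes separated by whitespace; here any
    exact match passes (browsers prefer the strongest algorithm listed).
    """
    for token in integrity.split():
        algorithm, _, expected = token.partition("-")
        if algorithm not in ALLOWED:
            continue  # unknown tokens are ignored, as browsers do
        actual = sri_hash(body, algorithm).split("-", 1)[1]
        if hmac.compare_digest(actual, expected):
            return True
    return False


if __name__ == "__main__":
    tag = script_tag("https://cdn.example/lib.js", SAMPLE_SCRIPT)
    print(tag)
    pinned = sri_hash(SAMPLE_SCRIPT)
    print("unmodified passes:", verify_sri(SAMPLE_SCRIPT, pinned))
    tampered = SAMPLE_SCRIPT.replace(b"hello", b"pwned")
    print("tampered passes:  ", verify_sri(tampered, pinned))
```

Generate the attribute once per release of the pinned file and put it in the HTML; if the CDN (or anyone between it and the visitor) changes the file, the browser refuses to execute it instead of silently running the new code.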
Many thanks for your feedback! Much appreciated. The missing newlines and subresource integrity are now fixed. The Privacy Policy is now updated with information on how to opt-out.
WifiMask uses OpenVPN for the macOS app and IKEv2/IPSec for iOS. Examples of OpenVPN config files can be found at https://www.wifimask.com/contact#androidwindows which allows you to use the WifiMask service on every OpenVPN capable device. Meanwhile an Android and Windows app are in development, so stay tuned. ;-)
The optional 2FA used is Authy. You activate Authy with your phone number only once; after that you use Authy to log in to your account. So 2FA is not done through SMS text messages, for example, where hijacking could be a problem.
Good one with the list of hostnames, I will prepare one, for now you can take a look at this JSON file:
Authy is absolutely not acceptable for privacy applications like VPNs. Authy stores user information on third-party servers, when there are plenty of 2FA apps that work locally on the user's device.
The fact that Authy refused to delete user accounts (before they were acquired by Twilio), even when they promised to do so in their terms of service, is also very concerning:
As a minor nitpick, I dislike the term "Holland" when referring to the Netherlands. Additionally, you're based in Den Bosch, which is not even in Holland.
You can blame the Dutch Tourism board for that, they unilaterally declared 'The Netherlands' to be too complicated for marketing purposes and decided on Holland.
So, from on high: Den Bosch is now also in Holland, as are Maastricht, Enschede, Middelburg and Groningen, to great chagrin of those living there. It's been a major point of contention between the NBTC and almost all of the rest of the country but 'Made in Holland' has displaced 'Made in The Netherlands' for quite a while now.
"From now on the Netherlands and the Kingdom of the Netherlands can be recognised internationally by a new logo. The logo is characterised by two symbols: NL and a stylised orange tulip. The logo replaces the much used ‘Holland tulip’ of the Netherlands Board of Tourism & Conventions’ (NBTC)”
I think it will be ‘a while’ before ‘Holland’ is gone, if only because ’Nederland’ doesn’t work well in cheering on sports teams.
That's great news. I was in the midst of that when it was first announced and the NBTC still shows the old logo. Excellent - and very timely - news. I never did like the 'Holland' bit, it seemed like a dumbed down version, marketeers taking over tradition.
I was thinking/reconsidering this same thing today too! ;-) I have to discuss with my brother, but I think it will be changed soon into "Made in the Netherlands". Thanks for the feedback. ;-)
May I suggest to turn off logging for your own server too? :-) Anyone with physical access to the server can access the logs, maybe even when the disks are encrypted, I can imagine someone with the right knowledge can extract the key from RAM on a running server:
I have seen this throughout macOS lately with other apps too, a rightclick will show you the paste option btw. Meanwhile I will investigate this, thanks!
I'm not sure I agree with pushing responsibilities on customers. If you miss some security item or if you make my account a super admin on signup I shouldn't have some responsibility to help you fix it.
What we need our customers to do:
- Use responsible disclosure in the event any security vulnerabilities occur in our website, software or infrastructure.
I will rephrase it, the intention is not to push responsibilities, we are merely asking our customers to let us know if they ever find a vulnerability. Thanks for the feedback!
Talking about mobile-only VPN: you can also check "Warp+" (https://1.1.1.1/) from Cloudflare - unlimited traffic starting from $1/month (depends on your region)
Hi, thanks for the post.
I'm also trying to develop a VPN for personal use, between me and my friends. Do you have any tips on how to generate the credentials for each user automatically?
Using a database for user authentication, you could write a script to fill the database with some usernames and passwords.
Or create a webfrontend for users to register their own usernames and passwords.
Yes, thanks, that's a good idea. I was also wondering how OpenVPN behaves with different connections, if it can handle multiple users simultaneously or not.
You could generate a certificate for each user, but without the duplicate-cn option a user is only allowed 1 connection to the same server. You can also use username/password authentication instead of certificates, also in this case you'll need to set the duplicate-cn option to allow multiple connections from the same user to the same server, because in this case you use the option username-as-common-name and the CN (common name) will then be the username.
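For the username/password path described in the reply above, this is an added example (not WifiMask's code or the commenter's) of an `auth-user-pass-verify` script for OpenVPN's `via-file` mode. The server config lines it assumes are typical settings, not a config from the page:

    auth-user-pass-verify /etc/openvpn/verify.py via-file
    username-as-common-name
    duplicate-cn

OpenVPN writes the username on line 1 and the password on line 2 of a temporary file and runs the script with that path as its only argument; exit status 0 accepts the login, anything else rejects it. The credential store is constructed for the demo and holds salted PBKDF2 hashes, so a leaked store does not hand out plaintext passwords.

```python
"""OpenVPN auth-user-pass-verify helper (via-file mode).

Added example, not WifiMask's code.  Usernames become the client's CN via
username-as-common-name; duplicate-cn lets one user hold several sessions.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import sys

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


def make_record(password: str, salt: bytes | None = None,
                iterations: int = ITERATIONS) -> str:
    """Hash a password for the store: 'pbkdf2_sha256$iters$salthex$hashhex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Constant-time check of a password against a stored record."""
    try:
        scheme, iters, salt_hex, hash_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iters))
    except (ValueError, TypeError):
        return False  # malformed record: never accept
    return hmac.compare_digest(digest.hex(), hash_hex)


def parse_via_file(text: str) -> tuple[str, str] | None:
    """Parse OpenVPN's via-file contents: username on line 1, password on 2."""
    lines = text.split("\n")
    if len(lines) < 2 or not lines[0]:
        return None
    return lines[0], lines[1]


# Constructed credential store for the demo (fixed salt so output is stable).
DEMO_STORE = {
    "alice": make_record("correct horse battery staple", salt=b"\x01" * 16),
}
# Used for unknown users so a lookup miss costs the same time as a real check.
DUMMY_RECORD = make_record("not-a-real-password", salt=b"\x02" * 16)


def authenticate(text: str, store: dict[str, str]) -> bool:
    """Accept only if the user exists and the password matches."""
    parsed = parse_via_file(text)
    if parsed is None:
        return False
    username, password = parsed
    record = store.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)  # equalise timing, still reject
        return False
    return verify_password(password, record)


def main(argv: list[str]) -> int:
    """Entry point OpenVPN calls: argv[1] is the temporary credentials file."""
    if len(argv) != 2:
        return 1
    with open(argv[1], encoding="utf-8") as fh:
        return 0 if authenticate(fh.read(), DEMO_STORE) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In production the store would be a file or database written by whatever signup flow you choose (the script-filled database or the web front end suggested above); the verifier only ever needs to read it. Keep `duplicate-cn` off unless you really want one account shared across devices, since with it on a leaked password gives an attacker a session without kicking the legitimate user off.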
Feedback: Installing a dedicated app is a blocker for me, and I imagine it is for people more paranoid about security. I would prefer to use Tunnelblick + a config file.
Dedicated VPN apps would be more acceptable if they were open source. A few other VPN services (e.g. Mullvad) open source their apps for transparency, and it would be great to see WifiMask do the same. Open source apps would be a distinguishing feature in what many users see as a commodity service.
We preferably launch once in a while. ;-)
This is not really a launch btw, although it's getting a launch with upvotes on HN this time. But I just wanted to show the current state of WifiMask, it took some time to work on it more and there is still a lot of work to do, like Android and Windows apps.
Suggestion for the macOS menubar icon. Make the icon change colour to red when disconnected or the VPN is not in use. Maybe even a notification should be displayed.
BREIN doesn't care if you use a VPN to protect your privacy and security when you're not doing anything illegal. Especially not when you're connected to a VPN server somewhere on the other side of the planet. ;-)
very reasonably priced, if I had a mac I'd be trying it out.
What I want is a VPN that fools the BBC into thinking I'm in the UK. They're wise to my current one, PIA.
Unfortunately not yet, but we are working on it. Meanwhile we have example OpenVPN config files available, which you can use for OpenVPN on Android too: https://www.wifimask.com/contact#androidwindows