Security Details

(The Geeky Bits)

Software Binaries

  • We use open source OpenVPN clients with the exception of Tunnelblick on Apple Macs
  • OpenVPN has recently been reviewed by independent security experts to ensure it is free of bugs and back-doors
  • OpenVPN is less likely to be removed from app stores

OpenVPN

We optimise your encrypted connection to balance both speed and security.

  • TLS 1.2 – We use at least TLS 1.2, which is the best protocol currently available
  • Certificate Key 3072 – Both NSA and ANSSI recommend at least 3072 bits for a future-proof key
  • Signature Hash – SHA-256
  • Data Channel Cipher – AES-128-CBC. AES-256 is 40% slower than AES-128, and there isn’t any real reason to use a 256-bit key over a 128-bit key with AES (sources: [1], [2]). AES-256 is more vulnerable to timing attacks
  • Control Channel Cipher – TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
  • Diffie-Hellman Key – 3072-bit DH key; both NSA and ANSSI recommend at least a 3072-bit future-proof key
  • HMAC Authentication Algorithm – SHA-256
  • TLS-Auth – Enabled
  • No logging, no data captured – We only hold data to manage your authentication on a server and to manage a device limit
  • We do not allow onion routing
  • We do not allow P2P port forwarding. We also block torrents where applicable laws are in force
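As an added example (not the provider's own configuration), the constructed server.conf fragment below expresses the settings listed above using real OpenVPN 2.x directive names, and a small POSIX shell audit function rejects any profile that is missing one of them. The file names and the legacy profile are placeholders constructed for illustration; the 3072-bit certificate and DH sizes live inside the PEM files and are not checked here.

```shell
# Constructed server.conf fragment expressing the settings listed above.
# Directive names are real OpenVPN 2.x options; file names are placeholders,
# and the 3072-bit certificate and DH sizes live inside those PEM files.
SERVER_CONF='port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh3072.pem
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
cipher AES-128-CBC
auth SHA256
tls-auth ta.key 0
log /dev/null'

# Constructed legacy profile the audit should reject: TLS 1.0 floor,
# Blowfish data cipher, SHA-1 HMAC, no tls-auth, and a status file on disk.
LEGACY_CONF='dh dh1024.pem
tls-version-min 1.0
cipher BF-CBC
auth SHA1
status /var/log/openvpn-status.log'

# need PATTERN MESSAGE: record a failure unless some line of $CONF matches.
need() {
  printf '%s\n' "$CONF" | grep -Eq "$1" || { echo "  FAIL: $2"; rc=1; }
}
# check_policy CONFIG_TEXT: 0 if every setting on this page is present, 1 otherwise.
check_policy() {
  CONF=$1
  rc=0
  need '^tls-version-min[[:space:]]+1\.[23]$' 'TLS floor is below 1.2'
  need '^tls-cipher[[:space:]]+TLS-DHE-RSA-WITH-AES-128-GCM-SHA256$' 'control channel suite differs'
  need '^cipher[[:space:]]+AES-128-CBC$' 'data channel cipher is not AES-128-CBC'
  need '^auth[[:space:]]+SHA256$' 'HMAC algorithm is not SHA-256'
  need '^tls-auth[[:space:]]+' 'tls-auth is not enabled'
  # Any log, log-append or status directive must point at /dev/null.
  if printf '%s\n' "$CONF" | grep -E '^(log|log-append|status)[[:space:]]' | grep -Evq '/dev/null'; then
    echo '  FAIL: a log or status file other than /dev/null is configured'
    rc=1
  fi
  return $rc
}
check_policy "$SERVER_CONF" && echo 'server.conf: meets the policy'
check_policy "$LEGACY_CONF" || echo 'legacy.conf: rejected'
```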

Website

  • The website is independent of the OpenVPN servers; when connected you are identified only by a hash
  • Fully SSL-enabled site – payments are also forced over SSL
  • You can review our SSL certificate and website tests here
  • We do not hold your credit/debit card details; these are managed by the payment gateway, whose site you can visit at www.stripe.com
  • The website and associated data are protected by multiple firewalls and intrusion detection platforms

Tracking and Ad Blocking

  • We maintain a large database and block over 1 million domains, updated daily
  • We maintain multiple DNS servers to route all internet requests and we validate DNSSEC signatures to ensure no third-party can interfere with your browsing
  • We route all recognised domains and patterns to a local address, meaning the tracking code and adverts never reach your device
  • We do not inject any code or advertisements in any way

Logging

  • We separate out website and VPN servers entirely. An active account and connection is referenced via a one way hash only.
  • All logging is disabled or output to /dev/null. We are unable to provide any details of individual traffic/web activity if we were asked to do so.
  • We run automated traffic obfuscators on all our servers that randomly navigate child-safe content.

Have any questions or concerns? Feel free to contact us for more information.