Security Details
(The Geeky Bits)
Software Binaries
- We use open source OpenVPN clients with the exception of Tunnelblick on Apple Macs
- OpenVPN has recently been reviewed by independent security experts to ensure it is free of bugs and back-doors
- OpenVPN is less likely to be removed from app stores
OpenVPN
We optimise your encrypted connection to balance both speed and security.
- TLS 1.2 – We use at least TLS 1.2, which is the best protocol version currently available
- Certificate Key – 3072 bits. Both NSA and ANSSI recommend at least 3072 bits for a future-proof key
- Signature Hash – SHA-256
- Data Channel Cipher – AES-128-CBC. AES-256 is 40% slower than AES-128, and there isn’t any real reason to use a 256-bit key over a 128-bit key with AES (Source: [1], [2]). AES-256 is more vulnerable to timing attacks
- Control Channel Cipher – TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
- Diffie-Hellman Key – 3072-bit DH key. Both NSA and ANSSI recommend at least a 3072-bit key as future-proof
- HMAC Authentication Algorithm – SHA-256
- TLS-Auth – Enabled
- No logging, no data captured – We only hold data to manage your authentication on a server and to manage a device limit
- We do not allow onion routing
- We do not allow P2P port forwarding. We also block torrents where applicable laws are in force
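The parameters listed above correspond to directives a subscriber can verify in the OpenVPN profile they are given. The following is an added example, not the provider's own tooling: it parses a client profile, then checks the minimum TLS version, the data-channel cipher, the HMAC algorithm, the control-channel suite and that tls-auth is enabled. The directive names are OpenVPN's own; the sample profile and its hostname are constructed, and the key material in the inline block is a placeholder.

```python
"""Audit an OpenVPN client profile (.ovpn) against the parameters listed above.
Added example, not the provider's tooling; directive names are OpenVPN's."""
import re

# Policy derived from the bullet list: TLS >= 1.2, AES-128-CBC data cipher,
# SHA-256 HMAC, the named DHE-RSA control-channel suite, tls-auth enabled.
EXPECTED_CIPHER = "AES-128-CBC"
EXPECTED_AUTH = "SHA256"
EXPECTED_TLS_SUITE = "TLS-DHE-RSA-WITH-AES-128-GCM-SHA256"
MIN_TLS = (1, 2)


def parse_profile(text):
    """Split a profile into directives {name: [args]} and the set of inline blocks.

    Later occurrences of a directive overwrite earlier ones. Lines starting with
    '#' or ';' are comments; <name>...</name> blocks (inline ca, cert, tls-auth)
    are recorded by name and their contents skipped.
    """
    directives, blocks, in_block = {}, set(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        m = re.fullmatch(r"<([a-z0-9-]+)>", line)
        if m:
            in_block = m.group(1)
            blocks.add(in_block)
            continue
        name, *args = line.split()
        directives[name] = args
    return directives, blocks


def _tls_version(args):
    """Return (major, minor) from 'tls-version-min 1.2 [or-highest]'; (0, 0) if absent."""
    if not args:
        return (0, 0)
    try:
        major, minor = args[0].split(".")
        return (int(major), int(minor))
    except ValueError:
        return (0, 0)


def audit_profile(text):
    """Return {check_name: bool} for the checks the parameter list implies."""
    d, blocks = parse_profile(text)
    tls_cipher = (d.get("tls-cipher") or [""])[0].split(":")
    return {
        "tls_min_1_2": _tls_version(d.get("tls-version-min")) >= MIN_TLS,
        "data_cipher": d.get("cipher") == [EXPECTED_CIPHER],
        "hmac_sha256": d.get("auth") == [EXPECTED_AUTH],
        "control_suite": EXPECTED_TLS_SUITE in tls_cipher,
        # tls-auth may be a file reference or an inline <tls-auth> block
        "tls_auth": "tls-auth" in d or "tls-auth" in blocks,
    }


# Constructed sample profile, not a real provider config; key is a placeholder.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
tls-version-min 1.2
cipher AES-128-CBC
auth SHA256
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
00000000000000000000000000000000
-----END OpenVPN Static key V1-----
</tls-auth>
"""

# Same profile with two directives removed, to show the audit failing.
WEAK_PROFILE = "\n".join(
    l for l in SAMPLE_PROFILE.splitlines()
    if not l.startswith("tls-version-min") and not l.startswith("tls-cipher")
)

if __name__ == "__main__":
    for label, prof in (("sample", SAMPLE_PROFILE), ("weak", WEAK_PROFILE)):
        result = audit_profile(prof)
        print(label, "PASS" if all(result.values()) else "FAIL", result)
```

The certificate key size and the DH parameter size are not visible in a client profile: the first is a property of the CA and server certificates (`openssl x509 -in ca.crt -noout -text` prints the public key size), and the DH parameters live only on the server (`openssl dhparam -in dh.pem -noout -text`), so those two bullets have to be checked separately.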
Website
- The website is independent from the OpenVPN servers; you are only identified by a hash when connected
- Fully SSL enabled site – Payments are also forced via SSL.
- You can review our SSL certificate and website tests Here
- We do not hold your credit/debit card details; these are managed by the payment gateway, whose site you can visit here: www.stripe.com
- The website and associated data are protected by multiple firewalls and intrusion detection platforms
Tracking and Ad Blocking
- We maintain a large database and block over 1 million domains, updated daily
- We maintain multiple DNS servers to route all internet requests, and we validate DNSSEC signatures to ensure no third party can interfere with your browsing
- We route all recognised domains and patterns onto a local address meaning the tracking code and adverts never reach your device
- We do not inject any code or advertisements in any way
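The blocking described above is a DNS sinkhole: a resolver that answers a local address for names on the blocklist and resolves everything else normally. The matching logic is where such a setup usually goes wrong, so the added example below (not the provider's resolver) shows the lookup side with the two details that matter: blocked entries must match on label boundaries, so that `ads.example` covers `cdn.ads.example` but not `notads.example`, and an allowlist entry overrides a blocklist entry only when it is more specific. The list lines, domain names and the `0.0.0.0` sinkhole address are all constructed for the example.

```python
"""Blocklist lookup behind a DNS sinkhole: blocked names resolve to a local
address, everything else is passed to normal resolution. Added example, not the
provider's resolver; list format, names and addresses are constructed."""

SINKHOLE_ADDRESS = "0.0.0.0"  # assumed local address returned for blocked names


def load_list(lines):
    """Parse hosts-file style ('0.0.0.0 ads.example') or bare-domain lines into a set.

    Comments after '#' are dropped, names are lower-cased, and a trailing dot
    (absolute DNS name) is stripped so 'ads.example.' and 'ads.example' match.
    """
    names = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        names.add(line.split()[-1].rstrip("."))
    return names


def _matching_entry(qname, names):
    """Return the list entry covering qname, matched on label boundaries.

    Walks from the full name toward the TLD, so the first hit is the most
    specific entry. 'ads.example' covers itself and 'cdn.ads.example' but not
    'notads.example'; substring matching would block the latter as well.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in names:
            return candidate
    return None


def resolve_policy(qname, blocklist, allowlist=frozenset()):
    """Return the sinkhole address if qname is blocked, else None (resolve normally).

    An allowlist entry wins only when it is at least as specific as the blocklist
    entry, so 'cdn.tracker.example' can be allowed under a blocked 'tracker.example'
    without the allowlist quietly unblocking the whole zone.
    """
    blocked = _matching_entry(qname, blocklist)
    if blocked is None:
        return None
    allowed = _matching_entry(qname, allowlist)
    # Both entries are suffixes of qname, so the longer one is the more specific.
    if allowed is not None and len(allowed) >= len(blocked):
        return None
    return SINKHOLE_ADDRESS


# Constructed sample lists in the two common line formats.
BLOCKLIST_LINES = [
    "# constructed sample blocklist",
    "0.0.0.0 tracker.example",
    "ads.example.   # absolute form with trailing dot",
    "metrics.shop.example",
]
ALLOWLIST_LINES = ["cdn.tracker.example  # needed for a site to render"]

BLOCKLIST = load_list(BLOCKLIST_LINES)
ALLOWLIST = load_list(ALLOWLIST_LINES)


def lookup(qname):
    """Policy decision for one query name against the sample lists."""
    return resolve_policy(qname, BLOCKLIST, ALLOWLIST)


if __name__ == "__main__":
    for q in ("tracker.example", "pixel.tracker.example", "cdn.tracker.example",
              "notracker.example", "shop.example", "metrics.shop.example"):
        print(f"{q:28} -> {lookup(q) or 'resolve normally'}")
```

A real deployment would hand `lookup()`'s decision to the resolver (for example as an RPZ zone or a hosts override) rather than calling it per query in Python, but the boundary and precedence rules are the same whichever resolver enforces them.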
Logging
- We separate out website and VPN servers entirely. An active account and connection is referenced via a one way hash only.
- All logging is disabled or output to /dev/null. We are unable to provide any details of individual traffic/web activity if we were asked to do so.
- We run automated traffic obfuscators on all our servers that randomly navigate child-safe content.
Have any questions or concerns? Feel free to contact us for more information.