2013-09-19

I decided to contact the VPN services listed in this article and ask them to provide their PGP/GPG public key.

Here is a short summary:

PROVIDED GPG KEY: AirVPN, BolehVPN, Ipredator, IVPN, Mullvad.

DID NOT PROVIDE GPG KEY: Boxpn, EarthVPN, NordVPN, Private Internet Access, PrivatVPN, Proxy.sh, VikingVPN.

DID NOT RESPOND TO MY E-MAILS: Anonine, BTGuard, Privacy.io, TorGuard, TorrentPrivacy.

NOT CONTACTED: PRQ, Faceless.ME, IPVanish, BlackVPN.
Those companies were not contacted because they either keep logs, or their policies are too vague, or they use a deficient SSL/TLS certificate.

Below you will find their responses to my messages. My name, my e-mail address, and tracking links have been removed. The conclusion is at the end.

AIRVPN:

Quote:

Originally Posted by Me

Hello, please provide your PGP Key. Thanks.

Quote:

Originally Posted by AirVPN

Hello!

Please find our gpg public key attached. Please send us yours at your convenience.

Kind regards

AirVPN Support Team


BOLEHVPN:

Quote:

Originally Posted by Me

Hello, please provide your PGP Key. Thanks.

Quote:

Originally Posted by BolehVPN

Hi there. We do not use PGP encryption and so have no pgp key to provide.

If you have any further questions then please just reply to re-open the ticket.

Yours faithfully,

BolehVPN Support Team

Quote:

Originally Posted by Me

Hello,

I am very surprised that you do not use PGP/GPG (Pretty Good Privacy).

Your business claims to offer high levels of Privacy, Security, and in a way Anonymity, but when it comes to customer relationship it seems that none of those things really matter.

If a person wants to contact you through e-mail, he is left with no option but to have his whole message transmitted unsecurely. Although e-mail is unsecure by design, GPG is a popular free encryption tool used by many privacy conscious users - and companies - to increase security.

So, as you allow your customers to contact you through e-mail, why do you choose *not* to use GPG since your business is privacy and many of your customers may use GPG?

Also, I found your business through the article "VPN Services That Take Your Anonymity Seriously, 2013 Edition" (https://torrentfreak.com/vpn-service...dition-130302/), published by TorrentFreak.

I did a little research and of all the VPN services listed there, only four of them provide their GPG public key to their customers; they are: AirVPN, Ipredator, IVPN, and Mullvad. They are usually highly regarded as credible and efficient by users.

So I have some questions:

How is your service compared to those mentioned here?

Is your service in any way better than theirs?

Why should I choose your company over them?

Thanks.

Kind regards,

-----

Quote:

Originally Posted by BolehVPN

First of all our PGP Key is (and apologies for the delay in providing this) as this was not escalated to me.

We will definitely include our PGP key publicly soon.


You may continue the communication there

I believe our service has unique advantages compared to other providers:

a) Our company is under Malaysian jurisdiction, arguably better protected than let's say a US/UK/EU jurisdiction

b) As usual, we don't take logs as well and are not required by law to do so.

c) Our speed is pretty good (although of course your mileage may vary depending on which server you choose but you can see regular reviews of our service in terms of speed).

d) We offer access to our friends tracker at IPT for subscribers 30 days and above if you're a fan of P2P. We are not affiliated to them but do have a cordial relationship with them. However we do not share customer details with them.

e) We hope our personal service in answering your questions as thoroughly as possible will set us apart from other providers


BOXPN:

Quote:

Originally Posted by Me

Hello, please provide your PGP Key. Thanks.

Quote:

Originally Posted by BoxPN

Hello -----,

Thank you for the mail,

May I know to what device are you trying to set-up with?

Can you please clarify what you mean by PGP key?

Please rate my reply:

<LINK REMOVED>

Quote:

Originally Posted by Me

Hello,

I am very surprised that you do not use PGP/GPG (Pretty Good Privacy).

Your business claims to offer high levels of Privacy, Security, and in a way Anonymity, but when it comes to customer relationship it seems that none of those things really matter.

If a person wants to contact you through e-mail, he is left with no option but to have his whole message transmitted unsecurely. Although e-mail is unsecure by design, GPG is a popular free encryption tool used by many privacy conscious users - and companies - to increase security.

So, as you allow your customers to contact you through e-mail, why do you choose *not* to use GPG since your business is privacy and many of your customers may use GPG?

Also, I found your business through the article "VPN Services That Take Your Anonymity Seriously, 2013 Edition" (https://torrentfreak.com/vpn-service...dition-130302/), published by TorrentFreak.

I did a little research and of all the VPN services listed there, only four of them provide their GPG public key to their customers; they are: AirVPN, Ipredator, IVPN, and Mullvad. They are usually highly regarded as credible and efficient by users.

So I have some questions:

How is your service compared to those mentioned here?

Is your service in any way better than theirs?

Why should I choose your company over them?

Thanks.

Kind regards,

-----

Quote:

Originally Posted by BoxPN

Hello -----,

Thank you for the mail,

boxpn is not similar to other vpn services like strongvpn, hma etc.

They are all providing simple encrypted proxy with no security layers.

Boxpn is the only vpn service provider that provides corporate grade security with hardware base firewalls, threat management gateways, antimalware filters. Also we can encrypt your traffic with up to 2048bit which is only provided by boxpn.

Please rate my reply:

<LINK REMOVED>

Please don't hesitate to ask if you have any further questions or problems.

Best Regards,

----

Paul G.

Level 1 Support


EARTHVPN:

Quote:

Originally Posted by Me

Hello, please provide your PGP Key. Thanks.

Quote:

Originally Posted by EarthVPN

Hello,

Thank you for your interest. Unfortunately we do not use PGP.

Quote:

Originally Posted by Me

Hello,

I am very surprised that you do not use PGP/GPG (Pretty Good Privacy).

Your business claims to offer high levels of Privacy, Security, and in a way Anonymity, but when it comes to customer relationship it seems that none of those things really matter.

If a person wants to contact you through e-mail, he is left with no option but to have his whole message transmitted unsecurely. Although e-mail is unsecure by design, GPG is a popular free encryption tool used by many privacy conscious users - and companies - to increase security.

So, as you allow your customers to contact you through e-mail, why do you choose *not* to use GPG since your business is privacy and many of your customers may use GPG?

Also, I found your business through the article "VPN Services That Take Your Anonymity Seriously, 2013 Edition" (https://torrentfreak.com/vpn-service...dition-130302/), published by TorrentFreak.

I did a little research and of all the VPN services listed there, only four of them provide their GPG public key to their customers; they are: AirVPN, Ipredator, IVPN, and Mullvad. They are usually highly regarded as credible and efficient by users.

So I have some questions:

How is your service compared to those mentioned here?

Is your service in any way better than theirs?

Why should I choose your company over them?

Thanks.

Kind regards,

-----

Quote:

Originally Posted by EarthVPN

Hello -----,

Thank you for your interest in our services. If you have concern about email traffic you can use our https form below to contact us.

<LINK REMOVED>

We provide best price/performance ratio on the vpn market. You can visit below link for the features which differentiates us.

<LINK REMOVED>

Best Regards,

EarthVPN Ltd.

IVPN:

Quote:

Originally Posted by Me

Hello, please provide your PGP Key. Thanks.

Quote:

Originally Posted by IVPN

Hi,

Please send PGP encrypted emails to admin@ivpn.net using the attached certificate.

Kind regards,

Chris

Technical Support

NORDVPN:

Quote:

Originally Posted by Me

Hello, please provide your PGP Key. Thanks.

Quote:

Originally Posted by NordVPN

Dear -----,

Please let me know what PGP key are you requesting for?

Best regards,

Marty K.

NordVPN.com

Quote:

Originally Posted by Me

Hello,

I am very surprised that you do not use PGP/GPG (Pretty Good Privacy).

Your business claims to offer high levels of Privacy, Security, and in a way Anonymity, but when it comes to customer relationship it seems that none of those things really matter.

If a person wants to contact you through e-mail, he is left with no option but to have his whole message transmitted unsecurely. Although e-mail is unsecure by design, GPG is a popular free encryption tool used by many privacy conscious users - and companies - to increase security.

So, as you allow your customers to contact you through e-mail, why do you choose *not* to use GPG since your business is privacy and many of your customers may use GPG?

Also, I found your business through the article "VPN Services That Take Your Anonymity Seriously, 2013 Edition" (https://torrentfreak.com/vpn-service...dition-130302/), published by TorrentFreak.

I did a little research and of all the VPN services listed there, only four of them provide their GPG public key to their customers; they are: AirVPN, Ipredator, IVPN, and Mullvad. They are usually highly regarded as credible and efficient by users.

So I have some questions:

How is your service compared to those mentioned here?

Is your service in any way better than theirs?

Why should I choose your company over them?

Thanks.

Kind regards,

-----

Quote:

Originally Posted by NordVPN

(They did not respond.)

PRIVATE INTERNET ACCESS:

Quote:

Originally Posted by Me

Hello, please provide your PGP Key. Thanks.

Quote:

Originally Posted by Private Internet Access

Hi -----,

Thanks for contacting us. Where are you being asked for this information? None of our set-ups use this setting. Please let me know and I will look into this further.

Thanks,

Calien M, Level 1 Tech Support

Private Internet Access™

Quote:

Originally Posted by Me

Hello,

I am very surprised that you do not use PGP/GPG (Pretty Good Privacy).

Your business claims to offer high levels of Privacy, Security, and in a way Anonymity, but when it comes to customer relationship it seems that none of those things really matter.

If a person wants to contact you through e-mail, he is left with no option but to have his whole message transmitted unsecurely. Although e-mail is unsecure by design, GPG is a popular free encryption tool used by many privacy conscious users - and companies - to increase security.

So, as you allow your customers to contact you through e-mail, why do you choose *not* to use GPG since your business is privacy and many of your customers may use GPG?

Also, I found your business through the article "VPN Services That Take Your Anonymity Seriously, 2013 Edition" (https://torrentfreak.com/vpn-service...dition-130302/), published by TorrentFreak.

I did a little research and of all the VPN services listed there, only four of them provide their GPG public key to their customers; they are: AirVPN, Ipredator, IVPN, and Mullvad. They are usually highly regarded as credible and efficient by users.

So I have some questions:

How is your service compared to those mentioned here?

Is your service in any way better than theirs?

Why should I choose your company over them?

Thanks.

Kind regards,

-----

Quote:

Originally Posted by Private Internet Access

Hi -----,

Thanks for contacting us. There are several steps we take to ensure the privacy of our users via email. First of all, we never request or send sensitive information via email. Secondly, all of our emails are SSL encrypted, to ensure that the email is not snagged in transit. We also do not keep logs of any activity on our network, to ensure there is no way to find out who was doing what when connected to the VPN, unlike Ipredator and IVPN, which both admit to keeping logs for "debugging" purposes. The fact of the matter is, if the information exists, even for debugging, it can be subpoenaed and seized by a court, and used to prosecute the customers of that service. It is for this exact reason that we keep NO LOGS WHATSOEVER. Privacy is our number one goal with our service.

You may also want to check out these posts in our blog:

https://www.privateinternetaccess.co...2013/06/prism/

https://www.privateinternetaccess.co...on-encryption/

They address recent hot topics in the privacy world, like what would we do when faced with a situation like Lavabit, or what we are doing to ensure the NSA has no ability to invade our customer's privacy. Please let me know if there are further questions.

Thanks,

Calien M, Level 1 Tech Support

Private Internet Access™

PRIVATVPN:

Quote:

Originally Posted by Me

Hello, please provide your PGP Key.

Quote:

Originally Posted by PrivatVPN

Hi,

For what? We only provide a certificate, ca.crt

Quote:

Originally Posted by Me

Hello,

I am very surprised that you do not use PGP/GPG (Pretty Good Privacy).

Your business claims to offer high levels of Privacy, Security, and in a way Anonymity, but when it comes to customer relationship it seems that none of those things really matter.

If a person wants to contact you through e-mail, he is left with no option but to have his whole message transmitted unsecurely. Although e-mail is unsecure by design, GPG is a popular free encryption tool used by many privacy conscious users - and companies - to increase security.

So, as you allow your customers to contact you through e-mail, why do you choose *not* to use GPG since your business is privacy and many of your customers may use GPG?

Also, I found your business through the article "VPN Services That Take Your Anonymity Seriously, 2013 Edition" (https://torrentfreak.com/vpn-service...dition-130302/), published by TorrentFreak.

I did a little research and of all the VPN services listed there, only four of them provide their GPG public key to their customers; they are: AirVPN, Ipredator, IVPN, and Mullvad. They are usually highly regarded as credible and efficient by users.

So I have some questions:

How is your service compared to those mentioned here?

Is your service in any way better than theirs?

Why should I choose your company over them?

Thanks.

Kind regards,

-----

Quote:

Originally Posted by PrivatVPN

Hi,

First of all, we do provide a secure VPN service not a secure email. I don't really understand why our VPN security should be less secure because we don't encrypt emails. We never have personal details in our emails. Nothing to reveal in emails to us.

I have never used the services you mention, but what I can see is that we have more servers on different countries. What we're working hard on are high quality service, such as IP-transit. We buy our service from Internet providers, and not like other VPN service do, they rent servers from a small hosting company with shared internet connection. Take Mullvad and AirVPN, they only rent servers from low profile companies. They rent a server with 1 gbit for 150€. We pay 1200 - 1500€ for every 1 Gbit, quality capacity and still we have better price. We also have servers like that, but we're working on exchanging that.

We also gonna allow 4 logins simultaneously.

PROXY.SH:

Quote:

Originally Posted by Me

Hello, please provide your PGP Key. Thanks.

Quote:

Originally Posted by Proxy.SH

Hello,

Please let us know the department you wish to talk to. We will provide PGP accordingly.

Kind regards,

Gena

Quote:

Originally Posted by Me

Hello,

I would like to talk to the customer care department.

Also, I found your business through the article "VPN Services That Take Your Anonymity Seriously, 2013 Edition" (https://torrentfreak.com/vpn-service...dition-130302/), published by TorrentFreak.

I did a little research and of all the VPN services listed there, only four of them provide their GPG public key to their customers; they are: AirVPN, Ipredator, IVPN, and Mullvad. They are usually highly regarded as credible and efficient by users.

So I have some questions:

How is your service compared to those mentioned here?

Is your service in any way better than theirs?

Why should I choose your company over them?

If you do have a PGP/GPG public key, then why don't you provide it in your website?

Thanks.

Kind regards,

-----

Quote:

Originally Posted by Proxy.SH

Hello,

Thanks for your inquiry.

Regarding the PGP key, we do not publish them to public to avoid them being compromised by unknown decryption methods. Moreover, we generate a unique key for specific cases. This provides even more security than having a public key used for all sorts of communication - we believe it defeats a bit the purpose of having a messaging encryption capacity.

Now, regarding the difference we have compared to the suppliers you quoted, I would tend to believe these consist of:

1) We offer more diverse payment methods (95+) than any other supplier.

2) All our services are run from RAM and they do not log anything.

3) Our network is huge, with more than 30 countries and over 200 nodes for the $10 package.

4) We have a Windows/Mac/Linux/Android OpenVPN client that we hand crafted with love.

5) Our security team is made up of two researchers in encryption. Other providers do not obviously have academia among their ranks.

6) We are not from Sweden, or EU, or worse, United States. We are from Seychelles and our staff is working remotely from the 4 corners of the planet. This makes our structure more resilient to third party assaults.

Voila, that's pretty much about it. Should you have any further question, please do not hesitate.

Kind regards,

Gena

VIKINGVPN:

Quote:

Originally Posted by Me

Hello, do you use PGP (Pretty Good Privacy) for e-mail encryption? Could you provide your PGP Public Key? Thank you.

Quote:

Originally Posted by VikingVPN

We do not consider email to be a safe or secure form of communication.

Our security model works around the idea that anything sent via email is not secure.

Therefore we do not use PGP.

Quote:

Originally Posted by Me

Hello,

I am very surprised that you do not use PGP/GPG (Pretty Good Privacy).

Your business claims to offer high levels of Privacy, Security, and in a way Anonymity, but when it comes to customer relationship it seems that none of those things really matter.

If a person wants to contact you through e-mail, he is left with no option but to have his whole message transmitted unsecurely. Although e-mail is unsecure by design, GPG is a popular free encryption tool used by many privacy conscious users - and companies - to increase security.

So, as you allow your customers to contact you through e-mail, why do you choose *not* to use GPG since your business is privacy and many of your customers may use GPG?

Also, I found your business through the article "VPN Services That Take Your Anonymity Seriously, 2013 Edition" (https://torrentfreak.com/vpn-service...dition-130302/), published by TorrentFreak.

I did a little research and of all the VPN services listed there, only four of them provide their GPG public key to their customers; they are: AirVPN, Ipredator, IVPN, and Mullvad. They are usually highly regarded as credible and efficient by users.

So I have some questions:

How is your service compared to those mentioned here?

Is your service in any way better than theirs?

Why should I choose your company over them?

Thanks.

Kind regards,

-----

Quote:

Originally Posted by VikingVPN

Hi -----!

Sorry about your concern over email security. There are multiple reasons that we do not use PGP email. Mainly that we do not consider email secure, as we have said before. Another big reason is it is customer policy not to personally identify any users on our service. It is especially important in email because all email in many countries is intercepted, including if the email just transits across one of those nations en route to its destination. If there is no identifiable customer data in the email, then the company has no liability to release information to governments, and the user is in no danger of being identified. A unique PGP signature can be tied to a person/computer.

That being said, you are not the first person to come to us with concerns that we do not encrypt our email. It is not technically difficult for us to implement, but we are hesitant to do so because if people feel their emails are "bulletproof" they will reveal identities or illegal activity they are doing, putting liability on the company. We will likely be reconsidering the issue over the next week.

I don't like to plug our own VPN services over others, but here are our advantages:

Strong network security, administrated by certified and experienced personnel.

Our VPN service does not use Windows operating systems, both for security and clandestine reasons.

We do not use any closed-source software server-side, and we do not use a closed-source client.

We do not use any closed-source encryption ciphers. (No PPTP, No IPsec, No SSTP)

We stay on top of standards and actively defend against problems as they arise. (We avoid NIST P_521 certified elliptic curves due to NSA tampering, we updated OpenSSL to 1.0.1e on the day of release, etc)

We use strong encryption settings for the VPN network. The default is 4096-bit RSA and AES-256-CBC (on OpenSSL 1.0.1e to counter the BEAST vulnerability) and our settings can NOT be lowered.

We only use Tier-1 network providers and have a very fast network with 12 redundant carriers, preventing outages, combined with a policy that allocates minimum amounts of bandwidth to each user. In other words, our service is fast and it doesn't go down (with the exception of a rare server update).

We don't log anything. We have a policy of keeping no connection data at all unless we are under DDoS attack and need to update firewalls. That data is stored in memory and permanently destroyed in an unrecoverable fashion on restart.

Speed, Privacy, and Security are our main concerns at VikingVPN.

If you would like to know more information, just ask! We are pretty open about our cryptology and security, although we do keep some secrets about our intrusion detection systems and killswitches.

** CONCLUSION **

As you can see, most VPNs listed here don't use PGP/GPG encryption, either because they don't know how to use it or because they don't care about their customers, which is evident in their responses.

I believe you should NEVER trust in any service that claims to offer privacy, security and anonymity, but does not provide SSL/TLS certificate enabled by default in their pages, and their PGP/GPG public key to contact them.

So here is a brief comment about the services that provide their GPG key:

AirVPN: They are usually well reviewed by users, but they are incorporated in Italy, which may be subjected to EU Data Retention Laws. Beware.

BolehVPN: The least recommended. They did not have a GPG key available when I first requested it; their website does not have SSL/TLS enabled by default, and it does not work when I try "https" manually.

Ipredator: It is from The Pirate Bay guys, so they know very well what they are doing and they have a strong reputation for security. They could only be a little clearer regarding their privacy policy since they log "only for debugging purposes".

IVPN: They are an EFF member, based in Malta, and the only one that has an EV SSL certificate (the green address bar). They also have the most detailed and complete website, and they go as far as analyzing other VPNs' privacy policies. Highly recommended.

Mullvad: It is the only one that accepts cash sent by regular mail as payment, which is the most anonymous payment method ever. Highly recommended.

I hope you have enjoyed it! Please leave your comments. Thanks! ;)
