Encrypt.team Admin Frequently Asked Questions

Written By Marissa Fegan (Super Administrator)

Updated at December 10th, 2020

Here is a list of frequently asked questions for VIPRE Encrypt.team. Click the desired question below to see your answer.


Does VIPRE use multiple cloud providers?

Yes. Using multiple providers allows us to have a higher percentage of uptime, which helps to ensure we're available when you need us.

 

Does VIPRE keep logs?

We do keep minimal logs for the last two weeks of activity to help resolve reports of abuse. This includes:

  • A log of outbound source ports for each flow, along with the virtual IP, on the VPN servers
    • None of this information directly identifies a user
  • A record of VPN sessions on the web database both for Support purposes and identifying the targets of abuse complaints

The data is split into two slices - one in the website database, the other on the VPN endpoints. Once the user disconnects, the endpoint forgets about the session and the two halves are physically separated. Individual complaints can be investigated by querying the two data stores separately.
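The two-step lookup described above, as an added example (not VIPRE's code). The record fields, the use of the virtual IP plus a time window to link the two slices, and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

RETENTION = timedelta(days=14)  # "the last two weeks of activity"

# Constructed sample data; every field name below is an assumption.
# Slice 1, VPN endpoint: outbound source port per flow plus the virtual IP.
ENDPOINT_FLOWS = [
    {"endpoint": "vpn-a", "ts": datetime(2020, 12, 8, 14, 3, 10), "src_port": 40112, "virtual_ip": "10.8.0.6"},
    {"endpoint": "vpn-a", "ts": datetime(2020, 12, 8, 14, 3, 12), "src_port": 40113, "virtual_ip": "10.8.0.9"},
    {"endpoint": "vpn-a", "ts": datetime(2020, 11, 1, 9, 0, 0), "src_port": 40112, "virtual_ip": "10.8.0.6"},
]
# Slice 2, website database: one record per VPN session.
WEB_SESSIONS = [
    {"account": "acct-1001", "endpoint": "vpn-a", "virtual_ip": "10.8.0.6",
     "start": datetime(2020, 12, 8, 13, 50), "end": datetime(2020, 12, 8, 15, 0)},
    {"account": "acct-2002", "endpoint": "vpn-a", "virtual_ip": "10.8.0.6",
     "start": datetime(2020, 12, 8, 16, 0), "end": datetime(2020, 12, 8, 17, 0)},
]

def query_endpoint(endpoint, src_port, when, now, slack=timedelta(seconds=5)):
    """Step 1: endpoint slice only. Returns virtual IPs, never an account."""
    return sorted({f["virtual_ip"] for f in ENDPOINT_FLOWS
                   if f["endpoint"] == endpoint and f["src_port"] == src_port
                   and abs(f["ts"] - when) <= slack
                   and now - f["ts"] <= RETENTION})

def query_web_db(endpoint, virtual_ip, when, now):
    """Step 2: website slice only. Needs the virtual IP found in step 1."""
    return [s["account"] for s in WEB_SESSIONS
            if s["endpoint"] == endpoint and s["virtual_ip"] == virtual_ip
            and s["start"] <= when <= s["end"]
            and now - s["end"] <= RETENTION]

def investigate(endpoint, src_port, when, now):
    """Resolve a complaint (endpoint, source port, time) to accounts."""
    accounts = []
    for vip in query_endpoint(endpoint, src_port, when, now):
        accounts += query_web_db(endpoint, vip, when, now)
    return accounts

if __name__ == "__main__":
    now = datetime(2020, 12, 10, 12, 0)
    print(investigate("vpn-a", 40112, datetime(2020, 12, 8, 14, 3, 11), now))
```

Because virtual IPs are reused across sessions, the second query only narrows to one account when the complaint's timestamp falls inside a session window, and anything older than the retention period resolves to nothing.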

How do you keep up with changes to encryption best practices?

Short term, we keep our website's cipher suite list up to date with best practices, take OpenSSL and OpenVPN updates for the client and servers as necessary, and react accordingly to things like Heartbleed. We're also following the impending SHA-1 deprecation and migrating relevant pieces up to SHA-256 over time.

We also pay attention to the latest research. 

  • Our website strictly uses elliptic curve Diffie-Hellman
  • Our OpenVPN endpoints for Encrypt.me for Mac use a custom-generated 2048-bit DH group
  • Our IPsec endpoints for Encrypt.me for iPhone and iPad use a standard 1536-bit (minimum) DH group.

Long term, the move away from CBC is one of the issues we're tracking. As far as block cipher modes go, we'll need to wait for the OpenVPN team to move forward on the Mac. As for IPsec, it's not imminent.

We also keep our eyes on AEAD and GCM modes, although it's somewhat academic at the moment. OpenVPN has two completely separate ciphers in play: the control cipher, which is just TLS, and the data cipher, which is specific to OpenVPN. You can see the available ciphers with openvpn --show-tls and openvpn --show-ciphers, respectively. As it happens, OpenVPN does support GCM modes for the control channel, since it's just using OpenSSL. The data-channel cipher list does not appear to include any GCM modes. (Written with OpenVPN version 2.3.6 on hand.)

 

What is your primary threat model?

Encrypt.team is primarily designed for use on untrusted networks, such as public hotspots. Originally, our target was anyone who might be eavesdropping or sidejacking on a public network. Now, we've shifted our focus a little to include untrusted network operators (tracking, ad injection, etc.).

 

Does VIPRE make any security promises?

In short, no. We do not claim to provide anonymity or protection from government agencies like the National Security Agency (NSA) or Government Communications Headquarters (GCHQ), for example. Users should not do anything while using Encrypt.team that they wouldn't do with their home Internet connection.