VP.net Promises "Cryptographically Verifiable Privacy"

TorrentFreak spotlights VP.net, a brand-new service from Private Internet Access founder Andrew Lee (the guy who gifted Linux Journal to Slashdot) that eliminates the classic "just trust your VPN" problem by locking identity-mapping and traffic-handling inside Intel SGX enclaves. The company promises 'cryptographically verifiable privacy' by using special hardware 'safes' (Intel SGX), so even the provider can't track what its users are up to.

The design goal is that no one, not even the VPN company, can link "User X" to "Website Y."

Lee frames it as enabling agency over one's privacy:

"Our zero trust solution does not require you to trust us - and that's how it should be. Your privacy should be up to your choice - not up to some random VPN provider in some random foreign country."
The team behind VP.net includes CEO Matt Kim as well as arguably the first Bitcoin veterans Roger Ver and Mark Karpeles.

Ask Slashdot: Now that there's a VPN where you don't have to "just trust the provider" - arguably the first real zero-trust VPN - are trust based VPNs obsolete?

Does web site Y know?

[awwshit]

If web site Y knows that you are user X then no amount of encryption helped you. The network may not know but the site does.

Re:

[garyisabusyguy]

Cookies provide no security, and the 'sandbox' is broken when single entity owns multiple websites and can infer identify

Re:

[Coookie Monster]

Cookies provide no security

That not true!!! Me hug security cookie right now!!! Then I eat security cookie!!! SO MUCH SECURITY! OM NOM NOM NOM...

Re:Does web site Y know?

[Mondragon]

I fail to see your point here. The question here isn't whether you are a smart user of VPNs and browsers in general, it's whether your VPN provider is likely to undo your efforts. The "promise" here is that they won't make your situation worse, not that they are magical.

Re:

[garyisabusyguy]

I think that there is a point to be made that using a perfectly secure vpn provider is simply a fig leaf, that allows the user feel secure, while failing to address a multiplicity of vulnerabilities that exist in core technologies we use.

To disabuse Neal Stephenson, it is like having a picket fence in your front yard with one picket (he was talking about PGP) ten miles high and expecting that to keep people off of your lawn [slashdot.org]

Where is my InDUHvidual defence-in-depth provider that can DELIVER a sane and practic

Re: Does web site Y know?

[Big Hairy Gorilla]

I like rings or moats as a metaphor that can barely relate to then in steps from encrypted DNS lookup as a huge step up in privacy from your telecom provider or the big A and big G... your cloud provider could go to an open source private self hosted like nextcloud. Next is the hardware . I'd go with Google and install whatchama OS graphene OS ... or degoogle ... so you could go in steps .

Re:

[rsilvergun]

Presumably the idea is that website y knows that VPN provider x is using it.

From there it's an opsec problem. Most of the time though hackers don't get found out by incredibly complex shit they get found out because they accidentally post their email address onto a forum and it traces back to them.

Stuff like this is mildly useful for peace of mind if you're doing something dodgy online and possibly very useful to foreign intelligence agencies that have really good opsec.

But society-wide it's not

Re:Does web site Y know?

[garyisabusyguy]

I am less concerned about the impending hell-scape, then I am the current situation where all of the tracking enabled apps data have fallen into the hands of "data brokers", who now can show amusing things like individuals taking trips to Epstein Island [youtube.com], or the inevitable attempt to use travel patterns to charge Abrego Garcia with human trafficking charges [reuters.com]

People need to WAKE THE FUCK UP, and realize what is being done to them, and even a 'perfectly secure vpn provider' could be forced by courts, or corporate merger to give logs over to groups who can analyze them and drive court cases against anybody they want destroyed

Of course, nobody seemed to get upset about the National Enquirer's safe of blackmail material [npr.org](or who it may have ended up with), so I woefully expect everybody to continue to remain steadfastly oblivious

So if you didn't have the hellscape

[rsilvergun]

You wouldn't have people being charged with human trafficking just based on random travel patterns because you wouldn't have a fascist government looking for reasons to charge people with crimes they didn't commit.

You're putting the cart before the horse. The problem is once you have a fascist government all the individual security and privacy in the world won't save you. If all else fails they will just come down on you like a ton of bricks with simple violence.

And by yourself you can't stop fascis

Re:

[garyisabusyguy]

I am pretty sure you are a sperged as I am, so I will not follow the path of argument, but I ask you to consider that corporate data brokers have this data right now, and... no need to wait for a fascist government to see the results, the horse is already out of the barn and arguing about cart placement is not helping me

I am convinced that defence in depth is a workable solution, I just was one that an inDUHvidual can make use of without a team of infosec's on call

Legal ID requirement with VPNS incomming

[Bill, Shooter of Bul]

Given the state of the laws on Technology, we should see that come to pass where Anonymity is legally banned. While other smaller companies may be able to set up shop, or you can deploy your own VPN somehow without tracing it to yourself, any public for profits will have to comply with the law. So this is a neat tech implementation that may not end up mattering much in the near future.

Re:

[Mondragon]

Many (but not all, for sure) of these requirements are for age, not full ID, and age can be verified without eliminating anonymity under some of the legal schemes.

Re:

[Big Hairy Gorilla]

It looks like a trend. Even in Europe, which has a modicum of an attempt to address some of the worst aspects of digital media, the Law Enforcement people are always trying (happened in the last year) get a master key to your encrypted messages. This pattern repeats every so often, privacy wants encryption, Law wants a key to your private stuff. 1990's Clipper chip, remember?
So Europe's approach isn't terrible. If your company has 50M monthly users or 15+% of the market, iirc, then new reporting requirement

No liability, no privacy

[Mondragon]

Unless you give me a user contract that lets me sue you for failing to deliver the promised privacy, it's still useless.

This is just stupid

[Artem S. Tashkinov]

Regardless of whether your VPN provider offers true privacy, you can still be tracked [browserleaks.com].

Here's what every website you visit sees about you with a common web browser::

• User-agent
• Time zone
• GPU ID
• Screen resolution
• Locale

And a gazillion of other things that uniquely [amiunique.org] identify you.

Of course you can disable JavaScript or use something like Tor Browser but by doing so, you'll again become unique. There's no real privacy on the Internet. This game has long been lost.

Even your browsing patterns, such as how many pages you open per hour, can be used to identify you among other users.

VPN nowadays is good for evading Internet restrictions imposed by your ISP, country, or businesses. That's about it. It's not about privacy.

Re:

[rsilvergun]

So what you describing is called a browser fingerprint and there are plenty of ways to prevent it.

On the other hand like I mentioned on another comment that only applies if you are fairly technical and while that might protect you it's not going to protect the vast majority of people who simply do not have the skills.

And if it's one thing the last 6 months has taught me it's that the rest of the world will drag you down with it. Freedom isn't something that can be protected with individual action. I

Re:

[Big Hairy Gorilla]

Well put. Server side telemetry has become very powerful and nobody really knows that it's in use.
The more parameters you measure the less unique you can be. At this point, as you point out, pretty much no one can evade this.
One thing a VPN offers though, is protection from your own service providers. By only using encrypted DNS lookups, you are depriving your telecomm company of reading your deepest thoughts via your search terms and sites visited.

The name sounds familiar...

[devslash0]

Isn't it the same company who was found to be manipulating your traffic and selling your browsing history to advertisers?

https://www.reddit.com/r/VPN/c... [reddit.com]

Re: The name sounds familiar...

[PoopMelon]

It's different company

Cryptographically verifyable, but not practically

[djshaffer]

Unless you audit their data center and software you don't know if they have actually purchased and are using this hardware.

Re: Cryptographically verifyable, but not practica

[Big Hairy Gorilla]

They are light in their concept of "verifiable". I'm guessing but this sounds like a valid use case for cloud providers. It comes down to your trust of the hardware. A custom kernel is probably an easier way to sniff RAM .. relatively speaking ... but I read everything and the issue of verification is very glossy. I didnt find anything that went past "claims".

Nice ad.

[Rendus]

At least they're somewhat transparent about the bias.

So uhhh

[paul_engr]

What about the neighbor on the party line standing directly next to that sgx enclave running on that cpu? Nome of this prevents eavesdropping outside of the server

Trust the code

[manu0601]

One still has to trust the code to actually implement what is advertised. And to be bug-free, too.

Intel SGX is deprecated

[tlhIngan]

I don't know about you, but Intel SGX is deprecated/no longer exists. It only exists in Generation 8-12 CPUs, but Generation 11 and 12 CPUs received a microcode update that disabled it because of the problems it had.

And for anyone wondering, no, it was not AMD compatible. AMD has their own protection system based on ARM TrustZone technology. (And it has nothing to do with Intel ME or the AMD equivalent).

SGX was used by the UHD Blu-Ray folks, so it also means you cannot play discs on any PC now, making UHD B

Difference between this and keeping data in memory

[protopatterns]

What's the difference between this and expressvpn, which (supposedly) only keeps your all data --- including your IP --- in ephemeral memory? I see that as much less risky than keeping everything in 'hardware safes', even if they're encrypted: it is still a persistent form of memory. What I'm asking: is this really better? (honest question, trusting the company aside)

Dare I say "tailscale" ?

[davecb]

https://tailscale.com/kb/1123/... [tailscale.com]

Hah. Hahah. AHAHAHAHAHAHA

[Subsentient]

Right, as if just because the VPN claims it's cryptographically verified means that there's no side channels, infections, tracking cookies, malicious JS, or any other number of obvious causes of doxxing. You have no privacy. Let me be very clear. There is no place on Earth that is totally private, and no information on Earth that is totally secure. By all means, go ahead, protect yourself as best you can. Just remember, that at the end of the day, you will fail.

Re:

[bleedingobvious]

Additionally, when you're connecting your device *directly* to an external network over which you have zero control - you're exposed. In every way.

This delusional belief that VPN==security has always been a bit of a joke. Unless you built, configured and managed both ends of the pipe this has never been true.

Worse yet, it's a *great* way to unintentionally expose networks to infiltration and malware.

Ver and Karpeles?

[carnivore302]

Them being involved, I would keep it quiet if I wanted to raise any money. MtGox ring any bells?