I went to Helsinki a couple of years ago. I was there running a security workshop for a local company and whilst in town, I caught up with Mikko Hypponen:
Now Mikko is a very interesting bloke having been around in the security industry since just about forever so he's seen a few things. There's a great TED talk where he talks about the first PC virus and actually travels to Pakistan to track down the guys who wrote it. He's also the Chief Research Officer at F-Secure who make the Freedome VPN, a tool I've used for some years now and it brings me to the point of this post.
I'm having a chat to Mikko and he's talking about Freedome and the importance of trust when he comes out with a really interesting comment:
You know what's great about Finland? We're the least corrupt country in the world!
So I looked it up and he's right! Either Finland or Denmark depending on whose stats you read but there it is, right up the pointy end of the list. And this is actually really, really important when it comes to a VPN because not only do you need to trust the company running the service, you need to trust the jurisdiction they're running in too because to some extent, you're beholden to their local laws.
VPN providers control your traffic. They can inspect it, modify it, log it and have a very good idea of what it is you're up to. And just before you say "ah, but much of my traffic is now HTTPS", as I wrote earlier this week, the negotiation phase of the connection is still observable so the VPN provider knows the site you're connecting to. Even upstream of that, DNS queries can be watched so per that article, there's a hell of a lot anyone inspecting your traffic can glean even on encrypted connections. Whoever can see your traffic - be that your local ISP or the VPN provider you decide to use - has an enormous responsibility and you're placing a huge amount of trust in them.
Which brings me to MySafeVPN. I first heard of these guys when they sent me spam a few days ago:
Which lead through to the MySafeVPN.com website:
Now any reasonable person would read that email and conclude that it's intended to represent an offering from Plex because, well, it literally says "Plex reveals...". And thus begins an absolute train wreck of communications as they attempt to explain themselves:
The basic premise (as it's repeated over and over again), is that there are Plex developers working for MySafeVPN and therefore this is not spam and putting Plex's name on it is cool. Of course, neither of these things are correct and Plex themselves are clearly unhappy about the whole thing:
So how do you explain the emails? Well Plex had a data breach back in 2015 and a few hundred thousand email addresses (including mine) were released out into the wild. It's not just them, Boxee lost data in 2014 and they too have been misrepresented by MySafeVPN:
In the Plex case, their data breach was as a result of a vulnerability in the IP.Board forum software they were running, a threat which miraculously, MySafeVPN believes their product can protect users from:
But let's move past the Plex connection for a moment and look at how the service is presented, keeping in mind of course the importance of integrity and trustworthiness in a service such as this. We'll start with attempting to order the product from the website at mysafevpn.com:
Not a good first impression for a company providing a cryptographic service! You'll also notice we're now off on myvpnhub.com for reasons which aren't exactly clear. We could attempt to force a secure connection, but that just returns a certificate for flfixed.com (which is an empty site with a landing page):
The lack of cryptographic protection didn't go unnoticed by the increasingly large array of people chiming in on the discussion:
But as things unfolded, the responses from MySafeVPN became more and more nonsensical, at least for an organisation (or possibly even just one individual), that should understand some of the basic mechanics of how modern day SSL or TLS work:
Just recently I wrote about what a fantastic time it is for HTTPS and how the free availability of transport layer security from the likes of Let's Encrypt and Cloudflare are transforming adoption rates. And then Scott Helme got involved and helped clarify:
Now Scott is the last bloke you want to argue the merits of certificates with, he literally runs a training program called The Best TLS Training in the World. Yet this didn't stop them attempting to educate him:
And it all goes downhill from there in ways I don't particularly want to document blow-by-blow here, but you can always read through their timeline with replies if you're the type of person who likes watching a train wreck in slow motion.
The website itself is full of misleading at best or even outright false statements. For example, their certifications:
Which they explain away as follows:
Whilst neither VMware or Symantec are mentioned in the list on the site, having a product like a VPN certified is a very different story to having people working for you that have achieved certifications.
Then there's the support number:
I actually tried this yesterday and it went straight to a voicemail service which didn't surprise me in the least. I tried it again earlier today and it was the same story - straight to voicemail. I thought I'd give it one more shot and record it to make a point about it being an unmanned phone, but then, well just listen:
Well that was weird, not exactly what you'd expect from a trustworthy VPN service!
Speaking of getting in touch, they're apparently headquartered in Ontario:
Which you can find on Google Maps and check out using Street View, it's the one with the red seats out front:
And in case that looks like an odd place for a VPN provider to be HQ'd, that's because it's a Vietnamese restaurant:
Apparently the Pho Ga is good but what that has to do with a VPN service is beyond me. Look, maybe it's a guy running it out of his bedroom above the restaurant, I don't know, but the point is that combined with the weird greeting on the support number and other oddities observed earlier, clearly the whole thing is very fishy.
Others have also classified the service as untrustworthy:
And even as I attempted to take screen caps of the site, it was going in and out of suspended mode:
At first, I thought this was the inevitable conclusion of the thing - the hosting provider had pulled the pin - but it did indeed come back to life and remains up at the time of writing.
Whilst looking into MySafeVPN, I was contacted over DM by the account. I won't relay what they said because that was a discussion between the two of us, but I did strongly suggest they stop tweeting, get their shop in order, then come back and explain themselves properly once they've done that. That was after a bit of dialogue back and forth of fairly predictable nature and I didn't hear back from them after that. Clearly the advice wasn't heeded and the engagement via Twitter continued, culminating in racial abuse of a young guy in London who'd joined the discussion:
@Aan_ath @Scott_Helme @MySafeVPNcom @tony_sutton @plex @troyhunt This, my friends, is how @MySafeVPNcom handles their opposition on Twitter. Great way to show maturity of handling a security company. pic.twitter.com/zpJVvzJD4p— Kelvin Zhang (@KelvZhan) April 5, 2017
Obviously this is all the personification of dodginess. There's been a lot of people chiming in on the topic both via Twitter and over on Reddit where MySafeVPN's behaviour was very eloquently described:
Many people were speculating that this was merely a scam and indeed Motherboard wrote a piece this week about it being a phony service. In that article, they did actually manage to talk to someone on the number I tried and subsequently had a call that culminated in name-calling of the reporter:
This scammer actually called @nicholasadeleon on the phone and called him a nerd— Motherboard (@motherboard) April 4, 2017
Yet just as I was wrapping up this post, I noticed that they had indeed managed to get a valid certificate on the host name doing the payment processing:
It's newly registered and per the earlier thread where they demonstrated a complete misunderstanding of the value of certs, it was indeed issued by Comodo. They've paid money for this and that shows a commitment to the service. Of course nobody in their right mind should actually pay them anything, but if it's just a scam then it's one they're actually investing in. But then - just to erode any good will that actually securing the billing system may have created, they come out with this:
We all remember the billing page from the earlier screen grab, right?
Countering the thinking of "maybe - just maybe - it's not a scam and they're just incompetent instead", I get this just before posting the story:
Now you can try going to myvpnhouse.com but you'll then find yourself at... mysafevpn.com! The spam seems to be directing people to multiple different host names and again, when we come back to trust and integrity, this looks anything but legit. And it goes on. And on.
To wrap up, let's move past these guys and back to the original premise on the trustworthiness of VPNs. You need to know who you're trusting your data with. You need to have confidence that they'll handle it responsibly. You want a proven track record and identifiable individuals who'll back the service. Increasingly, you also want them running in a jurisdiction that values privacy and that means the UK with their Snoopers' Charter is out, the US with ISPs now able to sell your browsing habits is also out and even Australia that's mandated the collection of browsing meta data is out. Canada (where MySafeVPN is allegedly based) forms another leg of the Five Eyes intelligence alliance and frankly, that quintet doesn't have a real good track record when it comes to respecting privacy. People often ask me what I think of [insert other VPN service here] and there's a simple answer - I have no idea. I made my decision based on trust more than anything else and I simply don't have it to that same level with any other provider.
You can get into Freedome for €4.16/m (less than half the price of MySafeVPN) and in case you're wondering, no, I'm not in any way incentivised to recommend their service and have bought my own licenses at full retail price for years.
Edit: About 12 hours after posting, it looks like they've now been taken offline: