Tunnelbear VPN Service security audit

I recommend using a VPN service for your mobile devices when you are not in your own home or office. This includes anything that connects via WiFi. The reason for this is that when you connect to a WiFi access point, you are depending on that router to provide you with a secure and correct connection. You assume that no one is intercepting communications between you and the router or between the router and the Internet. You assume that when you request access to a bank or other website, you get that website and not a fraudulent impostor site. But we know that hackers intercept and corrupt restaurant, hotel, and office routers.

VPN services protect against these problems by providing you with a secure and authenticated connection to their servers, from which they then pass you on out to the Internet. However, when you buy a service, you are forced to trust the service provider. Many of them are not trustworthy. Recently, the Centre for Democracy and Technology, working with Carnegie Mellon University, carefully examined Hotspot Shield, a very popular VPN service with over 500 million users. That free VPN service promised both top security and privacy but in fact provided no security and sold your private information. They filed a complaint against Hotspot VPN with the FTC.

A recent study of 283 VPN service apps for Android found:
  • 18% didn't even encrypt the traffic!
  • 75% of those that listed enhanced privacy as a benefit used third-party tracking tools to monitor customers' activity.

For many years I've been recommending Tunnelbear and am happy to announce that they are proving themselves. For the first time I know of, a VPN service company has paid for outside auditors to come into the facility, view their code, examine their procedures, and penetration test their service. The deal was to do the security audit, report the results, give Tunnelbear 4 months to fix any problems, and then come back and re-examine them.

The results are available here, and they've written a blog post about it here. In summary, the auditors checked Windows, Android, Mac, and iOS as well as a Chrome extension and internal procedures. They found 3 critical and 3 high-risk issues and some small ones. All 3 critical issues were patched, and 2 of the 3 high-risk ones were patched by the follow-up audit. The high-risk issue that was not addressed was "overly generous permissions" for staff with direct access to their servers. I'm guessing that Tunnelbear didn't agree with that risk assessment. Tunnelbear intends to make this an annual procedure.

Doing this and making it available sets Tunnelbear apart from every other VPN service I know of. For those of you not already using it, the full version costs $60/yr. for up to 5 devices. For those who only need occasional access, they offer a free service for up to 500MB per month. This is sufficient for occasional access at restaurants.

Further Reading

Date: September 2017

This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.