CactusVPN Review

Disclaimer: The below review is my opinion, which I will try to support with as many examples and as much evidence as possible.  Readers can learn more about how I conduct my reviews, my methodology, etc – here.  More information on review badges here.

This review’s roll was #19 (at the time of the roll, CactusVPN).

 

Last Updated Jul 21, 2016

CactusVPN, like another service I’ve recently reviewed, relies heavily on an “affiliate referral” aka “native advertising” marketing strategy.  I’ve talked about this subject at length in past posts and such, so I won’t go on too much about it here.  Some VPN and web service companies use this model in moderation – against their better judgment.  Others embrace it wholeheartedly.  CactusVPN appears to fall into the latter category – as one affiliate in particular has in the past stolen my work and posted it on their site.  When affiliates are allowed to run around unchecked like this, it tells a lot about the company that pays them.  Someone on the internet comes with a dissenting opinion of your business dealings?  Just steal their work, make fake websites to take their web traffic and troll forum posts to discredit them, it’s all good!

It strikes me as incredibly irresponsible when those they partner with are given free rein to steal copyrighted and trademarked work of others with no expectation or standard to live up to.  And as a side note:  I did contact CactusVPN at the time the aforementioned offense occurred.  They acknowledged that they would contact the third party regarding my complaint, but I never heard back, nor was the stolen material taken down.  Now that we’ve established this, to the review!

shady

 

Signing up for the service: The first thing CactusVPN asks you for is your full name.  A privacy no-no.  There’s a little note at the bottom of the sign up page that says, “Please, use your real IP address if it’s possible as we do not accept orders from Proxy or VPN IP.”  Just the fact that they even ask for that makes me cringe.  Is this, or is this NOT, a service that those concerned with privacy should consider?  Based on what’s mentioned above, I would say it is not.

exposed

 

Once more, and it’s a minor complaint, but it always seems like these companies rarely think out the customer experience.  After registration, I was greeted with a hodgepodge of 5+ welcome emails/receipts.  Just seems sloppy to me, and many services fall prey to this.

Configuring the service: Mercifully, the config files and the CA cert for OpenVPN manual connection are easily found on the user portal, and in no time I had them downloaded and set up.  The user portal provides a user name and password which are automatically generated.  The default password is quite short (8 characters) and contained no uppercase letters or special characters, which is a fairly weak scheme.  But all in all, everything was relatively easy to set up.

As we saw early on in my reviews, some companies forget to enable a certificate verification method in their server configs.  This was the case with CactusVPN as this message appeared in the logs:

“WARNING: No server certificate verification method has been enabled”.

Basically, this creates an attack vector in which the server can be spoofed by a third party because it’s not being verified with the proper certificate.  This is not a professional way to configure a VPN for security.
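The warning quoted above is printed by the OpenVPN client when the profile it loads enables none of the server-verification directives, so a provider's .ovpn files can be checked for it offline before connecting. The checker below is an added example, not part of the original review or of CactusVPN's files; the directive list, the hostname and both sample profiles are constructed for illustration.

```python
# Directives that let an OpenVPN client check that its peer is a server
# (list chosen for this example; tls-remote is the legacy form of
# verify-x509-name).
SERVER_CHECKS = {"remote-cert-tls", "remote-cert-eku", "ns-cert-type",
                 "verify-x509-name", "tls-verify", "tls-remote"}
# For these two, only the "server" argument checks the remote server.
NEEDS_SERVER_ARG = {"remote-cert-tls", "ns-cert-type"}


def parse_directives(profile_text):
    """Yield (name, args) per directive, skipping comments and inline <blocks>."""
    in_block = None
    for raw in profile_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if in_block:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]  # e.g. an embedded <ca> certificate
            continue
        name, *args = line.split()
        yield name.lstrip("-"), args


def server_verification(profile_text):
    """Return the server-verification directives the profile enables."""
    found = []
    for name, args in parse_directives(profile_text):
        arg_ok = name not in NEEDS_SERVER_ARG or args[:1] == ["server"]
        if name in SERVER_CHECKS and arg_ok:
            found.append(" ".join([name, *args]))
    return found


# Constructed sample profiles (hostname and certificate body are placeholders).
WEAK = """client
remote vpn.example.net 1194
cipher AES-128-CBC
<ca>
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
</ca>
"""
HARDENED = WEAK + "remote-cert-tls server\nverify-x509-name vpn.example.net name\n"

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "->", server_verification(text) or "no server verification")
```

An empty result for a profile means the client would accept any certificate that chains to the bundled CA, which is the condition the log warning reports.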

broken

 

Speed & Stability tests:  All tests performed at non-peak times using beta.speedtest.net (html5) or the speedtest.net app.  Connections used UDP; default encryption was AES-128.

 

Speed Tests – CactusVPN – Desktop

| Location | Trial | Latency | Download | Upload |
|---|---|---|---|---|
| No VPN | Trial 1 | 17 ms | 97.14 mbps | 11.99 mbps |
| | Trial 2 | 10 ms | 95.92 mbps | 12.32 mbps |
| | Trial 3 | 10 ms | 95.03 mbps | 12.37 mbps |
| | Average | 12 ms | 96.03 mbps | 12.23 mbps |
| Los Angeles | Trial 1 | 31 ms | 91.21 mbps | 11.09 mbps |
| | Trial 2 | 33 ms | 91.68 mbps | 11.70 mbps |
| | Trial 3 | 32 ms | 91.45 mbps | 11.13 mbps |
| | Average | 32 ms | 91.45 mbps | 11.31 mbps |
| | Comp to Bench | +20 ms | 95.23% | 92.48% |
| London | Trial 1 | 274 ms | 7.12 mbps | 4.67 mbps |
| | Trial 2 | 275 ms | 7.04 mbps | 3.13 mbps |
| | Trial 3 | 277 ms | 9.10 mbps | 4.52 mbps |
| | Average | 275 ms | 7.75 mbps | 4.11 mbps |
| | Comp to Bench | +263 ms | 8.07% | 33.59% |
| Bucharest | Trial 1 | 383 ms | 13.94 mbps | 3.83 mbps |
| | Trial 2 | 386 ms | 13.93 mbps | 1.90 mbps |
| | Trial 3 | 382 ms | 13.43 mbps | 0.00 mbps |
| | Average | 384 ms | 13.77 mbps | 1.91 mbps |
| | Comp to Bench | +371 ms | 14.34% | 15.62% |
| Amsterdam | Trial 1 | 295 ms | 18.07 mbps | 4.03 mbps |
| | Trial 2 | 292 ms | 18.12 mbps | 2.92 mbps |
| | Trial 3 | 291 ms | 18.21 mbps | 2.78 mbps |
| | Average | 293 ms | 18.13 mbps | 3.24 mbps |
| | Comp to Bench | +280 ms | 18.88% | 26.53% |

 

Speed Tests – CactusVPN – Mobile

| Location | Trial | Latency | Download | Upload |
|---|---|---|---|---|
| No VPN | Trial 1 | 26 ms | 74.74 mbps | 14.49 mbps |
| | Trial 2 | 11 ms | 74.76 mbps | 14.44 mbps |
| | Trial 3 | 11 ms | 74.90 mbps | 14.23 mbps |
| | Average | 16 ms | 74.80 mbps | 14.39 mbps |
| Los Angeles | Trial 1 | 35 ms | 23.01 mbps | 13.62 mbps |
| | Trial 2 | 35 ms | 21.21 mbps | 13.44 mbps |
| | Trial 3 | 36 ms | 32.45 mbps | 13.69 mbps |
| | Average | 35 ms | 25.56 mbps | 13.58 mbps |
| | Comp to Bench | +19 ms | 34.17% | 94.42% |
| London | Trial 1 | 277 ms | 2.69 mbps | 6.86 mbps |
| | Trial 2 | 276 ms | 3.83 mbps | 10.29 mbps |
| | Trial 3 | 274 ms | 3.94 mbps | 10.65 mbps |
| | Average | 276 ms | 3.49 mbps | 9.27 mbps |
| | Comp to Bench | +260 ms | 4.66% | 64.41% |
| Bucharest | Trial 1 | 382 ms | 2.30 mbps | 5.97 mbps |
| | Trial 2 | 388 ms | 3.09 mbps | 7.07 mbps |
| | Trial 3 | 407 ms | 2.65 mbps | 4.41 mbps |
| | Average | 392 ms | 2.68 mbps | 5.82 mbps |
| | Comp to Bench | +376 ms | 3.58% | 40.43% |
| Amsterdam | Trial 1 | 300 ms | 2.75 mbps | 8.21 mbps |
| | Trial 2 | 407 ms | 2.90 mbps | 10.26 mbps |
| | Trial 3 | 406 ms | 2.91 mbps | 5.54 mbps |
| | Average | 371 ms | 2.85 mbps | 8.00 mbps |
| | Comp to Bench | +355 ms | 3.81% | 55.63% |

 

AES-128 is faster than AES-256, but not as strong.  It’s considered okay for most uses, although it’s speculated that resourceful and determined government actors could break it if they wish.  Note that for Desktop – Bucharest – Trial 3 – the upload test failed, so the 0.00 mbps figure is intentional.  Domestic speeds were quite fast and international speeds were so-so.

 

Getting support: It seems like it’s become a little more common lately, but I’m a big fan of the low, medium, and high priority drop down selection on the support ticket form (assuming it gets used as it’s implied).  Opening a ticket was very easy and the interface was simple.  I asked a question about their logging policy as it related to bandwidth logging, which I don’t mention in the terms section, although they do have a no excessive bandwidth consumption policy.  They replied about a day and a half later telling me that they monitor (as opposed to log) to see which accounts are consuming “excessive” bandwidth in real time, which is fairly normal and necessary from a server admin standpoint.  I wanted to make sure first and foremost they weren’t contradicting themselves.

 

Getting a refund: I replied to my support request from above with a refund request and without too much hassle it was granted.

 

Concerns in Terms & Conditions / Privacy Policy:

Terms and conditions were a bit longer than I’d have liked, but just shy of what would have earned CactusVPN the “Obtuse” stamp of shame.

 

CactusVPN respects the fact that the Internet provides a forum for free and open discussion and dissemination of information. However, when there are competing interests at issue, CactusVPN reserves the right to take certain preventative or corrective actions. In order to protect these competing interests…

Remember last review, how I said I’d made an observation in many of these companies’ conditions pages?  The trend appears to be 1) Say you’re concerned with and highly respect your users’ privacy, then 2) Immediately contradict yourself with a statement about something you do that potentially abuses it.

 

CactusVPN software and proxy filtering are bonus services and you can not consider them as they are part of service you’ve paid for. We reserve the right to stop providing this bonuses whenever we consider it necessary.

“Bonus services”.  That’s a new one on me…

 

CactusVPN clients violate CactusVPN policy and the service agreement when the clients, their customers, affiliates, or subsidiaries engage in the following prohibited activities: Intellectual Property Violations

Client affiliates aren’t allowed to violate intellectual property – but CactusVPN’s affiliates are good to go!  Utter hypocrisy.

 

Background Running Programs.

Background Running Programs are prohibited?  So, no Email clients are to be used with this service?  No chat applications?  No Bitcoin wallets?  It’s unlikely this is what this really means, but this is how it reads to me and there is no further explanation given.

 

We may send personally identifiable information about You to third parties when: We respond to subpoenas, court orders or legal processes which require us to disclose Registration Data or any information about You to law enforcement or other government officials as CactusVPN, in its sole discretion, believes necessary or appropriate.

“Just a heads-up, we’re all ready to sell you out if someone comes a-knockin'”

 

Final thoughts: Ethics have become one of the biggest hot-buttons for me when looking at VPN services and I can spot a shady operation from a mile away.  CactusVPN’s affiliate program encourages third parties to act irresponsibly and seemingly without control or enforcement of any ethical standard – their lack of control over their reselling partners has affected me firsthand as mentioned in my disclaimer at the start and I’m intimately aware of the damage this kind of irresponsible lack of expectation brings.  The service’s configuration had some issues as well with the misconfiguration of the servers.  It’s confusing that CactusVPN, like many others, states they are serious about privacy when they require names, IP addresses, etc. on sign-up and not all of their terms and policies seem to reinforce this assertion.  The service itself performed decently, although without a properly configured server, I would be wary of trusting the connection with my privacy.  It isn’t the worst I’ve used, but CactusVPN achieves the bare minimum to qualify as “a functional VPN that someone could use”.

 

Update (7-21-2016): CactusVPN has reached out and informed me that the server certificate validation issue mentioned above (now with a strikethrough) has been fixed.  I have not personally confirmed this, however.

 

FROM THE VPN COMPARISON CHART

| Category | VPN Service | CactusVPN |
|---|---|---|
| JURISDICTION | Based In (Country) | Moldova |
| | Fourteen Eyes? | No |
| | Freedom Status | Partly Free |
| LOGGING | Logs Traffic | No |
| | Logs DNS Requests | No |
| | Logs Timestamps | No |
| | Logs Bandwidth | No |
| | Logs IP Address | No |
| ACTIVISM | Anonymous Payment Method | No |
| | Accepts Bitcoin | Yes |
| | PGP Key Available | No |
| | Meets PrivacyTools IO Criteria | No |
| LEAK PROTECTION | 1st Party DNS Servers | No |
| | IPv6 Supported / Blocked | No |
| | Offers OpenVPN | Yes |
| OBFUSCATION | Supports Multihop | |
| | Supports TCP Port 443 | |
| | Supports Obfsproxy | |
| | Supports SOCKS | |
| | Supports SSL Tunnel | |
| | Supports SSH Tunnel | |
| | Other Proprietary Protocols | |
| PORT BLOCKING | Auth SMTP | No |
| | P2P | Some |
| SPEEDS | US Server Average % | 95.23 |
| | Int’l Server Average % | 13.76 |
| SERVERS | Dedicated or Virtual | |
| SECURITY | Default Data Encryption | AES-128 |
| | Strongest Data Encryption | AES-256 |
| | Weakest Handshake Encryption | RSA-2048 |
| | Strongest Handshake Encryption | RSA-4096 |
| AVAILABILITY | # of Connections | 3 |
| | # of Countries | 4 |
| | # of Servers | 16 |
| | Linux Support (Manual) | Yes |
| WEBSITE | # of Persistent Cookies | 2 |
| | # of External Trackers | 1 |
| | # of Proprietary APIs | 6 |
| | Server SSL Rating | A+ |
| | SSL Cert issued to | Self |
| PRICING | $ / Month (Annual Pricing) | 4.59 |
| | $ / Connection / Month | 1.53 |
| | Free Trial | Yes |
| | Refund Period (Days) | 30 |
| ETHICS | Contradictory Logging Policies | |
| | Falsely Claims 100% Effective | |
| | Incentivizes Social Media Spam | |
| POLICIES | Forbids Spam | No |
| | Requires Ethical Copy | No |
| | Requires Full Disclosure | No |
| AFFILIATES | Practice Ethical Copy | No |
| | Give Full Disclosure | No |
