Disclaimer: The below review is my opinion, which I will try to provide as many examples for and as much evidence as possible to support. Readers can learn more about how I conduct my reviews, my methodology, etc – here. More information on review badges here.
This review’s roll was #19 (at the time of the roll, CactusVPN).
Last Updated Jul 21, 2016
CactusVPN, like another service I’ve recently reviewed, relies heavily on an “affiliate referral” aka “native advertising” marketing strategy. I’ve talked about this subject at length in past posts and such, so I won’t go on too much about it here. Some VPN and web service companies use this model in moderation – against their better judgment. Others embrace it wholeheartedly. CactusVPN appears to fall into the latter category – as one affiliate in particular has in the past stolen my work and posted it on their site. When affiliates are allowed to run around unchecked like this, it tells a lot about the company that pays them. Someone on the internet comes with a dissenting opinion of your business dealings? Just steal their work, make fake websites to take their web traffic and troll forum posts to discredit them, it’s all good!
It strikes me as incredibly irresponsible when those they partner with are given free rein to steal copyrighted and trademarked work of others with no expectation or standard to live up to. And as a side note: I did contact CactusVPN at the time the aforementioned offense occurred. They acknowledged that they would contact the third party regarding my complaint, but I never heard back, nor was the stolen material taken down. Now that we’ve established this, to the review!
Signing up for the service: The first thing CactusVPN asks you for is your full name. A privacy no-no. There’s a little note at the bottom of the sign-up page that says, “Please, use your real IP address if it’s possible as we do not accept orders from Proxy or VPN IP.” Just the fact that they even ask for that makes me cringe. Is this, or is this NOT, a service that those concerned with privacy should consider? Based on what’s mentioned above, I would say it is not.
Once more, and it’s a minor complaint, but it always seems like these companies rarely think out the customer experience. After registration, I was greeted with a hodgepodge of 5+ welcome emails/receipts. Just seems sloppy to me, and many services fall prey to this.
Configuring the service: Mercifully, the config files and the CA cert for OpenVPN manual connection are easily found on the user portal, and in no time I had them downloaded and set up. The user portal provides a user name and password, which are automatically generated. The default password is quite short (8 characters) and contained no uppercase letters or special characters, which is a fairly weak scheme. But all in all, everything was relatively easy to set up.
As we saw early on in my reviews, some companies forget to enable a certificate verification method in their server configs. This was the case with CactusVPN as this message appeared in the logs: “WARNING: No server certificate verification method has been enabled”. Basically, this creates an attack vector in which the server can be spoofed by a third party because it’s not being verified with the proper certificate. This is not a professional way to configure a VPN for security.
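An added example, not part of the original review and not CactusVPN's own configuration: a small Python audit that reports whether an OpenVPN client config enables any server-certificate check, which is the condition behind the warning quoted above. The two sample configs, the hostname vpn.example.net and the directive list are constructed assumptions.

```python
import shlex

# Directives that make an OpenVPN client verify the server's certificate.
# Assumption: this list covers the common options; it is not exhaustive.
VERIFY_DIRECTIVES = {"remote-cert-tls", "remote-cert-eku", "verify-x509-name",
                     "ns-cert-type", "tls-verify"}

# Constructed sample configs (hostname and certificate body are placeholders).
WEAK_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-128-CBC
;remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(placeholder)
-----END CERTIFICATE-----
</ca>
"""
HARDENED_CONFIG = WEAK_CONFIG.replace(
    ";remote-cert-tls server",
    "remote-cert-tls server\nverify-x509-name vpn.example.net name  # pin the CN")

def parse_directives(text):
    """Return [(name, args)], skipping comments and inline <ca>-style blocks."""
    out, block = [], None
    for line in map(str.strip, text.splitlines()):
        if block:                      # inside <ca>...</ca>: PEM data, not directives
            if line == f"</{block}>":
                block = None
        elif line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
        elif line and line[0] not in "#;":
            parts = shlex.split(line, comments=True)
            if parts:
                out.append((parts[0], parts[1:]))
    return out

def audit(text):
    """Report which server-certificate checks a client config enables."""
    directives = parse_directives(text)
    is_client = any(n in ("client", "tls-client") for n, _ in directives)
    checks = [" ".join([n] + a) for n, a in directives
              if n in VERIFY_DIRECTIVES
              # these two only help a client when they require a *server* cert
              and not (n in ("remote-cert-tls", "ns-cert-type") and a[:1] != ["server"])]
    return {"is_client": is_client, "checks": checks,
            "warns": is_client and not checks}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit(cfg))
```

A commented-out `;remote-cert-tls server` line, as in the weak sample, does not count as a check, so the config still reports `warns: True`.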
Speed & Stability tests: All tests were performed at non-peak times using beta.speedtest.net (html5) or the speedtest.net app. Connections used UDP; the default encryption was AES-128.
Speed Tests – CactusVPN – Desktop

| Location | Trial | Ping | Download | Upload |
|---|---|---|---|---|
| No VPN | Trial 1 | 17 ms | 97.14 mbps | 11.99 mbps |
| Los Angeles | Trial 1 | 31 ms | 91.21 mbps | 11.09 mbps |
| Comp to Bench | | +20 ms | 95.23% | 92.48% |
| Comp to Bench | | +263 ms | 8.07% | 33.59% |
| Comp to Bench | | +371 ms | 14.34% | 15.62% |
| Comp to Bench | | +280 ms | 18.88% | 26.53% |
Speed Tests – CactusVPN – Mobile

| Location | Trial | Ping | Download | Upload |
|---|---|---|---|---|
| No VPN | Trial 1 | 26 ms | 74.74 mbps | 14.49 mbps |
| Los Angeles | Trial 1 | 35 ms | 23.01 mbps | 13.62 mbps |
| Comp to Bench | | +19 ms | 34.17% | 94.42% |
| Comp to Bench | | +260 ms | 4.66% | 64.41% |
| Comp to Bench | | +376 ms | 3.58% | 40.43% |
| Comp to Bench | | +355 ms | 3.81% | 55.63% |
AES-128 is faster than AES-256, but not as strong. It’s considered okay for most uses, although it’s speculated that resourceful and determined government actors could break it if they wish. Note that for Desktop – Bucharest – Trial 3 – the upload test failed, so the 0.00 mbps figure is intentional. Domestic speeds were quite fast and international speeds were so-so.
Getting support: It seems like it’s become a little more common lately, but I’m a big fan of the low, medium, and high priority drop-down selection on the support ticket form (assuming it gets used as it’s implied). Opening a ticket was very easy and the interface was simple. I asked a question about their logging policy as it related to bandwidth logging, which I don’t mention in the terms section, but they do have a “no excessive bandwidth consumption” policy. They replied about a day and a half later telling me that they monitor (as opposed to log) to see which accounts are consuming “excessive” bandwidth in real time, which is fairly normal and necessary from a server admin standpoint. I wanted to make sure first and foremost they weren’t contradicting themselves.
Getting a refund: I replied to my support request from above with a refund request and without too much hassle it was granted.
Terms and conditions were a bit longer than I’d have liked, but just shy of what would have earned CactusVPN the “Obtuse” stamp of shame.
CactusVPN respects the fact that the Internet provides a forum for free and open discussion and dissemination of information. However, when there are competing interests at issue, CactusVPN reserves the right to take certain preventative or corrective actions. In order to protect these competing interests…
Remember last review, how I said I’d made an observation in many of these companies’ conditions pages? The trend appears to be 1) Say you’re concerned with and highly respect your users’ privacy, then 2) Immediately contradict yourself with a statement about something you do that potentially abuses it.
CactusVPN software and proxy filtering are bonus services and you can not consider them as they are part of service you’ve paid for. We reserve the right to stop providing this bonuses whenever we consider it necessary.
“Bonus services”. That’s a new one on me…
CactusVPN clients violate CactusVPN policy and the service agreement when the clients, their customers, affiliates, or subsidiaries engage in the following prohibited activities: Intellectual Property Violations
Client affiliates aren’t allowed to violate intellectual property – but CactusVPN’s affiliates are good to go! Utter hypocrisy.
Background Running Programs.
Background Running Programs are prohibited? So, no Email clients are to be used with this service? No chat applications? No Bitcoin wallets? It’s unlikely this is what this really means, but this is how it reads to me and there is no further explanation given.
We may send personally identifiable information about You to third parties when: We respond to subpoenas, court orders or legal processes which require us to disclose Registration Data or any information about You to law enforcement or other government officials as CactusVPN, in its sole discretion, believes necessary or appropriate.
“Just a heads up, we’re all ready to sell you out if someone comes a-knockin'”
Final thoughts: Ethics have become one of the biggest hot-buttons for me when looking at VPN services and I can spot a shady operation from a mile away. CactusVPN’s affiliate program encourages third parties to act irresponsibly and seemingly without control or enforcement of any ethical standard – their lack of control over their reselling partners has affected me firsthand as mentioned in my disclaimer at the start and I’m intimately aware of the damage this kind of irresponsible lack of expectation brings. The service’s configuration had some issues as well with the misconfiguration of the servers. It’s confusing that CactusVPN, like many others, states they are serious about privacy when they require names, IP addresses, etc. on sign-up and not all of their terms and policies seem to reinforce this assertion. The service itself performed decently, although without a properly configured server, I would be wary of trusting the connection with my privacy. It isn’t the worst I’ve used, but CactusVPN achieves the bare minimum to qualify as “a functional VPN that someone could use”.
Update (7-21-2016): CactusVPN has reached out and informed me that the server certificate validation issue mentioned above (now with a strikethrough) has been fixed. I have not personally confirmed this, however.
FROM THE VPN COMPARISON CHART

| Category | Item | Value |
|---|---|---|
| JURISDICTION | Based In (Country) | Moldova |
| | Freedom Status | Partly Free |
| | Logs DNS Requests | No |
| | Logs IP Address | No |
| ACTIVISM | Anonymous Payment Method | No |
| | PGP Key Available | No |
| | Meets PrivacyTools IO Criteria | No |
| LEAK PROTECTION | 1st Party DNS Servers | No |
| | IPv6 Supported / Blocked | No |
| | Supports TCP Port 443 | |
| | Supports SSL Tunnel | |
| | Supports SSH Tunnel | |
| | Other Proprietary Protocols | |
| PORT BLOCKING | Auth SMTP | No |
| SPEEDS | US Server Average % | 95.23 |
| | Int’l Server Average % | 13.76 |
| SERVERS | Dedicated or Virtual | |
| SECURITY | Default Data Encryption | AES-128 |
| | Strongest Data Encryption | AES-256 |
| | Weakest Handshake Encryption | RSA-2048 |
| | Strongest Handshake Encryption | RSA-4096 |
| AVAILABILITY | # of Connections | 3 |
| | # of Countries | 4 |
| | # of Servers | 16 |
| | Linux Support (Manual) | Yes |
| WEBSITE | # of Persistent Cookies | 2 |
| | # of External Trackers | 1 |
| | # of Proprietary APIs | 6 |
| | Server SSL Rating | A+ |
| | SSL Cert issued to | Self |
| PRICING | $ / Month (Annual Pricing) | 4.59 |
| | $ / Connection / Month | 1.53 |
| | Refund Period (Days) | 30 |
| ETHICS | Contradictory Logging Policies | |
| | Falsely Claims 100% Effective | |
| | Incentivizes Social Media Spam | |
| | Requires Ethical Copy | No |
| | Requires Full Disclosure | No |
| AFFILIATES | Practice Ethical Copy | No |
| | Give Full Disclosure | No |