Disclaimer: The below review is my opinion, which I will try to provide as many examples for and as much evidence as possible to support. Readers can learn more about how I intend to conduct my reviews, my methodology, etc – here. More information on review badges here.
Written Jun 5, 2016
Welcome all – to this new series of reviews in which I will attempt to pull back the curtain and point out the good and the bad alike on VPN services, which are randomly selected from the VPN Comparison Chart! First up in this series, as per my “roll” on random.org (#91 at the time of the roll) – is ProXPN.
Signing up for the service: When going to the ProXPN website to purchase service, a couple of things about the process stood out to me:
There is no one week or even one month subscription option on the website, the minimum subscription is for a period of 3 months. Technically, they do have a free version of their service, but the speeds are throttled and you won’t get the real experience to determine if purchasing is worth it for you. Sign-up also requires an email address and phone number. Obviously, for people concerned with privacy, those requirements are of concern. Just a note: I did not (and will not in the future) sign up for the service using my TOPG email account, lest it be a dead giveaway who is using the service.
Configuring the service: Typically, the first thing you do after purchasing VPN service is download configuration files from something like a members area or download portal on the official site. When going to download the raw .ovpn files, I realized they don’t actually have any. They had installers available for Windows and OSX, and links to the app for Android (Google Play Store), and iOS (App Store).
As none of these allows for a manual configuration using my chosen platforms, I sent their support team an email asking if they have these files available for users like me that prefer privacy-centric platforms. After not hearing back for several hours, I also sent a tweet. 24 hours later, I received an email back (but I suspect it had something to do with them learning of the review occurring as they replied to my initial announcement). The email I received back had a zip folder containing .ovpn files, which was a nice surprise – until… OpenVPN wouldn’t allow the connection to be established. After looking over network configuration settings to make sure nothing was out of place, I turned my attention to the .ovpn files themselves. They had all of their certs included inline (typically seen in Android versions of config files, as ca certs are required separately for Linux setups when using OpenVPN). I broke out the ca cert into its own crt file (basically just a key file that OpenVPN knows what to do with), but the connection still did not resolve. I tried out the file on Android thinking that because it used inline certs it might resolve a connection, but still no luck. I examined the logs and saw the following:
“WARNING: No server certificate verification method has been enabled”.
This indicated that the client config files I was sent were not set up to even verify the server certificate (to know for certain it’s connecting to the actual server and not one in disguise). The cause was that the files contained no lines to accomplish this task, which typically appear in one of the following forms:
I appreciate that their support team was willing to go out of their way to bundle some config files for me to use the service on my chosen platforms, however, this appears to be a pretty big oversight considering you can be exposed to Man-in-the-Middle attacks if your client never verifies the server’s certificate. It could be that .ovpn files were quickly put together by someone to satisfy a customer, but it’s not something that should be sloppily compiled and shipped out without proper vetting. Most people aren’t going to know what anything in the config file even means, much less if it’s missing something important like that.
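The check described above can be automated before a config is ever used. The following Python is an added example, not code from this review or from ProXPN: it parses a client .ovpn file, skips inline blocks such as `<ca>`, and reports whether any of OpenVPN's server-verification directives is present. The sample configs, hostname and ports are constructed for illustration.

```python
import re

# OpenVPN client directives that check the server's identity.
# ns-cert-type and tls-remote are legacy forms seen in older configs.
VERIFY = {"remote-cert-tls", "remote-cert-ku", "remote-cert-eku",
          "verify-x509-name", "tls-verify", "ns-cert-type", "tls-remote"}
INLINE_OPEN = re.compile(r"^<([a-z0-9-]+)>$")

def parse_ovpn(text):
    """Return (option lines as token lists, names of inline <tag> blocks)."""
    options, inline, inside = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if inside:                      # skip PEM payload until closing tag
            if line == f"</{inside}>":
                inside = None
        elif (m := INLINE_OPEN.match(line)):
            inside = m.group(1)
            inline.append(inside)
        elif line and line[0] not in "#;":   # '#' and ';' start comments
            options.append(line.split())
    return options, inline

def audit(text):
    """Report whether a client config verifies the server certificate."""
    options, inline = parse_ovpn(text)
    # remote-cert-tls / ns-cert-type only help when they require "server"
    methods = [" ".join(o) for o in options if o[0] in VERIFY and
               (o[0] not in ("remote-cert-tls", "ns-cert-type")
                or o[1:2] == ["server"])]
    return {"verifies_server": bool(methods), "methods": methods,
            "inline_blocks": inline,
            "remote_ports": [o[2] for o in options
                             if o[0] == "remote" and len(o) > 2]}

# Constructed samples: placeholder hostname and ports, PEM body elided.
WEAK = """client
dev tun
remote vpn.example.net 443
remote vpn.example.net 80
remote vpn.example.net 8080
;remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
"""
HARDENED = WEAK.replace(";remote-cert-tls server", "remote-cert-tls server\n"
                        "verify-x509-name vpn.example.net name")

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```

A config for which `verifies_server` is false is one that would produce the warning quoted above; the commented-out directive in the weak sample does not count.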
Getting support: I sent out a last ditch email asking if they could help me even get a connection established given this information, but after 2 more days and a few follow ups to try contacting someone, I didn’t receive anything back. In the meantime, I checked the support page and noticed that they had a US-based 1-800 support phone number. This ended up being nothing more than a straight-to-voicemail line that had, as its message, (paraphrasing) “Thanks for calling ProXPN. Please email us at (support email address) for billing and technical issues. If you’d like to leave a voice message, please remember to leave your email address.” (not a phone number indicating no intention of returning an actual call). What on earth is the point of this? If you don’t intend to provide phone support, please don’t include a number for phone support. I tried the number 3 separate times over 3 separate days and got the same message each time – and… decided to call it there – as, I believe I dug far enough to believe I’d done due diligence on everything but speed/stability tests (which I do plan to include when possible in future reviews).
Using the service: Well, this is where things get slightly disappointing, but I suspect it won’t be the last time it happens, unfortunately. I wasn’t able to get the service up and running as per the issues I was having above. While I intend to provide speed and stability tests in the future, there won’t be any such results this time around. My policy for handling this now and in the future will be giving the reviewed service a 3 day window in which support has to get me up and running. I believe this to be fair given a worst case scenario privacy need in say the threat model of an activist in a hostile-to-free-speech country. Waiting 3 days to be able to access the Internet when you’re alone in a country where you can be imprisoned (or worse) for expressing your opinion, is not acceptable. (For the record, I have used somewhere around a dozen different services in the last 6 months and never once had this issue or anything like it when setting up the service. Most services I’ve used are relatively easy to set up and .ovpn files and included cert files typically work out-of-the-box with little to no tweaking.) I did inspect the .ovpn files to see what their default configuration was like. It used what appeared to be default settings for everything from encryption to shotgunning ports – (not specifying one, but listing 3, which could cause unpredictable stability as a network switchover could be interrupted if certain ports are blocked).
Getting a refund: I finally sent a request for a refund, which again took about 24 hours from the time the request was submitted to the time a refund was granted. No hassle to get the refund thankfully, nor was I forced to endure any obnoxious troubleshooting beforehand as some companies require, to remove a possible excuse and keep you locked into the service as long as they possibly can.
“Forbidden Activites – Other Activities – This means any activity (including lawful ones) which are determined by XPN as a danger to XPN’s users, operations, reputation, goodwill, or customer relations.”
I’m going to go out on a limb and say they could justify terminating your account for badmouthing them. I’m just glad I got my refund before publishing this review…
ProXPN’s front page’s marketing indicates: “With proXPN, no one can… See the websites you visit or record your online activity, Wirelessly intercept banking details, instant messages, or passwords, Trace your connection to find out the current location of your device” and further down the page states, “proXPN ensures that your online activities cannot be monitored or recorded by anyone – governments, internet service providers, hackers, and neighbors included.” But the terms page is quick to backpedal: “It cannot be guaranteed that other means of communications (e.g. mail, facsimile, and voice telephone service) will ever be 100% secure.”
In my opinion, this should be the attitude and tone of the company from the start. Security and privacy are very complicated, and oversimplified marketing can be misleading and potentially life threatening depending on the customer’s threat model.
Recurring Payments & Cancellations.
When signing up for ProXPN service, you are automatically enrolled in re-billing when the term of your service expires. You can technically cancel the recurring payment through Paypal at any time, but this still kind of bothers me as it seems to be an attempt to scrape a few extra bucks from forgetful customers.
“Information That We Collect – proXPN, B.V. only collects your sign-up information, email, and password. We do not keep logs of connection times, activity, or origin IPs. What we don’t collect cannot be requested.”
Note that “ProXPN B.V.” is one of three registered organizations as listed on their terms page (proXPN Direct LLC, proXPN B.V., and proXPN Ltd.) Since ProXPN B.V. is the only one that doesn’t log the above, what does that mean for the other two? They also mention that they “only” have the information given to them during sign-up. This just so happens to include a phone number and email address – which is a lot to ask for from people concerned with personal privacy.
“Use Of Collected Information – proXPN, B.V. will only use personally identifiable information collected through our web site to contact users regarding only products and services offered by proXPN, B.V. We will NOT share this information with anyone. Period.”
Again, this only mentions one registered entity of their operation. It’s quite possible that it’s simply an oversight that the one is mentioned but the other two are not. Regardless, it makes me nervous because technically they did state their case if the worst is to be assumed that the other organizations perhaps are the ones to share your info. Possibly a stretch, but the point is their wording needs to be tightened up to really put my mind at ease regarding this issue.
“proXPN’s Log Keeping Policy – Our logging policy is quite simple, we don’t log anything. We don’t log any activity of our users at any time. proXPN = NO LOGS.”
Ideally I’d like them to specify no DNS request or bandwidth logs in addition to Traffic, IP Address, and Timestamps, to ensure that a potential customer can really see what ISN’T being logged.
“Our [Warrant] Canary Policy”
As always, it’s impossible to verify whether a warrant canary is representative of reality and is mostly marketing theater.
Final thoughts: ProXPN leaves a lot to be desired. If you are looking to perfect your privacy setup, and share the same platform preference as I do, you will likely hit roadblocks with their manual setup (for ideal security hardening along with system level tweaks) and may be waiting for some time before their support team provides a workable solution.
But hey – you can at least get a refund without a hassle.
FROM THE VPN COMPARISON CHART

| Category | Field | Value |
|---|---|---|
| JURISDICTION | Based In (Country) | Netherlands |
| | Logs DNS Requests | |
| | Logs IP Address | No |
| ACTIVISM | Anonymous Payment Method | No |
| | PGP Key Available | No |
| | Meets PrivacyTools IO Criteria | No |
| LEAK PROTECTION | 1st Party DNS Servers | No |
| | IPv6 Supported / Blocked | No |
| | Supports TCP Port 443 | |
| | Supports SSL Tunnel | |
| | Supports SSH Tunnel | |
| | Other Proprietary Protocols | |
| PORT BLOCKING | Auth SMTP | |
| SECURITY | Weakest Data Encryption | |
| | Strongest Data Encryption | |
| | Weakest Handshake Encryption | |
| | Strongest Handshake Encryption | |
| AVAILABILITY | # of Connections | 1 |
| | # of Countries | 16 |
| | # of Servers | 21 |
| WEBSITE | # of Persistent Cookies | 2 |
| | # of External Trackers | 0 |
| | # of Proprietary APIs | 16 |
| | Server SSL Rating | B |
| | SSL Cert issued to | Self |
| PRICING | $ / Month (Annual Pricing) | $6.25 |
| | $ / Connection / Month | $6.25 |
| | Refund Period (Days) | 30 |
| ETHICS | Contradictory Logging Policies | |
| | Falsely Claims 100% Effective | Yes |
| | Incentivizes Social Media Spam | |
| | Requires Ethical Copy | No |
| | Requires Full Disclosure | No |
| AFFILIATES | Practice Ethical Copy | |
| | Give Full Disclosure | No |