Disclaimer: The below review is my opinion, which I will try to provide as many examples for and as much evidence as possible to support. Readers can learn more about how I intend to conduct my reviews, my methodology, etc – here. More information on review badges here.
Last Updated Aug 16, 2017
Welcome back to the next in the series of my VPN reviews. I had a little extra time this weekend, so I decided to spend it making a review – a week early! This time around, we’re looking at, as per my “roll” on random.org (#96 at the time of the roll) – SaferVPN.
Signing up for the service: Signing up for SaferVPN was thankfully, simple and streamlined. Their website has a clean look and things worked the way they were supposed to. I was able to choose between 1 month, 6 months, or 12 months of service, which is all fairly standard. One thing that was kind of annoying, but not a huge deal: by the end of sign up, I had received something like 4 emails about the whole ordeal. These included a receipt email, welcome email, invoice email, and activation email (which is redundant with the normal sign up process step of choosing a password). Again, not a big deal, just a little annoying and feels like that could all be put into one big welcome email or left out altogether.
Sign-up also requires an email address, which in my opinion, is the most one should expect when looking for a service for privacy purposes. As always: I did not sign up for the service using my TOPG email account so as to hopefully blend in with the other users and avoid any special treatment.
Configuring the service: SaferVPN’s website download area was tailored more to the layman, providing your usual array of Windows and OSX installers, Android, iOS, and Chrome links, etc. As per my review methodology page, I’m testing what these services are like for more advanced users concerned with the finer points of privacy configurations (Linux, AOSP Android, etc). In this regard, I was a little disappointed to see that the only link to the manual configuration page wasn’t to be found on the main download page, but on the welcome pop-up splash panel (would probably be hard to find the next time I visited the site). When clicked, the link took me to a support board with some manual configuration instructions and download links for .ovpn zips. The setup instructions were competent, but for Linux, they required using terminal commands to download their ca certs – an actual link to just download through the site would have been nice to have too. The way they currently instruct the user to configure service on Linux requires the user to reference their server list and manually configure the connection. This really should have been boiled down to a zip package download link for convenience in my opinion… because the Android manual configuration page HAS download links for .ovpn files, so why not duplicate them for another platform (they’re fairly interchangeable). Despite the Android page having these files, they were available to download only one at a time for individual servers, which is a little clunky. Many other services I’ve tried have a place to download everything you need in one go – config files, cert files, etc. This makes things easy to transfer to other devices and know you won’t overlook or be missing something important for setup.
I downloaded four .ovpn files from the Android manual config direct link page – and 2 of the four did not have the proper file extension (.ovpn) which was a little odd. Linux gets confused by this and wouldn’t even set up an OpenVPN connection with them, but Android seemed to be okay with it either way. After renaming the 2 properly, I was able to establish a connection with both devices.
After connection, I looked through the log and found: “WARNING: No server certificate verification method has been enabled”. It appeared that, like the last review with ProXPN, the config files I downloaded were not set up to verify the server certificate (to know for certain it’s connecting to the actual server and not one in disguise). The cause of which, was that the files contained no lines to accomplish this task, which typically appears in one of the following forms:
ns-cert-type server
or
remote-cert-tls server
SaferVPN’s default encryption is Blowfish-128, which is known to have weaknesses as well. This can be changed to Blowfish-256 manually, however, just concerning for privacy/security purposes if someone didn’t know better.
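An added example, not part of the original review or SaferVPN's tooling: a small Python check for the two config problems described above, a missing server-certificate verification directive and a Blowfish cipher. The sample configs and hostname are constructed, and `verify-x509-name` is included as a further OpenVPN verification option beyond the two forms the review names.

```python
# Added example: audit OpenVPN client configs. The first two directives are the
# forms named in the review; verify-x509-name is another OpenVPN option.
VERIFY_DIRECTIVES = {"remote-cert-tls", "ns-cert-type", "verify-x509-name"}

# Constructed sample configs (hostname and certificate body are placeholders).
WEAK_SAMPLE = """client
dev tun
proto udp
remote vpn.example.invalid 1194
; remote-cert-tls server
cipher BF-CBC
<ca>
constructed-placeholder-certificate
</ca>
"""
HARDENED_SAMPLE = WEAK_SAMPLE.replace("; remote", "remote").replace("BF-CBC", "AES-256-CBC")


def parse_directives(text):
    """Return (name, args) pairs, skipping comments and inline <ca>-style blocks."""
    directives, inline_tag = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if inline_tag:  # inside <ca>...</ca>, <cert>...</cert>, etc.
            if line == f"</{inline_tag}>":
                inline_tag = None
        elif line.startswith("<") and line.endswith(">") and not line.startswith("</"):
            inline_tag = line[1:-1]
        elif line and line[0] not in "#;":
            name, *args = line.split()
            directives.append((name, args))
    return directives


def audit(text):
    """Return findings for one config: missing verification, Blowfish cipher."""
    directives = parse_directives(text)
    findings = []
    if not any(name in VERIFY_DIRECTIVES for name, _ in directives):
        findings.append("no server certificate verification directive")
    ciphers = [args[0].upper() for name, args in directives if name == "cipher" and args]
    if not ciphers:
        findings.append("no cipher line, so the client's built-in default applies")
    findings += [f"Blowfish cipher configured: {c}" for c in ciphers if c.startswith("BF-")]
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        print(label, audit(cfg) or "ok")
```

Because it works on the file contents rather than the filename, it also covers downloads that arrive without the .ovpn extension.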
Speed & Stability tests: After finally getting the service up and running, I ran a series of speed tests, see below – all tests performed at non-peak times using speedtest.net, the speedtest.net app, test server was Phoenix NAP AZ Data Center for all trials. Connecting using UDP, Blowfish-128 encryption (the default).
Speed Tests – SaferVPN – Desktop

| Server | Trial | Ping | Download | Upload |
|---|---|---|---|---|
| No VPN | Trial 1 | 10 ms | 97.01 mbps | 12.86 mbps |
| US West | Trial 1 | 39 ms | 92.03 mbps | 11.85 mbps |
| Comp to Bench | | +29 ms | 93.45% | 91.83% |
| Comp to Bench | | +378 ms | 8.37% | 11.07% |
| Comp to Bench | | +346 ms | 11.96% | 39.45% |
| Hong Kong | Trial 1 | 346 ms | 11.58 mbps | 6.66 mbps |
| Comp to Bench | | +339 ms | 11.76% | 51.94% |
Speed Tests – SaferVPN – Mobile

| Server | Trial | Ping | Download | Upload |
|---|---|---|---|---|
| No VPN | Trial 1 | 11 ms | 74.33 mbps | 14.44 mbps |
| US West | Trial 1 | 36 ms | 21.37 mbps | 13.89 mbps |
| Comp to Bench | | +25 ms | 28.55% | 96.50% |
| Comp to Bench | | +400 ms | 5.32% | 32.10% |
| Comp to Bench | | +397 ms | 3.06% | 32.61% |
| Hong Kong | Trial 1 | 360 ms | 3.04 mbps | 3.02 mbps |
| Comp to Bench | | +348 ms | 3.78% | 18.38% |
The US West server speeds held up quite well on desktop, but the international servers I tried were pretty slow all around. Some slowdown is expected of course given proximity, but any downloading or streaming using these servers would be pretty painful I’d imagine.
I forced the mobile connection to jump from Wi-Fi to LTE several times and the VPN was able to reconnect each time without any trouble (some I’ve used in the past struggle with keeping a stable connection when roaming and switching networks), so that was a good sign for stability at least.
Getting support: I sent an email asking some questions about the .ovpn configuration and while waiting for a response, started a live chat session with “Mary”. When I asked some questions about the info above and general .ovpn configuration, I got responses asking me which problem/error I was having. Note that it’s highly likely that their live chat is farmed out to a third party with a scripted flowchart for simple, tier 1 issues (a lot of companies do this, but I’ve used others with more knowledgeable live chat too). When I re-emphasized that the questions I had were not related to a specific error necessarily, or rather that “the script” would probably not be of use, she terminated the chat session early. I tried reopening the page for live chat, but the prompt to begin chatting didn’t appear for some reason. I disconnected from the (non SaferVPN) VPN I’d been using, wondering if she actually blocked me – and sure enough, it came right up. I spoke to Mary again and asked if they had any tier 2 support via live chat, she notified me that she had escalated the ticket, that it would take a couple of hours to get back to me, then terminated the session again. Not too impressed.
I tried reconnecting to my VPN to recreate the issue with the live chat prompt not appearing on the support page and I WAS able to. Again, not sure what the root cause of that is, I can’t prove she actually did something to prevent me from asking further uncomfortable questions. Maybe there’s an IP based limit to how often a user can contact support via live chat or something. I wouldn’t even be mentioning it if I couldn’t duplicate the results, but… I can, and… it’s weird… food for thought.
I looked at the contact page and saw there was also a support phone number, which I tried to call. It went straight to voicemail and said (paraphrasing) “You have reached SaferVPN, please visit our website or use our live chat or email for support.” I’ve seen this kind of straight-to-voicemail pointer to the real support tools, but it always bugs me. Why have a phone number if it’s basically good for nothing? (other than solely to say you have one).
I got an email back from “Jeervan” who, in response to my question linked an about page on the site talking generally about encryption protocols the service uses, but failed to address my specific questions.
Getting a refund: There was no place on the website that I could find to cancel service and initiate a refund, so I responded to Jeervan with a refund request. “Robert” responded (paraphrasing) “We could indeed grant your request for a refund… but first, let’s try some troubleshooting!” I get why companies want to do this, sometimes they mean well and just want to help, but more often than not they want to keep you locked in or hold you to terms requiring a round of support before a refund is granted. As SaferVPN has a 14-day no hassle refund policy, I replied that I just wanted a refund, and a few minutes later they granted it.
SaferVPN’s terms contained page after page of typical nothing-is-ever-our-fault-seriously-never-ever-our-fault boilerplate terms (the things I’ll suffer through for you guys). Just a few standouts:
“When You set up Your Safer VPN Account, we ask You to provide certain information, such as Your name, email address” and “You agree to provide the Company with accurate and truthful registration information, including, but not limited to, Your name and email addressto [sic] keep Your registration information current during the Service Period as defined above”
I wasn’t asked for my name during registration, but I was asked for my email address. Those concerned with keeping their personal info confidential may wish to look elsewhere. It always bugs me when they not only ask for that information but then follow it up with a clause in the terms requiring a real name and so forth. It’s unlikely they’d know if you gave a fake name (if they ever decided to request it), but the fact that they wrote that in there shows a lack of respect for privacy in my opinion.
“A subscription plan is an automatic payment recurring based on the service plan.”
I hate opt-out auto-renewal. I think it takes advantage of someone forgetting to cancel service. Unfortunately, it’s more or less the norm for some payment methods.
“Information We Collect (And Don’t) From You, Why We Need It, And How We Use It
What Safer Social Ltd. Retains From SaferVPN sessions:
– a time stamp when you connect and disconnect to our VPN service;
– the amount of data transmitted (upload and download) during your session;
– the IP address used by you to connect to our VPN;
– the IP address of the individual VPN server used by you.”
All connection metadata appears to be logged, no good.
So… which is it, our privacy is important or you want to keep logging our connection metadata?
“We do not store your name, home address (unless you entered them) but this data may be stored by the third party payment provider handling the transaction and may be accessible by us.”
As good as, then?
Final thoughts: SaferVPN is easy to sign up with but a little rocky to get connected. The international servers I tried were very slow on both desktop and mobile, but if you only need US based connections on more powerful desktop-based hardware, it might be suitable for you.
They could be a lot better where privacy is concerned when it comes to the info required during sign up, default encryption, and their logging policy. Their obtuse “we’re-absolved-of-everything-wrong-with-the-world” terms could be cut in half for the sake of the user. It’s hard to recommend for privacy enthusiasts, or even someone who just needs something simple for geo-unblocking as the high price tag is in the top third of services on the Comparison Chart.
Update (8-16-2017): SaferVPN has reached out and presented several improvements to their site and service. They appear to have made a good faith effort, including the following changes. While not perfect, it’s certainly a step in the right direction:
- I have not verified this, but I’m told VPN configs were fixed to address the concerns I had from above – I have gone ahead and rescinded the “Broken” stamp.
- Several of their terms have been revised, such as requiring a name and enforcing its accuracy via the terms; their logging policy has been revised to collect less metadata.
- Some other tweaks, such as a correction on the country they are based in (Israel vs US).
- Default encryption upgraded to AES-256.
- Raising the number of simultaneous connections.
- Clarifying that privacy causes are supported by the company.
FROM THE VPN COMPARISON CHART

| Category | Item | Value |
|---|---|---|
| JURISDICTION | Based In (Country) | Israel |
| | Enemy of the Internet | No |
| | Logs DNS Requests | |
| | Logs IP Address | No |
| ACTIVISM | Anonymous Payment Method | |
| | PGP Key Available | No |
| | Gives back to Privacy Causes | Yes |
| | Meets PrivacyTools IO Criteria | No |
| LEAK PROTECTION | 1st Party DNS Servers | No |
| | IPv6 Supported / Blocked | No |
| | Supports TCP Port 443 | |
| | Supports SSL Tunnel | |
| | Supports SSH Tunnel | |
| | Other Proprietary Protocols | |
| PORT BLOCKING | Auth SMTP | |
| SPEEDS | US Server Average % | 93.45 |
| | Int’l Server Average % | 10.7 |
| SERVERS | Dedicated or Virtual | |
| SECURITY | Default Data Encryption | AES-256 |
| | Strongest Data Encryption | AES-256 |
| | Weakest Handshake Encryption | |
| | Strongest Handshake Encryption | |
| AVAILABILITY | # of Connections | 3 |
| | # of Countries | 24 |
| | # of Servers | 150 |
| | Linux Support (Manual) | Partial |
| WEBSITE | # of Persistent Cookies | 11 |
| | # of External Trackers | 2 |
| | # of Proprietary APIs | 14 |
| | Server SSL Rating | A |
| | SSL Cert issued to | Self |
| PRICING | $ / Month (Annual Pricing) | $5.99 |
| | $ / Connection / Month | $2.00 |
| | Refund Period (Days) | 14 |
| ETHICS | Contradictory Logging Policies | Yes |
| | Falsely Claims 100% Effective | |
| | Incentivizes Social Media Spam | |
| | Requires Ethical Copy | Yes |
| | Requires Full Disclosure | Yes |
| AFFILIATES | Practice Ethical Copy | No |
| | Give Full Disclosure | No |