If you put www.findnot.com into your favorite search engine, you will no doubt see several references to potential security breaches in our PPTP VPN connections, and also our SSH tunnel connection. Here are the facts:

In our commitment to keeping our customers' information private, we purposely use generic SSH and VPN servers instead of trusting proprietary systems whose sources cannot be verified. The vulnerabilities are part of the generic software that we use, and furthermore we have (and have had) well-known workarounds for these. These 'Security Breach' announcements are typically competitors pointing out known flaws in the generic tools.

One possible 'security breach' that has been reported has to do with the leaking of information should the PPTP VPN connection drop. There are several reasons why this may happen. One workaround is to enable the auto-reconnect feature. In the properties of your VPN connection, click on the "options" tab. Change the "Redial Attempts" to 99. Change the "Time between redial attempts" to 1 second. Last but not least, select the option that says "Redial if line is dropped". Now if the line drops you will be notified right away and it will fix itself right away.

Of course, if the PPTP VPN doesn't reestablish the connection, it will default to your original IP address. If this poses a privacy issue for you and you need VPN functionality specifically, use OpenVPN. It is much more stable. We continue to offer the PPTP VPN because it is the only option for some users. Or, if you do not need VPN specifically, use the SSH tunnel. If you lose the tunnel connection, the application using the tunnel will not be able to access the internet until the tunnel is reestablished.

Another 'security breach' concerns our SSH tunnel connection. The SSH system is designed for the DNS lookups to be handled by our server, not your ISP. There is an issue with the SSH software that could cause a DNS request to be leaked to your ISP. This information would only contain the site requested, nothing more. However, this does raise a privacy issue for some. There are two options to fix this:

1. The easiest is to download and use FreeCap with your browser, and set it to only allow remote lookups. Instructions for this are here:

http://www.findnot.com/setup.php?setup=ssh

2. You can enable Firefox to do remote domain name lookups. The option network.proxy.socks_remote_dns is available via about:config:

Enter about:config into the address bar, as if it were a URL, and hit enter. The resulting page has a text entry at the top labeled Filter. In it, type socks_remote_dns (don't hit enter). As you type, the list of settings should shrink until there's only one. Double click it and set the value to 'true'.
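The difference between local and remote lookups shows up in the proxy request itself. The Python sketch below is an added example, not FindNot's code or part of the original page; it assumes the SSH tunnel is presented to the browser as a SOCKS proxy (as the network.proxy.socks_remote_dns preference implies), and the function name and sample bytes are constructed for illustration.

```python
import ipaddress
import struct

def classify_socks_connect(req: bytes) -> dict:
    """Report the destination of a SOCKS request and who resolved its name."""
    if len(req) < 8:
        raise ValueError("truncated request")
    ver = req[0]
    if ver == 5:
        # SOCKS5 layout: VER CMD RSV ATYP DST.ADDR DST.PORT
        atyp = req[3]
        if atyp == 0x03:  # length-prefixed host name: the proxy does the lookup
            n = req[4]
            if len(req) < 5 + n + 2:
                raise ValueError("truncated SOCKS5 host name")
            return {"dest": req[5:5 + n].decode("ascii", "replace"), "resolver": "proxy"}
        size = {0x01: 4, 0x04: 16}.get(atyp)
        if size is None or len(req) < 4 + size + 2:
            raise ValueError("bad SOCKS5 address")
        # A literal address: any name lookup already happened on the client
        return {"dest": str(ipaddress.ip_address(req[4:4 + size])), "resolver": "client"}
    if ver == 4:
        # SOCKS4 layout: VER CMD DSTPORT DSTIP USERID NUL [HOSTNAME NUL]
        ip = req[4:8]
        if ip[:3] == b"\x00\x00\x00" and ip[3] != 0:  # SOCKS4a marker 0.0.0.x
            fields = req[8:].split(b"\x00")
            if len(fields) < 3 or not fields[1]:
                raise ValueError("SOCKS4a host name missing")
            return {"dest": fields[1].decode("ascii", "replace"), "resolver": "proxy"}
        return {"dest": str(ipaddress.ip_address(ip)), "resolver": "client"}
    raise ValueError("not a SOCKS4/5 request")

# Constructed sample requests (not captured traffic); 192.0.2.10 is a documentation address
PORT = struct.pack("!H", 443)
HOST = b"example.org"
SAMPLES = {
    "socks5_remote": b"\x05\x01\x00\x03" + bytes([len(HOST)]) + HOST + PORT,
    "socks5_local": b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + PORT,
    "socks4a_remote": b"\x04\x01" + PORT + b"\x00\x00\x00\x01" + b"\x00" + HOST + b"\x00",
    "socks4_local": b"\x04\x01" + PORT + bytes([192, 0, 2, 10]) + b"\x00",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify_socks_connect(raw))
```

A request classified as "client" carries only an IP address, so if the user typed a host name, the lookup for it went to the local resolver rather than through the tunnel.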

In conclusion, it is sad that these supposed 'security advocates' never bothered to contact us, but instead chose to perpetuate misleading information. The only reasoning I can figure is that whatever product they are promoting 'between the lines' cannot stand up to the product that FindNot delivers. The reason why users continually choose FindNot for privacy is our commitment to keeping their information private, instead of trusting proprietary systems whose sources cannot be verified, and who are usually located in privacy-invasive countries like the U.S.! If you have questions or concerns, we are always available: http://www.findnot.com/contact.html. Better yet, try FindNot.com for yourself. We have free trials available, just ask.