The last few years were marked by rapid growth of the Virtual Private Network (VPN) industry. At the same time, there are growing concerns about how trustworthy commercial providers really are. Part of it may be confusion about what a VPN actually is and what it does, and part of it reasonable doubt fuelled by the data leak scandals of 2017 and 2018, which changed how we look not only at the companies behind them but at every online service and piece of software we had trusted until then. Consumers aren't always aware of what is going on under the hood of a VPN. Now several providers have decided to stand up for honesty and transparency by commissioning independent security audits and publishing the results for everyone to see. Let's hope this encourages other providers to follow.

Surfshark

Not everyone has heard of this VPN yet. It is still called a newcomer, but as many professionals have noted, it seems to be serious competition even for the big names in the industry. So far it has neither raised suspicions among reviewers or users, nor had any doubt, reasonable or otherwise, cast on it by its competitors.

Surfshark has just released the results of an audit performed by Cure53 on its Firefox and Chrome browser extensions. Note the scope: the extensions only, so the findings say nothing yet about the native applications or the server side. We are not sure whether the applications will be tested later, but the results of this audit are already very promising:

“Despite this premise and extensive efforts, the Surfshark VPN extensions held up to the scrutiny of the Cure53 testers. To sum up, Cure53 is highly satisfied to see such a strong security posture on the Surfshark VPN extensions, especially given the common vulnerability of similar products to privacy issues.”

Only two vulnerabilities were found, both rated low risk, and the Cure53 testers pointed out that one of them is not in the extension itself but is a general weakness of the service. Surfshark responded by assigning its team to address both issues right away (you can read the full blog post here).

The Surfshark audit gives us hope for a few reasons. First, even though no scandals or suspicions surrounded them, they chose to get audited, which may prompt other providers to follow. Second, the report suggests that some newcomers are capable of delivering a high-quality service from the very beginning.

You can find the full audit report right here.

TunnelBear

TunnelBear announced its second annual security audit back in October (this is the blog post about it). The first audit was noticed and talked about, but somehow it passed the other providers by: no other VPN followed suit last year.

The first audit (November 2016 to June 2017) listed quite a few vulnerabilities of various risk levels. TunnelBear expressed regret and was quick to address them.

Findings from the 2016 tests: 3 critical, 3 high, 13 medium, 8 low, 13 informational.

Findings from the 2017 tests: 1 high, 4 medium, 3 low, 5 informational.

Here you can find the full report of the 2017 audit.

TunnelBear does have an obvious weakness in the eyes of professionals, though. A common rule of thumb is that a trustworthy provider should be located outside the 5/9/14 Eyes jurisdictions, which puts TunnelBear at a disadvantage because Canada is a Five Eyes member. In addition, it was purchased by the US company McAfee at the beginning of this year, which drove many users and even some of its biggest promoters away. Still, loyal users and VPN reviewers respect its honesty and transparency.

To summarize the 2018 audit results: Cure53 does see the improvements TunnelBear is making, but it also found issues that the company had to address: 2 critical, 5 high, 3 medium, 7 low and 5 informational.

Here is the full report of the 2018 audit.

NordVPN

NordVPN is a well-known provider, and with popularity come scandals, competition, tricky questions and tricky situations. This year was quite a challenge for the NordVPN team, with numerous accusations questioning its policies, structure, ethics and connections. They addressed the claims publicly, both on social media and in a blog post (you can read it here), which argued that the claims came from competitors and that the best way to protect their reputation would be an independent third-party audit.

“We understand that these facts alone may not be enough to clear our name. Therefore, we are hiring one of the largest professional service firms in the world to run an independent audit and verify our ‘no logs’ claim.”

Their audit results should already be on the way.

Other VPN providers

Other providers, such as ExpressVPN and AirVPN, say that they perform audits to confirm compliance with their policies and to make sure no issues appear in their services. However, they do not publish the official reports, so you simply have to take their word for the results. Hopefully they will be encouraged to take the next step and publish the actual reports.

OpenVPN audit

A group of security experts from QuarksLab spent the first few months of 2017 reviewing the source code of OpenVPN, the protocol and software used by most, if not all, VPN providers. The audit was funded by the Open Source Technology Improvement Fund (OSTIF).

The issues found were primarily denial-of-service threats. For example, a peer that already holds a VPN session could potentially crash an OpenVPN server after pushing more than 196 GB of data through that single session. The OpenVPN developers quickly addressed all the issues in OpenVPN 2.3.15 (and in 2.4.2 on the 2.4 branch).
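The 196 GB figure is easier to reason about with a small model. The C below is an added example written for this page, not OpenVPN's code, and it rests on two assumptions: that the crash came from a 32-bit per-session packet-id counter which the daemon asserted on when it wrapped, and that a minimal data-channel packet is about 46 bytes, which is what makes 2^32 such packets add up to roughly the quoted 196 GB. The "before" variant models the fatal assertion; the "after" variant drops the packet and forces a key renegotiation so the counter is never reused.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model, added for illustration; not OpenVPN's code.
 * Every data-channel packet carries a 32-bit packet id that must only ever
 * increase (replay protection). Once the counter reaches UINT32_MAX it cannot
 * be incremented; what the endpoint does at that moment is the difference
 * between a crash and a graceful key renegotiation.
 */

#define PACKET_ID_MAX UINT32_MAX

/* Assumption: approximately the smallest data-channel packet a peer can send
 * (opcode, packet id, IV, MAC, padding). 2^32 of these come to ~197 GB,
 * which matches the "196 GB" in the audit summary. */
#define MIN_DATA_PACKET_BYTES 46u

enum pid_result { PID_OK = 0, PID_REPLAY = 1, PID_RENEG = 2, PID_FATAL = 3 };

struct pid_state {
    uint32_t last_id;     /* highest id used during this key's lifetime */
    uint64_t bytes;       /* bytes carried under this key */
    bool     renegotiate; /* set once a fresh key (and counter) is required */
};

/* Bytes a peer must push through one session to exhaust the counter. */
uint64_t bytes_to_rollover(uint32_t first_id, uint32_t min_packet_bytes) {
    uint64_t remaining = (uint64_t)PACKET_ID_MAX - first_id;
    return remaining * min_packet_bytes;
}

/* Same figure in decimal gigabytes, for comparison with the audit's number. */
double gigabytes_to_rollover(void) {
    return (double)bytes_to_rollover(0, MIN_DATA_PACKET_BYTES) / 1e9;
}

/* "Before" model: the wrap is treated as an impossible state. A production
 * daemon would ASSERT() here; the model returns PID_FATAL instead of aborting
 * so the branch can be exercised. Any authenticated peer that keeps one
 * session alive long enough reaches it. */
enum pid_result pid_next_assert(struct pid_state *s, uint32_t pkt_bytes) {
    if (s->last_id == PACKET_ID_MAX) {
        return PID_FATAL;  /* process dies: denial of service */
    }
    s->last_id++;
    s->bytes += pkt_bytes;
    return PID_OK;
}

/* "After" model: the wrap is an expected condition. The packet is dropped,
 * the session is flagged for renegotiation, and no id is ever reused. */
enum pid_result pid_next_safe(struct pid_state *s, uint32_t pkt_bytes) {
    if (s->renegotiate || s->last_id == PACKET_ID_MAX) {
        s->renegotiate = true;
        return PID_RENEG;  /* drop; the new key starts a fresh counter */
    }
    s->last_id++;
    s->bytes += pkt_bytes;
    return PID_OK;
}

/* Drive a session whose counter already sits near the limit (so we do not
 * loop 2^32 times) and report the first non-OK result, if any. */
enum pid_result run_session(enum pid_result (*step)(struct pid_state *, uint32_t),
                            uint32_t start_id, unsigned packets) {
    struct pid_state s = { .last_id = start_id, .bytes = 0, .renegotiate = false };
    enum pid_result r = PID_OK;
    for (unsigned i = 0; i < packets; i++) {
        r = step(&s, MIN_DATA_PACKET_BYTES);
        if (r != PID_OK) break;
    }
    return r;
}

int main(void) {
    printf("bytes through one session before the 32-bit packet id wraps: ~%.0f GB\n",
           gigabytes_to_rollover());
    printf("pre-fix behaviour at rollover:  %d (3 = fatal assert)\n",
           run_session(pid_next_assert, PACKET_ID_MAX - 2, 5));
    printf("post-fix behaviour at rollover: %d (2 = drop and renegotiate)\n",
           run_session(pid_next_safe, PACKET_ID_MAX - 2, 5));
    return 0;
}
```

The lesson generalises beyond this one finding: any fixed-width counter that is shared with an untrusted peer needs a defined, non-fatal behaviour at its limit, and the cheapest way to check for that is a test that starts the counter a few steps from the edge rather than counting up from zero.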

“We have verified that the OpenVPN software is generally well-written with strong adherence to security practices.”

Here is a full report.

These audits aren't an instant cure for an industry that still has issue-ridden providers, or providers that knowingly use their own customers as business fuel. However, they give users a chance to see what is happening behind the nice logos, the polished interfaces and the fine print. With that clarity and understanding, users can make a choice based on proven facts instead of blindly trusting whatever is flashed on the front page of a VPN website.