Subject: General Tech | March 28, 2018 - 10:59 PM | Tim Verry
Tagged: vpn, socks5, shadowsocks, security, proxy, outline, encryption
Alphabet Inc (parent company of Google), through its Jigsaw subsidiary, recently took the wraps off Outline, a simple-to-set-up proxy based on the popular Shadowsocks project. Aimed at journalists, small companies, and individuals, Outline is an open source project that comes in two parts: a proxy server and client applications that help configure the connection.
While companies can take advantage of an advanced mode to install Outline's server components onto an existing cloud server or an internal private server, most users can opt for the basic setup which is about as simple as it gets. Currently, Outline integrates with Digital Ocean using Digital Ocean's API and after signing in and authorizing Outline to make changes, it automatically spins up the lowest cost droplet and sets everything up. You never need to SSH into the VPS to configure anything. Rather, what little configuration there is (not much!) is done using a GUI Outline Manager application on a client device. The connection between the management application and the server is encrypted using a self-signed SSL certificate.
The proxy server is based on a Shadowbox image that is imported using Docker and is kept up to date using Watchtower (which is also installed on the droplet) which checks every hour for updated images. A cron job is also automatically configured to run and apply security updates for the host Ubuntu operating system and reboot as needed. Finally, a web server for management of it is installed in a secret path and run on a random port and only responds to queries if the secret path is specified and only over SSL.
After watching Darren Kitchen and Shannon Morse over at Hak5 check it out, I decided to also fire it up to see if it really was that easy, and sure enough it is! The entire process is very simple taking only a few minutes (the longest step was finding my phone for the two factor authentications haha) and the management of it at least seems very hands off with the automated updates.
On the security front, Outline is a SOCKS5 proxy that reportedly uses strong encryption with an AEAD 256-bit ChaCha20 IETF Poly1305 cipher which, according to Jigsaw, ticks at least two corners of the CIA triangle (confidentiality and integrity) along with authentication using the secure keys. I think the hardest part about maintaining that security is going to be sharing the access with others, as you would need a secure channel of communication to share the needed information with. While you can generate the key easily enough for them, getting them their key for the client device could prove tricky if you are physically far away from them and do not already have a secure method of messaging (e.g. encrypted email), though for most people sending it through Signal or a similar mobile app or encrypted Skype/Facebook/whatever, while not the greatest plan, is likely to prove secure enough that it balances security and convenience.
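An added example, not part of the original article or Outline's own code: Outline access keys are Shadowsocks `ss://` URIs, and assuming the SIP002 layout (base64url of `method:password`, then `@host:port`), the parser below shows that the key carries the cipher name and the shared secret merely encoded, not encrypted, which is why it has to travel over a secure channel. The sample key, host, port and password are constructed, and the function names are hypothetical.

```python
import base64
from urllib.parse import urlsplit, unquote

# AEAD methods defined for Shadowsocks; the article names chacha20-ietf-poly1305.
AEAD_METHODS = {"chacha20-ietf-poly1305", "aes-256-gcm", "aes-128-gcm"}


def _b64url_decode(text: str) -> bytes:
    """Decode URL-safe base64 that may have had its '=' padding stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def parse_access_key(uri: str) -> dict:
    """Split an ss:// access key into its parts (SIP002 layout assumed)."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "ss" or "@" not in parts.netloc:
        raise ValueError("not a SIP002 ss:// access key")
    userinfo, _, hostport = parts.netloc.rpartition("@")
    decoded = _b64url_decode(unquote(userinfo)).decode()
    method, sep, password = decoded.partition(":")
    if not sep or not password:
        raise ValueError("userinfo does not decode to method:password")
    host, _, port = hostport.rpartition(":")
    return {
        "method": method,
        "password": password,  # the shared secret, recoverable by anyone holding the key
        "host": host.strip("[]"),
        "port": int(port),
        "aead": method in AEAD_METHODS,
    }


def redact(uri: str) -> str:
    """Return a form that is safe to paste into tickets or logs."""
    key = parse_access_key(uri)
    return f"ss://<redacted>@{key['host']}:{key['port']} ({key['method']})"


# Constructed sample key: documentation IP address, made-up password.
_userinfo = base64.urlsafe_b64encode(b"chacha20-ietf-poly1305:not-a-real-secret")
SAMPLE_KEY = f"ss://{_userinfo.decode().rstrip('=')}@203.0.113.10:8388#demo"

if __name__ == "__main__":
    print(parse_access_key(SAMPLE_KEY))
    print(redact(SAMPLE_KEY))
```

Anyone who sees the access key in transit can decode the password the same way, so treat the whole string as a bearer credential and log only the redacted form.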
In November, Outline was audited by Netherlands-based Radically Open Security and you can find the non-profit's report here (PDF).
Things are even simpler on the client side: after adding the server using the access key, all they have to do is hit a single connect button to get things connected for most modern web browsers and other apps that respect the set Windows registry key. Note that for Android and Chrome OS, Outline acts as a system-wide VPN, but for Windows only TCP traffic is secured and not all applications are supported yet. Support for passing UDP traffic through the SOCKS5 proxy and for system-wide VPN tunneling of all traffic is coming soon, but right now the only UDP traffic that is passed through the proxy is DNS, which is encrypted and uses the Outline server's default DNS resolver rather than passing outside of the proxy and using the Windows-configured DNS and/or ISP's DNS.
In my case, after hitting connect, Chrome automatically configured the proxy settings and I was on my way. I did run into a hiccup with getting the Outline-client app, however. I was able to download it from the Outline website using Chrome and it installed fine, but when trying to grab it through the Get Connected option in the Outline Manager app, the download link opened automatically in Microsoft Edge which proceeded to flag the file as malicious and would not let me open it (heh). Hopefully they are able to get the false positive resolved as that may trip up normal users and make it harder to convince them to use your Outline proxy.
So far I have not run into any other problems with it and things are running smoothly. Web pages are finally loading as fast as they should be as well which makes me think the problems of super slow webpage loads were not with my computer but with Comcast messing with me (we are talking some pages taking a minute to load on a 90/10 connection, even simple ones like Google and Gmail).
Outline is not a full VPN, but it is extremely easy to set up and share with others and may well be secure enough for most people. If you want to get a little more geeky, there is always OpenVPN, which you can set up with a simple script, or projects like Algo VPN, or free (as in money) commercial solutions like Pro XPN or the built-in VPN in the Opera web browser. On the positive side, Outline does not store any logs (and since it's your server you can access it and monitor it to be sure) and Jigsaw/Alphabet/Google is up front about what information they do collect, which includes server IP and non-identifiable information following crashes. Users can opt in to sharing anonymous metrics but they do not have to, and the default setting is off, which is good. The downside is that right now it is still fairly new and not as vetted as some of the other options, and while it is open source it is not necessarily free. In its best form, which is the slick setup using the Digital Ocean integration, it is $5 a month, but if you are privacy conscious it may be money well spent, and if you already have an existing server you can also use that, though in that case the ease of configuration edge may not be as great and you may as well run OpenVPN unless you really dig the simple client apps and not having to manually copy and manage keys around to all your devices, possibly in a non-GUI way.
Overall, it is a neat solution and I think it has promise. Hopefully if/when Google abandons it for its next big thing they let the community have at it. As of today, Outline Manager is supported on Windows 7 (or newer) and Linux with Mac OS support coming soon. Outline client apps are available for Windows 7 (or newer), Android, and Chrome OS with Mac OS and iOS apps coming soon. You can find both the Outline Manager and Outline Client at https://getoutline.org. If you do end up checking it out, let me know what you think about it. More screenshots can be found below.
Subject: Networking | November 7, 2017 - 10:00 PM | Jim Tanous
Tagged: wi-fi, vpn, ubiquiti, networking, mesh, Amplifi HD, amplifi
Earlier this year we took a look at the AmpliFi HD Home Wi-Fi System as part of our review of mesh wireless network devices. AmpliFi is the consumer-targeted brand of enterprise-focused Ubiquiti Networks, and while we preferred the eero Mesh Wi-Fi System in our initial look, the AmpliFi HD still offered great performance and some unique features. Today, AmpliFi is introducing a new member of its networking family called AmpliFi Teleport, a "plug-and-play" device that provides a secure connection to users' home networks from anywhere.
Essentially a zero-configuration hardware-based VPN, the Teleport is linked with a user's AmpliFi account, which automatically creates a secure connection to the user's AmpliFi HD Wi-Fi System at home. Users take the small (75.85mm x 43mm x 39mm) Teleport device with them on the road, plug it in and connect it to the public Wi-Fi or Ethernet, and then connect their personal devices to the Teleport.
This provides a secure connection for private Internet traffic, but also allows access to local resources on the home network, including NAS devices, file shares, and home automation products. AmpliFi also touts that this would allow users to view their local streaming content even in locations where it would otherwise be unavailable -- e.g., watching U.S. Netflix shows while overseas, or streaming your favorite sports team while in a city where the game is blacked out.
In addition to traveling, AmpliFi notes that those with multiple homes or a vacation cottage could also benefit from Teleport, as it would allow you to share the same network resources and media streaming access regardless of location. In any case, a device like Teleport is still reliant on the speed and quality of your home and remote Internet connections, so there may be cases where network speeds are so low that it makes the device useless. That, of course, is a factor that would plague any network-dependent service or device, so while it's not a mark against the Teleport, it's something to keep in mind.
Teleport's features, while incredibly useful, are of course familiar to those experienced with VPNs and other secure remote connection methods. In terms of overall functionality, the AmpliFi Teleport isn't offering anything new here. The benefit, therefore, is its simple setup and configuration. Users don't need to set up and run a VPN on their home hardware, subscribe to a third party VPN service, or know anything about encryption protocols, firewall configuration, or network tunneling. They simply need to plug the Teleport into power, follow the connection guide, and that's it -- they're up and running with a secure connection to their home network.
You'll pay for this convenience, however, as the Teleport isn't cheap. It's launching today on Kickstarter with "early bird" pricing of $199, which will get you the Teleport device and the required AmpliFi HD router. A second round of early purchasers will see that price increase to $229, while final pricing is $269. Again, that's just for the Teleport and the router. A kit including two AmpliFi mesh access points is $399. There's no word on standalone pricing for the Teleport device only for those who already have an AmpliFi mesh network at home.
Regardless of the package, once you have the hardware there's no extra cost or subscription fee to use the Teleport, so frequent travelers might find the system worth it when compared to some other subscription-based VPN services.
The AmpliFi Teleport is expected to ship to early purchasers in December. We don't have the hardware in hand yet for performance testing, but AmpliFi has promised to loan us review samples as the product gets closer to shipping. Check out the Teleport Kickstarter page and AmpliFi's website for more information.
Subject: Editorial, General Tech | October 28, 2016 - 12:46 AM | Tim Verry
Tagged: editorial, web browser, vpn, Privacy, Opera, Blink
It has been some time since I last looked at Opera, and while I used to be a big fan of the alternative web browser my interest waned around the time that they abandoned their own engine to become (what I felt) yet another Chrome (Webkit) clone. Specifically, it looks like the last version I tested out was 12.10. Well, last month Opera released version 40 with just enough of a twist to pique my interest once again: the inclusion of a free built-in VPN.
I (finally) got around to testing out the new browser today, and it works fairly well. While setting the default to share usage data is not ideal, offering to enable the ad blocker after installation is a good touch. The VPN feature is a bit more tucked away than I would like but still accessible enough from the settings menu. Further, once it is enabled, it is easy to turn it off and on using the icon in the search/address bar.
According to Opera, the built-in VPN (virtual private network) comes courtesy of SurfEasy – a company that Opera acquired last year. SurfEasy uses OpenVPN and 256-bit encryption and also lauds itself on being a no-log VPN (they do not maintain logs tracking users' usage). Opera is not currently imposing any restrictions on the free VPN built into Opera, with bandwidth and data usage not being capped. Not bad for a free offering! For comparison, I've used the free version of ProXPN on occasion (public Wi-Fi mostly), and while the VPN is for the entire PC (not just the browser like in Opera's case) they heavily throttle the download speeds to entice you to pay (heh).
In a quick test, I got the following results:
|Ping (ms)||Download (Mbps)||Upload (Mbps)|
Considering the exit point was much further away (SpeedTest chose a Kansas test server, and it looks like the VPN server may have been in Houston, TX), the performance was not bad. Download and Upload speeds were only slightly slower, but (as expected) the ping was much higher.
Opera offers five locations for its free VPN: Canada, Germany, Netherlands, Singapore, and the United States.
Users can enable the VPN by browsing to opera://settings and clicking on Privacy & Security in the left hand list then checking the box next to "Enable VPN."
On another note, the included ad blocker seemed to work well (it apparently has already blocked 86 ads even though I only hit up a couple sites!). My only complaint here is that it does not make it as easy as AdBlock Plus to block/unblock specific elements (or if there is a way it's not intuitive). It is only a minor complaint though, and not really relevant for the majority of users.
I am by no means a browser benchmarker, but it feels fast enough when switching between tabs and loading websites. Fortunately, Michael Muchmore and Max Eddy put Opera through its paces and compiled the benchmark results from several synthetic tests if you are into the nitty-gritty numbers. From their data it appears that Opera is not the fastest, but by no means a slouch. The one test it fell hard on was the Unity WebGL benchmark, though it was not the only browser to do so (Opera, Chrome, and Vivaldi were all close with Firefox and Edge getting the top scores).
Other features of Opera 40 (41 in my case) include a personalized newsfeed that can be fed with any user-supplied RSS feeds, a new battery saver mode, hardware accelerated pop-out videos, Chromecast support, and a number of under the hood performance and memory optimizations (especially with more than 10 tabs open).
I am going to keep it installed and may switch back to using Opera as my daily browser. It looks like it has come a long way since Opera 12 and while it is similar to Chrome under the hood, Opera is doing enough to set itself apart that it may be worth looking into further.
What are your thoughts on Opera 41?
Subject: General Tech | June 11, 2015 - 01:18 PM | Jeremy Hellstrom
Tagged: security, vpn, hola, fud
If you are using the free VPN service from Hola you really need to find a different solution. Not only has it been plagued with security vulnerabilities, some of which they have addressed and some of which even they admit still exist, you will also unwittingly be providing exit nodes and bandwidth for anonymous surfers. To add insult to injury, those users pay $20/GB to Hola for use of your bandwidth and you will never see a penny of that. Hola's ILuminati service allows you to surf the net anonymously by directing their traffic over anyone using the free VPN, or as they refer to it an unblocking service, so not only is your bandwidth being used, you have no idea what traffic is actually exiting through your VPN.
That is pretty much the exact opposite of a private network and depending on what is being done and how well the traffic is monitored you could well find yourself embroiled in an investigation you had no idea you were opening yourself up to. Check out more on this story at The Register.
"Embattled "free" VPN provider Hola is facing criticism over its practice of turning its users into exit nodes in a paid-for anonymisation service which can easily be used for nefarious activities. Hola's software is also claimed to include "unpatchable" vulnerabilities allowing takeover of user machines."
Here is some more Tech News from around the web:
- Microsoft to Linux users: Explain yourself @ The Register
- A 16 Petaflop Cray: The key to fantastic summer barbecues @ The Register
- Mozilla to pay $10,000+ for 'novel' exploits in Firefox bug bounty overhaul @ The Inquirer