VPN Privacy Test: 7 Popular Providers Reviewed

Bear Services: Testing 7 Popular VPN Providers for Privacy

These days, VPNs are essential: anonymity, security, and the ability to bypass regional restrictions and blocks attract not only tech-savvy users but also everyday people. Of course, most users won’t set up and configure OpenVPN on their own server—they’ll choose a provider’s service. But what options are available, and can VPN providers be trusted? Let’s take a look at the most well-known ones and check them out.

Criteria for Evaluation

First, let’s define the criteria we’ll use:

  • Valid TLS certificates on the provider's domains. If a certificate is expired, misissued, or not properly validated, a man-in-the-middle (MITM) can intercept the login page and the client download.
  • No traps in the license agreement. A provider that truly values user privacy shouldn’t force you to agree to anything questionable.
  • Support for strong encryption and modern protocols. In some countries the standard connection types, such as PPTP, L2TP/IPsec with IKEv1 and plain OpenVPN over UDP, are reliably blocked by DPI equipment, so a reputable provider should offer a way around those blocks. As for encryption, PPTP with MS-CHAPv2 was broken in 2012: the handshake was shown to reduce to a single 56-bit DES key, which can be searched exhaustively, and the recovered hash also unlocks the MPPE session keys. Since then anyone has been able to decrypt captured PPTP traffic for just $17.

CyberGhost VPN

CyberGhost VPN is a German-Romanian service operating since 2007, a long run for this industry. It offers three connection types: L2TP, OpenVPN, and IPsec.

There are no built-in ways to bypass blocks, apart from running OpenVPN over TCP on port 443. That does not help against DPI: the OpenVPN handshake has its own recognizable packet structure, so DPI equipment identifies it regardless of the port. The site's TLS certificate is issued by Comodo and valid until 02/23/2019.

Two years ago, CyberGhost was at the center of a scandal: one client update installed a root CA certificate on users' machines. Why is this bad? When you connect over HTTPS, your data is protected by TLS, and the server's identity is confirmed by a certificate that chains to a CA the operating system trusts; the browser checks that chain against the OS trust store. CyberGhost's update added its own CA to that store, so whoever holds that CA's private key can issue a valid-looking certificate for any site and intercept the traffic without the browser raising a warning. That is exactly the setup for a man-in-the-middle attack.

The company quickly published a rebuttal, but another issue surfaced: the Windows client logs system data such as the GPU name, CPU model, and user name. This does their reputation no good.

Their Privacy Policy is also questionable. The knowledge base claims no logs are kept, but the policy itself mentions IP anonymization and some data collection, which contradicts the public statements.

NordVPN

NordVPN is a rapidly growing service registered in Lithuania, operating since 2013. Their website once claimed a Cisco CCNP certification, but this information was later removed without explanation.

The Privacy Policy is inconsistent: one section says no logs are kept, while another allows the service to store a limited amount (how much?) of personal data for up to two years.

NordVPN claims 5,178 servers in 62 countries and supports OpenVPN, L2TP, and IPsec. A welcome bonus is DPI bypass by wrapping OpenVPN in stunnel.

However, the Cisco certification story and a vague license agreement that allows data collection (without specifying what data) are red flags. Additionally, independent research by Reddit users suggests NordVPN is owned by the data mining company TesoNet, which may explain the massive advertising budget: $497,000 spent on ads in February 2018 alone, according to adweek.com.

There’s also evidence that NordVPN staff manipulated ratings with fake reviews on trustpilot.com, confirmed by the site’s administration.

Private Internet Access

Private Internet Access (PIA) is well-known among international pentesters. It stands out for detailed encryption settings (port, encryption type, key), built-in DPI bypass, its own SOCKS5 proxy, and SSH tunnel. Impressive, but there are concerns.

First, web.archive.org has no record of the service’s history or old site versions—likely at the request of the administration, which is suspicious.

PIA is based in the USA and owned by a pseudo-conglomerate with interests ranging from VPNs to boutiques. PIA offers a 4096-bit RSA handshake and can bypass DPI, but a US jurisdiction means that whatever data the service does hold can be compelled by the authorities on request.

The parent company, London Trust Media, appointed Mark Karpelès (former CEO of Mt. Gox, the exchange that collapsed after a massive theft of bitcoin) as its CTO, which does not inspire confidence.

HideME VPN

HideME is the most well-known VPN on the Russian-speaking internet, operating since 2007. The only credential is a numeric access code, and working codes are easily found on forums via a Google search.

One of its connection types is PPTP, which is insecure. In 2016, HideME disabled its anonymizer for Russian users at the request of the Russian authorities. The privacy policy is also a concern: registration may have been dropped, but the access codes are stored unhashed and can be brute-forced in about three days. The way the service handled the Russian government's request is troubling as well. Avoid it for anything sensitive.

Hide My Ass! VPN

Hide My Ass! is one of the world’s most famous providers, owned by Avast. It’s been around as an anonymizer since 2005, with VPN functionality added in 2009. Its main feature is a huge number of exit countries, but that’s where the positives end.

In 2011, Hide My Ass! handed over connection logs on LulzSec member Cody Andrew Kretsinger to US authorities under a court order, and even published a long post justifying the decision. They argued that the handover was justified in that case, but the same mechanism works just as well against a journalist or activist in a repressive country. The takeaway: Hide My Ass! will hand over your data if asked, which makes it unsuitable for serious privacy needs.

PureVPN

PureVPN, launched in 2008–2009, supports the standard protocols: OpenVPN, L2TP, and IPsec. It became infamous for handing over logs to the FBI in the 2017 case of cyberstalker Ryan Lin. Regardless of your opinion on that case, the fact remains: logs are kept.

VyprVPN

VyprVPN has been active since 2010 and is registered in Switzerland. It supports OpenVPN (AES-256), IPsec, and L2TP. For DPI bypass it offers its proprietary "Chameleon" mode, which scrambles OpenVPN packet metadata so that the handshake is not recognized.

Their privacy policy states that your real IP address is stored for thirty days—enough said.

Conclusion

None of the popular VPN services reviewed here passed even a basic privacy check, and that is without a proper technical audit. Personally, I don't trust these providers. If you care about anonymity and privacy, study the documentation and set up your own OpenVPN server; bear in mind that a server rented in your own name protects you from the local network and ISP, not from whoever can ask the hosting company who rents it. For DPI bypass you can add stunnel yourself; there are detailed guides available.
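As an added example, not the article's own setup and not taken from any provider reviewed above, here is the minimal stunnel-plus-OpenVPN arrangement the conclusion points at, which also answers the DPI criterion from the evaluation list: OpenVPN runs over TCP on loopback, and stunnel carries it inside an ordinary TLS session on port 443. The server name vpn.example.org, the address 203.0.113.10, the output directory and the certificate paths are assumed placeholders. The script writes the four config files and checks the settings that most often go wrong.

```shell
#!/bin/sh
# Added example (not from the article): OpenVPN over TCP wrapped in a TLS
# tunnel by stunnel, so that on the wire DPI sees TLS to port 443 instead of
# the OpenVPN handshake. Host name, IP and file paths are assumed placeholders.
set -eu

SERVER_HOST="vpn.example.org"          # assumed: your server's DNS name
SERVER_IP="203.0.113.10"               # assumed: its public IP (TEST-NET-3)
OUT="${OUT:-./vpn-stunnel-example}"    # directory the configs are written to

write_configs() {
  mkdir -p "$OUT/server" "$OUT/client"

  # Server: OpenVPN listens on loopback only; stunnel owns the public port.
  cat > "$OUT/server/openvpn-server.conf" <<'EOF'
proto tcp-server
local 127.0.0.1
port 1194
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
tls-auth ta.key 0
cipher AES-256-GCM
auth SHA256
keepalive 10 60
persist-key
persist-tun
EOF

  # Server: stunnel terminates TLS on 443 and hands plaintext to OpenVPN.
  cat > "$OUT/server/stunnel.conf" <<'EOF'
cert = /etc/stunnel/stunnel.pem
[openvpn]
accept  = 0.0.0.0:443
connect = 127.0.0.1:1194
EOF

  # Client: stunnel listens locally and opens the TLS session to the server,
  # verifying the server certificate so the outer tunnel cannot be MITMed.
  cat > "$OUT/client/stunnel.conf" <<EOF
client = yes
[openvpn]
accept  = 127.0.0.1:1194
connect = ${SERVER_HOST}:443
verifyChain = yes
CAfile  = /etc/ssl/certs/ca-certificates.crt
checkHost = ${SERVER_HOST}
EOF

  # Client: OpenVPN connects to the local stunnel, not to the server.
  # The host route keeps the stunnel TCP session out of the tunnel after
  # redirect-gateway; OpenVPN itself would only pin a route to 127.0.0.1.
  cat > "$OUT/client/openvpn-client.conf" <<EOF
client
proto tcp-client
remote 127.0.0.1 1194
nobind
dev tun
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
tls-auth ta.key 1
cipher AES-256-GCM
auth SHA256
route ${SERVER_IP} 255.255.255.255 net_gateway
redirect-gateway def1
persist-key
persist-tun
EOF
}

# Sanity check: OpenVPN must run over TCP (stunnel cannot carry UDP), the
# client must never point OpenVPN at the public port, the server must not
# expose OpenVPN directly, and the client must verify the stunnel peer.
check_configs() {
  grep -q '^proto tcp-client$' "$OUT/client/openvpn-client.conf" &&
  grep -q '^remote 127.0.0.1 1194$' "$OUT/client/openvpn-client.conf" &&
  grep -q '^local 127.0.0.1$' "$OUT/server/openvpn-server.conf" &&
  grep -q '^accept  = 0.0.0.0:443$' "$OUT/server/stunnel.conf" &&
  grep -q '^checkHost = ' "$OUT/client/stunnel.conf"
}

write_configs
check_configs
echo "configs written to $OUT"
```

Run it on a machine with stunnel and OpenVPN installed, generate the OpenVPN PKI (ca.crt, the server and client certificates, ta.key) and a publicly trusted certificate for stunnel, then start stunnel on both ends before OpenVPN. Two caveats a practitioner should keep in mind: `checkHost` and `verifyChain` are what stop a DPI box from simply terminating the outer TLS itself, so do not drop them; and stunnel hides the OpenVPN handshake, not the existence of a long-lived encrypted session, so TLS-inside-TLS traffic can still be singled out by traffic analysis even when the handshake itself passes.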
