Interesting to note that you've hosted your beta clients on Kim Dotcom's Mega service. This is the first time I'm coming across a legit & popular service hosting its public client files on Mega.
I love PIA but I was too afraid to use it at Black Hat / DEFCON this year. If you use L2TP (required for iOS, handy for OS X because there is a native client) there is no certificate to prevent a MITM. Is there any way to address this? Can you use a certificate instead of a pre-shared key?
nitpick: There is a native OpenVPN client for iOS in the App Store. I don't know how they managed it, but it's plugging into the native iOS VPN functionality and it works perfectly well.
To my knowledge, there are 7 companies including OpenVPN who have been granted access to private VPN APIs. I personally use the OpenVPN iOS client for "always-on" phone VPN.
We'll use standard DHE if the user selects an RSA cert (2048, 3072, or 4096). And we'll use ECDHE if the user selects an Elliptic Curve cert. We'll also be displaying a disclaimer about the potential issues with ECC (certain experts believe TLS curves may be compromised/weakened) if the user selects that.
For OpenVPN - which is the only protocol we advise for real security (PPTP and IPSec/L2TP are fine for just hiding your IP) - we don't use pre-shared keys. OpenVPN uses TLS for exchanging strong symmetric keys. Your password is only used for authentication and its entropy isn't related to your session's security.
PPTP is well documented as being broken at this point but I have not seen any equivalent for IPSec/L2TP. Please quote sources as I would be interested in researching further as well as the rationale for OpenVPN being the only "real" security.
Uh, no. We aren't subsidized by the NSA or any part of any government or any organization or person for that matter. We bootstrapped Private Internet Access with $500 and a lot of caffeine and have been profitable since our second month in operation.
We believe what the NSA is referring to when talking about "VPN startups" is the initial stages of PPTP sessions. PPTP has been crackable for a while, check out moxie's cloudcracker.com. We believe it highly unlikely that they have broken OpenVPN (which is what our application uses) or SSL.
Looks like app.net isn't perfect either. Their HSTS isn't implemented correctly. Only 'alpha.app.net' and 'join.app.net' are protected while 'app.net' is not. They fell into one of the common pitfalls with their http->https redirects: http://coderrr.wordpress.com/2010/12/27/canonical-redirect-p...
You can verify this at: chrome://net-internals/#hsts
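The redirect pitfall described in the comment above can be checked mechanically: a browser only records an HSTS policy when the header arrives over HTTPS, and a policy on `alpha.app.net` never covers its parent `app.net`. The following is an added example (not code from the commenter or from app.net) that walks a constructed redirect chain and reports which hosts end up pinned; the response tables are hypothetical and modelled on the pitfall, with a second table showing the usual fix of redirecting to the same host over HTTPS and sending the header there before the canonical redirect.

```python
from urllib.parse import urlsplit

# Constructed responses modelling the pitfall (hypothetical, not captured from
# any real site): the apex redirects straight to a subdomain that serves HSTS,
# so the apex host itself never sets a policy.
PITFALL = {
    "http://app.net/": (301, {"Location": "https://alpha.app.net/"}),
    "https://alpha.app.net/": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}

# Constructed fix: redirect to the same host over https first and send HSTS on
# that response, then do the canonical redirect to the subdomain.
FIXED = {
    "http://app.net/": (301, {"Location": "https://app.net/"}),
    "https://app.net/": (301, {"Location": "https://alpha.app.net/",
                               "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "https://alpha.app.net/": (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value. Returns None when there is no
    numeric max-age, because browsers ignore such a header."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {"max_age": int(max_age), "include_subdomains": "includesubdomains" in directives}


def follow(start_url, responses, limit=10):
    """Walk the redirect chain. An HSTS policy is recorded only when it arrived
    on an https response, which is the only case a browser honours."""
    chain, url, seen = [], start_url, set()
    while url and url not in seen and len(chain) < limit:
        seen.add(url)
        status, headers = responses.get(url, (None, {}))
        hsts = None
        if urlsplit(url).scheme == "https" and "Strict-Transport-Security" in headers:
            hsts = parse_hsts(headers["Strict-Transport-Security"])
        chain.append((url, status, hsts))
        url = headers.get("Location")
    return chain


def protected_hosts(chain):
    """Hosts pinned after the chain, mapped to whether subdomains are covered."""
    return {urlsplit(u).hostname: h["include_subdomains"]
            for u, _, h in chain if h and h["max_age"] > 0}


def is_protected(host, pinned):
    """Exact match, or a parent entry with includeSubDomains. A policy on
    alpha.app.net never covers its parent app.net."""
    for pinned_host, subs in pinned.items():
        if host == pinned_host or (subs and host.endswith("." + pinned_host)):
            return True
    return False


def audit(start_url, responses):
    """Report whether the host the user typed is pinned after following the chain."""
    chain = follow(start_url, responses)
    pinned = protected_hosts(chain)
    host = urlsplit(start_url).hostname
    return {"host": host, "pinned": pinned, "protected": is_protected(host, pinned)}


if __name__ == "__main__":
    for name, table in (("pitfall", PITFALL), ("fixed", FIXED)):
        print(name, audit("http://app.net/", table))
```

With the pitfall table the apex is reported unprotected even though `alpha.app.net` sends `includeSubDomains`, which is exactly the situation visible in chrome://net-internals/#hsts; with the fixed table the same start URL leaves both hosts pinned.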
Has anyone else not been receiving 'charge.succeeded' events on their Stripe webhooks? We have been receiving all events except that one, even when all charges are succeeding as verified through the management panel. This is a big problem as that is the event that's used to actually process a payment and create a new account.
The problem seems to have been going on for around 8 hours now.
We've received no reply from their support in 4 hours.
Anyone have any ideas how to get in contact with them at this time?
You're correct, HTTP connections over Flash will use HTTP proxy settings. The problem is many sites don't stream over HTTP; they use some custom streaming protocol using raw Flash sockets, and these do not respect SOCKS proxy settings.
I just remembered it's not actually custom protocols with raw sockets that are common and don't respect SOCKS settings but rather Flash's RTMP protocol.