Alongside Google’s new plan to help publishers gain paid subscribers and fight fake news, its parent company Alphabet has launched a new virtual private network (VPN) to make it safer for journalists to research stories and communicate with sources.
The VPN, dubbed Outline, comes from Alphabet’s do-good tech incubator Jigsaw, and joins other security-related initiatives such as its Project Shield DDoS protection service, a Chrome password theft alert, and several free-speech initiatives.
Outline promises to solve the double-edged sword of VPN services. There are loads of free VPN services, which in theory can protect sensitive information when using a public Wi-Fi network.
However, as ZDNet’s David Gewirtz has pointed out, you probably shouldn’t entrust these with digging an encrypted tunnel between your computer and another machine.
An alternative option is to pay around $120 a year for a VPN service, but again this requires trusting the provider and weighing up the jurisdiction it operates in.
Outline offers journalists a cheaper way to set up their own VPN server on any cloud provider or on their own hardware, cutting out the need to trust a third party.
“Outline gives you control over your privacy by letting you operate your own server. And Outline never logs your web traffic,” Jigsaw product manager Santiago Andrigo wrote.
“We made it possible to set up Outline on any cloud provider or on your own infrastructure so you can fully own and operate your own VPN and don’t have to trust a VPN operator with your data.”
Jigsaw says the DIY VPN service can be set up with any cloud provider for a cost of around $5 a month and protects internet traffic with AEAD 256-bit cipher encryption, which makes the traffic harder for deep-packet-inspection tools to block.
As Jigsaw highlights in an FAQ, the service is aimed at organizations that need a VPN for staff. The cost per user in an organization with 100 users who need bandwidth usage of 500GB per month works out to be around five cents per user per month.
The other thing Jigsaw has focused on is making it simple to set up the VPN service, which it says can be done within minutes and doesn’t require deep technical skills.
The VPN is based on an open-source proxy tool developed by the maker of Shadowsocks, according to Outline. However, CEO of Trail of Bits Dan Guido says Outline is a clone of his own self-hosted VPN, AlgoVPN.
Jigsaw says it submitted Outline to a third-party code audit by the Netherlands-based non-profit penetration-testing organization Radically Open Security (ROS).
ROS CEO Dr Melanie Rieback wrote that she “feels comfortable to recommend Outline to users intending to dig encrypted tunnels between supported clients and managed server instances”, though cautioned that users who are at risk from targeted attacks should check the safety of dependencies in the Outline client apps.
Jigsaw has released Outline client apps for Android and Windows and is planning to release one for macOS soon.
Interestingly, Outline’s FAQ notes that the cloud provider DigitalOcean is the easiest option to set up the VPN on. The project also says that Outline doesn’t work as a full system VPN on Windows yet, but that support will be provided soon.
Jigsaw’s Andrigo noted that Outline is still an early-stage product and broader platform support is coming soon.