Proton Technologies released ProtonVPN source code

Proton Technologies recently announced that it has opened the source code of the ProtonVPN client applications for Windows, macOS, Android, and iOS (the Linux command-line client was already open). The code is published under the GPLv3 license. At the same time, the company published the reports of an independent audit of these applications; the auditors found no issues that could lead to decryption of VPN traffic or to privilege escalation.

For those unfamiliar with it, ProtonVPN is a virtual private network (VPN) service operated by the Swiss company Proton Technologies AG, the company behind the ProtonMail email service.

ProtonVPN uses OpenVPN (UDP/TCP) and the IKEv2 protocol with AES-256 encryption. The company has a strict no-logging policy for user connection data, and the clients also prevent DNS and WebRTC leaks from exposing users' real IP addresses.

ProtonVPN also includes Tor access support and a kill switch that blocks Internet access if the VPN connection drops.

Proton Technologies was founded by several researchers from CERN (the European Organization for Nuclear Research) and is registered in Switzerland, whose strict privacy-protection legislation restricts the ability of intelligence agencies to monitor user data.

The ProtonVPN project provides a high level of protection for the communication channel (traffic is encrypted with AES-256, key exchange relies on 2048-bit RSA keys, HMAC with SHA-256 is used for message authentication, and there is protection against attacks based on traffic-flow correlation), keeps no logs, and focuses not on making a profit but on improving safety and privacy on the web (the project is financed by the FONGIT fund, supported by the European Commission).

ProtonVPN goes open source

The ProtonVPN code has been opened as part of an initiative to ensure project transparency, so that independent experts can verify that the code matches the published specifications and check the correctness of the security audit.

"We are happy to be the first VPN provider to open source apps on all platforms (Windows, macOS, Android, and iOS) and undergo an independent security audit. Transparency, ethics, and security are at the core of the internet we want to build and the reason we created ProtonVPN in the first place."

As part of a collaboration with Mozilla, which is developing a paid VPN service, Mozilla engineers also have access to other ProtonVPN components for auditing. The company notes that the next step will be to move its other applications to open source as well.

Among previous incidents involving ProtonVPN, a vulnerability in the Windows application allowed a local user to elevate privileges to administrator; it was caused by incorrect interaction between the unprivileged GUI client and the privileged system service.

The audit of the Windows application, completed a few days ago, revealed four vulnerabilities (two of medium severity and two minor): session tokens and credentials kept in process memory, predefined VPN server keys in the configuration file (not used for authentication), inclusion of debugging information, and a local service accepting connections on all network interfaces rather than only on the loopback interface.

No vulnerabilities were found in the macOS version. In the iOS version, two minor issues were found: SSL certificate pinning is not used, and the app is not prevented from running on jailbroken devices.

Four minor issues were found in the Android version (debug messages enabled, backups via the ADB utility not disabled, settings encrypted with a predefined key, and no SSL certificate pinning), plus one medium-severity vulnerability: an incomplete logout that allows a session token to be reused after the user has logged out.
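The "incomplete logout" finding above is a general pattern worth seeing in code: if logout only discards the client's copy of a bearer token, the server keeps honouring that token until it expires, so anyone who captured it beforehand (from process memory, a log, or a backup) can keep using the session. The following Python example was added to this article to illustrate that pattern and its fix; it is not ProtonVPN code, and the server design, user table, token format, and lifetimes are all assumptions made for the demonstration.

```python
"""Incomplete logout versus server-side token revocation.

Illustrative example added to this article, not ProtonVPN code. The session
server, the user table and the token lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
import time

# Constructed user table for the example: username -> (salt, PBKDF2 digest).
_SALT = b"example-salt-not-for-production"
USERS = {
    "alice": (_SALT, hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)),
}


class SessionServer:
    """Server side of an assumed bearer-token session scheme."""

    def __init__(self, ttl_seconds=3600):
        self._sessions = {}  # token -> (username, expiry timestamp)
        self.ttl = ttl_seconds

    def login(self, username, password):
        """Return a fresh random token, or None if the credentials are wrong."""
        record = USERS.get(username)
        if record is None:
            return None
        salt, expected = record
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(digest, expected):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, time.time() + self.ttl)
        return token

    def validate(self, token):
        """Return the username bound to a live token, else None."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expiry = entry
        if time.time() >= expiry:
            del self._sessions[token]  # expired: drop it
            return None
        return username

    def revoke(self, token):
        """Server-side logout: the token is dead from this point on."""
        self._sessions.pop(token, None)


class Client:
    """A client that keeps its bearer token in memory (assumed design)."""

    def __init__(self, server):
        self.server = server
        self.token = None

    def login(self, username, password):
        self.token = self.server.login(username, password)
        return self.token is not None

    def logout_incomplete(self):
        # Vulnerable pattern: only the local copy is discarded. The server
        # was never told, so the token stays valid until it expires.
        self.token = None

    def logout(self):
        # Hardened pattern: ask the server to revoke the token, then forget it.
        if self.token is not None:
            self.server.revoke(self.token)
        self.token = None


def demo(complete_logout):
    """Simulate an attacker who copied the token before the user logged out.

    Returns the username the server still accepts for the copied token
    afterwards ("alice" for the vulnerable flow), or None once revoked.
    """
    server = SessionServer()
    client = Client(server)
    if not client.login("alice", "correct horse"):
        raise RuntimeError("login unexpectedly failed")
    captured = client.token          # attacker copies the token here
    if complete_logout:
        client.logout()
    else:
        client.logout_incomplete()
    return server.validate(captured)


if __name__ == "__main__":
    print("after incomplete logout, token still maps to:", demo(False))
    print("after server-side revocation, token maps to:", demo(True))
```

The check an auditor performs for this class of issue is exactly what `demo` does: capture the token, log out through the app, and replay the token against the API. A correct implementation must reject the replay regardless of the token's remaining lifetime.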

Source: https://protonvpn.com
