TunnelBear Publishes Security Audit

  • Report PDF: https://cure53.de/summary-report_tunnelbear.pdf

    The test looks good, down from 3 criticals and 3 high to just 1 high. I'd be interested if they could expand on the 4 medium findings found. It's not the full report.

  • Some time ago, I decompiled the Windows client and presented my findings here: https://hackernoon.com/poking-the-bear-is-tunnelbears-client...

  • Can official binaries be independently reproduced from published sources by members of the public?

    If no, then an audit has little to no value as it still implies trusting the vendor not to fudge the binaries or, more broadly, be malicious.

  • TunnelBear is a great product, one which I've been using for a few years, and I trust them with my business. I wish services like Netflix didn't blacklist their IPs, but it's easy enough to get content off alternative sites when I'm traveling outside the US.

    Thanks for the good work!

  • The claims of transparency would be a bit more meaningful if they simply published their source code. It is hard to imagine anything too precious to disclose in the code.

    Instead, what we have is a PDF (4 pages long) with the title "TunnelBear Security Assessment Summary 07.2017" and an equally long web page claiming how awesome and transparent this is.

  • Never trust a 3rd party VPN for anything sensitive ever, period. Words of assurance and "security audits" are completely meaningless. HTTPS interception and forwarding is a trivial thing to do. For the public who are unable to set up their own VPN, they will have to accept that everything they do is being monitored by a random internet company rather than their ISP now.

    There can be some use for these services if you are very careful with everything you do while connected. But the risk of transmitting usernames, emails, passwords, and CC numbers accidentally while still connected is too great IMO.

  • Tunnelbear is a dead-simple VPN (like, "so easy Mom can do it" simple) and their branding is killer. Who doesn't love cuddly privacy bears?

  • GetCloak has also done a 3rd party audit, and is planning their next one: https://support.getcloak.com/faq/technology/#have-you-had-an...

  • Great, what happens to the release iterations between now and when the next test is going to be conducted? Show me the build logs, what changes, etc.

  • Is there some way to be notified of a TunnelBear ownership change? For example, if Facebook buys them, how would we know?

  • OFFTOPIC: Does anyone know whether TunnelBear will be available for Linux (or at least Firefox) one day?

  • Ironic, I can't even enter the TunnelBear website in my country (Turkey). :/