WireGuard 上 macOS 了...

在「WireGuard for macOS」這邊看到 WireGuard 進到 Apple 家的 Mac App Store 了。

除了是透過 app store 下載外,另外的重點在於整合了 NetworkExtension API

This is built from the same code base as our existing iOS app and makes use of Apple's Network Extension API to provide native integration into the operating system's networking stack.

這樣可以確保相容性,而且可以用內建的 VPN 機制管理。另外也給了一些 screenshot 可以看,可以看出來就是走 Mac 上的管理方式:

Facebook 花錢向使用者購買他們的行為記錄

這則從 Nuzzel 上看到的,國外討論得很凶:「Facebook pays teens to install VPN that spies on them」。

Facebook 付錢給使用者,要他們安裝 VPN (以及 Root CA,看起來是為了聽 HTTPS 內容),然後從上面蒐集資料,這本身就不是什麼好聽的行為了,但更嚴重的問題在於包括了未成年人:

Since 2016, Facebook has been paying users ages 13 to 35 up to $20 per month plus referral fees to sell their privacy by installing the iOS or Android “Facebook Research” app. Facebook even asked users to screenshot their Amazon order history page. The program is administered through beta testing services Applause, BetaBound and uTest to cloak Facebook’s involvement, and is referred to in some documentation as “Project Atlas” — a fitting name for Facebook’s effort to map new trends and rivals around the globe.

這個計畫在 iOS 平台下架了,但 Android 平台看起來還是會繼續:

[Update 11:20pm PT: Facebook now tells TechCrunch it will shut down the iOS version of its Research app in the wake of our report. The rest of this article has been updated to reflect this development.]

Facebook’s Research program will continue to run on Android. We’re still awaiting comment from Apple on whether Facebook officially violated its policy and if it asked Facebook to stop the program. As was the case with Facebook removing Onavo Protect from the App Store last year, Facebook may have been privately told by Apple to voluntarily remove it.


AWS 提供 OpenVPN-based VPN 服務

不知道為什麼在 feed reader 裡面沒注意到這則,後來是在 Facebook 上看到的。

AWS 推出了 OpenVPN-based 的 VPN 服務 AWS VPN:「Introducing AWS Client VPN to Securely Access AWS and On-Premises Resources」。


AWS Client VPN pricing
$0.05 per AWS Client VPN connection hour
$0.10 per AWS Client VPN endpoint association hour

所以服務本身的費用要 $72/month 左右,另外 client 接上去的費用另外算?


AWS Client VPN is available in US East (Virginia), US East (Ohio), US West (Oregon) and EU (Ireland) AWS Regions. Support for other AWS Regions is coming soon.

解 ocserv 因為沒有使用 DTLS 而導致速度很慢的問題...

最近偏好用 ocserv 來跑 VPN。在連上 full-route VPN 後測試發現速度偏慢,發現是沒有走 UDP 的 DTLS,只有 TCP 的 TLS 流量... 找了一下發現用有人遇過了,可以用 workaround 解:「OpenConnect not working with DTLS」。

作者發現是 ocserv.socket 有問題,打算整個抽開。方法是註解掉 /lib/systemd/system/ocserv.service 裡的 Requires=ocserv.socketAlso=ocserv.socket,然後在 systemd 裡一起處理:

sudo systemctl stop ocserv
sudo systemctl disable ocserv.service
sudo systemctl disable ocserv.socket
sudo systemctl daemon-reload
sudo systemctl start ocserv
sudo systemctl enable ocserv

重新連上去後跑 tcpdump 可以看到是 UDP 了,測速也可以看出來快不少...

在 Android 上支援 DNS over HTTPS 的 Intra

IntraAlphabet (Google 母公司) 旗下 Jigsaw 所開發的 app (目前只有 Android 的,依照說明需要 4.0+),透過 VPN 的架構換掉 DNS 設定,透過本機的 DNS Proxy 改走到外部的 DNS over HTTPS 服務上。

走 DNS over HTTPS 可以降低 DNS 被干擾 (security issue) 或是被監控 (privacy issue) 的風險。

在軟體內已經先內建了兩個 DNS over HTTPS 清單,一個是 Google 的 Google Public DNS,另外一個是 Cloudflare1.1.1.1,除此之外也可以自己輸入。

由於是 Alphabet 家的軟體,預設是用 Google 的服務。

軟體本身是 open source 專案 (Apache-2.0),程式碼在 Jigsaw-Code/intra 這邊可以取得。

最近討論頗多的 NordVPN

最近 NordVPN 的隱私問題被拿出來討論的蠻凶的,應該是從「Is NordVPN a Honeypot?」這篇開始的...

作者一開始就有提到並不只有 NordVPN,而是整個 VPN 產業其實都有類似的情況,只是現在可以找到比較多證據可以推測 NordVPN 後面並不單純。

首先是 NordVPN 買了大量評論,後來被發現是假的而被移除,而移除後的分數掉了非常多。再來是 NordVPN 居然花了五十萬美金在 CNN 的廣告上,這對於 VPN 產業的成本來說很不可思議...

另外一個是 NordVPN 的母公司 Tesonet 就是做 data mining 的,「整理」各種資料拿出來賣的...

基本上這類服務只能拿來翻牆用 (翻進日本或是翻進美國),不要認為隱私性有多高... 需要隱私還是得透過其他方式降低風險 (沒辦法完全保護,只能降低)。

蘋果以隱私為由,下掉 Facebook 在 App Store 上的 Onavo App

Onavo 是個提供 VPN 服務的公司,跟一般的 VPN 服務一樣,以隱私為主打,後來在 2013 年被 Facebook 買下,但在今年三月的時候就有媒體有報導 Facebook 打算蒐集 Onavo 上的資料:「Facebook-owned Onavo quietly launches Bolt App Lock, a data-tracking app that locks other apps」,當時 Facebook 不怎麼鳥各家媒體的看法,就放著...

不過直到八月的時候才被 Apple 下架:「Apple removed Facebook’s Onavo from the App Store for gathering app data」,引用 Apple 發言人給 TechCrunch 的句子:

We work hard to protect user privacy and data security throughout the Apple ecosystem. With the latest update to our guidelines, we made it explicitly clear that apps should not collect information about which other apps are installed on a user’s device for the purposes of analytics or advertising/marketing and must make it clear what user data will be collected and how it will be used.


WireGuard 被收進 Linux Kernel 了...

Twitter 上看到 WireGuard 被收進 Linux Kernel 了,等 review 完後就就會正式納入了... 而且 Linus 給的評價還蠻高的:

找了一下起源是「[PATCH v1 3/3] net: WireGuard secure network tunnel」這邊,而 Twitter 上面引用的是「Re: [GIT] Networking」這篇...

Cloudflare 推出 Cloudflare Access,實作 Google 推出的 BeyondCorp

Google 之前發表的 BeyondCorp 採用不同的認證方式,改變企業會假設「內部網路是可信任」的這件事情:「Google 推的 BeyondCorp」,而 Cloudflare 也照著這個概念實作出一套產品,包成服務來賣:「Introducing Cloudflare Access: Like BeyondCorp, But You Don’t Have To Be A Google Employee To Use It」。


Access integrates out of the box with most of the major identity providers like Google, Azure Active Directory and Okta meaning you can quickly connect your existing identity provider to Cloudflare and use the groups and users already created to gate access to your web applications.

也可以走 TLSclient certificate 架構認證:

You can additionally use TLS with Client Authentication and limit connections only to devices with a unique client certificate.

而企業內部的服務剛好可以透過 Cloudflare 之前推出的 Wrap 串上去,不需要用 VPN 打通內部網路 (參考先前寫的「Cloudflare 推出的 Wrap 讓你不用在本地端開對外的 Port 80/443」):

If you want to use Access in front of an internal application but don’t want to open up that application to the whole internet, you can combine Access with Warp. Warp will make Cloudflare your application’s internet connection so you don’t even need a public IP.

費用的部分,第一個使用者免費,後續的使用者費用是 USD$3/month:

Access takes 5-10 minutes to setup and is free to try for up to one user (beyond that it’s $3 per seat per month, and you can contact sales for bulk discounts).

ExpressVPN 在土耳其的 VPN server 被抄...

ExpressVPN 在土耳其的 VPN server 被抄,為了調查大使的刺殺案件:「VPN Server Seized to Investigate Russian Ambassador’s Assassination」。

A VPN server operated by ExpressVPN was seized by Turkish authorities to investigate the assassination of Andrei Karlov, the Russian Ambassador to Turkey. Authorities hoped to find more information on people who removed digital traces of the assassin, but the server in question held no logs.

ExpressVPN 官方的回覆在「ExpressVPN statement on Andrey Karlov investigation」,主要的部份是:

As we stated to Turkish authorities in January 2017, ExpressVPN does not and has never possessed any customer connection logs that would enable us to know which customer was using the specific IPs cited by the investigators. Furthermore, we were unable to see which customers accessed Gmail or Facebook during the time in question, as we do not keep activity logs. We believe that the investigators’ seizure and inspection of the VPN server in question confirmed these points.