I've been checking everyday if https://github.com/vpdotnet has started to publish any code so that the "verify" part of their claims can be... well verified. Still nothing there.
eGQjxkKF6fif · 6d ago
Trying it out, so far so good. Worked on my mangled Linux install.
I have and have been using Proton VPN which the free version. If you use it for bittorrent, even to download a Linux ISO which is what I did, will straight up DNS hijack you and feed you a web page instead of the web page you're looking at to scream at you that BitTorrent is only allowed if you're a paying subscriber.
So.. that means they can just access and re-route your traffic however they want and make you see whatever they want.
Fascinating use for SGX Enclave tech, I see in the client debug logs show API hits that do the verification. I'm on an intel i3 with gigabit connection and am pulling 800mbps up/down.
ZBalas · 6d ago
Not that this makes it more safe... But I've been using VPNET for a month and it works well. Midwest. West Coast. Even in Mexico.
phillipseamore · 6d ago
Obscura.net seems to have a simpler and more secure solution than this
rasengan · 6d ago
Obscura looks like it's a double hop system which lacks verification and is based on trust. All it takes is collusion of 2 persons to break this "security" model.
Trust, a non constant, has no place in a security architecture.
Don't trust, verify.
phillipseamore · 6d ago
It seems I have to place the same trust in vp.net, a green check mark in the client is still just a promise of verification to (most) users and under control of the same entity. I finally found links on vp.net to source but it has no public repos https://github.com/vpdotnet.
eGQjxkKF6fif · 6d ago
Check the client debug logs mine has the verification for the enclaves in it although I'm on an intel i3 but that makes sense for Intel's remote attestation that its verifying the enclave's unique hash and showing the MRENCLAVE hexes of the expected result.
phillipseamore · 5d ago
But without the source being available you still need to trust vp.net to be providing the correct hash to compare to, right?
eGQjxkKF6fif · 5d ago
Intel's remote attestation verifies that, with the hash you can use Intel's remote API which is what the client is doing, Intel gets the hash the server sends, verifies it using their encrypted key set and then tells the client that it's valid and verified. Not all processors have SGX capability to verify the hash. Intel provides tools to do the manual verification if you utilize SGX
So you can verify locally and Intel's API also does the verification.
When an SGX Encalve is created, the private key to it goes within it, it can't be accessed. That's the security.
It's a good read if you look in to the tech on Intel's website.
phillipseamore · 5d ago
It verifies that something is running in the enclave. Without the source you can't hash it yourself (don't need an SGX capable system for that, just the SDK) to verify that it's the actual code running.
Have no idea since there isn't any code available for review. Technically what's running in SGX could just be what's enough for it to attest to it's existence [sidenote: how can I be sure this is even the SGX handling my connection and not just any SGX?]. I really like this idea but even if the code was available most users are still just trusting vp.net (won't be doing their own verification [and doing it everytime the hash has changed] but trusting vp.net's own claims in their own client, it's similar to the criticism of many E2EE messaging solutions, everything might be fine over the wire but I'm trusting their client not to collect or transmit anything before encryption or after decryption). If I could build my own client and lock it down to a hash of published SGX code then I'd be happier, or perhaps if an external party would handle the verification. Looking forward to explore this better when any code is made available.
GhostGhillie · 6d ago
Nice breakdown. Less trust the better. Seems obvious
I have and have been using Proton VPN which the free version. If you use it for bittorrent, even to download a Linux ISO which is what I did, will straight up DNS hijack you and feed you a web page instead of the web page you're looking at to scream at you that BitTorrent is only allowed if you're a paying subscriber.
So.. that means they can just access and re-route your traffic however they want and make you see whatever they want.
Fascinating use for SGX Enclave tech, I see in the client debug logs show API hits that do the verification. I'm on an intel i3 with gigabit connection and am pulling 800mbps up/down.
Trust, a non constant, has no place in a security architecture.
Don't trust, verify.
https://www.intel.com/content/www/us/en/developer/tools/soft...
So you can verify locally and Intel's API also does the verification.
When an SGX Encalve is created, the private key to it goes within it, it can't be accessed. That's the security.
It's a good read if you look in to the tech on Intel's website.