What makes your VPN verifiable? Can I verify you run specific OSS on your servers? Secure enclave is just management's idea of implementing crypto. Everyone out here knows that it is highly flawed, and Intel with their management engine bullshit can't be trusted at all.
Re verifiability: the point isn’t trust us, it’s that you don’t have to.
We built it so anyone can independently confirm what’s running.
1. All server and client code is published.
2. Builds are reproducible.
3. Each node provides cryptographic attestations of its runtime and routing identity.
4. Enclaves are used for verifiable isolation.
You can peruse the code yourself to see exactly why the transparency we bring makes legacy “trust based” VPNs obsolete: https://github.com/vpdotnet/vpnetd-sgx
It looks like this boils down to 'check the magic number in the code against the magic number our server gives you. It matches!!!'
Is there some indication the user has that your server isn't simply hard coded to return the right magic number? I don't understand how this provides any assurance of anything.
The SGX certificate is signed by Intel and includes a certification of the hash of the code loaded in the secure enclave ("MRENCLAVE").
When the client connects to the server, the server presents a TLS certificate that includes an attestation (with OID 1.3.6.1.4.1.311.105.1) which certifies a number of things:
- The TLS certificate's own public key (to make sure the connection is secure)
- The enclave hash
It is signed by Intel with a chain of custody going to Intel's CA root. It's not "just a magic number" but "a magic number certified by Intel". Of course, it's up to you to choose to trust Intel or not, but it goes a much longer way than any other VPN.
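The two comparisons a client makes after Intel's signature over the attestation has been verified, as an added example that is not part of the comment above and not the project's own code. It uses the SGX ECDSA quote v3 field offsets and assumes, as an illustration only, that the enclave binds its TLS key by placing SHA-256 of the public key in the report data; all function names and sample bytes are constructed.

```python
import hashlib
import hmac
import struct

HEADER_LEN, BODY_LEN = 48, 384        # SGX ECDSA quote v3: header, report body
MRENCLAVE_OFF = HEADER_LEN + 64       # 32-byte enclave measurement
REPORT_DATA_OFF = HEADER_LEN + 320    # 64 bytes chosen by the enclave


def parse_quote(quote: bytes) -> dict:
    """Extract the two fields a client compares (signature data is not parsed)."""
    if len(quote) < HEADER_LEN + BODY_LEN:
        raise ValueError("quote too short")
    (version,) = struct.unpack_from("<H", quote, 0)
    if version != 3:
        raise ValueError(f"unsupported quote version {version}")
    return {"mrenclave": quote[MRENCLAVE_OFF:MRENCLAVE_OFF + 32],
            "report_data": quote[REPORT_DATA_OFF:REPORT_DATA_OFF + 64]}


def check_binding(quote: bytes, tls_pubkey_der: bytes, expected_mrenclave: bytes) -> list:
    """Return failures (empty list = pass). Assumes Intel's signature chain
    over the quote has already been verified by a separate step."""
    fields = parse_quote(quote)
    failures = []
    if not hmac.compare_digest(fields["mrenclave"], expected_mrenclave):
        failures.append("mrenclave mismatch")
    # Assumed binding convention: report_data = SHA-256(public key) || 32 zero bytes.
    want = hashlib.sha256(tls_pubkey_der).digest() + bytes(32)
    if not hmac.compare_digest(fields["report_data"], want):
        failures.append("tls key not bound to quote")
    return failures


def build_sample_quote(mrenclave: bytes, pubkey_der: bytes) -> bytes:
    """Constructed, unsigned sample with the same field layout (demo input only)."""
    body = bytearray(BODY_LEN)
    body[64:96] = mrenclave
    body[320:352] = hashlib.sha256(pubkey_der).digest()
    return struct.pack("<HH", 3, 2) + bytes(HEADER_LEN - 4) + bytes(body)


if __name__ == "__main__":
    built = hashlib.sha256(b"constructed enclave image").digest()  # stands in for the reproducible-build hash
    quote = build_sample_quote(built, b"constructed enclave key")
    print(check_binding(quote, b"constructed enclave key", built))  # enclave's own key
    print(check_binding(quote, b"constructed other key", built))    # same quote, different TLS key
```

The second call models a server presenting a genuine quote alongside a TLS key the enclave did not generate: the measurement matches, but the key-binding check fails.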
I did not sell PIA. I entered into a merger agreement to create a publicly owned privacy company. Without getting into detail, I left the company on principle receiving only 1/3rd of the value for the shares.
Used to love? What changed? PIA hasn't always had the best performance but they are on the list of VPNs who were subpoenaed and had no data to give the court.
My $.02: I tried them, but found their "we support Wireguard" a bit misleading. They only did so via their app. No way to get a stable configuration for a router (other than running a python script to get one from the app, without any guarantee of how long that config is valid for).
I appreciate the engagement, but it’s become clear that this particular user has been repeatedly following my posts to respond negatively - a stalker if you will [1]. I’d prefer to keep the discussion focused on facts, not personalities.
The key point, you don’t have to trust us, and we don’t want you to. Trust code, not people. That’s the foundation of the entire effort.
1. The so-called “takeover” was being organized long before my involvement, as shown by domain registration dates and internal meeting notes. I was a more convenient target than Christel, which might explain why she asked me to buy it from her.
2. False narratives were already being circulated to open source projects before any administrative changes occurred. The subsequent channel topic changes were a reaction to those actions, though I’ve acknowledged those decisions weren’t ideal in hindsight.
On broader context, much of what’s now called “funding FOSS” doesn’t reach active developers. It tends to reward organizers and promoters rather than those writing meaningful code. Supporting individual developers directly remains a better way to sustain real innovation.
Ironically, several of the ex-staff I defended for years against serious allegations (search “OldCoder” if you’re unfamiliar) went on to form Libera, attempted to seize the freenode IRC domain, and created a false narrative about events. It’s disappointing, but not surprising given the leftist politics at play.
If you want to understand the larger trends affecting open source today, I recommend Lunduke’s Journal and similar analyses. Most major FOSS projects are no longer developer run… just look at Mozilla for an example.
Now that I launched a verifiable VPN, they are once again sending legal threats [1].
[1] https://vp.net/l/en-US/blog/Verified-Privacy-vs-Trust