Don't forget ProtonVPN links to Tesonet, which they're trying hard to "debunk" (though no clue why, I have nothing against Tesonet). They only shared employees and accidentally signed apps with the same certificates, but are "totally unrelated". Their PR people are already on this thread.
If they didn't try so hard to fight it, people might care less.
"Links to" is doing a lot of work in that sentence. ProtonVPN is owned by Proton, which has no legal ownership ties with Tesonet. During Proton's expansion into Eastern Europe, Tesonet initially assisted Proton with HR, payroll, and local regulation, so for a period of time, people working for Proton were employed by Tesonet, since Proton had no local subsidiary that could hire them. These were not "shared employees", they worked exclusively for Proton.
In 2016, Proton created its own subsidiary, and these people are now employed by Proton. But for this historical reason, the ProtonVPN keystore on Android still lists Tesonet as the organization name, even though it is fully controlled by Proton.
None of this is "debunking"; these are just the facts. You can make of them what you will, but you should be honest about what actually happened when you talk about it.
I've been part of a European startup that added offices in Asia and the US, and we initially always partnered with local companies to do this. It's mutually beneficial. It allowed us to grow more quickly, and it allowed them to make relatively easy money (and, in our case, to dump some of their shittier employees on us without us knowing).
In Proton's case, they already knew each other because Tesonet had previously offered to provide infrastructure during a DDoS attack against Proton.
So maybe it's a conspiracy, or maybe it's just how things go. You can make up your own mind, but you should provide the facts when you make sinister insinuations.
I would assume that if they were astroturfing, they would be smart enough to use more than one account. Given that, I'm inclined to believe that you are part of an astroturfing campaign.
The summary is: if you use someone’s VPN, Tor, etc. you’re just setting yourself up. There is no privacy, and if you act like you want privacy, they’re going to pay more attention to you.
> "Links to" is doing a lot of work in that sentence.
How? It is obvious.
> During Proton's expansion into Eastern Europe, Tesonet initially assisted Proton with HR, payroll, and local regulation, so for a period of time, people working for Proton were employed by Tesonet, since Proton had no local subsidiary that could hire them. These were not "shared employees", they worked exclusively for Proton.
So basically the same people managed teams, the same people paid the employees, but my "Links to" is doing heavy lifting, and in the previous sentence you say "ProtonVPN is owned by Proton, which has no legal ownership ties with Tesonet"? Who is doing the heavy lifting here?
How much is Tesonet or Proton paying you to post in here?
> How much is Tesonet or Proton paying you to post in here?
Sadly, they're not paying me anything, but I would suggest that any belief system in which information contradictory to your belief reinforces your belief is inherently problematic.
> so for a period of time, people working for Proton were employed by Tesonet, since Proton had no local subsidiary that could hire them. These were not "shared employees", they worked exclusively for Proton.
In 2016, Proton created its own subsidiary, and these people are now employed by Proton. But for this historical reason, the ProtonVPN keystore on Android still lists Tesonet as the organization name, even though it is fully controlled by Proton.
So either:
1. Tesonet/Nord are loose with their private keys.
2. Proton isn’t being truthful.
Anyone who understands crypto and key management knows “not your keys, not your _____.”
If those staffers worked for Proton and not Nord, why did they have Nord’s key?
This level of negligence with private key management really can’t be explained away.
I suppose you're free not to believe them, but I'm unsure what exactly you believe is happening here and what exactly Proton is lying about. Tesonet secretly owns them and has been running a decades-long misinformation campaign to trick you into thinking they don't? To what end? It's not like Tesonet is some nefarious company we should all be afraid of. What would they gain from lying about this if it were true?
And how can they make such an obvious mistake with their certs and then not make another one for the next decade? It's just not plausible.
At some point, you've gotta use some common sense.
My comment still applies regardless of any level of “explaining” [1]:
1. Either Nord/Teso are loose with keys (horrible)
Or
2. Proton isn’t being truthful.
I don’t think it’s a conspiracy or anything that it is Tesonet/Nord. Rather, the problem is you cannot trust someone with your privacy if they can’t even manage their own keys.
[1] The explanation is poor at best and doesn’t explain why they worked so hard to try to delete all of the evidence (all of which was archived already). Additionally, nothing can explain away the lack of security with key management across these two orgs.
They worked pretty hard as detailed in an archived article changing names and any records they could [1], but you're right - not good enough [2].
As pointed out on this reddit post [3], Proton's appears to contradict itself a number of times.
It's a good thing trust-based VPNs are obsolete. After all, trust isn't constant [4], as seen in this article showing how Proton supplied IP addresses to "authorities."
You're on the Internet. How are you surprised that someone is repeatedly responding in a thread about a very obscure topic, especially when people are posting conspiracy theories?
It's interesting to have these discussions. But it is funny that people's conspiratorial thinking now makes me a part of the conspiracy merely for pointing out easily verifiable facts.
>What is your relationship to either company?
I subscribe to Proton's services, so I was originally interested in finding out what actually happened. Now I'm interested in pointing out people's flawed reasoning because I think Proton is doing something valuable, and I don't want these attacks against them to go unanswered.
Since we're now part of this thread, as the attack on Proton was orchestrated initially by a competitor and seemed to use bot accounts on Twitter, how much do they pay you to try to discredit me?
Just kidding, see above. You and I, we are the same. We do it because it is interesting.
what makes your vpn verifiable? can i verify you run specific oss on your servers? secure enclave is just management's idea of implementing crypto. everyone out here knows that it is highly flawed and intel with their management engine bullshit can't be trusted at all.
Re verifiability: the point isn’t trust us, it’s that you don’t have to.
We built it so anyone can independently confirm what’s running.
1. All server and client code is published.
2. Builds are reproducible.
3. Each node provides cryptographic attestations of its runtime and routing identity.
4. Enclaves are used for verifiable isolation.
You can peruse the code yourself to see exactly why the transparency we bring makes legacy “trust based” VPNs obsolete: https://github.com/vpdotnet/vpnetd-sgx
It looks like this boils down to 'check the magic number in the code against the magic number our server gives you. It matches!!!'
Is there some indication the user has that your server isn't simply hard coded to return the right magic number? I don't understand how this provides any assurance of anything.
The SGX certificate is signed by Intel and includes a certification of the hash of the code loaded in the secure enclave ("MRENCLAVE").
When the client connects to the server, the server presents a TLS certificate that includes an attestation (with OID 1.3.6.1.4.1.311.105.1) which certifies a number of things:
- the TLS certificate's own public key (to make sure the connection is secure)
- the enclave hash
It is signed by Intel with a chain of custody going to Intel's CA root. It's not "just a magic number" but "a magic number certified by Intel". Of course it's up to you to choose to trust Intel or not, but it goes a much longer way than any other VPN.
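The two bindings described in that comment are what separate a verifiable attestation from a hard-coded "magic number": the attestation must name the public key of the TLS certificate the client actually received (so it cannot be replayed behind someone else's key), and the measured enclave hash must equal the hash of the reproducibly built code. The following is an added example, not code from the page or from the vpdotnet project: a minimal DER walker that locates an extension by the quoted OID inside an X.509 Extensions sequence, followed by those two checks. The 64-byte payload layout `sha256(SubjectPublicKeyInfo) || MRENCLAVE`, the sample key bytes and the sample measurement are assumptions constructed for the demo; the real quote format differs, and verifying Intel's signature chain over the attestation (the step that precedes these checks) is left to an X.509/attestation library and not shown.

```python
# Added example, not the vpdotnet project's code. Payload layout and sample
# values are constructed for this demo (see lead-in).
import hashlib
import hmac

ATTESTATION_OID = "1.3.6.1.4.1.311.105.1"   # OID quoted in the comment above


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """Wrap content octets in a DER tag/length header."""
    return bytes([tag]) + der_length(len(body)) + body


def oid_body(dotted: str) -> bytes:
    """Encode a dotted OID into DER OBJECT IDENTIFIER content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element) for the DER TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def find_extension(extensions: bytes, dotted_oid: str):
    """Walk Extensions ::= SEQUENCE OF Extension and return the extnValue
    content for the requested OID, or None if the certificate lacks it."""
    tag, seq, _ = read_tlv(extensions, 0)
    if tag != 0x30:
        return None
    want = oid_body(dotted_oid)
    pos = 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, ext_id, inner = read_tlv(ext, 0)          # extnID
        t, value, inner = read_tlv(ext, inner)       # critical (optional) or extnValue
        if t == 0x01:                                # BOOLEAN: skip the critical flag
            t, value, inner = read_tlv(ext, inner)
        if t == 0x04 and ext_id == want:
            return value
    return None


def attestation_binds(payload, tls_spki_der: bytes, expected_mrenclave: bytes) -> bool:
    """The attestation must name the key of the TLS certificate actually presented,
    and the measured enclave must equal the hash of the reproducibly built code."""
    if payload is None or len(payload) != 64:
        return False
    bound_key_hash, mrenclave = payload[:32], payload[32:]
    key_ok = hmac.compare_digest(bound_key_hash, hashlib.sha256(tls_spki_der).digest())
    code_ok = hmac.compare_digest(mrenclave, expected_mrenclave)
    return key_ok and code_ok


# --- constructed sample data (not real keys, certificates or measurements) ---
NODE_SPKI = b"constructed SubjectPublicKeyInfo of the VPN node"
EXPECTED_MRENCLAVE = hashlib.sha256(b"constructed reproducible enclave build").digest()


def build_extensions(spki: bytes, mrenclave: bytes) -> bytes:
    """Build an Extensions SEQUENCE: a critical basicConstraints placeholder
    plus the attestation extension carrying the assumed payload layout."""
    basic = der(0x30, der(0x06, oid_body("2.5.29.19")) + der(0x01, b"\xff") + der(0x04, der(0x30, b"")))
    payload = hashlib.sha256(spki).digest() + mrenclave
    att = der(0x30, der(0x06, oid_body(ATTESTATION_OID)) + der(0x04, payload))
    return der(0x30, basic + att)


def check_node(extensions: bytes, presented_spki: bytes, expected_mrenclave: bytes) -> bool:
    """Full client-side check once the Intel chain signature has been verified."""
    payload = find_extension(extensions, ATTESTATION_OID)
    return attestation_binds(payload, presented_spki, expected_mrenclave)


if __name__ == "__main__":
    exts = build_extensions(NODE_SPKI, EXPECTED_MRENCLAVE)
    print("genuine node:", check_node(exts, NODE_SPKI, EXPECTED_MRENCLAVE))
    # A middlebox replaying the node's attestation behind its own TLS key fails the key binding.
    print("replayed behind another key:", check_node(exts, b"other key", EXPECTED_MRENCLAVE))
    # A node running different enclave code fails the measurement check.
    print("different enclave build:", check_node(exts, NODE_SPKI, hashlib.sha256(b"x").digest()))
```

The expected MRENCLAVE is the value the client obtains by reproducing the build itself, which is why the reproducibility point in the list above matters: without it, the measurement is just a number the operator tells you to expect.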
I did not sell PIA. I entered into a merger agreement to create a publicly owned privacy company. Without getting into detail, I left the company on principle receiving only 1/3rd of the value for the shares.
Used to love? What changed? PIA hasn't always had the best performance but they are on the list of VPNs who were subpoenaed and had no data to give the court.
My $.02: I tried them, but found their "we support Wireguard" a bit misleading. They only did so via their app. No way to get a stable configuration for a router (other than running a Python script to get one from the app, without any guarantee of how long that config is valid for).
I appreciate the engagement, but it’s become clear that this particular user has been repeatedly following my posts to respond negatively - a stalker if you will [1]. I’d prefer to keep the discussion focused on facts, not personalities.
The key point, you don’t have to trust us, and we don’t want you to. Trust code, not people. That’s the foundation of the entire effort.
1. The so-called “takeover” was being organized long before my involvement, as shown by domain registration dates and internal meeting notes. I was a more convenient target than Christel, which might explain why she asked me to buy it from her.
2. False narratives were already being circulated to open source projects before any administrative changes occurred. The subsequent channel topic changes were a reaction to those actions, though I’ve acknowledged those decisions weren’t ideal in hindsight.
On broader context, much of what’s now called “funding FOSS” doesn’t reach active developers. It tends to reward organizers and promoters rather than those writing meaningful code. Supporting individual developers directly remains a better way to sustain real innovation.
Ironically, several of the ex-staff I defended for years against serious allegations (search “OldCoder” if you’re unfamiliar) went on to form Libera, attempted to seize the freenode IRC domain, and created a false narrative about events. It’s disappointing, but not surprising given the leftist politics at play.
If you want to understand the larger trends affecting open source today, I recommend Lunduke's Journal and similar analyses. Most major FOSS projects are no longer developer-run… just look at Mozilla for an example.
The Streisand effect. Although, personally I am interested in this topic, as everyone using these VPNs is one ToU change away from being data mined at all times.