12Bytes.org

Damn her! Naomi Brockwell got my shorts in a knot regarding the VPN Hellscape (read that, seriously). I knew the VPN scene was bad, but i didn't realize how bad until i watched her video, The DARK side of VPNs.

I use AzireVPN because i believe they are worthy of a degree of trust, but believing is not enough and, given my freshly ingested fur-ball of fear due to Naomi's video, i decided to put the screws to Azire and see how they fared.

AzireVPN is one of very few VPN service providers that claim to physically own, secure and install their own servers and, in my book, no company is even worth considering if they can't make that claim (that's right; screw you Nord, PIA, Express, HideMyAss, IPVanish and nearly all of the rest of them!). Furthermore, Azire tells us that they physically seal unneeded ports, run the OS in RAM (no hard drives), and run their servers in Blind Operator mode. And of course they have a zero-log policy and do not require any personal information when creating an account. Even payment can be handled anonymously using crypto currency. But in the end, what is all this talk worth without convincing evidence?

I proposed a few ideas of how Azire could potentially reinforce customer trust:

• By providing purchase orders and receipts for their servers which could potentially be verified by contacting the vendor. My thought here is that, if they provide such evidence, then there is little reason to doubt that Azire is actually using the equipment they paid for.
• More photographic evidence.
• Video of how the servers are prepared showing the sealing of unused ports, removal of hard drives, etc..
• Live-streaming the server installation at the data center during which an Azire customer would provide a random verification string to the installer via an azirevpn.com email address which the installer would then display in the video. The problem with this is that only one, or possibly a small number of people, would be able to verify the installation and every one else could correctly posit that the whole thing was a setup.

Following is their responses to my proposals:

Hi,

Thank you for writing to us, [REDACTED].

We understand your concerns and this is why we have made such an effort to be as transparent and forthcoming as possible in our content and messaging – and also why we have our service in the first place.

As you mentioned, we’ve shown in our various blogs how we transport and install our servers in various datacentres around the world. Adding to this is our documentation (https://www.azirevpn.com/docs/environment#installation), which I am sure you’ve read through by now, where we list as much information about our service as we can without going the opposite direction and compromising our infrastructure’s security, and in effect our user’s security.

We could provide purchase order receipts for the servers and show what we do with them before they get installed, but there is no way for you to know we actually installed the servers we showed. Unless we had a continuous camera shot from arrival of the server at our office all the way through to installation, there isn’t a fool-proof way to show that we do what we say we do – even then, the video could easily be edited.

Moving forward with our new server installations, we will make an effort to provide more details and documentation regarding ownership and installation. However, at a certain point we have to draw a line for our infrastructure’s security, our user’s security, and of course our own personal security.

If you have any specific suggestions, we are eager to hear them.

And in a follow-up email they said:

Hey,

1. Receipts we will begin posting with all servers moving forward, with certain confidential information redacted of course. However, there will be enough to understand we did purchase the specific servers in use.

2. We will do a video demonstrating how we modify servers (some parts may be removed to help preserve the physical security) but the overall outcome and before/after will be shown to illustrate how we handle our servers. Additionally, we will improve the documentation of transportation and installation and security measures we take.

3. The video verification you suggested may be difficult, we are discussing this internally. That said - we do have a semi open door policy where we are happy to invite users to our office in Stockholm and also provide a tour of the datacentre we use here. If this is something you are interested in yourself, please let us know and we are happy to have you come and visit.

If you have any other ideas or suggestions to help improve our efforts towards transparency and security, please let us know. We are happy to improve things always.

I was very pleased with their response and look forward to seeing Azire follow up with tangible results.