BolehVPN Traffic Obfuscation Keeps You out of Trouble, Even in China

Please provide some background on BolehVPN: What's inspired you to start a VPN service initially?

In 2007, the Chinese government started filtering traffic; that was the first intentional slowdown on p2p, followed by censorship on moral grounds, and nowadays even on political grounds. At that time there were few available VPN options out there, and many providers kept on shutting down, so we decided to come up with our own VPN, for our own personal use, and find others to share the server with us. Little did we know that we would grow to where we are today, with an ever growing global clientele.

Your traffic obfuscation technology allows users to hide the fact that they're using a VPN. Please explain how this is done and why is it an advantage over your competitors?

Traffic obfuscation is done via an XOR patch, which basically scrambles each buffer of traffic that is sent between the OpenVPN client and server. There are more advanced methods such as OBFS4, but that adds additional overhead and a separate client and server need to be run again.

In terms of the average user, we are of the opinion that the XOR patch currently provides a satisfactory level of obfuscation without compromising usability and performance to a significant extent. This solution allows users to bypass restrictions imposed by countries that block VPN usage. Additionally, we also extend Shadowsocks support to those who specifically request it from our services.

Most VPN providers do not implement obfuscation, which means VPN traffic can be readily identified. Although they do not know what you are doing within the VPN tunnel, this can 'flag' your usage as potentially suspicious, similar to what is happening with TOR usage.

What is the "Five eyes" jurisdiction and why is being located outside these countries an advantage?

The Five Eyes is an intelligence alliance which consists of Australia, Canada, New Zealand, the United Kingdom and the United States.  Together they cooperate to monitor billions of private communications worldwide and as revealed in various leaks including from Snowden, they run many surveillance programs that cast a wide net which includes ordinary citizens. The Five Eyes have actually expanded themselves to include Denmark, France, Holland, Norway, Germany, Belgium, Italy, Sweden and Spain, and thus is often known as Fourteen Eyes. Being a part of the Fourteen Eyes also means that countries who may be legally unable to spy on their own citizens can get other member countries to spy on their behalf and to share that intel with them.

If your VPN provider is located in these jurisdictions, there's a much stronger possibility that such countries will take measures to request for data from VPN providers, given their policy on mass surveillance. In many of these countries it would be legal for the government to demand for the VPN company to disclose whatever data it has and possibly even turn on logs.

Although we remain outside their jurisdiction, we still take extra caution, and issue a warrant canary on a monthly basis.

What are some of the risks related to the "Internet of things" and what can users do to protect themselves?

With more and more items having an internet connection and smart capabilities, they become attack vectors for potential hackers. Given that many of these items are embedded in your home, they pose significant privacy risks. Worst of all, security updates for these devices tend to be slow, and even if they are released, users are often slow to update. Being small and with limited processing power, manufacturers concentrate more on usability than security. NortonLIfeLock did a recent study on this and it showed that many of these devices do not implement basic encryption.

Most of these devices also communicate to their service providers through insecure channels, making it easy to gather a lot of private data about you and potentially your usage habits. Do you want someone to know whenever you turn lights or your coffee drinking schedule? While this may seem innocuous when in isolation, imagine a situation where your ISP or government or a third party can basically track your movement around your house based on the data gleaned from various IoT devices?

A VPN can be installed at the router level so that all traffic from your home goes out encrypted. Admittedly, a VPN does not solve all of the security risks IoT presents, but it will at least plug one hole by encrypting all traffic going out and making it harder to glean personal information from your usage of IoT.

What new trends can we expect to see in the near future in the world of VPN and online security?

There is increasing awareness of the necessity of internet security in the age of mass surveillance, but the general population still remains unaware on how to secure themselves, as currently tools to protect yourself like PGP are cumbersome to use. This is beginning to change. For example, end to end encryption is gaining increasing adoption in instant messaging apps such as Whatsapp, but meta-data still remains hard to secure and remains the valuable information that companies such as Twitter and Facebook use. It would be interesting to see tech developments in protecting meta-data which give away our behaviour patterns. E-mail in particular remains relatively insecure and there are some promising developments in this area such as Dark Internet Mail Environment (DIME). As previously mentioned, IoT security and privacy is going to be a much bigger issue in the coming years.

I do think decentralized anonymity networks such as TOR/I2P will be further developed and perhaps for VPNs to be hosted in a trustless manner.