IVPN no-logging claim verified by independent audit

IVPN News By Nick Pestell | Posted on March 21, 2019

From the start of IVPN, almost 10 years ago, we engineered our systems to not log any data that could be tied to an individual user account. Until now, our customers had no way to verify this, but today we’re proud to announce the results of an independent audit conducted by Cure53.

Below is an excerpt from the conclusion (the full unredacted report can be downloaded from Cure53’s website):

“To conclude this Cure53 audit and verification of the IVPN privacy-related claims yielded very positive results. The outcomes of this March 2019 audit, paired with fluent communications as well as the general handling of every aspect discussed during the assessment, attest to the considerable dedication to privacy matters at the IVPN project. Based on the findings, it is safe to say that all of the IVPN’s privacy statements could be verified as truthful within the defined scope. The requirements for both general security claims to be considered appropriate were successfully well met for all VPN gateways.”

The scope of the audit was to verify the no-logging claims made in our privacy policy. It included all IVPN systems that are involved in serving a customer’s VPN connection, including the VPN gateway servers and authentication servers. A total of 3 auditors spent 7 days performing the audit during March 2019.

When we set up IVPN and configured our systems not to log, it required a lot more than directing logs to the null device. We have a complex configuration of scripts that set up and tear down dynamic configurations for port forwarding, multi-hop, etc. These scripts communicate and store state information without persisting any data to disk, one of many design decisions we’ve made as a security-focused company.

Cure53 was able to identify only one issue, which they classified as ‘low’ impact and which they said “does not negatively impact this conclusion”. The issue was that our DNS servers temporarily cache their responses to improve performance. However, none of this data is related to a customer IP address or user account in any way, and it is only stored temporarily until the cache timeout. This means that if an adversary had access to a DNS server, they could see what domains had been recently resolved but not which customer IP had sent the request. Regardless, we decided to disable the caching, so this issue has been fully mitigated.

We expect this report to provide another strong signal that we take our customers’ privacy and security very seriously and are dedicated to being as transparent as possible. If you have any questions relating to this audit, please do not hesitate to contact us.


5 Comments

Liz_siz

03.08.2019

Bravo, excellent idea

Adilalhawa

09.08.2019

Hello world

Anonymous

10.12.2019

Well done on passing the audit! Although it should be noted that this audit did not investigate all of your systems. Basically, this audit only covers your servers. It doesn’t cover your client software (i.e. apps) nor your other systems, such as customer support and billing. Do you have any plans to have those audited?

Viktor Vecsei

10.12.2019

Thanks for your comment! A comprehensive audit is under way right now. Please see more here: https://www.ivpn.net/blog/ivpn-to-undergo-extensive-security-audit/