IVPN web infrastructure security audit concluded

IVPN News By Nick Pestell | Posted on April 11, 2024

We’re pleased to announce that a sixth annual independent security audit has concluded. The assessment focused on Web UI, backend components, API endpoints, underlying web servers, and web infrastructure.

We’d like to share two key excerpts from the report:

“The IVPN Customer website and underlying servers presented a substantially secure posture during the assessment. This is reflected in the limited findings identified within this report, consisting solely of two Low-severity vulnerabilities and two general weaknesses. The successful mitigation of a wide range of common web application risks is a testament to the effectiveness of the security measures implemented by the project overseers.”

“To finalize, Cure53 is undeniably impressed with the overall security posture of the IVPN Customer website and its underlying infrastructure. The codebase exhibits assured standards of quality, while the implemented architecture and frameworks demonstrate a strong foundation in secure design principles.”

Audit results

The Cure53 team conducted the audit over 8 days in March 2024. The audit was divided into three work packages:

A white-box approach was used whereby the auditors had access to our public and private Github code repositories and a dedicated test environment. No access to production servers or infrastructure was granted to members of the Cure53 team.

A total of two vulnerabilities (low severity) and two general issues (info level) were identified. All vulnerabilities have been remediated.

We have made the Cure53 report available for those interested in the details. For transparency we decided to publish the full report with only potentially sensitive information redacted (e.g. internal hostnames).

Commitments going forward

We believe that extensive regular audits are necessary to ensure our customer’s security and continued trust. We continue to commit to an annual security audit where we will focus on those parts of our infrastructure and apps that we believe to be the most critical.

IVPN Team

Audit Apps Transparency
We invite you to discuss this post in our Reddit community or on Twitter. You can also send your feedback to blog@ivpn.net.
IVPN News

Independent security audit concluded

By Nick Pestell

IVPN News

IVPN applications are now open source

By Viktor Vecsei

Releases

Beta IVPN Linux app released

By Viktor Vecsei

IVPN News

IVPN acquires Safing, operator of Portmaster and the SPN network

Posted on December 3, 2024 by Nicholas Pestell Viktor Vecsei

The key points IVPN has acquired Safing ICS Technologies GmbH*, the company behind the consumer firewall application Portmaster and the SPN network Over the coming months, the IVPN team will take over the operation of the Portmaster and SPN services IVPN is committed to continuing the improvement of the VPN service, Portmaster, and the SPN network with a focus on better integration across our services The why and how We believe a trustworthy VPN service is just one part of the essential toolkit for resisting online surveillance.
DNS traffic leak outside VPN tunnel on Android IVPN News

DNS traffic leak outside VPN tunnel on Android

Posted on June 13, 2024 by IVPN Staff

Recently we were made aware of a potential DNS traffic leak outside the VPN tunnel on Android. Even with Android OS “Always-on VPN” and “Block connections without VPN” options enabled, as per the report the plaintext DNS traffic can be observed outside the VPN tunnel.
Spotted a mistake or have an idea on how to improve this page?
Suggest an edit on GitHub.