TunnelBear Publishes Security Audit

121 points by benjyclay, almost 8 years ago

12 comments

orf, almost 8 years ago
Report PDF: https://cure53.de/summary-report_tunnelbear.pdf

The test looks good, down from 3 criticals and 3 high to just 1 high. I'd be interested if they could expand on the 4 medium findings found. It's not the full report.
summarity, almost 8 years ago
Some time ago, I decompiled the Windows client and presented my findings here: https://hackernoon.com/poking-the-bear-is-tunnelbears-client-safe-to-use-5960f756f4ea
huhtenberg, almost 8 years ago
Can official binaries be independently reproduced from published sources by members of the public?

If no, then an audit has little to no value as it still implies trusting the vendor not to fudge the binaries or, more broadly, be malicious.
brndnmtthws, almost 8 years ago
TunnelBear is a great product, one which I've been using for a few years, and I trust them with my business. I wish services like Netflix didn't blacklist their IPs, but it's easy enough to get content off alternative sites when I'm traveling outside the US.

Thanks for the good work!
sigjuice, almost 8 years ago
The claims of transparency would be a bit more meaningful if they simply published their source code. It is hard to imagine anything too precious to disclose in the code.

Instead what we have is a PDF (4 pages long) with the title "TunnelBear Security Assessment Summary 07.2017" and an equally long web page claiming how awesome and transparent this is.
aphextron, almost 8 years ago
Never trust a 3rd party VPN for anything sensitive ever, period. Words of assurance and "security audits" are completely meaningless. HTTPS interception and forwarding is a trivial thing to do. For the public who are unable to set up their own VPN, they will have to accept that everything they do is being monitored by a random internet company rather than their ISP now.

There can be some use for these services if you are very careful with everything you do while connected. But the risk of transmitting usernames, emails, passwords, and CC numbers accidentally while still connected is too great IMO.
ericzawo, almost 8 years ago
TunnelBear is a dead-simple VPN (like, "so easy Mom can do it" simple) and their branding is killer. Who doesn't love cuddly privacy bears?
preinheimer, almost 8 years ago
GetCloak has also done a 3rd party audit, and is planning their next one: https://support.getcloak.com/faq/technology/#have-you-had-any-third-party-security-audits
5706906c06c, almost 8 years ago
Great, what happens to the release iterations between now and when the next test is going to be conducted? Show me the build logs, what changes, etc.
clamprecht, almost 8 years ago
Is there some way to be notified of a TunnelBear ownership change? For example, if Facebook buys them, how would we know?
cJ0th, almost 8 years ago
OFFTOPIC: Does anyone know whether TunnelBear will be available for Linux (or at least Firefox) one day?
tolgahanuzun, almost 8 years ago
Ironic, I can't even enter the TunnelBear website in my country. (Turkey) :/