
Outages, disconnects, and blackouts

Relakks.com is apparently still undergoing lots of growing pains, as I experienced a handful of disconnects, outages, and outright service blackouts during the weeks when I evaluated their service. Sometimes l2tp.relakks.com wouldn't even respond to pings, while PPTP.relakks.com was fine, so I would be forced to use the PPTP setup. On other occasions my connection would just die, requiring a reconnect.

A quick look at the Relakks.com news page details their ongoing struggle to keep up with hardware and bandwidth upgrades, so I assume the problems I experienced were just a result of their service being overloaded. Relakks would, however, benefit from some sort of server status or upgrades page to give their users some way of checking on their infrastructure status.

Update 06.09.2007:

My Relakks.com connections continue to suffer from random disconnects and wildly varying connection speeds. Lots of email from readers confirms the same behavior. So I have come to accept this as Relakks's 'normal behavior'. I have found that when my Relakks.com connection seems to stall, I can disconnect and re-connect to 'solve' the issue. But it's still a pain to have to do this. I believe Relakks.com should create some sort of 'live status' page to let us know if and when their servers are acting up.

Update #2, 02.20.2008

I think Relakks had an upgrade, because my connections are way more reliable so far in 2008. Whatever you did, Relakks, thanks, because so far the responsiveness, throughput, and reliability are much improved.

How secure is Relakks, really?

This is a discussion well outside the realm of a simple summary, but it is probably the most important question of them all: How secure is Relakks.com?

Many other people, most of them smarter than I when it comes to computer security, have already picked at the Relakks.com rent-a-VPN concept with respect to answering this question. I'll do my best to sum up some of their points - and mine.

Let's take a hypothetical real-world example: You're a Relakks.com user in country A, doing something that the government of that country - or perhaps just major business entities located in country A - would like to locate and/or punish you for.

(And if you think I am describing one situation, you are not thinking hard enough. So my example is purposefully vague.)

There's little question as to whether the connection between your computer and the Relakks.com server is secure. But that's only a small part of the overall equation, which hinges on what you mean by "secure".

Problem #1: You would be open to identification and usage tracking

If your country (or business entity) is powerful enough to single out and identify any people who are connecting to Relakks.com, then those people can be identified and subject to search/seizure and typical police actions simply for using Relakks.com.

With some of the more advanced firewall technologies going into places like China (and, reportedly, AT&T) - firewalls that seek not only to block "bad" sites from users, but to identify "bad" behavior based on service profiling - this could perhaps be the most valid threat to a Relakks user.

Problem #2: You would be open to as-yet untested legal attacks

The Relakks "Swedish legal protection" argument breaks down roughly like this:

  • Relakks only stores your subscription information - and nothing else.
  • As a Swedish business, Relakks will only answer to Swedish authorities.
  • To force Relakks to divulge any information, Swedish authorities would have to prove it involves a case with the minimum sentence of two years imprisonment. Cases involving 'fines' are not enough.

    The problem here is that it is as-yet untested. Also, this legal analysis comes only from the Relakks.com staff - no one else within the international law community has weighed in on this analysis as far as I know, so the premise is as yet unverified.

    Also, for those of you that remember the Pirate Bay raids, the police had the Piratebay servers "in custody" for several days before they were returned and have still not been returned * - and thus could have conceivably recovered the information they needed during that time. One could foresee a similar seizure happening to Relakks.

    (* Many people pointed out that when the Pirate Bay servers were seized, the Piratbyrån servers were also taken - even though the Piratbyrån was not charged with any crime - and they have still not been returned.)

    Problem #3: Poorly defined list of what information is kept by Relakks

    There is a key unanswered question here as well: Relakks says they only store your account signup information. But Relakks also, on the same page, says
    "For Swedish authorities to force RELAKKS to hand over 'traffic data' including your RELAKKS IP at a specific point in time, they will have to prove a case with the minimum sentence of two years imprisonment."
    So the question becomes: are they storing this 'traffic data' or not? Does the Relakks server keep track of connecting IPs and timestamps, or internet usage traffic, or anything else?

    This is a huge, glaring issue that should be addressed immediately by the Relakks service if it wishes to establish further credibility.

    There are also the Relakks.com account payment records that obviously tie customers back to the Relakks.com service. These are handled by Payex.se - and not Relakks - and would presumably be subject to a different area of Swedish law. Of course - there's the other side of the equation as well, the payment record residing with the purchaser's credit card company.

    Update 2007 - now that Relakks.com accepts PayPal, the above goes for them as well. Given their track record, keep that in mind.

    It is not out of the realm of possibility that these records are open to attack and seizure as well. Unfortunately there is no easy solution to this problem, as truly anonymous purchases do not yet exist, and Relakks only accepts credit cards.

    Problem #4: PPTP is considered 'weak' security (added 02.20.2008)

    After many emails from readers, I think this is worth mentioning: PPTP isn't viewed by security professionals as the best way to secure VPN traffic - and there is real concern as to the level of security PPTP actually provides.

    To discuss this further is to tread into the nebulous land of computer security professionals and diving into some pretty complex whitepapers and analysis. But I believe this Wikipedia quote, attributed to this paper, sums it up the best:

    "Security concerns have dogged PPTP since its inception. It is the author’s opinion that PPTP is inherently insecure because there are too many unauthenticated control packets that are readily spoofed."

    Long story short: there's a lot of people out there who don't trust PPTP. Some think it is possible for well-trained, well-equipped eavesdroppers to 'crack' PPTP, either by defeating PPTP itself or through various holes in the implementation of PPTP. Refer to Wikipedia for some reading on the subject.

    Final thoughts and request for comments

    All in all, I'm pretty impressed with Relakks.com. Being able to rent a month on a Swedish VPN for roughly $8 is a great bargain. Despite the random Relakks.com service outage or disconnect, being able to deliver ~200/k of sustained throughput over a transatlantic hop is a fairly amazing feat.

    It appears that Relakks still has some growth and service related issues to deal with. However, technological solutions are often easy. It is the potential legal problems and solutions that are of particular concern, and I look forward to any comment by Relakks or readers regarding this area.

    I will be watching Relakks and any similar services closely on both the technical and legal fronts, as I think both the need for and suppliers of this sort of service will increase in the future. Anecdotally, privacy may not be the saving factor that propels Relakks to fame - there are rising reports of people using Relakks to get around firewall restrictions to play games like World of Warcraft while at school or work.

    Regardless of the underlying reason, I suppose, there is a need, and right now Relakks is doing a good job to meet the need.

    If you'd like to try Relakks.com out for yourself, remember, it's pretty cheap for a one-month subscription! A little over $7 lets you try Relakks.com for a month to see if it serves your needs ...


    A few followup notes

    Many readers have sent me email asking about or pointing out similar services. I have not examined or evaluated any of the following sites. They are linked here for reference purposes only:

    Findnot.com - anonymous surfing, email, etc. Registered via anonymous hosting service.
    MetroPipe.com - anonymous services with proxy, socks, TOR support, etc. Registered in Amsterdam.
    Secureix.com - anonymous PPTP provider. Registered in USA (Indiana).
    Xerobank.com - offering accounts on a private Tor network. (I'm doing a writeup on this service and will post it when finished.)


    As always I welcome reader comments and email, should you have any. Please send them to bhance@gmail.com