Ben Wolford, Author at Proton VPN Blog
https://protonvpn.com/blog/author/ben/

8 tips to secure your remote workforce (plus an employee checklist)
https://protonvpn.com/blog/secure-remote-worker/
Thu, 21 Dec 2023 06:29:59 +0000

Your remote workforce should be as digitally secure as any in-office workforce. Fortunately, the same tools that can enable you to operate a distributed workplace, like VPNs and collaboration software, can help you keep your data safe too.

In this article, we’ll cover eight steps you can easily take to secure your network — no matter where your employees are working.

  1. Offer reliable, secure hardware and software
  2. Require two-factor authentication
  3. Instruct your employees to change their home router password
  4. Select the right VPN
  5. Ensure VPN use
  6. Limit access to internal servers
  7. Encrypt group calls
  8. Protect employee text messages and emails

We’ve also included an employee checklist at the end of this article to help you guide your remote employees in securing their work.

What are the threats?

First, it’s important to understand what you’re securing your workplace from.

In most cases, you’re simply trying to protect your company from the common cybercriminals who target all of us online to steal personal data for financial gain. They may not actually be singling out your business, but their impact can be huge. Internet scams cost businesses and individuals a combined $10.3 billion in 2022 in the US alone — and likely more, as cybercrime is underreported. 

These include all kinds of attacks, ranging from phishing to ransomware. If a hacker steals your data and demands payment, you may decide you have no choice but to pay. Or if your customers’ personal data leaks onto the dark web, you could be subject to huge fines for violating data protection laws.

Secure your remote workforce

There are multiple ways to mitigate the risks. Many of these start with prioritizing security, both at a management level and in your employees’ habits. We address this in the checklist below. But apart from training and awareness, there are also technical safeguards you can put in place. Here are eight you can work toward right now.

1. Offer reliable, secure hardware and software

Businesses are responsible for their employees’ hardware and software, even when the devices are outside office walls. Employees may choose hardware and software that are ill-suited or not secure for their work if left on their own. While your employees are responsible for following security best practices, expecting them to assess software and hardware security is unfair and unlikely to lead to good results.

Have a security expert, ideally your IT support team, advise employees on what hardware they should choose, including laptops, printers, cellphones, external microphones for remote meetings, etc.

Also advise them on what basic software they need. This includes office suite software, internet browsers, and email clients.

2. Require two-factor authentication

Whether your employees work from home or the office, you should require two-factor authentication (2FA) on all workplace accounts and encourage it on personal accounts. This adds an extra authentication layer when logging in, so even if an attacker steals someone’s username and password, they won’t be able to access the account. 

2FA should be enabled for email, VPN, chat apps, cloud storage, CRMs, and anywhere else your employees access your network. Typically you can require 2FA from your administrator settings.

3. Instruct your employees to change their home router password

Personal home routers usually come with a default password printed on the bottom. Many people never take the time to change these passwords, making their routers vulnerable to hacking. Make sure your employees change and save their router password, just like they would manage any passwords in the office (using the password manager that you have provided them).

4. Select the right VPN 

As a company with a remote workforce, you need a high-quality VPN, or virtual private network. A VPN will protect your employees’ privacy and security no matter where they are connecting to the internet. We developed Proton VPN for Business specifically to address the most critical security needs of small- and medium-sized businesses.

Here is what to keep in mind when selecting a VPN:

  • High speed — Don’t settle for a VPN that slows your remote workforce down. Proton VPN for Business’s VPN Accelerator technology uses advanced networking techniques to reduce latency, cut down on protocol inefficiencies, and overcome CPU limitations. Plus, all Proton VPN servers have a minimum of 1 Gbps bandwidth, with 10 Gbps servers available if you need them.
  • Secure VPN protocols — Business VPN servers should not support the PPTP and L2TP/IPSec VPN protocols as they aren’t secure. At Proton VPN for Business, we only use the VPN protocols known to be secure. These protocols are WireGuard, OpenVPN, and IKEv2.
  • Strongest encryption — Your remote workers’ security is only as strong as their VPN’s encryption. Proton VPN uses the strongest encryption possible: AES-256 or ChaCha20 for network traffic, 4096-bit RSA for key exchange, and HMAC with SHA384 for message authentication. Additionally, all our cipher suites use perfect forward secrecy, meaning we generate a new encryption key every time your employee connects to the VPN.
  • Network protection — Proton VPN for Business’s Secure Core servers are in hardened data centers in Switzerland, Iceland, and Sweden, protected with full disk encryption. Proton is also protected by some of the strongest privacy laws in the world since it’s a Switzerland-based company. That’s why we can maintain our strict no-logs policy.
  • Open source and audited — Only trust a VPN that is transparent and independently audited. Our Proton VPN apps are 100% open source. On top of that, we regularly commission independent, professional audits and publicly publish the full results.

5. Ensure VPN use

No matter how advanced your VPN is, if your employees struggle to use it or avoid using it, that VPN is not valuable. 

To ensure VPN use, enable the Always-on and kill switch features that your VPN provider should offer. The Always-on feature ensures your employee’s device always connects to the internet through the VPN server. If that secure connection is lost for any reason, the kill switch feature kicks in and stops traffic to keep your employee safe.

Another common reason remote workers avoid working through a VPN is that they get blocked from websites that interpret them as threats. Proton VPN’s alternative routing technology allows your employees to bypass most firewalls and VPN blocking methods so they can go about their work unimpeded.

6. Limit access to internal servers

Even if you’re a small business, not all employees need access to all internal resources and databases. This kind of access can be especially dangerous if workers are remote. Set up your VPN to control access permissions.

As the admin of the VPN, you can assign an employee or group of employees to one or more dedicated VPN server IP addresses (also known as ‘gateways’) based on what you want them to have access to. Through this segmentation system, your company’s internal server(s) will recognize and allow access requests from the VPN servers you have configured for that permission, rejecting all requests from any other VPN or regular internet servers.

Beyond giving you flexible, granular control of access, this adds an additional layer of protection: Even if a bad actor obtains the username and password to an internal server resource, they will not be able to access it because their device will not be using the assigned VPN server.
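The check an internal server (or the firewall in front of it) performs under this scheme can be sketched as follows. This is an added example, not Proton's code or configuration: the gateway names, resource names and RFC 5737 documentation addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample data: hypothetical gateway and resource names,
# RFC 5737 documentation addresses. Not taken from any real deployment.
GATEWAY_IPS = {
    "gw-engineering": ipaddress.ip_address("203.0.113.10"),
    "gw-finance": ipaddress.ip_address("203.0.113.20"),
}
RESOURCE_ALLOWLIST = {
    "git.internal": {"gw-engineering"},
    "payroll.internal": {"gw-finance"},
    "wiki.internal": {"gw-engineering", "gw-finance"},
}


def gateway_for(source_ip):
    """Return the name of the dedicated gateway that owns source_ip, or None."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return None  # malformed address: treat as untrusted
    # Dual-stack listeners may report IPv4 peers as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for name, gateway_ip in GATEWAY_IPS.items():
        if addr == gateway_ip:
            return name
    return None


def authorize(resource, source_ip, password_ok):
    """Default-deny decision: the network check runs before credentials count."""
    allowed = RESOURCE_ALLOWLIST.get(resource)
    if allowed is None:
        return (False, "unknown resource")
    gateway = gateway_for(source_ip)
    if gateway is None:
        return (False, "source is not a dedicated gateway")
    if gateway not in allowed:
        return (False, "gateway not permitted for this resource")
    if not password_ok:
        return (False, "invalid credentials")
    return (True, "allowed via " + gateway)


def audit(requests):
    """Evaluate (resource, source_ip, password_ok) tuples and keep the denials."""
    denied = []
    for resource, source_ip, password_ok in requests:
        ok, reason = authorize(resource, source_ip, password_ok)
        if not ok:
            denied.append((resource, source_ip, reason))
    return denied


# Constructed request log: the second entry is a stolen password used from
# an address that is not one of the company's gateways.
SAMPLE_REQUESTS = [
    ("payroll.internal", "203.0.113.20", True),
    ("payroll.internal", "198.51.100.77", True),
    ("payroll.internal", "203.0.113.10", True),
    ("wiki.internal", "::ffff:203.0.113.10", True),
]
```

Denials returned by `audit` where the password was correct are worth alerting on, since they indicate valid credentials being tried from outside the assigned gateway.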

7. Encrypt group calls

With remote work comes remote meetings. Make sure you are protecting those meetings.

Wire is a group audio and video conference platform that utilizes zero-knowledge encryption similar to the model we use in Proton services. It can host up to 100 users in a meeting at the same time. It is independently audited and open source.

8. Protect employee text messages and emails

Remote employees are more likely to text and email each other than in-office employees are. As a business, you need to protect that remote work product too. 

Signal is considered the most secure messaging app. It end-to-end encrypts one-on-one messages as well as group messages. It works on both Android and Apple phones, as well as Linux and Windows setups.

Proton Mail is our email service and the largest end-to-end encrypted email provider in the world. It offers advanced features like expiring and Password-protected Emails, encrypted search, and productivity features like snooze.

Remote employee security checklist

People are usually the weakest link in the security of any system, including your organization’s network. Phishing attacks are designed to take advantage of this fact. To mitigate this, we recommend regular security trainings and reminders.

Below is a security checklist you can share with your employees and modify to suit your workplace as needed.

Use your work device securely

  • Keep non-essential applications off your work device and secure it when not in use, even at home.
  • Lock your device screens with strong passwords any time you are not using them.
  • Report lost or compromised devices immediately to ensure sensitive data is secured.
  • Turn off Bluetooth if you’re not actively using it.

Data encryption

  • Encrypt the hard drives of your work devices to safeguard sensitive data.
  • Activate encryption systems on Android, iOS, macOS, and Windows devices and securely store the recovery codes.

Encrypted communications

  • Use Proton Mail for private and secure communication.
  • Set expiration dates for sensitive messages to enhance privacy.

Update your software

  • Keep all operating systems, programs, and applications up to date. New software versions often contain patches for security vulnerabilities.

Strong passwords

  • Use strong, unique passwords (at least 16 characters) for each account.
  • Utilize a reputable password manager for password management.

Two-factor authentication

  • Enable 2FA on all accounts to add an extra layer of protection.
  • Use an authenticator app such as the one built into Proton Pass rather than SMS or other less secure forms.

Secure network access

  • Avoid sending sensitive information through unsafe external applications.
  • Connect to your work computer through a VPN with secure protocols for added security.

Secure home WiFi network

  • Change the default password on your home WiFi router to a strong, unique one.
  • Enable encryption, preferably WPA2, on your home WiFi to prevent unauthorized access.

VPN usage

  • Connect to your company’s VPN when accessing company resources.

Video conference security

  • Ensure no sensitive information is visible during video conferences or screen sharing.
  • Password-protect all conference calls to prevent unauthorized access.

Stay alert for social engineering and phishing attacks

  • Never click links, download attachments, or scan QR codes from unknown or unexpected senders.
  • Refrain from sharing screenshots of video conferences or sensitive information on social media.

Google Chrome’s IP Protection is privacy washing
https://protonvpn.com/blog/google-ip-protection/
Tue, 21 Nov 2023 17:25:49 +0000

Last month, Google launched a new feature for Chrome called IP Protection that makes it easier for the company to spy on you. No surprise, since this is Google’s business model. But what’s concerning is that Google is marketing this as a privacy feature.

More and more, Google is using privacy washing, a form of false advertising designed to trick people into thinking their products are private.

Before IP Protection, there was “enhanced ad privacy”, another Chrome feature designed to trap you inside Google’s surveillance network to the exclusion of other companies.

The idea behind IP Protection is much the same. It shields your computer’s IP address from other websites while passing all your web traffic through a server owned by Google. This gives Google a God’s-eye view of every website you visit at all times while using Chrome, whether you are logged in to your Google Account or not. There is zero privacy benefit to IP Protection in its current form, and we strongly recommend people do not enable it.

Other privacy advocates are also raising the alarm. Developers reviewing the codebase have strongly criticized Google.

Criticism of Google Chrome IP Protection

“This doesn’t have anything to do with security,” one developer wrote. “This is all about control, harvesting data, and ensuring Google’s position as the advertising leader on the internet.”

Why is Google doing this?

Google’s competitive advantage is its highly targeted advertising, with 80% of its $224 billion in revenue coming from ads. These ads are only valuable so long as Google knows all about your interests from your searches and browsing activity.

As the world’s most popular web browser, Chrome is Google’s window on billions of people, particularly when combined with other data sources, such as Google Search or Google Maps. If you’re logged into your Google Account, for example to access your Gmail, the company can then associate all your searches with your account. The company has ways to track you even if you’re using Incognito Mode.

This is why IP Protection is a sham. In its initial stage of development, Google Chrome is using its own proxy server to generate a temporary IP address to conceal your real IP address from a list of specific websites that Google owns. To enable IP Protection at this stage, you must opt in.

In future stages, Google says it may add a second proxy server operated by another company. The “second hop”, as they call it, would only see the temporary IP address from the first server and the website you plan to visit. This other company is supposedly independent, but Google would presumably choose the provider and define its policies. 

The two-hop system may look like a privacy benefit — except that Google already has numerous other ways to track you. Google sees your search history, Google Analytics, your Chrome history, cookies in its ad network, mobile location, inbox, calendar, and on and on. What’s the point of a second privacy layer when Google can monitor your activity in so many other ways?

IP Protection is about two things: privacy washing and building a moat.

Google wants to convince you its service is private while simultaneously collecting your intimate data and preventing competitors from doing the same. IP Protection walls off your data from the rest of the internet while sealing Google’s surveillance apparatus on your side of the wall.

What can you do instead of IP Protection?

It’s easy to start building a privacy wall with Google on the outside. 

You can protect your browsing activity and accomplish what IP Protection claims to by simply using a privacy-protecting browser and a VPN. One of Google’s objectives for IP Protection might actually be to stop users from using independent VPN services, particularly since the better VPN services have ad and tracker blocking technologies built in (such as NetShield in Proton VPN).

Use a private browser

Google Chrome is terrible for privacy. But there are alternatives that respect your privacy. While Chrome gathers data about what you do online, browsers like Firefox don’t. If you’re someone who cares about privacy improvements in Google, you should just stop using Google.

Use a real VPN

While Google will monitor your browsing activity through IP Protection, a trustworthy VPN will never do that. A VPN creates an encrypted tunnel between your device and the rest of the internet, hiding your browsing data from your local network while shielding your IP address from the websites you visit.

Proton VPN has a strict no-logs policy which has been independently audited. Google can also be compelled to log user activity under US law. But because Proton is based in Switzerland, you are legally protected from logging orders by Swiss law.

In addition to protecting your IP address, Proton VPN also protects you from ads, trackers, and malware thanks to NetShield ad-blocker, which is something else Google won’t ever do.

Most importantly, Proton’s business model is based on providing privacy-first services to customers who pay for subscriptions. So Proton’s financial incentives are to protect people from online surveillance, while Google is incentivized to do the opposite.

You can learn more about Proton VPN’s privacy features here.

Google doesn’t want you to use a real VPN or switch to truly private services, instead hoping you’ll accept IP Protection, “enhanced ad privacy”, and its other privacy washing features. Don’t take the bait. A better internet is possible if you choose.

Learn more about our mission here.

What is Tor Browser?
https://protonvpn.com/blog/what-is-tor-browser/
Fri, 18 Aug 2023 17:57:19 +0000

Tor Browser is a privacy-focused browser that lets you navigate the internet without anyone monitoring your activity or identifying you. It relies on the Tor anonymity network to route your internet traffic through multiple random servers before connecting to your desired website or service.

You can download Tor Browser here.

This article explains more about Tor, how Tor Browser works, why you might use it, and some of the browser’s limitations. The app is free to download and use as a service of The Tor Project, a nonprofit that promotes human rights through privacy technologies.

What is Tor Browser?

How does Tor Browser work?

A few limitations to consider

Why use Tor Browser?

Using Tor Browser to access Proton

What is Tor Browser?

Tor Browser is similar to other browsers like Firefox or Chrome that let you visit websites on the internet. When you enter a URL for a website, the browser looks up the location of that website on the internet and downloads the site content. 

But Tor Browser is unique because it has built-in privacy and anonymity safeguards. It also lets you access websites on the dark web that other browsers can’t take you to (more on that below). 

Tor Browser has three important privacy features:

1. It blocks surveillance of your browsing activity

With a normal browser, at least one or two observers can potentially keep track of the websites you visit: your internet service provider and possibly your WiFi administrator (if you’re at work or a coffee shop, for example). While TLS encryption prevents them from seeing the information you provide on those websites, they can still see what websites you visit and when. 

Tor Browser prevents this. The only thing your ISP and anyone else on the local internet can see is that you’re connected to Tor.

2. It prevents websites from identifying you

The websites you visit can typically see your IP address. Website operators can use this information to see your general location and potentially to identify you. This piece of information is a critical part of the surveillance economy (along with cookies and other trackers) that gives marketers the ability to profile and target you.

When you use Tor Browser, websites can only see the IP address of the last node your internet traffic passed through in the Tor network. 

3. It clears tracking cookies

Another way websites can track you is by planting cookies on your browser. These are small files that log your activities on the internet. Some cookies are useful, such as those that remember your website preferences or the items in your shopping cart. Tracking cookies, which monitor your behavior across other websites, are a threat to your privacy.

Tor Browser scrubs cookies after each session by default.

How does Tor Browser work?

By default, Tor Browser connects your internet traffic to three random relays (also called nodes) in the Tor network before connecting you to the website you want to access. Tor also uses three layers of encryption that get removed with each node — the so-called onion routing from which Tor (“The Onion Router”) derives its name.

How Tor works

The Tor Project depends on thousands of volunteers to operate relays in its network. Each of these nodes can only see the nodes behind them and in front of them. 

Therefore, only the entry node can see your computer’s IP address, but it can’t see what website you’re connecting to. The exit node can only see the IP address of the middle node, but it does know what website you’re connecting to. And the website can only see the exit node as the source of its traffic.

During the leap from the last node to the website, your web traffic is not encrypted and relies on the website’s HTTPS to protect your data. But by then your traffic looks pretty much like all the other traffic exiting the Tor network. It’s extremely difficult to identify you as the source. (Though not impossible — see the next section.)
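The layering described above can be followed in a short simulation that records what each relay is able to observe. This is an added example, not code from the Tor Project or from this article: the XOR keystream is a toy stand-in for Tor's real cryptography, the keys are assumed to be already shared with each relay, and the relay names, addresses and request are constructed.

```python
import hashlib


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHAKE-256 keystream derived from key.

    Illustration only: a stand-in for per-hop encryption, NOT Tor's actual
    cryptography. Applying it twice with the same key decrypts.
    """
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(path, destination, request):
    """Client side: wrap the request in one layer per relay, innermost first.

    path is [(relay_name, key), ...] ordered entry -> middle -> exit.
    Each layer carries only the address of the next hop.
    """
    next_hops = [name for name, _ in path[1:]] + [destination]
    cell = request
    for (_, key), next_hop in reversed(list(zip(path, next_hops))):
        cell = toy_cipher(key, next_hop.encode() + b"|" + cell)
    return cell


def peel(key, cell):
    """Relay side: remove one layer, learning the next hop and nothing else."""
    next_hop, _, inner = toy_cipher(key, cell).partition(b"|")
    return next_hop.decode(), inner


def route(client_ip, path, cell):
    """Pass the cell along the circuit and record each relay's view."""
    views, previous = [], client_ip
    for name, key in path:
        next_hop, cell = peel(key, cell)
        views.append({
            "relay": name,
            "sees_from": previous,     # the only source address this relay learns
            "forwards_to": next_hop,   # the only destination this relay learns
            "payload": cell,           # still encrypted until the exit relay
        })
        previous = name
    return views, cell  # cell is now what the website receives


# Constructed sample circuit and request (documentation address, made-up keys).
CLIENT_IP = "198.51.100.7"
PATH = [
    ("entry-relay", b"key-shared-with-entry"),
    ("middle-relay", b"key-shared-with-middle"),
    ("exit-relay", b"key-shared-with-exit"),
]
DESTINATION = "example.org"
REQUEST = b"GET /index.html"

if __name__ == "__main__":
    views, delivered = route(CLIENT_IP, PATH, build_onion(PATH, DESTINATION, REQUEST))
    for view in views:
        print(view["relay"], "sees", view["sees_from"], "->", view["forwards_to"])
    print("website receives:", delivered)
```

The exit relay's payload is the request exactly as the client sent it, which is why the last leg depends on the website's HTTPS.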

A few limitations to consider

Tor Browser isn’t a magic invisibility cloak. You can’t use it and expect everything you do online to remain anonymous. In fact, maintaining anonymity on Tor requires a good bit of vigilance on your part.

Here are some limitations of Tor Browser you should keep in mind to increase your privacy:

  • Information you give to websites can de-anonymize you. For example, if you log in to your Google account in Tor Browser, Google will know who you are. Any information you submit in forms could also identify you.
  • A sophisticated attacker can monitor Tor network traffic. Governments may try to identify specific Tor users by watching internet traffic for patterns. This is expensive and probably not something most people need to worry about. Learn more about Tor vulnerabilities.
  • Attackers and governments can compromise Tor nodes and monitor traffic. If an attacker can see the entry and/or exit nodes, they have a good chance of identifying you. But the odds of this are very low.
  • File-sharing services aren’t very compatible with Tor. The nature of BitTorrent and other file-sharing sites makes it difficult to stay anonymous. It’s also extremely slow to torrent over Tor.
  • Tor Browser is slower than other browsers. Because of the extra encryption involved in onion routing and because your connection is often routed across the globe to reach the volunteer-administered Tor nodes, Tor Browser is slower than browsers optimized for speed.
  • Tor Browser only encrypts your browser traffic. Other internet traffic on your device, including your apps, will not be encrypted in the Tor network and could be used to identify you. If you’re concerned about that, Tor also offers an operating system called Tails that will encrypt all your traffic.

Why use Tor Browser?

The internet is full of marketing trackers, malware, and government surveillance. In some countries, whole parts of the internet are off-limits because of censorship. Tor Browser addresses all these problems.

Here are some of the main use cases:

  • You don’t want websites to be able to track you. Tor Browser includes features that scrub cookies after each web session and clear your browsing history automatically. It also makes all traffic exiting the Tor network look the same, so device fingerprinting is much more difficult.
  • You want to access censored content. A lot of the censorship online is fairly easy to circumvent with a VPN or by using Tor because it interferes with domain names at the level of your internet service provider. When you connect to the Tor network, you prevent your internet service provider from seeing your web traffic and bypass the block.
  • You don’t want anyone to see your online activity. Tor encrypts your web traffic between your local network and the Tor entry node, preventing your internet service provider and/or your network administrator from monitoring your behavior. Websites can’t see the source of your traffic beyond the Tor exit node. And each of the three random nodes within the network can only potentially see your IP address or the IP address of the site you’re visiting, but not both. Therefore, when used properly, Tor prevents anyone from associating you with your online activity.
  • You want to access onion sites. Tor offers Onion Services, which are websites that only exist on the Tor network. Sometimes called the dark web, these sites are almost impossible to censor. While some content on the dark web lives up to its seedy reputation, there are also many useful onion sites, including Proton. We’ve compiled a list of the best onion sites you can check out. You can only connect to onion sites through Tor.

If you’re familiar with VPN services, you might notice similarities between what Tor and VPN both offer. Each lets you unblock websites and prevents them and your ISP from watching your activity. The biggest difference is that a VPN can see your online activity (which is why it’s important to choose a VPN you trust). Tor, meanwhile, is a network in which no two nodes will ever know both your identity and your activity. 

When is it better to use a VPN rather than Tor? The clearest use cases are when you want to access blocked content on the internet where performance is also a priority, such as video streaming sites. Additionally, Tor Browser only protects your web traffic, while a VPN protects all the internet traffic on your device.

A good no-logs VPN is adequate to protect most people’s privacy in most situations. Proton VPN also allows you to access onion sites with our Tor over VPN feature.

Using Tor Browser to access Proton

Some countries see online privacy as a threat and try to block services like Proton that make it possible. Tor is a vital technology in the fight against censorship and surveillance. But it can only exist with the support of savvy volunteers to operate the Tor relays and donations in support of The Tor Project. 

This is why Proton is a Green Onion Member of Tor’s sustaining membership program.

And it’s also why we operate and maintain an official Proton onion site. Even if the government blocks Proton where you are, you can still access your Proton Account through our onion site.

We recently updated our onion site so you can use Proton Mail, Proton Calendar, and Proton Drive or sign up for a new account via Tor. You can access our Tor site through Tor Browser or by connecting to a Proton VPN Tor server.

8 common types of cyberattacks and how to prevent them
https://protonvpn.com/blog/types-of-cyberattacks/
Fri, 28 Jul 2023 18:57:57 +0000

Hackers are always looking for ways to break through the security systems that defend your devices and data from criminals. From web browsers to operating systems to chat apps, any piece of software is a potential target. It’s a constant game of cat and mouse, with developers releasing patches whenever security researchers discover a new exploit. 

At Proton, our security team is constantly monitoring for new types of cyberattacks. Most attacks fall into one of a few categories, and if you know what to expect, you can take the right steps to prevent them.

Below we’ll explain some of the most common attacks targeting individuals and businesses, followed by a few simple tips to keep your identity, financial accounts, and data safe.

Types of attacks:

Phishing

Malware

Spoofing

Insider threats

Social engineering

Man-in-the-middle attacks

Code injection attacks

DDoS

1. Phishing

Over 500 million phishing attempts were reported in 2022, making it one of the most common types of cyberattack. In a phishing attack, hackers try to get you to divulge sensitive information, such as your credit card details or username and password. It involves some form of deception. For example, they might send you an email designed to look like it’s from a familiar company, asking you to click a link to log in to your account. But the link will take you to a website the hackers control, built for the sole purpose of collecting login credentials.

Phishing attacks can also be used to deliver other attacks, like malware, and they can arrive anywhere: email, SMS, social media accounts, or even through a phone call. The attackers often try to capitalize on a sense of urgency to get you to click a link or download an attachment without thinking too much about it. Sometimes, just clicking or tapping a link or downloading a file is enough to install malware on your device.

Historically, phishing attacks have been fairly easy to spot because they contain low-quality email designs or grammatical errors. Recently, however, we’ve noticed an uptick in the quality of the deception. 

2. Malware

Malware — malicious software — is a broad category that includes perhaps dozens of specific kinds of attacks. If the goal of most software is to help you, what defines malware is that it is designed to harm you, your device, or your network.

Different kinds of malware have different purposes, such as stealing sensitive information, holding data hostage, or causing damage to infrastructure. Hackers spread malware by various attack vectors, ranging from phishing attacks to drive-by downloads, in which you accidentally install the malware on your device simply by visiting a malicious website.

3. Spoofing

Spoofing attacks trick people by disguising an email address, website, or other form of identification as a trusted source to get what they want. They might use this deception to steal information, break into your network, or get you to download malware. Hackers often use spoofing to conduct other cyberattacks, such as phishing or man-in-the-middle. 

SMTP doesn’t have any authentication mechanism, which predictably made spoofing a common attack in the past. In response, email providers developed the SPF, DKIM, and DMARC authentication methods that allow them to mark spoofing attempts as spam or block them from reaching you. Unfortunately, not all email services have configured or deployed SPF, DKIM, and DMARC.
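Whether a sending domain has actually deployed these controls is visible in its DNS TXT records, and a domain owner can audit that as below. This is an added example, not code from the article: the domains and records are constructed, DNS lookups are replaced by an inline dictionary so it runs offline, DKIM is left out because checking it needs the sender's selector, and treating a DMARC record without a `p` tag as `none` is a simplifying assumption.

```python
SPF_ALL = {"-": "hardfail", "~": "softfail", "?": "neutral", "+": "pass-all"}


def parse_tags(record):
    """Split a 'k=v; k=v' DMARC record into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_result(txt_records):
    """Classify the domain's SPF record by how it treats unlisted senders."""
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid-multiple-records"  # receivers treat this as an error
    for term in spf[0].lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "-~?" else "+"
            return SPF_ALL[qualifier]
    return "no-all-mechanism"


def dmarc_policy(txt_records):
    """Return (policy, pct) from the records published at _dmarc.<domain>."""
    for record in txt_records:
        tags = parse_tags(record)
        if tags.get("v") == "DMARC1":
            policy = tags.get("p", "none").lower()  # assumption: no p tag = none
            try:
                pct = int(tags.get("pct", "100"))
            except ValueError:
                pct = 100
            return policy, pct
    return "missing", 0


def assess(domain, zone):
    """Summarise how well a domain is protected against From-address spoofing."""
    spf = spf_result(zone.get(domain, []))
    policy, pct = dmarc_policy(zone.get("_dmarc." + domain, []))
    findings = []
    if spf in ("missing", "invalid-multiple-records", "no-all-mechanism"):
        findings.append("SPF does not restrict senders (" + spf + ")")
    elif spf in ("pass-all", "neutral"):
        findings.append("SPF authorises any sender (" + spf + ")")
    if policy == "missing":
        findings.append("no DMARC record published")
    elif policy == "none":
        findings.append("DMARC is monitor-only (p=none)")
    elif pct < 100:
        findings.append("DMARC policy applies to only %d%% of mail" % pct)
    enforced = policy in ("quarantine", "reject") and pct == 100
    return {"spf": spf, "dmarc": policy, "enforced": enforced, "findings": findings}


# Constructed TXT records keyed by DNS name (reserved .example domains).
ZONE = {
    "strict.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.strict.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@strict.example"],
    "monitor.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none"],
    "open.example": ["site-verification=constructed", "v=spf1 +all"],
    "partial.example": ["v=spf1 -all"],
    "_dmarc.partial.example": ["v=DMARC1; p=quarantine; pct=25"],
    "dup.example": ["v=spf1 -all", "v=spf1 ~all"],
}
```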

Domain name spoofing tries to trick you into thinking you’re on a familiar website to distribute malware or to get you to divulge information.

4. Insider threats

For a business, the people in your organization or contractors with access to your systems are a serious risk to your security. They already have two things hackers try to take by force or deception: your trust and access to your computer systems.

Just like other hackers, insiders might attack you for financial gain, data theft, espionage, or to introduce malware on behalf of someone else. Many well-known examples of insider threats involve corporate espionage, like the Uber executive who stole trade secrets from his previous employer, Google. Others involve data breaches, and some are even committed by accident, such as the Microsoft employee who posted internal login credentials on GitHub.

5. Social engineering

Social engineering is a scientific-sounding name for tricking people into doing what you want for the purpose of exposing data or gaining access to systems. In a social engineering attack, a hacker may pretend to be an IT worker asking for personal details to “confirm your account” or someone passing out free USB drives infected with malware.

Social engineering tactics are designed to exploit weaknesses of human psychology, so they prey on emotions that cloud judgment, such as fear or curiosity. These attacks have been implicated in some of the most high-profile hacks. For example, in 2020, hackers used social engineering to take over prominent Twitter accounts to promote a Bitcoin scam.

6. Man-in-the-middle attacks

As the name suggests, hackers use man-in-the-middle (MITM) attacks to position themselves between parties communicating online to eavesdrop on the exchange or alter the parties’ experience. The attacker might do this to steal sensitive information, trick the victim into taking some action, or censor content. Censorship can be done on an individual basis, such as a single hacker going after a specific victim, or on a mass scale, as in the case of authoritarian governments that redirect their citizens’ internet traffic.

Thanks to TLS, MITM attacks tend to be difficult to execute. Typically, the hacker has to successfully forge a public key certificate. At Proton, we mitigate the risk of MITM attacks through several methods, including Address Verification, which lets you pin trusted keys to your contacts.

MITM attacks are also a favorite of some regimes that try to spy on their citizens or restrict their access to information. Kazakhstan, for example, tried to MITM all the encrypted internet traffic in the entire country. And China uses MITM attacks against its citizens for censorship as part of its Great Firewall.

7. Code-injection attacks

Hackers use code-injection attacks to insert new lines of code into computer systems that are poorly secured, causing them to execute malicious programs with sometimes disastrous consequences.

In 2012, Yahoo! lost hundreds of thousands of user credentials because hackers injected malicious code into the company’s database through search boxes and other forms on their websites. 
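Injection through a search box comes down to how the query is built. The following is an added example, not code from the original article or from any system it mentions: a search function that concatenates user text into SQL, next to a parameterized version that also escapes LIKE wildcards. The table, rows and input string are constructed for the demonstration.

```python
import sqlite3

# Constructed input of the kind a search box might receive.
CONSTRUCTED_INPUT = "' OR 1=1 --"


def make_db():
    """Build an in-memory catalogue with one row that must stay hidden."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE products (name TEXT, public INTEGER);
        INSERT INTO products VALUES ('VPN router', 1);
        INSERT INTO products VALUES ('100% cotton bag', 1);
        INSERT INTO products VALUES ('unreleased prototype', 0);
        """
    )
    return db


def search_vulnerable(db, term):
    """Deliberately unsafe: user text becomes part of the SQL statement.

    A quote in `term` closes the string literal, and whatever follows is
    parsed as SQL, so the 'public = 1' filter can be bypassed.
    """
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]


def search_safe(db, term):
    """Hardened: the SQL text is fixed and the term is bound as data.

    Binding stops injection. Escaping '%' and '_' additionally keeps the
    term from acting as a LIKE wildcard pattern.
    """
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = "SELECT name FROM products WHERE public = 1 AND name LIKE ? ESCAPE '\\'"
    return [row[0] for row in db.execute(sql, ("%" + escaped + "%",))]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, CONSTRUCTED_INPUT))
    print("safe:      ", search_safe(db, CONSTRUCTED_INPUT))
    print("safe '%':  ", search_safe(db, "%"))
```
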

More recently, injection attacks have taken a new turn with large language models. Security researchers have been feeding them faulty data to show how easy it is to train the models in directions their developers didn’t intend. 

8. Distributed denial of service

A distributed denial of service (DDoS) attack is a kind of cyberattack that mainly targets businesses’ websites and networks. Hackers use multiple compromised computers to bombard a company’s servers with requests, effectively shutting down operations.  

Attackers typically use DDoS attacks to extort money from their victims, demanding payment to stop the attack. But sometimes amateur hackers will use DDoS as a form of activism or simply for bragging rights. 

DDoS attacks aren’t a major concern for individuals except to the extent they disrupt your ability to use a service you need. You should investigate a company’s service reliability and uptime guarantees if you’re concerned about downtime. Companies that have dealt with DDoS attacks in the past typically invest significantly in infrastructure to prevent them from happening again.

Learn more: 

  • There have been a few famous DDoS attacks, including the largest on record that hit GitHub in 2018.

How to mitigate cybersecurity attacks

Mitigating cyberattacks often comes down to choosing security-focused web services and properly securing your accounts. Here are the most important things you can do to stay safe:

  • Use strong passwords — Your login credentials are the first line of defense for your online accounts. Always use unique, long, and complex passwords. You can generate and store strong passwords with the help of a password manager.
  • Use two-factor authentication (2FA) — If hackers obtain your password, your next line of defense is 2FA. Many online services allow you to enable 2FA so that you have to enter a second piece of information, usually a temporary passcode from an authenticator app on your smartphone.
  • Keep your software up to date — Cyberattacks often exploit weaknesses in the software you use. Whenever developers find out about such weaknesses, they build a fix and release a software update. Always promptly install updates to your devices and apps.
  • Be alert for phishing attacks — Phishing and other types of deception are becoming harder to spot as hackers get more sophisticated. Never click links or download attachments in emails or text messages you weren’t expecting.
  • Use security-focused services — It’s easier to steal data from systems that don’t use strong encryption and take aggressive prevention measures. At Proton, we develop products with a security-first mindset, meaning we protect as much of your data as possible with end-to-end encryption. Whether it’s your email, calendar events, passwords, files, or your internet connection, Proton never has access to the contents of your data because it’s encrypted on your device before being sent to our servers. Learn more about Proton security.

The post 8 common types of cyberattacks and how to prevent them appeared first on Proton VPN Blog.

Black Friday 2020: up to 50% off new subscriptions, plus early access to Proton Drive https://protonvpn.com/blog/black-friday-2020/ Mon, 16 Nov 2020 05:05:08 +0000 https://protonvpn.com/blog/?p=4394 Our Black Friday 2020 promotion is the best opportunity to take back your online privacy while also helping to create a more free and open…

The post Black Friday 2020: up to 50% off new subscriptions, plus early access to Proton Drive appeared first on Proton VPN Blog.

Our Black Friday 2020 promotion is the best opportunity to take back your online privacy while also helping to create a more free and open internet for all.

This year, as part of our Black Friday offer, we’re also introducing something new. In addition to a discount of up to 50% off Proton VPN Plus and Proton Mail Plus plans, you can also get early access to Proton Drive, our new end-to-end encrypted cloud storage service.

All Proton VPN Plus and Proton Mail Plus bundle users get early access to Proton Drive. If you already have a Proton VPN Plus account, you can get access to Proton Drive simply by purchasing a Proton Mail Plus account for a discounted price during Black Friday.

As well as being a great bargain, purchasing a Proton Plus plan supports our mission to expand access to online security, privacy, and end-to-end encryption.

Our Black Friday offers are only available for a limited time.

New to Proton?

Get the deal here

Already have a Free Proton VPN account?

Sign in to get the deal

Our Black Friday 2020 deals

The following offers are available this year for Black Friday for new subscribers (information for existing subscribers is at the end of this post).

  • Our best offer is 50% off a two-year subscription to Proton VPN Plus and Proton Mail Plus, including early access to Proton Drive beta ($7.50/month, billed as $180 for two years)
  • Or get 45% off a one-year subscription to Proton Mail Plus and Proton VPN Plus, including early access to Proton Drive beta ($8.25/month, billed as $99 for one year)

If you don’t need a Proton Mail Plus account right now, you can also upgrade your Proton VPN account at a discounted rate:

  • 33% off a one-year subscription to Proton VPN Plus ($6.67/month, billed as $79.99 for one year)

Proton is a community-supported service that makes no revenue from ads. This is why our once-a-year Black Friday offer is one of the rare times that Proton is available at a discounted price.

Benefits of Proton Plus plans

Proton products make the internet a safer, freer, and more private place for our users. We don’t log your online activity, can’t read your emails, and can’t access your data stored in Proton Drive. Here are all the benefits you unlock by upgrading to Plus.

Proton VPN Plus

Proton VPN Plus users enjoy all premium features of our no-logs VPN service. You can access our highest-speed Plus servers in over 50 countries, connect up to five devices at once, and stream services such as Netflix, HBO Max, BBC iPlayer, and many more.

Those requiring additional security can route connections through one of our specially hardened Secure Core servers located in privacy-friendly jurisdictions before accessing the internet through any of our regular VPN servers. 

Proton VPN Plus users can take advantage of our one-click Tor servers for convenient access to .onion sites. Proton VPN Plus also supports BitTorrent traffic and other file sharing protocols.

Proton Mail Plus

As a Proton Mail Plus user, you gain 5 GB of storage, can send up to 1,000 messages a day, and can organize your inbox using labels, custom filters, and folders. Proton Mail Plus users also have full access to all ProtonContacts features and are eligible for storage bonuses.

Many users upgrade to Proton Mail Plus to gain access to custom domain names and up to five email addresses. Proton Mail keeps your communications secure by utilizing encryption to ensure that no third party (not even Proton) can read your messages.

Proton Drive

Proton Drive is an end-to-end encrypted file storage service. With Proton Drive, you can back up sensitive files online with end-to-end encryption and access them at any time from anywhere in the world. Our use of encryption means that, unlike non-private services like Google Drive, we cannot access or scan your personal files. Our Black Friday 2020 deal gives you early access to Proton Drive beta.

Proton Calendar

Proton Calendar is an end-to-end encrypted calendar that allows you to organize your life without anyone else being able to see your plans. All Proton VPN Plus and Proton Mail Plus users have access to Proton Calendar.

Our vision is to integrate all our products into a single encrypted ecosystem. By taking advantage of our Black Friday 2020 offer, you will join millions of people supporting our effort to build a more private and secure internet for all.

Frequently asked questions

When does the sale end?

The Black Friday offers have been extended and will last until Dec. 15 at 6:59 AM Geneva time (CET).

Am I eligible for the Black Friday deal?

You can take advantage of this promotion if you are new to Proton or if you have a Free plan.

Will I keep the discount when my plan runs out? What price will my plan renew at?

If you take advantage of a Black Friday deal, your plan will renew at the end of the period you selected at our greatest discounted rate. The renewal prices are as follows:

– The Proton Mail Plus for one year deal renews after one year at a discounted annual price of $48 (20% discount).
– The Proton Mail Plus + Proton VPN Plus deal for two years renews after two years at a discounted two-year price of $190.40 (47% discount).
– The Proton Mail Plus + Proton VPN Plus deal for one year renews after one year at a discounted annual price of $115.20 (36% discount).

Can I pay for a Black Friday deal using Bitcoin?

Yes, but not from the landing page we link to from here or directly from your account dashboard. If you haven’t got one already, you will need to sign up for a free Proton VPN account. Log in to your Proton VPN account at account.protonvpn.com and go to Subscription -> Add credits -> Select a method -> Bitcoin. Add enough funds to pay for the promotion you would like to purchase. When the credits appear in your account, you can select a plan, which will be automatically paid for using your credits.

How are discounts calculated?

The discount percentages are based on standard monthly pricing for services purchased separately.

I can’t find the Black Friday promotion in my Dashboard. What should I do?

Refresh the web page in your browser. If that fails, then please contact Support.

Are there any deals available if I already have a Proton VPN Plus and a Proton Mail Plus plan?

If you are an existing paying user, you can upgrade to a Proton Mail Plus and Proton VPN Plus bundle at a 47% discount on two-year subscriptions and also get free early access to Proton Drive beta. To get the promotion, please log in at account.protonvpn.com and click on the Special Offer icon.

An illustration of where to find the Special Offer button.

If you already have a two-year Proton Mail Plus and Proton VPN Plus bundle, then we have already applied the 47% discount to your plan, and you also have early access to Proton Drive.

Furthermore, all existing users are eligible for storage bonuses. Depending on when you first got a paid Proton Mail account, you could have received up to 20 GB of free storage.

Does Proton offer professional or enterprise plans?

We do. Please contact our business sales team to learn more.

If I upgrade to a new plan during Black Friday, what happens to my existing paid plan?

If you are already a paying Proton Mail or Proton VPN user and you take advantage of the promotions for paid users mentioned above, the new plan you select will replace your existing plan. We will credit you the unused balance of your existing subscription as a proration credit.

Where should we install our next servers? https://protonvpn.com/blog/servers-poll-2020/ Fri, 28 Aug 2020 13:53:24 +0000 https://protonvpn.com/blog/?p=4215 It’s time for our annual server poll!  Each year since 2018, we have turned the floor over to our community to decide where we should…

The post Where should we install our next servers? appeared first on Proton VPN Blog.

It’s time for our annual server poll! 

Each year since 2018, we have turned the floor over to our community to decide where we should prioritize our efforts to expand the Proton VPN network.

As a result of the 2019 Proton VPN server poll, we have added new servers around the globe, including Mexico, Taiwan, Costa Rica, Argentina, and Turkey. Today, we have over 1,000 servers in over 50 countries. And we are adding more servers constantly to improve the speed and reliability of Proton VPN in every region.

This year’s poll aims to increase this geographic diversity even more while aligning our efforts with your priorities.

Cast your vote

Everyone gets one vote in the poll. You should select the country you think should be our highest priority. The countries below were selected based on the regions where we get the heaviest usage. We have excluded countries where we already have servers and countries that may pose a risk to privacy. You’ll have about two weeks to make your selection, and anyone is eligible to participate, so please share this poll with your network.

Please answer this survey only once. The captcha is included to prevent abuse and collects only the letters you enter.

This poll will close at 11 PM (Central European Summer Time) on 11 September.

Once we close the poll, we’ll add up the votes and announce the winners. Then we’ll start working to acquire and provision the servers you’ve chosen. 

We will always try to bring new VPN servers online in the order of priority. Still, we must also maintain our high security and reliability standards, and some countries are better equipped for this than others. We will announce new servers as they are ready on our blog.

Thank you for your support

We’re grateful for the support of our community. From our volunteer translators, who increase privacy access to people in more languages, to everyone who votes in our server polls, we depend on you to further Proton’s mission to make privacy and security accessible to all.

And because of our paid users, we can continue to provide the only truly free and open source VPN. In the last year, we have made Proton VPN available on F-Droid and launched support for the OpenVPN protocol on more platforms. These help to make Proton VPN more private, secure, reliable, and resistant to censorship.

Thank you, and happy voting!

You can follow us on social media to stay up to date on the latest Proton VPN releases:

Twitter | Facebook | Reddit | Instagram

To get a free Proton Mail encrypted email account, visit proton.me/mail

Proton VPN supports Hong Kong’s right to digital freedom https://protonvpn.com/blog/hong-kong-security-law/ Fri, 22 May 2020 19:50:41 +0000 https://protonvpn.com/blog/?p=4048 A Chinese language overview of Proton published in Taiwan can be found here: https://www.twreporter.org/a/protonmail-project Last week, we stood in solidarity with citizens in the US…

The post Proton VPN supports Hong Kong’s right to digital freedom appeared first on Proton VPN Blog.

A Chinese language overview of Proton published in Taiwan can be found here: https://www.twreporter.org/a/protonmail-project

Last week, we stood in solidarity with citizens in the US against the reauthorization of the USA Freedom Act. Today we are standing in solidarity with the people of Hong Kong after the Chinese government announced a new security law designed to stifle free speech and peaceful protest.

When the government tried to do this previously — in 2003 and again in 2019 — Hong Kongers (including many Proton users) successfully defeated these measures by taking to the streets. This time it’s different.

Because of the COVID-19 pandemic, there is no option to congregate in large groups. Moreover, the Chinese government is not working through Hong Kong’s legal system but rather from Beijing. The Chinese National People’s Congress is poised to approve the security law at its annual legislative session, which convened today (May 22).

With physical spaces out of reach, activists must now turn to digital spaces to speak out for democracy and civil liberties. Unfortunately, with the government monitoring all unsecured communications, it can be dangerous to organize and share ideas with others, particularly if the new security decree outlaws “sedition.”

We have previously stood by Hong Kong protesters, including providing encrypted email services for the developers of HKMaps and others. Proton is committed to defending their right to speak out, even when other tech companies take the side of repression and censorship. In fact, we launched Proton VPN specifically because we saw the need to help activists and journalists access our secure email service, Proton Mail, in case of censorship attempts.

Since then, we have consistently supported independent journalists through educational tools, seminars, scholarships, grants, and free services.

Now people are again turning to our privacy tools to defend freedom: As of Friday, Proton VPN is the third-most downloaded app in the Apple App Store in Hong Kong, and we have witnessed a 1,000% increase in the amount of traffic to our website.

Proton will continue to defend the right to free speech and privacy by making secure communication available to all who need it, whether in Hong Kong, or anywhere else in the world. Below we outline steps you can take to avoid government surveillance and maintain access to the uncensored Internet.

Use a VPN to secure your communications and online activity

A trustworthy VPN is still the best way to stay safe from government surveillance. China’s security law is expected to mirror the language of the 2003 basic law, which would have prohibited “any act of treason, secession, sedition, subversion” against China. Obviously, authorities can use this type of broad language to eliminate political opponents and repress people exercising their right to free speech.

This is why it is imperative to encrypt your Internet connection and use secure methods of communication.

If you’re in Hong Kong, we recommend downloading Proton VPN for free as soon as possible. 

  1. Download Proton VPN for your device. (Proton VPN is also available on F-Droid if you prefer not to use the Google Play Store.)
  2. Set up a free account in the app.

Users with a Free plan can connect to any of our free servers in Japan, the United States, and the Netherlands. By upgrading to a Plus plan, you can also access five servers in Hong Kong (including a Tor over VPN server), 32 servers in Singapore, and nearly 1,000 servers in over 50 countries around the world.

Our servers in Hong Kong could become the target of Chinese surveillance and censorship attempts. Therefore, out of an abundance of caution, we recommend Hong Kongers concerned about their security and privacy connect to our servers in Singapore. They are in the region, which reduces latency to a minimum.

Note: Your Internet service provider (and by extension the government) and the VPN service you use can still see that your IP address was used to connect to a VPN, so it is important to pick a trustworthy VPN that has strong values and integrity, even in the face of government pressure.

We say “as soon as possible” because authoritarian governments can and do take measures to block people from getting VPNs in the first place. Proton VPN has some systems in place to bypass these sorts of blocks, including our Alternative Routing feature. But authorities can still make it hard to download VPN apps after restrictions kick in. VPN services themselves, while more difficult to block, can also be blocked, so it is good to have Tor installed as a backup.

To install Tor, go to the Tor project website and download the Tor browser. In the event Chinese or Hong Kong authorities attempt to ban Tor, as a last resort you can use Tor Bridges to circumvent that censorship. Guides for using Tor Bridge can be found online here and here.

Use encrypted email for secure communication

End-to-end encryption (E2EE) is considered the gold standard for secure communication. Proton Mail is the world’s largest private email provider offering this type of strong encryption. With E2EE, messages are only accessible on your device and the device of your recipient. Neither Proton Mail nor any other party monitoring the network can access your messages. Proton Mail, like Proton VPN, is based in Switzerland and therefore protected by some of the world’s strongest privacy and human rights laws. 

Note: When using Proton Mail for very sensitive communications, we recommend that both the sender and the recipient use Proton Mail (it’s free). We also recommend putting the most sensitive information in the message body and not the subject line.

Here’s how to get started with Proton Mail and configure some basic extra security settings:

  1. Go to proton.me/mail and create an account.
  2. Download Proton Mail for iOS or Android.
  3. Enable two-factor authentication.
  4. If you use iOS, enable the AppKey Protection System by enabling PIN, TouchID, or FaceID.

As with Proton VPN, it is possible for Proton Mail itself to be blocked. For this, we offer our email service over Tor. Learn how to connect to our Tor hidden service.

Going forward

We’ll continue to support the Proton community in Hong Kong and elsewhere. We are already monitoring the current usage levels of Proton VPN, and we will take actions as necessary to unblock servers and expand bandwidth.

We created Proton VPN and Proton Mail to defend fundamental rights: democracy, privacy, and freedom of speech. The citizens of Hong Kong deserve the same freedom to exercise these rights as anyone else in the world. Proton has an office in Taiwan so we feel great solidarity with our users in Hong Kong, and a duty to help uphold our shared values.

We’re grateful to our community for supporting Proton and our mission. We will keep supporting you too.

Best Regards,
The Proton Team

Proton VPN iOS app now supports the OpenVPN protocol https://protonvpn.com/blog/openvpn-ios/ Thu, 07 May 2020 14:55:32 +0000 https://protonvpn.com/blog/?p=3972 Your Proton VPN iOS app is now better equipped to fight censorship and offers more flexible connection options with the launch of OpenVPN for iOS.…

The post Proton VPN iOS app now supports the OpenVPN protocol appeared first on Proton VPN Blog.

Your Proton VPN iOS app is now better equipped to fight censorship and offers more flexible connection options with the launch of OpenVPN for iOS.

The OpenVPN protocol is one of the best VPN protocols because of its flexibility, security, and because it is more resistant to blocks. You now have the option to switch between the faster IKEv2 protocol and the more stable and censorship-resistant OpenVPN protocol.

The rollout of OpenVPN for iOS is part of a larger push at Proton to provide more tools to bypass censorship. As more people turn to online tools that keep their personal information safe, some governments and companies have taken more steps to undermine that privacy, including censorship. That’s why we have invested in features like alternative routing and OpenVPN for Android to help you stay securely connected to our servers no matter where you are.

Find out more about why you need a VPN app for your Android phone or tablet.

OpenVPN has many benefits over other protocols

There are multiple VPN protocols, and each has benefits and drawbacks. We have previously compared the different VPN protocols in depth on our blog. 

Aside from having no known vulnerabilities, the OpenVPN protocol is great for two main reasons: It’s flexible, and it’s more difficult to block.

Flexibility

OpenVPN’s most useful feature is that it allows you to choose between two transport protocols: Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). We explain the difference between TCP and UDP in more detail elsewhere, but basically UDP is faster and TCP is more stable. 

OpenVPN connects via UDP by default, but if you have a weak Internet connection you might have better luck switching to TCP.

Bypass censorship

That flexibility also serves to mitigate censorship and local network blocks. The IKEv2 protocol, the other option on our app, uses UDP on a well-defined port, which is easier to block and is not necessary for web browsing without a VPN. Your employer or school may also choose to block certain ports to restrict VPN usage on their network, and governments can exploit this limitation for censorship.

TCP, on the other hand, can use numerous ports. We configured our TCP connection to use several ports, including the port that handles HTTPS-encrypted Internet traffic. This makes it more difficult to block without cutting off access to the Internet.

With OpenVPN, you can toggle between UDP and TCP, giving you more freedom to access the Internet unrestricted.

Next steps

Eventually, we want to make it easier for you to connect to the best protocol. Our Smart Protocol feature will help with this by automatically switching to the best protocol for your situation. This feature is already implemented in the Windows and Android apps, and soon it will also be available on our iOS and macOS apps. Sign up for a Free plan for iOS.

We look forward to increasing Proton VPN’s resilience and accessibility as part of our mission to create a safer Internet. This work would not be possible without your support. Thank you.

Follow us on social media to stay up to date on the latest Proton VPN releases:

Twitter | Facebook | Reddit | Instagram

Get a free Proton Mail encrypted email account

Five essential online security tips for digital nomads https://protonvpn.com/blog/online-security-tips-for-digital-nomads/ Wed, 14 Aug 2019 12:44:34 +0000 https://protonvpn.com/blog/?p=2878 The Internet made it possible for workers in the service economy to do their jobs from any place that has a fast broadband connection. But…

The post Five essential online security tips for digital nomads appeared first on Proton VPN Blog.

The Internet made it possible for workers in the service economy to do their jobs from any place that has a fast broadband connection. But the Internet also opens up new avenues for criminals and surveillance.

If you’re a digital nomad, are thinking of becoming one, or simply work remotely from time to time, it’s important to take your online security seriously. As a leading data privacy company, we’ve compiled a list of five essential online security tips for digital nomads. With the summer holiday in full swing, now is a good time for everyone to review these guidelines and avoid becoming a victim of the next big data breach.

Be wary of unsolicited messages

Digital nomads receive a lot of unsolicited emails and even WhatsApp messages. Working independently opens up lots of unexpected opportunities, including from strangers and new acquaintances. But some of those “opportunities” may be phishing attacks or social engineering tactics.

You should treat every unsolicited message you receive as a potential attack. Do not click on links or download attachments in emails or text messages unless you know the sender. Sometimes clicking a link or downloading an attachment can lead to ransomware or spyware being installed on your device. Other times, a phishing link disguised as a password reset can prompt you to divulge your username and password to a hacker.

Generally speaking, you should keep sensitive personal information private, including your family members’ names, your date of birth, and your place of birth. Hackers can use this information to log in to your accounts and steal your data.

Learn more: Check out these other email safety tips

Always use your own computer

You may, at some point, find yourself in a bind and need to use a public computer in a library or Internet cafe. We would discourage ever doing this. Public computers can easily be infected with keyloggers that can steal your account credentials or other sensitive information that you type. These computers may also be connected to insecure WiFi networks that are monitoring your activity.

If you must use a computer that isn’t yours, avoid entering any sensitive information. Check the device for suspicious hardware, such as a USB drive, and inspect the list of installed software applications. You can also view the Task Manager of the device to see what programs are running. These solutions aren’t 100% effective though, because a keylogger may be disguised as a legitimate application. It’s best to use your own device for your work.

Use strong, unique passwords

Everyone needs good password habits, but digital nomads should especially take care with their passwords. Being on the move and working in public places can leave you particularly vulnerable to password theft. For example, if you keep your passwords written on pieces of paper, you could easily lose them or leave them exposed if you’re working in a cafe. Shoulder surfing, or people reading your screen or watching you type, is another way an attacker could steal your password when you work in public places.

It’s important to use a unique password for each of your devices and accounts. That way if one account is compromised, the others will remain secure. Passwords should be at least 12 characters or four unusual words if you use a passphrase. For storing all your passwords, we recommend using a trusted password manager (a list of good password managers is contained in the article linked below).

Just as crucial as using strong passwords is enabling two-factor authentication (2FA). With 2FA enabled, you’ll need your username, password, and a one-time code on your device to access your accounts.

Learn more: How to create a strong password

Data security when crossing borders

Digital nomads travel by definition. You may have wondered what can happen to your data while crossing international borders. It turns out that many countries have broad authority to search, confiscate, and break into your devices when you’re trying to enter. Visitors to a country typically have even fewer legal protections than citizens. 

There are many legitimate reasons to want to protect your personal or your company’s data from inspection. The best way to protect your data while going through customs is to back it up to the cloud, wipe your devices, and turn them off. Then you can reinstall your data and apps once you’re through immigration. However, while you are going through customs, be polite, comply with commands, and don’t lie (that includes techie tricks to deceive border officers). See our full recommendations in the link below.

Learn more: How to protect your device when crossing borders

Get a trustworthy VPN for digital nomads

A virtual private network (VPN) is an indispensable online security and privacy tool for digital nomads. A VPN has several benefits. First, it protects you from network surveillance, whether you’re concerned about hackers on public WiFi hotspots, or governments or Internet service providers logging your activity. Second, a VPN improves your privacy by masking your true IP address. And third, VPNs break down the barriers of geographical restrictions on content. So whether you’re trying to access Netflix or Hulu securely, bypass state censorship, or use websites as though you were back home, a VPN is like a virtual passport for your device.

But beware: when you connect to a VPN, the company running the VPN service has access to all your browsing activity. So it’s important to choose a trustworthy VPN that has a strict no logs policy and doesn’t monetize your data. Proton VPN meets these criteria, and our latest security audit results confirm our no logs policy.

With hundreds of servers in dozens of countries, Proton VPN provides fast download speeds anywhere in the world. As the only truly free VPN, we don’t log your data or sell it to third parties, and our Free plan offers unlimited browsing so that everyone has access to private Internet. Our Free plans are subsidized by paid accounts that offer more servers, one-click Tor access, advanced security features, and faster speeds. 

For digital nomads, every day is an adventure. But there’s no need to risk your online security. By following these five online security tips, digital nomads can stay safe while living the dream.

Best Regards,
The Proton VPN Team


The post Five essential online security tips for digital nomads appeared first on Proton VPN Blog.

We’re adding full-disk encryption to harden our servers against MITM attacks https://protonvpn.com/blog/disk-encryption/ Tue, 30 Apr 2019 12:59:39 +0000 https://protonvpn.com/blog/?p=2563 UPDATE: As of February 2020, we have applied full-disk encryption to all Proton VPN servers. Attacks from nation states may not be part of your…

The post We’re adding full-disk encryption to harden our servers against MITM attacks appeared first on Proton VPN Blog.

UPDATE: As of February 2020, we have applied full-disk encryption to all Proton VPN servers.

Attacks from nation states may not be part of your threat model, but they are part of ours. We’re happy to announce an important security upgrade that will help mitigate certain resource-intensive attacks that can come from unfriendly governments in the countries where we have exit servers, such as Russia. With full disk encryption, Proton VPN will be safer from sophisticated man-in-the-middle attacks.

Why disk encryption is important

When you connect to Proton VPN, you are establishing an encrypted tunnel between your device and one of our servers around the world. While this prevents surveillance on your local network and at the level of your Internet service provider, it theoretically gives Proton VPN the ability to see your activity. (This is why it’s crucial to use a trustworthy VPN.) Proton VPN does not keep logs of your activity, so there is virtually no information about our users saved on our servers that could be divulged to governments in the countries where we operate.

Nonetheless, our servers are still an attractive target. One way for an attacker to compromise a VPN would be to seize the VPN server, steal the server certificate, and redirect users’ traffic to servers they control. A server certificate is the cryptographic version of an ID badge. It tells your device that the server is trustworthy and it’s safe to establish an encrypted connection. With a stolen server certificate, the attackers could trick your device into sending them your data.

This is not an easy attack to pull off, but a government could do it. As we expand our VPN service to even more countries, including high-risk countries, we are taking precautions to ensure Proton VPN users can continue to browse safely. This includes disk encryption, which secures all the configurations and software contained in each exit server (including server certificates). That way, even if a server is compromised, the attackers will not be able to access what is stored on it.

What this means for you

Disk encryption won’t change anything about your Proton VPN experience. All users will benefit from this security upgrade without any action required.

During the transition to disk encryption, there will be some temporary outages as we reboot each exit server in turn. The majority of users won’t notice any downtime. If you do, simply switch to a different VPN server. You can also enable the kill switch (if supported on your device) so that even if your VPN connection drops, your device is blocked from sending unencrypted traffic over the network. Full disk encryption is already active on Proton VPN’s Russia servers, and we will be rolling out this upgrade across our entire fleet of servers.

If you have any questions about disk encryption in Proton VPN, feel free to join the conversation on Reddit or Twitter.

Best Regards,
The Proton VPN Team
