Blog Post

VyprVPN provider starts using proprietary Chameleon protocol for anonymity

Stay on Top of Enterprise Technology Trends

Get updates impacting your industry from our GigaOm Research Community
Join the Community!

Virtual private network (VPN) provider Golden Frog says it has come up with a new proprietary protocol for masking VPN traffic, in order to bypass blocks in places like China.

VPNs are quite good at providing privacy, but not generally anonymity – those who run systems such as the Great Firewall of China are quite adept at using deep packet inspection to spot whose traffic is VPN-protected. The new Chameleon protocol, for use by premium customers of Golden Frog’s VyprVPN service, is supposed to thwart such efforts in an easy-to-set-up way.

“The protocol scrambles any of the [VPN] metadata and makes it disappear,” Golden Frog president Sunday Yokubaitis told me. “We’ve had it in beta since the Fall. We have a customer in Iran that’s getting through now – it has a variety of uses for business and getting through when you’re travelling.”

Unfortunately, Yokubaitis wasn’t keen on sharing much in the way of detail about how Chameleon works, apart from that it “randomizes” metadata properties for the traffic and is based on 256-bit SSL, because the protocol is proprietary.

I pointed out that this may make it a hard sell given the current climate of post-Snowden distrust in security mechanisms – open source is no panacea, but it does at least give professionals the chance to poke around and see what’s what. Yokubaitis acknowledged this concern – “transparency creates trust and we understand that” – but said the firm still wasn’t sure whether it would open Chameleon up to inspection or not.

On the plus side, Golden Frog says it manages its own global network of servers, it doesn’t keep traffic logs, and it’s incorporated in Switzerland, a jurisdiction with very strong privacy laws. The company itself is located in Austin, Texas, along with other Yokubaitis family businesses such as data center outfit Data Foundry.

UPDATE (29 January): Golden Frog has sent me the following note to provide a bit more detail on Chameleon’s functioning:

“Chameleon scrambles OpenVPN packet metadata to ensure it’s not recognizable via deep packet inspection, while still keeping it fast and lightweight. The Chameleon technology uses the unmodified OpenVPN 256-bit protocol for the underlying data encryption. The result is that VyprVPN users are able to bypass restrictive networks put in place by governments, corporations and ISPs to achieve an open internet experience without sacrificing the proven security for which OpenVPN has long been known.”

4 Responses to “VyprVPN provider starts using proprietary Chameleon protocol for anonymity”

  1. I was looking to purchase vyprvpn and asked a customer service rep directly what their policy was on logging information. This was the response. Word for word. “We log the time connected and amount of data transferred, this is maintained for use with billing, troubleshooting, service offering evaluation, TOS issues, AUP issues, and for handling crimes performed over the service. We maintain this level of information on a per-session basis for at least 90 days. We may keep upload & download bytes at an aggregate level for longer periods of time.”

    In other words your ISP may not know you’re connected to a VPN and can’t log or see what you’re doing, but if you get caught doing something illegal online they have no problem handing your s***t over to the authorities, as in they log what you’re doing. IMO I would go with cyberghost if you want complete anonymity. Check out their terms/FAQ, they’re pretty hard pressed about the issue.

  2. I would stay away from this for many reasons.. Proprietary is not as safe as open source. Clever people could try to reverse engineer chameleon and exploit it.

    Also on Golden Frogs page shows they keep 90 days of logs, and as for Swiss having very strong privacy laws — didn’t they hand over swiss bank account information to the USA Feds when pressured?