Technical specs / architectural questions

Hi,

 

Have you got a technical architecture / flow diagram of Freedome that can be shown to the customers?

 

Would be nice to see what happens to the traffic, what kind of decision points there are, where the traffic goes and have a list of actions done to the traffic.

 

Without seeing the diagram, I had a few open questions that I could verify to some extent, but it's quicker to just ask:

 

  • Does Freedome intercept SSL/TLS traffic?
  • If not, what about tracking cookies or malicious packages inside encrypted traffic?
  • If yes, does it also intercept e.g. web bank traffic?
  • If yes, what kind of cipher suites are used at client side and which CAs are trusted for server certs?
  • Does one communicate directly with the each country's VPN concentrator, or does the traffic go inside from one country to another inside some kind of internal network?
  • Who and how is decided, which tracking cookies / sites are blocked?

Thanks in advance!

Best Answer

  • BenBen Posts: 2,640
    Accepted Answer

    Hello Psillanp,

     

    Here are the answers to most of your questions:

     

    • Have you got a technical architecture / flow diagram of Freedome that can be shown to the customers?

    Unfortunately, nothing of the kind is available at this point.

     

    • Does Freedome intercept SSL/TLS traffic?

    No, Freedome does not intercept SSL/TLS. Intercepting and decrypting encrypted traffic would be a dangerous capability to have on our servers. It would be very privacy invasive too.

     

    • If not, what about tracking cookies or malicious packages inside encrypted traffic?

    They will all go unnoticed.

     

    • Does one communicate directly with the each country's VPN concentrator, or does the traffic go inside from one country to another inside some kind of internal network?

    The customer communicates directly with the VPN concentrators of the selected country. Going via additional countries would increase latency and reduce performance quite noticeably.

     

    • Who and how is decided, which tracking cookies / sites are blocked?

    F-Secure Labs maintains a database of tracking networks and advertisement networks. Our Labs has 24/7/365 staffing to update the database through our Real-Time Protection Network as necessary.

    The database tags tracking and analytics services so that Freedome blocks the requests completely.

    All cookies are stripped from requests going to advertisement networks, causing advertisements to be shown without any targeting.
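
The filtering behaviour described in the accepted answer, as an added example that is not part of the original post and is not F-Secure code. The database entries, category names and function names are assumptions made up for illustration; the sketch also follows the answer's statement that encrypted traffic is not inspected.

```python
"""Model of the per-request policy from the answer above (illustrative only)."""

# Constructed sample entries; the real database is maintained by F-Secure Labs.
CATEGORY_DB = {
    "tracker.example": "tracking",
    "stats.example": "analytics",
    "ads.example": "advertising",
}


def categorize(host):
    """Return the category of host or of its closest listed parent domain."""
    labels = host.lower().rstrip(".").split(".")
    # Match on whole labels so "nottracker.example" does not hit "tracker.example".
    for i in range(len(labels)):
        category = CATEGORY_DB.get(".".join(labels[i:]))
        if category:
            return category
    return None


def filter_request(host, headers, encrypted):
    """Return (action, headers) for one outgoing request."""
    if encrypted:
        # No TLS interception: headers and cookies are not visible,
        # so the request passes without inspection.
        return "pass-uninspected", headers
    category = categorize(host)
    if category in ("tracking", "analytics"):
        # Tagged tracking and analytics services are blocked completely.
        return "block", None
    if category == "advertising":
        # The ad still loads, but without cookies it cannot be targeted.
        kept = {k: v for k, v in headers.items() if k.lower() != "cookie"}
        return "strip-cookies", kept
    return "pass", headers
```
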

Answers

  • PaiviPaivi Posts: 80

    Hello,

     

    Sorry for the delay with our response. We don't, unfortunately, have such technical documentation available. I will, however, collect the answers to your good questions and get back to you next week.

     

    Best,

    Päivi, Freedome product manager

  • PaiviPaivi Posts: 80

    Regarding the cipher suite question:

     

    Control channel: TLS, 2048 bit RSA auth, typically AES256+SHA1 HMAC but depends on client capabilities
    Data channel: Blowfish with 128-bit key + SHA1 HMAC

     

    For data channel we're about to switch to AES-128 instead of Blowfish.

This discussion has been closed.