Found 2 security flaws in ProtonVPN's Chrome/Brave extension

  1. When using Brave or Chrome, if you access a website immediately upon launching the browser or if the browser is set to resume previous sessions, your IP address will be exposed before the Proton VPN extension fully loads/connects. This presents a significant security issue.
  2. Again with the Chrome/Brave Extension, if you enable “Secure Core” and “Auto Connect” it will auto connect without connecting to Secure Core. It’s not until you disconnect and reconnect that it connects via Secure Core.

I was very impressed with Proton’s desktop and iOS VPN app, but it is concerning they would release a half-baked Chrome extension like this with obvious security flaws.

Note that the root of this issue is how the browsers work, and a VPN browser extension (ours or any other) cannot bypass it. The Proton VPN browser extension is intended to complement the Proton VPN desktop app, providing a quick and convenient way to protect your privacy when browsing the internet. We’ve solved this on the desktop apps (Windows and Linux ones) with the Permanent Kill Switch. If your threat model includes advanced security and anonymity, you should use the desktop and mobile Proton VPN apps only: https://protonvpn.com/support/browser-extensions/#faq.

Regarding the second issue, this should be fixed in the latest version (1.0.5), so please check whether your app is up to date. If it is and you’re still experiencing this, contact support, and we’ll have a closer look.

Browser extensions don’t have the power to force browsers to wait for them to be running before starting to make requests if the browsers decide otherwise.

AFAIK, no VPN extension can work around this limitation (issue 1).

Also note this quote from
https://protonvpn.com/support/browser-extensions/#features

> you should use our full VPN app if security is a high priority for you

The browser extension is convenient for geo-blocking and as a complementary helper; it’s also better than nothing if you cannot install the desktop app on the device. However, if you can, then the desktop app is the way to secure your entire traffic.

Are you trying to say it’s technically not possible to add a “kill switch” like feature into a Chrome extension?

How does uBlock have an option to block all browser traffic until filter lists are loaded, then?

Or install Proton on your router, and just set it up and forget it.

You make a valid point about the limitations of browser extensions in controlling the browser’s start-up requests. However, I believe the issue lies not in the initial loading of the extension, but in the time taken to establish a connection. A potential solution for this would be for the extension to block all TCP/IP communication from the browser until it establishes a connection, especially if set to ‘auto connect’. Given the emphasis on security, it’s surprising that this feature isn’t already implemented in their Chrome/Brave extension. Moreover, incorporating a kill switch into the extension seems feasible and important, as it would use similar mechanisms to those needed during the connection phase.
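As an added illustration of the mechanism the two posts above argue about (uBlock's "block until loaded" option and a "block until connected" gate plus kill switch), here is a Manifest V3 service-worker sketch. This is not Proton's code and not from the original thread; the ruleset id "fail_closed", the proxy host, the check URL and the manifest excerpt are assumptions for illustration.

```javascript
// Added example, not code from Proton or the original post. A fail-closed
// "block until the tunnel is up" gate for a Manifest V3 extension, built on
// chrome.declarativeNetRequest static rulesets plus chrome.proxy. The ruleset
// id "fail_closed", PROXY and CHECK_URL are assumptions for illustration.

// Assumed manifest.json excerpt. The ruleset is declared static and enabled so
// the browser enforces it from profile load, without waiting for this worker:
//   "permissions": ["declarativeNetRequest", "proxy"],
//   "host_permissions": ["<all_urls>"],
//   "declarative_net_request": { "rule_resources": [
//     { "id": "fail_closed", "enabled": true, "path": "fail_closed.json" } ] }
// Assumed fail_closed.json: rule 1 blocks everything; rule 2 (higher priority)
// allows only the tunnel health check so the gate can verify the proxy:
//   [{ "id": 1, "priority": 1, "action": { "type": "block" },
//      "condition": { "urlFilter": "*" } },
//    { "id": 2, "priority": 2, "action": { "type": "allow" },
//      "condition": { "urlFilter": "||vpn-check.example/" } }]

const FAIL_CLOSED_RULESET = "fail_closed";
const PROXY = { scheme: "https", host: "proxy.example", port: 443 }; // assumption
const CHECK_URL = "https://vpn-check.example/ip";                      // assumption

const State = Object.freeze({ DOWN: "down", CONNECTING: "connecting", UP: "up" });

// Pure policy: only UP releases the block; every other state fails closed,
// which is what lets the same gate act as a kill switch.
function rulesetUpdateFor(state) {
  return state === State.UP
    ? { enableRulesetIds: [], disableRulesetIds: [FAIL_CLOSED_RULESET] }
    : { enableRulesetIds: [FAIL_CLOSED_RULESET], disableRulesetIds: [] };
}

// The gate applies the policy through an injected function so it can be
// exercised outside a browser.
class TunnelGate {
  constructor(applyRulesets) {
    this.state = State.DOWN;
    this.applyRulesets = applyRulesets;
    this.history = [];
  }
  transition(next) {
    const update = rulesetUpdateFor(next);
    this.state = next;
    this.history.push([next, update]);
    this.applyRulesets(update);
    return update;
  }
}

// Scripted run with a recording applier: connect, then lose the proxy.
function runScenario() {
  const applied = [];
  const gate = new TunnelGate((u) => applied.push(u));
  gate.transition(State.CONNECTING); // still blocked
  gate.transition(State.UP);         // block lifted
  gate.transition(State.DOWN);       // proxy error: blocked again
  return { finalState: gate.state, applied };
}

// Browser glue; runs only inside an extension service worker.
if (typeof chrome !== "undefined" && chrome.declarativeNetRequest && chrome.proxy) {
  const gate = new TunnelGate((u) => chrome.declarativeNetRequest.updateEnabledRulesets(u));

  async function connect() {
    gate.transition(State.CONNECTING);
    await new Promise((resolve) =>
      chrome.proxy.settings.set(
        { value: { mode: "fixed_servers", rules: { singleProxy: PROXY } }, scope: "regular" },
        resolve
      )
    );
    // Verify the tunnel before opening the gate; any failure stays closed.
    try {
      const res = await fetch(CHECK_URL, { cache: "no-store" });
      if (res.ok) gate.transition(State.UP);
    } catch (_) { /* remains blocked */ }
  }

  chrome.runtime.onStartup.addListener(connect);
  chrome.runtime.onInstalled.addListener(connect);
  chrome.proxy.onProxyError.addListener((err) => {
    if (err.fatal) gate.transition(State.DOWN); // kill switch
  });
}
```

Two caveats a practitioner would check before relying on this: whether the browser actually enforces a static declarativeNetRequest ruleset against session-restore requests issued before the extension system is initialised is exactly the point the thread disputes, and is something to confirm with a packet capture on a cold start rather than assume; and declarativeNetRequest only sees HTTP(S)/WebSocket requests, so traffic such as WebRTC ICE candidates is outside the gate.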

The only thing worse than a lack of security is the illusion of security.

Correct. The delay in loading a local extension is very short in comparison to the delay in connecting to a remote server.

This discussion isn’t about best practices for security, but rather two security flaws found in ProtonVPN’s Chrome/Brave extension which should be addressed immediately. Everyone has different use cases.

When you don’t follow “best practice” it causes issues like the one you are having. It isn’t a “security flaw” at all. It is a limitation of the most insecure way to use Proton.

Sorry bud, hard disagree. Tunneling exclusively all HTTPS traffic through a VPN doesn’t need to be inherently insecure. The only reason it is insecure is because of these two oversights. If those two oversights were corrected, the extension would be just as secure for browsing as a system-wide setting or a router-based solution for HTTPS traffic. It’s wild to me how this subreddit isn’t encouraging Proton to make better products, but rather excusing their shortcomings. I’m a big fan of ProtonVPN; that’s why I am posting this, so they can better their software.

Love it when someone starts off with “bud”. What if the poster is female? Is she still a bud? Also, you must have skipped the part where they talk about all extensions having to wait on the browser.