Is the ZenMate VPN possibly spying on their users?

So I’ve noticed that some of the ZenMate VPN servers will give you an error screen when a site doesn’t exist that appears to be powered by the squid proxy server (they removed the tag at the bottom, same page design and same error codes). Their support denied that they are logging traffic. When I sent them the same image they didn’t respond again.

It looks like they’re hiding something. You can see a screenshot of the error at: http://imgur.com/EGnrAg3 Now with that screenshot (I cropped it so as to avoid showing other information that was open in my browser at the time), do you think that the ZenMate VPN is monitoring / logging their users’ usage of the service?

The screenshot doesn’t say anything.

You send a request to your VPN (let’s say google.com). The VPN takes this request. Yes, they do know and must know that it is google.com; they actually store this information until the full request is finished (so they know where to send the response) and you got your result back. This does not mean that they write any permanent logs. Now it tries to find the server IP via normal DNS lookup (looking in internal cache, if this fails asking the next best DNS server if it ever heard of a thing called google.com, which may in turn go up the DNS hierarchy). It fails on all DNS levels.

Now it could just return that error and you would get the normal error message that your browser shows in such a case. But for some reason their server seems to be configured to wrap the error in this HTML page. Not exactly necessary but also no clear sign that they would store any data or spy on you.

They responded with the following:


Anna (ZenMate Support)
Jul 19, 18:45 CEST

Hi again Nathaniel,

Thanks for getting back to me. Please be assured that we are not spying on our users. As a security company based in Germany, under strict German laws, we cannot, nor do we want to store or log any personal data of our users.

Regarding your initial question, by anti-virus, I’m assuming you are referring to our Web Firewall (ad-blocker) browser extension. Please correct me if I’m wrong.

In order for the malware protection in the Web Firewall to function, the extension reads the URL request and compares it against a malware list. If a match is found, the URL gets blocked. If there are no matches, the request goes through.

To handle these requests, a Squid, or something similar is required. Without this, the service would be impossible to provide. Squid logs exactly what you tell Squid to log. We have told Squid to log only the minimum data required so that these requests cannot be assigned to any users.

I hope this answers your question! If I misunderstood you, or if anything is still unclear, please let me know.

All the best.

Anna || ZenMate Support Team

Zenmate have added adware to the extension today, so you might as well uninstall it anyway. 🙂

Exactly, their server modified the request rather than forwarding traffic. It means they modified my traffic before sending it back. Also, from what I understand, the Squid proxy server keeps access logs with the user IP address and the accessed site. How hard would it be now to use those logs, link them to accounts (and their version of the Squid proxy server looks ever so slightly custom), and then hand them over upon request? It’s a possibility that the intercepting proxy that wraps the errors is also configured to log your traffic.

Sure. But that holds true for every VPN service. They must know what you want to get out of the web. The term ‘google.com’ must exist in clear text for some time at least in the proxy memory. Also they must store at least some request id to be able to return results (this may be anonymous somehow).

The DNS server will always return the requested URL with the error message, so even if they would not store it, they would have it again now and can wrap it into that page.

More or less every proxy server can be configured to store permanent logs if this is wanted or it can be turned off if not. (Also even if the proxy server itself wouldn’t do it they could just put some other software in between, you wouldn’t notice that).

Whether they keep permanent logs may mostly be a question of local law.

So conclusion: Sure it’s possible. But nothing from that screenshot makes it look more likely than for any other VPN. All you can actually see is that they wrap one error message instead of passing the error.

Just the fact that they’re using a proxy is concerning but they have the capability to start logging in mere minutes (simple to add two lines to the configuration and reload). There isn’t a reason that they can’t simply pass the error message. It’s only on one of their servers not all. But still the fact they’re doing it is very suspicious.
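
What "Squid logs exactly what you tell Squid to log" comes down to, as an added example that is not part of the original thread and does not reflect ZenMate's configuration: a small Python audit that reads the text of a squid.conf and reports whether an access log is written and whether client addresses appear in it in full, masked, or not at all. The sample configurations are constructed, and the audit ignores ACLs and include files.

```python
import re

# Squid's built-in log formats; each of them includes %>a (client source IP).
BUILTIN_FORMATS = {"squid", "common", "combined", "referrer", "useragent"}
# %>a = client IP, %>A = client FQDN, allowing Squid's quoting/width modifiers.
CLIENT_ADDR = re.compile(r'%["\[\'#/]?-?\d*(?:\{[^}]*\})?>[aA]')

def audit_squid_logging(conf_text):
    """Return (logging_enabled, client_address) for the text of a squid.conf.
    client_address: "full", "masked", "omitted", or "n/a" if nothing is logged.
    Simplified: ACLs on access_log and include files are ignored, and any
    access_log line other than "none" counts as logging (conservative)."""
    formats, access_logs = {}, []
    netmask = "255.255.255.255"  # Squid default: client addresses are not masked
    for raw in conf_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        key, args = tokens[0], tokens[1:]
        if key == "logformat" and len(args) >= 2:
            formats[args[0]] = " ".join(args[1:])
        elif key == "access_log" and args:
            access_logs.append(args)
        elif key == "client_netmask" and args:
            netmask = args[0]
    if not access_logs:  # no directive at all: Squid writes its default access.log
        access_logs = [["daemon:/var/log/squid/access.log", "squid"]]
    active = [a for a in access_logs if a[0] != "none"]
    if not active:
        return False, "n/a"
    records_addr = False
    for args in active:
        name = "squid"  # format used when the access_log line names none
        for tok in args[1:]:
            if tok.startswith("logformat="):
                name = tok.split("=", 1)[1]
            elif tok in BUILTIN_FORMATS or tok in formats:
                name = tok
        if name in BUILTIN_FORMATS or CLIENT_ADDR.search(formats.get(name, "")):
            records_addr = True
    if not records_addr:
        return True, "omitted"
    return True, "full" if netmask == "255.255.255.255" else "masked"

# Constructed sample configurations (not ZenMate's actual settings).
DEFAULT_LIKE = "http_port 3128\n"
MINIMAL = "logformat minimal %ts %>Hs %<st %rm\naccess_log daemon:/var/log/squid/access.log minimal\n"
MASKED = "access_log daemon:/var/log/squid/access.log squid\nclient_netmask 255.255.255.0\n"
DISABLED = "access_log none\n"
```

A configuration with no `access_log` line at all still reports `(True, "full")`, because Squid's default is to write an access log in the `squid` format, which records the client address.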
