12 Reasons Prolaag is more secure than every other VPN

The Prolaag Hardware VPL (Virtual Private Link) is a special type of VPN appliance - it uses encryption to securely tunnel traffic between private networks, but it also provides air-gap style network isolation. Here’s a list of some of the reasons this approach - and our particular implementation of it - is unparalleled in terms of digital security.

  1. Physical Separation between public and private networks. This little box has two CPUs, each with its own distinct physical memory. One CPU (“black side”) handles internet communication while the other (“red side”) provides cryptography and internal private networking. The black side never has access to keys or plaintext, and the red side never has access to the internet. This helps keep your sensitive data out of reach.
  2. No Middle Man. Although intermediaries can make things convenient - a trusted third party can help you locate your peers, set up encrypted channels, etc - these conveniences come at a price. A compromise of that third party also compromises your privacy. With Prolaag’s hardware VPL there is no middle-man to breach or receive an NSL with your name on it. All connections are 100% peer to peer. This also means that once you’ve got the hardware, it’s free to use forever.
  3. Aggressively Symmetric Crypto. Public-key schemes like RSA only make decryption “infeasible”, where the definition of feasibility is subject to the technology and resources of your adversary. Prolaag’s hardware VPL uses AES and One-Time Pad. The downside: you have to distribute keys yourself. The upside: you have a little black box sitting on your desk that offers provably secure encryption.
  4. Quality Entropy is essential to cryptography. Each Prolaag device comes with an auditable hardware random number generator for pad and key generation, as well as an environmental software entropy pool for an independent overlay.
  5. Full Key Erasure in both AES-only and OTP modes. A compromise of an active endpoint in an ongoing communication does not compromise prior communications - Prolaag’s VPL forgets its chain secrets on each reconnection (and in OTP mode, on each packet). Key information is securely erased from persistent storage on both ends of a connection before it’s used. This means that if law enforcement records your encrypted traffic, and then raids your property and seizes your appliance, they still can’t decrypt your conversation.
  6. Minimized Attack Surface Area. We’ve gone to great lengths to reduce the executable footprint of our appliance. There’s no operating system, no 3rd party device drivers, and no irrelevant code. The black side only contains about 3,100 lines of code (less than 1% the size of OpenSSL), including all firmware, embedded DNS and DHCP clients, and just enough of an IP stack to route VPN packets. It doesn’t even have TCP support. This means fewer potential footholds for attackers and better focus for code audits.
  7. Focus on Testing. Most of our development effort is spent building automated, demonstrative tests. We have multiple overlapping test frameworks that simulate all the way down to discrete hardware components and all the way up to multiple connected networks. These allow us to write meaningful tests at every abstraction layer and strictly maintain 100% line coverage for both our software and our firmware.
  8. Tight Memory Management helps us eliminate some of the most dangerous software design pitfalls. Heap space is not allocated or freed after system initialization, stack growth is fully characterized and tightly constrained, and all buffer accesses are protected by stack and heap canaries. The red side, for instance, uses exactly 108.6kB of heap space regardless of what it’s doing, and within that footprint it provides encryption, manages configuration, gathers entropy, charges pad devices, and runs a minimized TCP/IP stack with DNS, DHCP, TFTP, SIP, and HTTP services.
  9. No 3rd Party Dependencies. Other than libc (2nd party), no software libraries are used by the Prolaag Hardware VPL. The product’s web UI (optionally) uses JavaScript libraries to improve user experience, but all the firmware, hardware, and software running on this appliance was designed and developed in-house.
  10. No printf()-Style Calls. Avoiding these functions eliminates another class of potential insecurity - format string vulnerabilities.
  11. No DRM. Ever.
  12. Experience. Everyone at Prolaag - from development to marketing to fabrication - joined the company with years of professional security experience. Half of us have worked as cleared defense/military contractors inside the US, and we’ve come together from companies like Ball Aerospace, Internet Security Systems, Lockheed Martin, Microsoft, Amazon, and McAfee to build products of uncompromising security.
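
The erase-before-use ordering described in item 5 for OTP mode, as an added sketch that is not Prolaag's code: pad bytes are copied out of storage, the stored copy is zeroed, and only then is the packet XORed. The `pad_t` layout, the function names and the in-RAM array standing in for persistent pad storage are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAD_SIZE 64          /* constructed: tiny pad for the demo */

/* Hypothetical model of one endpoint's persistent pad storage. */
typedef struct {
    uint8_t store[PAD_SIZE]; /* stands in for the pad device */
    size_t  next;            /* first unused pad byte */
} pad_t;

/* Zero memory through a volatile pointer so the compiler cannot
 * drop the erase as a dead store. */
static void secure_erase(void *p, size_t n) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    while (n--) *v++ = 0;
}

/* XOR len bytes of in with fresh pad into out (same call encrypts
 * and decrypts). The pad is erased from storage BEFORE it is used,
 * and the RAM copy is erased after. Returns -1 without touching
 * the pad if not enough unused pad remains (no reuse, ever). */
int otp_xor(pad_t *pad, const uint8_t *in, uint8_t *out, size_t len) {
    uint8_t key[PAD_SIZE];
    if (len > PAD_SIZE - pad->next) return -1;
    memcpy(key, pad->store + pad->next, len);
    secure_erase(pad->store + pad->next, len);   /* erase first */
    pad->next += len;
    for (size_t i = 0; i < len; i++) out[i] = in[i] ^ key[i];
    secure_erase(key, len);
    return 0;
}

/* Non-zero bytes left in store[0..upto): what someone seizing the
 * device afterwards could still read from that region. */
size_t pad_residue(const pad_t *pad, size_t upto) {
    size_t n = 0;
    for (size_t i = 0; i < upto; i++) n += pad->store[i] != 0;
    return n;
}

/* Constructed, non-zero pad fill; a real device would use its RNG. */
void pad_fill_demo(pad_t *pad) {
    for (size_t i = 0; i < PAD_SIZE; i++)
        pad->store[i] = (uint8_t)(i * 37 + 11) | 1;
    pad->next = 0;
}
```

Both endpoints must consume the same pad offsets in the same order; the sketch does not model packet loss or resynchronisation.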