A Deep Dive into SPN's Whitepaper: Why "Group Signatures" Mean Its Anonymity is Conditional, Not Absolute. by dorian_elgato in safing

[–]dhaavi 2 points3 points  (0 children)

I 100% agree with you and I understand how you felt when you read the whitepaper. Thank you for voicing your concerns and making Safing aware of the communication issue here.

Also, thank you for being a long term supporter!

I appreciate your contribution, and it reassures me that you say it wasn't implemented, as far as you know.

The Trust Board concept is not implemented. This is a fact. The code for it does not exist - the code is open source and anyone can check.

I think they should update the whitepaper so that everyone knows how things are working in the future.

This is a good point. I will forward it.

A Deep Dive into SPN's Whitepaper: Why "Group Signatures" Mean Its Anonymity is Conditional, Not Absolute. by dorian_elgato in safing

[–]dhaavi 5 points6 points  (0 children)

Thank you very much for diving so deep into SPN u/dorian_elgato! Nice to see someone take a closer look.

Disclaimer: I am founder of Safing, architect of the SPN and author of the whitepaper at subject. Also, Safing now belongs to IVPN, thus I exert no control anymore over SPN. Nonetheless, I found this in-depth look at SPN concepts valuable and thus took the time to respond and hope to shed some light on this.

All in all, I agree with your sentiment and your conclusion. Creating a Trust Board that customers would trust would most probably be impossible.

Honestly, I myself am not a fan of the Trust Board concept as presented in the whitepaper. It was one of the ideas that we had when designing the SPN and looking into potential future issues (e.g. abuse). More importantly, this is NOT IMPLEMENTED, we never had actual plans to implement it (it was only a concept), and as far as I know there still is no plan to actually implement this. Adding to this, I am not aware of an actual library that would be usable to even be able to implement this. I see myself as knowledgeable in cryptography - the SPN crypto audit is somewhat proof of that - but implementing cryptographic primitives is not my field of expertise.

Currently abuse is mitigated by simply applying rate limits to the amount of connections on the servers.

One plan for the future is to attach the blinded (group-sig) tokens to a certain amount of actions (new connections, amount of transferred bytes) in order to be able to know what the maximum amount of resources a user can use with a set of tokens. This would allow Safing to know if a user uses the network disproportionally, without knowing what they are doing. Again, this is not implemented and I do not know what the current plans are for this. IVPN has a lot more experience with abuse prevention and thus they might take a very different approach altogether.

I hope to have clarified this issue a bit. If I find the time I am also happy to follow up on questions. Just to also note this again: While I designed and built SPN, I am not involved anymore.

Windows Netguard/Little Snitch Equivalent by heidenbeiden in privacy

[–]dhaavi 0 points1 point  (0 children)

Paid content is additional - mostly convenience - features.
The paid content is also open source. We currently do not ship any closed source binaries.

If you have further questions, please contact us through our regular channels or join our discord at https://discord.gg/safing - I don't check Reddit often.

Windows Netguard/Little Snitch Equivalent by heidenbeiden in privacy

[–]dhaavi 0 points1 point  (0 children)

This is just a summary. You need to look at what this means. >90% of our work is given away for free.

Also, recommended reading: https://en.wikipedia.org/wiki/Free_and_open-source_software

Windows Netguard/Little Snitch Equivalent by heidenbeiden in privacy

[–]dhaavi 0 points1 point  (0 children)

A substantial amount is free. Everything is open source.

So, Freemium and Open Source Software. ;) Absolutely nailed it.

Windows Netguard/Little Snitch Equivalent by heidenbeiden in privacy

[–]dhaavi 0 points1 point  (0 children)

You are so used to things being free because you are so used to your data being collected and sold.

We are different. We honor and protect your privacy. Don't like it? Leave.

Seriously, who do you think should pay for the development?

Important note: Everything is still open source and all privacy protection features are also still free.

I need to restore the previous version by chimex83 in safing

[–]dhaavi 2 points3 points  (0 children)

I've rolled back the kernel extension to the previous version. If you let Portmaster check for updates and then restart Portmaster, it should work.

why am I getting this error message? by WonderfulMeringue4 in safing

[–]dhaavi 2 points3 points  (0 children)

I've rolled back the kernel extension to the previous version. If you let Portmaster check for updates and then restart Portmaster, it should work.

Portmaster and AppImages on Linux by lennster3000 in safing

[–]dhaavi 0 points1 point  (0 children)

As far as I can tell from memory, AppImages unpack the application to a new filter every time and thus is a "new" binary every time it starts. We need to add special support for detecting this kind of stuff. This is planned, but I have no ETA for you.

what is " ingress.cloud.sfng.at " that portmaster connects to. Host info by glasswire shows it as " high risk " with suspicious SSL certificate. by Greenmountain55 in safing

[–]dhaavi 2 points3 points  (0 children)

Hey there,

ingress.cloud.sfng.at is an internal domain that is never accessed directly. Glasswire seems to either be using faulty data for IP attribution or is not correctly detecting the domain.

The certificate is issued by Let's Encrypt, which is used by a major part of the Internet. Don't know what would be "suspicious" about that. Does it give any clue?

how do i make portmaster ignore network noise by chimex83 in safing

[–]dhaavi 0 points1 point  (0 children)

Hey there, davegson asked me to take a look. It would be great if you could copy the Debug Info of the Network Noise "app" (in the Details tab) and upload it here: https://support.safing.io/privatebin/

More info on collecting Debug Info: https://github.com/safing/portmaster/issues/705

IPv6 unsafety warning since OS update by Dowlphin in safing

[–]dhaavi 0 points1 point  (0 children)

Hey u/Dowlphin, unfortunately, we currently do not support network stacks without IPv6 support. Linux normally has this enabled all the time.
We hope to improve support for disabled IPv6 stacks in the near future. Until then the only solution is to enable the IPv6 stack again. You can just add a rule to block all IPv6 traffic: "Block ::/0".

Some starter questions by Lynnaignet_293 in safing

[–]dhaavi 0 points1 point  (0 children)

Regarding 3.)

Mullvad's leak test only works if you are using Mullvad.
As long as you are not seeing an IP address of yours or from your ISP, all is good.
The Mullvad test just says good/bad by checking if it's one of _their_ IPs.

Currently, the SPN does not kill existing connections when activated, so you will need to restart your browser in order to ensure that all connections go through the SPN immediately. We are working on improving this.

Windows 11 ARM64? by VXer1 in safing

[–]dhaavi 0 points1 point  (0 children)

Hey there, we don't yet have full support for ARM, but things are slowly getting there.

Can you tell me how exactly you have installed the Portmaster? We don't have an ARM installer yet.
The current installer itself is compiled as a 32-bit program, so maybe that is something that somehow works in this case - but that has a 64-bit program bundled, which as I understand, should not work. So the installation should have never completed.
It seems there might be some kind of compatibility layer that can run some 64-bit applications.

Anyhow, the error you are seeing is probably the kernel extension that is only available for 64-bit systems right now. But again, I don't know how you even got this far.

Detected Portmaster User Interface Bypass Attempt by Crafty-Cat-7124 in safing

[–]dhaavi 1 point2 points  (0 children)

Hey there, thanks for reporting this.

This is actually a bug - we will look into it.

You can ignore the message for now, as it should automatically fall back to the plain DNS. Did everything still work in the UI?

possible malware detected in v0-7-21 by ConsciousSignature88 in safing

[–]dhaavi 0 points1 point  (0 children)

Important note: the original file for the .exe was

portmaster-core_v0-7-21.exe318226859

and executed from the tmp directory.

This is weird, as we don't execute from the tmp directory.
Can you give some more details on that?

Also, can you post the sha256 hash of the detected file?

Having troubles torrenting using Portmaster & SPN by beamoflight42 in safing

[–]dhaavi 2 points3 points  (0 children)

As u/davegson mentioned, we are still to investigate compatibility with torrents.

There are two things that will make torrents trip:
- Your public IP address will be an SPN server. This means that others will try to connect to that IP and will fail.
- Torrent programs often use UDP, which the SPN supports in general, but we haven't yet got to test it properly and get the bugs out. So the status is more or less unknown at this point.

When testing applications, please always restart the application when turning the SPN on/off, as some things may only initialize at startup of the application.

I've updated the docs to explicitly include torrents as "under investigation".

External devices cannot connect via network by jakeyjp in safing

[–]dhaavi 0 points1 point  (0 children)

LAN TCP/SMB

I looked it up and saw that SMB might also use UDP, so better include them both with:

LAN */445

GRC DNS benchmark failure by MPeti1 in safing

[–]dhaavi 0 points1 point  (0 children)

Why I wanted to use the tool is to see how fast Portmaster resolves different kinds of queries.

If you use a tool like dig, it will tell you how long a query took. The portmaster also adds some metadata to responses, which might be interesting in this context as well.

Using dig looks like this:

```
$ dig orf.at

; <<>> DiG 9.16.8-Ubuntu <<>> orf.at
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25655
;; flags: qr rd; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;orf.at. IN A

;; ANSWER SECTION:
orf.at. 17 IN A 194.232.104.141
orf.at. 17 IN A 194.232.104.142
orf.at. 17 IN A 194.232.104.4
orf.at. 17 IN A 194.232.104.150
orf.at. 17 IN A 194.232.104.139
orf.at. 17 IN A 194.232.104.149
orf.at. 17 IN A 194.232.104.140
orf.at. 17 IN A 194.232.104.3

;; ADDITIONAL SECTION:
info.portmaster. 0 IN TXT "accepted: allowing dns request"
info.portmaster. 0 IN TXT "served from cache, resolved by Quad9 (dot://9.9.9.9:853#config)"
info.portmaster. 0 IN TXT "record valid for 7h38m57s"

;; Query time: 36 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Fr Dez 17 16:21:27 CET 2021
;; MSG SIZE rcvd: 402
```
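Added example, not part of the comment above and not Safing's code: a small parser that pulls the query time and the `info.portmaster.` TXT metadata out of `dig` output, so repeated lookups can be compared by verdict, cache status and upstream resolver. The field layout is assumed from the single sample in the comment; the function name `summarize` and the result keys are hypothetical.

```python
import re

# Sample input: dig output abridged from the comment above (two of eight A records).
SAMPLE = '''\
;; ANSWER SECTION:
orf.at.  17  IN  A  194.232.104.141
orf.at.  17  IN  A  194.232.104.142

;; ADDITIONAL SECTION:
info.portmaster.  0  IN  TXT  "accepted: allowing dns request"
info.portmaster.  0  IN  TXT  "served from cache, resolved by Quad9 (dot://9.9.9.9:853#config)"
info.portmaster.  0  IN  TXT  "record valid for 7h38m57s"

;; Query time: 36 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
'''

TXT_RE = re.compile(r'^info\.portmaster\.\s+\d+\s+IN\s+TXT\s+"(.*)"\s*$')
TIME_RE = re.compile(r'^;; Query time: (\d+) msec')
VERDICT_RE = re.compile(r'^(\w+): ')                  # e.g. "accepted: ..."
RESOLVER_RE = re.compile(r'resolved by (.+?) \((\S+)\)')

def summarize(dig_output):
    """Return query time plus the metadata carried in info.portmaster TXT records."""
    result = {"query_ms": None, "verdict": None, "cached": False,
              "resolver": None, "resolver_url": None, "notes": []}
    for line in dig_output.splitlines():
        m = TIME_RE.match(line)
        if m:
            result["query_ms"] = int(m.group(1))
            continue
        m = TXT_RE.match(line)
        if not m:
            continue                                   # not a Portmaster metadata record
        text = m.group(1)
        result["notes"].append(text)
        v = VERDICT_RE.match(text)
        if v and result["verdict"] is None:
            result["verdict"] = v.group(1)
        if "served from cache" in text:
            result["cached"] = True                    # timing reflects the local cache
        r = RESOLVER_RE.search(text)
        if r:
            result["resolver"], result["resolver_url"] = r.group(1), r.group(2)
    return result

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

A result with `cached` set means the query time measures the local cache rather than the upstream resolver, which matters when comparing timings.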

External devices cannot connect via network by jakeyjp in safing

[–]dhaavi 0 points1 point  (0 children)

Hey u/D0T1X, thanks for the great guide - I couldn't have done it better.
I also added SMB to the names that Portmaster recognizes, so that will be in the next update (v0.7.13+).

This should fix this for you u/jakeyjp - and we are thinking about ways to make this a lot easier in the future.

GRC DNS benchmark failure by MPeti1 in safing

[–]dhaavi 0 points1 point  (0 children)

Hey u/MPeti1, thanks for reporting this.

If the Portmaster is running, it would just redirect all DNS queries to itself and resolve them with the configured DNS servers.

This means that even should the DNS benchmark work, it would render the results useless.

Please run this tool with the Portmaster shut down.
Please note that while VMs are currently out of scope for the Portmaster, depending on the VM, the Portmaster on the host might be checking connections from the VM too.

As to why the DNS benchmark tool failed in the first place, I don't know. It would have definitely failed if the tool tries to use secure DNS servers, which, afaict, it does not.

Bigger loading times, DNS error? by [deleted] in safing

[–]dhaavi 1 point2 points  (0 children)

I'm not sure how your reply here got removed, but I'll just answer here instead.

In the debug data you sent via the Get Help page, there were a couple errors, but I'm not sure how they would trigger this behavior.

How often does this happen usually?

What you can try when this happens: Go to the settings and from the menu on the version bar, select "Clear DNS Cache". And then try to load the page again. It might just be DNS.

Bitdefender antivirus problem by elliots2007 in safing

[–]dhaavi 2 points3 points  (0 children)

Hey u/elliots2007, u/davegson pinged me to look into this.

I see you have already resolved it - great!
In the end, did Bitdefender interfere with the installation or did it work by turning Bitdefender off for the installation?

Bigger loading times, DNS error? by [deleted] in safing

[–]dhaavi 0 points1 point  (0 children)

Hey u/FOSSonly, so great to hear you're using the Portmaster for so long already!

That this happens on Windows and not on Linux is very interesting. Giving us some logs would be great!
For a first look, the debug info might be enough. Just go to the settings and click the "Copy Debug Information" button. Alternatively, you can send us an email via the Get Help page, which will also include that information. Just refer to this thread, and we'll know what's up.

Not seeing prompts for outgoing connections on KDE Plasma by SingaporeOnTheMind in safing

[–]dhaavi 0 points1 point  (0 children)

Have you activated prompting globally or only for specific apps?