This post is out of date! To read about TunnelBear’s current encryption, check out this updated blog post.
We get plenty of questions about the encryption TunnelBear uses to protect your privacy. This blog post will provide a brief overview of what we use to create our tunnels.
Encryption is a complicated topic and it’s often not as simple as comparing bitrates and selecting the highest number. If you aren’t familiar with encryption at all, it’s not a bad idea to have a quick read of Wikipedia’s encryption wiki.
A Virtual Private Network (VPN) like TunnelBear is comprised of a protocol and multiple types of encryption: data encryption, data authentication and handshake encryption.
Protocols and devices
TunnelBear uses two different VPN protocols on our network. If you’re using PC, Mac or Android, you’ll be using OpenVPN. OpenVPN is an industry standard, open source protocol. If you’re using an iOS device you’ll be using IPSec, which works best on iOS devices.
This is the symmetric encryption that TunnelBear performs on the data that leaves your computer or device before it travels across TunnelBear’s network and out to the Internet.
HMAC using Secure Hash Algorithm (160bit)
Any information that is sent or received from your computer must be authenticated before it can be decrypted. Data authentication is used to ensure you are who you are and prevent things like a “Man in the Middle Attack”.
TLS v1.2 – Certificate signed with SHA256
RSA-2048— 2048bit Ephemeral Diffie-Helman (DH) key exchange and 2048bit RSA certificate for verification.
An encryption handshake prevents you from unwittingly connecting to an attacker who is impersonating a TunnelBear server.
These protocols and encryption were selected after extensive research and real-world performance testing. So when TunnelBear is “On” you should feel safe and snug knowing you’re in a (strongly encrypted) bear hug.
For additional questions, feel free to email privacy [at] tunnelbear.com.