When we first started this project, we kept asking ourselves: "How can we make this VPN different? Better? Make it have the best security possible?" We kept coming up with ideas, tossed some out, and kept others and added them in. But one idea really stuck out.
What if we simply encrypt the entire database: every single user who makes an account, their email, username, etc.? We would just not have access to it. How is this possible, you say? Well, we have no reason at all to have your data, or even fetch any of your data without your request.
So what we do is this: your username, email, key (used to track how many connections are active without using your username), concurrents, and all data that could EVER be used to trace back to you will be encrypted with AES-256 with a unique IV, or, as with your username, hashed with SHA512. The encryption key is also unique: it will be your hashed password. Now, how can we decrypt data with your hashed password? Simple: the data only gets decrypted when you log in, or when you make a connection. We do not see ANY of the decrypted results. Only YOU will EVER get the decrypted results. The only exception is when you verify your email, and the email that is sent will be in our "sent" inbox. Do not worry, as ALL emails will be deleted right after being sent.
And your password will be hashed/salted in the database, so we also can't have access to your unhashed password. It only decrypts when you put in your password.
So you might ask: "How do you know my username, email, or the connections I have on the members panel?"
Well, we can't check ourselves. The system only checks how many connections there are when a user generates a file or makes a connection and decrypts it. The data gets decrypted when a user logs in.
Here's how it works:
The user logs in with their unhashed password and unencrypted username.
We hash the username with SHA512 (the longer the username, the more secure). We do this so we can still find who you are in the database when you log in.
Once the login script finds you in the database, it will fetch the encrypted data such as key, email and username. It will then make these into PHP sessions, which are also encrypted with a public key, and the entire process is done over SSL encryption as well.
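The login flow above as an added PHP example, not the service's own code: the function names, field names, PBKDF2 key derivation and GCM mode are assumptions, and the sample account is constructed. It derives the AES-256 key from the password with a separate salt, so the salted password hash stored for login checking cannot itself be used to decrypt the row.

```php
<?php // Added example; names are hypothetical, sample data is constructed.
// Lookup index as the page describes: SHA-512 of the username.
function lookupId(string $username): string {
    return hash('sha512', $username);
}

// AES-256 key from the password with its own salt (assumption), so the
// stored salted password hash can never double as the encryption key.
function deriveKey(string $password, string $kdfSalt): string {
    return hash_pbkdf2('sha256', $password, $kdfSalt, 600000, 32, true);
}

// One field: fresh 12-byte IV, 16-byte GCM tag, ciphertext (GCM is an assumption).
function sealField(string $plain, string $key): string {
    $iv = random_bytes(12);
    $ct = openssl_encrypt($plain, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
    return base64_encode($iv . $tag . $ct);
}

function openField(string $blob, string $key): string {
    $raw = base64_decode($blob);
    $plain = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key,
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16));
    if ($plain === false) throw new RuntimeException('wrong key or tampered field');
    return $plain;
}

function register(array &$db, string $user, string $pass, string $email): void {
    $salt = random_bytes(16);
    $key = deriveKey($pass, $salt);
    $db[lookupId($user)] = [
        'pw_hash'  => password_hash($pass, PASSWORD_DEFAULT), // salted verifier
        'kdf_salt' => base64_encode($salt),
        'username' => sealField($user, $key),
        'email'    => sealField($email, $key),
    ];
}

function login(array $db, string $user, string $pass): ?array {
    $row = $db[lookupId($user)] ?? null;
    if ($row === null || !password_verify($pass, $row['pw_hash'])) return null;
    $key = deriveKey($pass, base64_decode($row['kdf_salt']));
    return ['username' => openField($row['username'], $key), 'email' => openField($row['email'], $key)];
}

$db = [];
register($db, 'alice', 'correct horse battery staple', 'alice@example.test');
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'not the password'));
```

The SHA-512 lookup value is unsalted, so anyone holding the table can test a guessed username against it, which is why the page notes that longer usernames are safer.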
You could also ask, "Doesn't this cost more resources, or waste more time loading pages?" At high load times it could, and we are looking to add more servers to combat this. But we simply want the best security for our users, to the point where we have no idea who our users even are.