If no, then an audit has little to no value as it still implies trusting the vendor not to fudge the binaries or, more broadly, be malicious.
Very few software deployment systems make it possible for binaries to be independently reproduced from published sources by the public. AFAIK, it's limited to systems like Nix, Guix, recent Debian, and other participants in the Reproducible Builds project.
However, even within those systems, if you are downloading a compiled binary instead of building it yourself, how can you be sure that you get the "right" binary every time? Does the binary download system periodically "challenge" the binary provider by building from source and comparing with the downloaded binary? If so, does it report its findings anywhere?
It seems to me that even within a software deployment system that enables users to reproduce binaries, you still end up trusting whoever runs the deployment system, because there are no methods of challenging the reproducibility in a meaningful way. The systems I mentioned above sign the binaries, which means that you implicitly trust the holder of the signing key to send you the right binary. But it doesn't mean anything about the relationship of the binary to some source code.
Having said that, if I am using some program by downloading binaries, I am trusting whoever provides the binaries. If I trust them, then a source code audit is valuable to me, even though I can't be sure the compiled binary is related to the source code.
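The "challenge" described in the comment above (rebuild from public source, compare with what the vendor ships) can be written down concretely. The following is an added example, not code from TunnelBear, Debian, Nix or any other project mentioned here. The "build" is a hypothetical stand-in (a tar of the source tree, gzipped), chosen because both tar and gzip embed timestamps and so show the usual reason a naive build is not reproducible; the source tree, the pinned SOURCE_DATE_EPOCH value and the "published" artifacts are all constructed inline.

```python
"""Reproducible-build challenge: rebuild a published artifact from the
public source and report whether the hashes match.

Added example only. The build step is a stand-in (tar + gzip of a tiny
constructed source tree); SOURCE_DATE_EPOCH is an assumed pinned value.
"""
import gzip
import hashlib
import io
import tarfile

# Assumed pinned build timestamp (July 2017); in real tooling this is the
# SOURCE_DATE_EPOCH environment variable recorded with the build.
SOURCE_DATE_EPOCH = 1500000000

# Constructed sample source tree: filename -> file contents.
SOURCE_TREE = {
    "main.c": b"int main(void) { return 0; }\n",
    "README": b"example project\n",
}

# Constructed "vendor" tree with one extra line the public source lacks.
TAMPERED_TREE = dict(SOURCE_TREE, **{"main.c": b"int main(void) { return 1; }\n"})


def _tar_source(tree, mtime):
    """Archive the tree with every entry stamped with the given mtime.

    Entries are added in sorted order: directory listing order is a second
    common source of irreproducibility, independent of timestamps."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in sorted(tree):
            data = tree[name]
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_naive(tree, now):
    """Build that stamps the wall-clock time into the tar entries and the
    gzip header; two runs a second apart yield different bytes."""
    return gzip.compress(_tar_source(tree, now), mtime=now)


def build_reproducible(tree):
    """Same build with every timestamp pinned to SOURCE_DATE_EPOCH, so
    anyone with the same source can recreate the identical bytes."""
    return gzip.compress(_tar_source(tree, SOURCE_DATE_EPOCH),
                         mtime=SOURCE_DATE_EPOCH)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def challenge(published, rebuild):
    """Independent rebuild: call rebuild() and compare its output with the
    published artifact. A signature on `published` would only tell you who
    shipped it; this comparison is what ties it to the source."""
    rebuilt = rebuild()
    return {
        "published_sha256": sha256(published),
        "rebuilt_sha256": sha256(rebuilt),
        "reproducible": sha256(published) == sha256(rebuilt),
    }


if __name__ == "__main__":
    # 1. Honest vendor, reproducible build: challenge passes.
    good = challenge(build_reproducible(SOURCE_TREE),
                     lambda: build_reproducible(SOURCE_TREE))
    # 2. Naive build: even an honest vendor fails, which hides case 3.
    noisy = challenge(build_naive(SOURCE_TREE, 1500000000),
                      lambda: build_naive(SOURCE_TREE, 1500000001))
    # 3. Vendor built from a tree that differs from the public one.
    fudged = challenge(build_reproducible(TAMPERED_TREE),
                       lambda: build_reproducible(SOURCE_TREE))
    for label, r in (("honest", good), ("naive", noisy), ("fudged", fudged)):
        print(f"{label:7} reproducible={r['reproducible']} "
              f"published={r['published_sha256'][:16]} "
              f"rebuilt={r['rebuilt_sha256'][:16]}")
```

The point the comment makes is visible in case 2: unless the vendor's own build is reproducible, a third party cannot distinguish an innocent timestamp from a modified binary, so the challenge carries no information. Only once case 2 is eliminated does a mismatch (case 3) mean anything, and only a party other than the signing-key holder running the challenge and publishing the result removes the need to trust that key holder.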
There is some value in a third party verifying the system design (the architecture, the protocol, etc.) and general engineering practices in the company, but this still hinges on the need to trust this company not to be (or be coerced into being) malicious. TunnelBear hasn't established the latter, so - yes, there's little to no value in the former. There is some marketing value in it though.
PS. Zimmermann's original secure VoIP project was rooted in the idea of reproducible builds. It was open source, but with a license that prohibited any use except for verifying binary builds. It was 20 (?) years ago.
What would it take to convince you that a VPN service was trustworthy?
Given they provide a VPN service, trusting the binaries is only going to take you so far.
There can be some use for these services if you are very careful with everything you do while connected. But the risk of transmitting usernames, emails, passwords, and CC numbers accidentally while still connected is too great IMO.
I stick to openvpn providers and use my own software.
Seriously. Both get paid and provide Internet connectivity. Both have incentives to do something to your traffic if it had no negative consequences (financial, legal or just moral) for them.
The only non-technical difference is that VPNs have a lot of competition (so the free market actually works) and in some countries/areas telcos have near-monopolistic positions.
That doesn't mean that VPNs are universal friends of your privacy and ISPs are its foes. Just that there is some imbalance.
The test looks good, down from 3 criticals and 3 high to just 1 high. I'd be interested if they could expand on the 4 medium findings found. It's not the full report.
Thanks for the good work!
Their Linux support is limited (i.e. no client), but it is there. You just need to do the configuration (somewhat) manually. It worked pretty well when I used it a few months ago on my Mint box.
Instead, what we have is a PDF (4 pages long) with the title "TunnelBear Security Assessment Summary 07.2017" and an equally long web page claiming how awesome and transparent this is.