Despite its playful design, TunnelBear takes its security seriously. This is a secure VPN — for the most part.
Both the free and paid versions use the AES-256 cipher for Windows, macOS, iOS and Android.
The OpenVPN protocol is used by default and the WireGuard, IPSec, and IKEv2 protocols are also available on iOS and Windows.
Both WireGuard and OpenVPN are secure and reliable VPN protocols, though WireGuard is the current industry standard and our preferred protocol.
Worrying HTML5 Geolocation leaks
IP and DNS leaks can expose personal information like your IP address, physical location, and browsing activity.
Using our IP and DNS leak test tool, we found TunnelBear passed our IPv4/IPv6 leak tests, DNS leak test, and WebRTC test, but it failed to mask our geolocation.
We’re extremely disappointed that even when using TunnelBear’s web browser extension, our HTML5 geolocation was exposed. All top-tier VPNs have some sort of leak-protection or geolocation spoofing in browser extensions and clients to prevent this from happening.
TunnelBear should not leak geolocation details.
Leaking HTML5 geolocation information is very concerning, but it’s not as severe as leaking your IP address or DNS requests. In the worst case, it means users will be blocked from more streaming services and won’t fare well in regions with online censorship.
Ultimately, any sort of information leak disqualifies TunnelBear from ever being a top-tier VPN.
However, it’s not completely beyond salvaging, as you can deny permission for websites to collect your HTML5 geolocation.
HTML5 geolocation is strictly permission-based: each website has to request this information through a browser permission prompt, so you can easily deny it. Denying permission ensures that TunnelBear doesn’t leak your HTML5 geolocation.
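As an added example that is not TunnelBear’s or Cure53’s code, this browser-side JavaScript shows how a site requests HTML5 geolocation, why a denied prompt yields no coordinates, and how a leak test compares the reported position with the VPN exit location; the coordinates and the 200 km tolerance are constructed assumptions.

```javascript
// Added example (not TunnelBear's code): how a web page obtains HTML5 geolocation,
// why denying the permission prompt stops the leak, and what a geolocation leak
// test compares. The coordinates and VPN exit location below are constructed.

const EARTH_RADIUS_KM = 6371;

// Great-circle distance between two lat/lon points (haversine formula).
function haversineKm(lat1, lon1, lat2, lon2) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a =
    Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.sqrt(a));
}

// Ask the browser for a position through the Geolocation API. `geo` is
// navigator.geolocation in a real page (passed in so the logic is testable).
// Resolves to {lat, lon} when the user allowed the prompt, or null when the
// request was denied or unavailable: in that case no coordinates reach the site.
function requestPosition(geo) {
  return new Promise((resolve) => {
    geo.getCurrentPosition(
      (pos) => resolve({ lat: pos.coords.latitude, lon: pos.coords.longitude }),
      () => resolve(null), // PERMISSION_DENIED, POSITION_UNAVAILABLE or TIMEOUT
      { enableHighAccuracy: false, timeout: 5000 }
    );
  });
}

// The leak-test comparison: a browser-reported position far from the VPN exit
// means the site learned the user's real location despite the tunnel.
// `thresholdKm` is a constructed tolerance, not a figure from the review.
function classifyGeolocation(reported, vpnExit, thresholdKm = 200) {
  if (reported === null) {
    return { leaked: false, distanceKm: null, reason: "permission denied or unavailable" };
  }
  const d = haversineKm(reported.lat, reported.lon, vpnExit.lat, vpnExit.lon);
  return {
    leaked: d > thresholdKm,
    distanceKm: Math.round(d),
    reason: d > thresholdKm ? "position does not match VPN exit" : "position consistent with VPN exit",
  };
}

// Usage in a page while connected (constructed exit: a server in London):
// const VPN_EXIT = { lat: 51.5074, lon: -0.1278 };
// requestPosition(navigator.geolocation).then((p) => console.log(classifyGeolocation(p, VPN_EXIT)));
```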
TunnelBear Owns its Bare-Metal Servers
All TunnelBear servers are physical (bare-metal), rather than virtual. They are physically located where you expect them to be.
Furthermore, TunnelBear owns its entire server network, including private DNS servers, so no additional third parties are involved in the maintenance of its servers.
Controlling your server infrastructure goes a long way in preventing security incidents. The NordVPN hack proved that using third-party data centers can pose significant risks.
A report by the Center for Democracy & Technology revealed that each TunnelBear server is protected by full disk encryption, malware scans, and intrusion protection software.
Not many VPNs own their entire server network, let alone an entire bare-metal server network based in the correct locations, which makes TunnelBear stand out among other mid-tier VPNs.
Effective VigilantBear (Kill Switch)
TunnelBear’s VPN kill switch is called “VigilantBear.” It blocks web traffic if the VPN connection gets disrupted. This prevents your true IP address from being exposed, and is an essential feature of any top-tier VPN.
TunnelBear passed our kill switch test on macOS.
VigilantBear is available on Windows, Mac, and Android devices, but not on iOS devices.
This is common due to Apple’s strict guidelines, but it’s still disappointing as it’s not impossible and VPNs like PIA and NordVPN offer a kill switch on iOS.
Additional Security Features
Another useful feature is TunnelBear’s GhostBear protocol. It’s designed to mask your VPN traffic as ‘normal’ HTTPS traffic, making it harder for governments, businesses, and ISPs to detect and block your VPN connection. It will slow your traffic, though.
TunnelBear’s additional features are easy to navigate.
There’s also RememBear (password manager) and SplitBear (split tunneling) for Android.
Regular Security Audits Keep TunnelBear Safe
To prove its commitment to transparency and user safety, TunnelBear has undergone multiple independent security audits.
TunnelBear commissioned cybersecurity company Cure53 to carry out five yearly independent security audits since 2017. These audits looked into TunnelBear’s apps, code, and infrastructure.
In 2019, Cure53 discovered 12 vulnerabilities of varying severity, and helped TunnelBear fix them and guard against similar issues in future. The audit concluded that TunnelBear is “a clear frontrunner among its VPN competitors when it comes to security.”
In 2020, there were “two low, two medium and one high-risk vulnerability” identified. TunnelBear claimed to fix the high-risk vulnerability immediately.
In 2021, Cure53 found four low, nine medium, three high, and three critical-risk vulnerabilities – many more vulnerabilities than the year before.
Importantly, the critical vulnerabilities were found in TunnelBear’s admin platform. They would’ve let attackers hijack admin accounts to “create a new administrator and thereby fully access both the TunnelBear and PolarBear admin portal.”
Cure53 also found one unresolved low-risk vulnerability that it had first reported in 2018 and that was still present in 2021.
While it’s great that TunnelBear commissions regular security audits and addresses most issues quickly, we are concerned that Cure53 continues to find more critical-, high-, and medium-risk vulnerabilities each year.
Missing Technical Features We’d Like to See
TunnelBear is missing some security features we’ve come to expect from premium VPN services. Here are some features we’d like TunnelBear to add:
- Kill switch on iOS.
- Effective leak protection and fixes on geolocation leaks.
- Dedicated or static IP address to counter IP address blocklisting and annoying CAPTCHAs on search engines.
- Double or multihop VPN servers to enhance your security and privacy on your VPN connection.
- Open-source software code to improve transparency and allow users to analyze TunnelBear’s security.
- Smart DNS for bypassing streaming service geo-restrictions.