Windscribe Features
Rating:4/5
Price:Free, $1 – $9 per month
Refund period: 3 days
Based in which country: Canada
# devices per license: Unlimited
# servers: Unknown
Server locations:110 locations in 67 countries, including USA, Canada, UK, Japan, Russia, France, and Germany
Streaming sites unblocked: Netflix, Disney+, BBC iPlayer, ABC, and NBC
Supports torrenting: Yes
Does VPN keep logs:No
24/7 customer support: Yes
Website: https://windscribe.com/

Windscribe started up in 2016, and it has its headquarters in Richmond Hill, Ontario, Canada. This VPN system entered a market that already had a number of excellent VPN providers, and so the company had to work hard to get noticed. Windscribe focused on innovative privacy tools in its browser extension that showed the established VPN services what could be done. Many rivals followed Windscribe’s example by adding tracker blockers and a Web page scanner for malware.

One of the reasons that users subscribe to VPN services is to unblock geo-restricted access to video streaming services. The development team made sure that Windscribe works well with Netflix, and particularly US Netflix, which everyone wants to get into. In the VPN industry, cracking the proxy detection system in the Netflix server is the touchstone of achievement.

The outstanding feature of Windscribe is its free VPN service. This is one of the best in the business and offers some of the best privacy features of the paid version, which is called Windscribe Pro. Over its years of operation. Windscribe has focused on improving and extending its privacy and anti-malware tools, which makes this one of the best systems available for Web cybersecurity.

The Windscribe marketing team constantly thinks up quirky promotions and makes entertaining promotional videos that endear existing customers to the VPN service and win new fans.

Privacy and security are the strong points of the Windscribe app. The VPN provider has invested a lot in expanding its security features.

Legal protection

Canada is a Five Eyes nation – a collection of English-speaking countries (USA, UK, Canada, Australia, and New Zealand) that share intelligence information. The Five Eyes secret services get around national laws that prevent them from spying on their own populations by allowing each other to spy within their borders and then pass the information on.

Internet service providers (ISPs) in Canada are expected to retain all activity data on their customers for 6 months, which can be extended to 12 months with a court order. These obligations do not extend to VPNs. However, a court order can make a VPN gather and hand over data as part of an investigation.

Copyright lawyers, including those from the USA, are allowed to prosecute private individuals for illegal downloads and torrenting under copyright infringement laws. The compensation that can be sought under the Copyright Modernization Act is capped at $5,000 per infringement.

The location of Windscribe’s head office means that the activities of its users are subject to Canadian laws even if they never go there. However, the circumstances around data retention requirements for VPNs make it unlikely that any Windscribe customer will ever be caught out for copyright infringement.

Windscribe logging policy

The question of whether a VPN service retains logs is very important. In the case of Windscribe, the short answer is that it doesn’t keep any activity logs. This has to be modified in the long version because the company does record some information about the VPN connections of its users.

The main requirements for this data retention relate to billing rather than torrenting. As the users of the free VPN have a data throughput limit each month, the system needs to record how much data has passed through each account. That cumulative number gets resent each month.  The system also records a timestamp of the last time an account was active. These two pieces of data would be of no use to copyright lawyers or law enforcement agencies.

Windscribe’s Privacy Policy states that live connections are managed in memory on the VPN server. That means that there are never records written to a hard disk on the VPN server.

A VPN replaces the IP address of its customer with one of its own IP addresses for the duration of a VPN session. The Windscribe website doesn’t explain exactly how they implement this. However, the service seems to manage that mapping, with is called Network Address Translation (NAT) in memory. There is no need to retain that information once the session ends.

Every computer connected to the internet has to have an address that is unique throughout the world. This is called the IP address.  So, your computer is assigned an IP address, and every Web site that you visit has an IP address. When your browser sends a request to a Web server for a page, your ISP records that you accessed that website and keeps that record for 6 months (in Canada) – in other countries, that period might be longer.

A VPN masks traffic between your computer and its server. This is called a tunnel, and it encrypts all traffic so that your ISP can’t see which Web server you are really in connection with. It only sees the address of the VPN server.

Your traffic passes through the VPN server, and when it does, the VPN service takes out your IP address in the source address field and puts in one of its own. When the Web server receives a request, it sees who it came from, and that isn’t you. The server sends back a response. That goes to the return address, which is owned by the VPN. The VPN server looks in its NAT table, sees that address represents you, replaces it with your real address, and then sends it to you through the protected tunnel.

So, no one logs your activities in either direction.

Copyright lawyers might get hold of ISP logs, but they won’t see that you have been downloading movies without paying because all of your connections are addressed to a Winscribe server. Getting a court order to force Windscribe to start tracing your activities would be a little more difficult than just seizing existing records. The copyright lawyers and law enforcement agencies would need to have proof of your illegal activities before gaining that enforcement. They can’t use the process to look for proof.

As recording your activities would require Windscribe to create new programs and working practices, you can bet that you would hear about such events should they ever occur. The fact that Windscribe does not have those facilities in place shows that they have never been served.

Windscribe VPN protocols

Activities on the internet and on networks are governed by protocols. These are guidelines and sets of standards that outline how software and equipment provided by different companies can connect to each other. They coordinate procedures. There are a number of VPN protocols available, and Windscribe uses three of these:

  • OpenVPN – This is an open source system, and it is the most widely-used VPN protocol in the market. The service is listed as TCP and UDP in the VPN apps.
  • WireGuard –This is a new VPN protocol that is being quickly adopted by most VPN providers because it does roughly the same as OpenVPN, but with a lot less code, so it is faster to operate. However, it is less tested by use, so might turn out to have a security weakness that no one has discovered yet.
  • IKEv2 / IPSec – This is a well-established combination of two protocols, which is faster and more lightweight than both OpenVPN and WireGuard. It is generally favored in mobile devices because it puts less drain on the device’s battery. Windscribe makes this the default protocol in all of its apps.

Windscribe offers two other options, which are Stealth and WStunnel. These are both wrappers around OpenVPN connections. Some authorities, such as the Chinese internet system, look for identifiers of VPN activity. The Stealth mode makes the connection look like an HTTPS tunnel. The Chinese authorities would never interfere with such traffic because it is the core of eCommerce, which they do not want to disrupt. WStunnel uses the WebSocket for protection instead of HTTPS.

The OpenVPN UDP and TCP options refer to some fundamental networking protocols that are as old as the Internet Protocol. TCP is the Transmission Control Protocol. It marshals traffic in a connection to ensure that lost packets get retransmitted and that packets are arranged in the correct order in a buffer if they arrive out of sequence.

For decades, TCP was the only Transport Layer protocol used on networks and the internet. However, when video streaming and IP telephony came along, TCP slowed down traffic to the point of being a problem, so the makers of these systems switched to TCP’s neglected alternative – UDP. The User Datagram Protocol provides no transmission assurance at all. Basically, TCP is termed “connection-oriented,” and UDP is called “connectionless.”

The browser extension of Windscribe doesn’t offer the option of VPN protocol. Reading between the lines of the Windscribe website, it seems that the browser version isn’t a true VPN but a “secure proxy” instead.

Windscribe encryption

Whatever VPN protocol you choose in Windscribe, you get the same encryption systems. The VPN uses 4096-bit RSA for session establishment and AES-256 for the main tunnel encryption cipher.

The Advanced Encryption Standard (AES) is a symmetric encryption cipher. That means the same key is used for encryption and decryption. This is the best encryption system available at the moment. It was commissioned by the US government for use by its own agencies, including the CIA and the US military. The strength of a cipher increases with its key length. The 256-bit key that Windscribe uses for AES is the longest available, and it is uncrackable.

A big problem with symmetric encryption systems is that one side has to generate it and send it to the other side. Until the key has been shared, the connection cannot be encrypted by AES. So, Windscribe uses a different encryption cipher to protect the transmission of the key.

Windscribe uses a public key encryption system called RSA for session establishment. With public-key systems, the encryption key and the decryption key are different but complimentary. You can’t guess the decryption key if you know the encryption key, and you can decrypt a text with the key that encrypted it. So, it is safe to publish the encryption key, and this is known as the public key. The decryption key is kept private.

Both the client and the server have a key pair, and they use these to safely identify each other and then pass the AES key. As with any encryption cipher, a longer key makes the encryption harder to crack. Windscribe uses a 4096-bit key for its RSA cipher, and this is impossible to crack.

For an indication of how the combination of 4096-bit RSA and 256-bit AES compares to the major rival VPNs that compete with Windscribe, ExpressVPN and NordVPN use exactly the same combination. IPVanish uses AES-256 but only a 2048-bit key for its RSA implementation.

The browser extension is a little different from the mobile and desktop apps. This uses a different method to protect key exchange, and its tunnel is created with 128-bit AES encryption.

Windscribe DNS leak protection

The Domain Name System (DNS) is a global cross-reference that maps between website addresses and internet addresses. A Web address is called a URL, and the key part of it is the domain, which is the something.com part. The Web browser needs to find the server that hosts that site, and the DNS returns the internet address for a given domain. The internet address is called the IP address.

You can specify a particular DNS server in the network settings on your computer. However, most people don’t by default, your ISP defines which DNS server to use.

A VPN obscures the destination IP addresses on the front of the data segments, called packets, that leave your computer. This prevents the ISP from logging the real destination of the connection. However, the DNS request can tell the ISP exactly where those packets were really going.

When the VPN app on your computer establishes a connection to one of a number of servers listed in the app’s interface, encryption keys are agreed upon, and then all of the communications between the two computers are then encrypted. That includes DNS queries.

The Windscribe service includes a private DNS server, and all of your computer’s DNS queries go to it instead of to the DNS system of your ISP. The local DNS package is called a resolver. It doesn’t hold the IP addresses for all of the websites in the world. Instead, it fetches addresses from DNS servers that are further away. It keeps the most recently requested addresses locally in case they are asked for again. That record will eventually age out for infrequently accessed sites, but websites that are always in high demand, such as goggle.com or facebook.com, will always be retained.

The DNS lookup process gives your ISP another opportunity. It can use its DNS resolver to make websites disappear. If an ISP doesn’t want its customers to access a particular site, it just creates a blank page or an error for the given domain. Thus, any browser that seeks the address for the blocked site will receive back an error, such as blocked by child safety controls or an SSL certificate error. Once you turn on the Windscribe service, all of those disappeared sites suddenly become available again.

Windscribe automatically blocks WebRTC and IPv6 traffic.

Windscribe IP leak protection

An IP leak occurs when the real destination IP address of a connection is revealed to an ISP. This event is almost impossible as long as the VPN is turned on.

The most common cause of IP leaks is a brief loss of internet service. The connection management processes in TCP will try to re-establish the connection for a few minutes before timing out. So, if the connection is only lost for a short space of time, it just seems to the user that a Web page is very slow to load.

A break in the connection, no matter how brief, will drop the VPN connection. This means that, while often, the internet connection resumes, the VPN protection does not. As nothing seems amiss, the user carries on without checking the VPN, and all traffic is exposed.

Many VPN providers prevent the IP leak scenario from happening by making sure that no traffic can go out on the internet if the VPN is not active. This is called a kill switch, and it is only a partial solution because it will only operate if the VPN app is open. So, if the user shuts down the VPN app completely, there will be no kill switch.

Windscribe calls its kill switch the Firewall in the desktop app, Smokewall in the browser extension, and Always On VPN in the mobile app. With this service turned on, the VPN app controls the network interface as soon as the app opens. Traffic can only get to the network card through the VPN connection, so if there is no VPN connection active, no traffic gets through. In this event, it seems to the user that the internet connection has closed down.

The power of the kill switch can be enhanced by setting the service to open on startup, so you never have an internet connection on your computer without the VPN being active. It is also possible to specify a default VPN server and automatic connection, so the VPN app will start up and then set up a VPN connection automatically, ensuring that you can get active on the internet straight away.

It is possible to set up the VPN app so that it doesn’t apply to all traffic. This is called “split tunneling,” and Windscribe implements the system in two ways – split-include and split-exclude. With the first of these, the VPN will only protect traffic for the apps and IP addresses that you put on the list. In the Exclusive mode, the VPN protects all traffic except for the apps and addresses that you list.

Another way to implement split tunneling is to use only the browser extension. This will protect all traffic from the browser while leaving internet traffic for other software on your device unprotected.

A number of VPN services, notably NordVPN have invested in an app feature that provides a double VPN route. This sends all traffic through one VPN server and onto another VPN server before it arrives at its destination. This system has doubtful extra security because if the VPN was secure in the first place, what’s the point of doubling the protection? Secure is secure, and that’s enough. The downside of a double-hop VPN is that it really slows traffic down. However, it is a favorite feature of the VPN industry.

With Windscribe, you use the desktop app and connect to a VPN server. You then open the browser extension and connect to a different VPN server. This means that browser traffic passes through two VPN servers and encrypts the packets of that traffic, putting it inside an outer packet, encrypting that, and putting that encrypted packet inside another packet.

While all that is going on, any internet traffic from other apps on your computer will be passed through the Windscribe server named in the desktop app but not the server in use in the browser extension. If you also implemented split tunneling, any apps that you specified to exclude from protection will travel directly to the host of the accessed service. So, you can have three levels of protection – double, single, and none – occurring simultaneously.

One of the main reasons that people subscribe to VPN services is to unblock geo-restricted websites and streaming services. This is where a Web server first checks on the location of the computer that is requesting content. This is possible because all IP addresses can be located in an actual physical place. When you connect to the Windscribe VPN system, it is important to pick the right location of the VPN server. This is why VPN servers are listed by the country and the city that they are in. When the VPN server receives a packet through a tunnel from a client, it replaces that client’s IP address in the source address field of the packet with one of its own.

When the streaming service receives a request for access, it reads the source IP address, references it to a location, which is where the VPN server is located, and then grants the request if the VPN server is in the right place.

Content is sent back to the return address, which is the VPN server. The server looks at the address that it received the packets at, looks in its reference table for the associated client IP address, encrypts and packages the packets, and sends them back to the client.

Windscribe admits on its support pages that it can’t get past the proxy detection system of the BBC iPlayer or enables subscribers to get into the video library of another country with their Amazon Prime Video account. Customers who Want to switch counties on Netflix need to subscribe to a special server called Winflix. However, just using the standard UK VPN servers (London Crumpets), I got these results:

ServiceTest
NetflixGot in with the desktop app and the browser extension
Disney+Got in with the desktop app and the browser extension
BBC iPlayerGot in with the desktop app and the browser extension
ITV HubGot in with the desktop app and the browser extension
Channel 4Couldn’t get in with any of the VPN protocol options in the desktop app but could get in with the browser extension

Accessing the Chicago Cub Windscribe server in the USA, I got the following results:

ServiceTest
NetflixGot in with the desktop app
Disney+Got in with the desktop app and the browser extension
ABCGot in with the desktop app and the browser extension
NBCGot in with the desktop app and the browser extension

Windscribe does a lot better than its support pages think it does.

Windscribe has three plans: Free, Pro, and Build a Plan.

Windscribe Free

You can use the Windscribe system anonymously, and you get a data throughput cap of 2 GB per month. The speed, bandwidth, and all of the services offered by Windscribe are the same for the free version as they are for Windscribe Pro. One exception to that statement is that only 10 of the 110 locations are available to Windscribe Pro. You can see the others, but you can’t use them.

You can increase your monthly data allowance to 10 GB by adding an email address to your account. This has to be a real address to which you have access because the service will check with a verification email. You can earn extra data by tweeting about the service or recommending Windscribe to friends.

Windscribe Pro

You get unlimited data throughput with the paid Windscribe option. You can pay for Windscribe Pro monthly or by year. The rate per month works out cheaper with the yearly plan than on the month-by-month subscription. These rates are:

  • Monthly Plan: $9 per month
  • Yearly Plan: $69 per year ($5.75 per month)

Windscribe only offers a 3-day money-back guarantee. You can pay with a credit card (Mastercard or Visa), PayPal, cryptocurrency, or online payment processors. Cryptocurrency payments are processed by CoinPayments, and a long list of cryptocurrencies are accepted, including Bitcoin, Ethereum, and Litecoin. The online payment system option is provided by Paymentwall, and that gives access to Alipay, FasterPay, and Mint.

It is possible to add a Static IP to your Pro account for a fee.

Build A Plan

The Build A Plan option allows you to add Pro servers to your Windscribe Free account. You increase your data throughput limit by 10 GB for each server group that you add – you add on countries rather than individual locations.

You have to choose a minimum of three groups, and each costs $1 per month. For an extra $1, you can get unlimited data. That means that for $4, you add on three countries and have no data limits. However, the yearly plan works out at just $5.50 per month — $1.50 per month more, so you need to work out which option will give you the best value.

We examined the performance of the Windscribe service to discover its influence on connection speeds. These tests were carried out in the UK on a mobile Wi-Fi hotspot provided by the 3 networks. Tests were carried out using the Ookla system at speedtest.net.

To establish a performance baseline, we tested a connection to a nearby server:

The download speed shown was 8.05 Mbps, and the Upload speed was 5.50 Mbps. Using the browser extension blocked all uploads, which made testing difficult. Checking with the Garry customer support chatbot at the Windscribe site, it turns out this is standard behavior for the Windscribe system – other VPNs do not do this. The download speed dropped to 6.19 Mbps.

Switching to the desktop app for Windows, using OpenVPN over UDP, we connected to the London Custard server.

This option slowed down the connection a little further, with a download speed of 5.33 Mbps. The desktop app didn’t block uploads and registered an upload speed of 3.93 Mbps.

A major problem arose when using the Autopilot option in the browser extension. This didn’t change my IP address at all – a complete IP leak.

As there is only a very short money-back guarantee for Windscribe. It is better to start off with the Windscribe Free service. Once you are happy with the system, you can choose to upgrade either with the Windscribe Pro option or the Build A Plan system.

1. Go to the Windscribe Download page. The site automatically detects your operating system and browser type.

2. You can get the app for iOS devices (iPhones and iPad) from the Apple App Store, and the Android version is available from Google Play.

3. Click on the download button for your operating system to get the desktop app, and then click on the downloaded file to run the installer.

4. The first screen just presents an Install button, which you press.

5. When the installation completes, the app opens. Click on the Get Started button to use the system anonymously.

6. This opens a page on the Windscribe website where you create an account.

7. You don’t have to give any identifying information – just create a username and password. Click on Create Account.

8. You will get a warning that you will only get 2 GB of data if you don’t enter an email address. You can choose to sign up anyway or go back and add an email address. You can add an email address to your account later to get 10 GB of data throughput per month.

9. You will be presented with a Captcha challenge. After entering the text, press Create Account again.

10. This takes you through to your account details page. You can add your email by pressing the Upgrade button on the Account Status line.

11. Whether you add your email or not, go back to the app and press the Login link. Enter the credentials of your account to open the app.

12. Click on the Locations tab to expand the list of server locations. The regions in the list can be expanded by clicking on the plus sign at the end of the line. Server locations with a star on them are reserved for Pro users. The three bars sign against each location gives the latency (connection speed) to that location if you hover the pointer over it.

What is Windscribe R.O.B.E.R.T.?

R.O.B.E.R.T. is a package of privacy tools in the Windscribe app. It includes an ad blocker that also roots out tracker cookies, and the service will strip out social media widgets that include trackers. The service lets you block certain types of websites, and it will also scan every Web page that you visit for viruses before it lets the page load in your browser.

Who is Garry in Windscribe?

Garry is a chatbot that fronts Windscribe support. You can also access Garry through the Support page on the Windscribe website. When chatting to Garry, you get asked a series of questions that gradually get more specific until you get an answer to your problem. If that doesn’t help, you get put through to a real person.

Does Windscribe have setup guides?

Look on the Support page of the Windscribe website for Setup Guides. This page also gives access to a FAQs section and a searchable knowledge base.

What is whitelisting in Windscribe?

The R.O.B.E.R.T. system blocks ads on Web pages. However, some sites won’t give you access unless you turn off your ad blocker. Whitelisting tells R.O.B.E.R.T to stop ad blocking on specific sites.

What is Windflix?

Windscribe has a few special servers that are tuned for accessing the Netflix media library that is presented in another country. There is one each for Netflix in the USA, the UK, Canada, and Japan. These can only be accessed through the browser extension.

To sum it up

Windscribe is a very good VPN service, and the free VPN is a very good service. I was able to dodge VPN detection systems and geo-restrictions at the major streaming services with just the VPN servers available on the free plan, and I didn’t need to sign up for the special Winflix servers in order to get cross-border access to Netflix.

The slowing down of connections was a little disappointing. However, other major VPN services with claims to high speeds fared worse – CyberGhost, for example.

Windscribe is a fun and easy-to-use VPN service. There are lots of detailed extra free services that you can play around with if you want. However, if you just want to get going, click on a server and hit the big button to get connected.

Watch out for the Autopilot option in the browser extension – it offers no protection at all.