What should we require of VPN providers on macOS?
jonah:
think the crux of the issue is that includeAllNetworks simply does not appear to cover the case where you disconnect from the VPN in order to connect to a different server, when it probably should. This is what most people would consider normal kill switch behavior
Gotcha. Without the includeAllNetworks flag, any 3p app can bypass the VPN on iOS / macOS at will. With that flag, 3p apps would be able to bypass only in those specific scenarios that trigger Apple’s implementation bugs. Two very different things.
Similar points were made across multiple threads in multiple replies… here’s one:
Remove ProtonVPN
Security is usually a shared responsibility. If there’s a “killswitch” then a client is better off using it, because if it doesn’t, all bets are off. The traffic may then leak not just because of the OS’ shortcomings but also because of the VPN client’s. The latter is in the control of the VPN provider, the former is not.
For example, VM & sandbox escapes do exist (due to bugs in the implementation or bugs in the OS/Kernel); but that doesn’t mean projects like Whonix/Chrome put the towel in and abandon isolation/sandboxing. Those projects must continue to use the tools made available to them by the OSes and sandbox/isolate to the extent feasible. Without them doing that, all bets are off.