
Don't Use VPN Services - ductionist
https://gist.github.com/joepie91/5a9909939e6ce7d09e29
======
thothamon
While it's true that your VPN provider _may_ be lying about their "no logging"
policy, at a minimum, you get additional layers of protection. Your source IP
is masked. A subpoena would be required to reveal your source IP, and perhaps
your VPN provider is telling the truth about not keeping logs. If your VPN
endpoint is in a different country than your network endpoint, then the legal
obstacles get even higher.

Surely you shouldn't depend on that alone. Tor would be a wise additional
layer of protection, if applicable. But to suggest that you get no privacy
benefit at all from a VPN is like saying your host may be compromised, so you
might as well use regular telnet rather than SSH.

~~~
chinhodado
Yeah, I hate extreme opinions that say not to do something just because it's
not 100% effective. It's like saying don't bother using a lock because all
locks can be picked and cut anyway.

~~~
technion
I consulted for an organisation that spent multiple years refusing to allow any
form of MFA.

Everyone agreed it was extremely important and some password protected data
was very sensitive. But the conversation about authenticator apps always got
bogged down with risks about malware on phones. I would get asked "will you
stake your career on it never happening?" Of course not. Therefore "for
security reasons" we never supported authenticator apps. Of course it was
pointed out that people might lose hardware tokens, so they didn't happen
either. Because mobile MFA isn't perfect, I had directives to stick with
easily phished passwords for years.

~~~
ben509
> I would get asked "will you stake your career on it never happening?" Of
> course not.

"Let's make a bet over whether a customer reports an authenticator app gets
hacked before a customer's account without an authenticator is broken into. If
the authenticator app is hacked first, I'll resign. If an account with no 2FA
is compromised, you resign."

~~~
sjy
This is probably just meant to be a joke, but I have been in that situation
before and I don't think offering to gamble away your job would be an
effective way to convince others to accept your advice on risk management. I
still don't know how to effectively convince others to take on new risks in
order to avoid bigger risks presented by the status quo. Given the additional
risk that my risk assessment is deficient, doing nothing is usually the easier
decision.

~~~
cs02rm0
_I still don't know how to effectively convince others to take on new risks
in order to avoid bigger risks presented by the status quo._

I think you just need to be talking to someone who can understand the risks
you convey, has the responsibility for both risks and the authority to effect
the necessary change.

IME that's straightforward in most small companies and in large government
departments it's rarely one person but multiple committees of people who you'd
never be able to explain the risks to and who won't make a decision.

Feel my pain?!

------
linsomniac
"... because the provider can see all your traffic!"

However, if you don't use a VPN: Your ISPs (Broadband, coffee shop, whatever)
can see all your traffic!

20 years ago I passed _ALL_ my traffic on my laptop through a VPN, I just
happened to run my own. But back then much less of the standard traffic was
encrypted. Now, pretty much all web traffic is encrypted. So that makes the
VPN less of a concern, IMHO. Depends on what you're doing though...

There was this one time I went to Defcon. Installed a scratch laptop for it.
The firewall on it would only allow DHCP and OpenVPN on the physical
interfaces.

~~~
Johnny555
Exactly - I trust my VPN provider not to use or abuse my traffic data
(websites visited, DNS queries, etc) more than I trust my ISP (Comcast)

~~~
kgwxd
VPN companies are explicitly built on reputation for not doing that. ISPs
don't give a damn about reputation and are usually a monopoly, or the other
options are just as bad.

~~~
azinman2
What reputation? Where is the dispensing of knowledge? And how do you know
violations are even coming back to the surface? With the ease of starting a
new service, and the typical anonymity of who is running it, I don’t believe
one bit in being able to let the decentralized world determine who is
trustworthy here. The space is full of shady operators.

~~~
sjy
We don't know that all violations are coming to the surface, but we can be
pretty sure that if there are VPN honeypots then they are either obviously
sketchy services or part of an expensive, sophisticated, secret and therefore
targeted attack. Based on their website and other public information (like
their WireGuard advocacy), I think Mullvad is more trustworthy than the
average ISP, which in turn is probably more trustworthy than the average
fly-by-night VPN operation.

------
tomxor
I mention this every time this comes up but it's info worth spreading...
"sshuttle", make any server into a VPN without VPN server-side software, this
takes the pain out of doing your own VPN, gives you far more obscurity, lots
of flexibility and in my experience it also performs much better - which I
believe is due to the TCP deconstruct-reconstruct vs traditional VPN which
does TCP over TCP. The only disadvantage is it's only for TCP (no UDP or
multicast).

For routing all your internet it's as simple as this (on the client only, no
server setup):

    sshuttle -r user@1.2.3.4 0/0

That's it... server requirements are met by almost anything, you don't need
root access, but it does need python, which most distros have by default. Now
you can use your own little obscure server, yes it's not invulnerable a VPS
provider can still look at you if they wish, but it's far less of a target
than a purpose built consumer VPN provider.

It's also far more powerful for slicing up and mixing subnets or only routing
specific targets ... for example unblock a specific site, but don't re-route
other traffic:

    sshuttle -r user@1.2.3.4 sci-hub.tw

[edit]

Minor issue worth mentioning, not to disappoint people trying this out - it's
currently necessary to use the -x option to exclude the server itself from
being routed on Linux. I think this is due to a kernel bug, which is a little
annoying; hoping this will go away eventually. This is not relevant to BSD or
Mac, although on Mac you have other kernel bugs to worry about in XNU's network
stack.

    sshuttle -r user@1.2.3.4 -x 1.2.3.4 0/0

[edit]

As "icelancer" has pointed out below, please note that using your own server
ties your activity to your identity more definitively if you are the only one
using the server and you pay for the server in your name. Not being a purpose
built consumer VPN makes it a less likely target through significant
obscurity; however, in the event it IS targeted, its uniqueness will make it
easier to associate activity with you via the VPS provider.

> This also ties your identity to a provider definitively. That's fine, as
> long as you tell people that's what is happening. A good consumer VPN that
> isn't a garbage one offers plausible deniability.
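
The relay-exclusion workaround described above, as an added example that is not part of the original comment or of sshuttle itself: a small POSIX shell wrapper that derives the -x exclusion from the -r argument, so the relay host is never routed through its own tunnel. It assumes getent is available for name resolution (glibc/Linux) and prints the command for review instead of executing it.

```shell
#!/bin/sh
# Added example (not from the thread or from sshuttle): build the sshuttle
# command line with the relay host excluded via -x, so that on Linux the
# tunnel's own SSH session is not captured by a 0/0 (route-everything) rule.
# Assumptions: relay is [user@]host[:port]; name resolution uses getent
# (glibc/Linux); the command is printed, not executed, so it can be reviewed.

# resolve_ipv4 HOST -> prints the first IPv4 address; IP literals pass through.
resolve_ipv4() {
    case "$1" in
        *[!0-9.]*) getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }' ;;
        *)         printf '%s\n' "$1" ;;
    esac
}

# sshuttle_cmd REMOTE SUBNET... -> prints "sshuttle -r REMOTE -x RELAY_IP SUBNET..."
sshuttle_cmd() {
    remote=$1
    shift
    host=${remote#*@}      # drop user@
    host=${host%%:*}       # drop :port
    relay_ip=$(resolve_ipv4 "$host")
    if [ -z "$relay_ip" ]; then
        echo "sshuttle_cmd: cannot resolve $host" >&2
        return 1
    fi
    # Exclude the relay's own address so its SSH traffic is never pushed
    # into the tunnel it carries, whatever subnets the caller asked for.
    printf 'sshuttle -r %s -x %s' "$remote" "$relay_ip"
    for subnet in "$@"; do
        printf ' %s' "$subnet"
    done
    printf '\n'
}

# When run as a script: print the command for the given relay and subnets,
# e.g.  ./sshuttle-cmd.sh user@1.2.3.4 0/0
# and start the tunnel with:  eval "$(./sshuttle-cmd.sh user@1.2.3.4 0/0)"
if [ $# -gt 0 ]; then
    sshuttle_cmd "$@"
fi
```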

~~~
cyphar
These days WireGuard is just as easy to set up, and has lots of benefits over
sshuttle (it's UDP based, supports roaming a-la Mosh, has a much more solid
cryptographic design, and so on).

~~~
icelancer
From the WireGuard installation instructions:

"Generate a private and public key pair for the WireGuard server:"

"umask 077
wg genkey | tee privatekey | wg pubkey > publickey"

"This will save both the private and public keys to your home directory; they
can be viewed with cat privatekey and cat publickey respectively."

"Create the file /etc/wireguard/wg0.conf and add the contents indicated below.
You’ll need to enter your server’s private key in the PrivateKey field, and
its IP addresses in the Address field."

That's not within reach of your average computer user.
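
The quoted server-side steps, as an added example that is neither the commenter's nor the WireGuard project's code: a POSIX shell script that writes the wg0.conf described above under umask 077 (so the private key is never world-readable), appends peers, and checks the result. It assumes the keys are supplied as arguments (generated on a real host with wg genkey / wg pubkey) and adds a WG_DIR override, an assumption of this example, so it can be tried in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the thread and not the WireGuard project's code:
# the server-side steps quoted above as a checked script. Keys are passed in
# (on a real host: `wg genkey | tee privatekey | wg pubkey > publickey`), the
# config is written under umask 077 so the private key is never world-readable,
# and a check verifies the result. WG_DIR defaults to /etc/wireguard and is
# an assumption added here so the script can be exercised in a scratch dir.

# valid_wg_key KEY -> 0 if KEY looks like a WireGuard key (32 bytes of base64:
# exactly 44 characters from the base64 alphabet, ending in '=').
valid_wg_key() {
    [ "$(printf '%s' "$1" | wc -c | tr -d ' ')" -eq 44 ] || return 1
    case "$1" in
        *[!A-Za-z0-9+/=]*) return 1 ;;
        *=)                return 0 ;;
        *)                 return 1 ;;
    esac
}

# write_wg_server_conf PRIVATE_KEY ADDRESS_CIDR LISTEN_PORT -> prints conf path
write_wg_server_conf() {
    key=$1; addr=$2; port=$3
    dir=${WG_DIR:-/etc/wireguard}
    valid_wg_key "$key" || { echo "refusing to write: not a WireGuard key" >&2; return 1; }
    mkdir -p "$dir"
    # Subshell so umask 077 (files created 0600) applies only to this write.
    (
        umask 077
        cat > "$dir/wg0.conf" <<EOF
[Interface]
PrivateKey = $key
Address = $addr
ListenPort = $port
EOF
    )
    printf '%s\n' "$dir/wg0.conf"
}

# add_wg_peer CONF PEER_PUBLIC_KEY ALLOWED_IPS -> appends one [Peer] section
add_wg_peer() {
    conf=$1; pub=$2; allowed=$3
    valid_wg_key "$pub" || { echo "refusing to add peer: not a WireGuard key" >&2; return 1; }
    cat >> "$conf" <<EOF

[Peer]
PublicKey = $pub
AllowedIPs = $allowed
EOF
}

# check_wg_conf CONF -> 0 if the file is mode 0600 and holds a PrivateKey line
check_wg_conf() {
    conf=$1
    mode=$(stat -c %a "$conf" 2>/dev/null || stat -f %Lp "$conf")
    [ "$mode" = "600" ] || { echo "$conf: mode $mode, expected 600" >&2; return 1; }
    grep -q '^PrivateKey = ' "$conf" || { echo "$conf: no PrivateKey line" >&2; return 1; }
}
```

Typical use on a real host: `WG_DIR=/etc/wireguard write_wg_server_conf "$(cat privatekey)" 10.0.0.1/24 51820`, then `check_wg_conf /etc/wireguard/wg0.conf` before bringing the interface up.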

~~~
ekianjo
> That's not within reach of your average computer user.

Same for sshuttle.

~~~
tomxor
I don't think anyone is under the delusion that non-technical users are going
to use sshuttle, but not everyone has the will to invest the time and effort
doing server side configuration of a VPN client for their personal use.
sshuttle makes it simple for anyone who is the least bit familiar with ssh and
has some kind of server access or is happy to spin up a VPS quickly, nothing
more is necessary.

~~~
cyphar
There are plenty of scripts online that make it incredibly trivial to set up
WireGuard (here's mine[1]). This isn't like configuring OpenVPN -- it actually
only takes a minute or two to set up.

Given that WireGuard is headed for inclusion into Linux mainline soon, it
probably would be a good idea for folks to take a few minutes to learn how to
use a technology that is going to be part of core Linux.

[1]: https://github.com/cyphar/dotfiles/blob/master/.local/bin/wg-enroll

~~~
ekianjo
There are scripts to install OpenVPN in 5 minutes as well so WireGuard has
absolutely no advantage there.

~~~
cyphar
Well yes, but OpenVPN has many dozens of different options and my experience
with it is that it's a pain in the ass to get the right set of options (on
both the client and server) which result in minimal latency and maximum
throughput.

But you're quite right that if you already have a config that you know works,
WireGuard has no _significant_ advantage in this area (in terms of
ease-of-configuration -- though the keys being quite short is nice for SSH-like
key distribution). But if you're starting from scratch then you need to first
figure out what is the right configuration to use (or you need to pick from
the many dozens of "set up OpenVPN quickly" scripts) and then you need to hope
that your configuration is not insecure.

WireGuard can be set up and work just as well as any other configuration
without a script in a couple of minutes (or less than a minute with a script).
The script that was linked in a sister comment to "set up OpenVPN quickly"
also sets up Apache for god's sake...

------
unicornfinder
This post makes good arguments, but there's a very real reason to use a VPN
provider over your own server - plausible deniability. With a VPN your traffic
is mixed in with many, many other users', whereas with your own server, any
traffic coming from that IP can safely be presumed to be yours.

~~~
savethefuture
When the vpn company is subpoenaed because someone saw suspicious traffic
coming out of their servers, regardless of the number of people, the logs and
connections would point directly to you.

~~~
juped
This only applies if their claim to keep no logs is false; some have
demonstrated in court that their claim is true.

~~~
geofft
Why not use Tor? Isn't its whole purpose to solve this problem in a
trustworthy way?

~~~
RandomTisk
I'm no expert on Tor but when I researched it years ago, it seemed like your
privacy on tor was only as safe as the exit node you happen to go through. If
you're in North Korea trying to get out and happen to go through an exit node
run by the NK government, they could theoretically decrypt your traffic in
some cases. If all the nodes you're going through are theirs, then they know
exactly who you are even if they can't inspect the traffic.

Edit: I must stress I'm not an expert, and would love to hear if the above is
wrong.

~~~
cyphar
No, that's not entirely true. No single node in a Tor circuit knows both who
the user is and what site they are going to. In order to compromise a user's
anonymity, you need to do a traffic correlation attack (where you look at
packets going through both the guard node and the exit node and match up the
timing of packets). There are some protections against this attack in Tor
(guard nodes are not changed often by clients, relays need to be running for a
long time in order to be permitted to be guards, and there is some randomised
traffic sent to the guard by the client) but it is definitely not a solved
problem.

But of course, if you aren't using TLS then your traffic is not encrypted as
it leaves the pipe. So obviously you should use TLS over Tor.

------
bArray
Other reasons you might want to use a VPN:

* Geoblockers - Much media content is blocked based on geolocation, specifically geolocation based on your IP. (Netflix, Youtube, etc.)

* IP blacklist - I know a few people that have inherited a blacklisted IP simply through unlucky ISP IP allocation.

* ISP logging - So not a hostile ISP, but one that actively tries to log your data. (If you live in Europe, this is almost definitely happening. Apparently in the US ISPs even sell this data.)

* Speed - A few people report being able to get a faster network connection. (I'm not entirely sure why this is the case, but I can imagine there being edge cases where this is possible.)

Setting up your own VPN is NOT a solution to every problem mentioned here,
especially if you want to switch server location on a whim or are not
technically minded.

~~~
sjy
I often get really slow download speeds from the GitHub CDN, which my ISP must
not peer with or something. My ISP has faster routes to most of the rest of
the internet, including some VPN endpoints, so a VPN can be used to cut out
the bottleneck and allow me to download large binaries off GitHub at 2 MB/s
instead of 80 KB/s.

~~~
oefrha
GitHub uses S3 for artifacts. If your typical S3 download speed is ~80KB/s, I
suspect it would be a similar story for Cloudfront, in which case a huge part
of the Internet would be painful to use...

~~~
bArray
< 80kB/s is what a large majority of the internet experiences, with page
viewing times in excess of 30 or 60 seconds...

~~~
oefrha
Been there.

------
juped
The primary reason people use VPN services, which articles like this always
fail to address, is best illustrated at this URL:
[https://iknowwhatyoudownload.com/](https://iknowwhatyoudownload.com/)

~~~
sincerely
Okay, so I just checked this out, and there is a non-zero amount of child porn
on the list. Is my roommate downloading CP? Is there any other explanation?

~~~
gabriel34
Keep an eye on that list; the last seen column should tell you if this is
current or ancient activity. If he/she is seeding, correlating this with times
your roommate is home (or his/her PC is on) should give you a good idea of
whether this is him/her or someone else sharing your IP. Another such file
coming up on that list is a strong indicator as well, and could help you even
if he/she is no longer seeding. Keep in mind that remote control of a torrent
client is possible. If you control the router you could try getting a new IP.
All this without downloading the actual file.

~~~
sincerely
Thanks for the advice I'll keep an eye on it. As far as I'm aware he's home
basically 100% of the time so that unfortunately doesn't help narrow anything
down lol

------
vesche
https://thatoneprivacysite.net/#detailed-vpn-comparison

Sure, you're always trusting a VPN at their word that they don't log, the
above gives a detailed analysis of which ones you probably shouldn't trust.
You can always host your own: https://github.com/n1trux/awesome-sysadmin#vpn

You can also VPN chain (l2iptables), tunnel over TLS, etc. That gist post is
pretty dumb imo

~~~
Topgamer7
The post is targeted to those who are not sufficiently technically adept to
know of these techniques.

~~~
Mirioron
How many non-technical people read things on github? I'm seriously wondering,
because whenever I see a link to something posted on github I always assume
that it's intended for an audience with some technical understanding. I know
that some laws and whatnot have been put up onto github to provide easier
access, but it never seemed like non-technical people started using it.

~~~
lucasmullens
I think if someone shared it to their facebook, a non-technical user wouldn't
be much less likely to read it than say a medium article. Non-technical users
don't really care about the domain.

Certainly most readers of github are technical, but that doesn't necessarily
make it less suitable for non-technical people.

------
octorian
This actually reminds me of an episode that happened to me many years ago.
Back then, it was "web anonymizers" (not VPN providers) that were all the
rage. These programs would maintain a database of open proxies, and route
peoples' web activity through those proxies.

Well, I had Apache misconfigured just long enough to get picked up by one of
these apps. For years afterward, my server logs were chock full of attempts at
logging into various accounts via HTTP. I seriously had thousands of Yahoo!
username/password pairs just sitting in plaintext inside my server logs.

------
S-E-P
> And remember that it is in a VPN provider's best interest to log their users
> - it lets them deflect blame to the customer, if they ever were to get into
> legal trouble.

Hmmm? If you don't have record of it, the courts don't do much, at least in
the US. If they subpoena you, and you don't have logs, nothing ever comes out
of it. Outside of fines and things of that nature.

> The $10/month that you're paying for your VPN service doesn't even pay for
> the lawyer's coffee, so expect them to hand you over.

How do you think insurance works, or why airlines habitually overbook? A
trivial word problem if you will: if you had 10,000 users, you were subpoena'd
and only 100 users did anything worth prosecution, that's what. For one
lawyer, drinking a $10 coffee (or two $5 ones) every weekday for a month,
that's 20 days, $200 a month, $2,400 annually. Assuming in this example only
1% of your users need defending, that's 99% of your coffee budget you don't
have to worry about! For 10,000 users, a yearly subscription pulls in about
$1,200,000 (we aren't doing any adjustment for taxes and all that garbage). If
99% of your users are behaving themselves... or at least not doing something
bad enough for the courts to take notice (which in the digital age, things
like piracy are white noise), that means you still have $1,188,000 to help you
in those, typically blanket cases (i.e. a court case in which 20 of your users
were downloading illegal movies, and MGM got really upset). Since if you
aren't logging, these infractions are dealt with in aggregate usually, since
it can't be quantified. So number of lawsuits < bad users.

That's not bad: if all your lawyers needed was coffee monthly, then you could
support, with 99% of your users' cash, 495 lawyers' coffee for a year! More
than enough coffee to defend your business. Don't forget you can still use the
"blood money" you got to buy them coffee!

The basic principle behind my oversimplified, and somewhat tongue-in-cheek
example was to remind you that insurance is a lucrative business. I wonder how
they survive if your monthly cost for liability (up to $500,000) isn't
$500,000 per month!?!

------
danShumway
Reposting the last response I gave when this article came up.

----

> Your IP address is a largely irrelevant metric in modern tracking systems.

I don't believe this for one second.

Your IP address on its own is not sufficient to identify you. That doesn't
mean your IP address is not helpful in identifying you.

If you have Javascript disabled, it is a heck of a lot easier to identify you
with a combination of an IP address, user agent, and OS than it is to identify
you without the IP address cutting down the pool of potential visitors.

On top of that, if you're targeting me and do a geo-location of my IP address,
it will get you within 5 miles of my house. That's close enough that you'll
know which county I'm in, which with a few other easily-obtained pieces of
information will let you pull up my voter registration, which will give you my
exact street address.

Of course, you could mitigate this by setting up your own VPN on something
like Linode, but unless you're regularly rotating IP addresses, you've just
traded a pseudo-identifier that multiple people/devices share for a persistent
identifier.

This argument comes up all the time, and I have never heard anyone explain it
in a way that passes my sniff test. If you want me to stop using a VPN, you
need to do a lot better than just claiming that IP addresses don't matter --
you need to show some kind of evidence to back that up.

----

Broadcasting your IP address to every website you've ever visited is a
completely valid concern that gets hand-waved out the wazoo whenever this
subject comes up.

I've sent bug reports to sites that publicly tied IP addresses to
comments/accounts so anyone could track your movement patterns over time. Yes,
that info can be useful to an attacker trying to deanonymize you. Yes, that
info can be used to link users together. Yes, that info can be used to narrow
the pool of potential visitors so other fingerprinting techniques are more
powerful.

It is blanketly ridiculous to claim that an approximate county-level
geolocation isn't a useful data-point to attackers. If IP addresses weren't
useful, the Tor project wouldn't be going to such lengths to hide them.

~~~
ogeiczvm
> Of course, you could mitigate this by setting up your own VPN on something
> like Linode, but unless you're regularly rotating IP addresses, you've just
> traded a pseudo-identifier that multiple people/devices share for a
> persistent identifier.

This actually happened to me. I'm using a persistent VPN (50% to access my
private infrastructure and 50% because I have a hostile ISP).

I mostly don't use any Google services (maybe one google search a month and
the occasional google map search but I avoid when I can) and I was very
surprised when once I did a google search and saw my postal code at the end of
the page. The IP address was for a VPS (in the same city but with a different
post code). I found it unusual but didn't pay too much attention. A few months
later I moved places (different post code) and after a while google had my new
post code at the end of their search page. That's when I found it troubling
and assumed that a family member's iPhone was using Google Maps and based on
the 'directions' usage they figured out that that IP address has a home
address for those GPS coordinates. (The iPhone in question is reasonably
'hardened' with background updates off and location services only 'when app
opened' and disabled for most system services). That was the only plausible
correlation between IP address and location google could have done
automatically - neither I nor the said family member still logs in to old
google accounts we had many years back.

That's when I started rotating IP daily (which is trivial in my case as I use
lightsail, I issue a shutdown from a different server and then a power on, AWS
rotates the IP automatically out of a very large pool - so far I haven't
gotten the same IP twice).

The only problem I have with lightsail is that I often get a 'dirty' IP so I
rotate 4-5 times before getting a good one (I test this by doing a curl on a
website that sends google captcha on dirty IPs but lets the 'good' ones
straight in).

------
alkonaut
I use a VPN because I want a proxy, and for e.g. iOS it seems a VPN is the
easiest way to set up a proxy.

The article lists several reasons to use VPNs but isn’t the biggest one these
days simply to circumvent geographical content limitations for online services
such as video streaming? Nearly everyone I know has used a VPN service at some
point, and if you asked any of the non-technical ones what it _is_ they might
say "a thing that lets me watch the game broadcast when I’m in another
country".

People want proxies and the VPN providers provide VPNs that work like proxies.
I can’t really see the downside to using the VPN as a proxy?

------
cracker_jacks
A terrible summary of why VPNs are useful. Goes on and on about privacy with
no mention of bypassing censorship. It must be nice living in a place where
you don't have to worry about access.

There's no point in privacy without access.

------
devy
The title should be renamed to "Don't Use 3rd Party VPN Services".[1]

On-prem VPN deployments with solutions like AlgoVPN[2] from TrailOfBits are
still very useful. Let alone the vast majority of corporate IT's internal
VPNs that are required for some workforces to perform their jobs remotely on
the public Internet.

[1]: https://gist.github.com/joepie91/5a9909939e6ce7d09e29#gistcomment-2197521

[2]: https://github.com/trailofbits/algo

~~~
jplayer01
I’ve seen a complete lack of arguments for why anybody should use Algo or
Streisand. I don’t see the point. If you don’t trust VPNs, why trust
literally anybody you choose to host a VPN, especially if there is arguably
even less anonymity to be had.

~~~
devy
> If you don’t trust VPN's

That's exactly the misnomer that the title didn't do justice. Of course
you MUST trust a VPN in order to make sense of using it. The differentiation is
whether that VPN is managed by some 3rd party or you manage it on your own.
With 3rd party VPNs you have no idea how they set it up and no transparency on
how they secure the VPN node. If you manage your VPN node on your own, you have
full control of what algorithms and configuration you are using and you pick
the right node in a "secure" environment; all are risks factored into the big
picture.

~~~
jplayer01
> If you manage your VPN node on your own, you have full control what
> algorithms and configuration you are using and you pick the right node in an
> "secure" environment, all are risks factored into the big picture.

No, it's the exact same situation. Or do you happen to know exactly how
whatever hosting provider manages the server you're using? They can be trusted
exactly as much as VPN providers. There is no real security once you're using
systems that you don't own, but there are benefits to using a VPN that can't
be realized if your name is on the box.

~~~
devy
> No, it's the exact same situation. Or do you happen to know exactly how
> whatever hosting provider manages the server you're using?

It's not exactly the same. In the case of cloud providers, you know what you
are getting into and mostly have the freedom to set up your own VPC, your VM
image, your firewall, even secure boot/TPM stuff, etc.

As far as the data security goes, many cloud vendors provide data encryption at
rest with your own keys (of course data security in transit for a VPN, that
goes without saying). This is even MORE true for corporate ITs since they own
and operate their own data centers and hardware too (even with the popular
trend of cloud computing migration).

Just think about it: if public cloud vendors can get government contracts
(DoD/CIA/NSA), then they can ensure security at a high bar. But keep in mind
that security is NEVER an absolute term, so your arguments to me are moot.

------
icelancer
"There is no way for you to verify that, and of course this is what a
malicious VPN provider would claim as well. In short: the only safe assumption
is that every VPN provider logs."

This is demonstrably false; look at any VPN provider that was subpoenaed and
unable to produce documentation.

------
kryogen1c
> Because a VPN in this sense is just a glorified proxy. The VPN provider can
> see all your traffic, and do with it what they want - including logging.

This is a tautology. If you use it as a proxy, then it's a proxy. VPNs aren't
for this, and so are bad at it.

VPN use case is either to securely leave a network (hotel Wi-Fi, airport wifi)
or to securely get to a network (home resources, corporate resources). If you
want a proxy, find a proxy.

~~~
ignaloidas
Proxy is securely leaving the network. There is no real difference in the
principle of operation besides the protocol (SOCKS vs OpenVPN, etc.)

------
johnjungles
What about just setting up your own VPN on a cloud provider or a raspberry pi?
You’d still be responsible for the traffic flowing through but at least you
wouldn’t have ISP logging, get around geoblockers, keep a secure connection on
public WiFi, fantastic for devops people who want to have local connections
for debugging networking things on aws/gcp/cloud providers, etc...

I think you mean that you shouldn’t think of a VPN as an anonymous traffic
tool like they advertise.

~~~
benhurmarcel
Where do you connect that raspberry pi? At home, you're using your own IP and
ISP still.

------
computerex
What a myopic viewpoint. ISPs can and do sell customer data:

www.cnbc.com/amp/2017/03/28/congress-clears-way-for-isps-to-sell-browsing-history.html

It doesn't take a logical leap to infer that a company whose entire purpose
and business model is to provide anonymization as a service is less likely to
sell out its own customers than the ISPs.

Yes VPNs can log despite claiming they don't. But the well known ones are
highly incentivized to do as they claim because lying would destroy trust and
would ultimately destroy their business. Governments are also more likely to
target giant national ISPs than some VPN provider whose servers are in some
very liberal and consumer leaning countries outside the US. Also securing your
own VPS on the internet and managing it without getting pwned is well outside
the expertise of most people and is probably not recommended.

------
jchw
Although I agree with the general notion, social proof and a good track record
are not bad indicators. I will always recommend Mullvad if you are looking for
a VPN service that is trustworthy. I think VPN services that advertise a lot
are a little sketchier, though surely some of them _must_ be decent... maybe
PIA?

~~~
pnutjam
I use pia, they are inexpensive with plenty of traffic to blend with.

------
tootahe45
Before anyone buys a vps from LowEndTalk like he recommends, most of the
providers on there are trash-tier and massively over-sell their services which
is why they seem cheap but performance ends up very poor. And why would I
trust a vps vendor with 10 customers over a VPN provider?

------
badrabbit
Used to have this view, now conceded that a vpn provider with good reputation
and accountability is best. Your local ISP sells whatever data or injects
whatever content they desire, and your rights mean little if your contract
stipulates they can sell this access to a 3rd party and this 3rd party can
then resell analyzed or raw data to anyone including your own government. If
you perform methodical risk analysis, you will find having the ability to
damage the reputation of your first-hop provider is an ideal leverage. Never
negotiate from a position of weakness (e.g.: ISP or Tor exit nodes)

------
bloody-crow
Even if you assume that the VPN provider is listening and analyzing all your
traffic, it's still preferable to your internet service provider doing the
same thing. For starters, the internet provider just knows more about you.
You probably have a contract with them, they know your exact physical location
and they have your SSN. A malicious actor from within the internet provider
having access to all this information could potentially blackmail you by
revealing your porn logs to your spouse, or your unsavory private reddit
history to your employer etc.

Second, your VPN provider could be in a different country, and that would make
data mining your traffic slightly less interesting to them. It'd also make
data acquisition via subpoena of some sort from your country slightly more
bureaucratic.

Third, if you have reservations about your VPN provider, you can just cancel
your account and go to a different one. Changing VPN providers takes 5
minutes, while changing internet service provider can take months, or in some
cases might not even be possible.

------
throwaway13337
This is silly.

Most people use VPNs to get around region restrictions.

These are getting more and more common due to local governments making laws
that affect the whole internet - think GDPR - that individual site owners do
not want to abide by so they block IPs. VPNs solve this very real problem for
those still wanting access to the content.

They're also used for subverting content region licensing. For example, with
Netflix.

~~~
fireattack
Or using it to tunnel to a more torrenting-friendly region.

~~~
chii
I can't believe VPN can give you acceptable speeds for torrents tho...

~~~
jplayer01
I’ve downloaded games over Steam at full speed over my VPN...

~~~
chii
Steam downloads have nothing to do with torrents.

~~~
jplayer01
Come on. My point being - VPN isn't the limiting factor here. It's the people
you're downloading from. If you can't see the connection I can't help you.

------
breatheoften
Off topic but, anybody know a good/recommendable VPN service that supports
macOS without requiring third party software and which allows inbound access
to the external IP associated with the service ...?

I need to ssh back to my laptop frequently because of some annoying
restrictions with a service provider I use (heroku). I _can_ do shenanigans
with ssh tunneling on a publicly accessible server I control - but it’s
actually pretty annoying to work that way in my scenarios.

I’ve tried a few VPN services that offer “static IPs” but the services I’ve
tried filter inbound connections to that IP ... does anyone know a good VPN
service that can effectively give me a public IP address so I can make
inbound connections to my developer machine while I’m on random shitty coffee
shop WiFi ...?

------
smurda
“remember that it is in a VPN provider's best interest to log their users - it
lets them deflect blame to the customer, if they ever were to get into legal
trouble”

Disagree. It is always easier for the legal team to say, “sorry we don’t store
the logs” as a way to absolve themselves.

------
p0cc
The title is misleading because the article focuses on using VPN providers to
obfuscate traffic when this is one use case of VPN technologies. The gestalt
types of VPN usage are:

* Remote Access VPN: Connect to resources on your corporate network. An example of this is you're in a coffee shop on holiday and need to access a corporate resource.

* Site-to-Site VPN: Connect networks on two sites together. An example of this is you're in a branch office and need to connect to a resource in HQ.

Note that VPN providers give you a limited Remote Access VPN to _their
network_ , which they control. They can do whatever they want to your now-
decrypted traffic before they send it out to the internet. If you want to
obfuscate your traffic, Tor is a better candidate.

~~~
ignaloidas
Quote: > Note: The content in this post does not apply to using VPN for their
intended purpose; that is, as a virtual private (internal) network. It only
applies to using it as a glorified proxy, which is what every third-party "VPN
provider" does.

~~~
p0cc
I agree with you - the gist does have a caveat. The title is still misleading
as _VPN Services_ is too broad for the gist's content.

~~~
joepie91_
"Service" here refers to a service in the "company" sense, not in the "system
daemon" sense. Legitimate VPNs are typically run on one's own network, not
outsourced to a third-party service.

------
dontbenebby
Being able to use airport wifi (or other public wifi) is actually a pretty big
deal IMHO.

I really value not having to constantly leave my phone on, blasting my
location to anyone who cares to ask.

[https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-MicroBilt-zumigo-tmobile](https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-MicroBilt-zumigo-tmobile)

(I self host my VPN, so I'm fairly confident the provider isn't going to
jeopardize their entire business model to add extra analytics. Sites I visit
get the IP of the VPN, and conversely my ISP sees my traffic going to a random
server in Denver. It's win-win.)

~~~
jotto
How often do you rotate the IP on the box you're proxying through?

~~~
dontbenebby
It's for security, not anonymity.

I use Tor if I want anonymity.

------
otakucode
>There is no way for you to verify that, and of course this is what a
malicious VPN provider would claim as well. In short: the only safe assumption
is that every VPN provider logs.

If the VPN provider has been ordered by a US court to produce log information,
and they have appeared in court responding that it is not possible for them to
do so as such logs do not exist, and the court has accepted this as true, that
is adequate 'proof' in my eyes. It is something which puts them in the
position of being extremely legally liable in a way that advertising 'no
logs' does not, since prosecution for false advertising is a joke.

~~~
0xcoffee
I know I'm going fully into the realm of conspiracy theories here, but history
has shown secret court orders are a thing. VPNs are the perfect honeypot for
law enforcement agencies; they wouldn't want to lose this every time they bust
someone. So put on a nice show that they can't get the logs, then secretly
order them to log.

------
baby
I agree with the content, but I would recommend dsvpn instead of the suggested
solutions.

[https://github.com/jedisct1/dsvpn](https://github.com/jedisct1/dsvpn)

~~~
xaduha
It's great, but has no Android support atm. Gotta stick with WireGuard for
now.

------
linsomniac
Aside: 15 years ago all of our employee laptops passed all of their traffic
over our own VPN. One of my employees wanted to quantify how much having all
our traffic go to our server space was slowing it down.

He ran a series of tests comparing latency and throughput of directly visiting
sites on his home Comcast connection, vs. the VPN. Generally, the VPN was
significantly faster.

I wasn't entirely surprised by this. Our facility had multiple high quality
connections (Level-3, InterNAP), and one of those traffic optimizers that
would add intelligence beyond just BGP.

~~~
jrockway
That is my experience today. My Linode is a lot closer to things on the
Internet than my Spectrum connection. For example, if I ping the US/Central
Overwatch server, it's 50ms from my home connection and 20ms from my Linode
(which is 11ms away from home).

It is sometimes as much as 26ms to the first hop after my router, though,
which is pretty amazing. That's enough time for light to travel 5000 miles.

------
systematical
The biggest value I've seen from VPNs is when certain networks block SSH. This
happens to me all the time when staying in hotels. For my work I need SSH.

I've also had edge-cases where I need to obscure my country of origin. For
instance, I couldn't stream Game of Thrones via Hulu/HBO Go this Summer while
in Mexico. For some reason, Mexico is blocked. My VPN solved that.

For security? It's unlikely to help unless I am on an unsecured wireless
network or something like that. Good read nonetheless.

------
user4142
Now, with DoH, VPNs will be more relevant if you don't trust your ISP.

Today, if you change your DNS to another resolver, your ISP won't bother
because the majority will not change and you can pass under their radar.

With DoH, ISPs will be forced to log filtered/mapped IP requests so they can
keep doing whatever they're doing today with DNS queries.

So, when DoH matures, ISPs won't see your DNS queries but it won't matter for
them any more as they will be seeing all other requests.

------
exabrial
> ... with increased adoption of CGNAT and an ever-increasing amount of
> devices per household, it just isn't a reliable data point anymore.

I know this is not a popular stance on HN, but IPv4 has built-in casual
anonymization, whereas IPv6 has built-in casual identification. Both systems
are defeatable, but what bothers me about IPv6 is that the invasion of privacy
is the default.

Coincidentally, Google, Facebook, et al. are pushing IPv6 very hard.

------
davedx
This reminds me of the “don’t use sms for 2fa” arguments.

------
neumann
This is focused purely on people who think VPN is for privacy/security. I use
a VPN to get around geo-fencing; in Australia there are a lot of media
agreements that mean you can't watch stuff here that is free elsewhere without
paying for cable or a local streaming company. A small VPN with multiple exits
so I can watch content that is free in the US and EU markets.

------
terrycody
This is BS. VPN is a legitimate service and many people rely on such services
to do their things; it may pose some potential security issues, but in most
cases it won't cause big harm to you even when your credentials are leaked.

Just try to use a very random username and password; payment can be set to a
VCC or one-time method.

------
ComodoHacker
Do random routing features like SecureCore of ProtonVPN add some value? I
think they do in terms of anonymity.

------
jacques_chester
These arguments all assume that ISPs are more trustworthy than VPN providers.

One of these markets involves competing on security and privacy. One of them
involves colluding on influencing FCC policy.

So even if a particular VPN provider is inept or corrupt, my expected return
on the investment is higher than trusting TWC.

~~~
joepie91_
> One of them involves colluding on influencing FCC policy.

That is an extremely US-centric view.

Aside from that, physical ISPs have something to lose, as they have a very
real infrastructural investment; whereas becoming a "VPN provider" literally
does not entail more than "rent a few servers, run OpenVPN, buy a billing
system license, hire a marketing guy".

It's entirely viable for a VPN provider to just disappear overnight and set up
shop under a different unrelated name at virtually no cost to them, if their
old brand gets burned. That significantly changes the trust equation, and not
in favour of VPN providers.

~~~
derefr
> physical ISPs have something to lose

Unless they're a (natural or artificial) monopoly, like... pretty much every
ISP in North America is. Comcast has the reputation of, well, Comcast, and
they're doing just fine.

> Becoming a "VPN provider" literally does not entail more than "rent a few
> servers, run OpenVPN, buy a billing system license, hire a marketing guy".

Yes, that's a _good_ thing: it means that VPN providers, unlike telcos, are
under _selection pressure_. Which means that for VPN providers, unlike telcos,
reputation actually means something; the top VPN provider is striving much
harder for your dollar than the top telco is.

Certainly, don't pick a VPN provider at random, but you wouldn't anyway.

~~~
joepie91_
> Unless they're a (natural or artificial) monopoly, like... pretty much every
> ISP in North America is. Comcast has the reputation of, well, Comcast, and
> they're doing just fine.

Once again, that is an extremely US-centric view.

> Yes, that's a good thing: it means that VPN providers, unlike telcos, are
> under selection pressure. Which means that for VPN providers, unlike telcos,
> reputation actually means something; the top VPN provider is striving much
> harder for your dollar than the top telco is.

Except that isn't how the industry works, _at all_. Virtually all "reputation"
that VPN providers have originates from paid product placements (see: the
myriad "VPN reviews" that are chock full of affiliate links, YouTube ads,
etc.), and providers are _assumed legitimate unless shown otherwise_ by
default.

This means that said "reputation" is 100% reproducible under a new brand
without ever having a single long-term customer vouching for you. There's no
competition on quality; the competition is on marketing only.

Exactly why the industry has turned out that way and doesn't follow the
"competition breeds quality" narrative that people on here love to put
forward, is left as an exercise to the reader.

~~~
derefr
> Once again, that is an extremely US-centric view.

It's a Canada-centric view, for me. :)

But seriously, does anyone _care_ about VPNs outside of North America? Why
would you, if your ISPs aren't awful? Do most VPN services even bother to
advertise outside of the North American market?

> This means that said "reputation" is 100% reproducible under a new brand
> without ever having a single long-term customer vouching for you.

Why pay attention to word-of-mouth reputation, when _survival_ under
competitive pressure is a much more objective signal of reputation of its own?

If the bad actors need to restart with a new brand every few years, then why
not just look for the oldest brands around (who must therefore have done this
the least), and then sort those by the number of negative news articles you
can find about them (which _should_ exist, given that they haven't laundered
their brand-identity much)?

It's the same thing you do to figure out who to order from on AliExpress: look
at who's put themselves out there the longest while doing active business,
without accruing negative ratings in the process.

Or, as well, it's the same thing you do when deciding whether it's worth it to
try out a new restaurant in your neighbourhood: you give it a few months, and
if it's still around, then it's probably good.

------
sjy
Can (2015) be added to the submission title? This hasn't been substantially
updated since then.

~~~
tptacek
Why would it need to be?

~~~
sjy
The opinions expressed in the article aren't new to me, but I thought the fact
that I saw them on the front page of HN implied that they were becoming
increasingly popular or there was some new development (eg. confirmation of
certain VPN providers being honeypots). If I had realised this was just a link
to a discussion that happened a few years ago and had no real impact on the
general consensus among IT experts, I wouldn't have clicked on it.

------
cookie_monsta
A slightly less breathless analysis from Krebs (2017):

[https://krebsonsecurity.com/2017/03/post-fcc-privacy-rules-should-you-vpn/](https://krebsonsecurity.com/2017/03/post-fcc-privacy-rules-should-you-vpn/)

------
bitL
How about when you get a VPN from a country that has strong privacy laws due
to bad experience with local snitches and which doesn't have an intelligence-
sharing treaty with any other country (including the US), like Romania. Wouldn't
that be safer?

------
Havoc
I don't get how using a VPS is any better than just going without anything?
It's got the exact same problem as the VPNs... just shifts the end point.

Would there be any benefit in using a number of VPS round robin style? I've
got access to a handful...

~~~
savethefuture
Simply layers obscurity; it would be harder to subpoena multiple companies
than a single VPN service. (Plus you "own" the VPS and can quickly delete or
create new services whenever.) Before you browse, create a new VPN box,
browse..., then delete the box after use. What logs, what box?

~~~
Havoc
Doesn't really get me any anonymity - first VPS box in the chain still has my
name on it (credit card history etc).

Not that it matters - fortunately my traffic isn't all that exciting

~~~
savethefuture
Well, if you are really after anonymity, you have to also keep in mind your ISP
and browser fingerprinting and the million other things that can expose you
online. :)

~~~
sizzle
Any way to spoof and inject random browser parameters to poison your
fingerprints?

------
nly
I use a third party VPN service to get around the fact that my residence comes
with broadband that hijacks all DNS and routes all HTTP (port 80) connections
through a Squid...

I also feel sharing an IP with many other users adds to the level of
anonymity.

~~~
oil25
> I use a third party VPN service to get around the fact that my residence
> comes with broadband that hijacks all DNS and routes all HTTP (port 80)
> connections through a Squid...

You could set up a local resolver to NXDOMAIN specific IP address replies.
Dnsmasq has an option for this. Regarding Squid, what makes you sure your VPN
service doesn't do the same?

> I also feel sharing an IP with many other users adds to the level of
> anonymity.

Can you explain how you feel this adds anonymity? There is still potentially a
record of you using that shared IP at a certain time to do a certain thing, so
what is your threat model in which the VPN helps anonymity?
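As an added illustration of the dnsmasq option oil25 refers to (this is a constructed example, not part of the thread), the fragment below configures a localhost-only resolver that ignores the ISP-supplied nameservers and rewrites any answer containing the ISP's redirect address into NXDOMAIN. The address 192.0.2.53 is a placeholder from the RFC 5737 documentation range standing in for whatever address the hijacking resolver actually returns, and the two upstreams are Quad9's public resolvers, chosen here only as an example.

```ini
# Constructed dnsmasq.conf fragment (added example, not from the thread).
# Listen only on the loopback address; point /etc/resolv.conf at 127.0.0.1.
listen-address=127.0.0.1
bind-interfaces

# Do not read upstream servers from /etc/resolv.conf (where the ISP's DHCP
# would put its hijacking resolvers); name the upstreams explicitly instead.
no-resolv
server=9.9.9.9
server=149.112.112.112

# Never forward bare hostnames or reverse lookups for private ranges upstream.
domain-needed
bogus-priv

# Any reply that contains this address (placeholder for the ISP's redirect /
# search page host) is rewritten to "no such domain", so applications get a
# clean NXDOMAIN instead of being sent to the hijack host. Add one line per
# redirect address you have observed.
bogus-nxdomain=192.0.2.53

cache-size=1000
```

Check the syntax with `dnsmasq --test -C /path/to/dnsmasq.conf` before enabling it. One caveat worth stating plainly: if the ISP transparently intercepts all port 53 traffic rather than merely handing out its own resolvers via DHCP, the `server=` lines above are still answered by the ISP, and `bogus-nxdomain` then only neutralises the known redirect address; it does not restore honest answers. In that case the queries need a transport the ISP cannot rewrite (DNS over TLS/HTTPS, or the tunnel nly already uses).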

------
lugg
"unless you are on a hostile network"

Which I consider my ISP.. no, I can't just change ISP, I live under five eyes.
I don't get a choice.

This article is ridiculous. It's just a clickbait title and a whole bunch of
ranting saying the exact opposite.

------
hansdieter1337
If you want privacy use Tor+VPN. Tor for anonymity, a VPN for a “clean”
breakout IP. Oh, and make sure to pay for the VPN using a form of anonymous
payment. And, make sure that your devices won’t give up your identity.

Anonymity is actually pretty hard...

~~~
mantap
VPN is just fine if you want to avoid dragnet surveillance, though choose a
less popular one. If you are actually the target of a nation-state level
adversary then yeah install Tails and use Tor but know that you're probably
fucked.

------
ru999gol
That's an astonishingly idiotic argument; most of what he talks about also
counts for your ISP too. They might log everything too and not tell you about
it, but at least my ISP never made their whole business case around protecting
my privacy.

And also, what exactly would be their incentive in building up their
infrastructure to facilitate this logging? Do you have any idea how much
storage space each VPN node in their network would need just to log
everything?

And even if they were to log everything, you are still sharing an IP with
hundreds of other people, making you less identifiable to at least the websites
you are visiting.

100% FUD

------
peterwwillis
I need an IPSec VPN a couple times a year to get around network issues.
Trouble is, when I need it, I can't connect to it to buy it, and I don't want
to pay for it year round. Pay-as-you-go IPSec would be great.

------
to-too-two
I’m way out of my element here, but would it be plausible in the future for,
say, Firefox to offer a simple and free VPN-like service? Something in the
vein of incognito mode (its UX simplicity).

~~~
miles
Firefox is testing a VPN, and you can try it right now:
[https://www.theverge.com/2019/9/11/20861381/firefox-testing-vpn-mozilla-private-network-test-pilot-program](https://www.theverge.com/2019/9/11/20861381/firefox-testing-vpn-mozilla-private-network-test-pilot-program)

Mozilla tests Firefox VPN service to help protect your privacy:
[https://www.cnet.com/news/mozilla-tests-firefox-vpn-service-to-help-protect-your-privacy/](https://www.cnet.com/news/mozilla-tests-firefox-vpn-service-to-help-protect-your-privacy/)

------
linsomniac
I've always been amazed at the prices I see for the VPN services, they seem
improbably low. Which makes me wonder where they make their money.

~~~
pnutjam
Bandwidth is cheap.

------
sarah180
The author admits in comments that this is clickbait. Not much to see here
except "the providers you trust might not be trustworthy."

------
TomMckenny
It would be nice if there were an independent auditing organization that could
confirm an ISP's claims.

------
readhn
One thing that was not mentioned: your ISP logging your data. Too much of my
data in my ISP's hands is not a good thing. I'd rather tunnel out through a
"trusted" 3rd party server than give all my data traffic to Comcast or
whatever.

------
Iv
I wholeheartedly agree and I am surprised to not see Tor mentioned as an
alternative.

------
badsavage
Hehe, at least someone is talking about it. Online privacy is a dream in the
2010s

------
drdrey
Seems to be from 2015

------
sarim
Says a person living in a free democratic society...

~~~
mrweasel
That's a fair point of course, but if you need a VPN to hide from your
government, then you need to be extremely careful about which VPN provider you
pick. Potentially your VPN provider could be forced to, or voluntarily, hand
over data to your government, without your knowledge, leading to a dangerous
false sense of security.

You certainly shouldn't be running your own VPN either, because that would be
much easier to track, seeing as your traffic isn't mixed in with that of
others.

Those of us in free democracies have little need for VPN providers. For those
who do not, I'm not sure that I'd trust a VPN provider who targets gamers via
YouTube ads.

------
jaimex2
Fantastic post. I've long given up trying to explain this to morons paying for
NordVPN and similar products.

------
sidcool
Is 1.1.1.1 a dependable VPN?

------
mcnichol
If it is necessary

Run....your....own....vpn

------
rhacker
Use a VPN and a proxy.

------
diminoten
Wasn't this already recently posted?

Also, it's a _terribly_ constructed article, genuinely terrible. Completely
wrongly assumes a specific threat model that isn't accurate for the target
audience.
