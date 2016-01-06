If you're more into the finance side of things, CXOs' home clickstreams would probably be enlightening. Or hedge fund managers'. Some will be fully encrypted and secure, but just the DNS would be a strong signal about what companies they're researching.
That is the kind of business that will drive privacy legislation.
The solution is getting strong, enforced laws that protect our privacy and punish those who break them.
But for the moment, with advertisers viewing themselves as God's gift to the internet, who think that all your information belongs to them simply by virtue of existing, and who will go to great lengths to acquire and store it all (in perpetuity), a solution is needed, and part of that is VPNs.
Tangential point, I've heard from a friend how much you can earn by being involved in a "premium" ad network, and it's basically around 100x what I can make as a SWE freelancer. I also remember a HN user claiming they make $30k/month from a simple "YouTube downloader" kind of site.
Edit: Also, you can pick VPN providers outside your adversary's sphere of influence. That's standard advice for users in China, for example.
If it really matters, you use nested VPN chains. Three deep is my standard, and I've managed six. Latency can be a couple seconds, but hey.
If you chain VPNs, however, it certainly makes sense to lease the second/indirect VPN anonymously.
[1] https://github.com/jlund/streisand
https://github.com/trailofbits/algo
Matt Green's audit of OpenVPN, when completed, may lead to more light on the matter. Otherwise, we're just relying on informed intuitions.
https://en.m.wikipedia.org/wiki/IPsec#Alleged_NSA_interferen...
As one of the "security people", I think tptacek and I could split a great number of hairs and not get too far on this one, but I am open to new info. I know a lot can hide in the complexity of OpenSSL. Maybe the whole thing with IPsec was to sway us toward the likes of OpenVPN. Regardless, I still lean slightly towards OpenVPN.
But honestly I am out to defeat ad networks. I only aspire to give nation states indigestion (at a mass scale). Individually if a well funded adversary wants any one of us I think they have us.
This should help figure things out:
http://calculator.s3.amazonaws.com/index.html
And obviously, you gain a good deal of latency, especially if you use an overseas exit point.
And now we get to deal with shitty services like Netflix punishing privacy-conscious users and blocking access to paid accounts while your VPN is up.
I notice little if any change in speed. If anything, download speeds seem more consistent, without long pauses (or momentary bursts in speed).
It's very easy to install and configure, but I'm not sure how good it is at addressing the point of having a VPN, since I don't know how well the software has been audited by other people, and I wouldn't know where to begin. The same goes for how I must trust the VPS provider.
OpenVPN can be fairly slow if you are sharing CPU usage (e.g. on a VPS provider) with other users. You are also most likely implementing NAT on your VPN server, which is probably not accelerated unless you are paying for an expensive appliance that does so.
I'm not saying that VPNs are the solution, but an awareness and higher usage of them should lead to better solutions such as improved onion routing.
VPNs at least fix the "does Google and the ad industry know my IP address" problem.
There are a couple of things that do this actually: the AdNauseam plugin will hide ads for you, but will also click through on them often as well, which helps pollute advertiser data capture. It won't of course be able to replicate you browsing on the page, but it'll go a long way to frustrating the efforts of third parties who won't have access to the landing page metrics anyway.
There was also a post on /r/InternetIsBeautiful that was supposed to do something similar: essentially destroy your browsing habits by performing additional searches and following links in the background, but I think that relied upon a hardcoded list of searches, so its ongoing functionality was somewhat limited.
A big challenge to making something that continually obfuscates your browsing habits is making sure it doesn't accidentally end up going through actually sketchy or illegal stuff (i.e. sites/etc. that could get you on lists/attention) and making it work in a way that isn't easily detectable/filterable as 'machine traffic'.
I guess that means you'd have to build in functionality to replicate following pages several links deep, not making successive requests immediately (sleeping execution/simulating scrolling), simulating some kind of 'natural' interaction: mouse movement + hovering over things + other things that users might do?
I'm sure most of that stuff is totally possible, probably even easy, might make for a fun personal project...
It would be costly to maintain the interception/analysis infrastructure required for such data collection.
I daresay it would cost more than what they would make off the data.
I don't want to speculate further as I don't know what margins for transit providers in NA look like.
You still need the technical know-how to set up a DNSCrypt recursive resolver. The resolver then talks to the respective recursive chain in plain text as DNSCrypt is not something that is widely adopted.
[1] https://community.akamai.com/docs/DOC-4219
I think that the SNI note below is probably the bigger hole.
Example:
any traffic to 17.0.0.0/8 = user probably has an Apple device
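The two signals this thread keeps coming back to (the DNS query in the first comment, and the SNI / destination-prefix point just above) can be put together in a few lines. The script below is an added example, not code from the thread: it takes constructed flow records of the kind a transit provider or ISP sees for TLS traffic (destination IP, TLS ClientHello server name, preceding DNS query name) and reports what each one reveals. The 17.0.0.0/8 = Apple mapping is the one given in the comment above; 203.0.113.0/24 is an RFC 5737 documentation range used here as a hypothetical "some company's hosting block", and all hostnames are made up.

```python
import ipaddress
from collections import Counter

# Prefix -> owner label. 17.0.0.0/8 is the Apple allocation mentioned in the
# thread; 203.0.113.0/24 is a documentation range (RFC 5737) standing in for
# a hypothetical company's hosting block. Both entries are illustrative only.
PREFIX_TABLE = {
    ipaddress.ip_network("17.0.0.0/8"): "apple",
    ipaddress.ip_network("203.0.113.0/24"): "placeholder-corp",
}

# Constructed flow records (not real captures). 'sni' is the TLS ClientHello
# server name ("" if absent); 'qname' is a DNS query seen just before the flow.
SAMPLE_FLOWS = [
    {"dst": "17.253.144.10", "dport": 443, "sni": "", "qname": ""},
    {"dst": "203.0.113.7", "dport": 443,
     "sni": "investor.example-bank.test", "qname": "investor.example-bank.test"},
    {"dst": "198.51.100.20", "dport": 443, "sni": "", "qname": "mail.example.test"},
    {"dst": "198.51.100.21", "dport": 443, "sni": "www.example.test", "qname": ""},
]


def registrable(name):
    """Crude 'which site' label: the last two DNS labels. Enough to make the
    point; a real tool would consult the public suffix list."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name


def classify_flow(flow, table=PREFIX_TABLE):
    """Return the identity signals one flow leaks, strongest first:
    SNI names the exact site even when DNS was encrypted or cached,
    the DNS query names it slightly less reliably, and the destination
    prefix still narrows it down when neither is visible."""
    signals = []
    if flow.get("sni"):
        signals.append(("sni", registrable(flow["sni"])))
    if flow.get("qname"):
        signals.append(("dns", registrable(flow["qname"])))
    addr = ipaddress.ip_address(flow["dst"])
    for net, label in table.items():
        if addr in net:
            signals.append(("prefix", label))
    return signals


def profile(flows, table=PREFIX_TABLE):
    """Aggregate signals over many flows: this is the 'clickstream' an
    observer builds per household, with no payload decryption at all."""
    counts = Counter()
    for flow in flows:
        for kind, value in classify_flow(flow, table):
            counts[(kind, value)] += 1
    return counts


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["dst"], "->", classify_flow(flow))
    print(profile(SAMPLE_FLOWS))
```

Note what a VPN does and does not change here: the ISP now sees only flows to the VPN endpoint, so every one of these signals disappears from its view, but all of them reappear, unchanged, in the VPN provider's view, which is why the choice of provider and its logging policy is the whole question.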
I believe policy is important as a part of the solution because it is a matter of protecting the general public, not just a select, technically capable few.
Yes, policy is hard and can be useless but I still believe it is an important goal to fight towards.
You can care about your privacy, use a VPN and use the democratic process to enact policy change. Those things need not be mutually exclusive. VPNs are only a part of the solution and incomplete, not the solution.
The impossible task of creating a “Best VPNs” list today
https://arstechnica.com/security/2016/06/aiming-for-anonymit...
The limitations are: no ipv6 support :(, sometimes leaks dns, and always crashes shortly after it is first started (then works fine when you start it again). There seems to be little active development.
To work around the limitations, I mostly use SOCKS (curl also supports SOCKS), plus run sshuttle to try to catch any additional traffic. For that matter, SOCKS alone would at least catch the most sensitive traffic for most people (and would make it easy to have another browser profile for watching netflix).
I get a $15/year OpenVZ account from ramnode.com, which supports VPN usage. I haven't had an issue with bandwidth (it seems to undercount quite a lot) but I don't watch netflix or otherwise use that much bandwidth.
The main issue I've had is that some websites (google, amazon, gog) will default to various other languages that I assume other people who are doing the same thing speak. Fixed by logging in to the site and they then seem to remember for a while even if you don't log in, but eventually they switch again.
The nice thing is that the remote server can be configured to just have an SSH server on port 80 (in case you ever want to use it from restrictive public wifi; I first started to do this after seeing SSL downgrade errors on public wifi) with public key authentication, so there is much less to worry about in terms of being responsible for a system open to the internet all the time. In SSH, I set:
KexAlgorithms=curve25519-sha256@libssh.org
HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
Ciphers=chacha20-poly1305@openssh.com
MACs=hmac-sha2-256,hmac-sha2-512
Edit: Speed is quite good with this setup and while I haven't done extensive comparisons, it does not seem to lower the connection speed by much.
UDP is not tunneled at all.
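The SOCKS-over-ssh setup in the comment above has one detail worth seeing on the wire: whether a SOCKS5 client hands the proxy a hostname or an IP address decides whether the DNS lookup happens on the VPS (inside the tunnel) or on the laptop (in the clear). The script below is an added example, not code from the thread: it encodes the SOCKS5 CONNECT request (RFC 1928) both ways, decodes it as the proxy side would, and flags the variant that leaks DNS. The hostnames and addresses are made up.

```python
import socket
import struct

# SOCKS5 constants from RFC 1928.
SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REPLY_TEXT = {
    0x00: "succeeded", 0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset", 0x03: "network unreachable",
    0x04: "host unreachable", 0x05: "connection refused", 0x06: "TTL expired",
    0x07: "command not supported", 0x08: "address type not supported",
}


def greeting():
    """Client's first message: version 5, one auth method offered, 0x00 = none
    (ssh -D authenticates the SSH session, not the SOCKS session)."""
    return bytes([SOCKS_VERSION, 1, 0x00])


def connect_by_name(host, port):
    """CONNECT with ATYP 0x03: the bare hostname is sent through the tunnel and
    the ssh server resolves it on the VPS. This is what curl --socks5-hostname
    (socks5h://) and Firefox's 'Proxy DNS when using SOCKS v5' do."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain address")
    return (bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def connect_by_ip(ip, port):
    """CONNECT with ATYP 0x01/0x04: the client already resolved the name
    itself (curl --socks5, socks5://), so that DNS query left the machine
    outside the tunnel. The proxy only ever sees the address."""
    try:
        packed, atyp = socket.inet_pton(socket.AF_INET, ip), ATYP_IPV4
    except OSError:
        packed, atyp = socket.inet_pton(socket.AF_INET6, ip), ATYP_IPV6
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + packed + struct.pack("!H", port)


def parse_connect(data):
    """Proxy-side decoder: returns (kind, target, port) for a CONNECT request."""
    if len(data) < 5 or data[0] != SOCKS_VERSION or data[1] != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    atyp = data[3]
    if atyp == ATYP_IPV4:
        kind, target, rest = "ipv4", socket.inet_ntop(socket.AF_INET, data[4:8]), data[8:]
    elif atyp == ATYP_IPV6:
        kind, target, rest = "ipv6", socket.inet_ntop(socket.AF_INET6, data[4:20]), data[20:]
    elif atyp == ATYP_DOMAIN:
        n = data[4]
        kind, target, rest = "domain", data[5:5 + n].decode("idna"), data[5 + n:]
    else:
        raise ValueError("unknown address type %#x" % atyp)
    if len(rest) != 2:
        raise ValueError("malformed request length")
    return kind, target, struct.unpack("!H", rest)[0]


def leaks_dns(request):
    """True when the client resolved the target locally before proxying,
    i.e. the query for it was visible to the local network."""
    return parse_connect(request)[0] != "domain"


def parse_reply(data):
    """Server's answer to CONNECT: (status text, bound address, bound port).
    ssh -D answers with 0.0.0.0:0 as the bound address on success."""
    if len(data) < 10 or data[0] != SOCKS_VERSION or data[3] != ATYP_IPV4:
        raise ValueError("unsupported or malformed reply")
    status = REPLY_TEXT.get(data[1], "unknown %#x" % data[1])
    return status, socket.inet_ntop(socket.AF_INET, data[4:8]), struct.unpack("!H", data[8:10])[0]


if __name__ == "__main__":
    good = connect_by_name("example.test", 443)
    bad = connect_by_ip("198.51.100.20", 443)
    print(greeting().hex(), good.hex(), parse_connect(good), leaks_dns(good))
    print(bad.hex(), parse_connect(bad), leaks_dns(bad))
    print(parse_reply(b"\x05\x00\x00\x01\x00\x00\x00\x00\x00\x00"))
```

Practical reading of this: with `ssh -D 1080 -N user@vps` running, `curl --socks5-hostname 127.0.0.1:1080 https://example.test/` produces the first form and keeps the lookup on the VPS, while `curl --socks5 127.0.0.1:1080 ...` produces the second and resolves via whatever resolver the laptop has. Whatever sshuttle catches on top of that, the SOCKS browser profile only protects DNS if remote resolution is switched on.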
[1] https://europa.eu/european-union/about-eu/countries_en
[2] https://www.purevpn.com/blog/data-retention-laws-by-countrie...
[3] https://www.privateinternetaccess.com
[1] http://www.cnn.com/2013/07/05/world/europe/france-surveillan...
https://thatoneprivacysite.net/vpn-section/
On that site he has a massive spreadsheet of many if not all VPN providers and the various pros and cons.
How well might connectivity limitation work? It took China immense centralization and a lot of technical effort to build the great firewall, which is not exactly impenetrable, though.
http://www.pcmag.com/article2/0,2817,2495932,00.asp
https://www.bestvpn.com/best-linux-vpn/
That being said, I used it and ended up choosing one that they recommended, basically due to a lack of timely info from other sources. That was a couple of months ago.
VPN tech is cheaper and more likely to succeed.
