Hacker News, 2016-01-06
VPNs are not the solution to a policy problem (asininetech.com)
Lots of people seem to think the right answer is selling improved security. I disagree. It would be much more exciting to get the data coming from politicians' homes, and the homes of their staff. It would be a fantastic way to generate news. Why is senator X's household researching cancer treatment? Will they step down this year? I can't help but think military bases would google their next deployment; that's another set of huge news articles.

If you're more into the finance side of things, CXOs' home clickstreams would probably be enlightening. Or hedge fund managers'. Some will be fully encrypted and secure, but just the DNS would be a strong signal about what companies they're researching.

That is the kind of business that will drive privacy legislation.

Those people will have VPNs and other security measures. This is about exploiting ordinary people to widen the power differential between the two.

I think somebody's doing a kickstarter exactly for what you're talking about.

Got a link?

No, they're not.

The solution is getting strong, enforced laws that protect our privacy and punish those who break them.

But for the moment, with advertisers viewing themselves as God's gift to the internet who think that all your information belongs to them simply by virtue of existing, and who will go to great lengths to acquire and store it all (in perpetuity), a solution is needed, and part of that is VPNs.

> advertisers viewing themselves as gods

Tangential point, I've heard from a friend how much you can earn by being involved in a "premium" ad network, and it's basically around 100x what I can make as a SWE freelancer. I also remember a HN user claiming they make $30k/month from a simple "YouTube downloader" kind of site.

In general, you can still identify users for advertising purposes without knowing their IP address.

3rd-party cookies and fingerprinting JS are hugely different from "full take" at source.

But even with laws, you can't trust ISPs and governments that pwn them. So yes, using VPNs is prudent.

How do VPNs protect you against advertisers?

Because ISPs can't read your traffic.

But now the VPN provider can just track you and sell all your browsing history instead of the ISP, so how is this better?

Because you have much more choice for VPN providers than for ISPs. And you can change VPN periodically, far more easily than changing ISP. Also, you can use nested chains of VPNs, much like Tor, to distribute trust. So adversaries must compromise multiple providers, quickly enough that logs will be available.

Edit: Also, you can pick VPN providers outside your adversary's sphere of influence. That's standard advice for users in China, for example.

And now both of your VPN owners have your data connected to your IPs. You do have more choice, but if both of them sell the data, it doesn't make any difference.

Right, you still need to trust someone.

If it really matters, you use nested VPN chains. Three deep is my standard, and I've managed six. Latency can be a couple seconds, but hey.

Also, you can pay for a VPN without revealing your identity. Not so with ISPs. I use a VPN, for instance, to mask my Tor usage from my ISP. (I'm an American using the Internet in the United States.)

True. But the VPN provider effectively knows who you are, because they see your IP address. Or rather, a resourceful adversary can get your IP address from the VPN provider, and then get your identity from your ISP.

If you chain VPNs, however, it certainly makes sense to lease the second/indirect VPN anonymously.

It's not. There's no way to verify the VPN provider is not keeping logs and tracking you.

Yes, but every website you visit can potentially ID you with cookies or browser fingerprints.

Well, you compartmentalize in multiple VMs. Using different VPNs, Tor, and nested chains of them.

A heads-up: there's a really nice project called Streisand[1] which provides a multi-protocol VPN with very little effort. You can launch one on a cheap cloud provider (like DO, if their policy allows).

[1] https://github.com/jlund/streisand

I've used Streisand on DO (while traveling in China) and it worked well. There's also a similar project called algo[1] which provides a single protocol with maximum security, in contrast to Streisand's multi-protocol flexibility (and increased surface area).

https://github.com/trailofbits/algo

Would a 512 MB RAM DO server be enough for this? I've been looking for an alternative to a VPN for a while, but it would only be cost effective with the $5 option.

Why does he refer to OpenVPN as a "risky server"? Does it have a history of embarrassing security vulns?

I think a recurrent concern is OpenVPN's reliance on TLS, and its codebase complexity as a result of being built on OpenSSL, but with far less attention, resources and vuln hunting compared to, say, actual browsers. Complexity + lack of auditing person-hours is never a good combo. (See https://twitter.com/tqbf/status/806646188158152705)

Matt Green's audit of OpenVPN, when completed, may lead to more light on the matter. Otherwise, we're just relying on informed intuitions.

Except all the shenanigans with IPsec.

https://en.m.wikipedia.org/wiki/IPsec#Alleged_NSA_interferen...

As a "security people" I think tptacek and I could split a great number of hairs and get not too far on this one, but I am open to new info. I know a lot can hide in the complexity of OpenSSL. Maybe the whole thing with IPsec was to sway us toward OpenVPN likes. Regardless, I still lean slightly towards OpenVPN.

But honestly I am out to defeat ad networks. I only aspire to give nation states indigestion (at a mass scale). Individually if a well funded adversary wants any one of us I think they have us.

Both Tor and OpenVPN have been successfully traffic-analyzed, and using either will expose your server to censorship and your server IP gets banned in no time.

I think "other risky servers" may refer to the lesser-known servers that Streisand includes, like Shadowsocks.

I've had a few problems getting it running on AWS but setup was a breeze on GCE. So far it's been cheaper (and safer) than most VPN providers I've seen. YMMV

Any estimate on EC2 costs using this moderately?

That would depend on your traffic levels and which instance type you want to use.

This should help figure things out: http://calculator.s3.amazonaws.com/index.html

You would be better off putting it on Digital Ocean and then creating / destroying a droplet when you need it. It is what I do and my cost is like $1.50 per month (as opposed to $5).

Another thing often overlooked with VPNs is that they're just not that fast. I have a 600/40 connection, and I've tried at least six for-pay VPN providers. The fastest one I found (won't mention as my goal isn't to advertise for them) hits, at best, 100/30. And even then, only over L2TP. For whatever reason, OpenVPN is always slower on every PC I've tried this with.

And obviously, you gain a good deal of latency, especially if you use an overseas exit point.

And now we get to deal with shitty services like Netflix punishing privacy-conscious users and blocking access to paid accounts while your VPN is up.

I've used SoftEther VPN software on the type of cheap VPS you find on lowendbox.com.

I notice little if any change in speed. If anything, download speeds seem more consistent in speed without long pauses (or momentary bursts in speed).

It's very easy to install and configure, but I'm not sure how good it is at addressing the point of having a VPN, since I don't know how well the software has been audited by other people, and I wouldn't know where to begin. The same goes for how I must trust the VPS provider.

I've been using PIA for a few years and have been disappointed to see an increasing number of websites blocking VPN access.

Try switching your server. Routing through Norway, Switzerland, Sweden or the American Midwest almost never results in adverse effects. The only times I route through the default option are when I'm using LTE or GoGo.

Plus you will be banned from participating in so many places because the VPN and VPS IP blocks are over-abused and blocked.

VPNs will definitely incur overhead and latency costs, yeah.

OpenVPN can be fairly slow if you are sharing CPU usage (ex. VPS provider) with other users. You are also most likely implementing NAT on your VPN server which is probably not accelerated unless you are paying for an expensive appliance that does so.

The incentives are aligned currently so that government agencies are hacking citizens and extracting data nearly at will, with laws usually passed through secret courts. Assuming we can fix this from a policy perspective is a little naive.

I'm not saying that VPNs are the solution, but an awareness and higher usage of them should lead to better solutions such as improved onion routing.

VPNs at least fix the "do Google and the ad industry know my IP address" problem.

Perhaps one solution might be to poison the data and have your router/device make spurious random DNS lookups and HTTPS connections. Ensure the list of random websites includes the top few hundred companies likely to be in the market for usage data. If enough people did this it would make the data useless.

Data poisoning is a fantastic approach: flood the captures with so much, and with so much trash that it becomes an increasingly large amount of work to just sort out the 'real' traffic (even before any advertiser analysis of what that real traffic contains).

There are a couple of things that do this actually: the AdNauseam plugin will hide ads for you, but will also click through on them often as well, which helps pollute advertiser data capture. It won't of course be able to replicate you browsing on the page, but it'll go a long way to frustrating the efforts of 3rd parties who won't have access to the landing page metrics anyways.

There was also a post on /r/InternetIsBeautiful that was supposed to do something similar: essentially destroy your browsing habits by performing additional searches and following links in the background, but I think that relied upon a hardcoded list of searches, so its ongoing functionality was somewhat limited.

A big challenge to making something that continually obfuscates your browsing habits is making sure it doesn't accidentally end up going through actually sketchy or illegal stuff (i.e. sites/etc. that could get you on lists/attention) and making it work in a way that isn't easily detectable/filterable as 'machine traffic'. I guess that means you'd have to build in functionality to replicate following pages several links deep, not making successive requests immediately (sleeping execution/simulating scrolling), simulating some kind of 'natural' interaction: mouse movement + hovering over things + other things that users might do?

I'm sure most of that stuff is totally possible, probably even easy, might make for a fun personal project...

How would one go about doing this? More importantly... Is there a simple cross platform application I could have my friends and family install that takes little to no effort on their part?

If I were a betting man: backbone providers don't do this (sell to advertisers).

It would be costly to maintain the interception/analysis infrastructure required for such data collection.

I daresay it would cost more than what they would make off the data.

That's an interesting bet. If they isolated to the subnets they sell off to ISPs (i.e. exclude datacenters and such), what do you think would contribute to the cost/benefit difference of the two?

That is still a significant amount of traffic to analyze and store data for.

I don't want to speculate further as I don't know what margins for transit providers in NA look like.

Frankly I'm surprised they aren't doing this already.

I think the bigger hole is DNS. Full-tunnel VPNs to primarily TLS-encrypted sites seem like overkill. Encrypted DNS plus an "HTTPS Everywhere" plugin should obfuscate enough info for most people without significantly affecting latency.

DNSCrypt + HTTPS everywhere solves the latency issue but it doesn't solve some of the other issues.

You still need the technical know-how to set up a DNSCrypt recursive resolver. The resolver then talks to the respective recursive chain in plain text as DNSCrypt is not something that is widely adopted.

Hosting a private DNS server has its own issues. Many CDNs rely on the DNS server to determine which POP to route you to. It's pretty common for Australian internet users who switch their DNS to have videos streamed from Southeast Asia rather than Australia. That would cause huge perceived latency issues. Third-party DNS providers solve this with private agreements [1].

[1] https://community.akamai.com/docs/DOC-4219

The ISP can still read the SNI information to see which sites are being used, so there's not so much value in encrypting the DNS.

The IP addresses are still there in the clear. VPNs for everyone for everything is the only long term answer to this problem and others like anticompetitive zero rating practices.

Wouldn't it be fairly trivial to guess most of the domains you're visiting by looking at what IP addresses you connect to?

Yes. To be fair though, many sites are on shared hosts, and lots of traffic goes through a handful of CDN networks.

I think that the SNI note below is probably the bigger hole.

You can guess some of it trivially; cloud services such as AWS are popular and mask the org using the IP addresses.

Example: any traffic to 17.0.0.0/8 = user probably has an Apple device

Why aren't VPNs, and more broadly encryption, a solution to this problem? "Waving the wand of a technical solution," as the post pejoratively calls it, isn't such an unreasonable thing to do with an inherently technical problem. This problem only exists because of other technical wands we waved. Why solve this problem with policy? Policy is hard to get passed, hard to keep passed, and even when it is passed, oftentimes it means nothing. Remember this is the same government that contains multiple organizations surveilling your every move, not because they legally can, but because they illegally can. The point is, it's foolish to count on USG to give you a right to privacy; just look at the history on this, it's not going to happen. But it's especially foolish when this is a right that you can enforce for yourself. If you actually care about your privacy, use a VPN, or Tor; don't sit around waiting for the government to do it for you.

At the risk of sounding increasingly naive:

I believe policy is important as a part of the solution because it is a matter of protecting the general public, not just a select technically capable few.

Yes, policy is hard and can be useless but I still believe it is an important goal to fight towards.

You can care about your privacy, use a VPN and use the democratic process to enact policy change. Those things need not be mutually exclusive. VPNs are only a part of the solution and incomplete, not the solution.

At the end of the day, it is obvious that policy is the right direction to stop this bleed of infringement. However, be it noted: those who have the capability to circumvent, or ethically "get around", such encroachment have a responsibility to free those who may be entangled by that which is "freedom limiting". The argument could be had, however: is it really freedom limiting for others to know your web history? Obviously, there are second and third abilities to be held when a dominant party knows of the lesser's behavior. Still a great bit to parse. As for me and my house, we will tunnel safely through VPN.

Ya, this sucks... a lot. VPNs are a start with existing tech. I firmly believe new technology will solve this problem. Encryption everywhere. Overlay networks. New fully encrypted and anonymized DNS systems. Digital currency incentivizations. Policy helps, but in the absence of policy technology will find a solution.

Until a better solution is found, I think the way the recent IoT botnet stuff + this ISP privacy deregulation is portrayed in the media opens the opportunity for a startup that sells a secure, smart home router + VPN subscription plan.

End-to-end encryption, keys never leave your premises, routing is randomized? Looks a bit like Tor.

I'm sure you all remember this read from 6/1/2016:

The impossible task of creating a “Best VPNs” list today https://arstechnica.com/security/2016/06/aiming-for-anonymit...

One nice although limited alternative to OpenVPN is sshuttle: https://github.com/sshuttle/sshuttle

The limitations are: no IPv6 support :(, sometimes leaks DNS, and always crashes shortly after it is first started (then works fine when you start it again). There seems to be little active development.

To work around the limitations, I mostly use SOCKS (curl also supports SOCKS), plus run sshuttle to try to catch any additional traffic. For that matter, SOCKS alone would at least catch the most sensitive traffic for most people (and would make it easy to have another browser profile for watching Netflix).

I get a $15/year OpenVZ account from ramnode.com, which supports VPN usage. I haven't had an issue with bandwidth (it seems to undercount quite a lot) but I don't watch Netflix or otherwise use that much bandwidth.

The main issue I've had is that some websites (Google, Amazon, GOG) will default to various other languages that I assume other people who are doing the same thing speak. Fixed by logging in to the site, and they then seem to remember for a while even if you don't log in, but eventually they switch again.

The nice thing is that the remote server can be configured to just have an SSH server on port 80 (in case you ever want to use it from restrictive public Wi-Fi; I first started to do this after seeing SSL downgrade errors on public Wi-Fi) with public key authentication, so there is much less to worry about in terms of being responsible for a system open to the internet all the time. In SSH, I set:

  KexAlgorithms=curve25519-sha256@libssh.org
  HostKeyAlgorithms=ssh-ed25519-cert-v01@openssh.com,ssh-ed25519
  Ciphers=chacha20-poly1305@openssh.com
  MACs=hmac-sha2-256,hmac-sha2-512
So still not a super easy option but a somewhat easier option than OpenVPN. It would be quite easy with an automated way to set up the remote ssh server correctly.

Edit: Speed is quite good with this setup and while I haven't done extensive comparisons, it does not seem to lower the connection speed by much.

To be clear: sshuttle is more comparable to redirecting system traffic through a proxy than a VPN.

UDP is not tunneled at all.

Ok, so which vpn providers are good?

Sweden is a member of the EU [1]. It has a 6-month data retention law [2]. Much safer to route through Norway, Switzerland or even the United States. (I use PIA [3].)

[1] https://europa.eu/european-union/about-eu/countries_en

[2] https://www.purevpn.com/blog/data-retention-laws-by-countrie...

[3] https://www.privateinternetaccess.com

I went looking for a spreadsheet I once saw, apparently it's become a website.

https://thatoneprivacysite.net/vpn-section/

France runs a mass warrantless Internet surveillance program [1]. It is one of the countries our OpSec consultant specifically recommends taking clean computers to. It is labelled, by "That One Privacy Site" as NOT being an "enemy of the Internet" (whatever that means). Difficult to take the rest of its recommendations seriously.

https://thatoneprivacysite.net/vpn-comparison-chart/

Setting up VPNs doesn't scale. The entire internet can't be behind VPNs, not to mention people with poor internet will not be able to use a VPN effectively.

I don't think the parent was trying to make or ask whether VPNs scale when he/she asked which VPNs are good.

thatoneprivacysite.net

On that site he has a massive spreadsheet of many if not all VPN providers and the various pros and cons.

I had all sorts of VPN problems over the years with various Linux desktop OSes. What I do instead is that I have a proxy server with just an OpenSSH daemon on port 443 (if there's web traffic, add sslh to taste) and then use the SOCKS v5 proxy built into the OpenSSH client and then http://darkk.net.ru/redsocks/ I might be the weird case here, but I found this infinitely easier to set up than any VPN.

SSH tunnels work in a pinch (OpenSSH is <3). However, for coverage across devices such as smartphones, OpenVPN works better long-term.

To each their own. I am hanging in there with proxydroid.

Technology used to trump policy, in an unstable but stubborn way. Napsters and Pirate Bays die, but file sharing lives. It's less intense now not because of policies, but because legal ways to buy most music and videos became reasonably convenient for the mass user.

How well might connectivity limitation work? It took China immense centralization and a lot of technical effort to build the great firewall, which is not exactly impenetrable, though.

Oh dear, without this crucial legislation in place, people are now going to start getting copyright infringement notices for downloading and seeding torrents.

http://www.pcmag.com/article2/0,2817,2495932,00.asp

https://www.bestvpn.com/best-linux-vpn/

The PCMag survey felt very heavily weighted to who they get referral fees from. Every top rated VPN had a special link and referral offer.

That being said, I used it and ended up choosing one that they recommended, basically due to lack of timely info from other sources. That was a couple of months ago.

The solution to all of this is educating the population.

VPN tech is cheaper and more likely to succeed.

Especially if the VPN Provider is a shell company of the NSA or CIA!

On the contrary, Hanlon's razor could just assume well-intentioned VPN hosts failing to secure their design through negligence or ignorance of broken protocols.

