And even in the case of a known-hostile ISP that engages in invasive practices like supercookies or ad injection, it's unrealistic to ask users to set up and maintain their own VPS servers.
For the average internet user, a "glorified proxy" service that is hassle-free to set up is a simple and effective means of protection against such a menace.
He says that VPN providers don't provide more security. They do, and he mentions this himself when it comes to the public wifi argument.
He says that VPN providers don't provide more encryption. They do. Another layer of transport encryption is another layer of transport encryption.
He says that VPN providers don't provide more privacy. They do. Turns out a lot of networks do things like log DNS, which a decent VPN client can tunnel.
He says there are two use cases for VPNs: There are a lot more.
He says that tunneling all of your traffic is a worse case for obfuscating your identity to a third party service. It's not, or at least I can't imagine how it would be.
He says that instead of a VPN, you can use a VPS with a VPN: That's just a VPN. It does all of the same things, including being outsourced to a third-party provider, except you lose a ton of the functionality of a real VPN service like geographical redundancy and spread.
He asks why VPN services exist, if for any other purpose than stealing traffic or data, but fails to understand any way in which a VPN service could be useful.
The entire piece is just the opinions of someone who is failing to see that other people have significantly different use-cases and threat models than he does.
Especially if you think of "local -> internet" as easier to intercept than "somewhere internet -> otherwhere internet". Which it usually is. One involves something dumb simple like ARP poisoning. Another involves compromising a telco or the VPN provider itself, which is a teensy bit harder. All of this is even sillier if you consider the hostile-network scenario as well.
Yes, you are offloading 'trust' that the VPN provider doesn't also log your DNS. There's more chance that they don't when they say they don't, than your corporate network doesn't when they say they do.
Imagine if, in response to the question, "how do I protect myself from snooping ISPs" someone provided the answer, "Just use an ISP that specializes in providing anonymity." You'd probably object on the following grounds:
* Saying you provide anonymity doesn't mean that you actually do. And track records tend to demonstrate otherwise.
* Your ISP still knows exactly who you are, even if they promise not to tell.
* ISPs who specialize in shady customers are more likely to be under surveillance themselves, meaning you're now more likely to be under surveillance rather than less.
* You're solving the wrong problem: you need end-to-end privacy, not just customer-to-ISP
You'd be right. But more importantly, these same objections apply to VPN providers. They more-or-less ALL specialize in aggregating known-suspicious traffic, which is not the bundle you want to be tied in with.
In fact, any argument you could make against using a Cloud VPN endpoint can also be made against a VPN service provider. Because, and this should be painfully obvious already, VPN providers just terminate their traffic through Cloud and/or Colo hosting providers as well; usually optimized on bandwidth cost over all else. So by setting up your own VM, you're just cutting out one of the middle men. There's nothing they can do that you can't do just as well without them.
That applies to any service out there. Are you running your own mail server?
And, yeah, I could set up my own VPN on a VPS I rent. They're only $5 a month. I'd just need a couple in the USA, a couple in the UK, a couple in a few different EU countries, a couple in Australia...
The service I pay for from a VPN provider is not ultra secure. It's not even above average secure. It is, however, somewhat secure. And yeah, sometimes it lumps me with "known-suspicious traffic", but that's okay: What I'm doing is completely irrelevant to that fact.
Your argument for VPN services completely forgets that a VPN service in this regard is just another ISP.
How do you know you can trust this ISP any more than the one you're already using?
My ISP tells me that they do, indeed, operate legally and collect metadata. They tell me that they do, indeed, inject JS sometimes. They tell me that they do, indeed, reserve the right to resell my anonymised data for marketing purposes.
My VPN service provider tells me that they do none of these things, and in fact have been reported in the tech media for telling courts to kindly go fuck themselves when it comes to logging.
Who do I trust collects less data? Well, to be honest, I'm 100% certain that the ISP is doing the things it tells me it's doing. I'm not 100% certain that the VPN provider isn't doing things it tells me it's not, but it's a damn sight sure less than 100%.
And, y'know, despite all that rhetoric: The main thing I use my VPN provider for is to watch the US version of Netflix.
Simple. For example, you live in a country where ISPs are allowed to do whatever they want (or forced to do what government/letter agencies want), so if you value your privacy and data, you use a VPN company that's based in a country where private data is respected and protected by law.
Your ISP has strong laws that require a court order for anyone to take a peek or identify you. Your VPN provider does not but can legally do whatever they want with your data. Mining, providing/selling personal information etc. (and they are equally forced to reveal everything asked for when faced with a court order).
The combination of using a service such as a VPN (drawing attention to your activities) with less legal protection is in my opinion the biggest argument against using a VPN.
> You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
I think that covers the case you're worried about.
You can forget Github, Facebook, Instagram, NYT, but I'm not even trying to use those... I want to get my damn work done. If all my contacts were on WeChat, I only wanted to use Weibo, and could search using pinyin, I might be fine.
I agree it should have been much more prominent, because this is exactly why I use one, and why many folks I know use one.
aka "the internet"...
I think that sshuttle changes that calculus.
sshuttle allows you to make any ssh server a VPN endpoint. So you don't need to configure IPSEC or make an SSH tunnel or anything like that - you just need a login on an ssh server somewhere.
If either of them is going to use my traffic data against me, I'd rather it be the former, who I can easily replace within minutes and has less information about me.
I chose one which seems moderately high profile (where a court case could ruin their reputation), and they are apparently planning on supporting wireguard later on. Seems I picked the right one :)
I just trust my VPN provider more than my ISP. The data policy of my VPN is much better: they cannot legally sell my data, whereas my ISP makes no such promises.
Based on that, I believe if you want an extra level of security for every day use, then go for a big VPN co. If you're doing highly sensitive style stuff, then there's probably better software and services out there. It's all about your threat model I suppose.
They operate in a jurisdiction where I can actually hold them liable and where I know which of their claims are legally binding.
I think the point of the article is that an arbitrary VPN provider is really no different than an overzealous, data-mining ISP. Unless people can trivially join some sort of anonymized, decentralized mesh network, they are going to be forced to trust a third party at some point.
w/r to package managers, apt is usually unencrypted. Of course, there's signature validation that makes sure you don't get altered packages, but traffic can be snooped nonetheless.
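As an added illustration of the point above (this is example code, not something posted in the thread), here is a small checker that reads apt source definitions in both the classic one-line format and the deb822 stanza format and reports every mirror that is fetched over a transport that is not https or tor+https. The sample source files are constructed for the example; on a real box you would feed it the contents of /etc/apt/sources.list and /etc/apt/sources.list.d/*.

```python
"""Flag apt sources that are fetched over plain HTTP (or FTP).

Added example, not from the thread. Signature checks protect package
integrity, but with an http:// mirror everyone on the path still sees which
packages (and so which versions, and which holes you are patching) you pull.
The sample inputs below are constructed for illustration.
"""
import re
from urllib.parse import urlsplit

# Schemes that wrap the package stream in an encrypted transport.
ENCRYPTED_SCHEMES = {"https", "tor+https"}

# Local media: nothing crosses the network, so nothing to report.
LOCAL_SCHEMES = {"file", "cdrom", "copy"}


def _uris_from_one_line(text):
    """Yield URIs from classic sources ('deb [options] URI suite components')."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] not in ("deb", "deb-src"):
            continue
        idx = 1
        # Skip an optional '[arch=amd64 signed-by=...]' options block.
        if idx < len(parts) and parts[idx].startswith("["):
            while idx < len(parts) and not parts[idx].endswith("]"):
                idx += 1
            idx += 1
        if idx < len(parts):
            yield parts[idx]


def _uris_from_deb822(text):
    """Yield URIs from deb822-style sources (stanzas carrying a 'URIs:' field)."""
    for stanza in re.split(r"\n\s*\n", text):
        for line in stanza.splitlines():
            if line.lower().startswith("uris:"):
                for uri in line.split(":", 1)[1].split():
                    yield uri


def plaintext_sources(text, deb822=False):
    """Return the URIs in 'text' whose transport is not encrypted, in file order."""
    uris = _uris_from_deb822(text) if deb822 else _uris_from_one_line(text)
    flagged = []
    for uri in uris:
        scheme = urlsplit(uri).scheme.lower()
        if scheme in LOCAL_SCHEMES:
            continue
        if scheme not in ENCRYPTED_SCHEMES:
            flagged.append(uri)
    return flagged


# Constructed sample files (hypothetical mirrors) for illustration.
ONE_LINE_SAMPLE = """\
# main archive
deb http://deb.debian.org/debian bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://mirror.example.org/debian bookworm main
deb-src ftp://ftp.example.net/debian bookworm main
deb cdrom:[Debian_12]/ bookworm main
"""

DEB822_SAMPLE = """\
Types: deb
URIs: http://deb.debian.org/debian https://deb.debian.org/debian-security
Suites: bookworm bookworm-security
Components: main

Types: deb
URIs: tor+https://example.onion/debian
Suites: bookworm
Components: main
"""

if __name__ == "__main__":
    for uri in plaintext_sources(ONE_LINE_SAMPLE):
        print("plaintext transport (one-line):", uri)
    for uri in plaintext_sources(DEB822_SAMPLE, deb822=True):
        print("plaintext transport (deb822):", uri)
```

The checker only looks at the transport; it says nothing about whether a given mirror actually offers https, which you have to confirm before editing the file.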
Not at all useful for the single largest desktop OS, Windows.
Even less sensible for the majority of Internet traffic, which is now on a mobile OS.
<edit I guess should read other comments before posting>
Is it really? I guess it depends on what sort of threat you are trying to protect yourself from.
Using public wifi lots of places leaves different traces at completely disconnected ISPs/service-points. For an attacker, obtaining and correlating all these is probably not a realistic option.
Consistently using a third-party VPN service (as opposed to hosting your own) centralizes all your data in a single point which is much easier to target.
I wrote a post pretty similar to this about Tor several years ago. That's even worse than a VPN.
 - https://www.iei.liu.se/nek/730g83/artiklar/1.328833/AkerlofM...
"Lemons" discusses a buyer and seller having different levels of knowledge about a product, not necessarily one another. The result, in the essay, is that buyers presume lower-quality product, and something of a self-fulfilling prophecy emerges in that sellers are aware that high-quality product won't trade on the market.
This is one of several types of Gresham's Law dynamics, where Gresham's Law can be generalised to describe both asymmetries of information and constraints on complexity.
The knowledge of the counterparty case verges more on one of control, in being able to know the other party's interests, motives, and/or vulnerabilities. That's ... well outside the scope of "Lemons", and has far more to do with power and control dynamics.
(Though it might also result in presumptions on the part of customers of such a monopoly.)
Part of the answer, in both cases, is to provide more information or trust through various mechanisms, including regulation, audits, etc.
The part of the ISP market which is as described in "Lemons" is in knowing what information is or isn't collected, and how it's used. The inability to do so does lead to race-to-the-bottom tendencies, a phenomenon also frequently described as "a (sort of|kind of) Gresham's Law".
Searching for variants of that phrase within Google Books is quite interesting. Examples include: legal citations, neighbourhoods, immigration/immigrants, coin, politicians, divorce law, environmental regulations, mass / popular media, television, bicycles, software, consumer electronics, and more.
See also: the Tyranny of the Minimum Viable User
I've also explored Gresham's Law quite a bit:
Also the end result of a market full of lemons is something that develops over time. I don't think the VPN market is mature enough for buyers to have learned to presume a lower quality product. I would even argue that the information asymmetry is so extreme in the case of VPN services, that a user can purchase a product, use it for years, and still not be able to accurately assess its quality. This would slow down the development of a true market for lemons.
The "Market for Lemons" dynamic has an earlier precursor, the horse trader. In looking up Gresham's Law references, I've run across H.L. Mencken's "Bayard vs. Lionheart" (1926), which references "David Harum". That was a novel, and film, and later (after Mencken's writing) a radio serial, about a horse trader.
Horses, as complex and nonuniform goods, had developed a reputation for unreliable and underhanded dealing. The lasting legacy of the novel itself is the expression "horse trading".
Where it breaks I think is that you can chain as many VPNs as you want, only the last one sees what you are downloading, the others only see traffic to another VPN. So the authority just needs to subpoena that one.
If the “outer” VPN is UDP or IPsec, then not as much an issue, but many of the VPN providers commonly used are TCP based (of the ones I spot checked from a google search anyway). And remember, since they are TCPinTCP already, you are just making the situation even more likely to occur.
Further reading: http://sites.inka.de/bigred/devel/tcp-tcp.html
The exception are things like SSH tunnels using sshuttle but they call themselves a "poor man's VPN" for a reason.
The biggest issue for me is that VPN providers have given me no particular reason to trust them. If I already have reasons to distrust large international corporations that say they care about my privacy, why would I go trust one I've never heard of on the Internet that says it cares about my privacy?
In the EU I've seen this successfully done with ISPs, ie. customers request logs and get a CD by mail. You'll have to insist and it might involve a small service fee.
Note: I write "law" because afaik the current logging directives have been found in violation of the European Human Rights declaration, I hear a legal battle is pending:
"YOU’RE STILL GONNA BE MOSSAD’ED UPON" (from https://www.usenix.org/system/files/1401_08-12_mickens.pdf )
Whether or not your VPN provider gives you any particular reason to trust them - for some of us, the government has passed laws to require our ISPs to be "untrustworthy".
I'd imagine a list of those ones would be considered more credible
I know PIA had an actual FBI subpoena. (literally the first link I find) Of course there are collision based identification methods, but knowing that you use a VPN and were using something on the East Coast isn't much to go off of. Worst case I can see here is "User was the only one connected on the East coast at this time", but with PIA's userbase, that seems like an unlikely scenario.
There's also a list (a little old)
I remember looking a little closer back when the ISP stuff was happening and it wasn't too hard to find cases where specific VPNs were "tested in the field". But I remember coming across a few, I think Norad was also one of them.
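The PIA subpoena comment above reasons about whether "connected on the East Coast at this time" narrows things down to one person. As an added example (not code from the thread, and not a description of any provider's real records), the function below computes that anonymity set from a constructed session table: given the exit address the destination saw and the time it saw it, it returns every account whose tunnel overlapped that moment on that exit. The clock-skew padding, the account ids and the session times are all assumptions of the example.

```python
"""Anonymity set behind a shared VPN exit address.

Added example, not from the thread. A subpoena pins a connection to one exit
IP and one point in time; whether that identifies anyone depends on how many
tunnels were up on that exit around then. A provider that keeps no session
records cannot compute this at all, which is the point of not keeping them.
All records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Session:
    account: str              # opaque account id
    exit_ip: str              # shared exit address the destination saw
    start: datetime           # tunnel established (UTC)
    end: Optional[datetime]   # tunnel torn down (UTC); None means still up


def anonymity_set(sessions, exit_ip, seen_at, clock_skew=timedelta(minutes=5)):
    """Accounts whose sessions overlapped 'seen_at' on 'exit_ip'.

    The window is widened by clock_skew on both sides because the destination's
    clock, the VPN's clock and the log writer rarely agree to the second.
    """
    lo, hi = seen_at - clock_skew, seen_at + clock_skew
    accounts = set()
    for s in sessions:
        if s.exit_ip != exit_ip:
            continue
        end = s.end if s.end is not None else datetime.max
        if s.start <= hi and end >= lo:   # closed-interval overlap test
            accounts.add(s.account)
    return accounts


def identifies_user(sessions, exit_ip, seen_at, **kw):
    """True when the records single out exactly one account (the worst case)."""
    return len(anonymity_set(sessions, exit_ip, seen_at, **kw)) == 1


# Constructed records: one busy shared exit and one nearly idle exit.
BASE = datetime(2018, 3, 1, 14, 0)
M = timedelta(minutes=1)
SESSIONS = [
    Session("acct-1", "198.51.100.10", BASE, BASE + 120 * M),
    Session("acct-2", "198.51.100.10", BASE + 30 * M, BASE + 60 * M),
    Session("acct-3", "198.51.100.10", BASE + 50 * M, None),
    Session("acct-4", "198.51.100.10", BASE - 180 * M, BASE - 60 * M),
    Session("acct-5", "203.0.113.7", BASE + 40 * M, BASE + 45 * M),
]

if __name__ == "__main__":
    # Busy exit: three accounts overlap, so the record does not single anyone out.
    print(sorted(anonymity_set(SESSIONS, "198.51.100.10", BASE + 55 * M)))
    # Idle exit: a single overlapping account, i.e. the "only one connected" case.
    print(identifies_user(SESSIONS, "203.0.113.7", BASE + 42 * M))
```

The interesting output is not the busy-exit case but the idle one: a small exit, an odd hour, or a provider that hands out one address per customer collapses the set to a single account regardless of what the logging policy says.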
So you can open it up in Acrobat, and see everything below.
Are you going to trust a VPN provider that can’t even black out text in a PDF?
For reference, here the content with the blacked out info un-blacked-out: https://i.imgur.com/u1hYerD.png and https://i.imgur.com/1a9YD0f.png
Could it have been done on purpose? To fulfill legal requirements and prove they aren't hiding anything.
Or could it be an accident? If the latter, then there are certainly questions to ask. I'd expect the legal department to have different tech skills than the IT department though. But still questions.
I don't know the answer, and really would like an answer if someone does know the correct one.
I'm not sure why they went through the rigmarole of pretending to black something out. Maybe they were just fucking with him?
So why did they black it out? As a childish joke? Also not inspiring trust in them.
And if they just blacked it out, without need of doing so, and fucked that up, then the question is if they're trustworthy if their security team doesn't double check their blacked out PDFs.
The problem isn't with the content, but with the process.
It's far more likely it was created by some middle-level communications staffer.
If your VPN allows any intern to simply post PDFs online that contain such info, without the legal or security department looking over it, you're not trustworthy.
What's next? Next time they actually deliver someone's info, and it ends up in a PDF everywhere online, too?
Trust is a fragile thing.
VPNs are useful to avoid negative effects of traffic analysis and bad QoS, bad neighbors at a public access point, and give privacy or a different geolocation when accessing specific individual destinations on the web (e.g., an IRC server that would emit your IP into the public log). Generally, VPNs should be used as needed to serve one of these specific purposes, not 24/7.
Expecting protection from your government or ISP for $10 / mo is a tad unrealistic.
I know I certainly don't have the time, inclination, or frankly the expertise, to keep abreast of the internal developments in a VPN provider's business, which will likely be private anyway, as well as the evolving legal/regulatory framework wherever they operate. Similarly, policies regarding logs or data retention can evolve over time, one of course has to trust that any retention policy disclosed in public is actually adhered to in private.
If you really are someone who has to give serious consideration to the risk of logs being pulled, I'm not sure any commercial third party provider is a "safe" option.
Additionally, why would a VPN keep logs at all? With no traces, they have "plausible deniability" that some of their users are doing horrible, horrible things online. This is the main reason I trust my VPN provider to not have logs. IIRC, the only thing they look for is email spam (which is fairly easy to detect with very minimal / time restricted logging), as it spoils their IP addresses too quickly.
That might be a few minutes, hours, or days. Weeks, months, years, not so much.
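As an added example of the "very minimal / time restricted logging" idea in the comment above (this is illustrative code, not anything a provider posted or runs), the detector below keeps, per tunnel session, only the timestamps of outbound port-25 connection attempts inside a short sliding window. No destination addresses, no payloads and nothing older than the window are retained, and a session's entry is deleted as soon as its window drains, so there is nothing left to produce later. The window size, the limit and the flow records are all assumptions of the example.

```python
"""Outbound-spam burst detection with deliberately minimal, self-expiring state.

Added example, not from the thread. The detector answers one question only
("is this session hammering port 25?") and keeps just enough to answer it for
the duration of the window. Flow tuples below are constructed for illustration.
"""
from collections import deque


class SmtpBurstDetector:
    def __init__(self, window_seconds=600, max_connections=100):
        self.window = window_seconds
        self.limit = max_connections
        # session id -> timestamps of port-25 flows still inside the window
        self._events = {}

    def _expire(self, now):
        """Drop timestamps outside the window and delete sessions that go empty."""
        for sid in list(self._events):
            q = self._events[sid]
            while q and now - q[0] > self.window:
                q.popleft()
            if not q:
                del self._events[sid]

    def observe(self, session_id, dst_port, now):
        """Record one outbound flow; return True when the session trips the limit.

        Only port-25 flows are counted, and only their timestamps are kept.
        """
        self._expire(now)
        if dst_port != 25:
            return False
        q = self._events.setdefault(session_id, deque())
        q.append(now)
        return len(q) > self.limit

    def retained_sessions(self):
        """Session ids for which any state currently exists."""
        return set(self._events)


def run(detector, flows):
    """Feed (timestamp, session_id, dst_port) flows; return the flagged sessions."""
    flagged = set()
    for ts, sid, port in flows:
        if detector.observe(sid, port, ts):
            flagged.add(sid)
    return flagged


# Constructed flows: "s1" opens 150 SMTP connections in five minutes;
# "s2" browses over 443 and sends five mails over the same period.
FLOWS = [(t, "s1", 25) for t in range(0, 300, 2)]       # 150 SMTP flows
FLOWS += [(t, "s2", 443) for t in range(0, 300, 10)]    # 30 web flows, never stored
FLOWS += [(t, "s2", 25) for t in range(0, 300, 60)]     # 5 SMTP flows, under the limit
FLOWS.sort()

if __name__ == "__main__":
    d = SmtpBurstDetector()
    print("flagged:", run(d, FLOWS))
    print("state still held:", d.retained_sessions())
    d.observe("s3", 443, 2000)      # half an hour later: everything has aged out
    print("state after expiry:", d.retained_sessions())
```

The design choice worth copying is that expiry runs on every observation, not on a cron job: the retained set is bounded by the window at all times, so a request for "everything you have" can only ever return a few minutes of port-25 counters.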
VPN just substitutes an unregulated ISP for a somewhat regulated ISP.
A more helpful rant than the OP provided, would be one that informs you of ways to evaluate the trustworthiness of various VPN providers.
If you are going to attract the attention of governments (PSN and Sony hacks, etc), yes, don't expect a VPN to shield you.
If you're pirating a show that isn't available in your region, or checking up on an old workplace website, etc, a VPN is likely perfectly fine and will save you from legal scare letters, an old employer seeing your visit, etc.
I occasionally have crons from my personal infrastructure running into an employer for operational purposes (offsite monitoring or whatever), so I’ve blackholed outgoing traffic to former employers to be on the safe side in case I miss one. So I can see where that sentiment is coming from, though I think it’s a legal stretch.
Other than TunnelBear, ProtonVPN is run by the ProtonMail folks and is based out of Switzerland, so they would respond to any foreign subpoena with a polite "fuck off."
Switzerland is no longer the bastion of privacy it once was. In fact, it's been nine years since every single Swiss Bank rolled over on their customers to placate the IRS. And it's only been downhill from there since.
p.s. I pay all my taxes and take all the deductions I can.
Iceland seems to be the best country for that. However, there are few services, little competition, and high costs.
Helps with ISP snooping yes, though I expect it to be more expensive (VM and bandwidth in clouds isn’t cheap).
But if you're just doing stuff like P2P to download content illegally, at least in France they only track IPs for the consumer ISPs. Any other IP, especially out of the country, they'll ignore.
So it doesn't matter if they have the logs, for minor things the government agencies or copyright holders will just give up and focus on the easy targets.
In other countries like China there's no question that a VPN is useful. Actually whoever wrote this article seems a bit clueless about why a VPN is useful. They suggest setting up your own on a VPS but doing this in China will get your server blocked right away. That's why a third party is useful since they can offer various IPs in many countries and quickly setup new servers when they get blocked.
Understand VPNs, understand public VPN providers, evaluate the risk for whatever you're trying to do.
When the setup is complete, you end up with some incredibly well-written instructions that make setting up the tools with any OS dead-simple. It's a really fantastic project.
1) Reputation. A well-known, well-reputed provider (Fsecure or protonvpn for example) for most users would not be less trustworthy than their ISP. ISPs can easily get away with injecting malware into your http traffic or selling your data. A security company or VPN provider based in a jurisdiction with strict privacy laws and with well known business owners however has a lot more to lose and a lot less legal fighting power.
2) Threat model - you are already trusting someone (ISP) with not only monitoring your traffic but manipulating it. That should already be part of your threat model. When comparing a VPN provider with your ISP, which potential attacker poses a greater risk? For many users, sadly, it is their ISP.
Last note, most VPN users just want to bypass IP restrictions, they don't care all that much about privacy (although that seems to be changing)
I feel like this sets up a false equivalency. Tapping a VPN provider and tapping an individual's last mile are very different things. Of course it is debatable which one is more secure etc, but the fact remains that they have very different characteristics. I'd say that for almost any single attacker moving the hypothetical tap will not be happening at a push of a button, more likely it will not happen at all.
Yes, VPN providers can track - but they make it harder to track you to third parties, unless they are in collusion with those parties, but for average user the chance this is happening - unless they are on the FBI/NSA radar already - is pretty low.
Yes, third parties can fingerprint and use other techniques to track people. That's not the reason to offer them the most easy and readily available means of tracking on a silver plate.
"Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be."
But is that really true - how do I know that Linode, Bluehost, and other VPS providers aren't looking at my traffic?
which is obviously nonsensical because nobody would ever get any work done this way. A sane way to think about it is to make a judgement whether the business you trust has a solid track record, has market incentive to not screw you over, is transparent, is open source and whether your security demand is proportionate to what you're doing.
The only major hiccup seems to be the mentioned "HideMyAss" case, where a UK citizen was arrested on hacking charges facing 15 years in prison. Yes if you're trying to break into corporations and want to commit serious crimes don't trust a five dollar vpn provider legally registered in the same country.
If you're trying to circumvent censorship or torrent a movie I think a regular VPN might still be an adequate choice
I would assume that it's because they have no financial interest in the content of your traffic, whereas a VPN-specific service might. Most big VPS providers know that the bulk of their customers are technically minded people who read their own logs and monitor their own traffic, so there's no technical interest for them either.
That said, if you end up abusing their terms (higher than allocated traffic or sustained heavy CPU time, for example), you can expect them to investigate if only to see if it's malicious in nature (DoS, spam, etc) or just a bad configuration.
But again, those are just assumptions on my part. If you have any doubt about a particular service, it's probably best to move on to one you can vet/audit.
Well yeah, that was the point of my comment -- it sounds like unsubstantiated opinion.
If you have any doubt about a particular service, it's probably best to move on to one you can vet/audit.
How is that even possible? Assuming you want to connect to the internet, you have to hand off your traffic to some upstream provider that you can't trust.
I guess we should qualify the term. In my mind, that would be a hostile government who sets up a VPN service for the purpose of attracting citizens who wish to avoid their censorship, and then arresting the users.
There are already large, shadowy forces increasingly differentiating traffic. This also includes access at all via a VPN; more and more, I run into web sites that refuse to serve you at all if you hit them with an IP address associated with a VPN.
Or, they put you through rounds of Recaptcha.
At first, it was just the big commercial streamers. Now, it's a lot more.
I principally use a VPN to keep Comcast and Verizon out of my business (there's no need I endorse for them to sniff -- much less inject into -- my traffic).
As archive.is and others and now increasingly even Google block me and make me jump through hoops, I'd been thinking rolling my own was the next step.
I suppose I can switch to business class Internet at home and run a local server, but...
Curated Internet. One not of our choosing...
Data is a liability. Keeping it is assuming responsibility. It is in the provider's best interest to keep the minimum information. If any agency were to ask for data, you can honestly say there is none and be free to continue running your business.
And if you must keep data, keep it encrypted and only decryptable by the customer wherever possible.
Could restriction-avoidance come back to bite you someday via logged behavior? Perhaps, but it sure wouldn't be in the interest of a VPN provider to allow that to happen. Should one lose sleep over appearing to be in the UK in order to stream Eurosport? Tough sell.
"Send all of your traffic through us so that we can keep it private and secure" is absurd on the face of it. I'd like to think many non-technical people can see this, yet want to watch the Olympics on CBC because, more curling!
It's irritating that I have to worry about my ISP, but not irritating enough for me to care. If that changes, I'll spin up a machine on some hosting provider and route traffic through there. It'll suck to have reduced speeds in that case though.
It also stops them from sending me copyright notices which is a verifiable service.
Quoting from this recent news: 
"But Facebook didn’t buy Onavo for its security protections.
Instead, Onavo's VPN allows Facebook to monitor user activity across apps, giving Facebook a big advantage in terms of spotting new trends across the larger mobile ecosystem. For example, Facebook gets an early heads up about apps that are becoming breakout hits; it can tell which are seeing slowing user growth; it sees which apps' new features appear to be resonating with their users, and much more.
This data has already helped Facebook in a number of ways, most notably in its battle with Snapchat. As The WSJ reported last August, Facebook could tell that Instagram's launch of Stories – a Snapchat-like feature – was working to slow Snapchat's user growth, before the company itself even publicly disclosed this fact."
I'd much much much rather take my chances with a VPN provider and still route all of my traffic through any other country other than UK, thank you very much.
My direct ISP is also a vertically integrated global media conglomerate which lobbies for abusive copyright practices, and maintains a large catalog of entertainment IP, which it walls-off from other providers, for the purpose of limiting competition.
My VPN provider may collect data. But they're not fucking evil monopolists.
And the other not-too-delicate point:
MOST of the harm that comes from data collection is not Gillette learning that you have sensitive skin and might benefit from a 7-blade razor.
MOST of the harm comes from LARGE corporate entities aggregating huge datasets from large quantities of people, such that they can draw statistical inferences. There can be a small subset of weirdos - who adblock and vpn. Doesn't matter, because all their neighbors share their data openly. The weirdos who protect themselves are still statistically outed - and even if they aren't the idiot neighbors are exposed to fake news, shitty campaign ads, and they vote, and that affects policy and law which applies to all of us, and that's why we should ALL be using VPN, but that's certainly not going to happen, and if it did, the VPN companies would just sell our data to aggregators anyway.
I would think that setting up https://github.com/trailofbits/algo and getting good at moving around from cloud-provider-of-your-choice VMs wouldn't be a horrible idea.
In the meantime I have an OpenVPN server at home just so I can log into my internal network from everywhere and use it when on public wifi... For the moment it's more than enough for me.
And as always, if you have an APT after you...you have bigger problems than what VPN provider you should use.
This gist is at best a straw man.
The cert. on our NextCloud is a Let's Encrypt job. He was using a laptop provided by a customer (he works there a lot) and they deploy a MitM web proxy that he was perhaps only dimly aware of. I haven't looked too deeply into the laptop config but it looks like either the MitM CA wasn't installed as trusted or the NC client is a bit clever. Now, I'll plump for: screw up in other corp. IT.
So we have a techie ignoring warnings from an app that is designed to share data safely. OK, the customer's IT dept have their policies but I would have hoped that the default from my employee would have been to quietly walk away and uninstall NC from that laptop (he did after a few words.)
There's another benefit of VPN that people don't discuss much: your traffic can be compressed with LZO. This can make an unusably slow connection usable. The applicability to web browsing may be somewhat limited if the sites you use all set up their gzip headers properly, but I think that's a stretch when you're going off major properties, and it will compress all the traffic at the network level regardless of protocol-specific options, so it should help some.
It'd be bad for the NSA, too. I assume they are spying but only rarely act on the data they're slurping. If Amazon loses customers, and the NSA has eyes inside, the NSA loses their eyes.
So would any VPN provider. The incentives are no different, and neither are the opportunities, so recommending one over the other is a bit suspect.
If you're not from the US, you might care about your country's spying way more than about US spying.
But if you want VPN service, why not simply set up your own server? They're cheap. There are hosting services that accept cryptocurrencies if you're into anonymity, and then you can be certain there are no logs (unless the hosting provider logs you, of course).
Then I point out that if it's easy for you to get out, it's easy for others (in the other house) to get in. And by extension anyone who visits their house.
That usually makes them think.
Managed/service VPN makes the hole wider or tighter depending on how trustworthy the manager is.
If you assume the service provider is malicious and DOES log, then why is a VPS provider any better than a VPN provider?
No logging on server side guaranteed. AWS could monitor but I do not think of that as an issue for my use cases.
I believe if supplied an NSL, I would expect the VPN provider to grant the request. But that would be only for those operating in the US.
It is super easy to get a 2 dollar a month shell account and run psybouncer with a list of hosts you can hide behind. At least then I can double proxy cheaper.
I can think of many situations in which I'd prefer a commercial VPN provider to a private one, or even to running meek on a Tor bridge. There are also many situations in which someone else keeping logs is extremely useful :)
"wait -- we don't have to pay to keep/store/rotate/maintain logfiles? and that's a value proposition? yes! pipe them badboys to dev null!"
Just use your DIY VPN (IPsec - strongSwan is very good option, or OpenVPN), don't use any free or untrusted VPN services