Seems like a contradictory message. He just got through telling us how most of the web is now end-to-end encrypted with HTTPS. So why does he need a VPN at the airport? Is he checking his email? I can't imagine that he's using an email service that doesn't use HTTPS. Is he logging into his bank account? I doubt any bank nowadays still uses plain old unencrypted HTTP. Is he watching cat videos on YouTube? Well, even that's encrypted.
Remember, his argument is that VPNs don't provide privacy--so that's not the reason. And this is the section where he's talking about public networks, not about other rationales for VPNs like geolocking or ISP blocking. It weakens the argument of his essay to say that he needs a VPN at the airport or cafe.
But, of course, there is more to it than that. What about the unencrypted connections? DNS access and logging? Ironically these are what people tend to worry the least about but are the most likely to be compromised. A VPN can be very helpful here.
The article brushed across this distinction in a way that I think may have just been confusing to anyone that didn't already understand it. The net effect is that they might see these two pieces of advice as contradictory.
I think other considerations include whether or not the sites that you visit implement HSTS. While many sites do support HTTPS-only logins, several webservices are actually quite vulnerable to software such as SSLstrip, which redirects hijacked users to plaintext HTTP pages whenever feasible.
While many sites implement TLS, several sites don't implement HSTS. I am not sure about the HSTS policies of the top 3000 sites so I will not comment on that.
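The sslstrip/HSTS point above can be made concrete: the downgrade only works when the browser has no HSTS policy for the host, which is exactly the situation on a first visit (or after the policy has lapsed). The following is an added example, not code from the thread; it models a browser's HSTS store (no preload list) and a constructed "bank.example" domain, and all header values are made up for illustration.

```python
"""
Added example: why an sslstrip-style downgrade succeeds before a site's HSTS
policy is cached and fails afterwards. Domains and headers are constructed.
"""
import struct  # unused here; kept out of the parser on purpose
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsEntry:
    expires: float            # unix time at which the policy lapses
    include_subdomains: bool


def parse_hsts(header: str, now: float) -> Optional[HstsEntry]:
    """Parse a Strict-Transport-Security value (RFC 6797). max-age is mandatory;
    a malformed header is ignored, which is what browsers do."""
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return HstsEntry(expires=now + max_age, include_subdomains=include_sub)


class HstsCache:
    """Minimal model of a browser's dynamic HSTS store."""

    def __init__(self) -> None:
        self._store: Dict[str, HstsEntry] = {}

    def observe(self, host: str, headers: Dict[str, str], now: float) -> None:
        """Record the policy carried by a response received over HTTPS.
        `headers` uses lowercase names, as a normalised header map would."""
        value = headers.get("strict-transport-security")
        if value is None:
            return
        entry = parse_hsts(value, now)
        if entry is None:
            return
        if entry.expires <= now:          # max-age=0 removes the policy
            self._store.pop(host.lower(), None)
        else:
            self._store[host.lower()] = entry

    def is_known(self, host: str, now: float) -> bool:
        """True if `host` or a parent domain with includeSubDomains has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._store.get(candidate)
            if entry and entry.expires > now and (i == 0 or entry.include_subdomains):
                return True
        return False


def downgrade_succeeds(cache: HstsCache, url: str, now: float) -> bool:
    """sslstrip rewrites https:// links to http://. The browser follows the
    plaintext link unless HSTS forces it to upgrade internally."""
    if not url.startswith("http://"):
        return False
    host = url[len("http://"):].split("/")[0].split(":")[0]
    return not cache.is_known(host, now)
```

Run it once with an empty cache and once after a response carrying `max-age=31536000; includeSubDomains`: the first visit is strippable, the later ones (including subdomains) are not, and after the year elapses the host is strippable again. That lapse, and the first-visit window, is the gap the HSTS preload list exists to close.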
Because the airport made a shitty choice in designing its wifi, and people who connect to such networks are making shitty choices.
HTTPS is nothing more than a content protocol wrapped in a transport encryption layer used for a subset of your overall traffic.
When you connect to an open wifi network your device is literally screaming 1s and 0s into the air like a maniac. A subset of these 1s and 0s are the things you're actively telling the computer to do. Most of this stuff is things like ARP, Name resolution services and other stuff that isn't encrypted for perfectly understandable reasons.
Instead, when connecting to an open airport wifi network, a personal decision is made that the connectivity is more important than encryption. Airport wifi connections could and should be encrypted with AP client isolation, but they aren't.
This hasn't been possible until WPA3, which has barely started rolling out.
Take the example that you are connecting to an SSID named "Airport_Guest_WiFi". In the case of OWE you simply connect and now everything between you and "Airport_Guest_WiFi" is encrypted. In the case of PSK with SAE you connect to "Airport_Guest_WiFi" and exchange information to generate secret keys only you two know. The problem in either scenario is you've just set up encryption, not trust. How do you know the "Airport_Guest_WiFi" you connected to was the airport's or the attacker's?
WPA3 Enterprise solves this issue somewhat but is not realistic to deploy for temporary guest networks.
I argued ever since I heard OWE was going into draft that it should have some optional mode for PKI validation. E.g. if you connect to the SSID "guestwifi.airport.com." and the airport signed the hello with the cert for that domain, then the client could validate that against its root stores and have the same level of identity trust it does when connecting to usersbank.com. Clients need not be forced to validate it, but at least it gives a realistic option for connecting to such networks.
Make the password widely-known. Announce it over the intercom. Post it on the walls.
Offer both encrypted and non-encrypted SSIDs. The non-encrypted SSID could even just be a captive portal with instructions to connect to the encrypted SSID.
If you're feeling wild, use WPA2 Enterprise, and accept any credentials.
Because the Internet is more than the stuff that lives on port 443?
What does the author do about UDP packets?
It’s interesting that you mention email. SMTP can use TLS of course but I know of plenty of POP3 email providers that still send unencrypted and even if it were, it’s not using HTTPS.
What about DNS requests too? Those are still often sent in cleartext.
Even with actual HTTPS with a browser, the domain itself is visible.
In short - the Internet is not just the web.
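The two cleartext leaks named just above (the DNS query and the TLS SNI) are easy to see on the wire. The following is an added example, not code from the thread: it builds a constructed DNS query and a constructed TLS ClientHello for a made-up host, then extracts the name from each the way a passive observer on the same network would. The packet builders exist only to produce sample input; nothing here touches a network.

```python
"""
Added example: what an on-path observer learns from HTTPS traffic without
breaking TLS. All packets below are constructed in-process.
"""
import struct
from typing import List, Optional, Tuple


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a standard A query with the RD bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE A, IN


def extract_dns_qname(msg: bytes) -> Optional[str]:
    """Read the first question name from a DNS message (no compression expected)."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] == 0:
        return None
    i, labels = 12, []
    while i < len(msg):
        n = msg[i]
        i += 1
        if n == 0:
            break
        if n & 0xC0:                       # pointer: not valid in a question name
            return None
        labels.append(msg[i:i + n].decode("ascii"))
        i += n
    return ".".join(labels) if labels else None


def build_client_hello(hostname: str) -> bytes:
    """Constructed sample: minimal TLS ClientHello carrying an SNI extension.
    The random is zeroed and one cipher suite is listed, which is enough for parsing."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type
    sni_ext = struct.pack("!HH", 0x0000, len(sni_entry) + 2) + struct.pack("!H", len(sni_entry)) + sni_entry
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"       # supported_versions
    exts = other_ext + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite
            + b"\x01\x00"                               # null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a TLS record to the ClientHello extensions and return the SNI host name."""
    if len(record) < 5 or record[0] != 0x16:
        return None                                     # not a handshake record
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        return None                                     # not a ClientHello
    p = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    i = 34                                              # version + random
    i += 1 + p[i]                                       # session_id
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]         # cipher_suites
    i += 1 + p[i]                                       # compression_methods
    if i + 2 > len(p):
        return None                                     # no extensions at all
    end = i + 2 + struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        data = p[i + 4:i + 4 + elen]
        i += 4 + elen
        if etype == 0x0000:
            j = 2                                       # skip server_name_list length
            while j + 3 <= len(data):
                ntype, nlen = data[j], struct.unpack("!H", data[j + 1:j + 3])[0]
                j += 3
                if ntype == 0:
                    return data[j:j + nlen].decode("ascii")
                j += nlen
    return None


def what_the_observer_sees(packets: List[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Given (protocol, payload) pairs, list the host names visible in cleartext."""
    seen = []
    for proto, payload in packets:
        name = extract_dns_qname(payload) if proto == "udp/53" else (
            extract_sni(payload) if proto == "tcp/443" else None)
        if name:
            seen.append(("dns" if proto == "udp/53" else "sni", name))
    return seen
```

Feeding one DNS lookup and one TLS handshake for the same constructed host through `what_the_observer_sees` yields the host name twice, once from each protocol. Encrypted DNS and Encrypted ClientHello each close one of the two leaks; a VPN moves both of them from the local network to the VPN provider's network.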
> Networks like these make it easy for attackers to get a copy of your network data, and if you send something unencrypted, the results can be quite harmful.
The web should be ideally end-to-end encrypted with HTTPS. But in case this assumption breaks down, VPN gives an additional headroom for security. Not much (as explained in the article, and thus should not be advertised so), but still useful.
No. People designing public access networks should use encryption and AP client isolation.
What percentage of (typically rushed) people at an airport will notice that a website is loading over http instead of https? SSLsplit is pretty useful.
For literally years I've been telling people that a VPN run by a third party does not enhance privacy or security, but because the consensus is "VPN = secure" it's a losing battle, and I sound like a tinfoil-hat-wearing loon.
Most VPN services are not designed to provide privacy or security, and if you have a subscription to one, that's probably not the reason you bought it either. They're designed to provide the minimal amount of traffic hiding required to allow you to pirate TV/movies/video games without getting in trouble or hitting blocked URLs. And it works, or you wouldn't still have the subscription.
Now, as both the buyer and the seller need a non-shady cover story, they describe hiding your suspect downloads as "security and privacy" - it's not utterly inaccurate, but it implies far more than what's happening.
The problem with the narrative is that it makes laypeople think they are "more secure" when using a VPN, when in reality, the opposite is true.
As an example, when I perform a Google search, my traffic is encrypted over SSL, so my ISP can't see that. My ISP can see the domain name of the result I click, and a VPN would mask that from them. But now a new third party (the VPN provider) can see that instead. This makes sense if you're downloading pirated media (as the VPN service doesn't care), but the buyer is in effect trading:
1) An ISP, which is in most western countries heavily regulated, with legal commitments to auditing and your privacy (just not from law enforcement).
2) Some computer somewhere that is run by an utterly unregulated company or individual that may or may not know how to configure OpenVPN correctly and that you don't know anything about, other than they run a shady business based on allowing you to download pirate files on the internet. Also they're not at all regulated or audited, and may not even be in a jurisdiction that requires them to protect your data at all.
Given this trade-off, trusting a VPN to do a better job of protecting your privacy than an ISP seems like madness to me, given that they could easily sell on whatever information they have on you and there's nothing you can do about it (and you'd likely never find out). It may not even be a crime depending on where they're located.
There's arguments for VPN in preference to unsecured Wi-Fi, but in reality, how often is that an issue? How many scenarios are there where you can't use mobile data instead? (And even where/when you can't, you still have all the downsides above which may or may not be better).
Most VPN's raison d'être is providing privacy. If it's publicly known that they don't then that kills their business.
An ISP is tasked with connecting prior to the internet, they don't make claims about privacy, they can reveal information about clients without necessarily putting anyone off, most of the clients for large ISPs have probably never heard of a VPN.
If a VPN wanted to they could get audits by pen-testers to warrant their ability to provide secrecy.
A VPN provider that's been around a while and claims to offer a high level of privacy probably does.
>My ISP can see the domain name of the result I click, and a VPN would mask that from them. //
There was a paper a little while ago, they directly identified pages by mitm-ing HTTPS by using meta-data (page size alone IIRC). Success was something like 80%.
Link please. I don't doubt what you're saying, I'm just really interested in reading more about this.
>We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation. //
A vpn is not a cure-all. It is only as private as you're willing to make it. If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time. What you do is absolutely a part of your advertising/tracking profile.
Payment information - some prefer to use cryptocurrency, which in their minds, is private. Again, once metadata connects you, there's no denying that that's you.
A third party consultant takes your payment? Maybe. Especially if you've got some anonymizing layer to your credit card info that has earned a similar trust. This will of course add to the cost of the transaction.
Even the way you type can connect you. Sufficient amounts of text - such as this reply - are usually enough.
This is probably not going to work with public vpn services because many users share one server, and the server you use changes every connection. Thus facebook can’t really correlate your torrent traffic with your session because it could be anyone else on that server.
Not really. There's not a single documented case of a major VPN user ever receiving a copyright infringement notice. Despite the fact that millions use this exact same use case.
In security it's always important to understand the threat model. If I know I'm being personally targeted by Mossad, that's a very different story than if I'm trying to avoid getting identified in a mass copyright notice from the MPAA.
Facebook would never ever ever in a million years voluntarily give the MPAA unrestricted root access to their IP level user tracking data. If they tried to subpoena it, Facebook can afford much much better lawyers than Warner Brothers.
And I guarantee that at least in the American judicial system, any judge is going to be extremely skeptical against such a sweeping request.
Exactly, and it's usually a cookie or some sort of persistent storage. I use a VPN, but I use it at the router level. https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...
I know my ISP logs my metadata (by law), whereas I trust that my VPN provider does not.
Essentially VLAN2 all traffic is routed direct to my ISP, and VLAN3 all traffic is routed to VPN. My machine normally sits in VLAN3. I make sure not to log into anything social media related or tied to my real identity.
If I need to do banking, Facebook or something like that I'll use a device in VLAN2 (a separate computer).
All phones and devices like that are broadcasting information anyway so those are in VLAN2 as well, unless they are devices with LineageOS and no Google Apps.
> A vpn is not a cure-all. It is only as private as you're willing to make it. If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time. What you do is absolutely a part of your advertising/tracking profile.
See in this scenario I would have a system in VLAN3 that I use for my downloading, and another computer in VLAN2 that is used for the facebooking. I use a hardened browser with https://github.com/ghacksuserjs/ghacks-user.js that hardens the browser and helps against fingerprinting.
I also use a number of addons, for various purposes
That requires hardening. Currently I use
* CleanURLs https://addons.mozilla.org/addon/clearurls/ (remove UTM and parameter tracking)
* CSS Exfil Protection https://addons.mozilla.org/addon/css-exfil-protection/
* Decentraleyes https://addons.mozilla.org/addon/decentraleyes/ (prevent tracking via CDN)
* Firefox Multi-Account Containers https://addons.mozilla.org/addon/multi-account-containers/ (used for sites to keep me logged in)
* HTTPS Everywhere https://addons.mozilla.org/addon/https-everywhere/
* Redirect AMP to HTML https://addons.mozilla.org/addon/amp2html/ (no to AMP)
* Temporary Containers https://addons.mozilla.org/addon/temporary-containers/ (Prevents tracking via ETags and other things like IndexedDB)
* uBlock Origin https://addons.mozilla.org/addon/ublock-origin/ (block adverts)
* CanvasBlocker https://addons.mozilla.org/en-US/firefox/addon/canvasblocker...
* Cookie AutoDelete https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...
and I block cookies by default using uMatrix.
Thanks for pointing out CSS Exfil Protection. I hadn't seen that one yet.
Edit: I also recently switched to NoHTTP instead of HTTPS-Everywhere. This way I have to explicitly allow any non-HTTPS connections.
> * CanvasBlocker https://addons.mozilla.org/en-US/firefox/addon/canvasblocker....
A lot of people recommend that, but you don't need it if you're using ghacks-user.js. The reason is because of privacy.resistFingerprinting.
> * Cookie AutoDelete https://addons.mozilla.org/en-US/firefox/addon/cookie-autode....
> and I block cookies by default using uMatrix.
I use CookieAutodelete on my mobile because unfortunately the container API isn't available on the Android version of Firefox.
The reason I don't use it on my desktop is because there are certain types of things that cannot be cleared.
> APIs do not exist to allow clearing IndexedDB, Service Workers cache, appCache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy.
> Edit: I also recently switched to NoHTTP instead of HTTPS-Everywhere. This way I have to explicitly allow any non-HTTPS connections.
I might have to check that out.
But what world are we living in that one needs a specific browser with 10+ addons and tweaks to have some amount of basic privacy. Lunacy!
The setup is aimed to minimize duplication.
> But what world are we living in that one needs a specific browser with 10+ addons and tweaks to have some amount of basic privacy. Lunacy!
Yes, I wish it was like the 90s. Unfortunately the advertising/tracking industry is insidious and could not care about user experience.
a) Your ISP is almost always in the same legal jurisdiction as you are. A VPN need not be.
b) A VPN has some incentive to deliver on privacy. Your ISP does not.
It's fair to call out that a VPN isn't perfect for either privacy or anonymity. But it clearly can be better than your ISP.
They are by law in the tinpot jurisdiction I live in, required to retain all "meta data" about my internet connection, and provide it to "law enforcement" which has turned out to include not just terrorist and serious drug crime divisions of the police, but also local council garbage services and the taxi commission.
All I need from a VPN service is for it to be slightly more difficult to request all the data invading my privacy than the mandatory legal disclosure of it that I'm subject to anyway. Anything beyond time-zone slowness and paperwork incompetence is just a bonus. I prefer VPN providers based in France or Finland or Iceland - on the perhaps vaguely over reliant on bad stereotypes theory that they'll put English language requests at the bottom of the pile, and that the Sydney Taxi Commission won't have an Icelandic speaker on hand to ask them for my internet date records...
Even if they keep all traffic logs, and even if they happily turn it over without a fight to anyone who can fake a plausible looking LEO email address from Australia, I'm still ahead in at least some important ways privacy-wise over not running a VPN at all... If they really don't keep logs, or really will push back against LEO requests without proper warrants, even better. But not doing that doesn't make them useless...
There's no barrier like international bureaucracy and language barriers. Good luck navigating the courts of 3 countries within the time period that any logs might have to be saved for at the last hop.
Also this censoring is poorly executed by some ISPs via simple DNS hijacking. As a result your connection is slow and with terrible jitter.
As for the proverbial airport/cafe WiFi - using a VPN is not about not being tracked - it is about blocking easy access to your laptop's filesystem by an attacker on the same network.
Also if you do not trust commercial VPN provider just set up your own.
So, Windows with (default?) settings?
Regarding this point, I think a good strategy here is to acknowledge that ISPs, like most organizations, don’t want to add to their workloads. Of course they aren’t privacy centric, but appeals to them oriented around _not_ having to store a bunch of logs or set up a bunch of processes can help to unite more people around initiatives to make things better for everyone
If everyone has the same ideals then it’s easy to team up. But even if everyone has different ideals, you might all still be wanting 90% of the same result and can still team up!
ISPs can't be blindly trusted. I switched ISPs lately because my previous one started offering personalised TV-ads. This is a very scary topic and in Belgium it has already led to some fishy things:
Nice quote with regards to personalised tv-ads:
"There will also be an even more far-reaching version in which browsing behaviour will also lead to targeted TV ads. It monitors which types of websites are frequently visited within a household, in order to discern interest patterns that could be lucrative for advertisers."
Add this to the many cases where ISPs have fought for being allowed to use deep packet inspection to monitor what we do and you start to see that ISPs in fact think they have a right to collect and sell our data. Am I not already paying for internet and TV?
What's strange is that Belgium, in the post-GDPR world, has businesses with regressive behaviour wrt user profiling. What gives?
It has to be clearly stated in the signed contract that your data will be shared with third parties, in what way and how they will be processed. The company involved would definitely lose any Privacy Shield provisions for the EU and potentially peering rights.
Losing enough peering is identical to being disconnected.
Class suit of this kind is easy.
If you make them put it in the contract, sure: "We'll share it with all these ad agencies for the purposes of targeting." That doesn't help me at all!
The most valuable companies in the world trade in identity. They spend billions trying to figure out who you are. ISPs have it served on a silver platter, and there is generally little ISP choice. If ISPs haven't written it in contracts already, there must be a political reason for it, otherwise they doubtlessly would. Anyone know what the societal contract with ISPs is?
Most of them are registered in five eyes countries, or twelve eyes. If they have anything in the US even if its just a single server they will claim jurisdiction over the lot.
There are too many agreements and loopholes to rely on the whole jurisdiction thing. Unless you use a 100% Estonia VPN company and server with no other locations you are not safe, and even then it's not enough. 5 years ago Sweden was the safest country for privacy, things change.
> A VPN has some incentive to deliver on privacy. Your ISP does not.
While they generally don't, an ISP can give you better privacy than a VPN: no worries about DNS leaks, they can route everyone through a low latency mixer etc.
I would rather pay an extra £20 a month to my ISP for real privacy than pay a VPN £5 a month for fake peace of mind.
In my circle, VPN use starts to be requested by non-technical users that just want to minimize their digital footprint.
Seems amazing to me, since people spend $200+ on a service for a year, so it seems rather important to them.
No reason not to use globalization to your own advantage.
At least the NSA has a purported requirement not to do domestic spying, even if Snowden proved that's not being followed.
As for "no domestic spying", I thought the five-eyes group spied on each other to order so as to circumvent those requirements in domestic law??
Users trusted PureVPN claims for protecting their privacy but all it took was an FBI investigation and through court documents to find out that they actually were keeping logs, despite all their claims.
>Just because they claim that they protect your privacy that's just a blind faith.
Even if this is the case, it does not make your previous statement true
It's true that VPN services at best provide less anonymity than Tor does. And that some, such as HideMyAss (which pwned that LulzSec dude) provide none. But PIA clearly does, as demonstrated now in two criminal investigations.
Of course, in both cases, defendants pwned themselves through poor OPSEC. But at least PIA didn't give them up.
And the Facebook example. Nobody paying attention expects a VPN service (or even Tor) to hide their identity if they login using their real name. That's just stupid.
A lot of users care about privacy, but have no idea how computer networking works. It's hard for these users to understand whether they're private or not. If you don't believe me, check out the tech support and recommendations over at old.reddit.com/r/vpn -- there's clearly a lack of knowledge about VPNs and computer networking. Probably once a week, someone will ask "How did [paid video streaming service] know I was using a VPN?" Or "X country can only spy on me if I have a VPN in that country, right?"
No VPN service has my "payment info". Or at least, not any meaningful payment info. As you say, I use email accounts created through Tor, and pay with Bitcoin that's been mixed at least three times through Tor, using a different Whonix instance and a different mixer for each mix.
The FBI having access to an NSA-provided tool that takes some IP addresses and returns other "associated" IP addresses (from trivial packet correlation on PIA's upstream) would produce a pattern of investigation that essentially looks the same.
If your threat model includes the NSA or the like, VPN services are at best a minor hindrance. Possible options include Tor and "anonymously" using WiFi hotspots.
I only know of one fundamental fail for Tor: the relay-early bug that CMU exploited. The others have involved Firefox and Windows bugs. People using Whonix in Linux hosts, and hitting Tor through nested VPN chains, would have been safe from any attack that I've heard of. But then, maybe I just haven't heard of the juicy ones.
I've tried the "anonymously using WiFi hotspots" approach. It's a pain in the ass. And in today's high-surveillance environment, I believe that it's a dumb idea.
It's true that VPN leakage is a serious risk. But you can use firewall rules to prevent DNS and traffic leaks. Or you can use VPN services whose client apps do that for you.
Also, I'm talking about desktop use. Doing any of this on mobile devices is a lot harder, I think. I'm not sure that I'd even bother.
And yeah in regards to criminal activity, I think it would be prudent to consider the NSA, specifically bulk processing of dragnet surveillance, part of the threat model in the modern age. It's very easy for the public narrative to focus on a guilt-implying needle in a haystack, regardless of how that needle was actually found.
I thought most folks believe that the NSA/CIA/some other TLA has control of more than 50% of the exit nodes, which should be enough to reconstruct the sources of most traffic.
And it's no accident. Tor was designed that way.
Security wise, we really need to be moving away from this instantaneous-datagram model.
The article makes some valid points but overstates the case. I continue to be happier with trusting my VPN providers than any of the ISPs available to me.
This is false. ISPs do not disclose your personal information for copyright complaints.
Industry, Science and Economic Development Canada explicitly states that subscriber information is only disclosed "if ordered to do so by a court ... as part of a copyright infringement lawsuit."
Copyright infringement suits are known to have happened, but they are rare because the limit for non-commercial infringement is $5,000, which is generally not worth pursuing through the courts.
The “Notice and Notice” regime legally requires the ISP to pass along a notice from a copyright holder that believes your IP infringed their copyright by uploading their material. It does not permit the ISP to give subscriber information to the copyright holder directly unless ordered to do so by a court.
Here’s Michael Geist, Canadian lawyer, explaining the system and recent developments regarding ISPs seeking to make such information disclosures more difficult for copyright holders, not less
> My Globe and Mail op-ed notes that the Canadian system for online infringement was formally established in 2012 and came into effect in 2015. The so-called “notice-and-notice” approach grants rights holders the ability to send notifications of alleged infringement to Internet providers, who are required by law to forward the notices to the relevant subscriber and to preserve the data in the event of future legal action. The system does not prevent rights holders from pursuing additional legal remedies, but Internet providers cannot reveal the identity of their subscribers without a court order.
> While the system has proven helpful in educating users on the boundaries of copyright, some rights holders have used it as a launching pad for further lawsuits. In fact, thousands of lawsuits have now been filed, with rights holders seeking to piggyback on the notice-and-notice system by obtaining the necessary subscriber information directly from Internet providers at no further cost.
> The question of costs lies at the heart of an important Supreme Court of Canada copyright ruling released on Friday. Voltage Pictures sought subscriber information from Rogers Communications for the purposes of pursuing individual lawsuits. When Rogers advised that it wanted compensation of $100 per hour for the costs associated with fulfilling the request, Voltage responded that Internet providers could not pass along their costs since the notice-and-notice system already required them to identify subscribers and preserve the data without compensation.
> The particular incident may have involved only a few hundred dollars, but the broader principle had the potential to dramatically alter the Canadian approach. If Internet providers were required to disclose subscriber information without passing along the costs, Canadian courts faced the prospect of an avalanche of lawsuits and Internet providers might be dissuaded from carefully ensuring that the privacy of their subscribers was properly protected.
> The Supreme Court understood the broader implications of the case, ruling that Internet providers can pass along the specific costs associated with subscriber disclosures beyond those required for the notice-and-notice system. Indeed, the court recognized the importance of accurate data to safeguard against reputational harm and wrongful lawsuits.
With honest VPNs, court orders won't yield anything.
The point of my post was not about this particular legal issue but about the general fact that ISP choice being largely limited by physical location means that it is easier to choose VPN providers that have interests more aligned with mine than ISPs. Whether ISPs are forwarding threatening letters from copyright holders or giving them contact information directly is not particularly germane to this point.
- Regarding user identification, rolling my IP address is trivial with a VPN. Less so on my static IP.
- The Facebook example without cookie deletion is a low-effort Straw Man
- I reject the leap that "we have figured out that they [VPNs] do not add much to your online privacy". In the very narrow terms defined, yes of course, but either the author has willfully missed out why people use them, or doesn't understand why.
I did enjoy this note though: "Somehow, VPNs have turned them not failing to do their job into something they can market as a special feature."; I think there's some truth to that.
I tunnel my traffic over a VPN to avoid my ISP building a profile on me. I change my IP every-so-often to mess with trackers at large. I accept that browser fingerprinting is probably thwarting my overall effort somewhat, but I'm reducing the vectors that I can. I firmly believe that VPN companies are capitalising on fear but I respect the hustle. I don't think any of those points are particularly niche (niche subject notwithstanding!) so I find it interesting to see this take on it. Perhaps this isn't an article representative of the position of the wider HN crowd?
In ~100% of cases, you're safer SSH-tunneling your traffic to a cheap server at a cloud hosting provider.
What do you believe this profile is made of? I don't mean this sarcastically. Facebook or Equifax's profile of you must be very complete and contextual.
But, your ISP has:
- The domains you visited, but not the specific URLs (via SSL & certificate names)
- The domains you visited, but not the specific URLs (via DNS)
- The IPs you visited.
- The ports of those IPs.
- Any unencrypted traffic, which as noted, is pretty rare these days.
Do you believe that with this information your ISP can build a very meaningful profile? It seems to me that the profile which Amazon, Facebook, and a Bank, (VPN or not) can build is far more damaging. (and, I admit that just because you can't prevent the worse profiling, it doesn't mean you shouldn't mitigate what you can.)
I promise, I don't mean any of this in a negative way. I'm somewhat in your boat -- I tried to do a lot for privacy via blocking and other mitigations, but I often wonder: do Amazon and Gmail effectively defeat my efforts?
> * Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA
> * Does not install Tor, OpenVPN, or other risky servers
> * Does not depend on the security of TLS
> * Does not require client software on most platforms
> * Does not claim to provide anonymity or censorship avoidance
> * Does not claim to protect you from the FSB, MSS, DGSE, or FSM
It's incredible how quickly services that massively centralize bulk consumer web traffic were normalized. This is not ok. Further, most of these services are located in "exotic" locales with uncertain legal protections, anonymous or pseudo-anonymous owners, and make barely enough revenue to hire more than 3 or 4 staff members to maintain and secure their own infrastructure. This whole industry is a slow motion disaster.
What do you mean by "risky servers" here? I run OpenVPN on a few servers, is there something I should know?
> Why aren't you using OpenVPN?
> OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update and maintain the software themselves. OpenVPN depends on the security of TLS, both the protocol and its implementations, and we simply trust the server less due to past security incidents.
It shouldn't be too bad if you keep your server and clients updated, though (depending on your threat model).
For FSM the best I can do is the Flying Spaghetti Monster, nothing else here makes sense:
FSB - Federal Security Service, Russia
MSS - Ministry of State Security, China
DGSE - General Directorate for External Security, France
FSM - Federated States of Micronesia National Police would be my best guess. They do dignitary protection and counter-narcotics, so I would assume they have at least some intelligence function.
I presume OP meant FSM as in Flying Spaghetti Monster as a stand-in for any organization that might wish to spy on you with its noodly appendages.
PIA has told the feds in the US to fuck off multiple times when asked for logs. You can't provide what you don't have, and lying to the feds is a fast track to PMITA prison (PIA is based in the US). I feel pretty confident they're not risking prison to cover for Joe Blow subscriber. Other "no log" providers have been caught with logs, though.
I do agree with the overall message about VPN advertising. It's presented as a panacea when it's really a single step you can take.
But in any case, I don't count on nested VPN chains for serious anonymity. Mostly I use them to avoid hassle from torrenting. And conversely, torrenting provides cover traffic, and as well a plausible reason for using VPN services.
But mostly I use nested VPN chains to hide Tor use from local observers. Because Tor usage is far less common than VPN usage, and so far more of a red flag for increased surveillance.
There is no legislation in the US that can be used to do this. Some very misguided companies may voluntarily log, but those that care about privacy or, at the least, realize that holding people's data is a liability, won't make poor decisions like that.
Less extreme, Lavabit was hit in court. Lavabit said giving their private key to the government would expose all their users' data. They said it would be bad for their business. The FBI countered that there would be no damage if nobody knew they did that. So, they just wouldn't tell anyone what the judge had ordered. Judge went along with that idea. So, that's how legislation and liability in the U.S. works. Especially when there's secrecy orders.
Pro tip: don't host anything that's supposed to be private in the U.S. It's a surveillance/police state slash plutocracy disguised as a democracy. Anything that might be private can be ordered to not be private secretly with immunity.
They certainly can, and will, go after any company they want to, without referencing any specific US legislation.
I repeat, after having evaluated this quite deeply, that there are no mandatory data retention laws in the US, period, for ISPs and VPNs. This is in contrast to quite a few jurisdictions, and the poor actions taken by ISPs and VPNs in said areas seem to speak louder than words.
That being said, I can relate to the author. Trusting a random service without any reason to trust is definitely blind. However, trust can be earned, over time, and validated, but should never be absolute. Trust is earned, daily, forever.
That being said, at the end of the day, the best bet is to remove trust from the equation - to get closer to a zero knowledge state, thus creating zero trust.
We're working toward that, every single day, and I would love to hear from anyone that's interested in helping or has thoughts.
They could require this in several ways. They could store the data directly on government servers, or set up a third party server and store the data on there, where both parties could access it. Either way, there is no technical reason the data can NOT be collected, so if the big boys want it, they will get it.
Until I see something to convince me otherwise, I assume any sizable organization that is operating within the United States shares any/all data requested. No loophole will protect them. If they don't collect the data, guess what, time to start collecting.
That's a bit like moving from Phoenix to Pyongyang to escape the unconscionable oppression of your local HOA.
We've actually seen this in action throughout the West, including but not limited to the US, recently, so it's not merely a theoretical concern. We are no longer in a world where you need to be personally important to be a target of foreign nation-state information gathering and targeting, because the same factors that make that scale for private actors and your home government make it scale for foreign governments that may potentially be opposed to or wish to influence your home government.
It's really very simple. The VM host that I'm using connects to a mainstream VPN service, which is quite popular for torrenting and such, using a server in the EU. Through that VPN tunnel, I connect with a different VPN service, which operates in someplace like Russia.
Then, through that tunnel, I connect with a third VPN service, which operates in some ~neutral country. And so on, until I'm satisfied, or the latency blows up. I'm happy with 0.5-1 second, for whatever that's worth.
After the third VPN or so, I typically connect with the Tor network. And if I'm really feeling paranoid, I add some hidden service VPS proxies, just for fun. Or a homage to Kevin Mitnick, if you like.
Not if they aren't in the US, hence why so many people choose non-US VPNs.
White collar criminals typically go to Club Fed, though.
What the ISP doesn't collect or process, cannot be had as historical data for court cases for example. Albeit the GDPR exemption is pretty open for "required to provide service" data processing.
Wiretapping is a separate matter.
Most importantly, any third party data processing and sale has to be clearly outlined including purpose.
- as an ISP, you're required to retain data for a year that would let LEAs map an IP address you manage to a subscriber. If you're giving out public IP addresses to your customers, this can be just an excerpt from your IPAM.
- as an ISP, you cannot give out this data without a court order, and you will be in violation of data protection laws if you do so.
Source: the Warsaw Hackerspace is an ISP.
I subscribed to a small VPN service 5 years ago for one reason: I needed a static IP address for work, but my ISP at the time wasn't selling them to private individuals (freelance).
And I couldn't be happier! Wherever I go I don't have any issues with access to my resources or worries that local government will fine me for watching porn (check out UAE or Saudi laws).
Hell, even Skype is blocked by a lot of telecoms around the world since you don't pay roaming fees when calling through it. How ridiculous is that? On VPN it worked every time.
HTTPS is great, but it is by no means private enough. ISP knows which service you are requesting, they can do SSL inspection and all kinds of shady bullshit without your consent. With VPN they only see that I talk to 1 IP address somewhere in Netherlands and that is it!
Maybe you misread? I think he was saying the reverse.
The article touches on the OpenVPN protocol, "commercial" VPN providers (ExpressVPN in the screencap), but just glosses over the availability of better protocols, good providers, useful browser extensions, and democratized DNS encryption.
A combination of a WireGuard VPN provider (Mullvad comes to mind), using only the Firefox browser with a few extensions (such as Multi-Account Containers, HTTPS Everywhere, Privacy Badger, Decentraleyes, etc.), and using DNS over HTTPS (can be enabled in FF as well) will solve most of the problems the article posits. Running AdGuard as a local DNS server with upstream DoH is also something relatively easy to do.
Sure, overall security posture calls for a bit more but a good [VPN + DoH + FF + AdBlocking] setup should be the norm and not the exception; and will definitely pay off dividends rather than just letting a green padlock give users peace of mind.
I'll actually write a how-to on this, since I don't want to seem like I'm just mentioning a solution without actually providing the steps to get there.
Find me a major ISP that publicly claims they don't log any data.
Anyone making a claim remotely similar to those made in https://torrentfreak.com/which-vpn-services-keep-you-anonymo...
If it was the norm for ISPs to claim this, maybe this argument would work. For now, we have many documented cases of ISPs selling your information, and they don't even try to claim that they don't keep logs, while many major VPN services (see link above) explicitly claim to never store logs.
Oh, and btw, here in Europe, it is actually illegal for ISPs to give connection data away for non-law-enforcement purposes. It's sad that there are some US-American ISPs that have a record of selling some information, but the world does not revolve around the USA.
Other fatal flaws in that section, fwiw
>Starting with the obvious, if you pay for a VPN service, they have to keep your user account and associated payment information and your payment history. So, unless you are using a fake identity and an anonymous credit card (is that even possible these days?), your VPN account will be linked to your actual identity.
Plenty of VPNs accept bitcoin, and prepaid anonymous debit cards are widely available.
>Most VPNs limit the number of devices that can be connected at the same time. For that to work, well, they have to store a piece of information stating which device is connected, and what VPN account it is associated with. They have to associate your VPN session with your VPN account, as counting the number of sessions per account would be impossible otherwise.
This is addressed in the link above. Besides, it's possible to limit simultaneous connections without storing anything to disk.
>What's your point here, exactly? Because my point was you have to trust either party.
The difference is that no major ISPs are claiming not to log.
> In December 2013 the site was used to launder a part of the 96,000 BTC from the robbery of Sheep Marketplace.
> In February 2015, a total of 7,170 bitcoin was stolen from the Chinese exchange Bter.com and traced back to cryptocurrency-tumblers like Bitcoin Fog.
That's true. And so some of us go out of our way to name names. For example:
EarthVPN - user compromised by datacenter logs
HMA - retained logs, and provided them under UK court order
Proxy.sh - outed someone voluntarily, because they didn't like something he did
PureVPN - retained logs, and shared them with investigators
> Because my point was you have to trust either party.
That's true. Except when it isn't. If you use nested VPN chains, you don't need to trust any of the individual VPNs. It's not as anonymous as Tor, because it's static, and far less complicated to compromise. But it's at least 10x faster. And you can hit Tor through them, which protects you from evil entry guards.
I don't just mean law enforcement, though that's probably a problem too, (though I have less experience with that one) I'm also talking about the normal abuse an ISP gets. Spammers, etc... From experience, your upstream will shut you down if your customers aren't well behaved.
Why couldn't you have a flagging system in real-time that shuts down accounts but doesn't save the data to disk?
That's what I described with the deep packet inspection. You could hook up an IDS and block users based on the IDS output, but like I said, the sort of people who like no log VPNs will not like that. At one point I set that up at my VPS company a long time ago, (of course, I was very up front about it and told my customers, and I was surprised that customers were really, really angry about it, so I took it down within a day or two. Sorry guys, I mean, I should have stuck with the traditional route of only examining packet headers.)
If you act in the usual way for an ISP and only examine packet headers, then you will need to react to complaints about your users. Those complaints can roll in up to a week after the abuse happened.
I could believe a VPN service that said it kept logs for a week. That seems possible. (of course, there's still the legal issues, but I personally haven't seen those, while I have been almost disconnected by my upstream for customer abuse before)
It gets worse, too, if I use shared IP addresses. So, the way my VPS company was set up, everyone had a static IP. And that was really pretty easy; an abuse report comes in saying that a certain IP did something at a certain time. As all my customers had their own IPs, all I had to do was make sure the IP hadn't been moved to a different customer recently, and I knew who to go after. Aside from that ill considered day-long experiment with the IDS, I didn't do any network logging at all outside of total packet/byte counts (outside of troubleshooting) because I didn't really have to in order to go after abuse. I knew what IP was owned by who.
But, in a shared-IP system? This is way worse. All your users are behind a NAT, right? So you get that same abuse complaint a few days after a thing happened saying that IP X did this thing at time Y to target IP Z. Well, all your customers are coming out of IP X, so that doesn't help you. In a NAT system, to manage abuse complaints without deep packet inspection, you need to log the headers from every connection. User X connected to IP Y on port Z, etc... It's the only way to trace back the abuse to the customer.
(Things get dramatically easier if every customer has its own IP; then you just need to record who had what IP when. I don't know how many "no log" VPNs use NAT vs giving each active user their own IP. Of course, things get even easier with IPv6)
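The two attribution cases the comment above contrasts, as an added example that is not code from the thread: with one public IP per customer an abuse report is answered from the IP assignment history alone, while behind a shared-IP NAT it can only be answered from per-connection translation records that are retained at least as long as the complaint lag (a week here, matching the "logs for a week" policy mentioned above). All customers, addresses and timestamps are constructed; the `slack` window and record layout are assumptions of the example.

```python
"""Added example, not code from the thread: abuse attribution under the two
addressing models the comment describes, on constructed data.

With one public IP per customer, a report of "IP X did something at time Y"
is answered from the IP assignment history alone.  Behind a shared-IP NAT,
every customer appears as the same public IP, so attribution needs
per-connection translation records (customer, source port, destination,
time), and those records have to survive at least as long as the complaint
lag, modelled here as a seven-day retention window."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Assignment:
    """Static-IP model: which customer held a public address, and when."""
    customer: str
    ip: str
    start: datetime
    end: Optional[datetime]  # None means still assigned


@dataclass
class NatRecord:
    """Shared-IP model: one record per outbound connection through the NAT."""
    customer: str
    public_ip: str
    public_port: int
    dst_ip: str
    dst_port: int
    at: datetime


@dataclass
class AbuseReport:
    """What an upstream or a victim typically sends: source, target, time."""
    src_ip: str
    dst_ip: str
    dst_port: int
    at: datetime
    src_port: Optional[int] = None  # often missing from real complaints


def attribute_static(assignments: List[Assignment], report: AbuseReport) -> Optional[str]:
    """Static-IP case: only the assignment history is needed."""
    for a in assignments:
        if a.ip == report.src_ip and a.start <= report.at and (a.end is None or report.at < a.end):
            return a.customer
    return None


def attribute_nat(records: List[NatRecord], report: AbuseReport,
                  slack: timedelta = timedelta(minutes=5)) -> List[str]:
    """Shared-IP case: customers whose logged connection matches the report.

    Without a source port in the report several customers may match, and the
    result stays ambiguous; with it, the translation record pins down one."""
    hits = set()
    for r in records:
        if (r.public_ip == report.src_ip
                and r.dst_ip == report.dst_ip and r.dst_port == report.dst_port
                and abs(r.at - report.at) <= slack
                and (report.src_port is None or r.public_port == report.src_port)):
            hits.add(r.customer)
    return sorted(hits)


def prune(records: List[NatRecord], now: datetime,
          retention: timedelta = timedelta(days=7)) -> List[NatRecord]:
    """Drop connection records older than the retention window."""
    return [r for r in records if now - r.at <= retention]


# Constructed data using RFC 5737 documentation addresses; nothing here is real.
T0 = datetime(2024, 3, 1, 12, 0, 0)
ASSIGNMENTS = [
    Assignment("bob", "203.0.113.10", T0 - timedelta(days=30), T0 - timedelta(days=2)),
    Assignment("alice", "203.0.113.10", T0 - timedelta(days=2), None),
]
NAT_LOG = [
    NatRecord("alice", "203.0.113.50", 40001, "198.51.100.7", 22, T0),
    NatRecord("bob", "203.0.113.50", 40002, "198.51.100.7", 22, T0 + timedelta(seconds=20)),
    NatRecord("carol", "203.0.113.50", 40003, "198.51.100.9", 443, T0),
]
STATIC_REPORT = AbuseReport("203.0.113.10", "198.51.100.7", 22, T0)
NAT_REPORT_NO_PORT = AbuseReport("203.0.113.50", "198.51.100.7", 22, T0 + timedelta(seconds=10))
NAT_REPORT_WITH_PORT = AbuseReport("203.0.113.50", "198.51.100.7", 22,
                                   T0 + timedelta(seconds=10), src_port=40002)

if __name__ == "__main__":
    print("static IP ->", attribute_static(ASSIGNMENTS, STATIC_REPORT))        # alice
    print("NAT, no port ->", attribute_nat(NAT_LOG, NAT_REPORT_NO_PORT))       # ['alice', 'bob']
    print("NAT, with port ->", attribute_nat(NAT_LOG, NAT_REPORT_WITH_PORT))   # ['bob']
    # A complaint arriving after the retention window finds nothing to attribute.
    late = prune(NAT_LOG, T0 + timedelta(days=8))
    print("NAT, 8 days later ->", attribute_nat(late, NAT_REPORT_WITH_PORT))   # []
```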
They don't say they aren't using deep packet inspection, and it acknowledges that makes it more difficult to handle abuse.
In the US, where personal data is a free-for-all and everybody and their dog sells data about me to everyone else, this is important.
I agree with the author that VPNs should not be advertised as a complete security and privacy solution, but I disagree with his statement that they can actually do more harm than good.
If they actually wanted to. You could sure them under wiretapping laws if they did.
If you cannot trust your ISP, you cannot really have any privacy without truly extensive measures. Not even Tor is enough, it does not pad and change timing enough.
The last one is combatted to an extent by mix networks like Tor, or better yet, by aggressively caching and/or predownloading.
I assume you meant "sue", but, no, that's not actually a guarantee, because companies can require that you "voluntarily" agree to mandatory arbitration in order to get any service at all.
Relying on such a clause to attempt to prevent a civil suit is stupidity, if only because people are not properly informed of what the clause meant, making it void. (I could quote a few cases. But I am not a lawyer. Microsoft and EULA comes to mind.)
And by EU law, they are completely null and void by just being illegal.
That said, most of those suits do not reach court by means of settlement, not arbitration.
Not in the US!
Could you? I was under the impression that (in the US) the main difference between a phone line and an Internet connection is that former is legally protected against wiretapping and the latter not so much.
Has this ever worked though? Cursory searching, I don't see or know of any examples of lawsuits that have actually succeeded on this front. And it's not like ISPs have never given consumers an opportunity before.
The app is a tiny blip on the radar waiting for careless. (Read the darn contract, especially if you get a discount.)
The easy sniff-test for whether or not existing laws are enough to dissuade an ISP from building user profiles is to check to see if it was enough in the past to stop them from doing so.
Do we have any cases of where an ISP broke wiretapping laws and was punished severely enough in a settlement or trial that it either killed the ISP or forced them to restructure or rebrand?
If ISPs can pull off highly profitable abuses and get away with it by just settling when they're called out, that's no guarantee that they aren't going to do the same thing in the future. Verizon bragged that they broke wiretapping laws in 2012. How are they doing now? Still struggling to recover from that, I would expect?
Certainly not selling real-time location data to bounty hunters.
This kind of argument comes up a lot, and I really don't understand it, at all. Privacy is a process, it's something you improve over time. The alternative is completely circular.
I shouldn't care about switching to Firefox, because my ISP is already getting all this data anyway, and I shouldn't care about using a VPN because Google is getting all of this data anyway...
If you want to go from no privacy to decent privacy, it is inevitable that there is going to be a period where you are only plugging some of the holes.
For the majority of the public who use a VPN provider, they are essentially shifting all the risks of their personal privacy from a highly regulated industry (ISP) to one that is much less regulated (VPN providers). This is a bit similar to all the ICO scams associated with an unregulated cryptocurrency industry. ISP at least will not sell your data to questionable buyers, but there's no law in preventing a VPN provider not to do so.
If you truly believe VPN providers can survive giving you unlimited bandwidth worldwide for only a few bucks a month, without relying on other sources of revenue, then I have a bridge to sell you.
Most of them don't operate with transparency, not being audited nor being accountable or required by regulation to keep your data safe but yeah let's trust them instead!
ISP regulation in the US has completely failed to prevent abuses. I'm not here to argue that you should blindly grab a $4-5 a month VPN, but absent a technological solution like Tor, this is better than nothing.
But if you really think your ISP is more trustworthy than PIA, set up your own VPN on a Linode server and use that instead. At least then you won't have to trust your university/hotel/business Internet to be configured correctly, and at least then you won't be handing your zip code to every single site you visit.
Even a self-controlled VPN is a strict privacy/security upgrade over connecting your laptop unprotected to a hotel's wifi.
> if you are trying to prevent someone to build a profile on you entirely
If you are trying to prevent someone from building a profile on you entirely, then you are going to need to do a lot more than use a VPN. But that's in addition, not instead. You have to start somewhere.
If you're constantly throwing useless data at them, adding irrelevant URLs or browsing patterns to the data stream then their system will be confused and unable to paint an accurate picture of your profile.
This is borrowed from a similar strategy used by professionals who have gone off-grid and wanted to avoid being tracked. They would pay multiple other people to use their credit/debit cards at various different locations around the world so the system tracking them would be confused and could not pinpoint their exact current location.
But I don't like the logs that my ISP is _required_ to keep, and the organisations that have access to them as a result. A VPN removes that.
> but there's no law in preventing a VPN provider not to do so
(for a UK perspective)
> The reality here is that your IP address is only a tiny piece of your trackable profile
Yes, a tiny piece you can never shake off besides with a tunnel ("VPN"). On this front, OP is effectively making the argument that surveillance by IP address is simply never done, even if all the other tracking signals are removed. This is doubtful.
> the location of a piece of large network equipment of your ISP, and not your location
Yeah which is still pretty damn indicative of my location, despite the "streams coming together" narrative. One less signal available to the surveillance advertisers is a good thing. One more feeling of "otherness" to an ad you're being forced to see is a great thing.
> The only secured [encrypted] channel here is the route between your machine and the VPN server
Yes, simply hiding your traffic from your ISP is itself a huge win. They don't spend millions on DPI gear without clear ROI.
Given that a vibrant market for VPNs provides for copious tunnel endpoints, and that common people imperfectly using VPNs still frustrates bad actors like banks and geofencers, I'll forgive the messaging. They're certainly more legitimate than pharmaceutical or political ads.
Check out https://mullvad.net if you want a VPN that takes anonymity seriously. They don't even have real accounts, you just pay (preferably via BTC or even cash via postal mail) towards an account number that is also used as an identifier to authenticate towards the service. While there is no 100% guarantee, I would trust their claim that they do not log.
"Log in to your Facebook account. Connect VPN. Did Facebook forget who you are?" He forgot the step of opening a new private window to clear the login cookie.
VPN is a must for everybody in these days of data harvesting. We will be sorry tomorrow, seeing many new ways it can be used by global corporations and governments.
>Acting as they do, and promoting commercial VPN providers as a solution to potential issues does more harm than good.
I think this ignores the fact that some users have different threat models, sometimes the privacy threat model of a user does include their ISP for various reasons (think China).
> Starting with the obvious, if you pay for a VPN service, they have to keep your user account and associated payment information and your payment history. So, unless you are using a fake identity and an anonymous credit card (is that even possible these days?), your VPN account will be linked to your actual identity.
Depends on the VPN, some VPN providers actually don't keep that kind of history or provide options to operate and pay an account anonymously.
A lot of users simply trust the marketing of VPN providers - because it's cheap, and it doesn't look like it'd do harm. Like how multi-vitamin pills are marketed as a cheap silver bullet for a complicated problem.
There are some legitimate reasons to use a VPN. Those are far fewer than the marketing claims of those companies. What I've seen over time:
* hide your IP from the service you're using (related to geoblocking)
* get around limitations of your ISP (blocked ports or throttling, torrenting)
* hide traffic/service you use from your ISP/government (China, UAE, Iran)
* get around bad routing of your ISP
Also, his disbelief of anonymous payment methods is incredibly stupid. I can walk into a store right now and get a prepaid visa using cash, no crypto currency shenanigans required.
WalMart, Target, and many other large retailers retain photographic records of all purchasers. Many cases have been broken by police claiming to have found a match at a WalMart for the purchase of items committed in some crime.
So cash purchases of cards are not always a completely anonymous choice.
Those engaging in crimes though, such as watching region locked content outside the region in violation of copyright law, rightly should fear. But that is OK since they are criminals subverting the establishment of course. Along with those such as gays in regions where being gay is illegal. Or apostates where apostasy and heresy are death penalty crimes. And numerous other examples of despicable criminal behavior in violation of local laws.
Personally, the only reason I use VPNs is for region-locked content. How are you sure this isn't a bigger use case than you think?
Anonymous credit cards are ruled out by law basically everywhere in the European Union. Assuming that I live in the US, and that everyone on this planet is doing so, is - as you call it - incredibly stupid.
There is no way to get absolute privacy in this context for the average user. Journalists and activists should be aware there is no technology solution to protect them from spying by any sufficiently committed actor, with state actors all bets are off.
It's false self empowerment by some technical folks to presume there is a technical solution against state actors who are well staffed, have near endless resources and are working 24/7 to thwart any localized technical solutions.
If there is a way to get online truly anonymously ie public wifi points, mesh networks these will immediately be subverted by state actors with things like illegal porn, terrorism and made illegal or compromised and used as honey pots. There is no winning here.
Also, this doesn't mean that the traffic or destination addresses are also logged at the VPN (the most important data).
But, is also true that you'll never know.
And while that does not change for every request (that would be highly unpractical), all Tor clients offer you a very quick "get a new route" with just one click.
Also, by default, Tor changes circuits at 10-minute intervals.
I see people commenting ‘I use company X, they are great’ seemingly ignoring the fact that they have no real clue as to what Company X is actually doing.
> With a VPN, all you end up doing is shifting the trust from one party to another. You are not gaining anything.
This is where a lot of people would disagree. A known, reputable, audited, privacy-focused vpn provider, for example, could be more trustworthy than an ISP.
I think the declarations in the article do confuse the issue a bit - some of the benefits of a VPN such as protecting against DNS logging are real but are probably not as useful to VPN marketing people as a "pitch", because they're a bit tougher to explain to laypersons.
1) I'm not entirely convinced on the IP address tracking thing yet. Sure, you probably sit behind a NAT device on your home internet connection. But what about mobile? Are cellular networks NATed? Also, do trackers really not use IP addresses for tracking? It seems like a stable identifier as long as the "victim" is not obscuring it and as long as you can somehow link it to the victim's next IP address (unless it's static).
2) How are DNS queries not sensitive information? They tell what services you use on the web. It's how you use the internet. I don't really want any untrusted party to see that.
I was recently a victim of a password cracking attempt from someone using a vpn. I tried reporting the incident by sending the logs to the vpn abuse email, and they ignored it. I looked into VPN company itself, and it was owned by some Russian in Panama. I tried emailing a lawyer there and he said that he couldn't help me because he did work for that person.
I have no doubt that most of the major vpn providers are similarly structured so that they can just ignore all complaints except from the largest corporations.
So let's say you visit a website p0rn.xxx without a VPN, but this target website indeed gets HTTPS version of encryption, in such case, does your ISP know which website you visit?
Another case, when you connect to a VPN, your ISP indeed knows you connected to an IP right?
Any more similar cases to let me learn more about what data gets encrypted and what's not?
All other problems aside, how successful a defence against that is this? Article doesn't address that as far as I could see.
First, the downplaying of IP location lookups. If you do a lookup on my home IP address, it'll get you within 5 miles of my house. From there, the only other information you need is my name and potentially one or two more details like a birthday (easy, I use my real name online) and you can get access to my voting data -- and that'll give you an actual address, not just a zip code.
OP is correct that your IP address doesn't directly leak your home address, but in many cases it can be a pretty helpful clue. In a small town, a zip code and a name can be good enough on its own for a stalker to find someone even without voting data or public records to pull from.
OP is also correct in that there are plenty of other ways to get this data, but I fail to see how opening yet another trivial hole in my identity helps with that.
Second, the downplaying of encryption concerns. We've come a long way on SSL, but it's frankly irresponsible to say that users should just assume all of their browsing will automatically be covered, regardless of what the top sites are doing. I am primarily visiting tech sites nowadays and I still occasionally run into sites that aren't encrypted. And that's nothing to say to the fact that there are multiple ways of configuring SSL and not all of them are equally secure.
This is just in my browser, which punishes sites with insecure warnings if they're not encrypted. How many native apps are sending unencrypted data given that there's no punishment and that the user gets zero indication of the SSL status? We know from the IOT industry that a lot of these products and apps are regularly getting rushed out the door.
Of course, VPNs only encrypt the data between you and the provider. But we don't live in a world where people are primarily using desktop computers. Most users are going to be on tablets, phones, and laptops, and they travel. And no, public networks are not the only risks -- even if a network forces you to put in a password you still don't know how that network is configured, you still don't know what vulnerabilities exist on it.
If you don't know who set up the network, you should treat it as if any unencrypted data could be intercepted before it reaches the router. And you should be suspicious of the router/provider itself, particularly if it's wifi being offered by a store/hotel/airport, or other commercial entity.
And that leads to the final, big objection -- the idea that VPNs are harmful because all they do is shift the trust model. If you're in the US, unless you are very, very lucky, you can not trust your ISP. Shifting the trust model is not a fatal flaw, it is literally the entire point.
Yes, needing to trust someone is not ideal. But my VPN provider has more of an incentive to take care of my data than my ISP does. If you're using something like Proton or PIA, then I feel very confident saying that I trust both of them more than Verizon or Comcast.
So I agree that bulletproof claims that come from VPNs are often inaccurate. I agree that there are problems. I don't see this article as any less sensationalist and inaccurate than the provider claims though. VPNs are just a kind of crappy solution we're stuck with, and absent everyone moving to Tor, I have yet to see anyone propose a better solution.
Compare that to random commercial VPN app...
I don't mean that Tor will work better if everyone uses it. Quite the opposite, it will slow down considerably.
I mean that anyone who isn't using Tor needs a different solution. We have two solutions being proposed to the problem of leaking IP addresses: VPNs and Tor. Unless our plan is to move literally everyone onto Tor, we need a non-Tor solution for the people we don't move over.
Or is the solution multifaceted and you should use a combo of VPN, don't logon to services connected to first party data etc.?
Commercial VPNs are the homeopathy of the Internet.
They're selling snake oil. For all but the most impossibly pathological customer scenario, nothing that a commercial VPN can give you will actually protect you in any meaningful way. But they can hurt you. Since there's no quality control of any sort, and since their customers are self-selecting for dangerous behavior, it's a horrible environment to go mixing your traffic into.
Ones I have heard bad things about are EarthVPN, HideMyAss, Proxy.sh and PureVPN. And although I've heard nothing bad about ExpressVPN or NordVPN, the fact that they've bribed so many review sites to recommend them annoys me.
And yes, I have written stuff for IVPN.
I would not trust ExpressVPN anymore for anything.
I agree that it's annoying how many review sites are getting paid to recommend them, but the service actually has been good for the last year.
I've tested several VPNs here, including Mullvad and Nord. ExpressVPN has the fastest speeds by a quite a bit.
However, self-hosted is much faster still. Unfortunately, it's less reliable.
Are you in Beijing or Shanghai? Are you on China Telecom or China Mobile? Are you using the Sweden 2 or the Hongkong 3 server? Every permutation of those variables can have a different answer, and that answer can change from day-to-day.
My experience is that in southern provinces and bigger cities it is _more likely_ to work at any given time. But things change.
> However, self-hosted is much faster still. Unfortunately, it's less reliable.
Using a CN2 VPS is definitely a :racecar: in my experience. I primarily use shadowsocks instead of a proper VPN because moving to a different port when the interference starts is usually sufficient.
ExpressVPN has a message on most of their apps saying to use Tokyo 1, HK 4 or 5, Los Angeles 5, or UK Wembley when in China. I have used all of those servers, although HK 4 and 5 are the fastest.
I've used Shadowsocks and ShadowsocksR for my VPS. Switching ports will work for a while, but I've always found the server will get blocked eventually, possibly due to "active probing" as defined in this paper.
This person suggests hosting a website from your Shadowsocks server as a cover, but I haven't tried it yet.
(The reason why I'm not with a VPN yet is because it would compromise my speed. Am I overestimating the impact?)
No free lunch :(