Hacker News new | past | comments | ask | show | jobs | submit login
VPN – Very Precarious Narrative (schub.io)
462 points by denschub on April 8, 2019 | hide | past | favorite | 274 comments

> If you are using your device on a public network, VPNs can help you protect your data. I have a ProtonVPN subscription myself, just for those instances where I am sitting in an airport waiting for my plane

Seems like a contradictory message. He just got through telling us how most of the web is now end-to-end encrypted with HTTPS. So why does he need a VPN at the airport? Is he checking his email? I can't imagine that he's using an email service that doesn't use HTTPS. Is he logging into his bank account? I doubt any bank nowadays still uses plain old unencrypted HTTP. Is he watching cat videos on YouTube? Well, even that's encrypted.

Remember, his argument is that VPNs don't provide privacy--so that's not the reason. And this is the section where he's talking about public networks, not about other rationales for VPNs like geolocking or ISP blocking. It weakens the argument of his essay to say that he needs a VPN at the airport or cafe.

I felt exactly the same way. I've run into people who have the idea that public wifi is insecure, as in don't hit your bank's website over that insecure channel. But in reality, the services that really need security are going over TLS, where at least the connection itself is secure (presuming that you are taking the same safeguards that you'd take on a "secure" network). In reality, no internet network is naturally secure and the only security are these transport level encryptions.

But, of course, there is more to it than that. What about the unencrypted connections? DNS access and logging? Ironically these are what people tend to worry the least about but are the most likely to be compromised. A VPN can be very helpful here.

The article brushed across this distinction in a way that I think may have just been confusing to anyone that didn't already understand it. The net effect is that they might see these two pieces of advice as contradictory.

>But in reality, the services that really need security are going over TLS, where at least the connection itself is secure.

I think other considerations include whether or not the sites that you visit implement HSTS. While many sites do support HTTPS-only logins, several webservices are actually quite vulnerable to software such as SSLstrip[1], which redirects hijacked users to plaintext HTTP pages whenever feasible.

While many sites implement TLS, several sites don't implement HSTS. I am not sure about the HSTS policies of the top 3000 sites so I will not comment on that.


The bigger issue with public wifi is even actually finding your bank's server in the first place. HSTS largely saves the day here, but is far from universal. If any non TLS requests are in the request chain, and you don't have an eagle eye on the address bar, all bets are off.

Right, and he's not counting the metadata an ISP or wifi provider can be collecting about you, they might not be able to see your private traffic to your bank, but now they know who you bank with. You might be passing that information on to ProtonVPN, but I'm more afraid of what someone sniffing wifi traffic can find out about me than a service I'm paying for, its about the same risk with my ISP. AT&T even collects data from its consumers.

> So why does he need a VPN at the airport?

Because the airport made a shitty choice in designing it's wifi, and people who connect to such networks are making shitty choices.

HTTPS is nothing more than a content protocol wrapped in a transport encryption layer used for a subset of your overall traffic.

When you connect to an open wifi network your device is literally screaming 1s and 0s into the air like a maniac. A subset of these 1s and 0s are the things you're actively telling the computer to do. Most of this stuff is things like ARP, Name resolution services and other stuff that isn't encrypted for perfectly understandable reasons.

Instead, when connecting to an open airport wifi network, a personal decision is made that the connectivity is more important than encryption. Airport wifi connections could and should be encrypted with AP client isolation, but they aren't.

How exactly is the airport supposed to offer a WiFi network that is encrypted and open without breaking usability and compatibility?

This hasn't been possible until WPA3, which has barely started rolling out.

OWE and an SAE PSK network with a well known PSK do not solve the trust issue of connecting to public Wi-Fi rather only the encryption issue.

Take the example that you are connecting to an SSID named "Airport_Guest_WiFi". In the case of OWE you simply connect and now everything between you and "Airport_Guest_WiFi" is encrypted. In the case of PSK with SAE you connect to "Airport_Guest_WiFi" and exchange information to generate secret keys only you two know. The problem in either scenario is you've just set up encryption not trust. How do you know the "Airport_Guest_WiFi" you connected to was the airports or the attackers?

WPA3 Enterprise solves this issue somewhat but is not realistic to deploy for temporary guest networks.

I argued ever since I heard OWE was going into draft it should have some optional mode for PKI validation. E.g. if you connect to the SSID "guestwifi.airport.com." and the airport signed the hello with the cert for that domain then the client could validate that against it's root stores and have the same level of identity trust it does when connecting to usersbank.com. Clients need not be forced to validate it but at least it gives a realistic option to connecting to such networks.

Many ways to do this.

Make the password widely-known. Announce it over the intercom. Post it on the walls.

Offer both encrypted and non-encrypted SSIDs. The non-encrypted SSID could even just be a captive portal with instructions to connect to the encrypted SSID.

If you're feeling wild, use WPA2 Enterprise, and accept any credentials.

"WPA and WPA2 don't provide forward secrecy, meaning that once an adverse person discovers the pre-shared key, they can potentially decrypt all packets encrypted using that PSK transmitted in the future and even past, which could be passively and silently collected by the attacker. This also means an attacker can silently capture and decrypt others' packets if a WPA-protected access point is provided free of charge at a public place, because its password is usually shared to anyone in that place. In other words, WPA only protects from attackers who don't have access to the password."


Notably, this is only a problem for WPA2-PSK, not WPA2-Enterprise. But, fair enough -- this does render my first suggestion unsuitable.

Doesn't the widely-known password render the encryption useless to anyone that has captured the 4-way handshake at the beginning of your WIFI-session? With the PSK and your session keys an attacker can decrypt your traffic if I remember it correctly.

It is already possible using a combination of WPA Enterprise (802.1x) and RADIUS. The RADIUS server is configured to accept any username/password combination, effectively providing an open access point but isolating its users because the 802.1x scheme employs different key material for each user (not completely sure about that key material part but I think that's how it works).

>Seems like a contradictory message. He just got through telling us how most of the web is now end-to-end encrypted with HTTPS. So why does he need a VPN at the airport? Is he checking his email? I can't imagine that he's using an email service that doesn't use HTTPS.

Because the Internet is more than the stuff that lives on port 443?

What does the author do about UDP packets?

It’s interesting that you mention email. SMTP can use TLS of course but I know of plenty of POP3 email providers that still send unencrypted and even if it were, it’s not using HTTPS.

What about DNS requests too? Those are still often sent in cleartext.

Even with actual HTTPS with a browser, the domain itself is visible.

In short - the Internet is not just the web.

That would imply the author cares enough about privacy / security to use VPN to hide for example POP3, but not enough to immediately drop an email provider which uses unencrypted POP3 service. And that's a strange argument.

Probably because a person can more trivially be taught vpn = privacy than understanding ANY of the details and be legitimately better off especially if they are doing other stupid things like using unencrypted pop3 or use the same password at random http site as they use on their bank.

He made this point explicit:

> Networks like these make it easy for attackers to get a copy of your network data, and if you send something unencrypted, the results can be quite harmful.

The web should be ideally end-to-end encrypted with HTTPS. But in case this assumption breaks down, VPN gives an additional headroom for security. Not much (as explained in the article, and thus should not be advertised so), but still useful.

The VPN only protects the first hop, it would not be a good backup for https.

Yes, but if the target site does not use https there is no alternative.

It protects the first hop for request data. But response data could be interfered with too.

The internet is so much bigger than just websites. HTTPS is great but VPNs provide encryption at a much lower level, where it should be. Even when using https you are exposing a lot of unencrypted data because https is an application layer encryption. It's not enough.

> The web should be ideally end-to-end encrypted with HTTPS.

No. People designing public access networks should use encryption and AP client isolation.

They should, of course. And for when they don’t, a VPN can protect you. That’s what the article is saying.

I'm responding to OP's comment, not the article.

>most of the web is now end-to-end encrypted with HTTPS. So why does he need a VPN at the airport?

What percentage of (typically rushed) people at an airport will notice that a website is loading over http instead of https? SSLsplit is pretty useful.

Does your bank, or whatever, not use hsts?

My bank doesn't _and_ there's a redirect to a different domain (rbs.co.uk homepage does to personal.rbs.co.uk, rbs.co.uk/englandandwales or the login link goes to rbsdigital.com). Serve a redirect on the non-HTTPS rbs.co.uk to some other plausible domain with a valid HTTPS certificate, and I probably wouldn't notice.

Last time I checked, about 2 years ago, none of the Swedish banks used HSTS. And a couple of them used HTTP on their main page and and HTTPS on their internet bank which was put on some weird domain. Chrome's changes has since then forced them to move everything to HTTPS but I would be very surprised if they all use HSTS now.

SSL everywhere is also a good workaround for this: https://www.eff.org/https-everywhere

I can't help but shake my head at this whole argument.

For literally years I've been telling people that a VPN run by a third party does not enhance privacy or security, but because the consensus is "VPN = secure" it's a losing battle, and I sound like a tinfoil-hat-wearing loon.

Most VPN services are not designed to provide privacy or security, and if you have a subscription to one, that's probably not the reason you bought it either. They're designed to provide the minimal amount of traffic hiding required to allow you to pirate TV/movies/video games without getting in trouble or hitting blocked URLs. And it works, or you wouldn't still have the subscription.

Now, as both the buyer and the seller need a non-shady cover story, they describe hiding your suspect downloads as "security and privacy" - it's not utterly inaccurate, but it implies far more than what's happening.

The problem with the narrative is that it makes laypeople think they are "more secure" when using a VPN, when in reality, the opposite is true.

As an example, when I perform a Google search, my traffic is encrypted over SSL, so my ISP can't see that. My ISP can see the domain name of the result I click, and a VPN would mask that from them. But now a new third party (the VPN provider) can see that instead. This makes sense if you're downloading pirated media (as the VPN service doesn't care), but the buyer is in effect trading:

1) An ISP, which is in most western countries heavily regulated, with legal commitments to auditing and your privacy (just not from law enforcement).


2) Some computer somewhere that is run by an utterly unregulated company or individual that may or may not know how to configure OpenVPN correctly and that you don't know anything about, other than they run a shady business based on allowing you to download pirate files on the internet. Also they're not at all regulated or audited, and may not even be in a jurisdiction that requires them to protect your data at all.

Given this trade-off, trusting a VPN to do a better job of protected your privacy than an ISP seems like madness to me, given that they could easily sell whatever information they have on you on and there's nothing you can do about it (and you'd likely never find out). It may not even be a crime depending on where they're located.

There's arguments for VPN in preference to unsecured Wi-Fi, but in reality, how often is that an issue? How many scenarios are there where you can't use mobile data instead? (And even where/when you can't, you still have all the downsides above which may or may not be better).

I don't think your analysis is complete.

Most VPN's raison d'être is providing privacy. If it's publicly known that they don't then that kills their business.

An ISP is tasked with connecting prior to the internet, they don't make claims about privacy, they can reveal information about clients without necessarily putting anyone off, most of the clients for large ISPs have probably never heard of a VPN.

If a VPN wanted to they could get audits by pen-testers to warrant their ability to provide secrecy.

A VPN provider that's been around a while and claims to offer a high level of privacy probably does.

Slight aside:

>My ISP can see the domain name of the result I click, and a VPN would mask that from them. //

There was a paper a little while ago, they directly identified pages by mitm-ing HTTPS by using meta-data (page size alone IIRC). Success was something like 80%.

>There was a paper a little while ago, they directly identified pages by mitm-ing HTTPS by using meta-data (page size alone IIRC). Success was something like 80%.

Link please. I don't doubt what you're saying, I'm just really interested in reading more about this.


>We present a traffic analysis attack against over 6000 webpages spanning the HTTPS deployments of 10 widely used, industry-leading websites in areas such as healthcare, finance, legal services and streaming video. Our attack identifies individual pages in the same website with 89% accuracy, exposing personal details including medical conditions, financial and legal affairs and sexual orientation. //

It should be noted that SSLstrip is a thing. Those sites would need to properly force HTTPS, which is easy to get wrong. And it's much easier to allow both HTTP/HTTPS.

I think the whole point is you'd want both IPSec and TLS, and just TLS might not be enough. A good VPN impl provides better protection when you're connecting over public networks you don't trust, for protocols that don't use TLS.

We usually do not have a choice of ISP. A VPN gives you the option of where to "attach" to the internet. As an added bonus at that point you can filter ads, malware, tracking.

Im actually glad that the author pointed out that once you log in somewhere that will track you, that connection is associated with you.

A vpn is not a cure-all. It is only as private as you're willing to make it. If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time. What you do is absolutely a part of your advertising/tracking profile.

Payment information - some prefer to use cryptocurrency, which in their minds, is private. Again, once metadata connects you, there's no denying that that's you.

A third party consultant takes your payment? Maybe. Especially if you've got some anonymizing layer to your credit card info that has earned a similar trust. This will of course add to the cost of the transaction.

Even the way you type can connect you. Sufficient amounts of text - such as this reply - are usually enough.

>If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time. What you do is absolutely a part of your advertising/tracking profile.

This is probably not going to work with public vpn services because many users share one server, and the server you use changes every connection. Thus facebook can’t really correlate your torrent traffic with your session because it could be anyone else on that server.

> If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time.

Not really. There's not a single documented case of a major VPN user ever receiving a copyright infringement notice. Despite the fact that millions use this exact same use case.

In security it's always important to understand the threat model. If I know I'm being personally targeted by Mossad, that's a very different story than if I'm trying to avoid getting identified in a mass copyright notice from the MPAA.

Facebook would never ever ever in a million years voluntarily give the MPAA unrestricted root access to their IP level user tracking data. If they tried to subpoena it, Facebook can afford much much better lawyers than Warner Brothers.

And I guarantee that at least in the American judicial system, any judge is going to be extremely skeptical against such a sweeping request.

> Im actually glad that the author pointed out that once you log in somewhere that will track you, that connection is associated with you.

Exactly, and it's usually a cookie or some sort of persistent storage. I use a VPN, but I use it at the router level. https://wiki.alpinelinux.org/wiki/Linux_Router_with_VPN_on_a...

I know my ISP logs my metadata (by law), whereas I trust that my VPN provider does not.

Essentially VLAN2 all traffic is routed direct to my ISP, and VLAN3 all traffic is routed to VPN. My machine normally sits in VLAN3. I make sure not to log into anything social media related or tied to my real identity.

If I need to do banking, Facebook or something like that I'll use a device in VLAN2 (a separate computer).

All phones and devices like that are broadcasting information anyway so those are in VLAN2 as well, unless they are devices with LineageOS and no Google Apps.

> A vpn is not a cure-all. It is only as private as you're willing to make it. If you want to pirate movies and chat on facebook at the same time, you're probably gonna have a bad time. What you do is absolutely a part of your advertising/tracking profile.

See in this scenario I would have a system in VLAN3 that I use for my downloading, and another computer in VLAN2 that is used for the facebooking. I use a hardened browser with https://github.com/ghacksuserjs/ghacks-user.js that hardens the browser and helps against fingerprinting.

I also use a number of addons, for various purposes

That requires hardening. Currently I use

* CleanURLs https://addons.mozilla.org/addon/clearurls/ (remove UTM and parameter tracking)

* CSS Exfil Protection https://addons.mozilla.org/addon/css-exfil-protection/

* Decentraleyes https://addons.mozilla.org/addon/decentraleyes/ (prevent tracking via CDN)

* Firefox Multi-Account Containers https://addons.mozilla.org/addon/multi-account-containers/ (used for sites to keep me logged in)

* HTTPS Everywhere https://addons.mozilla.org/addon/https-everywhere/

* Redirect AMP to HTML https://addons.mozilla.org/addon/amp2html/ (no to AMP)

* Temporary Containers https://addons.mozilla.org/addon/temporary-containers/ (Prevents tracking via ETags and other things like IndexDB)

* uBlock Origin https://addons.mozilla.org/addon/ublock-origin/ (block adverts)

* uMatrix https://addons.mozilla.org/firefox/addon/umatrix/ (block 1st party JavaScript)

I use a very similar list of addons. In addition I recommend:

* CanvasBlocker https://addons.mozilla.org/en-US/firefox/addon/canvasblocker...

* Cookie AutoDelete https://addons.mozilla.org/en-US/firefox/addon/cookie-autode...

and I block cookies by default using uMatrix.

Thanks for pointing out CSS Exfil Protection. I hadn't seen that one yet.

Edit: I also recently switched to NoHTTP instead of HTTPS-Everywhere. This way I have to explicitly allow any non-HTTPS connections.

I use a very similar list of addons. In addition I recommend:

> * CanvasBlocker https://addons.mozilla.org/en-US/firefox/addon/canvasblocker....

A lot of people recommend that, but you don't need it if you're using ghacks-user.js. The reason is because of privacy.resistFingerprinting.

> * Cookie AutoDelete https://addons.mozilla.org/en-US/firefox/addon/cookie-autode....

> and I block cookies by default using uMatrix.

I use CookieAutodelete on my mobile because unfortunately the container API isn't available on the Android version of Firefox.

The reason I don't use it on my desktop is because there are certain types of things that cannot be cleared.

> APIs do not exist to allow clearing IndexedDB, Service Workers cache, appCache, or cache by host. Clearing cookies & localStorage on their own, and leaving orphaned persistent data is a false sense of privacy.

* https://github.com/Cookie-AutoDelete/Cookie-AutoDelete/wiki/...

* https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1-Exte...

> Edit: I also recently switched to NoHTTP instead of HTTPS-Everywhere. This way I have to explicitly allow any non-HTTPS connections.

I might have to check that out.

Superb list.

But what world are we living in that one needs a specific browser with 10+ addons and tweaks to have some amount of basic privacy. Lunacy!

We've documented it here:



The setup is aimed to minimize duplication.

> But what world are we living in that one needs a specific browser with 10+ addons and tweaks to have some amount of basic privacy. Lunacy!

Yes, I wish it was like the 90s. . Unfortunately the advertising/tracking industry is insidious and could not care about user experience.

Seems to ignore two things...

a) Your ISP is almost always in the same legal jurisdiction as you are. A VPN need not be.

b) A VPN has some incentive to deliver on privacy. Your ISP does not.

It's fair to call out that a VPN isn't perfect for either privacy or anonymity. But it clearly can be better than your ISP.

Not only does my ISP have no "incentive to deliver on privacy, my ISP is _legally required_ not to deliver on privacy.

They are by law in the tinpot jurisdiction I live in, required to retain all "meta data" about my internet connection, and provide it to "law enforcement" which has turned out to include not just terrorist and serious drug crime divisions of the police, but also local council garbage services and the taxi commission.

All I need from a VPN service is for it to be slightly more difficult to request all the data invading my privacy than the mandatory legal disclosure of it that I'm subject to anyway. Anything beyond time-zone slowness and paperwork incompetence is just a bonus. I prefer VPN providers based in France or Finland or Iceland - on the perhaps vaguely over reliant on bad stereotypes theory that they'll put English language requests at the bottom of the pile, and that the Sydney Taxi Commission won't have an Icelandic speaker on hand to ask them for my internet date records...

Even if they keep all traffic logs, and even if they happily turn it over without a fight to anyone who can fake a plausible looking LEO email address from Australia, I'm still ahead in at least some important waays privacy-wise over not running a VPN at all... If they really don't keep logs, or really will push back against LEO requests without proper warrants, even better. But not doing that doesn't;t make them useless...

This is my reasoning behind using a vpn for things other than getting around geoblocked content: I'm adding another layer of international bureaucracy and law enforcement to the process of a copyright's holder getting to me, despite it actually being legal where I live.

There's no barrier like international bureaucracy and language barriers. Good luck navigating the courts of 3 countries within the time period that any logs might have to be saved for at the last hop.

After reading the first sentence of your reply I (correctly) guessed which country you were talking about. It's a depressing state of affairs for sure.

People from the First World have no idea that porn and politically sensitive content is blocked in so many countries. Youtube is heavily censored - you won't be able to watch Charlie Chaplin movies or some lectures on Greek democracy in Thailand.

Also this censoring is poorly executed by some ISPs via simple DNS hijacking. As a result your connection is slow and with terrible jitter.

As for the proverbial airport/cafe WiFi - using VPN is not about not beeing tracked - it is about blocking easy access to your laptops filesystem by attacker on the same network.

Also if you do not trust commercial VPN provider just set up your own.

> Thailand’s Junta Got Charlie Chaplin’s ‘The Great Dictator’ Blocked From YouTube YouTube caved to requests from Thailand's military-backed government to block a Thai-subtitled clip from the renowned political satire.


How would an attacker access your laptop’s filesystem if you’re connected to the same network? I can’t think of any way that would work unless your operating system is horribly misconfigured (maybe to make the entire filesystem a network drive?). And how would a VPN protect you here?

Do you think every single machine/local network access is properly configured, especially with Windows? Not once I have been browsing Point-Of-Sale files in a cafe where I have been using WiFi cause someone did not separate networks. Just an example.

> unless your operating system is horribly misconfigured

So, Windows with (default?) settings?

What would you consider the best/easiest way to setup your own?

Streisand [https://github.com/StreisandEffect/streisand] automates the setup of several different VPN services on cloud providers.

I am running strongswan[1] with IKEv2 on cheap (10$ per year) VPS in Amsterdam, Netherlands. Or you can google for how to set up your own VPN on AWS/Google Cloud free tier.

[1] https://wiki.strongswan.org/projects/strongswan/wiki/UserDoc...

[2] https://medium.com/@tatianaensslin/how-to-create-a-free-pers...

IKEv2 is solid, fast and secure. And major OSes have native VPN clients, including iOS - no need to use 3rd party client software.

> b) A VPN has some incentive to deliver on privacy. Your ISP does not.

Regarding this point, I think a good strategy here is to acknowledge that ISPs, like most organizations, don’t want to add to their workloads. Of course they aren’t privacy centric, but appeals to them oriented around _not_ having to store a bunch of logs or set up a bunch of processes can help to unite more people around initiatives to make things better for everyone

If everyone has the same ideals then it’s easy to team up. But even if everyone has different ideals, you might all still be wanting 90% of the same result and can still team up!

Yes, VPNs might be unjustly talked about as a set-it-and-forget-it way to gain privacy online a bit, but what I find far more harmful is the blind trust people seem to have in their ISP. I often see the argument "You are just shifting trust from one company (ISP) to another (VPN).", yes, that might actually be the whole point.

ISPs can't be blindly trusted. I switched ISPs lately because my previous one started offering personalised TV-ads. This is a very scary topic and in Belgium it has already lead to some fishy things:


Nice quote with regards to personalised tv-ads:

"Er komt ook een nog verdergaande versie waarbij ook het surfgedrag zal leiden tot gerichte tv-reclame. Daarbij wordt gemonitord naar welk type websites er in een gezin vaak wordt gesurfd, om zo interessepatronen te ontwaren die lucratief kunnen zijn voor adverteerders."

"There will be a far-reaching version in which browsing behaviour will also lead to personalised tv-ads. The websites visisted by families will be analysed in order to discover interest patterns that could be lucerative for advertisers."

Add this to the many cases where ISPs have fought for being allowed to use deep packet inspection to monitor what we do and you start to see that ISPs in fact think they have a right to collect and sell our data. Am I not already paying for internet and TV?

What's happening is the service providers are realising that a lot of lucrative billion dollar businesses have been built by selling ads on top of their last-mile services, they might as well do the same. In India, the companies that are ISPs are also Cable Providers and Mobile Network Providers. They have been caught MiTMing Https to inject ads. They do it cause they want their share of the internet ad revenue cake.

What's strange is that Belgium, in the post-GDPR world, has businesses with regressive behaviour wrt user profiling. What gives?

Logs are worth a lot of money to advertisers if your customers can't effectively avoid the process.

And a lot of money to a lawyer who will sue the ISP under privacy laws if it comes to light.

It has to be clearly stated in the signed contract that your data will be shared with third parties, in what way and how they will be processed. The company involved would definitely lose any Privacy Shield provisions for the EU and potentially peering rights.

Losing enough peering is identical to being disconnected.

Class suit of this kind is easy.

I didn't get any money when my cell provider was caught multiple times selling my location history to anyone with a buck, including dangerous vigilantes.

In the US they can share all the site IPs they want.

If you make them put it in the contract, sure: "We'll share it with all these ad agencies for the purposes of targeting." That doesn't help me at all!

> It has to be clearly stated in the signed contract that your data will be shared with third parties

The most valuable companies in the world trade in identity. They spend billions trying to figure out who you are. ISPs have it served on a silver platter, and there is generally little ISP choice. If ISPs haven't written it in contracts already, there must be a political reason for it, otherwise they doubtlessly would. Anyone know what the societal contract with ISPs is?

>Class suit of this kind is easy.

...in US

No, definitely not in the US. They sell everything and our treacherous congress specifically voted to allow it.

If regulations require ISPs keep logs, or if they can make a profit from those logs then the workload is justified in reducing losses (fines from regulatory noncompliance) or increasing profits.

> Your ISP is almost always in the same legal jurisdiction as you are. A VPN need not be.

Most of them are registered in five eyes countries, or twelve eyes. If they have anything in the US even if its just a single server they will claim jurisdiction over the lot.

There are too many agreements and loopholes to rely on the whole jurisdiction thing. Unless you use a 100% Estonia VPN company and server with no other locations you are not safe, even then its not enough. 5 years ago Sweeden was the safest country for privacy, things change.

> A VPN has some incentive to deliver on privacy. Your ISP does not.

While they generally don't an ISP can give you better privacy than a VPN, no worries about dns leaks, they can route every one through a low latency mixer etc.

I would rather pay an extra £20 a month to my ISP for real privacy than pay a VPN £5 a month for fake peace of mind.

So what protection does a foreign VPN provider have from the NSA? The answer: None.

If your threat model includes NSA you need to reconsider lot more than just a VPN

Disk encryption, firmware lockdown, home security with notifications, burner phones, Tails and Tor (via VPN), IRC, fleet of hacked Windows machines to route through, 10 online identities.

Windows Defender oughta do it /s

I always recommend users to pick a VPN service in a country not on friendly terms with domestic agencies. Sure, that country gets your data but have a harder time correlating it with anything.

In my circle, VPN use starts to be requested by non-technical users that just want to minimize their digital footprint.

Seems amazing to me, since people spend 200$+ on a service for a year, so it seems rather important to them.

No reason not to use globalization to your own advantage.

A foreign provide surely has more, in the legal realm, than a domestic one?

What legal protection from the NSA does a foreign (to the USA) provider have? Signals intelligence from foreign sources is the NSA's exact mission.

At least the NSA has a purported requirement not to do domestic spying, even if Snowden proved that's not being followed.

I was thinking that a domestic entity has no protections from the NSA, they have to open up if NSA says so "for national security reasons"? Whilst a foreign entity has not requirements to do so. Both domestic and foreign entities are subject to the same practical abilities; ergo a foreign entity is safer?

As for "no domestic spying", I thought the five-eyes group spied on each other to order so as to circumvent those requirements in domestic law??

No it cannot be better. It can be only equally good or as bad as your ISP. Just because they claim that they protect your privacy that's just a blind faith.

Users trusted PureVPN claims for protecting their privacy but all it took was an FBI investigation and through court documents to find out that they actually were keeping logs, despite all their claims.

It cannot be better but it is a matter of blind faith to trust they are better?

>No it cannot be better. It can be only equally good or as bad as your ISP


>Just because they claim that they protect your privacy that's just a blind faith.

Even if this is the case, it does not make your previous statement true

Damn. I don't even know where to begin.

It's true that VPN services at best provide less anonymity than Tor does. And that some, such as HideMyAss (which pwned that LulzSec dude) provide none. But PIA clearly does, as demonstrated now in two criminal investigations.[0]

Of course, in both cases, defendants pwned themselves through poor OPSEC. But at least PIA didn't give them up.

And the Facebook example. Nobody paying attention expects a VPN service (or even Tor) to hide their identity if they login using their real name. That's just stupid.

0) https://torrentfreak.com/private-internet-access-no-logging-...

> And the Facebook example. Nobody paying attention expects a VPN service (or even Tor) to hide their identity if they login using their real name. That's just stupid.

A lot of users care about privacy, but have no idea how computer networking works. It's hard for these users to understand whether they're private or not. If you don't believe me, check out the tech support and recommendations over at old.reddit.com/r/vpn -- there's clearly a lack of knowledge about VPNs and computer networking. Probably once a week, someone will ask "How did [paid video streaming service) know I was using a VPN?" Or "X country can only spy on me if I have a VPN in that country, right?"

Users are all too clueless, sadly enough. And too lazy, as well. I do what I can, but it's a drop in the bucket.

I think the author's point is that the ads put out by lots of these VPN providers do suggest that they are a one stop shop to hide your identity.

He's right about the scummy advertising, but I think he goes a little too hard-core contrarian in the end by basically suggesting the only reason to have a VPN is for airport/starbucks wifi.

If we talking OPSEC, PIA of out, as any other with your payment info. You'll need to have few different anonymous VPNs and self hosted VPNs/proxies to make random chains. Pay by coins only, throwaway emails.


No VPN service has my "payment info". Or at least, not any meaningful payment info. As you say, I use email accounts created through Tor, and pay with Bitcoin that's been mixed at least three times through Tor, using a different Whonix instance and a different mixer for each mix.

Of course one has to wonder how much of that "poor OPSEC" is actually just parallel construction. The linked article doesn't sound like it. But on the other hand with the way mass market VPN software generally works, how many people are going to be absolutely sure that all of their traffic definitely went out the tunnel?

The FBI having access to an NSA-provided tool that takes some IP addresses and returns other "associated" IP addresses (from trivial packet correlation on PIA's upstream) would produce a pattern of investigation that essentially looks the same.

Sure, a lot of it may be parallel construction. We do know that the NSA shares with the FBI and other TLAs.

If your threat model includes the NSA or the like, VPN services are at best a minor hindrance. Possible options include Tor and "anonymously" using WiFi hotspots.

I only know of one fundamental fail for Tor: the relay-early bug that CMU exploited. The others have involved Firefox and Windows bugs. People using Whonix in Linux hosts, and hitting Tor through nested VPN chains, would have been safe from any attack that I've heard of. But then, maybe I just haven't heard of the juicy ones.

I've tried the "anonymously using WiFi hotspots" approach. It's a pain in the ass. And in today's high-surveillance environment, I believe that it's a dumb idea.

It's true that VPN leakage is a serious risk. But you can use firewall rules to prevent DNS and traffic leaks. Or you can use VPN services whose client apps do that for you.

Also, I'm talking about desktop use. Doing any of this on mobile devices is a lot harder, I think. I'm not sure that I'd even bother.

The quip about someone being sure absolutely no traffic went out their access IP is that without extreme confidence, they won't be pushing their lawyer/team to scrutinize the chain of custody for the server logs, hinging their case on procedural grounds. Someone diligent enough to setup proper firewall rules is probably also forethinking enough to not go cracking random newspaper websites for fun.

And yeah in regards to criminal activity, I think it would be prudent to consider the NSA, specifically bulk processing of dragnet surveillance, part of the threat model in the modern age. It's very easy for the public narrative to focus on a guilt-implying needle in a haystack, regardless of how that needle was actually found.

> Possible options include Tor

I thought most folks believe that the NSA/CIA/some other TLA has control of more than 50% of the exit nodes, which should be enough to reconstruct the sources of most traffic.

It seems rival agencies (Chinese, Russian) should be interested in doing the same, or at least denying NSA this capability. I mean adding some exit nodes is not exactly expensive, seems like a low hanging fruit, doesn’t it?

Yeah, that's another argument. The NSA competes with its counterparts to own Tor infrastructure. And that competition prevents any one from owning enough to pwn users.

And it's no accident. Tor was designed that way.

Listen-only access is non-exclusive, and works for packet correlation attacks.

Security wise, we really need to be moving away from this instantaneous-datagram model.

Some people do. If that's true, all hope is lost ;)

I have a pretty limited selection of ISPs available to me in my area and they make no effort to promise any kind of anonymity or privacy. Indeed here in Canada ISPs have frequently given subscriber contact information to copyright holders to issue warnings based on bittorrent usage without being legally required to. When visiting the UK certain IPs are blocked by ISPs. I can choose from a wide variety of VPN providers in other jurisdictions whose entire business model is based around respecting my digital rights in ways that most ISPs explicitly don't care about. Some of these providers accept bitcoin and other relatively anonymized forms of payment, including VISA gift cards.

The article makes some valid points but overstates the case. I continue to be happier with trusting my VPN providers than any of the ISPs available to me.

>Canada ISPs have frequently given subscriber contact information to copyright holders to issue warnings based on bittorrent usage without being legally required to.

This is false. ISPs do not disclose your personal information for copyright complaints.

Industry, Science and Economic Development Canada explicitly states that subscriber information is only disclosed "if ordered to do so by a court ... as part of a copyright infringement lawsuit." [1]

Copyright infringement suits are known to have happened, but they are rare because the limit for non-commercial infringement is $5,000, which is generally not worth pursuing through the courts.

[1] http://www.ic.gc.ca/eic/site/oca-bc.nsf/eng/ca02920.html

> Indeed here in Canada ISPs have frequently given subscriber contact information to copyright holders to issue warnings based on bittorrent usage without being legally required to.

Citation needed?

The “Notice and Notice” regime legally requires the ISP to pass along a notice from a copyright holder that believes your IP infringed their copyright by uploading their material. It does not permit the ISP to give subscriber information to the copyright holder directly unless ordered to do so by a court.

Here’s Michael Geist, Canadian lawyer, explaining the system and recent developments regarding ISPs seeking to make such information disclosures more difficult for copyright holders, not less


> My Globe and Mail op-ed notes that the Canadian system for online infringement was formally established in 2012 and came into effect in 2015. The so-called “notice-and-notice” approach grants rights holders the ability to send notifications of alleged infringement to Internet providers, who are required by law to forward the notices to the relevant subscriber and to preserve the data in the event of future legal action. The system does not prevent rights holders from pursuing additional legal remedies, but Internet providers cannot reveal the identity of their subscribers without a court order.

> While the system has proven helpful in educating users on the boundaries of copyright, some rights holders have used it as a launching pad for further lawsuits. In fact, thousands of lawsuits have now been filed, with rights holders seeking to piggyback on the notice-and-notice system by obtaining the necessary subscriber information directly from Internet providers at no further cost.

> The question of costs lies at the heart of an important Supreme Court of Canada copyright ruling released on Friday. Voltage Pictures sought subscriber information from Rogers Communications for the purposes of pursuing individual lawsuits. When Rogers advised that it wanted compensation of $100 per hour for the costs associated with fulfilling the request, Voltage responded that Internet providers could not pass along their costs since the notice-and-notice system already required them to identify subscribers and preserve the data without compensation.

> The particular incident may have involved only a few hundred dollars, but the broader principle had the potential to dramatically alter the Canadian approach. If Internet providers were required to disclose subscriber information without passing along the costs, Canadian courts faced the prospect of an avalanche of lawsuits and Internet providers might be dissuaded from carefully ensuring that the privacy of their subscribers was properly protected.

> The Supreme Court understood the broader implications of the case, ruling that Internet providers can pass along the specific costs associated with subscriber disclosures beyond those required for the notice-and-notice system. Indeed, the court recognized the importance of accurate data to safeguard against reputational harm and wrongful lawsuits.

> It does not permit the ISP to give subscriber information to the copyright holder directly unless ordered to do so by a court.

With honest VPNs, court orders won't yield anything.

Sure. OP is still pulling that claim out of his nether regions, though

You've researched this topic more than me. My citation is just knowing lots of people who have received the warning notices and concluded (quite reasonably IMO) that their ISP and/or government is more interested in the rights of copyright holders than those of their customers / citizens and sought solutions to that problem through VPN services.

The point of my post was not about this particular legal issue but about the general fact that ISP choice being largely limited by physical location means that it is easier to choose VPN providers that have interests more aligned with mine than ISPs. Whether ISPs are forwarding threatening letters from copyright holders or giving them contact information directly is not particularly germane to this point.

There's a couple of bad faith arguments in this article that I didn't care for:

- Regarding user identification, rolling my IP address is trivial with a VPN. Less so on my static IP.

- The Facebook example without cookie deletion is a low-effort Straw Man

- I reject the leap that "we have figured out that they [VPNs] do not add much to your online privacy". In the very narrow terms defined, yes of course, but either the author has willfully missed out why people use them, or doesn't understand why.

I did enjoy this note though: "Somehow, VPNs have turned them not failing to do their job into something they can market as a special feature."; I think there's some truth to that.

I tunnel my traffic over a VPN to avoid my ISP building a profile on me. I change my IP every-so-often to mess with trackers at large. I accept that browser fingerprinting is probably thwarting my overall effort somewhat, but I'm reducing the vectors that I can. I firmly believe that VPN companies are capitalising on fear but I respect the hustle. I don't think any of those points are particularly niche (niche subject notwithstanding!) so I find it interesting to see this take on it. Perhaps this isn't an article representative of the position of the wider HN crowd?

What you see as bad faith is actually a direct reflection of the benefits these VPN providers are claiming to provide -- if not explicitly on their own site (publishing false claims in writing often leads to bad outcomes) then at least in the ad copy they give to the Youtube hosts to read.

In ~100% of cases, you're safer SSH-tunneling your traffic to a cheap server at a cloud hosting provider.

>I tunnel my traffic over a VPN to avoid my ISP building a profile on me.

What do you believe this profile is made of? I don't mean this sarcastically. Facebook or Equifax's profile of you must be very complete and contextual.

But, your ISP has:

- The domains you visited, but not the specific URLs (via SSL & certificate names)

- The domains you visited, but not the specific URLs (via DNS)

- The IPs you visited.

- The ports of those IPs.

- Any unencrypted traffic, which as noted, is pretty rare these days.

Do you believe that with this information your ISP can build a very meaningful profile? It seems to me that the profile which Amazon, Facebook, and a Bank, (VPN or not) can build is far more damaging. (and, I admit that just because you can't prevent the worse profiling, it doesn't mean you shouldn't mitigate what you can.)

I promise, I don't mean any of this in a negative way. I'm somewhat in your boat -- I tried to do a lot for privacy via blocking and other mitigations, but I often wonder: do Amazon and Gmail effectively defeat my efforts?

The slimy marketing around centralized VPN services is why I consider it a point of pride to include the following as a "feature" in the AlgoVPN readme (

> Anti-features

> * Does not support legacy cipher suites or protocols like L2TP, IKEv1, or RSA

> * Does not install Tor, OpenVPN, or other risky servers

> * Does not depend on the security of TLS

> * Does not require client software on most platforms

> * Does not claim to provide anonymity or censorship avoidance

> * Does not claim to protect you from the FSB, MSS, DGSE, or FSM

It's incredible how quickly services that massively centralize bulk consumer web traffic were normalized. This is not ok. Further, most of these services are located in "exotic" locales with uncertain legal protections, anonymous or psuedo-anonymous owners, and make barely enough revenue to hire more than 3 or 4 staff members to maintain and secure their own infrastructure. This whole industry is a slow motion disaster.

> * Does not install Tor, OpenVPN, or other risky servers

What do you mean by "risky servers" here? I run OpenVPN on a few servers, is there something I should know?

There's an FAQ in the AlgoVPN documentation that addresses this question (https://github.com/trailofbits/algo/blob/master/docs/faq.md#...):

> Why aren't you using OpenVPN?

> OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update[1] and maintain[2] the software themselves. OpenVPN depends on the security of TLS[3], both the protocol[4] and its implementations[5], and we simply trust the server less due to past[6] security[7] incidents[8].

[1] https://www.exploit-db.com/exploits/34037/

[2] https://www.exploit-db.com/exploits/20485/

[3] https://tools.ietf.org/html/rfc7457

[4] https://arstechnica.com/security/2016/08/new-attack-can-pluc...

[5] https://arstechnica.com/security/2014/04/confirmed-nasty-hea...

[6] https://sweet32.info/

[7] https://github.com/ValdikSS/openvpn-fix-dns-leak-plugin/blob...

[8] https://www.exploit-db.com/exploits/34879/

It uses openssl, which regularly gets security issues published.

It shouldn't be too bad if you keep your server and clients updated, though (depending on your thread model).

FSM == Flying Spaghetti Monster?

You got downvoted, but if you go to github this is exactly what it means lol


Huh? I didn't ask about the FSB (the first initialism). I asked about FSM (the last).

OOps sorry a bit tired and jetlagged.

For FSM the best I can do is the Flying Spaghetti Monster, nothing else here makes sense: https://en.wikipedia.org/wiki/FSM

That is the FSB (or (ФСБ). FSM isn't the acronym or a transliteration of any known national intelligence service.

FSB - Federal Security Service, Russia

MSS - Ministry of State Security, China

DGSE - General Directorate for External Security, France

FSM - Federated States of Micronesia National Police would be my best guess. They do dignitary protection and counter-narcotics, so I would assume they have at least some intelligence function.

Given that Micronesia has a population of 100k, I wouldn't worry too much about their secret service.

I presume OP meant FSM as in Flying Spaghetti Monster as a stand-in for any organization that might wish to spy on you with its noodly appendages.

Then what is the FSB?

>However, the sad reality is, there is no such thing as a “no logs” VPN. Because running it would technically be impossible.

PIA has told the feds in the US to fuck off multiple times when asked for logs. You can't provide what you don't have, and lying to the feds is a fast track to PMITA prison (PIA is based in the US). I feel pretty confident they're not risking prison to cover for Joe Blow subscriber. Other "no log" providers have been caught with logs, though.

I do agree with overall message about VPN advertising. It's presented as a panacea when it's really a single step you can take.

Who cares if they log now? They can be forced to log --- and are in fact running businesses the practically beg the DOJ to force them to log.

Which is why many people don't use US-based VPN services.

So that, instead of the US using legal formalisms to gain access to your data, they can simply (under our law) hack it directly? While at the same time, whatever host country is involved can use their legal formalisms to get access to the data? How is that helping you?

It helps me because I use nested VPN chains. And because I alternate jurisdictions. With the goal of complicating log collection.

But in any case, I don't count on nested VPN chains for serious anonymity. Mostly I use them to avoid hassle from torrenting. And conversely, torrenting provides cover traffic, and as well a plausible reason for using VPN services.

But mostly I use nested VPN chains to hide Tor use from local observers. Because Tor usage is far less common than VPN usage, and so far more of a red flag for increased surveillance.

> They can be forced to log

There is no legislation in the US that can be used to do this [1]. Some very misguided companies may voluntarily log, but those that care about privacy or, at the least, realize that holding people's data is a liability, won't make poor decisions like that.

[1] https://en.wikipedia.org/wiki/Data_retention#Failed_mandator...

Nah, he's right. The Core Secrets leak said the FBI was using some secret method to "compel" domestic targets to do the "SIGINT-enabling" of their networks. It might have been just fines and jail threats under the secret court (FISC). On top of that, the Patriot Act let them hold people indefinitely, they were kidnapping folks at airports for "extraordinary rendition" (torture), and there's the old civil forfeiture laws on top. That's the extreme stuff.

Less extreme, Lavabit was hit in court. Lavabit said giving their private key to the government would expose all their users' data. They said it would be bad for their business. The FBI countered that there would be no damage if nobody knew they did that. So, they just wouldn't tell anyone what the judge had ordered. Judge went along with that idea. So, that's how legislation and liability in the U.S. works. Especially when there's secrecy orders.

Pro tip: don't host anything that's supposed to be private in the U.S.. It's a surveillance/police state slash plutocracy disguised as a democracy. Anything that might be private can be ordered to not be private secretly with immunity.

Oh come on now. The US Government forces tech companies to share information all the time.


They certainly can, and will, go after any company they want to, without referencing any specific US legislation.

ISPs and VPNs have different laws then, for example, email providers. Further, Yahoo Mail, would be storing data (thus "voluntary" logging, or in their case, there's few ways around it to deliver their services in any kind of usable way).

I repeat, after having evaluated this quite deeply, that there are no mandatory data retention laws in the US, period, for ISPs and VPNs. This is contrast to quite a few jurisdictions, and the poor actions taken by ISPs and VPNs in said areas seem to speak louder than words.

That being said, I can relate to the author. Trusting a random service without any reason to trust is definitely blind. However, trust can be earned, over time, and validated, but should never be absolute. Trust is earned, daily, forever.

That being said, at the end of the day, the best bet is to remove trust from the equation - to get closer to a zero knowledge state, thus creating zero trust.

We're working toward that, every single day, and I would love to hear from anyone that's interested in helping or has thoughts.

You're saying that organizations can avoid being subject to providing data if their service does not store the data. But I am not convinced. If the NSA or whatever 3 letter agency demanded the data be made available in a secret court, the company would have no choice but to comply.

They could require this in several ways. They could store the data directly on government servers, or set up a third party server and store the data on there, where both parties could access it. Either way, there is no technical reason the data can NOT be collected, so if the big boys want it, they will get it.

The demands mentioned in your link did reference specific US legislation: FISA section 702.

Before all this information got leaked, nobody knew about FISA section 702, nor had any idea how it was being interpreted and acted on by government agencies. I think it's quite clear that the secret courts in the US put huge demands on organizations to share and collect data on government behalf. Even worse, the organizations can not even publicly disclose information from the proceedings.

Until I see something to convince me otherwise, I assume any sizable organization that is operating within the United States shares any/all data requested. No loophole will protect them. If they don't collect the data, guess what, time to start collecting.

US companies perhaps. That's why so many recommend non-US VPN services

Perhaps not (I’m not certain about the issue), but they can be forced to hand over their private keys to let the NSA [ed: or other agency] do the logging for them – as happened with Lavabit.


Good catch, although... I looked it up, and apparently in Lavabit’s case the demand (under the Stored Communication Act) was actually issued by the FBI?

The FBI is part of the DOJ. :)

So how would the US government force Insorg, which is Russian, to log?

which is Russian

That's a bit like moving from Phoenix to Pyongyang to escape the unconscionable oppression of your local HOA.

Yeah, but why would Russia care about me?

Because if you are going to carry out a propaganda campaign to destabilize or realign <non-Russian country>, then being able to identify them interests and vulnerabilities of each particular propaganda target is useful. Modern international propaganda includes what is exactly, or is equivalent to, targeted advertising, and everything useful to such advertising is useful to nation-state propagandists.

We've actually seen this in action throughout the West, including but not limited to the US, recently, so it's not merely a theoretical concern. We are no longer in a world where you need to be personally important to be a target of foreign nation-state information gathering and targeting, because the same factors that make that scale for private actors and your home government make it scale for foreign governments that may potentially be opposed to or wish to influence your home government.

Clarification: The point is to use nested VPN chains, alternating between jurisdictions that don't readily cooperate. And ideally, are virtually at war. Interleaved with ~neutral jurisdictions, to reduce oversight.

See https://news.ycombinator.com/item?id=19609067

Why would the US care about you? And that's on top of the fact that the policy and regulatory regime in Russia has (over some years and quite openly) moved towards essentially full legal interception capability of everyone's internet comms. Roskomnadzor is out there actually doing the stuff the imaginary messageboard NSA does.

What mostly matters is that the US and Russia aren't exactly on speaking terms.

Does this one end with you saying 'The Aristocrats!' because I really don't follow at all.

The Aristocrats? Lost me there, and I refuse to search.

It's really very simple. The VM host that I'm using connects to a mainstream VPN service, which is quite popular for torrenting and such, using a server in the EU. Through that VPN tunnel, I connect with a different VPN service, which operates in someplace like Russia.

Then, through that tunnel, I connect with a third VPN service, which operates in some ~neutral country. And so on, until I'm satisfied, or the latency blows up. I'm happy with 0.5-1 second, for whatever that's worth.

After the third VPN or so, I typically connect with the Tor network. And if I'm really feeling paranoid, I add some hidden service VPS proxies, just for fun.[0] Or a homage to Kevin Mitnick,if you like.

0) https://www.ivpn.net/privacy-guides/onion-ssh-hosts-for-logi...

Why do you go through this amount of work for preserving your privacy? Honest question out of curiosity.

>They can be forced to log

Not if they aren't in US, hence why so many people choose non-US VPNs

> You can't provide what you don't have, and lying to the feds is a fast track to PMITA prison

White collar criminals typically go to Club Fed, though.

What about European based/GDPR compliant VPNs? Wouldn't they require to truthfully disclose if and what they log?

Not really. The GDPR is overridden by various laws relating to national security, terrorism laws, and whatnot. It does not prevent or forbid EU nations from collecting intelligence on their citizens.

It does prevent unlawful access and unlimited data collection by corporate entities. (Including fruit of poisonous tree doctrine.)

What the ISP doesn't collect or process, cannot be had as historical data for court cases for example. Albeit the GDPR exemption is pretty open for "required to provide service" data processing.

Wiretapping is a separate matter.

Most importantly, any third party data processing and sale has to be clearly outlined including purpose.

But it prevents adtech to collect info.

For what it's worth, Poland is surprisingly good about this:

- as an ISP, you're required to retain data for a year that would let LEAs map an IP address you manage to a subscriber. If you're giving out public IP addresses to your customers, this can be just an excerpt from your IPAM.

- as an ISP, you cannot give out this data without a court order, and you will be in violation of data protection laws if you do do.

Source: the Warsaw Hackerspace is an ISP.

The articles like this are disastrous. So many people are using VPN to bypass government restrictions, protect themselves from ISPs, which are no longer run by idealists dreaming about uncensored access to information, but by managers, that will share your information with any agency the minute request shows up in their inbox. And these people don't always have good knowledge of how security works, and who this article can greatly mislead.

I subscribed to a small VPN service 5 years ago for one reason: I needed static IP address for work, but my ISP at the time wasn't selling them to private individuals (freelance).

And I couldn't be happier! Wherever I go I don't have any issues with access to my resources or worries that local government will fine me for watching porn (check out UAE or Saudi laws).

Hell, even Skype is blocked by a lot of telecoms around the world since you don't pay roaming fees when calling through it. How ridiculous is that? On VPN it worked everytime.

HTTPS is great, but it is by no means private enough. ISP knows which service you are requesting, they can do SSL inspection and all kind of shady bullshit without your consent. With VPN they only see that I talk to 1 IP address somewhere in Netherlands and that is it!

I think the thing that the article is trying to communicate is that people misrepresent whom a VPN protects you from, and how. It protects you in many ways from your ISP and your government. It does not really protect you from Facebook or Google.

a) The unproven assumption you are making is that VPN providers are run by idealists, not by managers. There is no indication for this. b) The article outlines that using a VPN to bypass national censoring measures is perfectly valid. c) Your argument about the ISP knowing everything vs. the VPN provider knowing everything is exactly what the article is about. There is no indication to trust a VPN provider more than your ISP, for a number of reasons.

> a) The unproven assumption you are making is that VPN providers are run by idealists, not by managers. There is no indication for this.

Maybe you misread? I think he was saying the reverse.

It seems that the author's target audience is highly non-technical readers. I'm not sure if the article does more harm than good by just citing existing technologies that aren't used by privacy-minded power users without pointing towards proven solutions as well, even if they may require effort to implement. All is not lost.

The article touches on the OpenVPN protocol, "commercial" VPN providers (ExpressVPN in the screencap), but just glosses over the availability of better protocols, good providers, useful browser extensions, and democratized DNS encryption.

A combination of a WireGuard VPN provider (Mullvad comes to mind), using only the Firefox browser with a few extensions (such as Multi-Account Containers, HTTPS Everywhere, Privacy Badger, Decentraleyes, etc.), and using DNS over HTTPS (can be enabled in FF as well) will solve most of the problems the article posits. Running AdGuard as a local DNS server with upstream DoH is also something relatively easy to do.

Sure, overall security posture calls for a bit more but a good [VPN + DoH + FF + AdBlocking] setup should be the norm and not the exception; and will definitely pay off dividends rather than just letting a green padlock give users peace of mind.

I'll actually write a how-to on this, since I don't want to seem like I'm just mentioning a solution without actually providing the steps to get there.

I'd very much appreciate the write-up... I've not been able to find a very coherent (and current) best-practice document. Where can we find it when it's up?

> Just like you have to trust your ISP that they do not collect data, you have to trust that your VPN provider is not storing the same data.

Bull. Shit.

Find me a major ISP that publicly claims they don't log any data.

Anyone making a claim remotely similar to those made in https://torrentfreak.com/which-vpn-services-keep-you-anonymo...

If it was the norm for ISPs to claim this, maybe this argument would work. For now, we have many documented cases of ISPs selling your information, and they don't even try to claim that they don't keep logs, while many major VPN services (see link above) explicitly claim to never store logs.

We also have multiple documented cases of "no-log VPNs" submitting their logs to law enforcement. I even linked to one case in my post. What's your point here, exactly? Because my point was you have to trust either party.

Oh, and btw, here in Europe, it is actually illegal for ISPs to give connection data away for non-law-enforcement purposes. It's sad that there are some US-American ISPs that have a record of selling some information, but the world does not evolve around the USA.

Which case are you talking about? You have no links in the "no-log" section.

Other fatal flaws in that section, fwiw

>Starting with the obvious, if you pay for a VPN service, they have to keep your user account and associated payment information and your payment history. So, unless you are using a fake identity and an anonymous credit card (is that even possible these days?), your VPN account will be linked to your actual identity.

Plenty of VPNs accept bitcoin, and prepaid anonymous debit cards are widely available.

>Most VPNs limit the number of devices that can be connected at the same time. For that to work, well, they have to store a piece of information stating which device is connected, and what VPN account it is associated with. They have to associate your VPN session with your VPN account, as counting the number of sessions per account would be impossible otherwise.

This is addressed in the link above. Besides, it's possible to limit simultaneous connections without storing anything to disk.

>What's your point here, exactly? Because my point was you have to trust either party.

The difference is that no major ISPs are claiming not to log.

Bitcoin has very little anonymity as well BTW. Probably less than credit cards.

Sure. And that's why people who want anonymous Bitcoin use mixing services. Such as Bitcoin Fog:[0]

> In December 2013 the site was used to launder a part of the 96,000 BTC from the robbery of Sheep Marketplace.

> In February 2015, a total of 7,170 bitcoin was stolen from the Chinese exchange Bter.com and traced back to cryptocurrency-tumblers like Bitcoin Fog.

0) https://en.wikipedia.org/wiki/Bitcoin_Fog

Many VPN services also accept cash.

> We also have multiple documented cases of "no-log VPNs" submitting their logs to law enforcement.

That's true. And so some of us go out of our way to name names. For example:

EarthVPN - user compromised by datacenter logs

HMA - retained logs, and provided them under UK court order

Proxy.sh - outed someone voluntarily, because they didn't like something he did

PureVPN - retained logs, and shared them with investigators

> Because my point was you have to trust either party.

That's true. Except when it isn't. If you use nested VPN chains, you don't need to trust any of the individual VPNs. It's not as anonymous as Tor, because it's static, and far less complicated to compromise. But it's at least 10x faster. And you can hit Tor through them, which protects you from evil entry guards.

That claim doesn't mean that ISPs do not collect data. It means that your VPN providers must be blindly trusted, like ISPs. IIRC when the UK introduced a law asking all ISPs to keep all user activities in logs, at least some of them complained that the costs were too high to put it in practice. Make of that what you want. Trust or not trust?

I... find it really unlikely that any no-log VPN companies exist for any significant period of time without logging.

I don't just mean law enforcement, though that's probably a problem too, (though I have less experience with that one) I'm also talking about the normal abuse an ISP gets. Spammers, etc... From experience, your upstream will shut you down if your customers aren't well behaved.

They all have anti-abuse mechanisms, but that doesn't mean logging.

Why couldn't you have a flagging system in real-time that shuts down accounts but doesn't save the data to disk?

>Why couldn't you have a flagging system in real-time that shuts down accounts but doesn't save the data to disk?

That's what I described with the deep packet inspection. You could hook up an IDS and block users based on the IDS output, but like I said, the sort of people who like no log VPNs will not like that. At one point I set that up at my VPS company a long time ago, (of course, I was very up front about it and told my customers, and I was surprised that customers were really, really angry about it, so I took it down within a day or two. Sorry guys, I mean, I should have stuck with the traditional route of only examining packet headers.)

If you act in the usual way for an ISP and only examine packet headers, then you will need to react to complaints about your users. Those complaints can roll in up to a week after the abuse happened.

I could believe a VPN service that said it kept logs for a week. That seems possible. (of course, there's still the legal issues, but I personally haven't seen those, while I have been almost disconnected by my upstream for customer abuse before)

It gets worse, too, if I use shared IP addresses. So, the way my VPS company was setup, everyone had a static IP. And that was really pretty easy; an abuse report comes in saying that a certain IP did something at a certain time. As all my customers had their own IPs, all I had to do was make sure the IP hadn't been moved to a different customer recently, and I knew who to go after. Aside from that ill considered day-long experiment with the IDS, I didn't do any network logging at all outside of total packet/byte counts (outside of troubleshooting) because I didn't really have to in order to go after abuse. I knew what IP was owned by who.

But, in a shared-IP system? this is way worse. All your users are behind a NAT, right? so you get that same abuse complaint a few days after a thing happened saying that IP X did this thing at time Y to target IP Z. Well, all your customers are coming out of IP X, so that doesn't help you. In a NAT system, to manage abuse complaints without deep packet inspection, you need to log the headers from every connection. User X connected to IP Y on port Z, etc... It's the only way to trace back the abuse to the customer.

(Things get dramatically easier if every customer has it's own IP; then you just need to record who had what IP when. I don't know how many "no log" VPNs use NAT vs giving each active user their own IP. Of course, things get even easier with IPv6)

>PIA absolutely does not keep any logs, of any kind, period. While this does make things harder in some cases, specifically dealing with outbound mail, advanced techniques to handle abuse issues, and things of that nature, this provides a high level of security and privacy to all of our users. Logs are never written to the hard-drives of any of our machines and are specifically written to the null device, which simply acts if the data never existed.

From https://www.privateinternetaccess.com/helpdesk/kb/articles/d...

They don't say they aren't using deep packet inspection, and it acknowledges that makes it more difficult to handle abuse.

I use VPNs for one main reason: so that my ISP does not build a complete profile of me based on the sites I'm visiting. This can be mitigated to a certain extent by using a VPN. I do not expect to become anonymous or invisible on the internet all of a sudden, I just do not want the guy listening next to my front door to know everything about me.

In the US, where personal data is a free-for-all and everybody and their dog sells data about me to everyone else, this is important.

I agree with the author that VPNs should not be advertised as a complete security and privacy solution, but I disagree with his statement that they can actually do more harm than good.

But all you've done is kick the can down the road, so now your VPN service can build a profile on you instead.

Then use different VPNs for different types activities, combine it with TOR if necessary. It's not like it's a free lunch.

The ISP can easily build a reasonably reliable profile based just on packet size and timing. TLS and most VPNs do nothing to these.

If they actually wanted to. You could sure them under wiretapping laws if they did.

If you cannot trust your ISP, you cannot really have any privacy without truly extensive measures. Not even Tor is enough, it does not pad and change timing enough.

The real problem is cookies, requirement for email backed login and phone home downloads. (E.g. images such as social buttons, JavaScript. They can also leak cookies or make them live longer.)

The last one is combatted to an extent by mix networks like Tor, or better yet, by aggressively caching and/or predownloading.

> You could sure them under wiretapping laws of they did.

I assume you meant "sue", but, no, that's not actually a guarantee, because companies can require that you "voluntarily" agree to mandatory arbitration in order to get any service at all.

Those clauses are illegal, much like indemnification by you of a big ISP. Even clauses of choice of law are very suspect.

Relying on such a clause to attempt to prevent a civil suit is stupidity, if only because people are not properly informed of what the clause meant, making it void. (I could quote a few cases. But I am not a lawyer. Microsoft and EULA comes to mind.)

And by EU law, they are completely null and void by just being illegal.

That said, most of those suits do not reach court by means of settlement, not arbitration.

> Those clauses are illegal

Not in the US!


> If they actually wanted to. You could sure them under wiretapping laws if they did.

Could you? I was under the impression that (in the US) the main difference between a phone line and an Internet connection is that former is legally protected against wiretapping and the latter not so much.

> You could sure them under wiretapping laws of they did.

Has this ever worked though? Cursory searching, I don't see or know of any examples of lawsuits that have actually succeeded on this front. And it's not like ISPs have never given consumers an opportunity before.[0]

[0]: https://www.cnet.com/news/verizon-draws-fire-for-monitoring-...

The cases are almost always settled for reasons I outlined in response to another thread. (mostly related to peering and PR damage, that can kill an ISP)

The app is a tiny blip on the radar waiting for careless. (Read the darn contact, especially if you get a discount.)

You're not exactly boosting my confidence here.

The easy sniff-test for whether or not existing laws are enough to dissuade an ISP from building user profiles is to check to see if it was enough in the past to stop them from doing so.

Do we have any cases of where an ISP broke wiretapping laws and was punished severely enough in a settlement or trial that it either killed the ISP or forced them to restructure or rebrand?

If ISPs can pull off highly profitable abuses and get away with it by just settling when they're called out, that's no guarantee that they aren't going to do the same thing in the future. Verizon bragged that they broke wiretapping laws in 2012. How are they doing now? Still struggling to recover from that, I would expect?

Certainly not selling real-time location data to bounty hunters.

Identifying based on traffic analysis is easily feasible if they collude with advertisers, since they can then correlate traffic by timing. ("Which ISP can sell us subscriber data with TLS traffic to our our ad at the same times that the ad was served with this visitor-id?")

If you use Chrome browser or Android phone then Google is already able to build a profile on you. They have multiple ways to ID every session and individual browsing tab to link them back to your profile. VPN is completely irrelevant in their game.

If Google has my data, does that mean I should also give it to Comcast?

This kind of argument comes up a lot, and I really don't understand it, at all. Privacy is a process, it's something you improve over time. The alternative is completely circular.

I shouldn't care about switching to Firefox, because my ISP is already getting all this data anyway, and I shouldn't care about using a VPN because Google is getting all of this data anyway...

If you want to go from no privacy to decent privacy, it is inevitable that there is going to be a period where you are only plugging some of the holes.

My point is if you are trying to prevent someone to build a profile on you entirely then VPN is useless.

For majority of the public who use a VPN provider, they are essentially shifting all the risks of their personal privacy from a highly regulated industry (ISP) to one that is much less regulated (VPN providers). This is a bit similar to all the ICO scams associated with an unregulated cryptocurrency industry. ISP at least will not sell your data to questionable buyers, but there's no law in preventing a VPN provider not to do so.

If you truly believe VPN providers can survive giving you unlimited bandwidth worldwide for only a few bucks a month, without relying on other sources of revenue, then I have a bridge to sell you.

Most of them don't operate with transparency, not being audited nor being accountable or required by regulation to keep your data safe but yeah let's trust them instead!

> ISP at least will not sell your data to questionable buyers


ISP regulation in the US has completely failed to prevent abuses. I'm not here to argue that you should blindly grab a 4-5$ a month VPN, but absent a technological solution like Tor, this is better than nothing.

But if you really think your ISP is more trustworthy than PIA, set up your own VPN on a Linode server and use that instead. At least then you won't have to trust your university/hotel/business Internet to be configured correctly, and at least then you won't be handing your zip code to every single site you visit.

Even a self-controlled VPN is a strict privacy/security upgrade over connecting your laptop unprotected to a hotel's wifi.

> if you are trying to prevent someone to build a profile on you entirely

If you are trying to prevent someone from building a profile on you entirely, then you are going to need to do a lot more than use a VPN. But that's in addition, not instead. You have to start somewhere.

The only effective way, that I know of, to prevent someone to build a profile on you is by throwing a lot of useless data to confuse them. Blocking their access is not effective because they have multiple ways to get to you, especially when you're just part of a bigger target market. These conventional methods like VPN are simply too easy for them with million of other people also using it.

If you're constantly throwing useless data at them, adding irrelevant URLs or browsing patterns to the data stream then their system will be confused and unable to paint an accurate picture of your profile.

This is borrowed from a similar strategy used by professionals who have gone off-grid and wanted to avoid being tracked. They would pay multiple other people to use their credit/debit cards at various different locations around the world so the system tracking them would be confused and could not pin point their exact current location.

> For majority of the public who use a VPN provider, they are essentially shifting all the risks of their personal privacy from a highly regulated industry (ISP) to one that is much less regulated (VPN providers).

But I don't like the logs that my ISP is _required_ to keep, an and the organisations that have access to them as a result. A VPN removes that.

> but there's no law in preventing a VPN provider not to do so


(for a UK perspective)

While there is plenty of nuance that VPN advertisements gloss over, this article is also simply verbose FUD. It shamelessly does the same exact thing that VPN ads do - attempt to replace one uninformed default option with another.

> The reality here is that your IP address is only a tiny piece of your trackable profile

Yes, a tiny piece you can never shake off besides with a tunnel ("VPN"). On this front, OP is effectively making the argument that surveillance by IP address is simply never done, even if all the other tracking signals are removed. This is doubtful.

> the location of a piece of large network equipment of your ISP, and not your location

Yeah which is still pretty damn indicative of my location, despite the "streams coming together" narrative. One less signal available to the surveillance advertisers is a good thing. One more feeling of "otherness" to an ad you're being forced to see is a great thing.

> The only secured [encrypted] channel here is the route between your machine and the VPN server

Yes, simply hiding your traffic from your ISP is itself a huge win. They don't spend millions on DPI gear without clear ROI.

Given that a vibrant market for VPNs provides for copious tunnel endpoints, and that common people imperfectly using VPNs still frustrates bad actors like banks and geofencers, I'll forgive the messaging. They're certainly more legitimate than pharmaceutical or political ads.

They are some valid points in the post, but ISPs collect and will market your data, including browsing data. They recently changed positions and claim they won’t anymore, but there’s no reason to trust them and they’re still using your data for targeted ads meaning they still retain the data.


The point of the post isn't that you should trust your ISP.

Indeed. Instead it falsely implies that you don’t need to, by glossing over the limits of what HTTPS encrypts and what it doesn’t. And it encourages users to avoid VPNs, making them subject to data collection by their ISP whether they know it or not.

All I know is that since I got a VPN my ISP no longer sends me letters warning me that I have 7 more warnings until I'll be admonished for archiving movies.

Which VPN?

PIA. It's cheap and used to be fast but a lot of people have started using it so they are now having to raise price / regulate bandwidth. However, they let you log on 5 or 10 devices simultaneously on different servers all over the globe,

> Starting with the obvious, if you pay for a VPN service, they have to keep your user account and associated payment information and your payment history. So, unless you are using a fake identity and an anonymous credit card (is that even possible these days?), your VPN account will be linked to your actual identity.

Check out https://mullvad.net if you want a VPN that takes anonymity serious. They don't even have real accounts, you just pay (preferably via BTC or even cash via postal mail) towards an account number that is also used as an identifier to authenticate towards the service. While there is no 100% guarantee, I would trust their claim that they do not log.

The article seems to talk about all kinds of things VPNs are not about, and criticises them for those, and give a thin touch, if any, to the actual reasons VPNs are useful and why they were designed in the first place. Weird.

Very misleading, factually wrong post.

"Log in to your Facebook account. Connect VPN. Did Facebook forget who you are?" He forgot step to open new private window to clear login cookie.

VPN is a must for everybody in there days of data harvesting. We will be sorry tomorrow, seeing many new ways it can be used by global corporations and governments.

This seems to be the YouTube video in question if anyone was curious


>In most circumstances, VPNs do absolutely nothing to enhance your data security or privacy.

>Acting as they do, and promoting commercial VPN providers as a solution to potential issues does more harm than good.

I think this ignores the fact that some users have different threatmodels, sometimes the privacy threat model of a user does include their ISP for various reasons (think China).


Starting with the obvious, if you pay for a VPN service, they have to keep your user account and associated payment information and your payment history. So, unless you are using a fake identity and an anonymous credit card (is that even possible these days?), your VPN account will be linked to your actual identity.

Depends on the VPN, some VPN providers actually don't keep that kind of history or provide options to operate and pay an account anonymously.

As far as I know you can still get anonymous credit cards, and if not most VPNs accept mailed cash. I doubt that your VPN will try to collect DNA from all mailed in cash.

Some of them are valid concerns.

But the article should have touched on _how_ one would actually achieve the privacy levels that the VPNs claims to offer. For example, using TOR rather than a VPN is a much better guarantee of privacy against IP based tracking (and what the draw-backs of TOR is - such as accidental real-ip leaks via javascript).

A lot of users simply trust the marketing of VPN providers - because it's cheap, and it doesn't look like it'd do harm. Like how multi-vitamin pills are marketed as a cheap silver bullet for a complicated problem.

4K video: possible on VPN, impossible on TOR. Agree?

What you really want for privacy & anonymity are anonymizing proxies, which are not mutually inclusive with VPNs. Proxies work best at the app level, not network level. Proxies can also be located anywhere and hide your request origin, and your browser can even forward DNS requests through them. But to strip every inch of personal information out of HTTPS traffic you may need to accept a custom CA, which reduces your security. So use a VPN for security, and proxies for privacy & anonymity.

The real problem with VPNs is that they are sold as a full privacy and security solution to people who don't understand what's going on technically.

There are some legitimate reasons to use a VPN. Those are far fewer than the marketing claims of those companies. What I've seen over time:

* hide your IP from the service you're using (related to geoblocking)

* get around limitations of your ISP (blocked ports or throttling, torrenting)

* hide traffic/service you use from your ISP/government (China, UAE, Iran)

* get around bad routing of your ISP

A large number of free VPN users seem to be students, using them to get around their schools blocking access to Facebook etc.

I'm surprised he doesn't mention torrenting directly. I have no stats to back this up, but I would assume the vast majority of people who get VPNs do so for torrenting. I agree that the current advertising riding the wave of the facebook hate/privacy "awareness" is scummy, but nothing in the article seems to say VPNs aren't effective from hiding your TPB traffic from your ISP, which if I had to guess is the real most popular use-case.

These past few months I have noticed several popular posts dissuading people from using VPNs. What do these people have to gain from people _not_ using VPNs?

Author has a computer science understanding of VPNs but is breathtakingly ignorant as to the actual use cases of commercial VPNs. They're used for getting around geoocming and media throttling sure, but the biggest use is piracy.

Also, his disbelief of anonymous payment methods is incredibly stupid. I can walk into a store right now and get a prepaid visa using cash, no crypto currency shenanigans required.

> I can walk into a store right now and get a prepaid visa using cash

WalMart, Target, and many other large retailers retain photographic records of all purchasers. Many cases have been broken by police claiming to have found a match at a WalMart for the purchase of items committed in some crime.

So cash purchases of cards is not always a completely anonymous choice.

Got a source on that? - Would be surprised (and disappointed) if Target/Walmart keep pictures of non-authenticated customers linked to the invoice record. Have Google'd around but haven't found anything on that.

Sure, if you are doing illegal stuff very little of what you can find online will protect you. But if you are hiding from non-law enforcement it is easy to get pretty anonymous.

I guess since I have nothing to hide I have nothing to fear! Thanks friend! We are definitely not living in a surveillance state and we have nothing to worry about as long as we do our jobs cheerfully, obey authority, and conform. I love my life, my job, and my government. There is nothing to see here, everything is normative and fine.

Those engaging in crimes though, such as watching region locked content outside the region in violation of copyright law, rightly should fear. But that is OK since they are criminals subverting the establishment of course. Along with those such as gays in regions where being gay is illegal. Or apostates where apostasy and heresy are death penalty crimes. And numerous other examples of despicable criminal behavior in violation of local laws.

I'm not trying to imply this is ethically or morally right. I am trying to say that if you want to hide from the law using a VPN or anything that is easy to find on the internet is not going to help you and believing so is harmful in that you will choose a technology that you think helps you but does not and take too large risks.

Same here, friend :)

Well sure you can. But what about all those surveillance cameras? And the license plate cameras? Me, I wouldn't count on those giftcards.

if they don't accept bitcoins, then it's not anonymous.

Some also accept cash by snail mail.

Did the author ever claim that the other use cases were prominent uses? He spends the entire blog talking about encryption and anonymity which would be related to hiding piracy.

Personally, the only reason I use VPNs is for region-locked content. How are you sure this isn't a bigger use case than you think?

That's amazing that you can do that.

Anonymous credit cards are ruled out by law basically everywhere in the European Union. Assuming that I live in the US, and that everyone on this planets is doing so, is - as you call it - incredibly stupid.

The only way to get on a network is via an ISP or mobile provider and this step itself gives up your identity and credit card/financial details and your browsing history, location data and other metadata is available to any state entity and the private surveillance economy. If you use a VPN you paid for that is the same thing.

There is no way to get absolute privacy in this context for the average user. Journalists and activists should be aware there is no technology solution to protect them from spying by any sufficiently committed actor, with state actors all bets are off.

It's false self empowerment by some technical folks to presume there is a technical solution against state actors who are well staffed, have near endless resources and are working 24/7 to thwart any localized technical solutions.

If there is a way to get online truly anonymously ie public wifi points, mesh networks these will immediately be subverted by state actors with things like illegal porn, terrorism and made illegal or compromised and used as honey pots. There is no winning here.

Regarding "no logs", it is true that the VPN has to check if your account is valid, or maybe how many devices you can connect. But one thing is monitoring and another, different thing is to log that information.

Also, this doesn't mean that the traffic or destination addresses are also logged at the VPN (the most important data).

But, is also true that you'll never know.

Just a thought—Couldn’t there be a service In front of ~5-1,000 different vpn services that would locally (depending on your subscription level) send each request to a random list of vpn providers (like a random dns provider? Somewhat complicating/obscuring the issue that arises with centralizing your traffic to single endpoint?

It's called Tor. And you don't even need a subscription for that.

Although I’m familiar with Tor, my thinking was packaging that concept in a better way, similar to how vpn services market themselves.

You want to sell TOR? - please don't.

I thought with tor you still connect to a single gateway and all traffic is sent to that remote endpoint? Or is it done locally?

Tor, originally from "The Onion Router", works by routing your traffic through multiple Tor nodes. Like an onion, each node only peels off one layer and passes the packet on to whoever is addressed on that layer. Each node only knows the details about the next node. Eventually, the packet will hit an "Exit-Node", at which point it will be routed via the internet through the endpoint, but it's not a single route.

And while that does not change for every request (that would be highly unpractical), all Tor clients offer you a very quick "get a new route" with just one click.

Just to clarify, it's Tor clients that select which relays (entry guard, middle and exit) to use in circuits. Also, each relay in a circuit knows (or at least, could know, if it wanted to) both source and destination. But with three-relay circuits, no relay know both user identity and destination.

Also, by default, Tor changes circuits at 10-minute intervals.

If you hit an onion link, then that doesn’t even require an exit node.

Thanks for clarifying.

The main problem I have with all the VPN services I see springing up is that you’re basically paying to be man-in-the-middled.

I see people commenting ‘I use company X, they are great’ seemingly ignoring the fact that they have no real clue as to what Company X is actually doing.

It all comes down to this:

> With a VPN, all you end up doing is shifting the trust from one party to another. You are not gaining anything.

This is where a lot of people would disagree. A known, reputable, audited, privacy-focused vpn provider, for example, could be more trustworthy than an ISP.

Has anybody evaluated whole-network hardware filter+VPN solutions that filter cookies ( such as Winston https://winstonprivacy.com/ ) in the context of this article? I was planning on testing Winston at some point at my home, but Winston requires a separated modem and router as opposed to the combo box I have.

I think the declarations in the article do confuse the issue a bit - some of the benefits of a VPN such protecting against DNS logging are real but are probably not as useful to VPN marketing people as a "pitch", because they're a bit tougher to explain to laypersons.

I still have a few questions after reading that text:

1) I'm not entirely convinced on the IP address tracking thing yet. Sure, you probably sit behind a NAT device on your home internet connection. But what about mobile? Are cellular networks NATed? Also, do trackers really not use IP addresses for tracking? It seems like a stable identifier as long as the "victim" is not obscuring it and as long as you can somehow link it to the victim's next IP address (unless it's static).

2) How are DNS queries not sensitive information? They tell what services you use on the web. It's how you use the internet. I don't really want any untrusted party to see that.

VPNs still give you some protection especially for illegal activities.

I was recently a victim of a password cracking attempt from someone using a vpn. I tried reporting the incident by sending the logs to the vpn abuse email, and they ignored it. I looked into VPN company itself, and it was owned by some Russian in Panama. I tried emailing a lawyer there and he said that he couldn't help me because he did work for that person.

I have no doubt that most of the major vpn providers are similarly structured so that they can just ignore all complaints except from the largest corporations.

I got a question:

So lets say you visit a website p0rn.xxx without a VPN, but this target website indeed gets HTTPS version of encryption, in such case, does your ISP know which website u visit?

Another case, when you connect to a VPN, your ISP indeed know you connected to an IP right?

Any more similar cases to let me learn more about what data gets encrypted and whats not?

The reason people pay for these "VPN services" is trying to hide from the extortionists and even the law in some countries, when using BitTorrent to download the latest GoT episode?

All other problems aside, how successful defence against that is this? Article doesn't adress that as far as I could see.

VPNs can certainly be useful to hide your identity from a specific host and probably to hide your browsing habits from your ISP but does probably nothing against the Government (ie: if the NSA logs all packets worldwide, it should be trivial to connect the dots). But I prefer to use tor in my case.

The short story about the green padlock stating your connection is ‘secure’ is also not true. It depends on the encryption type they use. I don’t have time to go in detail, though for outdated browsers ssl 3.0 is still stated as green...

People advertise these because of the nice kickbacks. They make good money and spend all day on social media downvote the truth and promoting VPN's with the other paid affiliates pointing to random articles that cause fear.

I have kind of a lot of issues.

First, the downplaying of IP location lookups. If you do a lookup on my home IP address, it'll get you within 5 miles of my house. From there, the only other information you need is my name and potentially one or two more details like a birthday (easy, I use my real name online) and you can get access to my voting data -- and that'll give you an actual address, not just a zip code.

OP is correct that your IP address doesn't directly leak your home address, but in many cases it can be a pretty helpful clue. In a small town, a zip code and a name can be good enough on its own for a stalker to find someone even without voting data or public records to pull from.

OP is also correct in that there are plenty of other ways to get this data, but I fail to see how opening yet another trivial hole in my identity helps with that.

Second, the downplaying of encryption concerns. We've come a long way on SSL, but it's frankly irresponsible to say that users should just assume all of their browsing will automatically be covered, regardless of what the top sites are doing. I am primarily visiting tech sites nowadays and I still occasionally run into sites that aren't encrypted. And that's nothing to say to the fact that there are multiple ways of configuring SSL and not all of them are equally secure.

This is just in my browser, which punishes sites with insecure warnings if they're not encrypted. How many native apps are sending unencrypted data given that there's no punishment and that the user gets zero indication of the SSL status? We know from the IOT industry that a lot of these products and apps are regularly getting rushed out the door.

Of course, VPNs only encrypts the data between you and the provider. But we don't live in a world where people are primarily using desktop computers. Most users are going to be on tablets, phones, and laptops, and they travel. And no, public networks are not the only risks -- even if a network forces you to put in a password you still don't know how that network is configured, you still don't know what vulnerabilities exist on it.

If you don't know who set up the network, you should treat it as if any unencrypted data could be intercepted before it reaches the router. And you should be suspicious of the router/provider itself, particularly if it's wifi being offered by a store/hotel/airport, or other commercial entity.

And that leads to the final, big objection -- the idea that VPNs are harmful because all they do is shift the trust model. If you're in the US, unless you are very, very lucky, you can not trust your ISP. Shifting the trust model is not a fatal flaw, it is literally the entire point.

Yes, needing to trust someone is not ideal. But my VPN provider has more of an incentive to take care of my data than my ISP does. If you're using something like Proton or PIA, then I feel very confident saying that I trust both of them more than Verizon or Comcast.

So I agree that bulletproof claims that come from VPNs are often inaccurate. I agree that there are problems. I don't see this article as any less sensationalist and inaccurate than the provider claims though. VPNs are just a kind crappy solution we're stuck with, and absent everyone moving to Tor, I have yet to see anyone propose a better solution.

Why would everyone have to move to Tor? It already works, and the are good solutions for securely running it, like whonix. (Much better than just Tor browser alone, which is still necessary.)

Compare that to random commercial VPN app...

You may have misinterpreted what I meant by that, or maybe I didn't phrase it clearly.

I don't mean that Tor will work better if everyone uses it. Quite the opposite, it will slow down considerably.

I mean that anyone who isn't using Tor needs a different solution. We have two solutions being proposed to the problem of leaking IP addresses: VPNs and Tor. Unless our plan is to move literally everyone onto Tor, we need a non-Tor solution for the people we don't move over.

So if VPNs are basically no good for keeping yourself anonymous, how do you?

Or is the solution multifaceted and you should use a combo of VPN, don't logon to services connected to first party data etc.?

Yep. And use Tor instead.

I remember specifically the same video the author was talking about (http://youtu.be/1PGm8LslEb4), and I also cringed when Destin read the ad copy for ExpressVPN.

Commercial VPNs are the homeopathy of the Internet.

They're selling snake oil. For all but the most impossibly pathological customer scenario, nothing that a commercial VPN can give you will actually protect you in any meaningful way. But they can hurt you. Since there's no quality control of any sort, and since their customers are self-selecting for dangerous behavior, it's a horrible environment to go mixing your traffic into.

Each time a podcast praises the credibility of a VPN sponsor, it reduces the credibility of the very show in my mind.

What VPN provider would you guys recommend?

For several years, I've been recommending AirVPN, Insorg, IVPN, Mullvad and PIA. So at this point, I can say that they've all been around for several years, and I've heard nothing bad about them.

Ones I have heard bad things about are EarthVPN, HideMyAss, Proxy.sh and PureVPN. And although I've heard nothing bad about ExpressVPN or NordVPN, the fact that they've bribed so many review sites to recommend them annoys me.

And yes, I have written stuff for IVPN.

I signed up for ExpressVPN before visiting China due to all sites recommending this (I badly wanted Google maps and Google to work). ExpressVPN does not work in China so either something changed very recently or a lot of people have been bribed to lie.

I would not trust ExpressVPN anymore for anything.

ExpressVPN works well in China, although there was a week in March where it was very spotty. I'm using it right now.

I agree that it's annoying how many review sites are getting paid to recommend them, but the service actually has been good for the last year.

I've tested several VPNs here, including Mullvad and Nord. ExpressVPN has the fastest speeds by a quite a bit.

However, self-hosted is much faster still. Unfortunately, it's less reliable.

"Works in China" as an unqualified statement is useless, equally "ExpressVPN does not work in China."

Are you in Beijing or Shanghai? Are you on China Telecom or China Mobile? Are you using the Sweden 2 or the Hongkong 3 server? Every permutation of those variables can have a different answer, and that answer can change from day-to-day.

My experience is that in southern provinces and bigger cities it is _more likely_ to work at any given time. But things change.

> However, self-hosted is much faster still. Unfortunately, it's less reliable.

Using a CN2 VPS is definitely a :racecar: in my experience. I primarily use shadowsocks instead of a proper VPN because moving to a different port when the interference starts is usually sufficient.

I disagree that the statement is useless, but here's some more info for you. I use China Telecom and China Mobile. Haven't tried China Unicom.

ExpressVPN has a message on most of their apps saying to use Tokyo 1, HK 4 or 5, Los Angeles 5, or UK Wembley when in China. I have used all of those servers, although HK 4 and 5 are the fastest.

I've used Shadowsocks and ShadowsocksR for my VPS. Switching ports will work for a while, but I've always found the server will get blocked eventually, possibly due to "active probing" as defined in this paper[1].

This person[2] suggests hosting a website from your Shadowsocks server as a cover, but I haven't tried it yet.



wow man thanks. I'm reading your Privacy Guides and they're quite quality materials!

TOR browser, or TAILS in a vm are both far superior to a VPN if you actually care about privacy. It is less convenient than using a VPN though - so lots of people sacrifice privacy and money for convenience and the feeling of privacy.

I agree but your bandwidth will take a massive hit. I pay for my fiber so I can have fast internet, with TOR I would only be able to use a fraction of that.

You can e.g. use Tor for surfing and no proxy for YouTube and other places you need speed for.

Also interested in this! Also why VPN vs just setting up one yourself on digitalocean or something like that?

(The reason why I'm not with a VPN yet is because it would compromise my speed. Am I overestimating the impact?)

A VPN won't compromise your speed if you have powerful enough equipment on both ends to encrypt/decrypt at speed. Latency will take a hit though.

If you setup your own VPN on some leased VPS, then you're the only user. So there's zero help re anonymity. And re privacy and security, you need to trust the VPS provider.

No free lunch :(

But a VPS on DO, AWS or gcloud also has numerous services on the same physical machine. It's not like every request coming from that machine is from you or am I missing your point?

Sure. But each VPS has its own IP address. The VPS provider probably retains logs. And its ISP probably also retains logs. And everything involving that IP address is associated with you.

For incoming traffic yes, but outgoing traffic is heavily dependent on what you use. A lot of virtual spaces use the same outgoing IP

I don't recall seeing that. VPS got their own public IPs. Which would show up in ipchicken or whatever.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact