Don't Use VPN Services (gist.github.com)
408 points by ductionist on Oct 22, 2019 | hide | past | favorite | 257 comments

While it's true that your VPN provider _may_ be lying about their "no logging" policy, at a minimum, you get additional layers of protection. Your source IP is masked. A subpoena would be required to reveal your source IP, and perhaps your VPN provider is telling the truth about not keeping logs. If your VPN endpoint is in a different country than your network endpoint, then the legal obstacles get even higher.

Surely you shouldn't depend on that alone. Tor would be a wise additional layer of protection, if applicable. But to suggest that you get no privacy benefit at all from a VPN is like saying your host may be compromised, so you might as well use regular telnet rather than SSH.

Yeah, I hate extreme opinions that say not to do something just because it's not 100% effective. It's like saying don't bother using a lock because all locks can be picked and cut anyway.

I consulted to an organisation that spent multiple years refusing to allow any form of MFA.

Everyone agreed it was extremely important and some password protected data was very sensitive. But the conversation about authenticator apps always got bogged down with risks about malware on phones. I would get asked "will you stake your career on it never happening?" Of course not. Therefore "for security reasons" we never supported authenticator apps. Of course it was pointed out that people might lose hardware tokens, so they didn't happen either. Because mobile MFA isn't perfect, I had directives to stick with easily phished passwords for years.

> I would get asked "will you stake your career on it never happening?" Of course not.

"Let's make a bet over whether a customer reports an authenticator app gets hacked before a customer's account without an authenticator is broken into. If the authenticator app is hacked first, I'll resign. If an account with no 2FA is compromised, you resign."

This is probably just meant to be a joke, but I have been in that situation before and I don't think offering to gamble away your job would be an effective way to convince others to accept your advice on risk management. I still don't know how to effectively convince others to take on new risks in order to avoid bigger risks presented by the status quo. Given the additional risk that my risk assessment is deficient, doing nothing is usually the easier decision.

I still don't know how to effectively convince others to take on new risks in order to avoid bigger risks presented by the status quo.

I think you just need to be talking to someone who can understand the risks you convey, has the responsibility for both risks and the authority to effect the necessary change.

IME that's straightforward in most small companies and in large government departments it's rarely one person but multiple committees of people who you'd never be able to explain the risks to and who won't make a decision.

Feel my pain?!

It's meant to be talking trash online, so you're right to take it with a grain of salt.

But I'll stand behind the view that when ideas are being shot down with challenges like "would you stake your career on this" then a bull-headed approach is worth a try.

> I don't think offering to gamble away your job would be an effective way to convince others to accept your advice on risk management.

It won't persuade technically minded people, but it tells decision makers that you're confident, and offers them a measure of accountability.

> I would get asked "will you stake your career on it never happening?"

Was anyone being asked to stake their career on all the existing security practices? I've worked on a couple of projects with politics similar to what you described, yet they had encrypted (unsalted, decryptable) passwords in a database, and only about 3 tech people seemed to understand the implications of that.

Who was staking their career on that?

> Who was staking their career on that?

Potentially - everyone who worked there, including you. :/

That's implying there are consequences for dire mistakes, which I don't think has been demonstrated so far. In fact, I'd almost say there are barely any consequences at all.

That is exactly why I don't use a lock on my house. Obviously, I can't keep any stuff in my house - my belongings are strategically buried around the tri-state area, it takes me about three hours to dig up my clothes every morning - but the peace of mind is definitely worth it.

Sure, I went on holiday to Jacksonville - thought I would take in some culture - and the copper was stripped out of my house. But they can only rob you once ;) I go number two in a field a few miles out of town now...total peace of mind.

The author is a bit opinionated to say the least. He's also on a crusade against JSON web tokens and MongoDB.

[0] http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-fo...

[1] http://cryto.net/~joepie91/blog/2015/07/19/why-you-should-ne...

He's not wrong about either of those.

Hmm... so he's right on 1/3 issues.

JWT is fine when implemented properly for the types of use cases it was intended for. Which in 2019 is the vast majority of libraries available.

And, to be clear, using them for sessions is not one of those intended use cases, as joepie91 is arguing in that article. Using an actual server-side solution is easier and safer.

For posterity, here's the second part to his crusade: http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-fo...


Whats wrong with MongoDB?

Mongo is the wrong choice for a solid 75% of the places it's used. In the vast majority of cases, it was brought in to replace a relational db because developers thought it would be faster to not have a schema / constraints / relationships, etc. It usually lets you develop faster, at the cost of blowing up in your face a few months/years down the line, when you have to rebuild your app to use a real database because your devs remembered why relational dbs are useful in the first place.

Mongo is a document store, not a relational db. Mongo is a good choice if you're looking to replace ElasticSearch, not if you're looking to replace MySQL.

Nowadays not much, but it used to be overrated and had serious reliability problems.

Your startup probably doesn't need Big Data (TM). Just use a relational database like Postgres and learn a bit of SQL. IIRC, Postgres outperformed Mongo at JSON processing, which was supposed to be one of the stronger points of MongoDB.

Indeed. This fallacy has a name ("perfect solution") and seems more and more ubiquitous to me.


Simplest yet best analogy ever for this. Thanks for bringing some sense to this.

Don't use condoms: they can break!

Your reasoning assumes that a VPN couldn't hurt, but it can. If someone wants to track you and you don't have a VPN, they need to compromise your ISP. If you do have a VPN, they need to compromise your ISP or your VPN.

Am I not understanding your argument?

> they need to compromise your ISP or your VPN

Part of the point of a third-party VPN is that the ISP/router can't tell what you're doing -- you assume that they're untrustworthy. Compromising the ISP would be useless, unless your VPN is for some reason sharing the same info with your router, in which case... install a competent VPN client.

I don't see how you're adding an additional failure point, you're just moving the same failure point somewhere else.

Yes, once the VPN endpoint makes the request, an ISP can still intercept it. But this is one of the few cases where adding an additional network hop very likely does not matter at all for your privacy. Once your request is going over the open Internet there are already so many opportunities for people to spy on it. The benefit is in disassociating that request from you, not in hiding it once it goes public.

The confidentiality protection is not really absolute - the encrypted VPN traffic is susceptible to traffic analysis[1]. For example, your traffic pattern fingerprint could be correlated and matched to your online identity if your ISP and an ad network or another globally positioned middleman actor colluded on it.

[1] A term of art in intelligence & cryptanalysis, https://en.wikipedia.org/wiki/Traffic_analysis

Respectfully, unless your adversary is the NSA, and they are targeting you, your argument is full of shit.

Why do you think it would be unworkable for a corrupt ad network in cahoots with your corrupt ISP to correlate your web requests based on time, length and previously seen traffic from the VPN IP?

Because it is way too much effort with questionable return on investment.

I agree that the business case is not that obvious but converting a "can't be done" argument to a "not interesting enough" is already pretty significant. The amortized cost per user would be very low after all, assuming this was used for automated mass surveillance.

> [...] The amortized cost per user would be very low after all, assuming this was used for automated mass surveillance.

Honestly I think this is the total opposite case. "Full take" collection systems are notoriously money pits due to the nature (hence, full take). Targeted surveillance will ALWAYS be far more cost efficient than blanket mass surveillance.

This is much different from full take, as there is a well defined equation to be solved. There would be no need to store the traffic contents, just size+ timestamp + addrs, info that will compress very well.
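Added example (editor's, not from any commenter or from the linked article): a toy version of the correlation described above, run over constructed flow records. The ISP side sees only encrypted bursts from a subscriber IP to the VPN server; the ad network side sees plaintext requests arriving from the VPN exit IP tagged with a tracking id it already has. Matching on timestamp and size alone (plus an assumed constant tunnel overhead) is enough to vote each tracking id onto a subscriber. All addresses, sizes and the 60-byte overhead are constructed for the example.

```python
"""Timing/size correlation of ISP-side VPN flows with site-side requests.

Constructed data throughout; the point is that content is never needed,
only (timestamp, size, address) tuples from two vantage points.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class IspFlow:
    ts: float      # seconds, ISP clock
    src: str       # subscriber's home IP
    dst: str       # VPN server IP
    nbytes: int    # size of the encrypted burst


@dataclass(frozen=True)
class SiteHit:
    ts: float        # seconds, ad-network clock (assumed roughly synchronised)
    src: str         # VPN exit IP as seen by the site
    nbytes: int      # plaintext request size
    tracking_id: str # cookie / fingerprint id the ad network already holds


VPN_IP = "203.0.113.10"   # constructed: single-hop provider, ingress == egress
TUNNEL_OVERHEAD = 60      # assumed constant framing overhead per burst


def correlate(flows, hits, window=0.25, size_tolerance=40):
    """Return {tracking_id: (best_subscriber_ip, matched_hits, total_hits)}.

    A site hit votes for every subscriber whose flow to the VPN lands within
    `window` seconds and within `size_tolerance` bytes of hit size + overhead.
    Ambiguous hits spread votes; the majority still wins over a few requests.
    """
    by_second = {}
    for f in flows:
        if f.dst == VPN_IP:
            by_second.setdefault(int(f.ts), []).append(f)

    votes = {}
    totals = Counter()
    for h in hits:
        if h.src != VPN_IP:
            continue
        totals[h.tracking_id] += 1
        expected = h.nbytes + TUNNEL_OVERHEAD
        candidates = []
        for sec in (int(h.ts) - 1, int(h.ts), int(h.ts) + 1):
            candidates.extend(by_second.get(sec, []))
        for f in candidates:
            if abs(f.ts - h.ts) <= window and abs(f.nbytes - expected) <= size_tolerance:
                votes.setdefault(h.tracking_id, Counter())[f.src] += 1

    result = {}
    for tid, total in totals.items():
        c = votes.get(tid)
        if not c:
            result[tid] = (None, 0, total)
        else:
            ip, n = c.most_common(1)[0]
            result[tid] = (ip, n, total)
    return result


# Constructed sample: two subscribers browsing through the VPN plus one
# decoy flow that collides with subscriber A's last request.
FLOWS = [
    IspFlow(1.00, "198.51.100.7", VPN_IP, 1260),
    IspFlow(1.50, "198.51.100.11", VPN_IP, 560),
    IspFlow(2.00, "198.51.100.9", VPN_IP, 960),
    IspFlow(5.30, "198.51.100.7", VPN_IP, 860),
    IspFlow(6.00, "198.51.100.9", VPN_IP, 1160),
    IspFlow(9.10, "198.51.100.7", VPN_IP, 1560),
    IspFlow(9.12, "198.51.100.11", VPN_IP, 1560),  # collision: ambiguous vote
]
HITS = [
    SiteHit(1.03, VPN_IP, 1200, "adid-A"),
    SiteHit(2.04, VPN_IP, 900, "adid-B"),
    SiteHit(5.33, VPN_IP, 800, "adid-A"),
    SiteHit(6.02, VPN_IP, 1100, "adid-B"),
    SiteHit(9.13, VPN_IP, 1500, "adid-A"),
]

if __name__ == "__main__":
    for tid, (ip, n, total) in correlate(FLOWS, HITS).items():
        print(f"{tid}: {ip} ({n}/{total} requests matched)")
```

Storage per record is a few bytes of timestamp, size and address, which is why this is cheap compared with full-take capture; padding and traffic shaping on the tunnel, or mixing through multiple hops, are what break the size/timing signal.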

Can't it be automated?

No, they need to compromise your ISP and your VPN -- that's the whole value. With a VPN, your ISP doesn't see your traffic anymore, they just see you connecting to your VPN provider. Meanwhile your VPN provider can see the site you're connecting to, but they can't tell who you are, just "someone is ISP X's IP range".

>A subpoena would be required to reveal your source IP, and perhaps your VPN provider is telling the truth about not keeping logs.

Not to mention the legal trouble for an LEO to be granted a subpoena in a different country. By the obstacle of "a different legal system protects this part of my data chain" alone a VPN is worth it.

Say you use a Russian VPN provider. Sure, they can see that you're connecting to whatever site, but the actual data is protected end-to-end by TLS (hopefully). Meanwhile your local ISP can see you're connecting to something in Russia, full stop. For someone to track you down, they'd have to get the compliance of both your ISP and your Russian friends... AFAIK, there are exactly zero cases on record where this has been successfully done.

This. If we always assume the worst, we may as well stop using passwords or strong ones anyway, because we can assume that our machines by definition are hacked and local network infiltrated. Not happening, right? That’s what I thought...

If you were running a VPN service would you rather: a. Pay for legal counsel and fight court orders for someone paying $10/mo or b. Just give up all info?

For someone paying $10/mo? No. For the trust of my thousands of customers paying $10/mo and to keep my public reputation afloat? Hell yes. A VPN service that hands over customer information constantly will very quickly go out of business.

As mentioned in the article, HideMyAss gave up customer info in 2012 and is still in business today.

Exactly, PIA did that twice and I know quite a few people who use them because they've proven they don't keep logs in court.

How would anyone know?

> A subpoena would be required to reveal your source IP, and perhaps your VPN provider is telling the truth about not keeping logs.

I doubt this is necessarily true in the US due to the 3rd party doctrine (which I abhor). I think they may refuse and request a subpoena, though. But, nothing stopping a company (generally) from handing over your data if asked for. Maybe T.O.S?

Well in America, we have National Security Letters, which are a legal cluster fuck on their own.

Yes, exactly! I use VPN exclusively for downloading movie torrents so I don't get nasty letters from my ISP. I have a friend who has gotten several such letters.

They _were_ also not disclosing that they were hacked last year.


Yes, people would rather give their entire packet to a hacker than five eyes, wouldn’t they?

NordVPN, according to this leak https://web.archive.org/web/20190603203749/https://ghostbin....

was logging client connections as recently as 2018 despite claiming they do not log https://nordvpn.com/features/strict-no-logs-policy/

see openssl/server.cfg; it should contain special lines to disable logging https://www.lowendtalk.com/discussion/107379/how-to-disable-...

But the article points out that your IP address is irrelevant in tracking these days.

It's not for legal repercussions, though. If you were engaging in file sharing, your IP is pretty much all that matters.

The article is just wrong the way it is. It would be correct if it was titled "Don't use VPN Services as your only means to ensure perfect privacy".

It's not. I know of several instances where IP is at least used as a filter. Esp. the combination of user agent and IP require no JS and can help you to track users across domains easily for small to medium sized websites.

Yes, if it is available it can be used.

The point of the assertion is that you can be tracked even if your IP address is obscured, mangled, or spindled.

"... because the provider can see all your traffic!"

However, if you don't use a VPN: Your ISPs (Broadband, coffee shop, whatever) can see all your traffic!

20 years ago I passed ALL my traffic on my laptop through a VPN, I just happened to run my own. But back then much less of the standard traffic was encrypted. Now, pretty much all web traffic is encrypted. So that makes the VPN less of a concern, IMHO. Depends on what you're doing though...

There was this one time I went to Defcon. Installed a scratch laptop for it. The firewall on it would only allow DHCP and OpenVPN on the physical interfaces.

Exactly - I trust my VPN provider not to use or abuse my traffic data (websites visited, DNS queries, etc) more than I trust my ISP (Comcast)

Comcast is a local monopoly in my area. As such, users have little recourse when Comcast abuses their power. I think given what we know about Comcast it is fair to assume that they would misuse all traffic on their network if it makes them more profitable. Their incentives are not aligned with their users. Why not save all your customers' web traffic and sell it to advertisers... Why spend any money securing all that data? What are our customers going to do? Go back to dial up?

VPN services have to compete with each other. Consumers can't really be sure their provider is doing the things they say they are, but at least their incentives are somewhat more in line with doing the right thing. I hope so anyway. Hopefully, VPN customers are a little more informed than the article suggests. I guess we will see how much NordVPN was punished in the market over the next few months.

That said, don't trust anyone on the internet - to the extent that you can - especially Comcast.

VPN companies are explicitly built on reputation for not doing that. ISPs don't give a damn about reputation and are usually a monopoly, or the other options are just as bad.

What reputation? Where is the dispensing of knowledge? And how do you know violations are even coming back to the surface? With the ease of starting a new service, and the typical anonymity of who is running it, I don’t believe one bit in being able to let the decentralized world determine who is trustworthy here. The space is full of shady operators.

We don't know that all violations are coming to the surface, but we can be pretty sure that if there are VPN honeypots then they are either obviously sketchy services or part of an expensive, sophisticated, secret and therefore targeted attack. Based on their website and other public information (like their WireGuard advocacy), I think Mullvad is more trustworthy than the average ISP, which in turn is probably more trustworthy than the average fly-by-night VPN operation.

Indeed. Someone, somewhere, can see your traffic. It's inevitable, the only thing you can do is making the dots as hard to connect back to you as possible.

I mention this every time this comes up but it's info worth spreading... "sshuttle", make any server into a VPN without VPN server-side software, this takes the pain out of doing your own VPN, gives you far more obscurity, lots of flexibility and in my experience it also performs much better - which I believe is due to the TCP deconstruct-reconstruct vs traditional VPN which does TCP over TCP. The only disadvantage is it's only for TCP (no UDP or multicast).

For routing all your internet it's as simple as this (on the client only, no server setup):

    sshuttle -r user@ 0/0
That's it... server requirements are met by almost anything, you don't need root access, but it does need python, which most distros have by default. Now you can use your own little obscure server. Yes, it's not invulnerable, a VPS provider can still look at you if they wish, but it's far less of a target than a purpose built consumer VPN provider.

It's also far more powerful for slicing up and mixing subnets or only routing specific targets ... for example unblock a specific site, but don't re-route other traffic:

    sshuttle -r user@ sci-hub.tw

Minor issue worth mentioning, not to disappoint people trying this out - it's currently necessary to use the -x option to exclude the server itself from being routed on Linux, I think this is due to a kernel bug? which is a little annoying, hoping this will go away eventually. This is not relevant to BSD or Mac, although on Mac you have other kernel bugs to worry about in XNUs network stack.

    sshuttle -r user@ -x 0/0

As "icelancer" has pointed out below, please note that using your own server ties your activity to your identity more definitively if you are the only one using the server and you pay for the server in your name. Not being a purpose built consumer VPN makes it a less likely target through significant obscurity, however in the event it IS targeted, its uniqueness will make it easier to associate activity with you via the VPS provider.

> This also ties your identity to a provider definitively. That's fine, as long as you tell people that's what is happening. A good consumer VPN that isn't a garbage one offers plausible deniability.

These days WireGuard is just as easy to set up, and has lots of benefits over sshuttle (it's UDP based, supports roaming a-la Mosh, has a much more solid cryptographic design, and so on).

From the WireGuard installation instructions:

"Generate a private and public key pair for the WireGuard server:"

"umask 077; wg genkey | tee privatekey | wg pubkey > publickey"

"This will save both the private and public keys to your home directory; they can be viewed with cat privatekey and cat publickey respectively."

"Create the file /etc/wireguard/wg0.conf and add the contents indicated below. You’ll need to enter your server’s private key in the PrivateKey field, and its IP addresses in the Address field."

That's not within reach of your average computer user.

It is just as easy as sshuttle to set up. I never said it was easy for an average computer user. Average computer users will probably buy some service which uses WireGuard under the hood.

> That's not within reach of your average computer user.

Same for sshuttle.

I don't think anyone is under the delusion that non-technical users are going to use sshuttle, but not everyone has the will to invest the time and effort doing server side configuration of a VPN client for their personal use. sshuttle makes it simple for anyone who is the least bit familiar with ssh and has some kind of server access or is happy to spin up a VPS quickly, nothing more is necessary.

There are plenty of scripts online that make it incredibly trivial to set up WireGuard (here's mine[1]). This isn't like configuring OpenVPN -- it actually only takes a minute or two to set up.

Given that WireGuard is headed for inclusion into Linux mainline soon, it probably would be a good idea for folks to take a few minutes to learn how to use a technology that is going to be part of core Linux.

[1]: https://github.com/cyphar/dotfiles/blob/master/.local/bin/wg...

Not fair, OpenVPN doesn't take that much more than a "minute or two" to set up and configure. ;) Last time I launched it[1], I could launch and connect to a new OpenVPN instance in less than six minutes, from my iPhone. Desktop is even faster.

[1]: https://github.com/jenh/sevenminutevpn

There are scripts to install OpenVPN in 5 minutes as well so WireGuard has absolutely no advantage there.

Well yes, but OpenVPN has many dozens of different options and my experience with it is that it's a pain in the ass to get the right set of options (on both the client and server) which result in minimal latency and maximum throughput.

But you're quite right that if you already have a config that you know works, WireGuard has no significant advantage in this area (in terms of ease-of-configuration -- though the keys being quite short is nice for SSH-like key distribution). But if you're starting from scratch then you need to first figure out what is the right configuration to use (or you need to pick from the many dozens of "set up OpenVPN quickly" scripts) and then you need to hope that your configuration is not insecure.

WireGuard can be set up and work just as well as any other configuration without a script in a couple of minutes (or less than a minute with a script). The script that was linked in a sister comment to "set up OpenVPN quickly" also sets up Apache for god's sake...

But sshuttle is so much simpler if you have ssh access to a remote server. Just a matter of installing it for your os.


You assume that the user has root access on the remote server, which is not true in many environments (esp. corporate jumpservers).

> has a much more solid cryptographic design

sshuttle uses ssh, which in turn is not wedded to any one cipher. How does WireGuard improve on this?

I'm not talking about the selection of ciphers (though WireGuard doesn't have cipher negotiation because it has shown to be a universally bad idea because of downgrade attacks -- instead it uses versions and requires strict upgrades to operate).

Among many other things, you cannot do a port scan for WireGuard servers. You can do a port scan for SSH. This is because the WireGuard handshake was designed such that there is no response to unauthenticated packets (the first packet is authenticated by the client knowing the server's public key -- something port scanners won't know).

Jason Donenfeld has a few talks[1] that explain why the cryptographic design is the way it is, and it has several very clear improvements over SSH (as a VPN protocol).

[1]: https://youtu.be/CejbCQ5wS7Q
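Added example (editor's, not code from the WireGuard project or from any commenter) of the property described above: the responder's first check on a handshake initiation is a keyed BLAKE2s tag, mac1, whose key is derived from the responder's own public key, so a scanner that doesn't know that key can't produce a packet the server will answer. The construction follows the whitepaper (mac1 = MAC(HASH("mac1----" || Spub), everything before mac1), 16-byte output); the ephemeral, encrypted-static and encrypted-timestamp fields are stood in by arbitrary bytes of the right length, and the mac2/cookie mechanism is omitted, since only the silent-drop behaviour is being shown.

```python
"""Why you can't port-scan for WireGuard: the mac1 gate on handshake initiations.

Simplified model of the responder's first check. Field contents other than
mac1 are placeholders of the correct size; no real key exchange happens here.
"""
import hashlib
import hmac
import os

LABEL_MAC1 = b"mac1----"      # label from the WireGuard whitepaper
INITIATION_LEN = 148          # 1+3+4+32+48+28 bytes of body, then mac1 (16) and mac2 (16)
MSG_INITIATION = 1


def mac1_key(responder_public_key: bytes) -> bytes:
    """HASH(Label-Mac1 || Spub): BLAKE2s-256 over the label and the responder's key."""
    return hashlib.blake2s(LABEL_MAC1 + responder_public_key).digest()


def compute_mac1(responder_public_key: bytes, msg_alpha: bytes) -> bytes:
    """MAC(key, msg_alpha): keyed BLAKE2s with a 16-byte output."""
    return hashlib.blake2s(msg_alpha, digest_size=16,
                           key=mac1_key(responder_public_key)).digest()


def build_initiation(responder_public_key: bytes, sender_index: int,
                     ephemeral_pub: bytes, enc_static: bytes, enc_timestamp: bytes) -> bytes:
    """Assemble an initiation as an initiator who knows the responder's public key."""
    assert len(ephemeral_pub) == 32 and len(enc_static) == 48 and len(enc_timestamp) == 28
    body = (bytes([MSG_INITIATION]) + b"\x00" * 3
            + sender_index.to_bytes(4, "little")
            + ephemeral_pub + enc_static + enc_timestamp)
    mac1 = compute_mac1(responder_public_key, body)
    mac2 = bytes(16)  # zero: no cookie in play when the server is not under load
    return body + mac1 + mac2


def responder_accepts(responder_public_key: bytes, packet: bytes) -> bool:
    """First thing the responder does. False means: drop silently, send nothing.

    Only after this passes would the expensive DH and static-key decryption run.
    """
    if len(packet) != INITIATION_LEN or packet[0] != MSG_INITIATION:
        return False
    body, mac1 = packet[:-32], packet[-32:-16]
    return hmac.compare_digest(mac1, compute_mac1(responder_public_key, body))


def scanner_probe() -> bytes:
    """What a port scanner can send: a well-formed initiation with no key knowledge."""
    return bytes([MSG_INITIATION]) + os.urandom(INITIATION_LEN - 1)


if __name__ == "__main__":
    spub = os.urandom(32)  # stands in for the responder's Curve25519 public key
    good = build_initiation(spub, 7, os.urandom(32), os.urandom(48), os.urandom(28))
    print("peer with Spub :", "reply" if responder_accepts(spub, good) else "silence")
    print("port scanner   :", "reply" if responder_accepts(spub, scanner_probe()) else "silence")
```

The same check also bounds the cost of unsolicited traffic: an attacker who can't compute mac1 can't make the server do any public-key work, which is the DoS angle mac2 and cookies then extend to peers who do know the key.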

ok, but if using ssh keys anyway there is basically no difference other than using rsa.

There is still a difference. Even if you use SSH for some things (which you could only expose through WireGuard instead of making it internet-accessible), WireGuard protects your VPN traffic in ways that SSH does not. WireGuard renegotiates the session key every 5 minutes (SSHv2 uses one ephemeral key for the entire session), it has identity hiding (you can't tell at any point the public keys of the server or client), it has pre-shared key support to limit post-quantum or ECDH attacks, and so on.

I really can't overstate how awesome WireGuard is. I really would suggest you take a look at it.

Agile cryptography is bad. Wireguard uses just solid, single, unconfigurable crypto.

Today it's solid. And tomorrow? The story for fixing it if it breaks is a flag day - works fine when you have ten users, not so much when it's ten million.

The "agility is bad" crew have a decade or two to wait before they can show anything at all meaningful beyond "my new thing is newer than your old thing".

That doesn't make them wrong, but it makes their position unproven in practice.

There is plenty of evidence that cipher agility weakens cryptographic protocols.

By having cipher agility, both clients and servers are incentivised to support the widest possible set of ciphers (because nobody can agree on what cipher to use). This means that it's hard for a known-bad cipher to stop being used (see: the entire history of RC4 usage in TLS) and any downgrade attacks become catastrophic (see: the entire history of SSL/TLS). It also ends up adding complexity to the protocol -- which is always a good thing to have in cryptographic protocols (see again: SSL/TLS)!

Most importantly, if all currently-known ciphers are broken tomorrow, then all servers and clients will have to be upgraded in order to be secure. So cipher agility doesn't help you with the doomsday scenario (everyone needs to upgrade anyway) instead it just ensures that older (completely insecure) clients will still be able to communicate with servers. Why is that seen as a feature? If you really want an insecure fallback mechanism you can implement it with non-agile systems by supporting the two most recent versions of the protocol (I expect this is what WireGuard will do once it's upstreamed). But not everyone wants the "feature" that some clients will silently become insecure.

I don't understand what you're saying with this point:

> The "agility is bad" crew have a decade or two to wait before they can show anything at all meaningful beyond "my new thing is newer than your old thing".

How can the "agility is bad crew" prove their point in a few decades if you're arguing that we shouldn't use such protocols? If they followed your advice, there wouldn't be any zero-agility protocols to compare against in a few decades...
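Added example (editor's, not from any commenter) modelling the two designs argued over above. The "agile" side is a toy suite negotiation in which an on-path attacker trims the client's offer and a server that still carries a legacy suite happily picks it; with the handshake transcript authenticated under the session key (as TLS does in its Finished messages) the mismatch is caught, and with the legacy suite actually removed there is nothing to fall back to. The "versioned" side pins one suite per protocol version and refuses mismatches outright. Suite names, strengths and the shared MAC key are constructed for the example.

```python
"""Cipher negotiation vs fixed-per-version suites: a downgrade in miniature."""
import hmac

# Constructed strength ranking; not real TLS suite identifiers.
SUITE_STRENGTH = {"AES256-GCM": 3, "AES128-CBC": 2, "RC4-MD5": 1}


def server_choose(offer, supported):
    """Server picks the strongest suite present in both lists."""
    common = [s for s in offer if s in supported]
    if not common:
        raise ConnectionError("no common cipher suite")
    return max(common, key=SUITE_STRENGTH.__getitem__)


def attacker_strip(offer, weakest_allowed="RC4-MD5"):
    """Active attacker rewrites the offer in flight, keeping only weak suites."""
    limit = SUITE_STRENGTH[weakest_allowed]
    return [s for s in offer if SUITE_STRENGTH[s] <= limit]


def transcript_mac(key, offer, chosen):
    """MAC over one side's view of the handshake (what it sent/received, what was chosen)."""
    return hmac.new(key, ("|".join(offer) + "->" + chosen).encode(), "sha256").digest()


def agile_handshake(client_offer, server_supported, wire=lambda o: o,
                    verify_transcript=False, shared_key=b"toy-session-key"):
    """Negotiate. `wire` models the network (identity or an attacker)."""
    received = wire(list(client_offer))
    chosen = server_choose(received, server_supported)
    if verify_transcript:
        # Each side MACs what *it* saw; the attacker altered only one view.
        client_view = transcript_mac(shared_key, client_offer, chosen)
        server_view = transcript_mac(shared_key, received, chosen)
        if not hmac.compare_digest(client_view, server_view):
            raise ConnectionError("downgrade detected: transcript mismatch")
    return chosen


# Non-agile design: each protocol version fixes the whole suite; nothing to negotiate.
VERSION_SUITE = {1: "ChaCha20-Poly1305"}  # constructed


def versioned_handshake(client_version, server_version):
    if client_version != server_version:
        raise ConnectionError("version mismatch: upgrade required, no fallback")
    return VERSION_SUITE[client_version]


def outcome(fn, *args, **kwargs):
    """Run a handshake and return the suite, or the failure reason as text."""
    try:
        return fn(*args, **kwargs)
    except ConnectionError as e:
        return f"refused: {e}"


OFFER = ["AES256-GCM", "AES128-CBC", "RC4-MD5"]   # client keeps RC4 "for compatibility"
LEGACY_SERVER = set(OFFER)                        # server never removed it either
CLEAN_SERVER = {"AES256-GCM", "AES128-CBC"}

if __name__ == "__main__":
    print("no attacker         :", outcome(agile_handshake, OFFER, LEGACY_SERVER))
    print("stripped, unchecked :", outcome(agile_handshake, OFFER, LEGACY_SERVER, wire=attacker_strip))
    print("stripped, checked   :", outcome(agile_handshake, OFFER, LEGACY_SERVER,
                                          wire=attacker_strip, verify_transcript=True))
    print("stripped, RC4 gone  :", outcome(agile_handshake, OFFER, CLEAN_SERVER, wire=attacker_strip))
    print("versioned, v1<->v1  :", outcome(versioned_handshake, 1, 1))
```

The unchecked run is the shape of the historical downgrades; the checked run is why a negotiated protocol has to authenticate its own handshake, and the "RC4 gone" run is the point both sides of the thread agree on: the weak suite only stops being reachable once someone actually deletes it.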

Your last point first: Am I arguing that "we shouldn't use such [explicitly never agile] protocols"? I don't see that.

I'm arguing that the case for them is weaker than is often put, but that's not the same as nobody should use them. If a flag day is fine for your use case there's very little reason not to choose this design approach, it is simpler and simpler is good. But you'll notice that the example cited (including by you) for why agility is bad is almost invariably TLS and clearly a flag day isn't practical for TLS because it's far too broadly used.

TLS illustrates my other main thrust of concern on "agility is bad". You describe RC4 as "known bad" and the downgrade attacks as "catastrophic" and this sort of apocalyptic thinking is very popular in the "agility is bad" crowd, but it doesn't truly reflect the ground reality for actual users which is that things went from "It's definitely fine" to "It's probably fine but to be sure we should upgrade". Grey areas are a real thing.

There were protocols that didn't exhibit any cipher agility before by the way. Lots of them. What happened was that they broke, and so agility was added to them retrospectively in new versions that fixed the brokenness. The arguably new thing in the latest round of "no agility" protocols is a supposed determination never to do this. To see how that works out, as I said, you'll have to wait a decade or two.

Okay so this is shockingly impressive.

For those of you who are thinking "eh, I like my `ssh -D8080 user@` solution", sshuttle has the following two advantages:

1. no need to configure your SOCKS proxy in your applications

2. it works even when dynamic forwarding is disabled on the host you're connecting to

How does this work for walled-garden mobile devices (ie, iOS)?

There's a reason VPN providers have exploded in popularity: mobile internet devices have been mainstream for 5-10 years and they are system-locked but you can install apps.

It doesn't. Instead, you install WireGuard for iOS for free and take a photo of the QR code supplied by your sysadmin, which just encodes a simple text configuration file with an ed25519 key. Then your sysadmin can route all your iOS traffic however they want, whether you are connected to the public internet by cellular or wifi.

BTW how do you make sshuttle autoreconnect?

There is a --daemon option but I do not know if it includes this behavior, maybe give it a go. I prefer to keep it in the foreground so I can kill it easily.

If you are using ssh keys you can at least use a bash while loop without incurring any password prompts:

    while ! sshuttle -r user@ 0/0; do sleep 1; done
_Hold_ ctrl-c to escape the loop

> make any server

Any server you have a login to, right? So in some respects wouldn't a commercial VPN be simpler?

Yes you must have a login... but setting up a VPS is literally a button click these days, it's not going to be much more complicated. No need to even log in to an interactive shell to configure anything (or at the most `adduser` if there are no default non roots), all you need is a user name and password, any of the generic VPS images will work, no configuration beyond an ssh user.

It's almost as simple, faster, and importantly, far more obscure... vs consumer VPNs which are almost honey pots.

It's also more powerful, you can selectively route things through different servers simultaneously.

This also ties your identity to a provider definitively. That's fine, as long as you tell people that's what is happening. A good consumer VPN that isn't a garbage one offers plausible deniability.

If you want to have any hope of anonymity when accessing the internet, use Tor. Don't use a single-hop proxy. Even if you assume that the VPN provider is trustworthy and won't roll over when they're handed an NSL (a questionable assumption), intelligence agencies can just as easily break into all the servers (owned by a single party) and log the traffic themselves. Personally, I would be surprised if they haven't already done this for some providers -- why wouldn't they?

Yes this is true, it really depends what you want from your VPN. For security and anti-censorship this works, among many other useful things that you can't do with a normal VPN - but if you are evading authorities or something then you cannot be personally associated with the server.

I suppose that negates my point about its obscurity, since you only care about that if you are evading prying eyes of some sort.

I've updated my original comment to include your point.

SSH is much slower than VPN, it can be an issue in some use cases.

Can you elaborate? I've found the opposite to be true, but then I am usually restricted by crappy ADSL bandwidth of 6mbit or less so I could be more sensitive to different aspects of "slow".

Note that sshuttle deconstructs the TCP packets before sending them over SSH which already uses TCP, it also performs differently to `ssh -D` and manages the buffer to prevent blocking behaviour over bandwidth limited connections:

              Sacrifice latency to improve bandwidth benchmarks. ssh uses  re‐
              ally  big  socket  buffers, which can overload the connection if
              you start doing large file transfers, thus making all your other
              sessions  inside  the  same tunnel go slowly. Normally, sshuttle
              tries to avoid this problem using a “fullness check” that allows
              only  a  certain  amount of outstanding data to be buffered at a
              time.  But on high-bandwidth links, this can leave a lot of your
              bandwidth  underutilized.   It  also makes sshuttle seem slow in
              bandwidth benchmarks (benchmarks rarely test ping latency, which
              is  what  sshuttle  is trying to control).  This option disables
              the latency control feature, maximizing bandwidth usage.  Use at
              your own risk.

I've tried to transfer ~2GB file over SSH tunnel and VPN (on the same host), it was 3-4 times faster over VPN.

This post makes good arguments, but there's a very real reason to use a VPN provider over your own server - plausible deniability. With a VPN your traffic is mixed in with many, many other users', whereas with your own server, any traffic coming from that IP can safely be presumed to be yours.

When the vpn company is subpoenaed because someone saw suspicious traffic coming out of their servers, regardless of the number of people, the logs and connections would point directly to you.

This only applies if their claim to keep no logs is false; some have demonstrated in court that their claim is true.

Well like others have said before, the company most likely won't go down in flames in order to protect you. Not all, but I assume the major providers will roll over.

I would never expect a company that did log to refuse to give those logs to a court. That would be corporate suicide and executives would end up in actual prisons. I also wouldn't expect a VPN provider to refuse a court ordered warrant to begin logging your particular traffic or something like that. So if a company has appeared in court and failed to produce any logs and the court has accepted that information as not existing, it's hard to get stronger verification than that. And that has occurred with at least a few VPN providers (while a few have provided logs to the courts, proving they log).

The better VPN providers will be set up in a way that makes it difficult to touch them in the first place, e.g. they operate from a jurisdiction that sets a high bar for forcing a company to provide customer information.

Is there a list of these somewhere that's maintained?

Thx. Maybe I missed it but I'm looking for a column: "Has proven in court they don't log."

Why not use Tor? Isn't its whole purpose to solve this problem in a trustworthy way?

I'm no expert on Tor but when I researched it years ago, it seemed like your privacy on tor was only as safe as the exit node you happen to go through. If you're in North Korea trying to get out and happen to go through an exit node run by the NK government, they could theoretically decrypt your traffic in some cases. If all the nodes you're going through are theirs, then they know exactly who you are even if they can't inspect the traffic.

Edit: I must stress I'm not an expert, and would love to hear if the above is wrong.

No, that's not entirely true. No single node in a Tor circuit knows both who the user is and what site they are going to. In order to compromise a user's anonymity, you need to do a traffic correlation attack (where you look at packets going through both the guard node and the exit node and match up the timing of packets). There are some protections against this attack in Tor (guard nodes are not changed often by clients, relays need to be running for a long time in order to be permitted to be guards, and there is some randomised traffic sent to the guard by the client) but it is definitely not a solved problem.

But of course, if you aren't using TLS then your traffic is not encrypted as it leaves the pipe. So obviously you should use TLS over Tor.
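The traffic correlation attack the comment above describes can be demonstrated on synthetic data. What follows is an added example, not part of the original comment and not Tor code: an observer holding packet timestamps from both sides of a set of circuits (client to guard, exit to destination) histograms each flow into fixed-width time bins and matches entry flows to exit flows by the best correlation over a range of candidate delays, since the circuit latency is unknown. All flows are generated here; the bin width, jitter and latency ranges are assumptions.

```python
"""Toy traffic correlation attack (added example, not the thread's or Tor's
own code). An adversary that can see packet timings at the guard side and at
the exit side tries to pair each entry flow with the exit flow whose timing
pattern matches best. Flows are synthetic: the exit copy of a flow is the
entry copy delayed by a per-circuit latency plus small jitter."""

import math
import random
from typing import Dict, List, Sequence, Tuple


def generate_flows(num_flows: int, seed: int = 7
                   ) -> Tuple[Dict[str, List[float]], Dict[str, List[float]], Dict[str, str]]:
    """Construct entry/exit timestamp sequences and the true entry->exit mapping.

    Exit flow ids are shuffled so the attacker has to recover the pairing.
    """
    rng = random.Random(seed)
    entry: Dict[str, List[float]] = {}
    exit_: Dict[str, List[float]] = {}
    truth: Dict[str, str] = {}
    exit_ids = [f"exit{i}" for i in range(num_flows)]
    rng.shuffle(exit_ids)
    for i in range(num_flows):
        t = 0.0
        ts: List[float] = []
        for _ in range(rng.randint(40, 80)):
            # bursty, per-packet gaps drawn from a mix of rates (assumed shape)
            t += rng.expovariate(1.0 / rng.choice([0.02, 0.1, 0.5]))
            ts.append(t)
        latency = rng.uniform(0.2, 0.6)          # fixed path delay for this circuit
        eid, xid = f"entry{i}", exit_ids[i]
        entry[eid] = ts
        exit_[xid] = [x + latency + rng.gauss(0.0, 0.01) for x in ts]
        truth[eid] = xid
    return entry, exit_, truth


def bin_counts(timestamps: Sequence[float], width: float, nbins: int) -> List[int]:
    """Histogram packet timestamps into fixed-width bins (packets per bin)."""
    counts = [0] * nbins
    for t in timestamps:
        b = int(t / width)
        if 0 <= b < nbins:
            counts[b] += 1
    return counts


def pearson(a: Sequence[float], b: Sequence[float]) -> float:
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = math.sqrt(sum((x - ma) ** 2 for x in a))
    vb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (va * vb) if va and vb else 0.0


def best_lag_correlation(entry_ts: Sequence[float], exit_ts: Sequence[float],
                         width: float = 0.05, max_lag_bins: int = 20,
                         nbins: int = 400) -> float:
    """Max correlation over candidate delays: the attacker does not know the
    circuit latency, so the exit histogram is slid back by 0..max_lag_bins."""
    e = bin_counts(entry_ts, width, nbins)
    x = bin_counts(exit_ts, width, nbins)
    best = -1.0
    for lag in range(max_lag_bins + 1):
        shifted = x[lag:] + [0] * lag
        best = max(best, pearson(e, shifted))
    return best


def correlate(entry: Dict[str, List[float]],
              exit_: Dict[str, List[float]]) -> Dict[str, str]:
    """Assign each entry flow the exit flow with the highest timing correlation."""
    mapping = {}
    for eid, ets in entry.items():
        scores = {xid: best_lag_correlation(ets, xts) for xid, xts in exit_.items()}
        mapping[eid] = max(scores, key=scores.get)
    return mapping


def accuracy(num_flows: int = 8, seed: int = 7) -> float:
    """Fraction of circuits whose entry and exit flows are paired correctly."""
    entry, exit_, truth = generate_flows(num_flows, seed)
    guess = correlate(entry, exit_)
    return sum(1 for k in truth if guess[k] == truth[k]) / num_flows


if __name__ == "__main__":
    print(f"paired {accuracy() * 100:.0f}% of circuits correctly from timing alone")
```

No content is decrypted anywhere in this model; pairing is recovered purely from when packets were sent. That is why the defences the comment lists (long-lived guards, padding traffic) target timing visibility rather than encryption, and why the attack remains a matter of what fraction of both ends an adversary can observe.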

This is more or less true. The vulnerability of Tor is certainly the exit point.

Incredibly difficult to pinpoint you as the responsible party - but that information could certainly be outputting virtually anywhere, depending on the exit node.

If you are living in a repressive regime with a lot of control over the internet backbone Tor won't protect you.

If you read the original paper the researchers spell out the weaknesses, many of which were made in the name of performance over security.

Tor doesn't work for torrenting and anything high bandwidth.

That's not true, it's well documented how various BitTorrent clients can work through Tor. The main drawback is that it's slower than a direct connection, but that does not mean it doesn't work...


Also, when I said doesn't work, I only meant that it's not an acceptable alternative to VPNs.

I got the impression that it's considered bad etiquette to torrent over Tor.

If the choice is between my ISP logging all of my traffic for whatever purposes they choose, commercial or otherwise, or adding the hurdle of someone getting a court order to get logs of my traffic, I'll take the added hurdle every time. I'm not worried about my traffic being "suspicious" - I'm not doing anything suspicious. You also aren't limited to using a single VPN. If you value your privacy spreading your browsing habits around to a variety of VPNs can only help you - there's no downside when the alternative is "trusting" your ISP.

Other reasons you might want to use a VPN:

* Geoblockers - Much media content is blocked based on geolocation, specifically geolocation based on your IP. (Netflix, Youtube, etc.)

* IP blacklist - I know a few people that have inherited a blacklisted IP simply through unlucky ISP IP allocation.

* ISP logging - So not a hostile ISP, but one that actively tries to log your data. (If you live in Europe, this is almost definitely happening. Apparently in the US ISPs even sell this data.)

* Speed - A few people report being able to get a faster network connection. (I'm not entirely sure why this is the case, but I can imagine there being edge cases where this is possible.)

Setting up your own VPN is NOT a solution to every problem mentioned here, especially if you want to switch server location on a whim or are not technically minded.

I often get really slow download speeds from the GitHub CDN, which my ISP must not peer with or something. My ISP has faster routes to most of the rest of the internet, including some VPN endpoints, so a VPN can be used to cut out the bottleneck and allow me to download large binaries off GitHub at 2 MB/s instead of 80 KB/s.

GitHub uses S3 for artifacts. If your typical S3 download speed is ~80KB/s, I suspect it would be a similar story for CloudFront, in which case a huge part of the Internet would be painful to use...

< 80kB/s is what a large majority of the internet experiences, with page viewing times in excess of 30 or 60 seconds...

Been there.

Yeah I've heard some gaming folk say that their latency also goes down. I guess it all depends on the pipes your particular ISP has rented and their connecting places.

> ISP logging

This also happens in Oz, the government scrapes all ISP browsing metadata. I can't wait to see what happens if/when that data leaks. I'll keep using a VPN thanks.

> I can't wait to see what happens if/when that data leaks.

We can guess: denial, distancing, some weak laws and then nothing. Nobody _ever_ goes to jail. I imagine the five eyes are all sharing this data too.

It's only a matter of time until all data is eventually leaked, in the same way that all things eventually die. Sure, some good eating and exercise slows the process in the same way good security practices do, but eventually a mistake will be made.

This is again why the web needs to get itself decentralized; it'll be faster and more secure. We'll get there eventually.

> denial, distancing, some weak laws and then nothing.

That's a bit unfair. Surely there will be a statement about how seriously they take our privacy, too?

Haha sure. Anything to pacify the people.

The primary reason people use VPN services, which articles like this always fail to address, is best illustrated at this URL: https://iknowwhatyoudownload.com/

Okay, so I just checked this out, and there is a non-zero amount of child porn on the list. Is my roommate downloading CP? Is there any other explanation?

Keep an eye on that list. The "last seen" column should tell you if this is current or ancient activity and if he/she is seeding; correlating this with the times your roommate is home (or his/her PC is on) should give you a good idea of whether this is him/her or someone else sharing your IP. Another such file coming up on that list is a strong indicator as well, and could help you even if he/she is no longer seeding. Keep in mind that remote control of a torrent client is possible. If you control the router you could try getting a new IP. All this without downloading the actual file.

Thanks for the advice I'll keep an eye on it. As far as I'm aware he's home basically 100% of the time so that unfortunately doesn't help narrow anything down lol

Maybe your ISP is using carrier-grade NAT? [0]

[0] https://en.wikipedia.org/wiki/Carrier-grade_NAT

The other explanation is that your ISP doesn't give you a static IP, and customers of your ISP have had this IP.

I just turned the router off and on again and the IP is the same :$

My ISP assigns me the same IP address for months at a time before changing it seemingly at random. Without knowing how long you’ve had that IP address and how long the linked site keeps data for, it’s not really meaningful information.

Your IP is assigned on rotation by your upstream ISP, your router doesn't get to pick when the address changes unless you contact them and ask to have it changed.

is your IP dynamic? could be someone else on the same isp. Perhaps cgnat?

Curious if this actually lists anything accurate for anyone else. For me:

Home - US, dynamic IP but unchanged in a year: nothing.

Colo - US, static IP for 5 years: 7 things I haven't downloaded and can't find any history of on my disks or backup software.

Seedbox - EU, static IP for 3 years: nothing.

Home probably has <12 downloads, the other two should have thousands from various sources.

It's very limited but tends to show normies some popular movies (and, crucially, embarrassing pornography) they've torrented, which makes the overall point.

At home it shows me ~20 downloads which I didn't do, and none of the ones I did. Not sure why.

It just scrapes public trackers. If you don't use public trackers, you won't show up.

Pretty impressive. Every anime I torrented off nyaa.si / horriblesubs was listed.

Heh. A single ubuntu iso.

Interesting. I knew there were malicious peers around but that's the first I've seen that's so loud about it.


Sure, you're always trusting a VPN at their word that they don't log, the above gives a detailed analysis of which ones you probably shouldn't trust. You can always host your own: https://github.com/n1trux/awesome-sysadmin#vpn

You can also VPN chain (l2iptables), tunnel over TLS, etc. That gist post is pretty dumb imo

The post is targeted to those who are not sufficiently technically adept to know of these techniques.

How many non-technical people read things on github? I'm seriously wondering, because whenever I see a link to something posted on github I always assume that it's intended for an audience with some technical understanding. I know that some laws and whatnot have been put up onto github to provide easier access, but it never seemed like non-technical people started using it.

I think if someone shared it to their facebook, a non-technical user wouldn't be much less likely to read it than say a medium article. Non-technical users don't really care about the domain.

Certainly most readers of github are technical, but that doesn't necessarily make it less suitable for non-technical people.

This actually reminds me of an episode that happened to me many years ago. Back then, it was "web anonymizers" (not VPN providers) that were all the rage. These programs would maintain a database of open proxies, and route peoples' web activity through those proxies.

Well, I had Apache misconfigured just long enough to get picked up by one of these apps. For years afterward, my server logs were chock full of attempts at logging into various accounts via HTTP. I seriously had thousands of Yahoo! username/password pairs just sitting in plaintext inside my server logs.

> And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble.

Hmmm? If you don't have record of it, the courts don't do much, at least in the US. If they subpoena you, and you don't have logs, nothing ever comes out of it. Outside of fines and things of that nature.

> The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

How do you think insurance works, or why airlines habitually overbook? A trivial word problem if you will: If you had 10,000 users, you were subpoenaed and only 100 users did anything worth prosecution, that's what. For one lawyer, drinking a $10 coffee (or two $5 ones) every week day for a month, that's 20 days, $200 a month, $2,400 annually. Assuming in this example only 1% of your users need defending, that's 99% of your coffee budget you don't have to worry about! For 10,000 users, a yearly subscription pulls in about $1,200,000 (we aren't doing any adjustment for taxes and all that garbage). If 99% of your users are behaving themselves.. or at least not doing something bad enough for the courts to take notice (which in the digital age, things like piracy are white noise), that means you still have $1,188,000 to help you in those typically blanket cases (i.e. a court case in which 20 of your users were downloading illegal movies, and MGM got really upset). Since if you aren't logging, these infractions are dealt with in aggregate usually, since it can't be quantified. So number of lawsuits < bad users.

That's not bad, if all your lawyers needed was coffee monthly, then you could support, with 99% of your users cash, 495 lawyers coffee for a year! more than enough coffee to defend your business. Don't forget you can still use the "blood money" you got to buy them coffee!

The basic principle behind my oversimplified, and somewhat tongue-in-cheek example was to remind you that insurance is a lucrative business. I wonder how they survive if your monthly cost for liability (up to $500,000) isn't $500,000 per month!?!

Reposting the last response I gave when this article came up.


> Your IP address is a largely irrelevant metric in modern tracking systems.

I don't believe this for one second.

Your IP address on its own is not sufficient to identify you. That doesn't mean your IP address is not helpful in identifying you.

If you have Javascript disabled, it is a heck of a lot easier to identify you with a combination of an IP address, user agent, and OS than it is to identify you without the IP address cutting down the pool of potential visitors.

On top of that, if you're targeting me and do a geo-location of my IP address, it will get you within 5 miles of my house. That's close enough that you'll know which county I'm in, which with a few other easily-obtained pieces of information will let you pull up my voter registration, which will give you my exact street address.

Of course, you could mitigate this by setting up your own VPN on something like Linode, but unless you're regularly rotating IP addresses, you've just traded a pseudo-identifier that multiple people/devices share for a persistent identifier.

This argument comes up all the time, and I have never heard anyone explain it in a way that passes my sniff test. If you want me to stop using a VPN, you need to do a lot better than just claiming that IP addresses don't matter -- you need to show some kind of evidence to back that up.


Broadcasting your IP address to every website you've ever visited is a completely valid concern that gets hand-waved out the wazoo whenever this subject comes up.

I've sent bug reports to sites that publicly tied IP addresses to comments/accounts so anyone could track your movement patterns over time. Yes, that info can be useful to an attacker trying to deanonymize you. Yes, that info can be used to link users together. Yes, that info can be used to narrow the pool of potential visitors so other fingerprinting techniques are more powerful.

It is blanketly ridiculous to claim that an approximate county-level geolocation isn't a useful data-point to attackers. If IP addresses weren't useful, the Tor project wouldn't be going to such lengths to hide them.
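The "narrow the pool" argument in the comment above can be put in numbers. The block below is an added example, not part of the comment: it takes a constructed visitor log (documentation address ranges, made-up user agents) and reports, for different attribute sets, the average size of the anonymity set a visit hides in, the fraction of visits that are already unique, and the average identifying information in bits. The exact IP, an IP coarsened to a /24 (a stand-in for the coarse ISP- or location-level view the comment mentions) and no IP at all are compared. In the sample data, `203.0.113.10` and `198.51.100.7` are shared by several visits (a shared VPN exit or CGNAT address), while the `192.0.2.x` addresses each appear once, which is the persistent-identifier situation the comment describes for a single-user VPS.

```python
"""How much an IP narrows a fingerprint pool (added example, not from the
thread). The visitor log is constructed sample data. For an attribute set,
the 'pool' of a visit is the number of logged visits with identical values;
a pool of 1 means the visit is already unique in this log."""

import ipaddress
import math
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Constructed sample log: (ip, user agent, OS). Not real traffic.
VISITORS: List[Dict[str, str]] = [
    {"ip": "203.0.113.10", "ua": "Firefox/69", "os": "Linux"},
    {"ip": "203.0.113.10", "ua": "Firefox/69", "os": "Linux"},
    {"ip": "203.0.113.10", "ua": "Chrome/77",  "os": "Windows"},
    {"ip": "198.51.100.7", "ua": "Chrome/77",  "os": "Windows"},
    {"ip": "198.51.100.7", "ua": "Chrome/77",  "os": "Windows"},
    {"ip": "198.51.100.7", "ua": "Safari/13",  "os": "macOS"},
    {"ip": "192.0.2.44",   "ua": "Firefox/69", "os": "Linux"},
    {"ip": "192.0.2.45",   "ua": "Chrome/77",  "os": "Windows"},
    {"ip": "192.0.2.46",   "ua": "Chrome/77",  "os": "Windows"},
    {"ip": "192.0.2.47",   "ua": "Safari/13",  "os": "macOS"},
    {"ip": "192.0.2.48",   "ua": "Chrome/77",  "os": "Linux"},
    {"ip": "192.0.2.49",   "ua": "Safari/13",  "os": "macOS"},
]


def coarsen_ip(records: Sequence[Dict[str, str]], prefix_len: int) -> List[Dict[str, str]]:
    """Replace each IP with its enclosing prefix (e.g. /24) to mimic a coarser,
    ISP- or geolocation-level view of the address."""
    out = []
    for r in records:
        net = ipaddress.ip_network(f"{r['ip']}/{prefix_len}", strict=False)
        out.append({**r, "ip": str(net)})
    return out


def pool_sizes(records: Sequence[Dict[str, str]], fields: Sequence[str]) -> List[int]:
    """For each visit, how many visits share the same values of `fields`."""
    key = lambda r: tuple(r[f] for f in fields)
    counts = Counter(key(r) for r in records)
    return [counts[key(r)] for r in records]


def mean_pool_size(records: Sequence[Dict[str, str]], fields: Sequence[str]) -> float:
    sizes = pool_sizes(records, fields)
    return sum(sizes) / len(sizes)


def unique_fraction(records: Sequence[Dict[str, str]], fields: Sequence[str]) -> float:
    sizes = pool_sizes(records, fields)
    return sum(1 for s in sizes if s == 1) / len(sizes)


def identifying_bits(records: Sequence[Dict[str, str]], fields: Sequence[str]) -> float:
    """Average surprisal -log2(k/N) over visits: bits of identifying
    information the attributes carry relative to the whole log."""
    n = len(records)
    return sum(-math.log2(k / n) for k in pool_sizes(records, fields)) / n


def report(records: Sequence[Dict[str, str]] = VISITORS) -> List[Tuple[str, float, float, float]]:
    """(label, mean pool size, unique fraction, identifying bits) per attribute set."""
    cases = [
        ("ua+os",        list(records),            ("ua", "os")),
        ("ua+os+ip/24",  coarsen_ip(records, 24),  ("ua", "os", "ip")),
        ("ua+os+ip",     list(records),            ("ua", "os", "ip")),
    ]
    return [(label, mean_pool_size(recs, f), unique_fraction(recs, f), identifying_bits(recs, f))
            for label, recs, f in cases]


if __name__ == "__main__":
    for label, pool, uniq, bits in report():
        print(f"{label:12s} mean pool {pool:4.2f}  unique {uniq:5.1%}  {bits:4.2f} bits")
```

Even the /24 alone moves a third of the visits into a pool of one, and the exact address makes two thirds unique, with the user agent and OS unchanged. The same computation over a real access log, with a /16 or a geolocation bucket in place of the /24, gives the "county-level" figure the comment refers to.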

> Of course, you could mitigate this by setting up your own VPN on something like Linode, but unless you're regularly rotating IP addresses, you've just traded a pseudo-identifier that multiple people/devices share for a persistent identifier.

This actually happened to me. I'm using a persistent VPN (50% to access my private infrastructure and 50% because I have a hostile ISP).

I mostly don't use any Google services (maybe one google search a month and the occasional google map search but I avoid when I can) and I was very surprised when once I did a google search and saw my postal code at the end of the page. The IP address was for a VPS (in the same city but with a different post code). I found it unusual but didn't pay too much attention. A few months later I moved places (different post code) and after a while google had my new post code at the end of their search page. That's when I found it troubling and assumed that a family member's iPhone was using Google Maps and based on the 'directions' usage they figured out that that IP address has a home address for those GPS coordinates. (The iPhone in question is reasonably 'hardened' with background updates off and location services only 'when app opened' and disabled for most system services). That was the only plausible correlation between IP address and location google could have done automatically - neither I nor the said family member log in any longer to the old google accounts we had many years back.

That's when I started rotating IP daily (which is trivial in my case as I use lightsail, I issue a shutdown from a different server and then a power on, AWS rotates the IP automatically out of a very large pool - so far I haven't gotten the same IP twice).

The only problem I have with lightsail is that I often get a 'dirty' IP so I rotate 4-5 times before getting a good one (I test this by doing a curl on a website that sends google captcha on dirty IPs but lets the 'good' ones straight in).

I use a VPN because I want a proxy, and for e.g. iOS it seems a VPN is the easiest way to set up a proxy.

The article lists several reasons to use VPNs but isn’t the biggest one these days simply to circumvent geographical content limitations for online services such as video streaming? Nearly everyone I know has used a VPN service at some point, and if you asked any of the non-technical ones what it is they might say ”a thing that lets me watch the game broadcast when I’m in another country”.

People want proxies and the VPN providers provide VPNs that work like proxies. I can’t really see the downside to using the VPN as a proxy?

A terrible summary of why VPNs are useful. Goes on and on about privacy with no mention of bypassing censorship. It must be nice living in a place where you don't have to worry about access.

There's no point in privacy without access.

The title should be renamed to "Don't Use 3rd Party VPN Services".[1]

On-prem VPN deployments with solutions like AlgoVPN[2] from Trail of Bits are still very useful. Let alone the vast majority of corporate IT's internal VPNs that are required for some workforces to perform their jobs remotely over the public Internet.

[1]: https://gist.github.com/joepie91/5a9909939e6ce7d09e29#gistco...

[2]: https://github.com/trailofbits/algo

I’ve seen a complete lack of arguments for why anybody should use Algo or Streisand. I don’t see the point. If you don’t trust VPNs, why trust literally anybody you choose to host a VPN, especially if there is arguably even less anonymity to be had.

> If you don’t trust VPN's

That's exactly the misnomer that the title didn't do justice to. Of course you MUST trust a VPN in order to make sense of using it. The differentiation is whether some 3rd party manages that VPN or you manage it on your own. With 3rd party VPNs you have no idea how they set it up and no transparency into how they secure the VPN node. If you manage your VPN node on your own, you have full control over what algorithms and configuration you are using and you pick the right node in a "secure" environment, all risks factored into the big picture.

> If you manage your VPN node on your own, you have full control what algorithms and configuration you are using and you pick the right node in an "secure" environment, all are risks factored into the big picture.

No, it's the exact same situation. Or do you happen to know exactly how whatever hosting provider manages the server you're using? They can be trusted exactly as much as VPN providers. There is no real security once you're using systems that you don't own, but there are benefits to using a VPN that can't be realized if your name is on the box.

> No, it's the exact same situation. Or do you happen to know exactly how whatever hosting provider manages the server you're using?

It's not exactly the same. In the case of cloud providers, you know what you are getting into and mostly have the freedom to set up your own VPC, your VM image, your firewall, even secure boot/TPM stuff, etc.

As far as the data security goes, many cloud vendors provide data encryption at rest with your own keys (of course data security in transit for a VPN goes without saying). This is even MORE true for corporate IT since they own and operate their own data centers and hardware too (even with the popular trend of cloud computing migration).

Just think about it: if public cloud vendors can get government contracts (DoD/CIA/NSA), then they can ensure security at a high bar. But keep in mind that security is NEVER an absolute term, so your argument to me is moot.

The article specifically discussed that (using Streisand as the example rather than Algo, though Algo is what you should in fact use).

why Algo instead of Streisand? out of curiosity.

Algo is designed not to install risky VPN software, or to use risky configurations, by subject matter experts.

Thank you for the insight (esp. coming from a security expert :)).

"There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs."

This is demonstrably false; look at any VPN provider that was subpoenaed and unable to produce documentation.

>Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

This is a tautology. If you use it as a proxy, then it's a proxy. VPNs aren't for this, and so are bad at it.

VPN use case is either to securely leave a network (hotel Wi-Fi, airport wifi) or to securely get to a network (home resources, corporate resources). If you want a proxy, find a proxy.

I think the crux is you consider "VPN use case is either to securely leave a network (hotel Wi-Fi, airport wifi)" a core VPN use case when the author considers that a proxy use case.

I side with the author on this one, a virtual private network is meant to mean multiple private devices on a single network segment virtualized over some transport. Using it as the place you connect to to shove your internet traffic through a relay definitely fits the secure proxy use case/definition way better.

Proxy is securely leaving the network. There is no real difference in the principle of operation besides the protocol(SOCKS vs OpenVPN, etc.)

Can't easily configure a proxy for a mobile (ATT, VZ, et al) network connection (on iOS, at least), VPNs are easy-peasy to connect, so I use a personal, private VPN as proxy -- it obscures my traffic, blocks ads and malware...and I wouldn't say it was "bad at it" at all...

What about just setting up your own VPN on a cloud provider or a raspberry pi? You’d still be responsible for the traffic flowing through but at least you wouldn’t have ISP logging, get around geoblockers, keep a secure connection in public WiFi’s, fantastic for devops people who want to have local connections for debugging networking things on aws/gcp/cloud providers, etc...

I think you mean that you shouldn’t think of a VPN as an anonymous traffic tool like they advertise.

Where do you connect that raspberry pi? At home, you're using your own IP and ISP still.

What a myopic viewpoint. ISP's can and do sell customer data:


It doesn't take a logical leap to infer that a company whose entire purpose and business model is to provide anonymization as a service is less likely to sell out its own customers than the ISPs.

Yes VPNs can log despite claiming they don't. But the well known ones are highly incentivized to do as they claim because lying would destroy trust and would ultimately destroy their business. Governments are also more likely to target giant national ISPs than some VPN provider whose servers are in some very liberal and consumer leaning countries outside the US. Also securing your own VPS on the internet and managing it without getting pwned is well outside the expertise of most people and is probably not recommended.

Although I agree with the general notion, social proof and a good track record are not bad indicators. I will always recommend Mullvad if you are looking for a VPN service that is trustworthy. I think VPN services that advertise a lot are a little sketchier, though surely some of them must be decent... maybe PIA?

I use pia, they are inexpensive with plenty of traffic to blend with.

Before anyone buys a VPS from LowEndTalk like he recommends, most of the providers on there are trash-tier and massively over-sell their services, which is why they seem cheap but performance ends up very poor. And why would I trust a VPS vendor with 10 customers over a VPN provider?

Used to have this view, now conceded that a VPN provider with good reputation and accountability is best. Your local ISP sells whatever data or injects whatever content they desire, and your rights mean little if your contract stipulates they can sell this access to a 3rd party and this 3rd party can then resell analyzed or raw data to anyone including your own government. If you perform methodical risk analysis, you will find having the ability to damage the reputation of your first-hop provider is an ideal leverage. Never negotiate from a position of weakness (e.g.: ISP or Tor exit nodes).

Even if you assume that the VPN provider is listening to and analyzing all your traffic, it's still preferable to your internet service provider doing the same thing. For starters, the internet provider just knows more about you. You probably have a contract with them, they know your exact physical location and they have your SSN. A malicious actor from within the internet provider having access to all this information could potentially blackmail you by revealing your porn logs to your spouse, or your unsavory private reddit history to your employer etc.

Second, your VPN provider could be in a different country, and that would make data mining your traffic slightly less interesting to them. It'd also make data acquisition via subpoena of some sort from your country slightly more bureaucratic.

Third, if you have reservations about your VPN provider, you can just cancel your account and go to a different one. Changing VPN providers takes 5 minutes, while changing internet service provider can take months, or in some cases might not even be possible.

This is silly.

Most people use VPNs to get out region restrictions.

These are getting more and more common due to local governments making laws that affect the whole internet - think GDPR - that individual site owners do not want to abide by so they block IPs. VPNs solve this very real problem for those still wanting access to the content.

They're also used for subverting content region licensing. For example, with Netflix.

Or using it to tunnel to a more torrenting-friendly region.

I can't believe VPN can give you acceptable speeds for torrents tho...

Most of the VPN I've used have as much bandwidth as I originally have.

But the connection is not very stable to say the least; it sometimes drops to zero (but recovers quickly).

VPN barely affects speeds on my end and I have a gigabit connection. Usually the bottleneck is the torrent itself unless it’s extremely popular.

I’ve downloaded games over Steam at full speed over my VPN...

Steam downloads have nothing to do with torrents.

Come on. My point being - VPN isn't the limiting factor here. It's the people you're downloading from. If you can't see the connection I can't help you.

PIA does.


So when should I use a VPN?

3. To watch US Netflix in <insert non-US country>.

Off topic but — anybody know a good/recommendable vpn service that supports MacOS without requiring third party software and which allows inbound access to the external ip associated with the service ...?

I need to ssh back to my laptop frequently because of some annoying restrictions with a service provider I use (heroku). I _can_ do shenanigans with ssh tunneling on a publicly accessible server I control - but it’s actually pretty annoying to work that way in my scenarios.

I’ve tried a few VPN services that offer “static IPs” but the services I’ve tried filter inbound connections to that IP ... does anyone know a good VPN service that can effectively give me a public IP address so I can make inbound connections to my developer machine while I’m on random shitty coffee shop WiFi ...?

“remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble”

Disagree. It is always easier for the legal team to say, “sorry we don’t store the logs” as a way to absolve themselves.

The title is misleading because the article focuses on using VPN providers to obfuscate traffic when this is one use case of VPN technologies. The gestalt types of VPN usage are:

* Remote Access VPN: Connect to resources on your corporate network. An example of this is you're in a coffee shop on holiday and need to access a corporate resource.

* Site-to-Site VPN: Connect networks on two sites together. An example of this is you're in a branch office and need to connect to a resource in HQ.

Note that VPN providers give you a limited Remote Access VPN to their network, which they control. They can do whatever they want to your now-decrypted traffic before they send it out to the internet. If you want to obfuscate your traffic, Tor is a better candidate.

Quote: > Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.

I agree with you - the gist does have a caveat. The title is still misleading as VPN Services is too broad for the gist's content.

"Service" here refers to a service in the "company" sense, not in the "system daemon" sense. Legitimate VPNs are typically run on one's own network, not outsourced to a third-party service.

Am I better off having my decrypted traffic in a VPN provider's network or in Comcast's network, given the amount of trust that I have for Comcast is not very impressive?

Ok, we put anonymity in the title above. If someone has a better suggestion we can change it again.

The original title ("Don't use VPN services") is appropriate. The article talks about more than just anonymity - it also explains why you shouldn't use VPN services for greater privacy or security.

The article does say it's OK to use VPNs for accessing internal networks, but that wouldn't be a VPN "service".

Ok, we took anonymity away. Happy to keep responding to suggestions, but if this is to stabilize you guys should agree on what's accurate and neutral.

Being able to use airport wifi (or other public wifi) is actually a pretty big deal IMHO.

I really value not having to constantly leave my phone on, blasting my location to anyone who cares to ask.


(I self host my VPN, so I'm fairly confident the provider isn't going to jeopardize their entire business model to add extra analytics. Sites I visit get the IP of the VPN, and conversely my ISP sees my traffic going to a random server in Denver. It's win-win.)

How often do you rotate the IP on the box you're proxying through?

It's for security, not anonymity.

I use Tor if I want anonymity.

>There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

If the VPN provider has been ordered by a US court to produce log information, and they have appeared in court responding that it is not possible for them to do so as such logs do not exist, and the court has accepted this as true, that is adequate 'proof' in my eyes. It is something which puts them in the position of being extremely legally liable for in a way that advertising 'no logs' does not, since prosecution for false advertising is a joke.

I know I'm going fully into the realm of conspiracy theories here, but history has shown secret court orders are a thing. VPNs are the perfect honeypot for law enforcement agencies; they wouldn't want to lose this every time they bust someone. So put on a nice show that they can't get the logs, then secretly order them to log.

I agree with the content, but I would recommend dsvpn instead of the suggested solutions.


It's great, but has no Android support atm. Gotta stick with Wireguard for now.

Aside: 15 years ago all of our employee laptops passed all of their traffic over our own VPN. One of my employees wanted to quantify how much having all our traffic go to our server space was slowing it down.

He ran a series of tests comparing latency and throughput of directly visiting sites on his home Comcast connection, vs. the VPN. Generally, the VPN was significantly faster.

I wasn't entirely surprised by this. Our facility had multiple high quality connections (Level-3, InterNAP), and one of those traffic optimizers that would add intelligence beyond just BGP.

That is my experience today. My Linode is a lot closer to things on the Internet than my Spectrum connection. For example, if I ping the US/Central Overwatch server, it's 50ms from my home connection and 20ms from my Linode (which is 11ms away from home).

It is sometimes as much as 26ms to the first hop after my router, though, which is pretty amazing. That's enough time for light to travel 5000 miles.

The biggest value I've seen from VPNs is when certain networks block SSH. This happens to me all the time when staying in hotels. For my work I need SSH.

I've also had edge-cases where I need to obscure my country of origin. For instance, I couldn't stream Game of Thrones via Hulu/HBO Go this Summer while in Mexico. For some reason, Mexico is blocked. My VPN solved that.

For security? It's unlikely to help unless I am on an unsecured wireless network or something like that. Good read nonetheless.

Now, with DoH, VPNs will be more relevant if you don't trust your ISP.

Today, if you change your DNS to another resolver, your ISP won't bother, because the majority will not change and you can pass under their radar.

With DoH, ISPs will be forced to log filtered/mapped IP requests so they can keep doing whatever they're doing today with DNS queries.

So, when DoH matures, ISPs won't see your DNS queries, but it won't matter to them any more as they will be seeing all other requests.

> ... with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

I know this is not a popular stance on HN, but IPv4 has built-in casual anonymization, whereas IPv6 has built-in casual identification. Both systems are defeatable, but what bothers me about IPv6 is that the invasion of privacy is the default.

Coincidentally, Google, Facebook, et al. are pushing IPv6 very hard.
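The "built-in casual identification" the comment above refers to is SLAAC addressing with modified EUI-64 interface identifiers, where the host's MAC address is embedded in the lower 64 bits of its IPv6 address. The following is an added example, not code from the thread: it derives the SLAAC address a given MAC produces under a given /64 and, going the other way, recovers the MAC from an address whose interface identifier carries the ff:fe marker. For an address generated with RFC 4941 privacy extensions (random identifier) it returns None, which is the check a practitioner would run on their own address before deciding whether this concern applies to them. The prefix and MAC are made up.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier as derived by SLAAC (RFC 4291, App. A):
    flip the universal/local bit (0x02) of the first octet and insert 0xff 0xfe
    between the OUI and the device-specific half of the MAC."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address a host with this MAC autoconfigures in the given /64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + eui64_interface_id(mac))


def embedded_mac(addr: str):
    """Return the MAC an IPv6 address exposes if its interface identifier is
    EUI-64-derived, else None. The ff:fe bytes at positions 11-12 of the address
    are the marker; this is a heuristic, since a random identifier contains
    ff:fe there by chance with probability 1/65536."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed inputs: a documentation prefix and an arbitrary MAC.
    mac = "00:11:22:33:44:55"
    addr = slaac_address("2001:db8:1::/64", mac)
    print(addr)                       # 2001:db8:1:0:211:22ff:fe33:4455
    print(embedded_mac(str(addr)))    # 00:11:22:33:44:55
    print(embedded_mac("2001:db8:1:0:1234:5678:9abc:def0"))  # None (random IID)
```

If `embedded_mac` returns your MAC for the address your ISP-facing interface currently uses, every site you visit over IPv6 can tie sessions to that hardware across prefix changes; the remedy is enabling temporary (privacy) addresses on the host, not a VPN.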

This reminds me of the “don’t use sms for 2fa” arguments.

This is focused purely on people who think VPN is for privacy/security. I use a VPN to get around geo-fencing - in Australia there is a lot of media agreements that mean you can't watch stuff here that is free elsewhere without paying for cable or a local streaming company. A small VPN with multiple exits so I can watch content that is free in the US and EU markets.

This is BS. VPN is a legitimate service and many people rely on such services to do their things. It may pose some potential security issues, but in most cases it won't cause big harm to you even when your credentials are leaked.

Just try to use a very random username and password; payment can be set to a VCC or a one-time method.

Do random routing features like SecureCore of ProtonVPN add some value? I think they do in terms of anonymity.

These arguments all assume that ISPs are more trustworthy than VPN providers.

One of these markets involves competing on security and privacy. One of them involves colluding on influencing FCC policy.

So even if a particular VPN provider is inept or corrupt, my expected return on the investment is higher than trusting TWC.

> One of these markets involves competing on security and privacy.

one of the points raised in the article is that it's difficult to evaluate whether the VPN actually follows its logging policy. if they say they don't log, you pretty much have to take their word for it until information to the contrary somehow goes public. it's entirely possible that LE could be using a VPN as a honeypot and forcing everyone they catch to stay quiet through a plea deal. you'd never know until someone broke ranks. the VPN company could just as easily log your traffic and sell your usage data. unless they're sloppy about it, how would you find out?

Maybe logs vs definitely pipes your GETs straight to Utah.

Figure it out.

Your threat model should also include your VPN provider's ISP.

> One of them involves colluding on influencing FCC policy.

That is an extremely US-centric view.

Aside from that, physical ISPs have something to lose, as they have a very real infrastructural investment; whereas becoming a "VPN provider" literally does not entail more than "rent a few servers, run OpenVPN, buy a billing system license, hire a marketing guy".

It's entirely viable for a VPN provider to just disappear overnight and set up shop under a different unrelated name at virtually no cost to them, if their old brand gets burned. That significantly changes the trust equation, and not in favour of VPN providers.

> physical ISPs have something to lose

Unless they're a (natural or artificial) monopoly, like... pretty much every ISP in North America is. Comcast has the reputation of, well, Comcast, and they're doing just fine.

> Becoming a "VPN provider" literally does not entail more than "rent a few servers, run OpenVPN, buy a billing system license, hire a marketing guy".

Yes, that's a good thing: it means that VPN providers, unlike telcos, are under selection pressure. Which means that for VPN providers, unlike telcos, reputation actually means something; the top VPN provider is striving much harder for your dollar than the top telco is.

Certainly, don't pick a VPN provider at random, but you wouldn't anyway.

> Unless they're a (natural or artificial) monopoly, like... pretty much every ISP in North America is. Comcast has the reputation of, well, Comcast, and they're doing just fine.

Once again, that is an extremely US-centric view.

> Yes, that's a good thing: it means that VPN providers, unlike telcos, are under selection pressure. Which means that for VPN providers, unlike telcos, reputation actually means something; the top VPN provider is striving much harder for your dollar than the top telco is.

Except that isn't how the industry works, at all. Virtually all "reputation" that VPN providers have originates from paid product placements (see: the myriad "VPN reviews" that are chock full of affiliate links, YouTube ads, etc.), and providers are assumed legitimate unless shown otherwise by default.

This means that said "reputation" is 100% reproducible under a new brand without ever having a single long-term customer vouching for you. There's no competition on quality; the competition is on marketing only.

Exactly why the industry has turned out that way and doesn't follow the "competition breeds quality" narrative that people on here love to put forward, is left as an exercise to the reader.

> Once again, that is an extremely US-centric view.

It's a Canada-centric view, for me. :)

But seriously, does anyone care about VPNs outside of North America? Why would you, if your ISPs aren't awful? Do most VPN services even bother to advertise outside of the North American market?

> This means that said "reputation" is 100% reproducible under a new brand without ever having a single long-term customer vouching for you.

Why pay attention to word-of-mouth reputation, when survival under competitive pressure is a much more objective signal of reputation of its own?

If the bad actors need to restart with a new brand every few years, then why not just look for the oldest brands around (who must therefore have done this the least), and then sort those by the number of negative news articles you can find about them (which should exist, given that they haven't laundered their brand-identity much)?

It's the same thing you do to figure out who to order from on AliExpress: look at who's put themselves out there the longest while doing active business, without accruing negative ratings in the process.

Or, as well, it's the same thing you do when deciding whether it's worth it to try out a new restaurant in your neighbourhood: you give it a few months, and if it's still around, then it's probably good.

> Virtually all "reputation" that VPN providers have originates from paid product placements

I can think of a few prominent counter-examples, those being sold by security vendors. I run Freedome because I trust the people behind F-Secure to be doing approximately the right thing.

I would guess that it's because higher quality is pretty hard to achieve relative to most services. You can only offer a few things, stability, speed, perceived security and given the ease of use of the cloud, providing all three of those is relatively simple. The smattering of new VPN services are a little like altcoins in that respect. Going from perceived security to demonstrable security will require a strong demand and right now it seems ignorance is blunting that demand for individuals, where companies just roll their own servers they know they can trust and have access to.

> That is an extremely US-centric view.

I'm an Australian citizen living in NYC. If you think Telstra behaves any better than the lot over here you may be in error.

So I guess that makes my view Pacific-centric.

One of these markets involves specifically trying to attract customers who are worried about sensitive information or activity.

Can (2015) be added to the submission title? This hasn't been substantially updated since then.

Why would it need to be?

The opinions expressed in the article aren't new to me, but I thought the fact that I saw them on the front page of HN implied that they were becoming increasingly popular or there was some new development (eg. confirmation of certain VPN providers being honeypots). If I had realised this was just a link to a discussion that happened a few years ago and had no real impact on the general consensus among IT experts, I wouldn't have clicked on it.

A slightly less breathless analysis from Krebs (2017):


How about when you get a VPN from a country that has strong privacy laws due to bad experience with local snitches and which doesn't have intelligence-sharing treaty with any other country (including US) - like Romania. Wouldn't that be safer?

I don't get how using a VPS is any better than just going without anything. It's got the exact same problem as the VPNs... it just shifts the endpoint.

Would there be any benefit in using a number of VPS round robin style? I've got access to a handful...

Well, you now control the endpoint and have a lower probability of your traffic being snooped, as major VPNs have a concentrated stream of "interesting" traffic while random VPSes don't.

It simply layers obscurity; it would be harder to subpoena multiple companies than a single VPN service. (Plus you "own" the VPS and can quickly delete or create new services whenever.) Before you browse, create a new VPN box, browse..., then delete the box after use. What logs? What box?

Doesn't really get me any anonymity: the first VPS box in the chain still has my name on it (credit card history etc.).

Not that it matters; fortunately my traffic isn't all that exciting.

Well, if you are really after anonymity, you also have to keep in mind your ISP, browser fingerprinting and the million other things that can expose you online. :)

Any way to spoof and inject random browser parameters to poison your fingerprints?

Is it guaranteed that your host doesn’t keep connection logs? They’re the endpoint. They see everything going to you and every site you go to regardless of VPN.

Correct, the endpoints are the weakness. My point was about being more difficult to find and not bringing attention by paying for a vpn service, a vps could be anything.

I think the author is implying that you have some level of control versus none.

I'd prefer anonymity over control, because the VPS box still has my name on it.

I use a third party VPN service to get around the fact that my residence comes with broadband that hijacks all DNS and routes all HTTP (port 80) connections through a Squid...

I also feel sharing an IP with many other users adds to the level of anonymity.

> I use a third party VPN service to get around the fact that my residence comes with broadband that hijacks all DNS and routes all HTTP (port 80) connections through a Squid...

You could set up a local resolver to NXDOMAIN specific IP address replies. Dnsmasq has an option for this. Regarding Squid, what makes you sure your VPN service doesn't do the same?

> I also feel sharing an IP with many other users adds to the level of anonymity.

Can you explain how you feel this adds anonymity? There is still potentially a record of you using that shared IP at a certain time to do a certain thing, so what is your threat model in which the VPN helps anonymity?
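The reply above suggests a local dnsmasq that converts the hijacker's forged answers back into NXDOMAIN. Added here as an example (not code posted in the thread) is the check that goes with that advice: query a name that cannot exist, treat any address that comes back as a hijack target, emit the matching `bogus-nxdomain=` lines for dnsmasq, and look for the response headers Squid adds when it sits transparently on port 80. The two resolver responses and the HTTP headers are constructed samples; `live_lookup` is the optional hook for running the same logic against your own connection through the system resolver.

```python
import random
import socket
import string

# Constructed samples of what a resolver returns for a name that cannot exist.
# An honest resolver says NXDOMAIN; a hijacking one forges an A record that
# points at the ISP's search/ad page.
HONEST = {"rcode": "NXDOMAIN", "answers": []}
HIJACKED = {"rcode": "NOERROR", "answers": [("A", "10.0.0.53")]}

# Header names Squid adds by default when it caches or proxies a response.
PROXY_HEADERS = ("via", "x-cache", "x-cache-lookup", "x-squid-error")


def random_nonexistent_name(rng=None) -> str:
    """A random label under .invalid, which RFC 2606 reserves so it never resolves."""
    rng = rng or random.Random()
    label = "".join(rng.choice(string.ascii_lowercase) for _ in range(20))
    return f"{label}.invalid"


def hijack_targets(response) -> list:
    """Addresses the resolver forged for a name that must not exist.
    An empty list means the resolver behaved honestly."""
    if response["rcode"] == "NXDOMAIN":
        return []
    return [rdata for rtype, rdata in response["answers"] if rtype in ("A", "AAAA")]


def dnsmasq_bogus_nxdomain(addrs) -> str:
    """dnsmasq config lines that turn any reply containing these addresses into
    NXDOMAIN. The option acts on A records, so IPv6 targets are left out."""
    v4 = {a for a in addrs if ":" not in a}
    return "\n".join(f"bogus-nxdomain={a}" for a in sorted(v4))


def proxy_signals(headers: dict) -> list:
    """Response header names that indicate a transparent cache is in the path."""
    return [k for k in headers if k.lower() in PROXY_HEADERS]


def live_lookup(name: str):
    """Ask the system resolver and map the result into the sample shape above.
    Caveat: getaddrinfo also raises gaierror when there is no network at all,
    which this maps to NXDOMAIN; run it twice against a known-good name to be sure."""
    try:
        infos = socket.getaddrinfo(name, None)
    except socket.gaierror:
        return {"rcode": "NXDOMAIN", "answers": []}
    fam = {socket.AF_INET: "A", socket.AF_INET6: "AAAA"}
    return {"rcode": "NOERROR", "answers": [(fam.get(f, "?"), s[0]) for f, _, _, _, s in infos]}


if __name__ == "__main__":
    for label, resp in (("honest", HONEST), ("hijacked", HIJACKED)):
        targets = hijack_targets(resp)
        print(label, "forged:", targets)
        if targets:
            print(dnsmasq_bogus_nxdomain(targets))
    sample_headers = {"Via": "1.1 gw.example (squid/4.10)", "Content-Type": "text/html"}
    print("proxy headers:", proxy_signals(sample_headers))
    # Uncomment to test your own connection:
    # print(hijack_targets(live_lookup(random_nonexistent_name())))
```

The `bogus-nxdomain` fix only helps for the DNS half of the problem; a Squid in the path on port 80 is visible to you through the `Via` header but is not something a local resolver can remove, which is the point the reply makes about the VPN provider being able to do exactly the same.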

If you want privacy, use Tor+VPN. Tor for anonymity, a VPN for a "clean" breakout IP. Oh, and make sure to pay for the VPN using a form of anonymous payment. And make sure that your devices won't give up your identity.

Anonymity is actually pretty hard...

VPN is just fine if you want to avoid dragnet surveillance, though choose a less popular one. If you are actually the target of a nation-state level adversary then yeah install Tails and use Tor but know that you're probably fucked.

I need an IPSec VPN a couple times a year to get around network issues. Trouble is, when I need it, I can't connect to it to buy it, and I don't want to pay for it year round. Pay-as-you-go IPSec would be great.

That's an astonishingly idiotic argument; most of what he talks about also applies to your ISP. They might log everything too and not tell you about it, but at least my ISP never made their whole business case around protecting my privacy.

And also, what exactly would be their incentive in building up their infrastructure to facilitate this logging? Do you have any idea how much storage space each VPN node in their network would need just to log everything?

And even if they were to log everything, you are still sharing an IP with hundreds of other people, making you less identifiable to at least the websites you are visiting.

100% FUD

I'm way out of my element here, but would it be plausible in the future for, say, Firefox to offer a simple and free VPN-like service? Something in the vein of incognito mode (its UX simplicity).

Firefox is testing a VPN, and you can try it right now https://www.theverge.com/2019/9/11/20861381/firefox-testing-...

Mozilla tests Firefox VPN service to help protect your privacy https://www.cnet.com/news/mozilla-tests-firefox-vpn-service-...

Opera Browser offers a free built-in VPN.

I've always been amazed at the prices I see for the VPN services, they seem improbably low. Which makes me wonder where they make their money.

Bandwidth is cheap.

The author admits in comments that this is clickbait. Not much to see here except "the providers you trust might not be trustworthy."

It would be nice if there were an independent auditing organization that could confirm an ISP's claims.

One thing that was not mentioned: your ISP logging your data. Too much of my data in my ISP's hands is not a good thing. I'd rather tunnel out through a "trusted" 3rd party server than give all my data traffic to Comcast or whatever.

I wholeheartedly agree and I am surprised to not see Tor mentioned as an alternative.

Hehe, at least someone is talking about it. Online privacy is a dream in the 2010s

Seems to be from 2015

Says a person living in a free democratic society...

That's a fair point of course, but if you need a VPN to hide from your government, then you need to be extremely careful about which VPN provider you pick. Potentially your VPN provider could be forced to, or voluntarily, hand over data to your government without your knowledge, leading to a dangerous false sense of security.

You certainly shouldn't be running your own VPN either, because that would be much easier to track, seeing as your traffic isn't mixed in with that of others.

Those of us in free democracies have little need for VPN providers. For those who do not, I'm not sure that I'd trust a VPN provider who targets gamers via YouTube ads.
