Hacker News new | past | comments | ask | show | jobs | submit login
PIA: Our Merger with Kape Technologies – Addressing Your Concerns (reddit.com)
452 points by rahuldottech on Nov 23, 2019 | hide | past | favorite | 212 comments

It might be that PIA is not going to start doing anything shady, and they'll still be a (relatively) well-respected VPN company after the merger. But if you're currently a PIA user, it would be foolish to keep using them while you're waiting for them to prove that. Cancel PIA for now, and if a year from now they're still on the level, you can make a more informed decision about whether or not to go back.

There's no reason for you personally to be the canary in the coal mine, just use someone else while you're waiting to see what happens.

I advocate somewhat strongly for paid 3rd-party VPNs, not because I think they're great, but because I think they are sometimes the least-bad option -- 3rd party VPNs address privacy problems that self-hosted VPNs can't, and unlike Tor, VPNs actually scale well for regular Internet browsing.

I do however fully acknowledge that shifting trust can be dangerous, so I recommend people be willing to quickly jump ship between VPNs, and possibly use different VPNs for different services. You should be a little nervous around your VPN provider, and you should hold them to really high standards.

In PIA's case, I notice looking at their pricing page that they offer 1-2 year plans in addition to monthly plans. Not everyone has the money to ignore deals, but if you do have the money, paying an extra $35-40 a year so just so you can easily switch VPNs on a whim is probably worth it. In general, for services that can pivot in quality quickly (like a VPN) it is usually worth paying monthly rather than yearly (again, assuming you have the extra money to do so).

> I advocate somewhat strongly for paid 3rd-party VPNs, not because I think they're great, but because I think they are sometimes the least-bad option -- 3rd party VPNs address privacy problems that self-hosted VPNs can't

Well said. I would add that they're also useful in situations where you don't care about privacy at all. E.g. you don't care if your ISP logs that you're watching Netflix, you don't care if your VPN logs that you're watching Netflix, but you (and to some extent Netflix) have an interest in making it seem like your computer is located in a different country than it is.

Region-shifting and preventing non-government adversaries from discovering your real identity from your IP address are both valid reasons to use a commercial VPN. I suppose the reason why those who oppose commercial VPNs discount these two is that they're mostly used for IP infringement.

> But if you're currently a PIA user, it would be foolish to keep using them while you're waiting for them to prove that. Cancel PIA for now, and if a year from now they're still on the level, you can make a more informed decision about whether or not to go back.

how will they prove it in a year?

and what threat is it you think the shady guys are going to pose? they'll start spending more money to keep logs? i guess they could get in bed with law enforcement but i doubt that pays well. maybe the RIAA/MPAA will pay them off?

Logging data costs money, but selling data earns money. Also, if the parent company is known for malware then getting mitm-attacked by your VPN sounds like an actual risk if you have any unencrypted traffic passing through it.

Or encrypted traffic for that matter -- a lot of VPNs install root certs on your OS.

Would you be alright if a VPN profiled and sold your browsing habits, engaging in very traditional, even benign business model similar to what everyone else is (e.g. credit cards, etc) doing -- but with the knack of keeping your real identity strictly anonymous and detached from these activities?

In other words, would you be alright if the VPN built a profile of your VPN identity? The corollary, I think, asks if you're interested in a VPN to separate your activities, or to thoroughly diffuse them for actual information loss.

No. You could associate the two profiles later on

So what’re the recommendations for alternatives? It seems like quite a lot of VPNs play their cards close to the vest - and at the end of the day, all I want is a modicum of privacy and to safely torrent a movie for my PLEX server instead of having to dig up my Blu-ray reader and rip it myself once in a while.

I can't give you a checklist for how you should determine who you trust -- that's one of the reasons why I don't advocate for or endorse any particular VPN, and one of the reasons why I don't disclose which VPN providers I use. The difficulty of determining which VPNs to trust is why I call them a "least-bad solution" rather than a "good solution."

There are a few other people on this post who are recommending specific VPNs, and you can (and should) look through some of their justifications for why they like their providers. A couple of things you can look into if you want to know where to start:

- What technologies are they using, contributing to, etc? Do they have a good rapport with Open Source communities?

- Do they support OpenVPN/wireguard? I advocate against using a custom VPN client, I don't want my provider to ever touch my computer, only my traffic.

- What's their privacy policy look like? Do they make public commitments to destroy logs? Are their claims on-their-face absurd? There's no such thing as a VPN that does zero logging at all, so if someone is claiming perfect anonymity, I distrust them from the get-go.

- Have they had data breaches in the past (for example, NordVPN)?

- Are there any high-profile cases of them refusing to provide logs to someone?

- What country are they located in? Depending on the country, a foreign VPN can complicate collusion efforts.

- Do they pay for ads, and how do they advertise? Do they make inaccurate guarantees about what a VPN can and can't do? A VPN isn't going to protect you from the police, and a VPN on its own will not make you private, so I distrust companies that make those claims.

- Do they seem competent? Do they have instructions on how to deal with things like DNS leaks, or how to set up killswitches?

That's not an exhaustive list. It is absolutely a pain to determine trust -- this is the biggest problem with 3rd-party VPNs. Don't go crazy with it; a VPN is just one layer in your privacy setup, so it's OK to have something imperfect. Don't aim for perfect privacy, aim for "better than what I currently have."

You come off rather imperious in your comments here. Between the number of "I" self-references in your first post, to this saccharine checklist that is more show-off than informative.

As usual, I think the reaction of PIA's corporate restructuring is a lot of hot air over nothing. Typical of most hot air, it is released to draw attention to the source and not convey any real concern.

People should be really careful before they jump to a VPN provider. The amount of data transmitted over the connection and exposed to the VPN as an intermediary is grossly underestimated. The only real explanation for so many iffy VPN providers popping up over the last few years is that they're mining the data for something, whether its selling analytics, setting up a honeypot, manipulating traffic/piggybacking on VPN users as a botnet (cf. Hola), or whatever.

That said, if you really need a third-party VPN, FoxyProxy's branded VPN service available through https://getfoxyproxy.org is probably pretty good odds. I've never used personally so I can't vouch all the way, but it's supporting an open-source project by someone who seems to really care about his users and has put more than a decade into supporting a great extension, so that puts it far ahead of most of 'em from the get-go.

The wirecutter did an article [1] on VPNs and recommended tunnelbear. I’m not sure who to trust but I’m going to at least give it a re-read

[1] https://thewirecutter.com/reviews/best-vpn-service/

If we're talking spending extra for switching flexibility, just abandoning PIA midway through your year-long subscription term and writing off whatever you paid, works too.

>and unlike Tor, VPNs actually scale well for regular Internet browsing

What is "regular internet browsing"?

Streaming, downloading multi-GB files like games or HD movies, playing games online while avoiding (at least some) latency, uploading content or hosting your own file-sharing servers.

It's not just a speed problem. Within the Tor community I personally still see a lot of people saying that behaviors like these are selfish because they take up too many volunteer resources. Maybe it's a little unfair of me, maybe those people are misinformed -- but I interpret that as meaning that the community doesn't think Tor can scale to meet those demands.

With either a 3rd-party or a self-hosted VPN, you can reroute literally all of your network traffic from all of your devices without giving it any thought, and the only time you'll really need to get off is if you're accessing a blocked website or doing something that demands very low latency.

IMO defining all of those things as "regular usage" is problematic.

In regards to your specific list, that's above average internet user, in which case I think a better solution is diversifying your network connection methods. Trying to use one tool for that entire range of traffic centralizes it needlessly, and you'll get more effective privacy by avoiding that.

Furthermore, if you want more speed out of tor I'd argue step one is running a node and contributing and/or donating at least.

> playing games online while avoiding (at least some) latency

Also at most some latency. /pedantism

Unless this has changed in the last few years, anyone can set up an exit node on Tor and begin proxying your traffic. It's just a switch in the config.

The risk profile is somewhat lower now that HTTPS is prevalent, but it's still unnecessarily exposing at least one side of the conversation to literally anyone. Most of the time, you're better off just using your ordinary connection -- then you at least know that it's $LOCAL_TELCO sniffing the packets.

Tor is excellent and it has uses, but I've had to explain to many people over the years that day-to-day browsing like checking email, checking bank accounts, etc., is far less safe through Tor than through a direct connection (at least for people in the US -- if you're using Tor for its intended purpose of thwarting oppressive regimes, crossing your fingers on the exit node lottery is probably preferable).

I don't really understand your point. I think most people would agree that TLS ought to be considered baseline, as sites are often (even in this thread) ridiculed harshly on HN for NOT using TLS.

>The risk profile is somewhat lower now that HTTPS is prevalent, but it's still unnecessarily exposing at least one side of the conversation to literally anyone. Most of the time, you're better off just using your ordinary connection

I think this is simply wrong, and lacks any threat model at all. Why do you care that encrypted bits can be sniffed by an exit node? The node can't even determine the 2nd hop, much less the origin.

> The node can't even determine the 2nd hop, much less the origin.

The point is that users should be cautious about what they do over Tor because exit nodes can eavesdrop on (and potentially manipulate) the conversation.

The onion mechanism isn't relevant here. It prevents peers from identifying each other within the onion, but it doesn't do anything to prevent the exit node from accessing the raw packets involved in the conversation -- indeed, the exit node must access those packets to proxy them. It's true that some of the traffic will be protected via HTTPS, but even encrypted packets can be made useful in various ways.

The reality is that you're introducing a random computer into your network path and that you're trusting that computer to proxy your connection without a) eavesdropping; or b) modifying contents. The prevalence of HTTPS may or may not be sufficient mitigation for some, but any analysis of the propriety of Tor to access non-onion sites is fundamentally incomplete if it doesn't acknowledge, contemplate, and address the implications of inviting a random computer to MITM the connection (as the Tor FAQ has done for at least the last 10 years: https://2019.www.torproject.org/docs/faq.html.en#CanExitNode...).

>The point is that users should be cautious about what they do over Tor because exit nodes can eavesdrop on (and potentially manipulate) the conversation.

No, they can't. Unless you don't use TLS...which is addressed in the FAQ you linked. Who is it that can break TLS that you're concerned about? Again, without threat modeling this is all lacking a lot of context and purpose.

HTTPS doesn't change the attack surface, it's just assumed to make it inaccessible. The exit node is still in the middle, and they absolutely can still listen.

TLS will probably defeat script kiddies that are just after the "thrill" of voyeurism, but more advanced operators will make use of the attack surface you're offering them, even if they aren't ever able to decrypt the payloads (not necessarily a guarantee). There's lots of room to analyze and manipulate encrypted HTTPS traffic in interesting ways (SNI, non-secure cookies probably good starting points).

TLS depends on correct configuration on both the client and server-side to be effective (and an interested proxy could try to modify the handshake to downgrade the connection's security). Whole versions of SSL/TLS have been deprecated after fundamental flaws were discovered; things like Heartbleed, POODLE, and Debian's low-entropy key debacle were all real things that made TLS much less secure than expected. An exit node operator that knew about these flaws prior to disclosure could've been having a heyday while users just said "Welp if I use HTTPS Everywhere it'll be fine".

Even without bugs, when TLS is ostensibly working completely properly, the trust model is frequently hijacked. See the CACert wiki [0] for a list of several dozen well-known attacks on CAs, many of which allowed imposters -- on multiple occasions state-level actors -- to issue fake certificates for specific domains, which a malicious exit node could inject.

The incontrovertible point is that using exit nodes exposes some prime attack surface to literally anyone, and yes, that's still attack surface, even if you're 1000% sure that your encryption is so super-duper strong that literally no one will ever be able to break it.

The exposure is real, the risk is real even if not necessarily always immediate, and it needs to be considered along with the other factors. Any risk analysis that involves accessing clearnet resources via Tor exit nodes should contemplate this.

[0] http://wiki.cacert.org/Risk/History

You're clearly not a novice in this domain, but I'm having difficulty understanding your assessment without any sort of threat model.

The risks you're detailing are likely insignificant for 99% of users right now. Using TOR doesn't imply a specific threat model, and that notion weakens tor security and anonymity as a whole.

Fully agree with all of the above. I've been a happy customer of PIA's for years now and, as such, they've built up relatively solid trust with me (for a third-party VPN company). Even still, I only renewed only a yearly basis because a) things in tech, especially security, change quickly and b) companies also change quickly and like today, that change can be greatly for the worst.

I can't personally understand buying in to such a service for a timespan measured in years.

I paid $60 for 3 years of PIA access. From a convenience standpoint alone, I’m happy to think about it and update config every three years.

If things sour over the course of that time, I’m probably only out a few bucks over the annual payment price.

I don't follow here. PIA is a paid third party VPN. So you're advocating to use one just like this, but not PIA?

Yes. He advocates for third party VPNs, but PIA was acquired by a shady company, so not them anymore, because there’s now a reason to distrust them specifically.

It seemed pretty clear to me.

PIA meets 100% of the criteria outlined in that post however with no discussion of how to determine or measure additional criteria like future possible bad behavior based on corporate ownership, which was the genesis of the whole thread.

Ostensibly the "paid" portion of the criteria is a proxy for incentive to not do shady things like show ads or distribute malware.

The lengthy commentary was done more to draw attention to himself rather than convey any real threat by PIA's corporate changes.

This is an interesting turn after PIA committed to "open sourcing our software" in March 2018:


20 months later, PIA open sourced its iOS app, older versions of its browser extensions, and 2 Swift libraries. Everything else is still closed source.


Thanks for bringing this up commoner and really appreciate your patience. You are absolutely right that we are open sourcing our software - there were some delays as we completely rewrote our desktop application from scratch.

This was a major concern from our new partners as well, as they have been asking us to release the code as well - we are all on the same page here.

While I can’t give an exact date, I’m confident that the rest of the code will be released in 2 weeks or less. Along with our QT/CPP cross platform application, we will also be open sourcing our search engine, private.sh!

Hope this helps and sorry again for the delay, Andrew

Two years of patience?

You can still open source in-progress software.

Usually, Subreddits are created by fans of the service. This is the first time I'm noticing a complete corporate subreddit. All the moderators are the staff of PIA. [1]

It will be interesting to see how much they accept criticisms on the subreddit about PIA.

1. https://old.reddit.com/r/PrivateInternetAccess/about/moderat...

The Go language subreddit had been modded by Google employees. They lost interest and decided to shut it down and there was a bunch of hubbub. In the end they thankfully decided to give the subreddit to the community.

Google capriciously shut something down?!

It's not that uncommon. The stadia subreddit mods are all Google employees as well, for example. I agree it's not an ideal setup.

It's technically against the Reddiquette:

  Please Don't


  Take moderation positions in a community where your profession, employment, or biases 
  could pose a direct conflict of interest to the neutral and user driven nature of reddit.

Something to add though, it's informal.

> Reddiquette is an informal expression of the values of many redditors, as written by redditors themselve

But I guess it makes sense for Reddit to move away from that rule. That's how you get big campaigns with companies like Adobe. Not by taking away their sub-reddits.

Personally I think I even prefer that though. Better than having heavily biased "community moderators", which is the case in way too many sub-reddits.

I seem to recall the "League of Legends" subreddit having a meltdown when its mods were found to be simply compromised by the company, rather than employed by it

Reddit was not happy with the r/Blizzard mods during the blitzchung thing.

Redditors are basically never happy with anything. Their ideal world is some place with no rules except that everyone else is forced to read their comments. Unfortunately, such a place does not exist.

Most forums on the internet are like that and it’s not exactly unexpected because people who care about writing something in an Internet forum will also be pedantic about what they want. This forum is no exception (you can pretty much see this in action whenever electron is mentioned)

Many people try to reduce complex multi-variate situations into simple variable situations and then lambast people on other forums if their chosen variable turns out to be different.

I just saw an example of this last week in mobilereads forum. Unhappy with iBooks and the kindle apps I’ve been reliant on Marvin for quite a time. But the dev has vanished from the scene for last 2 years. I just investigated if creating a commercial replacement would be a good idea but good god, the one forum where people have been talking about Marvin can have extremely ultra specific needs for a very unreasonable price expectation. After reading that forum I’m not exactly surprised that the dev chose to abandon the goal post.

I don't really have a problem with it when anybody can create /r/stadia2 and do a better job.

Happens a few times. For the Endless Space/Legends series of games, we made their community manager a mod (they are essentially running the subs, but don’t have founder status and technically we could intervene if they behave in questionable way). It usually depends on who created the sub. Some of them are set up as official channels, others are community-run but with good relationship with the company (an example for the latter would be the paradox subreddits, they are independent but have a good relationship with Paradox).

The Peloton subreddit is full of non-disclosed astroturfing accounts.

What are they astroturfing? TdF vs Giro? Contaminated beefs? Caliper vs disk brakes?

Edit: or are you talking about something else than r/peloton?

They may mean r/pelotoncycle, which is for the in-home exercise bike.

> Contaminated beefs

I’m not that into cycling, what’s this about?

Alberto Contador initially won Tour de France in 2010, but tested positive for traces of clenbuterol. He blamed it on meat he had been eating. It has become a meme in cycling circles.

Whether critical or loving, we really appreciate any and all feedback from our users and the community. We accept all criticism with open arms and, furthermore, will not be censoring our subreddit as that would undermine free speech - the very thing we are fighting for.

I thought that was against Site Rules? To have employees be the mod's

It's tolerated but advised against as far as I know.

the /r/pfSense subreddit also has a bunch of Netgate staff as moderators

r/bitcoin was taken over by Blockstream corporation and it's heavily moderated.

Open discussion of Bitcoin is at r/btc. https://www.reddit.com/r/btc/comments/9lfjrb/frequently_aske...

"Heavily moderated" does it a huge disservice. The narrative is controlled, with any dissenting opinions removed and accounts banned. The sub is completely censored, see for example:





That, of course, has nothing to do with Blockstream.

Except that all Blockstream projects are not only allowed, but promoted on r/bitcoin. If the subs own rules were followed they should be banned.

For example how Liquid, a centralized sidechain that goes against the idea of cryptocurrencies, is promoted as a "solution" to many of Bitcoins problems. But any critique of it is banned.

It's obvious that the mods are somehow associated with Blockstream. Only a Blockstream employee such as yourself would disagree.

This is an outright lie.

In fact, r/btc is controlled by for-profit entity (bitcoin,com which has little to nothing to do with Bitcoin the project) and has advertisements blasted all over the subreddit page.

It is the furthest thing from a lie and can be verified by anyone who wants to try posting to both subreddits. Anyone can also go to a site that shows deleted comments and see the discussions that get deleted on /r/bitcoin.

The point is no one even remotely involved with Blockstream is in a moderator position in r/bitcoin.

This is in contrast to r/btc, which is absolutely indisputably run by Bitcoin,com (the business) employees.

That's an obvious lie, people payed by blockstream directly or indirectly have been in control of the sub for years, deleting any thread or comment that contradicts the narrative they want to push.

The difference between my claims and yours is I challenge readers to validate the claims themselves instead of taking my word for it.


This is a well worn topic and I think you know that. Surely you realize that anyone can google bockstream takeover on reddit, but are counting on people not doing research.




I lost faith in PIA caring about privacy of its customers when I noticed how they use unique tracking codes in their newsletter emails. I never received a response when I asked about it.

Did not know this

Care to explain in detail, please?

Just about every single one of the email newsletters you receive from anyone does this. It's for tracking clicks to links in an email, opens of an email, etc.

Not apologizing for PIA - They definitely shouldn't be doing it if they're trying to advocate for privacy. But just stating it's extremely common practice and the default for most email services. I use it on my e-commerce websites so that I can send specific emails to people who have viewed a certain page, abandoned checkouts, opened a certain email but didn't convert, etc.

We had an issue with PIA's Android VPN breaking our app, they never responded to our PGP'ed ticket and the email address embedded in their PGP keyblock bounces.

I wonder what will happen to Freenode now: https://freenode.net/news/pia-fn

>I wonder what will happen to Freenode now

Well, they're already pushing this cryptocurrency scheme https://freenode.net/news/spam-shake

Thank you for bringing this to our attention mehhh. I will get into this PGP bouncing issue immediately. In the meantime, please feel free to contact me with PGP - my public key is pasted below and you can mail me at a at londontrustmedia.com:


mQINBE28x2gBEACdADSTytv3SNIpOfwQqnWauesXCPgCrOar+Qjt9JITwxZLj/eiYtynG3HNwSo+ VZRQIQqTVO3mtov++Bx7/ZiQC7aylEr4l4g8cL1Y0KtVGWG5GtIBmbP7r4xHZaSlWf0mbNRrjEoT Bn4rQaLuGE8jvPDR9ZszXzgQmDjIXwx1/NJP2+XJ8MghJX3eH7nPyAjDMKM9TsF6KbYrKUPPsH4F jqINMW9Yo24RLdhHnJpLEJLDQNsvakUz8r+YqFTuKsiZcS7BrWWQODTCmWq//HoUUW7UfE76E8Qi mAh8CoRvJktY8cJoHK6fm9oVpKVMp2bhbnha7HbggOdcEnawUqsdjPMY6iA6gx9aqIZ32bjfBx6+ N/XLDh1cLjVLQonRov4DQAve0o4nxKBp6drozhUD8Yw4ROv+vJPxp1wxqq4L0+FEXpORB1rvNewn zyEXNGd8JX3YuStj87isGCytnzcYOc8wa1zhbmF+iM0YIi2DWu9EeWv80oNCA0i+aVcpr3jkARhf ii8w7vSHt3SzaT1TAqtgkH0i9LCXng8jieGgEGWMTXnjcMWeg0tNfAwsUd3ikLw77dN/o/6d0X5S JkDy8003XesclKoJgsVK3l/9yfFVTChHjWJNqx8By2OwRA8ITAaJHb1e/sbqiF+nf1B4A031SxLE xbESOszXuVtJjwARAQABtChBbmRyZXcgTGVlIChyYXNlbmdhbikgPGFuZHlzbEBnbWFpbC5jb20+ iQI4BBMBAgAiBQJNvMdoAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRABYTG6kOhpIQAB D/9HMeFMIWMkYk6dY+039vxlQq2sGl93+/VyCrlgoGm0BFw3oV7xm/uAI1jxJHG2Slt34p7Vzi4w nGi+k65Tj5CwbuPy91zeSpIgh7FPszvZACxg4jR+Rza37sj9FV6CLYQsQ2JWyaiqPOVM4Ejr384a lFkJfItCXxpeGHo42BefIci4NNdCiIWB0xvg38i2y8m9w1/3IaMezjix5QZKfOrD50lQCW5i6M1H FjFwXrE/yL4esUnJamRCSwCfZmCa3PZi+5RWr4vNBXktiUc0Aum/zHsKLHLEKuGoB3bqn9TMEpVE 6akCZnKh4T7oCn3Ou+u5tyi6DFfHbM8qnORl2qf9siJ794+FOdmbrcmxis0MoMRtdCKHLZdYQAol 8X266nKWWm/JFLqM2CcmBuQKWLb4LfAUBhXklnc+606Si4rI02eBcsMEvc/pLB+gZ4eF9dM7n47O PuLTeS0W0khsXvspneDmWN5fYr5hkxsg7FKBjQX6nx4ImnwpBc/ZDCbCEDLvIIXPEDf0pUkNUmh8 6Zh7cx6JKdKgn3GPxHP3sLzOzP7UXsaMdet3/Vcm476nTnHwjDXF5pQJG3hPhcqG1vIjDS/k53xD TDXiK+Ll4oyyNnNhUkFOBhnV3TDUC8+AImoBMhkTRLRlBvmVI5Z45cpPQFx8TLXV52zpT10Q/swC TbkCDQRNvMdoARAAtp38Gnxna31fkzbdXPBlsw9khwHO2AUajJZoDh16HaovFMX4O+T5ILXJxz26 Cd3OD76yhl3mo7gLNiYB8hHjPkftXopGsEWMpsSuID58z7/vz90qvDPCSEGM0EEaI2YZcjgLPNIm KDAe3DDYy7bVkkQR47rzLmFC2HF5IwhwTnpBpYpW2ZjQkAx/H0zwPph1AdxozLHu/yzo+hUhmr8n z2G5B92u04CPhcm4VwCoaP6FSYvpO/12Fc0gN8jvjZgOfYvbhcsA76Snt3u5UtxW2cYx5xlJsRcE bRsowiajc15pZaPxEV/Od5yUFTun6NztGinRmWN0zIhoBaM3dwTDOV0cOuFP6TroYSTyvRAznvpe vqHnxJy42luAHyfc8SeBtVYtCV6dDMOi8ervfa8YWFIjiVpcYAXCkFga1gzNJu14yJkVDFHHEttv VqFids5AoscxyfvT2m46KCH85rHqm6jvkH1cQQkkB6/WiIj5aQhBv3cOJ3R3dsmdTk+/OdIPbVDr oHdrTbxQsmm3AnE4pex5WiGxDt7vh8hvdT272eV6vZaGNZcM9pfFDwQVab1wWamSJ/VGxKEOXckV 2hVzEfmXhe7nmHGQ1hUI0JAZiTREAoDqxYvTOLkKqhb8piVenThwqPoLZyvTLYuVd9daOVPrDDBb M49L0+HctG6Ite0AEQEAAYkCHwQYAQIACQUCTbzHaAIbDAAKCRABYTG6kOhpIQABD/0bH/nYM72c BnSZH/6nYVaT9/xVkFC4er7xhiDQosQlUwv+nwEt9jt6zt7R++jCAefsV2DwybtXo8l0ZXLTOCND Hvq5GEzt+C9lVJffcp8EFl4HGUyc42X3/XtGSiArp1LN7vH9T+BjW7BLhEgtpWYYozaaf5SslqeO EWHdU0hdjSabvD9i1H1JV78TL27WvNXBO5MyDnFiHAB3W8ANI6mtV6o0YrvJRyiuU+P27ML4EoDo ew0BR1kYnCq6zJk6cyGa+i47NrjiSewomAQVGvB8Wk986KiSASzYCkStlIA9Tau/yeLdUkhXk9XD f7ueOggPC4jhIknzGXEMgJgufIfHfXDqxHvKwibU3F9wM6pjB/NrH1Fx6SGruELZvNy4kvKd+L6B Ba5ZAiYtkx7ZcLx/bcfxMcu2dg+sRWW698Vb9KN05kwblXwUPkEw4+00G+OFHJZx9KpezrgnJ0pR Sbv5VscBHyFWsGtzsxRs5dh1OHgnSnqoLsXhP4cT5vYSyvUXKP8jFMqUItVljAt/E3ePXIffIRq7 sreHnGsdDp0DyGZXLW78HnJp6/1QXRzq/URlWarVc98YjPgEkXJviV1o5GAVLsuvN+xRC6Llz2rD bKOq/Tzb1SaHtJOPJomcRP6691h0CHMI4ind71KhyJD2vmHwBA/enYuh0ank5J4LTw== =P6L+ -----END PGP PUBLIC KEY BLOCK-----

Freenode is a non profit organization that benefits from support from Private Internet. It is not owned by Private Internet. We are serious fans of IRC and the open source community, so it makes sense for us to divert profits to orgs like freenode among others.

To be clear, we also donate to other orgs:


Our new merged company will continue to do the same as we are in fact the same company going forward - just much better resourced.

Freenode and PIA have different parent companies, freenode hasn’t changed owners so nothing will happen to it.

You’ve written this twice in this thread but how do you square it with this: https://freenode.net/news/pia-fn

Sure, that was back in 2017 as per the date in the blog post itself. Then this month from Kape themselves I've described here https://news.ycombinator.com/item?id=21614447

You are just plain wrong. They’re both owned by the newly formed “Imperial Family Companies” and they both show up under the portfolio, along with the rest of the brands that used to be part of LTM.


To be clear, this is a brand new site that was created in the last few days, they bought up the domain for 15k a few days ago (https://domainnamewire.com/2019/11/12/21-end-user-domain-nam...)

Any recommendations? This looks bad really bad. Cybergoast a previous VPN bought by Kape went to shit.

For the Pia engineer who ends up reading this. I have bin a Pia user for 5+ years. I have recommended it to friends and family. Now I have to tell them all to cancel.

Mulvad seems to be a good option.

Seconded. It's Mullvad, tho, not Mulvad ;) I have been a customer since a while and cannot complain. They support wireguard, which is nice, and of course plain OpenVPN connections, but offer apps for various platforms too. They do not pay for reviews, which is nice (and quite telling that other do), they are own by to Swedish guys. Their price is a €5/month (for simultaneous 5 VPN connections, no data caps) and you can pay in cash* or bitcoin if you want.

And no, I am not paid or otherwise compensated to write this, or affiliated with them other then being a customer.

[*] They even say: "Please avoid writing your name or address on the envelope."

> bitcoin

Do they take any other cryptocurrencies, or would I have to convert some other coin into bitcoin to pay them?

OpenVPN is nice, since my OpenWRT router can be a client.

EDIT: I emailed Mullvad and received a reply within 15 minutes! and it answered my questions accurately! I think they win the customer service award for today :D

What was the answer?

Bitcoin or bitcoin cash are accepted payment methods.

They have openvpn instructions for openwrt at https://mullvad.net/en/help/openwrt-routers-and-mullvad-vpn/

And their clients are open source: https://github.com/mullvad/mullvadvpn-app

(sorry for not replying earlier!)

Agreed, this looks really bad. And Mullvad is a good option.

So are AirVPN, Insorg and IVPN.

Edit: For background, see https://www.computerweekly.com/news/252466203/Top-VPNs-secre...

Tunnelbear as well.

I'm not a customer of either, just been researching alternatives since tis news hit earlier this week.

IIRC Tunnelbear is known to sell info on the clients. It's not a fringe story to my knowledge, but alas I don't have links on me currently.

Can vouch for Mullvad. A happy customer for years. There customer service is great!

they looked bad long before this. I don't know why this story didn't get me attention:


someone from PIA's patent company was caught trying to smear other VPN's but forgot to hide his profile image.

> Is NordVPN being defamed?

Any article on the internet that uses a question mark in the headline is either clickbait or dealing in suppositions, not facts.

Can wholeheartedly recommend https://ipredator.se

There are real privacy enthusiaists behind ipredator.

Just cancelled my subscription.

Looking for alternatives now. Is NordVPN any good?

Mozilla is planning something, subscribe for updates:


Presumably, they'll partner with a vendor that they can audit, but who knows.

Having worked at Mozilla I'm confident lots of individuals would leak if forced to build backdoors :)

Hard to trust an american company, given the track record of the government influence.

Hard to believe any VPN company provides serious protection from the American government. In the highly unlikely event that the company won't cooperate they can just comprise you outside that channel. See everyone who thought Tor was enough to evade the US government.

I trust Mozilla to not cooperate with anyone less powerful than Uncle Sam which is a lot more than most shady fly-by-night VPN operators.

If you're using your VPN as protection against your ISP, wifi provider (internet Cafe, school, workplace, home), or some other MITM you're better off with a service run by a serious company, with a lot to lose from a scandal and a long track record of not lying and being technically competent.

If you're looking to hide your browsing from the US government you should a) give up or b) definitely not use a commercial VPN.

I would not trust Mozilla in 2019, they have proven time and time again they will sell their users, and privacy down the river for Business Gain

That inevitably leads me to ask about your web browser. What are you using and why?

Any examples?

Really? do you not follow the news at all?

1. Their Backdoor of Advertisements Plugins (Ref the USA network Ads for Mr. Robot)

2. Their Forcing DoH through CloudFlare

3. Their change to require OptOut instead of OptIn for most Privacy violating features (like User Telmentary data)

4. Their starting of the Mozilla Ministry of Truth strait out of an Orwell novel

5. Banning of Plugins due to Ideology

6. Their recent push for Online Censorship

That is just a start

NordVPN is a security nightmare. I usually recommend either Mullvad or TunnelBear depending on whether you care more about quality of service or ease of use.

TunnelBear was acquired by McAfee last year.

I use NordVPN, didn't know it had a bad reputation (purchased it because of a promotional offer). Care to elaborate?

The problem with NordVPN isn't that they had a breach and their keys were leaked (ok, well that is huge fucking problem) due to a forgotten KVM but that they didn't fess up till 18 months later when some independent researcher brought that to light.

Also they spend huge amounts of money on advertisement and their promotions contain lots of misinformation.

Just cancelled too.

Given all the shilling and backstabbing in the online VPN recommendation industry, it’s hard to trust any advice now, not even comments here. God knows who’s a shill.

But those geoblocks and the occasional need to anonymize activities... Really hard to solve. (I know Tor. Tor is too damn slow.)

Actually, far worse than the shills are the cancelling virtue signallers who have nothing better to do than 1) quit a service because someone tells them to; 2) go running to that forum looking for approval by telling them "I cancelled!"

Oh look, you're one of them. (pat on head)

Buy a pre paid Visa card in cash and rent a box from a cloud/VPS. Install OpenVPN etc and set up auto updates.

How many countries are left where you can buy an anonymous credit card in exchange for cash? That is, over the counter in a physical store?

Don't the Know Your Customer laws banks have to adhere to mean that anonymous cards are essentially a thing of the past?

In the UK you can buy a "travel card" with cash at any Post Office counter, they are just regular MasterCard cards and can be used like any other debit card, including online purchases. They are even reloadable and contactless too.

Post Office travel cards are not anonymous. They have to be activated and photo id is required to buy them over the counter [1].

[1] https://www.postoffice.co.uk/travel-money/card

It might be far easier to buy crypto via an ATM. Sure, it will cost a bit more but you will have some anonymity.


Very common in almost many stores in the US, Large companies like Walmart, CVS, Walgreens, sell them

Plus in many places you can bring in Change to a CoinStar can convert your coins to a Visa Gift card

Nord is good - at marketing.

Get ProtonVPN. Same owners as ProtonMail.

I don't recommend ProtonVPN - tried it and if you're torrenting they throttle you to 20Mbps. Shady past connection to NordVPN / Tesonet also a concern.

I’ve never had any throttling occur. Are you using a free plan or paid?

Paid "Plus" plan and connecting to their dedicated P2P servers in Switzerland and Sweden. Definitely getting throttled by them to ~20Mbps while torrenting. Tried a competitor VPN - no throttling, torrenting at full speed. Glad I only paid for a month - they won't be seeing any more of my money once the month's up.

They've got a black friday special for vpn + mail.

...but sounds like their IMAP is broken from googling. Not sure I can live with that.

Isn’t proton mail a Chinese data collection company?

source? Or am I missing a joke here?

Proton VPN seems to work well, although the privacy advantages of being in Switzerland seem to have eroded over time.

I can vouch for Mullvad. They don't do paid promotions like Nord or Express and enjoy a fairly good reputation. You can actually even pay them cash by mailing a fiver to Sweden with your account number on a note lol.

That's another plus. You don't actually have to register an account with them, but instead their website generates a random number for you that you use to log in. All in all they appear to be very transparent.

I love this one: https://airvpn.org/ "A VPN based on OpenVPN and operated by activists and hacktivists in defence of net neutrality, privacy and against censorship."

Yes, +1 for AirVPN and their client Eddie which is in complete rewrite mode now, so we can expect awesome things. :)

In this space is also https://riseup.net/en/vpn but I dislike they want you to use their custom client, just rubs me wrong.

Cryptostorm.is and ProtonVPN. Mullvad is good too.

So dramatic! I'm sure it is quite a burden on your soul having to tell all your little friends and family to cancel! Oh, the tears!

I've been on the fence about cancelling my subscription to PIA after being a user more than five years. This prompted me to finally do it.

I'm not sure there are any companies left to trust.

This is the problem with several privacy companies and one that we don’t take lightly. At Private Internet, we are heavily focused on research and, specifically, have been focused on creating service architectures that limit or remove the need for trust altogether. That is what Zero Trust and Zero Access are about, and it’s the only direction we are heading. That’s why, for example, we launched private.sh, a search engine that you don’t need to trust.

That being said I do want to mention, most VPN companies won’t sign a binding agreement not to log - whereas our partners at KAPE signed an entire binding mission statement which you can find here:


It doesn't seem very trustworthy when the whole page talks about how much they value privacy, then the video at the bottom of the page requires you to enter an email address to watch it.

Also no https://

This is the kicker here. Nothing else matters.

A business dedicated to privacy is completely incompetent if they can’t even use HTTPS.

I cancelled my sub minutes after learning about the news. I would hope the PIA engineer can see through what buyout propaganda they are being fed and see the writing on the wall.

The user seemed to only omit HTTPS. It certainly is configured for SSL.


The company is still incompetent if they're not forcing that HTTP request to HTTPS.

Server sided redirection mistake. Most likely crappy developers were hired, or they don't care about their website in general.

Incompetent seems a bit harsh. Sloppy or careless is more accurate

Defaulting*, forcing it can ocasionally be an issue.

I'm cancelling mine because of this as well. Your bank should know enough to keep locks on it's doors...

Friendly reminder: Azure and AWS both offer a free tier of VM which are perfectly sufficient for a personal openVPN server. Azure even has a preconfigured option in their marketplace that's easy to set up in a legal jurisdiction of your choice.

Probably so does AWS and even DigitalOcean, but I'm most familiar with Azure because of my own preference for open source (Azure's orchestrator is https://github.com/microsoft/service-fabric/). After the free year, a minimal always-on VM costs about $13/mo.

First that costs too much for many.

Second, you don't just want to prevent MITM, you (hopefully) also care about site's tracking you. For example, you have a Linux/Firefox user-agent and you are browsing HN in private mode, you close the window and start over. No cookies or other artifacts of the previous session remains but your user-agent and IP combibation is unique enough to identify your device. Now if you are using a VPN service there might be at least a handful of Linux/Firefox users out of millions that share the same IP.

Third, most VPN users like the geoip flexibility it allows them (bypass filtering or access different content).

Fourth, a VPS dedicated to this one service means you are now the admin of one more server that needs to be patched and supported by you (admin overhead)

Fivth, some sites block you if you use cloud provider IPs

Sixth, some VPN providers specifically host their infra in privacy friendly jurisdictions and take precautions cloud/vps providers might not (legally and technically).

Seventh, reputation. No one will bat an eye if Microsoft let some country's law enforcement have logs of your traffic in Azure. But by design, outbound VPN traffic can only be logged on the VPN server and it would ruin their reputation if they disclosed logs or tampered with traffic which translates to monetary loss.

VPN services are far from perfect but they hardly have any replacement. Just pick one with a good reputation.

For example with PIA, they are incorporated in the great surveillance kingdom of the UK, which is why I avoided them. They did not take the neccessary legal precautions and their freenode aquisition made little sense from a profit perspective which all in all suggests a grand scheme/vision not obvious to customers.

It depends on your threat model. If you're worried about threats below the level of major nation-states a big company could make more sense. If for example a VPN company was caught bundling malware with their VPN client they would be over, but their owners would loose much less than Google would under the same circumstances.

Google will cooperate with big governments, but you can be confident they aren't owned by the Russian mafia.

If you're dealing with nation states, all the big cloud providers have NSA presence in their network. Even without that,secret warrants are a thing and VPS providers rent datacenters from someone else ,that someone else (azure,hetzner,ovh,etc...) also rents out infra to VPN providers. The only differrence is VPN providets sell VPN while VPS providers let you access the whole vm.

The only differnce is how a VPN provider can be incompetent or malicious. It is less likely for MS to be incompetent but so long as the nation state is a western nation,they are more likely to be malicious.

I guess it does depend on your threat model but I would say for most people who don't have specific threat in mind they should exclude highly sophisticated attackers much like how you don't secure your housr against sophisticated bank robbers that might pull a heist on you.

> The only differnce is how a VPN provider can be incompetent or malicious.

Agree completely

> It is less likely for MS to be incompetent but so long as the nation state is a western nation,they are more likely to be malicious.

Yes, but as I argued in the comment you replied to the difference in maliciousness is effictively infinitesimal because the govt can get access to any VPN provider.

There are different factors to consider,even if Microsoft intentionally infected people with ruddiam malware, at worst they get a fine and bad PR with tech circles -- their cash cows windows and azure remain unaffected. With a VPN provider like say Freedome , any sign of malice will cost them not only their VPN business but Fsecure's ability to provide infosec services. Same with ProtonVPN and ProtonMail, and unlike Microsoft the CEOs are much more likely to be held accountable since they reside in countries like Finland and Switzerland where privacy laws are very strict. Those countries may not like it if Microsoft did the same thing but they can't extradite Microsoft's CEO and even if they do the company is not incorporates in those countries. You want a VPN provider to be run by well known people that are not too powerful or too connected and reside in countries that will hold them accountable. Their main revenue stream needs to also depend on the reputation of the VPN service.

> Their main revenue stream needs to also depend on the reputation of the VPN service.

I disagree with your last statement completely. A company dependent on VPN revenue will be incentivized to do whatever they can to get and monetize VPN customers. A company that offers VPN services as a side operation that isn't financially key to their operations won't be incentivized to lie to gain users, cut costs to compete with other VPN operators, or use malware to monetize their user base.

Microsoft could not care less if you pay them a few dollars a month for a VPN. They're certainly not writing software to target people running VPNs on Azure and inject tracking and ads to make a minuscule profit. But - if news broke that they were abusing any Azure users - Microsoft would lose a significant amount of corporate and government business.

Can you name a single example of Microsoft exploiting anyone with malware? No, because the resulting reputational crisis would devastate their ability to sell their "cash cows".

Fsecure's infosec business is worth a minuscule fraction of Microsoft's businesses, and thus the potential losses from being exposed as a scam are much less.

In contrast, 57% of the top 150 free VPN apps on the Google Play Store contain code to get the user's last location, and a small number request permission to read SMS messages and take pictures https://www.bleepingcomputer.com/news/security/malware-user-...

Your comment on extradition isn't particularly relevant. Users abused by Microsoft could sue Microsoft in US court, and Microsoft would face significant legal and reputational penalties if they broke the law.

In contrast, while Finland and Switzerland do have strong privacy laws, that doesn't mean it's impossible for a "Finnish" or "Swiss" VPN provider to get away with violating user privacy. A criminal VPN provider could for example claim to operate in a country they didn't, or incorporate in a country while residing in a country less likely to prosecute them. Not saying I have evidence this happened, I am however saying that the fact that European countries in general care more about privacy doesn't make it impossible for a European company to get away with violating user privacy.

>For example with PIA, they are incorporated in the great surveillance kingdom of the UK, which is why I avoided them. They did not take the neccessary legal precautions and their freenode aquisition made little sense from a profit perspective which all in all suggests a grand scheme/vision not obvious to customers.

This summarizes my thoughts very well.

If the reason you are using a VPN is to avoid potentially untrustworthy middlemen, sure. But if you are after the privacy benefits of sharing an IP address with thousands, then a self hosted VPN won't help you.

Why not ? Unless your instance has a reservation of public IP you are sharing the outbound IP with thousands of other traffic. The actual problem with such setups and VPNs is the constant captcha because you are not using a residential IP range

> Unless your instance has a reservation of public IP you are sharing the outbound IP with thousands of other traffic

On which cloud provider do you share an outbound IP with others? AWS, Linode and Digital Ocean all assign a public IP per instance.

To add: with my own DigitalOcean VPN I rarely see captchas, but some sites block that ASN (like crunchyroll).

Isn't $13/mo quite expensive compared to the cheapest VPS on any cloud providers ?

The bandwidth on Azure might be better, but the first tier on OVH, DigitalOcean and Scaleway begins at 3$/mo and you still have 100mbps.

>Friendly reminder: Azure and AWS both offer a free tier of VM which are perfectly sufficient for a personal openVPN server.

No, it's not. Both have zero or very low amount of free egress (5GB max). After that you're paying $0.1 per GB of egress traffic.

>After the free year, a minimal always-on VM costs about $13/mo.

It's $5 at Linode, and that's not run by a company known for spying on users.

I think Vultr has the cheapest option at $2.5 for a VPS with allowance 1TB of traffic. Scaleaway offers similar options, too.

Also see a recent news.yc discussion on cheaper hosting: https://news.ycombinator.com/item?id=21172818

>I think Vultr has the cheapest option at $2.5 for a VPS with allowance 1TB of traffic.

AFAIK that option uses NATed ipv4, so it could dicey unless you know that you have ipv6 everywhere you go.

Kinda defeats the purpose though?

You lose the benefit of your traffic being aggregated with lots of other traffic.

AWS bandwidth is a killer though

Use a LightSail instance and get 2 TB of data transfer included for $5/month.

Digital ocean would be $5 per month. I’m not sure what their logging/privacy policy though because I found their terms documents so broad and confusing

I pay ~$3.5 for my dedicated server and already consider it expensive...

For a dedicated server? Or a VPS?

dedicated server

> Subscribed since: November 23, 2014 12:10 (Yearly payment)

I could simply not have asked for a better day for this to surface on HN :D

PIA also very strangely bought freenode and has since engaged in a number of suspect activities.

Could you elaborate on this?


Announcement: https://freenode.net/news/pia-fn

Weird ad for PIA guys cryptocurrency scheme: https://freenode.net/news/spam-shake

PIA and freenode have different parent companies, but what are these suspect activities? The network would be in an uproar if they existed.

PIA is a trade name of London Trust Media, not a separate entity. The copyright on the bottom of PIA's homepage names LTM, and you can see the registration if you search for 20181014437 at https://www.sos.state.co.us/biz/BusinessEntityCriteriaExt.do

Freenode's registration doesn't show any change in ownership since their acquisition: https://freenode.net/news/pia-fn https://beta.companieshouse.gov.uk/company/10308021/filing-h...

If you believe there are different parent companies involved, please link sources.

From a quick search: http://investors.kape.com/~/media/Files/K/Kape-IR/reports-an...

  announces the proposed acquisition of LTMI Holdings
Freenode was bought under LTMH. Confusingly similar names, but different companies.

  o Plus Ultra – a software that speeds up internet connections
  o LibreBrowser – a completely private browser
  o Private.sh – a private and encrypted search engine based on proprietary cryptography technology
And then includes a list of what else the acquisition actually includes. No freenode listed there.

Thanks for the reference! I found LTMI's registration in Delaware (file numbers 6362713 and 5806497; 4797091 looks unrelated). I see how this doc says Kape is acquiring LTM, but Freenode's announcement specifically says it's coming under PIA. Other things line up, like Christel being the Freenode admin and PIA Chief Communications Officer, even writing a blog post about this acquisition: https://www.privateinternetaccess.com/blog/2019/11/the-conti...

Besides this document's omission, what leads you to think Freenode is not part of PIA?

Edit: I'm not trying to make an ad hominem here, but I see in an earlier comment you describe yourself as the CEO of irc.com, which is also a PIA project (in some sense - again, I don't know the legal relationship or if there's a separate entity). So it sounds like you know what you're talking about, and I hope you can help find or make public some material support for the claim that Freenode is unaffected by this.

Indeed another comment further up cites his involvement before he'd admitted it. Everything about PIA is super shady. rasengan has always been a bit off, and some of his comments show glaring holes in his knowledge of his own field. ryanlol nailed him to the wall pretty handily a few days ago. It's almost like some comments are normal, some are like the PR guy grabbed the keyboard. All I know is I wont touch PIA or Nord anymore

Hoo boy...like what?

This is the same PR blabbering that occurs with any acquisition. It means nothing just like any other. I’m cancelling and changing providers. Does anybody have recommendations?

I'll be going from ProtonVPN to Mullvad because Mullvad does not offer any deals (which, in a way, I like as besides it being honest for a low price it allows me to unsub for a month). ProtonVPN with Secure Core is just too expensive IMO but the primary reason is Mullvad offer WireGuard, and when I looked them up I saw no red flags whatsoever. You could argue "Sweden" but not all ProtonVPN employees are residing in Switzerland either, so they could be coerced.

Thankfully, I don't have to worry that much about it. My only concern is that they don't keep logs and that they're not automatically updating and loading my PC with malware.

Though, if PIA ever put malware in their installer it would be like hitting the self-destruct button.

Neither do I. I don't tunnel 0/0 through VPN; only some BitTorrent traffic. This is civil court work; not criminal court. That the NSA (and EU counterparts) can figure out what I use BitTorrent for, that I take for granted. They're [in this use-case] not my adversary.

Can anyone give some substantiated information about Kape? Why is so bad? All I found was FUD.

What will happen with Freenode now?

The submitted title was "PIA bought by company known for distributing malware". We changed it to the article title in accordance with the site guidelines: https://news.ycombinator.com/newsguidelines.html, which ask "Please use the original title, unless it is misleading or linkbait; don't editorialize." One reason we have that rule is that we're not in any position to decide the truth or falsehood of contentious claims.

Time to go. Any suggested alternatives?

I went to Mullvad personally.

I've never used these VPN services before. Is it possible for them to MITM a connection?

Yes, they can install certificates that enable MitM.

That's one reason why I never use custom clients for VPN services. That is, no binaries.

I just get the OpenVPN PKI stuff, and use stock OpenVPN.

> Yes, they can install certificates that enable MitM.

Well, only if you give them permission to. Just use a non-provider specific client and you're okay.

I don't use them, so I don't know whether they'd ask specifically about the TLS cert. It might just be something about "web security" or whatever.

And about using stock clients, that's what I said :)

From openvpn.net or in Linus distros or in pfSense, for example.

Not if it is an encrypted connection and you are using a third party client, no. PIA supports OpenVPN and IPsec (IKEv2, iirc), for which most operating systems already have r either native or popular trusted and secure clients for.

Sorry, I must be missing something obvious so please let me know, but VPNs are literally MITM: they terminate your encrypted connection with the client and stablish a new connection with the outside world from their end. So doesn't matter if the client is trusted, they can do whatever with the data before relaying it to the outside and before encrypting and sending back to the client.

> VPNs are literally MITM: they terminate your encrypted connection with the client and stablish a new connection with the outside world from their end

I think you misunderstand how VPNs work.

They tunnel, not terminate traffic. It is effectively a NAT service, with extra steps.

Take the scenario of a TLS connection to www.example.com:443 []

Connection A: Direct to the internet through my ISP.

I'll make an outbound connection to, and the IP that the remote sees will be the public IP that my ISP has assigned me. All traffic on that TLS connection is encrypted and my ISP can't view the content.

Connection B: Using a VPN Service

I'll make an outbound connection to, and the IP that the remote sees will be the public IP that my VPN Service has assigned me. All traffic on that TLS connection is encrypted and neither my ISP or the VPN provider can view the content.

In both scenarios, the TLS Connection is direct to, and my client will and should verify that the presented certificate is for cn=www.example.com (or a SAN with that cn), and signed by one of the Root CAs that my computer/software trusts.

Thank you, I wrote "with the client", but I meant "with the server". Your description cleared some misunderstandings I had.

What about an unencrypted HTTP connection, or any unencrypted connection whatsoever?

Couldn't those be MiTM'd?

Yes. But whoever is in the path of your connection to the server you're talking to can man in the middle you.

It's your fault if you're trusting an unencrypted connection.

Yes, just like your current ISP can without VPN.

Certainly, but the thread is about encrypted connections.

What you are describing is a proxy server and not a VPN.

> but VPNs are literally MITM

I don't tunnel 0/0 to them. You don't have to either. I only tunnel my BitTorrent traffic through them [...].

Can anyone vouch for mullvad VPN?


They're recommended by PrivacyTools.io¹ You can read more about their methodology² and what's wrong with most other "VPN review" sites.³ They're also a top pick from wirecutter.⁴





Your plan will expire on October XX, 2020. Well... shit!

I believe that the title should be changed because: "In late 2012 Sagi acquired the start-up company Crossrider for $US 37M." [1]

That alone tells you that Kape's (or rather, Crossrider's current owner) had nothing to do with their past actions, and could be therefore considered libel.

Moreover, post that someone linked with all the proof is pretty much a lot of FUD, and while I'm not happy with the sale, I fail to see any actual proof being brought up.


Whoa, whoa. You're the one misleading people here. Sagi (a person) purchased Crossrider outright for $37M then RENAMED Crossrider to Kape.

It's even more clear that the Crossrider "Adtech" (read Adware) was produced by the very same company Crossrider which is now called Kape. They are one in the same.

> current owner had nothing to do with their past actions, and could be therefore considered libel.

I'm not sure that follows. When you buy a company, one of the things you're acquiring is that company's reputation -- for better or worse.

But the title of the thread insinuates that Kape is known for distributing malware, not the company it had acquired. I personally believe that there's a big difference between saying: "PIA bought by company that also acquired a company known for distributing malware" and straight out claiming that PIA's acquirer distributes or has distributed malware at some point in time.

Kape _is_ Crossrider. Crossrider was renamed Kape and a new CEO was put in place to "exit the advertising market" transitioning to cyber security.

What PIA is this about? Pakistan International Airlines? Who also own the Roosevelt Hotel in New York? Famous for the livery with the green tail marked PIA.

How about clicking on the link? It's in the path, the subreddit name and the post.

On a second look the sub Reddit is named privateinternetaccess, but nowhere on the page can I see PIA expanded as such.

You have to employ basic reading comprehension skills sometimes

It is common copy editing practice to expand an acronym it appears the first time in a text, that is all.

I’m sure the government would love to get rid of them but the unions wouldn’t know who to DDoS

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact