People should NOT trust free VPN services at all: as you don't pay, the level of service is not guaranteed. What's worse, who knows what the service provider is doing with the data flowing through the tunnels to cover the operational cost (and goal for profits)?
Actually, I missed this point. Thank you for pointing out ;-)
I think that's why more and more open source tools (scripts or automation {cook,play}books, etc.) have been made available to enable people to self-serve and build their own VPN service ;-)
The problem with personal VPN services is that it can be pretty trivial to reverse who the traffic is coming from (eg by requesting the billing address from the VM hosting provider).
This may not be an issue for some people, and for those who it is an issue, there are ways around it (I'll leave that part of the post for someone more experienced than I, as I don't want to risk giving out bad advice). But it's worth bearing in mind when signing up for a VPS in view of running a VPN.
I think that's pretty unlikely to be honest - or at least easily avoided. There are enough reputable hosting providers out there (Amazon, Google, Microsoft, OVH, Digital Ocean, etc etc) that there isn't really any excuse for signing up with a provider who does MITM your VMs' traffic.
That all said, I'm not excluding the possibility of providers logging network connections passively. The way around that is to run more than one VPN; that way any particular provider only has visibility of either the destinations but not the source, or the source but not the destinations. I'm not recommending that people need or should run two VPNs though - just adding it as a workaround against passive snooping by hosting providers.
There's not much to trust anyway. If you're using it for geoblocking, you probably don't care that some company knows you're watching some movie. HTTPS websites are still safe if the app isn't somehow hacking the browser. Non encrypted traffic was never hidden from much anyway. My ISP even injects ads into HTTP websites.
One side effect of schools blocking websites is students downloading and using free VPN software. They have no money, and it works well enough for "unblocking" websites as far as they're concerned. Rip privacy.
Can you elaborate where you are seeing this? Is this at the post-secondary level or lower? I worked in higher-ed in the US and almost uniformly our institution and those we talked to in mailing lists were adamantly anti-blocking. Remembering back to when I was in HS and our library was outfitted with a few donated computers that shared a 56k connection, I know they had a net-nanny installed, but that was quite some time ago.
Schools blocking stuff is very active still - it's extremely prevalent up to and including high school, and only a handful of colleges do any sort of filtering.
Furthermore, kids find increasingly shady free vpns as IT blocks more and more free vpns.
Lots of kids will use free vpns to get their SAT/ACT/AP scores a day or so early.
Some standardized test scores are released on different dates depending on the location of your IP (divided into zones like Eastern, Central, Western US, and International).
> We test individually each one of the 150 VPN apps under consideration.
> Two people executed a total of 5,340 tests manually for three months and connected to all end-points mentioned in the GUI of a given VPN app.
Okay, that's brilliant, but I'd love to see the actual data as well. Even if it's impractical to include the data in an appendix (page number limitations in the published work, et cetera), hosting it online and linking to it in the article would be great.
Perhaps you're confusing VPNs with Tor. The latter seeks to provide anonymity; the former protects traffic traveling over a potentially untrustworthy network. Sure, a lot of folks seem to use VPNs lately as just a proxy to bypass geoblocking or whatever, and that works if the upstream endpoint is in the right place - but that's no reason to get confused about what the tool under discussion actually is able to do.
A lot of people are using VPN providers to download illegal content via torrents. And in case there are no logs on the servers (which most providers advertise), the copyright holder has no way of knowing who you are, since they only see that the traffic is coming and going from the provider's IP address.
Those people are in for a series of nasty surprises if copyright enforcement ever grows teeth, because whoever's providing such a VPN service with backhaul certainly has enough information to tie them to their activity.
If they don't store logs they don't have enough information. That is the reason why a lot of companies that provide this service are incorporated in countries that don't require them to do so.
I can run a VPN service and not store logs. I can't prevent whoever sells me that service's bandwidth from storing logs, which they likely will do for troubleshooting purposes if nothing else.
> A VPS from DigitalOcean or something beats most providers' pricing.
Does it? A VPN subscription costs around $40 a year, DigitalOcean starts from $60 a year for the lowest level standard droplet. Am I overlooking something?
I'm currently posting through a VPN running on a VPS I discovered through Low End Box, works just fine for browsing and downloading. 500GB transfer per month for $10 a year.
Providers have the advantage of offering multiple geographic locations without having to spin up a new instance every time you switch, which may be useful to some people though.
What I've noticed is that if you pay for premium service, the apps keep the connection up way better and offer nice features, like switching your country from an easy menu.
That being said, I've been quite happy with http://privateinternetaccess.com/. A good Android client, fast, they don't ask for any personal information when you register, they say no logging, the Android app doesn't ask for any permissions and so on. I can choose the key length and additionally block all connections if the VPN is not connected.
Those were my thoughts. My guess is that people are falling for "FREE VPN NOW!!!" type apps. Running your own VPN is easy for the HN crowd, but well beyond most users. I'm lucky enough to get a free, high-speed VPN via my ISP, but I suspect that is very uncommon as well.
In my case, it's because I've found IPSec considerably more of a pain to set up and maintain than OpenVPN, which iOS doesn't natively support. (I don't think Android does, either.)
In the general case, it's because most folks don't have the knowledge and skill required to set up either - nor should they have to.
With the increasing adoption of IoT devices and their generally crap (but not actively malicious) security, it would seem like a no-brainer for ISPs to offer VPN capability on the CPE as part of the basic service package, with UPnP configured to expose on the VPN interface rather than the public one, and with dynamic name resolution included to make configuration an easy one-time process. It'd help with customer retention, I think, and it'd surely improve network stability and throughput by reducing the quantity of attack traffic.
> Why would you need a third party app on Android?
Because the consensus seems to be that if you use any VPN besides OpenVPN you're a moron, and therefore some built-in solutions for some OSes only support OpenVPN.
Now I'm all confused. Let me check the built-in support for OpenVPN: Windows - nope. Android - nope. Linux - nope. iOS - nope. OS X - nope. The consensus you are referring to seems to be quite imaginary - or I'm missing something. What is it?
Looked at the report to see if they'd reviewed TorGuard and apparently they... don't realize it's a VPN service and think it's related to the onion router. Kinda undermines their credibility a bit if they can't even identify the tools they're auditing properly.
Actually, their report is much more credible because they note the difference between TorGuard (and a few similar apps) vs normal VPNs. To actually quote the report[1]:
> 67% of Android VPN apps claim to provide traditional VPN services (labeled here as "VPN clients") including enhanced security and privacy, anti-surveillance or tunnels to access geo-filtered or censored content. Note that we consider Tor clients (e.g., Orbot, Globus VPN and TorGuard VPN client) as a separate category.
That seems a pretty fair distinction.
Notably, the report doesn't include the word "onion" in it at all, so I'm not sure where you got "[they] think it's related to the onion router" from.
"Is TorGuard related in any way to the "tor" project? No. The reference to "tor" in TorGuard relates to "torrents" and guarding one's privacy when using BitTorrent. We are not related in any way to the "tor" project, however the company does support it through donations."
Ok, I entirely agree they (and I) are wrong. But obviously I'm going to take the position that it isn't unreasonable to think something called "TorGuard" has something to do with Tor.
If you're just doing a google search then yeah it's reasonable. It's less so when you're a professional who's supposed to be an expert on these things. If you can't spend more than 5 seconds double checking the accuracy of your research why should I trust it?
As far as I know, the Android VPN API does not expose setting up IPSec or IKEv2; it just creates a TUN device and forwards all the IP packets to you, and it is up to you to handle them, therefore most devs, I guess, just send the packets without encrypting. This does not mean they should be insensitive, but it is not surprising that most people have chosen the easy way. I guess iOS allows setting IPSec and IKEv2 VPN profiles, but I did not try it. And, to actually create TUN-device-like functionality, it requires manual permission from Apple, as OpenVPN did.
Many I know who have recently started using these free VPNs only do so to skirt content filtering on free wireless networks. They do not have any expectation of security or privacy and are not conscious of the possibility of their traffic being collected or inspected by a rogue third party.
Slightly off topic, but I'd be interested while I have the VPN people here to hear opinions about Softether. I've been using it for a while and like it. But I can't get much independent information about it from a security point of view.
I once looked extensively into Softether. It's the work of a Japanese professor and his lab. It's over a million lines of code because it squeezes different VPN protocols into one server. IIRC it might even require some binaries as a prerequisite to installation. Nobody has ever audited its source code (how could they? it's million+ lines), and it has not been popular long enough to have faced serious scrutiny.
I would assume it to be insecure against a motivated attacker.
That's interesting. Guess that might be a problem for the people who use http://www.vpngate.net/en/, which I know the Softether guys created expressly to help people circumvent government-level firewalls.
They don't really mention anything about Opera VPN... but they do call out its previous incarnation, SurfEasy, for the use of tracking/ad libraries. I wonder if the current Opera-branded version has removed those or not...
> Only less than 1% of the negative reviews relate to security and privacy concerns, including the use of abusive or dubious permission requests and fraudulent activity, for the 9 apps listed in Table 7.
Of course. People don't install these VPN apps because they want their traffic to be "secure" or "private". They install them because they want to bypass geographical restrictions for content.
Nobody cares about traffic being insecure, or ads being injected in pages - users just want to see that geolocked video and get on with it.
Install and configure your own VPN services (IPsec or OpenVPN), use strongSwan (Android native client which works great with RSA authentication with x509 certs, now supports importing VPN profiles in json format, cool) and OpenVPN.
Several past discussions on hacker news to start with:
- https://news.ycombinator.com/item?id=13351211
- https://news.ycombinator.com/item?id=13425728
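As an added illustration of the self-hosted IKEv2 setup with RSA/x509 authentication that the comment above recommends (this is an example swanctl.conf written here, not configuration from the thread or from the strongSwan project; the hostname, certificate file names and address pool are placeholders):

```conf
# swanctl.conf (strongSwan 5.x / swanctl) - responder side for mobile clients.
# Assumptions: server cert and key are in /etc/swanctl/x509 and /etc/swanctl/private,
# the CA cert in /etc/swanctl/x509ca; names below are placeholders.
connections {
    roadwarrior {
        version = 2                    # IKEv2 only, no IKEv1 fallback
        local_addrs = %any
        # IKE proposal: AES-256, SHA-256 PRF/integrity, ECDH P-256 (no weak groups)
        proposals = aes256-sha256-ecp256
        pools = rw_pool                # virtual IPs handed to clients
        send_certreq = yes
        local {
            auth = pubkey              # server proves identity with its RSA key
            certs = server.crt         # placeholder: server certificate
            id = vpn.example.com       # placeholder: must match a SAN in server.crt
        }
        remote {
            auth = pubkey              # clients must present a cert signed by our CA
            cacerts = ca.crt           # placeholder: issuing CA certificate
        }
        children {
            net {
                local_ts = 0.0.0.0/0   # full-tunnel: all client traffic goes through
                # ESP: AES-256-GCM (AEAD) with PFS on rekey
                esp_proposals = aes256gcm16-ecp256
                dpd_action = clear     # tear down SAs for unreachable clients
            }
        }
    }
}

pools {
    rw_pool {
        addrs = 10.10.10.0/24          # placeholder: client address pool
        dns = 10.10.10.1               # placeholder: resolver reachable only via tunnel
    }
}
```

Load it with `swanctl --load-all` and check that `swanctl --list-conns` shows the `pubkey` authentication on both sides, which is what prevents a client without a CA-issued certificate from connecting at all.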