I deal with a lot of abuse originating from "VPN" browser extensions. I've spent a lot of time looking at how they operate.
A surprising number of these are implemented as open HTTPS proxies. You don't even need the extension installed to use the proxy, nor any kind of authentication. The extension just fetches a list of proxies that the company has configured and picks one.
The free ones are rather questionable. For example, Hola makes your computer part of an expensive VPN service (sold under a different name) aimed at bypassing IP bans[0]. On some the free tier is made so inconvenient that you will almost have to subscribe to the paid tier if you're using it legitimately (but it's usually usable if you just want to get around some ban).
There used to be some ad-supported VPN providers, which would ironically trade away all of the privacy you'd normally otherwise get by using a VPN, making them only useful for ban/block evasion. These have mostly died out now that ads == tracking is common knowledge[1], but I'm still very suspicious of "free" providers that offer generous access without payment. It's difficult to prove that logs aren't collected, and they could just as easily be collecting and selling user logs.
If you're in the market for a VPN, pick a reputable provider that has no free tier (you should make sure that you are the customer and not the product), and ideally one that also provides actual VPN servers and not just a browser extension that connects to proxies. Another good option is to set one up yourself using a cheap VPS.
I don't know how that would work but it's interesting to think about.
I don't think it would be possible if you're depending on a single entity? I don't see a way a provider would be able to prove they are not logging connections, for example.
Note that you don't need an extension to proxy in Firefox, which has built-in support for SOCKS proxies (go to "Options" and search for "proxy"); all you need is an SSH client and a server that you can SSH into (`ssh -D 1234 foo@example.com`). I don't use it for privacy (rather, to prevent MITM on public networks), but it seems to avoid the pitfalls discussed in the article (e.g. does not allow split tunneling and DNS is resolved over the proxy). However, I suspect that if you were running a Flash or Java plugin then that could make network requests that bypass this proxy.
Firefox has a checkbox to force DNS through the tunnel. Also,turn on dns over https in firefox and it won't do DNS lookups. I don't know if plugins are allowed to interface with host system's network stack,but if they're not then even plugins may not be able to bypass.
I bought a two year subscription to NordVPN a while back simply to use for -
1) Slightly better security/privacy using airport, cafe, etc. wifi
2) So I can watch iPlayer, YouTube etc. in different countries.
Do Nord keep logs? Are they based in a five eyes country? I don't care to be honest. I don't use it to protect myself from that. I use it to get around stupid geo-retrictions and to make it hard for an attacker to intercept my data when I have to send an email at the airport.
While on the subject I haven't had any issues with Nord, they are not the cheapest but no way near the most expensive either. Their iOS, Android, macOS and Windows apps are all very nice to use as well or you can do it manually with OpenVPN or whatever but that is more hassle that it is worth for me personally.
They protect against ISPs. My ISP, Comcast, regularly and as part of it's policy performs man in the middle attacks on subscriber connections in order to insert malicious javascript into user requests from 3rd party websites.
If hiding from your ISP is your threat model then a VPN is fine. It'd be better to use individual per-application tunnels though so you can still host servers with your ports locally and participate in the internet as an equal. Using a full VPN you rent prevents that.
> Comcast regularly and as part of it's policy performs man in the middle attacks on subscriber connections in order to insert malicious javascript into user requests from 3rd party websites.
Wait what? This is the first I'm hearing about this!
When it happened it broke websites' functionality (ie, it'd pop up in the Steam store browser and I'd be unable to close the pop-up within and have to start over). I even had it pop up between me and my bank website's non-HTTPS front page.
They may have desired to notify me of things but it's obvious what would happen. Those who implemented this system were not ignorant. They were malicious. Those above them telling them to do so may have been just ignorant or stupid.
These days I tunnel everything through one of my remote VPS.
If you want privacy, why not use a real VPN like IPSec or OpenVPN? Both work on every operating system and both are fairly easy, from the client perspective, to set up. If you want a VPN and are willing to pay a service provider for it, why would you not go this route?
On the client side, configuring an IKEv1 VPN (IKEv2 doesn't support Split DNS yet) in MacOS, iOS, and Android is a piece of cake. You specify the server, username, password, and pre-shared key. Done. If you want to use a certificate instead of a pre-shared key it's a bit more work, but still do-able.
With iOS devices you can provide a profile file that has all of the settings already baked in so it's even easier. OpenVPN is similar, though you need to install an OpenVPN client first.
With a use-case of "I'm paying a 3rd-party to secure my traffic", which matches what these "VPN" extensions claim to provide, then the answer is simply "Wherever the 3rd-party runs it".
I can't read the original article, but I'd hope it has a rational discussion of threat models?
I don't necessarily assume my VPN is 100% secure; I do trust a company that I pay money to more than I trust that nobody's sniffing my traffic at a rando coffee shop.
I think the biggest risk a random user faces is when a single entity is storing their connection history and then sells it (or it gets leaked, or demanded by law enforcement).
Some rando at a coffee shop sniffing my traffic will get a tiny portion of my online life, but my ISP or a few other large firms can build a much bigger privacy-destroying picture of my behavior.
My concern with a large VPN company is that there is now a single place where all my traffic can be gathered, trivially.
As an aside, I use Striesand - https://github.com/StreisandEffect/streisand - to create my own VPN. I generally create a new one every week or so with a simple script and I tend to rotate hosting providers fairly regularly. It's definitely not completely secure, but it's very fast, very cheap and works well for all my devices.
>As an aside, I use Striesand - https://github.com/StreisandEffect/streisand - to create my own VPN. I generally create a new one every week or so with a simple script and I tend to rotate hosting providers fairly regularly. It's definitely not completely secure, but it's very fast, very cheap and works well for all my devices.
Interesting. I'd be interested in hearing more about how you did that. Algo seems to require a human in the loop to generate and insert an API token.
Honestly? My VPN setup works for me, so I haven't particularly bothered to spend time investigating alternatives. It's not that I do or don't trust it more than Tor.
That said, the few times in the far past I've tried to use Tor as a VPN, it's been slower and less reliable than the VPN I pay for (especially on my phone). Using a regular VPN also makes it easier for me to do things like spoof my country for region-locked services.
(If I was going to bother making a change, it'd probably be to hosting my own VPN server on a VPS provider instead of specifically paying a VPN provider)
For what it's worth, Tor does support choosing the country of your exit node, and is not as slow or unreliable as it has been in the past (although still not as fast as just using a VPS), but I watch YouTube over Tor without noticing anything unusual.
To flip the question around: what benefits does Tor give me over my existing setup? I can see an ideological argument, and I can see the $5 or $10 a month savings, but — especially given my threat model is well enough served by a VPN — I'm curious if there are other practical benefits of Tor that might help overcome the obvious downsides (more complicated setup, slower)
> I can see an ideological argument, and I can see the $5 or $10 a month savings
That is the benefit of Tor.
There's also the fact that the VPN provider is in a position to know where your traffic is both coming from and going to, and there is nobody who can do that in Tor.
> An error occurred during a connection to archive.is. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
Depending on how popular (and cheap) your VPN is, you may find that many of it's IPs have just as nasty a reputation as Tor exit nodes do when you try and access services.
A surprising number of these are implemented as open HTTPS proxies. You don't even need the extension installed to use the proxy, nor any kind of authentication. The extension just fetches a list of proxies that the company has configured and picks one.
The free ones are rather questionable. For example, Hola makes your computer part of an expensive VPN service (sold under a different name) aimed at bypassing IP bans[0]. On some the free tier is made so inconvenient that you will almost have to subscribe to the paid tier if you're using it legitimately (but it's usually usable if you just want to get around some ban).
There used to be some ad-supported VPN providers, which would ironically trade away all of the privacy you'd normally otherwise get by using a VPN, making them only useful for ban/block evasion. These have mostly died out now that ads == tracking is common knowledge[1], but I'm still very suspicious of "free" providers that offer generous access without payment. It's difficult to prove that logs aren't collected, and they could just as easily be collecting and selling user logs.
If you're in the market for a VPN, pick a reputable provider that has no free tier (you should make sure that you are the customer and not the product), and ideally one that also provides actual VPN servers and not just a browser extension that connects to proxies. Another good option is to set one up yourself using a cheap VPS.
[0]: http://adios-hola.org/
[1]: https://blog.cyberghostvpn.com/en/ending-free-version-cyberg...