The trouble with VPN and privacy review sites (privacytools.io)
181 points by dngray on Nov 21, 2019 | 120 comments



I appreciated that Wirecutter's review of VPN services began with investigating which ones had contracted for 3rd party security reviews. This presciently excluded many providers that were all about marketing, like NordVPN. I think this is the best approach rather than the litany of mostly useless criteria that's cataloged on ThatOnePrivacySite. You want to extract out the high signal, and "will my VPN service get hacked and all my traffic get leaked?" should probably be your first question when choosing a service.

https://thewirecutter.com/reviews/best-vpn-service/#how-we-p...

Full disclosure, I'm the author of AlgoVPN, a set of scripts for hosting your own VPN rather than using a 3rd party service, and was interviewed by Wirecutter for their article. You should use Algo if you're at all capable of doing so: https://github.com/trailofbits/algo


In terms of privacy, isn't running your own VPN pointless?

I mean, it is basically just changing your IP and putting an additional hop in. You aren't mixing with others' traffic, making it very easy to fingerprint you.

I guess this is all dependent on someone's threat model, but I am not really sure if there is any benefit of running your own VPN besides being slightly more sure your VPN provider or someone who hacked your VPN provider isn't watching you.


It provides you protection on a hostile local network, such as a hotel or a restaurant. Like you said, it does not achieve the anonymity level a public VPN would.


> protection on a hostile local network, such as a hotel or a restaurant.

Or an American ISP.



> I mean, it is basically just changing your IP and putting an additional hop in. You aren't mixing with other's traffic, making it very easy to fingerprint you.

If that IP is in Russia, on a cheap supplier that has hundreds of similar VPS sitting behind a NAT, I wish em luck in fingerprinting you. Or extracting logs for that matter.


VPNs are not for anonymity. Never were.


It could be somewhat important/interesting to change your public endpoint with the internet to pass country-based filters.

Besides that, as others pointed out, it's a safe way to get out of a compromised network.

And with a DNS blocker on the VPN endpoint, you are also able to block ads/tracking scripts (think of PiHole).


Let me add to the chorus of praise for Algo. As a journalist working around the Middle East it at least gets me out of the local censored internets and isn't blocked like all of the popular VPN services.

It seems like the thing that someone could roll into an iOS or android app for even easier deployment.


It's tough to create an Algo app without inserting Trail of Bits between you and your VPN server somehow. I want to eventually create an app, but my requirement is that the end result is trustless and I never see any of your keys. Maybe in 2020!


Have you tried Psiphon? It's one of the few free ones I trust (I know the guys in the team very well) and is built with the journalist threat model in mind.


Importantly, their funding is explicit and safe: VOA


That's fantastic, but in terms of threat model, you're still trusting AWS/DO/GCE/Azure/whatever. My hope with a good VPN service is that they'll run their own servers in a data center, so they're slightly less subject to audit than something running on AWS.


Right, you're always trusting someone. If you don't use a VPN (or Tor or I2P) you're trusting your ISP. If you use a VPN service, you're trusting it. If you run your own VPN on a VPS or server, you're trusting the provider.

Also, you can't trust what a VPN service says about where their servers are, how they're managed, and so on.

So you need to distribute trust. [Please see my other recent comment about how to do that.]


You can also take the antagonistic approach. Use a VPN service from the North Korean government. They will surely spy on you and try to attack your network. But they also won't share data with any form of law enforcement that could reach you.

Probably a really bad idea, but the principle is clear. If you want to minimize legislative reach, take a service from the other side of the planet. Maybe not Australia.


Yes, that's something I recommend.

And using nested VPN chains, you can pick appropriately.

For the first (entry) VPN, I use one that's innocuous and popular for streaming etc. For the middle ones, I pick ones that are either apparently honest or do business from jurisdictions that won't likely cooperate with my country's. And for the last (exit) VPN, I pick another that's innocuous, with IPs that don't often get blacklisted.


The question is: What are you trying to achieve?

Access the internet via an anonymous SIM card (tethering), then use Tor to access your VPN (paid in Bitcoins, money order or whatever). This gives you a decent level of anonymity, if need be.


Are you aware of any VPN services where this is the case?

Do you think the internal auditing and security controls at an independent data center would be more effective than those at AWS or Google?


There are some VPN services run on dodgy VPS, but apart from that I'd wager almost everyone either rents or colocates physical servers. A terabyte of outbound traffic is around $170 on AWS but around $5 at a regular data center.

You can get good security arrangements if you colocate in sufficient volume (locked rooms etc). That's where reading security reviews is useful.


Amazon Lightsail - $3.5 for 1 TB, $5 for 2 TB of outbound traffic per month.


Some of Mullvad's servers are privately hosted, and they tell you which ones:

https://mullvad.net/en/servers/


ProtonVPN has its own servers in a former Swiss army bunker. These are only a few of the many, but they offer routing to other servers through their Swiss center, which they market as "secure core".


How would anyone know? Except for the NSA, I guess.


I am capable of running something like AlgoVPN, but more importantly I'm interested in having disguising traffic: getting "lost in the crowd". In your view, what is the best to accomplish that?


Tor.


Thanks for the Algo tools! Do you know of any cloud service that doesn't get blocked by popular services (e.g. Netflix)? It seems Netflix, et al, know DO, AWS's IPs and block traffic coming from those servers.


Try a few low-budget VPS providers and see what works.


This is somewhat a non-value adding comment, but thanks for your work man! I'm using a VPN set up with Algo now for day to day use and I love it!

I am going to try to figure out how to deploy a home VPN solution using it this weekend.


"Does not claim to provide anonymity or censorship avoidance"

Well, a VPN provides privacy, not anonymity. But setting up a VPN is trivial. In fact, I could do it with a one-liner in the shell.

"censorship avoidance"

This is the tricky part. You may want to look into Softether.


>Does not install Tor, OpenVPN, or other risky servers

Why do you consider OpenVPN risky?


> OpenVPN does not have out-of-the-box client support on any major desktop or mobile operating system. This introduces user experience issues and requires the user to update and maintain the software themselves. OpenVPN depends on the security of TLS, both the protocol and its implementations, and we simply trust the server less due to past security incidents.

Writeup with links available in our FAQ: https://github.com/trailofbits/algo/blob/master/docs/faq.md#...


This sounds great! Can I ask you an obvious question, which is why should we trust you and your code / created service? I'm constructively positive on an answer to this.


As far as I recall the answer is that it’s open source from top to bottom.

Not that it's relevant to trust in Algo, but I also recall some very acrimonious exchanges on HN previously when discussing Algo, based on trailofbits's support of USA govt spying. I cannot recall what the accusations are though, so if anyone who knows more could help me out that'd be great.


Uhhh, I have no idea what exchange you're talking about.

It's a well-documented fact that we work with DARPA on a number of research programs, which lets us release things like this to the public:

https://blog.trailofbits.com/2019/11/01/two-new-tools-that-t...


Hey, thanks for responding. To be honest I have looked and looked for it. Perhaps I am mis-remembering, or conflating two separate things.


I've been using servers spun up by this for two years now. Worth it for the DNS blocking abilities alone. Made phone browsing tolerable again. Thanks!!


If you're using a VPN only to block ads, consider https://blokada.org (Android) or DnsCloak (iOS) [0]. Both these open-source apps run a local-only (no servers) split-VPN (tunneling port 53 traffic to remote DNS resolvers). Whilst Blokada NXDOMAINs ads and trackers using on-device blacklists, DnsCloak can forward queries to any DnsCrypt or DoH resolver (for ad-blocking purposes, one could use AdGuard [1]).

If you want to point Android/iOS to a custom DoH/DoT resolver, https://getintra.org (Android) does DoH whilst Nebulo (iOS and Android) [2] does DoT. Setting up DoH/DoT resolvers (say, using NLNet's Unbound) might be cheaper than a full fledged VPN?

[0] https://apps.apple.com/us/app/dnscloak-secure-dns-client/id1...

[1] https://news.ycombinator.com/item?id=18788410

[2] https://git.frostnerd.com/PublicAndroidApps/smokescreen


It's sadly a dealbreaker for me that you have to download an app to use it on apple devices.


You don't need to download an app to use Algo on iOS! It creates an Apple profile that installs an IKEv2 VPN. Algo _also_ creates a WireGuard profile which does require an app. It's your choice which one to use.


Do you mean the WireGuard app?


This appears to be a story about how commercial VPN review sites are untrustworthy because they accept advertising from commercial VPNs, written on and with promotion for a site that provides reviews for commercial VPNs and accepts sponsorship money from those VPN providers.

A pox on the entire commercial VPN "industry". They all deserve each other.

While I don't think you should use any of these commercial VPN servers, I'll give props to WireCutter for at least attempting to do a serious job of impartial reviews.


PrivacyTools doesn't have a deal with any VPN company or any other company. They can become our sponsors, but they won't get listed as our recommendation on the website [1] (we don't even have any sponsors at the moment); also, we can't profit from it personally, and everything is transparently shown on OpenCollective [2]. We even give a huge red warning that a VPN is not going to help a lot and that you should probably use Tor instead [3]. Also, we removed a lot of VPN services from our site some time ago [4][5].

[1] https://www.privacytools.io/sponsors/

[2] https://opencollective.com/privacytoolsio

[3] https://www.privacytools.io/providers/vpn/

[4] https://github.com/privacytoolsIO/privacytools.io/issues/113...

[5] https://github.com/privacytoolsIO/privacytools.io/pull/1174


Why can't every VPN review site say the same thing? Serious review sites don't accept sponsorships. This one does. Should it be taken seriously? I don't take it seriously.


> Why can't every VPN review site say the same thing? Serious review sites don't accept sponsorships. This one does. Should it be taken seriously? I don't take it seriously.

1. We currently get _no_ money from _any_ VPN provider (our site makes other recommendations too that are not related to VPN services), our finances are very transparent:

https://blog.privacytools.io/privacytools-io-joins-the-open-...

https://opencollective.com/privacytoolsio#section-goals

2. Being a part of the sponsorship program does not get you on the website, you must still meet the criteria which a VPN provider could do for free (so there's no incentive for them to pay us anything).

3. We don't use referral links

4. No single member of the team can add/remove things (everything is also logged in git commit logs). Pull requests also require more than 2 members to sign off. Technically jonaharagon as owner could add things, but it would be pretty suspicious if new VPN providers started appearing without any discussion.... lol. I know I'd be asking questions.


Or, like reputable review sites, you could just not accept sponsorships from vendors.


I use a VPN for privacy, which is great, but routing my traffic through it will exclude me from sites that try to block VPNs (mostly streaming services).

What I really need is Cloudflare's WARP via wireguard config. I love the idea that they'll shield me from my ISP but still provide my real IP to service providers.

I can do this right now with a hack someone wrote https://github.com/maple3142/cf-warp but I don't want to anger Cloudflare.

Cloudflare, if you're listening, is it ok to extract wireguard credentials from your app and use them on my whole network? I'll gladly pay the $5/mo, but I don't want to be banned from Cloudflare or do something you may construe as illegal by extracting keys from your Android app.


You could email them and ask for this feature.


The problem with free review sites is that once you've built up trust as an honest, objective reviewer, the most effective way to profit on that trust is to violate it.


This may be true. But that doesn't mean the best strategy is to completely burn your reputation. Even if the only way to profit is to sell out, it's usually better to sell out slowly and collect much more sustainable revenue over a longer time frame.

There are a lot of equilibria where most free review sites are mostly, but not completely, trustworthy. With enough review sites in that model, an end-user can effectively triangulate the objective truth with arbitrarily high certainty.


Man, that is bleak. Insightful and probably true, but really depressing to think about.


This article misses the most vital point: VPN providers are asking you to trust them, and there is no way to verify that. That's why I think DIY (e.g. Algo or Streisand) is the only way to go.


OK, but then you need to trust the VPS provider, and there's no way to verify that either.

Also, using your own VPN, you're likely the only one using it. There's zero anonymity. And so an adversary would figure that out, and then focus on the VPS provider.

The sad truth is that you can't trust anyone. So your best option is distributing trust. That way, compromise depends on collusion among providers. Or on their joint compromise by your adversaries.

That's how Tor is designed. User traffic gets routed through three relays. User clients pick the relays in advance, for each circuit. The first (guard) relay only knows the IPs of the user and the second (middle) relay. The middle relay only knows the IPs of the guard and the third (exit) relay. And the exit relay only knows the IPs of the middle relay and the internet resource.

And you can do the same thing with VPN services. That is, nested VPN chains. You can do it either using multiple pfSense VMs as VPN gateways [0], or, less securely, just with routing and iptables [1,2].

0) https://www.ivpn.net/privacy-guides/advanced-privacy-and-ano...

1) https://github.com/TensorTom/VPN-Chain

2) https://github.com/mirimir/vpnchains


Do DIY clouds give you anonymity? I assume that if I run my traffic through a VPN server in AWS and I am the only one operating and using the server, anything I do on that VPN can be traced back to me.


No, they (usually) don't. In fact, given that your ISP likely rotates your IP more often than your AWS server, rolling your own VPN may in fact be a decrease in anonymity in some cases.

The benefits to privacy would be:

- It may still make it harder for your ISP to track you, which can be worthwhile.

- It can still be useful to help hide your physical location, since your IP won't be in the same county as you. That's also not nothing.

For 3rd-party sites, you'll be making your traffic easier to correlate across domains, locations, etc... Up to you whether or not that's part of your threat model.


I run a VPN server via Vultr, and I've wondered if it would be worth the hassle to rotate instances once a week to solve this issue. So, every week, run a script that spins up a new instance, sets up the VPN, and shuts down the old one. If you use DNS to point to the server instead of a static IP address, this can be automated completely without even touching the VPN clients. Hell, if it works well enough, I don't see why you couldn't do this every night.


I recently saw a comment from someone really dedicated to privacy (I think they said they were a journalist) who scripted this via Streisand. They set up a new instance at the start of each day as part of their normal workflow. So I'm sure it's possible, and maybe not even too much of a hassle once you have the scripting in place.


The ISP retains records. It's not uncommon to get letters from your ISP telling you to stop torrenting that blockbuster movie you torrented last week because some law office reported your IP address at the time. So clearly someone can ascertain your identity through legal discovery if you just use your ISP.


You're right. I divide VPNs up into 3 choices:

- Rolling your own VPN (control your own infrastructure)

- Using an existing VPN service (crowd-based anonymity)

- Doing nothing (privacy nihilism)

Each decision has its own benefits and tradeoffs. If you're someone who torrents, you should probably be using crowd-based anonymity. If you really dislike the trust relationship you have with your VPN and you're technically inclined, you can roll your own VPN. If you don't want to spend the time worrying about this stuff, setting up a VPN on its own and doing nothing else won't make you private anyway.

I (very cautiously) lean towards advising people to use an existing VPN service, but that's not a strong opinion. I do think people who argue that rolling your own VPN is the only sensible choice are either full of crap, or haven't thought through the actual threat models real people face.

There's a big movement in some portions of the security industry to say that moving trust around isn't valuable, and that doing nothing is better than centralizing your trust. I'm not going to mince words, I think that's a really dumb perspective.


Thanks for the perspective. Very interesting.


> your ISP likely rotates your IP more often than your AWS server

Sure, but they retain records.


AWS also has records of which IP was associated with which account at any given time.


Yes. As does every provider of servers, VPS and cloud services.


If you're going to mention this point, then you need to mention that by rolling your own single-user VPN, you now no longer have plausible deniability.


If the premise is that you can't trust VPN providers then it may be better to forgo the promise of plausible deniability in the first place.


Some VPN companies have been tested in court. Some have failed. Some have not. The latter group lends evidence to the possibility that they are telling the truth.


It "misses the point" in the sense that it wasn't what the article was about at all, I suppose. Ultimately the point was that people need to be aware of VPN reviewers' practices; it is definitely not encouraging the use of a VPN. Otherwise I'd agree with you, which is why we wrote about and recommend self-hosting with Outline: https://blog.privacytools.io/self-hosting-a-shadowsocks-vpn-...


> VPN providers are asking you to trust them, and there is no way to verify that.

I don't trust my VPN provider. But I do trust Swiss privacy laws. At least more than I trust my American cable provider.


This is why I desperately want Apple to build a VPN service. They are already committed to privacy, and they've got a lot more to lose than some fly-by-night VPN service.


> They are already committed to privacy

They're also already committed to censorship, so I don't fathom how they'd run a VPN service.


Apple is vulnerable to a national security letter. They can stop your ISP from spying on you, but your data will still be shared with any number of 3-letter agencies and will still likely be vulnerable to logging and pressure from the media industry to accept and process DMCA notices for their VPN users. Apple won't say no if the RIAA threatens to pull content away from iTunes.


I predict Cloudflare will be the first major provider. If they don't already count (they have already done phones).


I only need to trust them more than my ISP.


...so instead of a VPN provider you put your trust in (a vps hosted by) Amazon or Google?


Think about the risk trade offs: Honest Bob’s VPN and Bait Shack is a niche business, probably an LLC or equivalent which can fail, leaving most of the assets untouchable, and the people behind it can just setup another shell company and start over.

Google, Amazon, etc. are huge businesses which get a ton of scrutiny by large business and government customers: if they get caught cheating, especially in a way which jeopardizes customer data, they'll lose orders of magnitude more money than any VPN user is worth, and as publicly traded companies in the United States they're going to have a much harder time avoiding legal consequences.


I respectfully disagree:

> and the people behind it can just setup another shell company

I think this may be true for the smaller ones, but not for the larger companies, like for example ProtonVPN. They would lose their entire business if they got caught "cheating".

> Google, Amazon... if they get caught cheating...

For example, Google is getting caught with privacy violations constantly/on a regular basis. Lately they were caught following Android devices even with Location Services turned off!


I started wondering which VPN might be best to use, then I realized, there's little comparison to your own server. Outline VPN is a neat open source tool that makes this possible with no server setup or maintenance required: https://getoutline.org/en/home


The point of using a commercial VPN is that you can share an endpoint with multiple users. Thus "blending in" with the crowd. If you choose to use a VPN endpoint that only you use, you lose all privacy benefits except the one against your ISP.


We totally agree :) For the vast majority of (non-Torrenting related) use-cases it makes far more sense from a privacy and security perspective. I even wrote a little guide on it: https://blog.privacytools.io/self-hosting-a-shadowsocks-vpn-...


The best approach I feel is how [1] does it.

A list, what features each provider has, and leave it to yourself to make the judgement. If you're being told why it's good there is bias involved somewhere along the line.

Of course, you need to understand whether the site has updated its information and is presenting it truthfully, which should be easily verifiable.

[1]: https://thatoneprivacysite.net/


That's mentioned in the article, but it does bring up the caveat that many consumers are just looking for an answer, not the information they need to form their own answer. That's why VPN review sites are so common, it's a quick and easy response rather than a list of features to sort through and compare.


If you're looking for VPN review sites, this is the only one with credibility IMO: https://thatoneprivacysite.net/#detailed-vpn-comparison

My personal recommendation is AirVPN, but I wish they supported wireguard.


AirVPN is the best, but PIA is ok if you're not doing anything illegal. They will shield you from any copyright liability. It all depends on your threat vector.

I think a lot of this VPN hand-wringing is really just meant to discourage VPN usage in general. There have only been a few cases of paid VPN services giving up user information, and they are well publicized.


Funny you mention PIA as they've just been acquired by a reportedly shady group.

https://www.techradar.com/news/cyberghost-owner-buys-pia-for...


> PIA is ok if your not doing anything illegal

Actually, they have "shielded" customers facing criminal charges.


I have been using Mullvad since forever (actually recommended by the site of the article). They are extremely helpful, and are generally recommended in VPN reviews that do not have affiliates (including the site you linked to).

They do have both wireguard and openvpn options, as well as an app with a GUI (with support for both).

My favourite part is the support though. I got help with weird OpenVPN configs that didn't get answered in the OpenVPN forums for ages, within an hour.

I am a very very happy customer.


+1 for Mullvad. Been using them since the beginning but never used their support so can't comment on that. One thing that bugged me was the general instability of Mullvad vs others, a few years ago connections would often drop or become extremely slow. For the last two years this seems to have been massively improved.

Connection dropping is one of the major issues with any commercial VPN provider. I recommend creating a script which runs openvpn and immediately after that "ip link set eth0 down" to prevent leaks.


Here's an interesting article about WireGuard: https://restoreprivacy.com/wireguard/

Check out section 2, "WireGuard privacy concerns and logs".


Mullvad claims to have solved it for their service:

https://mullvad.net/en/help/why-wireguard/


Just an SEO blog post that posts something obvious.

They mention ThatOnePrivacySite.net but criticize him:

"Here's the difference. They include virtually every provider — the good and the bad — and present them at equal value to sort through. Instead of providing their readers with answers, they provide them with information that can be used to deduce their own recommendations, based on their values as an individual. "

1st: providing them all guarantees that there is no conflict of interest

2nd: "Instead of providing their readers with answers" - you cannot provide this answer since there are tons of reasons to use a VPN.

"Your VPN provider should not be hiding away in Panama controlled by anonymous leadership."

This is also bullshit. In fact, some of the most resilient VPN providers provide no legislation at all. They only exist in cyberspace. "Sue us!"

I actually have written the ThatOnePrivacySite.net guy and asked him to put this VPN on the list: https://www.rapidvpn.com/setup-vpn-softether-ubuntu

It is the only VPN that I am aware of that works out of the box with SoftEther. I have not tried it yet. I currently use Astrill. Astrill is not cheap but works pretty well to circumvent censorship. A disadvantage of Astrill is that it often leaks DNS like a motherf....

This should prevent DNS leaks on Linux if UFW is installed.

ufw default deny outgoing
# with outgoing denied by default, the VPN client must still be allowed to reach its server on the physical interface, or no new tunnel can be established (placeholders, substitute your server's address and port)
ufw allow out on eth0 to <VPN_SERVER_IP> port <VPN_PORT> proto udp
ufw allow out on tun0
ufw allow out on tun0 to 84.200.69.80 port 53
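The rule set above as a small script, added here as an example and not code posted in the thread: it validates its inputs, prints the ufw commands for a tunnel-only egress policy (including the allowance the VPN client needs to reach its server on the physical interface), and can apply them. The server address 203.0.113.10, port 1194, interfaces eth0/tun0 and resolver 84.200.69.80 in the usage comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread: generate (and optionally apply) a
# ufw rule set for a VPN "kill switch": deny all outbound traffic except the
# VPN client's own connection to its server on the physical interface and
# everything that goes through the tunnel interface.
# Every IP, port and interface name passed in is a placeholder chosen by the
# caller; the values in the usage comments are constructed examples.

set -eu

# Accept only a plain IPv4 dotted quad, so a typo cannot turn into a
# wildcard or a hostname that ufw would try to resolve.
is_ipv4() {
    case "$1" in
        '' | *[!0-9.]* | .* | *. | *..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                     # split into octets ($@ is function-local)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the ufw commands, one per line, in the order they must be applied.
#   $1 VPN server IPv4   $2 VPN port   $3 udp|tcp
#   $4 physical interface (e.g. eth0)   $5 tunnel interface (e.g. tun0)
#   $6 resolver that should only be used through the tunnel
# Use the server's IP (not a hostname) in the VPN client config as well: with
# outgoing traffic denied, name resolution outside the tunnel will fail.
vpn_killswitch_rules() {
    [ $# -eq 6 ] || { echo "usage: vpn_killswitch_rules SERVER PORT udp|tcp WAN_IF TUN_IF DNS" >&2; return 1; }
    server=$1 port=$2 proto=$3 wan_if=$4 tun_if=$5 dns=$6
    is_ipv4 "$server" || { echo "bad VPN server address: $server" >&2; return 1; }
    is_ipv4 "$dns"    || { echo "bad resolver address: $dns" >&2; return 1; }
    case "$proto" in
        udp | tcp) ;;
        *) echo "protocol must be udp or tcp: $proto" >&2; return 1 ;;
    esac
    case "$port" in
        '' | *[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }

    # Loopback stays allowed by ufw's built-in before rules, so it needs no entry.
    cat <<EOF
ufw default deny outgoing
ufw allow out on $wan_if to $server port $port proto $proto
ufw allow out on $tun_if to $dns port 53
ufw allow out on $tun_if
EOF
}

# Apply the rules (root required); any failing ufw command aborts the run.
vpn_killswitch_apply() {
    vpn_killswitch_rules "$@" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd
    done
}

# Stand-alone usage (placeholder values):
#   sh killswitch.sh --print 203.0.113.10 1194 udp eth0 tun0 84.200.69.80
#   sudo sh killswitch.sh --apply 203.0.113.10 1194 udp eth0 tun0 84.200.69.80
case "${1-}" in
    --print) shift; vpn_killswitch_rules "$@" ;;
    --apply) shift; vpn_killswitch_apply "$@" ;;
esac
```

Run with --print first and compare the output against the existing ufw status before applying, since "default deny outgoing" also cuts off anything else the machine was sending.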


> It is the only VPN that I am aware of that works out of the box with softether. I have not tried it yet. I currently use Astrill. Astrill is not cheap but works pretty well to circumvent censorship. A disadvantage of Astrill is that it often leaks DNS like a motherf....

Should also keep in mind that a few years ago Astrill was using weak keys, like ExpressVPN. That really makes me wonder what they know about running VPN servers. I think you only get one chance with your reputation on things like this.

http://blog.zorinaq.com/my-experience-with-the-great-firewal...


Everyone is commenting on privacy, but isn't the main use for VPNs (at least in the US) to avoid the consequences of digital piracy?


Piracy is a case where you can't afford to give up your privacy for convenience, and common in the US, so probably yes. It is different in other countries. Lots of countries don't care about digital piracy enough to enforce restrictions. Pornography, access to uncensored social media, or just being able to email people outside of your firewall become the major use cases. It is still fairly rare to find people who are prepared to pay the costs for privacy just because they want privacy. I think that would change if the friction was reduced, such as Apple, Google or Microsoft including free VPN services built into their products.


Google already includes free VPN services for Android, although limited to public/open WiFi [0] or Fi users [1].

0: https://www.howtogeek.com/275474/how-to-use-androids-wi-fi-a...

1: https://techcrunch.com/2018/11/13/googles-project-fi-gets-an...


That's an aspect of privacy, no?


I had to giggle a bit. The article claims that "[...] you'd have to scroll down to #6 before you found a provider that wouldn't pay them [...]" on an "unnamed review site". The service in their list at #6 would be "Mullvad".

Looking at their own list[1], "Mullvad" is the only VPN provider listed at the top of the list under "Recommended VPN Services".

Just something that caught my eye and which I considered an interesting coincidence.

[1]: https://www.privacytools.io/providers/vpn/


Yes, and this is because it meets the criteria: https://www.privacytools.io/providers/vpn/#info

Specifically, the item that got it there was that they had external auditing.

> Mullvad's VPN clients have been audited by Cure53 and Assured AB in a pentest report published at cure53.de. The security researchers concluded: https://cure53.de/pentest-report_mullvad_v2.pdf

We would like to see more VPN providers do this. Then we could have more good choices to choose from. A lot of the larger ones could certainly afford it.


The audit looks actually legit, but still, they are located in a 14 Eyes jurisdiction, not really the best for privacy.


I had exactly the same thought. Interesting "coincidence".


In a world where HTTPS was the exception, I could see a use for this sort of service. Now not-HTTPS is the exception, not so much.

Privacy from your ISP? Okay, but I've replaced that problem with privacy from my VPN provider. Is that a better problem? Is my VPN provider going to exploit me less than my ISP would have?

Geographic restrictions? That's a genuine benefit. Alas, it would end up as a bit of an arms race as websites that really don't want me to visit would start blocking VPN providers.


> Is my VPN provider going to exploit me less than my ISP would have?

Well, probably the answer is yes, since we have many years of experience with the terrible behavior of ISPs. VPNs have a much smaller userbase, so I suppose they have less of an opportunity to screw you over, but come on, even the worst of them has to be better than something like Comcast.


In addition to what onychomys stated, there's also the matter of locality. If you were to assume they would be equally likely to exploit you, your ISP is more capable of doing so because it's local. For example, the VPN provider can sell your data to spammers that get filtered, but your ISP can shove spam in your physical mailbox.


In addition to PrivacyTools.io and ThatOnePrivacySite/Guy, RestorePrivacy.com is a site I've used for privacy related research.


Restore Privacy uses affiliate links. This article criticized recommendations from sites like Restore Privacy, because the financial compensation creates a conflict of interest.


Sure. I read the article and understand the concern. But to me, RestorePrivacy is quite different than the spammy ones the article alludes to.

I think Sven does a decent job of analyzing each service/offering and presenting the information in an approachable way.

That being said, it is wise to take his rankings/thoughts on each service with a grain of salt.

I just wanted others interested in this topic to be aware of another resource that I have found useful.


Restore Privacy's NordVPN review doesn't mention its 2018 security breach, which was widely covered in the news:

https://restoreprivacy.com/nordvpn

https://www.cnet.com/news/after-the-breach-nord-is-asking-us...

Their "Best VPN List" doesn't mention it, either. That's extremely damning to Restore Privacy's credibility as a review site, and highlights how financial conflicts of interest can degrade the quality of a site's content.


Maybe it’s been added in the last 8 hours, or perhaps you never actually checked.

But it’s mentioned, right at the start, on the page you link:

> In October 2019, news broke about a NordVPN security incident.

Which links to a full article on it[0].

He sort of downplays the hack, which then led me to read the article you posted. And the TechCrunch article it mentions.

They take a more “trust is compromised” stance. So to reiterate:

> it is wise to take his rankings/thoughts on each service with a grain of salt.

[0] https://restoreprivacy.com/nordvpn-hack/


The new "Trust issues?" paragraph was added to the review after I posted my previous comment. I checked before I posted, and it was not there.

https://web.archive.org/web/20191118050427/https://restorepr...

https://restoreprivacy.com/nordvpn/

The most recent Wayback Machine archive (November 18) shows that the "Trust issues?" paragraph wasn't in the NordVPN review until very recently. Thanks for getting the paragraph added in, because transparency is important.

However, you might want to consider using the pronoun "I" or "we" instead of "he", because astroturfing is not a transparent thing to do. It doesn't take a genius to see that you're affiliated with Restore Privacy just as Restore Privacy is affiliated with NordVPN.


Thank you for pointing that out. My mistake, sorry about that - I should have checked there before replying to your original comment.

Interestingly, it looks like he doesn't censor/hadn't censored the couple of comments mentioning the breach on that page.

His article on the breach/hack was published in Oct. But his Nord VPN review was published/updated the month prior (from your waybackmachine link). So a month later.

It's plausible to me that he just never got around to updating the original post/review. But apparently your comment prompted him to do so.

However, he hasn't bothered to jump in this thread and comment that was the case. So although I think RestorePrivacy is still a useful site, perhaps a larger grain of salt is needed.

> However, you might want to consider using the pronoun "I" or "we" instead of "he", because astroturfing is not a transparent thing to do

Not Sven and not astroturfing. Merely suggesting what I thought was a decent privacy resource - in a related topic's thread.


I don't understand why you were downvoted. If someone has concerns over RestorePrivacy.com, which is a site I used as well, could they explain what seems to be wrong with their recommendations, as they seemed quite professional to me?


Some years ago, I looked at a bunch of these VPN review sites over time, relying on archive.org captures. At any given time, there were just a few distinct sets of rankings. Some of that could have reflected shared ownership. But it likely also reflected changes over time in advertising budgets.


It's the new "Web hosting review" site. 10-15 years ago there were hundreds of similar commission-funded sites recommending shared hosting providers, all with the same problems. Where there's a commission, there's someone ready to write a good review :-)


I'd recommend giving a try to "sshuttle". It's easier to use than it seems, and it's been working flawlessly for me.


TLDR: they're just like every other review site and are either run by the companies rated best or are affiliate link sites.

(I accurately guessed the above before even going to the article...)


Mattresses seem like another one so over-polluted by affiliate links that you can barely find a real comparison. (sleeplikethedead.com seems pretty good.)

On its face, affiliate reviews are ok if the company has integrity, like Wirecutter attempts, i.e. if they pick a profitless product as first over one that makes them money.

Credit card reviews are another one that have gone off the chain. There are thousands of identical sites ranking the same cards.


Yeah mattresses, any specific type of software (CAD, photo editing, video editing etc), credit cards, supplements of all varieties... these are all the ones I've personally encountered when trying to find info.

People are always quick to throw Amazon under the bus for reviews, but it's not just Amazon/Newegg etc. I don't trust reviews anymore, at all; the only time I trust a 'review' is when a friend is like "yeah man I've been using this thing for such and such and it's great".

Even when friends recommend something I've been burnt simply by listening to just 1 or 2. Altman mentions a specific mattress cooler in one of his blog posts, I bought it without even checking other online reviews because I respect Sam and value his opinions (he also has no reason to plug a specific product, especially when he is in no way involved with the company). Man it was great, oh man was it great, until I'd been using it a couple of months and was changing my sheets and saw mildew all over my mattress protector from the condensation forming on the tubes at night while I slept. San Francisco doesn't have the summer humidity that Indiana does and in the 2 weeks between sheet changing...


On the topic of mattress review sites, this article is always a good one, "The War To Sell You A Mattress Is An Internet Nightmare": https://www.fastcompany.com/3065928/sleepopolis-casper-blogg...


Undisclosed affiliate relationships are against the law in the US: https://www.ftc.gov/tips-advice/business-center/guidance/ftc...


The problem with a lot of these affiliate sites (which I alluded to in the conclusion of the article but perhaps didn't spend quite enough time on) is that they provide a small disclosure of their relationships in their footer or in the article. But they do it as inconspicuously as possible to avoid the drawbacks of disclosing anything.

I have a lot more respect for the sites that prominently disclose their relationships, like Wirecutter. Most of these sites are a business, they've gotta make money somehow. But IMO most readers aren't seeking out such disclosures automatically when they see a "review", so the hidden-in-the-footer nonsense is entirely useless.


So is what Equifax did, but guess what, they're still in business. You can see the "settlement" at [1]. And guess what?

"Whether or not you choose to get free credit monitoring from Equifax, the company will continue to collect information about you."

In other words:

"Even though we got hacked, we're still going to collect your information so it can get leaked again, lolz".

Awesome FTC right there.

[1]: https://www.ftc.gov/enforcement/cases-proceedings/refunds/eq...


Web hosting is pretty bad about these affiliate link filled 'review sites' too. Virtually every company rating hosts is in it for the affiliate revenue, and features the same few (well paying) companies regardless of actual quality.



