Personal VPN services are snake oil (httpscolonforwardslashforwardslashwwwdot...)
147 points by ementally 5 months ago | 197 comments



The problem is that they are sold as a security/privacy product, because they can’t mention the more illicit uses (which the author mentions under “when to use a VPN”), which are the real use cases people buy them for.

It’s kind of like when shops selling bongs would market them as “tobacco accessories”, but there was a wink-and-nudge understanding about how they would really be used.


Exactly. Is there anyone whose primary use case for a personal VPN is not "Geofence bypass for region-locked content"??

Whenever a state in the US passes a new "we need your ID to watch porn" law, sales of personal VPNs must predictably skyrocket in that state.


My dad used to complain that he couldn't get on certain websites, got CAPTCHAs a lot more than he used to, and often prices came up in US dollars on his computer. It turns out he had paid for a 3-year plan with NordVPN and had it start on startup on his computer.

He can barely work the Sky box, never mind stream stuff from the internet. He got duped into thinking it would make him "safer" when in reality it just makes using the internet a lot harder, as everyone flags your traffic as malicious based on the datacentre IP.


Why is your assumption that VPN traffic is being blocked because it's malicious?


If you read carefully, you may see that they did not say that "VPN traffic is being blocked because it's malicious".


As someone who operated a high fraud target during the pandemic, I am comfortable asserting that while not all commercial VPN traffic is fraudulent or malicious, most fraudulent or malicious traffic is over VPN.


Because it absolutely is.

I occasionally fire up Mullvad when I'm on the go. I get blocked way more often when I use it.


Anyone who has browsed through one of these personal VPN services - or even a DIY VPN from a datacentre IP - for more than about 10 minutes will have experienced the increase in captchas.


> Anyone who has browsed through one of these personal VPN services - or even a DIY VPN from a datacentre IP - for more than about 10 minutes will have experienced the increase in captchas.

So has anyone behind random CGNAT.


Because people run crawlers and perform illegal activity, and/or because ‘security companies’ sell the IP lists as low reputation potentially malicious IPs?


Because I've hosted websites where blocking datacentre IPs has caused a massive reduction in spam and malicious activity - and tried to use Google search with Mullvad dialled only to be greeted by a CAPTCHA every other search.


It's the same with any broker service. Fire up a Hurricane Electric IPv6 tunnel for the same effect.


> Exactly. Is there anyone whose primary use case for a personal VPN is not "Geofence bypass for region-locked content"??

Hi! /waves I use a VPN to stop my ISP from monitoring my traffic and selling my personal information. My VPN (usually) exits in the same "region" as my real location; I guess if I hit a geoblock I could look at that, but it hasn't come up.


> Hi! /waves I use a VPN to stop my ISP from monitoring my traffic and selling my personal information.

But then how do you stop your VPN company from doing the same? You essentially have two ISPs now.


If the local ISP has a 100% chance of monetizing my data and the VPN provider has anything less than that, then it's still a win.

(Longer answer: This boils down to the weighted probabilities; if the ISP was meaningfully regulated such that it was legally restricted from doing certain things with my data, that might matter, and one should also play in the exact likelihood that either party is selling my data. In my case the weighted probability is wildly in favor of a VPN, but I suppose I can imagine situations where that wouldn't hold.)


It's their business (value proposition) to not do the same and most explicitly commit to that. They also get third party audits and publish results. This isn't foolproof but it's better than trusting Comcast or ATT or whoever.


I VPN to a $5 VPS in a distant country. I kill and move/re-up it once or twice a year.

They probably could sell my traffic, but I estimate it (based on vibes) as being less likely than for most other intermediaries.


You can set Mullvad (which offers VPN service) as your DNS over HTTPS server. Traffic is also mostly encrypted by HTTPS. Your ISP still gets the destination IP addresses, though they are harder to track.

Wouldn’t that address your concern?


I think this is the old way of thinking about it.

Skipping the broader discussion of AI, the ridiculous amount of automatic, humanly impossible pattern matching and correlation with seemingly harmless data is something that I don't think we are equipped to fully comprehend.

The time at which I hit some Meta CDN seems harmless. Until combined with some cookie and some access time to some asset, it uniquely identifies me to previously anonymized data.

So no, I do not think HTTP and a good DNS are enough.


No; until Encrypted Client Hello is ubiquitous HTTPS still has domains in cleartext. Also, I don't think we should be casually dismissing tracking by IP addresses.


IP addresses and host names (as defined in SNI).

https://en.m.wikipedia.org/wiki/Server_Name_Indication


You're just trading your ISP for a different third-party who has all the same incentives.


> You're just trading your ISP for a different third-party

Yes.

> who has all the same incentives.

And no. The ISP has little to no competition or incentive to not sell my information, while the VPN provider has loads of competition and often has user privacy as a core part of their value proposition.

Besides - even if both of them did have the same incentives, one openly says they're selling my data and one says they're not. At worst it's a gamble between the VPN lying and the ISP telling the truth.


You don't have competition between ISPs? I can trivially switch between as many (if not more) ISPs as well-known VPN providers.


The availability of internet service providers typically varies by state and even by city. In many cases, your choices might be limited. Often, you may find yourself restricted to a single cable provider, with the possibility of DSL, but not much else, unless you consider wireless options. Installing a wired line can range from very difficult to nearly impossible. Cities might impose a moratorium on new installations, often due to lobbying, and even if installation is permitted, the costs can be exorbitant. For example, the cost of laying new lines can reach into the hundreds of thousands of dollars, with service providers generally unwilling to cover these costs. One recent quote I saw was as high as $160,000.


In many (US, at least) locations, there is only a single provider of fixed broadband. Not sure how it is elsewhere, but without a more customer-friendly framework (infrastructure isn't owned by the same entity selling user access), I can't imagine too many places have multiple, parallel cable or fiber networks in a single town/city.


Sir I would have you know that I participate in no such illicit tomfoolery. My VPN use is strictly for torrenting pirated content!


Yes, lots of people have other primary use cases? Why is that even a surprise?

VPN companies are more trustworthy than my ISP. Many get third party audits and publish results. And if the VPN company and server are in a privacy friendly country, they are hard to subpoena. Individual privacy being the default is itself valuable.

This is leaving aside numerous other reasons like avoiding censorship or persecution or whatever.


Yes, I was using a bit of hyperbole.

But that said, on this point I do agree with the author: privacy improvements from using a VPN are marginal for the average user due to the now widespread use of HTTPS. Yes, your ISP can see which domains you visit, but that's about it. I'm curious if there have been any successful lawsuits or prosecutions based solely on domain access logs.


Unless you're using DNS over HTTPS or DNS over TLS. Then they can't.

Side question: Anyone know of a gateway or self-host service which supports DNS over HTTPS relay?

i.e. it will accept vanilla DNS requests, but if it needs to forward requests, it will only do so to DoH / DoT servers?


They can still deduce it from the TLS SNI unless the web server you access supports TLS 1.3 Encrypted Client Hello. https://en.m.wikipedia.org/wiki/Server_Name_Indication


I do that with pihole.


LOL. Several of the large ones are owned by the same entity.

The main reason they exist is to do grey market bypass of controls becoming media access. If you trust them to not do some grey/shady exploitation of your metadata, more power to you. Sounds foolish to me.


I absolutely despise my ISP’s business arm, but I trust their network arm not to do something stupid. I certainly trust them more than a company in a remote tax haven with a broken legal system.


Sweden and Switzerland are hardly 'remote tax havens with broken legal systems.' You don't actually prefer your ISP's DNS service over something like, say, Quad9's, do you?


My ISP Comcast (sometimes called Xfinity) has regularly done MITM attacks that inject JavaScript into web pages since 2013. Surfing the web without tunneling my connection is unacceptable with an ISP that commits CFAA crimes like this. It is a valid use case for a VPN or VPS tunnel for the 30 million of us stuck with a Comcast monopoly.


I am old fashioned. So I would use a VPN if I want to prevent my landlord from getting a cease and desist letter from a lawyer when I download warez. Mostly audio books, and textbooks, but also movies and music.

I.e., it's the use case where you pirate all the media, and use a VPN as a security bandaid against anti-post-scarcity busybodies.


Piracy is also listed under the "When to use a personal VPN?" heading.


It is, but I believe the comment you replied to was in response to this line.

> Is there anyone whose primary use case for a personal VPN is not "Geofence bypass for region-locked content"??


So... piracy, but worded fancy?

There's no ethical difference between faking your location to bypass licensing and copyright and downloading a file via torrent to bypass licensing and copyright. Both are piracy.


I reckon the majority of VPN sales are actually people being bombarded by adverts and sponsorships for VPNs and think that is actually of benefit. I am constantly bombarded by questions on which VPN product to use from people who are even unaware you can steal content.

"Are you downloading films from anywhere?"

"Huh what from Disney Plus?"


My primary use case for a VPN is I don't trust people on my guest network and don't want their traffic looking like it is coming from an IP associated with me. I am not protecting against three-letter-agency levels of surveillance, so I don't need the extra benefit and slowness of Tor; I just need to move that traffic to a different jurisdiction to complicate things enough that people don't bother to figure out it came from my network, on the off chance that someone I let on my guest network does something untoward.

Does that count?


Your use case is valid, I’m just kind of curious why they’re on your guest network if you don’t trust them? Like an AirBnB or something?


Worse than an Airbnb: my relatives when they visit, lol


That's a valid privacy concern, but is a VPN service a good solution? Certainly not if you are on a shared IP with the VPN. I know you can get some with a dedicated IP, but with most VPN providers it is still probably coming out of a cesspool of IPs that you don't want any kind of association to.


Shared IP is even better if you are reasonably sure the provider deletes logs (i.e. you are using Mullvad). Good luck proving in a court of law which of the firehose of clients did whatever you are claiming.


Except that use-case doesn't even work because any service worth its salt just blocks the VPN's IP addresses. For example: a US citizen living in the US goes to the UK and uses a VPN service to watch US-based Netflix. Netflix blocks this.


Torrenting and buying a service cheaper are two examples.


Is "geofence bypass for region-locked content" actually “illicit”?


> Is "geofence bypass for region-locked content" actually “illicit”?

Yes, in practically every jurisdiction. It’s wilful breach of contract, tortious interference with the content distributor’s licensing schemes and copyright infringement.


> tortious interference with the content distributor’s licensing schemes

No it's not.

Tortious interference with a business relationship is no doubt what you're referring to here, but it's a long bow with multiple layers of indirection. It is "intentionally acting to prevent someone from successfully establishing or maintaining business relationships with others".

Miramax, as a content distributor, might license their content to Netflix.

You are a customer of Netflix.

Now say you are a customer of NordVPN.

For one, NordVPN isn't trying to prevent you maintaining a business relationship with Netflix. Nor is it trying to prevent Netflix having a business relationship with Miramax.

NordVPN may provide you means by which you can choose to be in violation of your TOS with Netflix. It's not acting to ensure you are.

Netflix doesn't have to -allow- this, hence VPN/proxy detection. But they have recourse, drop you as a customer, for you, the customer's, actions, not for NordVPN's actions. Miramax can't argue that NordVPN acted to interfere with their licensing scheme with Netflix.


> Miramax can't argue that NordVPN acted to interfere with their licensing scheme with Netflix

No, but they could argue that the VPN user interfered with their licensing scheme. (If everyone in a region circumvented geoblocks, why would someone in that region pay for regional rights to that content?) They wouldn’t, because it’s not worth it.


This is false, it is not illegal. You might be in violation of a specific contract, but that is far from it being illegal. For example Steam might ban you if you circumvent a region lock. Reason for that is that there are other legal requirements for them as a market place.


> This is false, it is not illegal.

I highly doubt you know the laws in every region globally. This may be true in yours, but it's not a good idea to make such blanket, objective statements online.


A notable exception being the use of a VPN to access region-protected content.

IANAL, but while this use case might violate ToS, the case law suggests that courts deem this to be fair use provided you don't breach other laws in the process (e.g., copyrights).


Agree that it's the digital equivalent of jaywalking.


Unless you have any explicit court case decisions to the contrary, I'm calling bullshit. I did a simple Google search and could not find any examples of someone being sued or prosecuted for region bypass.


> Unless you have any explicit court case decisions to the contrary

I also don’t think there is prosecutorial precedent for murdering someone with a sea cucumber; that doesn’t make it licit (or legal).


When was the last time you heard of anyone murdering someone with a sea cucumber? People obviously use VPNs all the time for region bypass, and have for years, so if anyone had an issue with it it surely would have had some relevant legal proceedings.

Laws only mean what courts say they mean. Besides that, I have simply never heard any argument of region bypass being illegal or otherwise illicit, and you haven't provided any evidence to the contrary.


There's also bypassing nanny software in coffee shops. I've had checking a word meaning on Urban Dictionary and checking the odds of Trump winning 2024 blocked by that. I guess for naughty words and gambling?


...piracy


I felt stupid when someone told me what the 'roses in a glass' tubes that were sold in convenience stores were really used for, but I guess it never occurred to me that crack pipes would be something these places would want to be associated with. At least it restored my faith in romantic gestures a bit to know people weren't buying them as a token of love.


The bodega sells whatever people want to buy, as long as it doesn't get the bodega in trouble for doing so.

Beer, wine, booze, tobacco, and vapes are obvious, but things like cough medicine (dextromethorphan), diarrhea pills (loperamide), little roses in neat glass tubes, and air dusters (let's kill some brain cells!) are perhaps less-obvious.

The bodega wants to be associated with being the place where a person can stop in and buy anything, from a can of soup to a pair of pants.


What's the deal with loperamide?

I once asked why Levothyrox, a drug to compensate for a dying thyroid, is so regulated (at least in France). It's not like it's psychotic or something, it is just a hormone. Turns out people were buying it expecting weight loss...

It's because of such idiots that people whose life is already complicated get it even more so.


It's an opiate, and some opiate addicts like loperamide. It's certainly not the fix they're looking for, but some of them like it enough that -- unlike seemingly every other OTC drug they stock -- it is kept behind the counter at the Dollar General near me, so that a would-be buyer has to ask for it.

And that's not a result of regulation (anyone can buy as much as they want), but is rather a result of stock shrink. It tends to disappear in some less-than-savory neighborhoods.

(I use loperamide occasionally for its main intended purpose of settling my gut down enough that I can do something other than hang out near a bathroom while I quickly dehydrate, and more than once it has been legitimately hard to find in some areas when I've needed to buy more.)



Funny thing is, on my most recent trip, the hotel's wireless network information contained a note which can be summarized as follows:

"Our hotel uses unencrypted wifi, so if you want any kind of privacy on hotel network, please use a VPN, kthxbye."


I've seen a lot of VPN ads that specifically advertise how you can take advantage of regional pricing and get around geoblocking for various services.


NYC has Mullvad ads plastered everywhere. They bill themselves as protection from corporate surveillance. This is not wink-wink advertising. It’s an attempt to swindle somewhat tech literate people through a lie.

Sure, you and everyone else on HN know what a VPN is for, but that's not the case for 97% of the people on a subway car who see their latest campaign.


What lie?


This is exactly what it is. Almost everyone I know here in my country, which has not (yet) gone China, who uses a VPN does so exclusively to access sites and services that are banned or not reachable here (read porn, p2p, and geo-limited services like Hulu, and Spotify before it was released here etc). No one, absolutely no one, uses it for privacy and security.


Hongkong? Taiwan?


I buy them so I can have country specific ips


Which VPN provider do you use? I found it is sometimes a nightmare to use some of them due to blacklisted IPs and endless captchas.


Mullvad


You mean like vibrating massagers?

Did you know the original vibrator was a medical device by doctors to automate treatment of Hysteria?



Haha, lookup what “hysteria” was and the medical “treatment” devised to “cure” it.

We might have a long way yet to go as a species, but we’ve sure come a long way.


We still have chiropractors and Chinese herbal medicine dispensaries.


The thing that bothers me is that we've had these things for so long, but no one does any actual research about them, so we still can't say that we know they don't work, but only that we don't know that they work. And "we don't know that they work" doesn't really convince people who say "thousands of years of tradition say that they work, and my great aunt was healed by it".


Research has been done, and has shown herbal medicines to not work[1], to nobody's surprise. Sure, there's not a huge amount of research into the matter, but this is comparable to the small amount of research time sunk into verifying if prayer can cure cancer.

Nonsense like "rhino horns look like an erect penis, so surely they will give you erections" should be dismissed without further discussion, but unfortunately a multi-billion dollar industry continues to wipe out rare and endangered species for magic cures that can't possibly work.

[1] A large subset of such medications are basically stimulants that make patients feel better but do more harm than good. My father in law was scammed this way by a herbal doctor that gave him such huge doses as to cause heart damage.


> Research has been done, and has shown herbal medicines to not work

Plenty of herbal medicines are effective. Which is why we need research to understand which ones are, and which ones are bullshit.


We have done this research, and the result is called "medicine" now instead of "herbal medicine".

Aspirin used to be extracted from tree bark.

Opium and morphine is the juice of the opium poppy.

Penicillin is from a mould.

Botox is from a bacterium.

Heck, there's an entire subset of the pharma industry running around testing every damned plant, weed, and flower to see if it has some sort of useful effect! There's even been movies made about this! https://www.imdb.com/title/tt0104839/

We've tested herbal medicines, and use the pure extracts from those that do actually work every day in every country.

That doesn't mean the guy selling dried tiger penis should be allowed to open shop next to a pharmacy and claim mysterious properties "unknown to science".


I assume you get downvoted due to the (not much) relevance of your example to the VPN discussion. As for the accuracy: Yes!

1) https://jhupbooks.press.jhu.edu/content/technology-orgasm

2) https://www.psychologytoday.com/us/blog/all-about-sex/201303...

3) https://www.bbc.com/future/article/20181107-the-history-of-t...


Or all those Nickelodeon commercials for wacky wiggling pens that are sooo hard to write with.


> When to use a personal VPN?

> - Geofence bypass

> - Piracy

> - Soft network block/censorship

Among all the people I know who use the kind of VPN services talked about here, these are exactly their reasons for using them. Obviously advertisements are going to shy away from these angles.


Pretty funny to say they're snake oil, and then list 3 very good reasons to have one.


I think the snake oil claim is in regard to VPN companies marketing themselves as a security product. The security benefits that these companies claim in their ads are dubious but of course there’s other benefits to them, they just can’t advertise that they can be used for these things.

The problem is people who aren’t aware of this see these ads and think that they actually do prevent hackers from stealing their information.


> I think the snake oil claim is in regard to VPN companies marketing themselves as a security product

Considering that confidentiality is a vital component of overall security, it's not necessarily unreasonable to describe a VPN as a security product. Of course, it's not the panacea some companies claim; nobody's "surfing the web in full security and privacy" with just a VPN service.


We already have really good client-server confidentiality (and integrity) assurances from the wide adoption of TLS/HTTPS. Wrapping that in a VPN doesn't buy you all that much additional security. Maybe a little bit of DNS privacy and being able to mask your IP address on torrents, but that's all that comes to mind.


That argument only makes sense if people don't really understand what a VPN is or what it is actually for. They're somewhat of an expensive and complex thing that usually noticeably slows down your internet connection... I doubt many people are buying them because they think it protects them from identity theft or something. I haven't seen an ad on the internet in a decade (thanks uBlock) - so I'm not sure if there's some ubiquitous misleading ads I'm missing.


Similar to cryptocurrency in this respect. People would often tout nebulous benefits for hypothetical legitimate use cases, when in reality they were only ever really good at ponzi schemes and conducting illicit transactions.


There's another use case (and is why I primarily pay for one, mostly due to being too geographically mobile to want to set up a bunch of VPS around the US): bypassing throttling on low-cost pay-as-you-go MVNO networks.

I use Visible (pre-paid Verizon), and they very clearly deprioritize, say, YouTube when things get crowded. I turn on my VPN and all of a sudden I can play 1080p no problem.


If you change your TTL you can fix that permanently without a VPN.


Renting a car: better rate if you are local.


I found the opposite when renting a car at the airport.

Renting a car in Belgium from the Canadian website is cheaper than renting the same car on the Belgian website.


Hmm… I’m going to try that. Thanks traveler.


Also plane tickets. It was less than half the price for me to buy Peruvian tickets in soles from LATAM than to shop on the equivalent site in USD.


Damn. I was wondering why my tickets from Juliaca to Lima were so expensive.


I have mine always on for privacy. Is there a reason to not use it? The extra latency is close to 0; just use an exit node in the same city. Why should I donate all my browsing data to my ISP?


You may not even need a VPN to get around censorship; ISPs implementing legally mandated site blocks often only bother to enforce them at the DNS level, so you can trivially bypass them by using an encrypted DNS resolver.


Encrypted DNS resolvers aren't trivial[0] for the ~99% of people who don't even know what they are, though.

[0] https://news.ycombinator.com/item?id=8863


Doesn't Firefox default to eDNS these days? I don't think it can get much more trivial than that


In the UK, at least, it isn't the default (because of "the children"/"terrorism"). But it's still just a setting in Firefox/Chrome to change (and I guess in Edge too).


Changing the "secure dns" option on their phone/computer is probably easier than installing a VPN app, tbh.


If only the Great Firewall were so easy. ExpressVPN seems to be "OK" once/if it connects but it's not very fast when websites load megabytes of crap via a bazillion tiny requests (which is a problem in any bandwidth-limited and/or high-latency environment: use your browser tools to simulate a slow connection, website devs!).


Even just using a different DNS can be enough. A certain popular movie uploader is/was blocked by my ISP at the DNS level but worked fine once I changed to OpenDNS.


Use a browser with DoH. Even works against corporate censorship.


ISP routing, throttling


I'd add:

4. Making all your traffic look "neutral" to your ISP, in places (think corporate / college campuses, cellular data, hotels and boarding schools, not countries) where net neutrality isn't enforced and certain traffic (most often torrenting, video streaming and/or gaming) is deprioritized. I guess this could be classified as blocking or censorship, but deserves a separate category IMO.

5. Places where the networking hardware messes about with your data. I've seen places that would add their own iframes to unencrypted HTML content, which broke some software because their algorithms to detect what was HTML weren't very good.


There is a fourth use case for VPNs: evading traffic shaping and censorship on public wifi hotspots. Many hotels block not just porn sites but also legitimate news pages (e.g. Torrentfreak), and most drastically throttle YouTube, Netflix and other streaming-heavy sites.

A fifth use case is related: evading bad peering. Deutsche Telekom was infamous for years for "double dipping", i.e. requiring that other (backbone/regional) ISPs pay them for peering, and so DTAG customers that tried to access Hetzner servers were throttled as the Hetzner-Telekom link got saturated at peak traffic times.

[1] https://www.golem.de/news/hetzner-und-netzneutralitaet-extra...


The link to AWS was/is really bad as well, since that has to go through Telia.


For real, this is the only case where I wouldn't mind AWS to actually use their market size firepower. Throttle all of DTAG on a single 1 GBit/s link and tell them, either you peer with us for free like everyone else, or you'll have to deal with annoyed users.


The article appears to be written by a technical person who doesn't understand (or want to acknowledge) how bad end-users can be at security. We're still trying to get users to not reuse passwords on multiple sites and not click on links in SMS messages. Meanwhile, the author is suggesting you contact every website you use and ask them to add HSTS.

Some end-users need straightforward advice like "Use a password manager" or "Use a non-free VPN on open WiFi connections". The rest is going to get thrown out with the bathwater.


For people with bad security practices... VPNs still have virtually no benefit.


In general I agree about it not providing a security benefit, but they can reduce the exposure to eavesdropping, like DNS leaking browsing patterns, and so on. Sure, you're now leaking your DNS traffic to the VPN server, but in my opinion it's better to leak that to somewhere external than somewhere close by (e.g. to companies or individuals directly related to your network that will use it for monitoring and monetisation).

HTTPS downgrade attacks and the like (HTML injection on HTTP pages) can also be thwarted (unless they are done on the VPN->service path, ofc).
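This comment and the one a few replies up (asking users to get sites to add HSTS) both come down to whether a site tells browsers to refuse plain HTTP. The following added example is not from either commenter or the article: it parses a raw HTTP response, reads the Strict-Transport-Security header and gives a verdict on whether the policy is strong enough to stop the downgrade and injection scenarios being discussed. The responses are constructed for the demo and the one-year threshold is this example's own choice.

```python
# Added example (not from the thread): check whether an HTTP response carries
# an HSTS policy that blocks http:// downgrades for a meaningful period.
# The response texts below are constructed, not captured from any real site.

ONE_YEAR = 31536000   # seconds; the threshold used here is this example's choice


def parse_headers(raw_response):
    """Split a raw HTTP response into a dict keyed by lower-cased header name."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_hsts(value):
    """Parse 'max-age=...; includeSubDomains; preload' into a directive dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            key, val = part.split("=", 1)
            directives[key.strip().lower()] = val.strip().strip('"')
        else:
            directives[part.lower()] = True       # bare directive such as preload
    return directives


def evaluate_hsts(raw_response):
    """Return a verdict dict: ok (bool) plus a reason and the parsed directives."""
    headers = parse_headers(raw_response)
    value = headers.get("strict-transport-security")
    if value is None:
        return {"ok": False, "reason": "no HSTS header; http:// visits can be hijacked"}
    d = parse_hsts(value)
    try:
        max_age = int(d["max-age"])
    except (KeyError, ValueError):
        return {"ok": False, "reason": "max-age missing or not an integer"}
    if max_age == 0:
        return {"ok": False, "reason": "max-age=0 tells browsers to forget the policy"}
    verdict = {
        "ok": max_age >= ONE_YEAR,
        "max_age": max_age,
        "include_subdomains": bool(d.get("includesubdomains")),
        "preload": bool(d.get("preload")),
    }
    verdict["reason"] = ("policy present for at least a year" if verdict["ok"]
                         else "max-age below one year; policy lapses quickly")
    return verdict


# Constructed responses for the demo.
GOOD = ("HTTP/1.1 200 OK\r\n"
        "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
        "Content-Type: text/html\r\n\r\n<html></html>")
WEAK = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n"
NONE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("weak", WEAK), ("none", NONE)):
        print(label, evaluate_hsts(resp))
```

Two caveats belong with this check. HSTS only takes effect after the browser has seen the header once over HTTPS (or the domain is on the preload list), so the very first plain-HTTP visit is still exposed; and it does nothing for sites that never set it, which is the adoption problem the commenter above is pointing at.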


Wouldn’t switching to something like Cloudflare’s 1.1.1.1 DNS mostly solve the DNS issue without going the VPN route? The user’s DNS provider would no longer be their ISP.


> The user’s DNS provider would no longer be their ISP.

Only if the ISP doesn't do DPI to transparently route any outgoing DNS traffic to their (censoring) servers. There have been enough cases of that.


Does that work anymore with DNS over HTTPS? I think the real leak is that until we get Encrypted Client Hello your HTTPS connections expose the domain in plaintext so DNS is kind of a moot point.


It does not. DoH and DoT are a real lifesaver for privacy-minded people.

And it's hell for the security minded people. Before I could do DNAT on my router to redirect everything to my Pi-Hole, even the Google Mini that staunchly ignored the handed out DNS, but used 8.8.8.8.

But soon they'll start using DoH and I can't do anything anymore at all.

I believe IMDb on iOS already uses DoH.
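The commenter's problem is that a DNAT rule on the router only catches devices that still send plain DNS somewhere other than the local resolver; DoT and DoH slip past it. The following added example is not from this commenter or the article: it runs over a few constructed flow-log lines and labels clients that bypass the local resolver by plain DNS to a hard-coded server, by DoT on its dedicated port, or by HTTPS to a public resolver known to serve DoH. The Pi-hole address, the client addresses and the flow-log format are assumptions made for the demo; the resolver list is a starting point, not an exhaustive one.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example (not from the thread): spot clients on a home network that
# sidestep the local resolver with plain DNS, DoT or DoH. The resolver and
# client addresses and the flow-log format are assumed for this demo.

PIHOLE = "192.168.1.2"   # assumed address of the router-advertised resolver
# Public resolver addresses that also answer DoH on 443 (1.1.1.1, 8.8.8.8 and
# Quad9 are named in the thread). Not exhaustive: any HTTPS host can serve DoH.
KNOWN_DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def parse_flow_line(line):
    """Parse one constructed flow-log line: '<proto> <src> -> <dst>:<dport>'."""
    proto, src, _, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return Flow(proto.lower(), src, dst, int(port))


def classify(flow):
    """Label a flow that bypasses the local resolver, else return None."""
    if flow.dport == 53 and flow.dst != PIHOLE:
        return "plain-dns-bypass"          # hard-coded resolver; DNAT can catch this
    if flow.proto == "tcp" and flow.dport == 853:
        return "dot"                       # DNS over TLS has its own port
    if flow.proto == "tcp" and flow.dport == 443 and flow.dst in KNOWN_DOH_RESOLVERS:
        return "likely-doh"                # indistinguishable from HTTPS except by peer
    return None


def find_bypassing_clients(lines):
    """Map each client address to the sorted list of bypass labels seen for it."""
    report = defaultdict(set)
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow_line(line)
        label = classify(flow)
        if label:
            report[flow.src].add(label)
    return {src: sorted(labels) for src, labels in report.items()}


# Constructed sample flows (documentation-range addresses stand in for web servers).
SAMPLE_FLOWS = """\
udp 192.168.1.50 -> 192.168.1.2:53
tcp 192.168.1.50 -> 203.0.113.10:443
udp 192.168.1.51 -> 8.8.8.8:53
tcp 192.168.1.52 -> 1.1.1.1:443
tcp 192.168.1.52 -> 198.51.100.7:443
tcp 192.168.1.53 -> 9.9.9.9:853
""".splitlines()

if __name__ == "__main__":
    for client, labels in sorted(find_bypassing_clients(SAMPLE_FLOWS).items()):
        print(client, ",".join(labels))
```

Only the first label is something a router DNAT rule can fix; the other two can be blocked per destination but not redirected, and DoH to a resolver not on the list looks like any other HTTPS session, which is exactly the limit the commenter is running into.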


An issue is that they're sold as a way to stop your ISP tracking what you're doing.

But why would I trust a random company with this information over an ISP, who yes aren't always angels, but at least are somewhat accountable.


>But why would I trust a random company with this information over an ISP, who yes aren't always angels, but at least are somewhat accountable.

ISPs often have captive markets and have enough political sway to grant them said captive markets. VPN companies have none of that, and live or die based on their reputation, so they arguably have more of an incentive to behave well. Meanwhile some ISPs have even admitted to selling your traffic for marketing purposes or are forced by the government to keep records. There's plenty of shady VPN companies out there, and not all ISPs are scummy and sell your info, but there's quite a bit of range between the scummiest ISP and the best VPN, and for a subset of people using VPNs definitely makes sense.


It is really a question of whether you trust your ISP or your VPN provider. And if you are doing something your state might have an interest in, well, VPN options might also be questionable. Either in some adjacent state, or other ways scrupulous...


My ISP is Comcast and my VPN is Mullvad.

Guess.


Mullvad and it's not even close haha


1) You can choose where in the world your traffic exits.

2) You can switch your VPN provider or even use/stack multiple and it’s easier than changing ISPs, which encourages innovation.

3) ISPs and VPNs are regulated differently. In many if not most countries ISPs have to log and store certain PII.


My ISP is from communist country and my VPN is Mullvad.

Guess.


Furthermore, they use their VPN clients as proxies and sell access to their network to scrapers and botnetters. Usually the rule of thumb is that if you're not paying, you're the product, but in this case they manage to double dip. That's where the real funding comes from.

https://oxylabs.io


If they claim to be operating an ethical service one more time I might start to believe it.


Author linked to privacytools.io.

>even better, a browser built with privacy in mind

which is full of VPN ads https://www.privacytools.io/privacy-vpn. Browse https://www.privacyguides.org/en/vpn/ better.


URL would be funnier if owner also owned the actual URL, but redirected everything to the extra one.

And it's unregistered!

https://www.namecheap.com/domains/registration/results/?doma...

Edit: Per below, missed the last dot. zoltanbalazs is registered. https://www.namecheap.com/domains/registration/results/?doma...

Also, what would be more interesting: a financial breakdown of how an average free VPN provider makes money.

I assume ad injection + selling traffic data, but does that make enough to offset the cost?


I believe at least one of the business models for "free" VPNs is to turn their users' machines into exit nodes, and the real business is in selling those to people who want to spread their traffic across many residential IPs for usually dubious reasons (e.g. scalpers trying to scoop up concert tickets or limited edition sneakers or whatever without tripping bot detection).


Hola VPN was exposed by Trend Micro as a botnet for rent (best source I could find, since the original white paper from Trend Micro seems to be gone: https://www.vice.com/en/article/pga9yk/your-tool-to-access-n... )

Facebook used their VPN Onavo to MITM users of Snapchat, Amazon, YouTube: https://techcrunch.com/2024/03/26/facebook-secret-project-sn... – somehow I had missed this; I was only aware of the much older scoop about Facebook using it to track underage users: https://techcrunch.com/2019/01/29/facebook-project-atlas/


>facebook used their vpn onavo [...]

It's worth pointing out that while it operated as a VPN (so it could capture traffic), it was ostensibly marketed as a "security" app (ie. scanning your web traffic for threats). It's not really a good example of shady VPNs.


AFAIK some free VPN providers use your own connection to offer residential IPs for scraping services or other VPN users.

I know I read an article about one where they at least routed some other traffic through the VPN app, but I can't find the article anymore.



dotzoltanbalazsdotcom.com is unregistered.

zoltanbalazs.com was registered in 2021.


Oops! Mistake on my part. Updated above.

Sadly, doesn't look like there's anything hosted on zoltanbalazs.com


I've never seen a whole lot of value in personal VPNs; it's basically trading one network that can observe you for another. Often with unverifiable claims about not observing you.

But, it can be helpful to trade one network's routes for another, in cases where direct routing between you and your desired peers is poor for whatever reason. And it's clearly useful for circumventing geographic restrictions (as long as those imposing the restrictions don't care to identify and restrict access through VPNs).


Mullvad and Proton at least have had their no logs policies court tested so I believe their claims.


Plex does not work for me on my AT&T fiber - some peering issue (or intentional throttling?!) that makes movies fail to playback 50% of the time as if I'm on dialup or something.

Got a cheap VPN to get around the issue and it works perfectly.


Yes, AT&T throttles Plex traffic. I don’t know if they could if FCC hadn’t killed Net Neutrality.


A lot of people have VPNs for single temporary reasons.

* In the Bible Belt (a.k.a. Christianstan) and some Muslim countries it is to access porn.

* In Canada and Mexico it is about accessing what Netflix doesn't provide to their countries.

* In hybrid offices it is about the second job that they do remote and hidden.

They want something simple for a couple of months and then just discard it. VPNs are good for that.


There are some states in the US that restrict access to porn?


Yes. Via the new age verification laws which require any site with a considerable amount of 18+ content to verify their users are 18+. This has passed in a few states. Leading Pornhub, and some other porn sites, to block access from those states.

The age verification laws are written pretty broadly and could be used to target a wide variety of content. Not just porn. Anything the state deems 18+ would require age verification.

These laws are facing some court challenges. If we're lucky, the laws will not survive.


The author calls it snake oil then lists legitimate reasons to use a VPN at the end


Say I sell snake oil, and I say it will cure cancer. Then Peter comes and buys it because he lubricates his discumbulator machine with it. It has a legitimate use, and maybe I even know that, but I still sell it as a cancer cure (which it isn't). It's still snake oil.


No better way to get traffic than rage baiting I guess.


Some college campuses (like the University of Texas system) block tiktok on wifi, so people are using VPN. (They could use cellular data instead, but that is often slower than campus wifi with VPN).


In my country ISPs are legally required to store metadata for all traffic so using a VPN protects me from that


Yes, in AU this, and so that websites don't know my real IP, are the only reasons I use a VPN.

I don't ever do anything illegal, I just don't like being tracked.


It’s true that their privacy promises are dubious…but they’re great for IP switching.

I run a low-volume scraper which benefits a ton from keeping the IP address fresh.

So I guess, in a sense, I’m grateful that enough people are paying for ~nothing to make the service pretty great.


Author is correct that TOR has better privacy than a better VPN because TOR means you are truly anonymous (assuming the network is not majority compromised).

However, bandwidth and latency on TOR suck, and in many cases the endpoint IPs are blacklisted to hell due to abuse. A VPN is a nice middle ground where you can put another entity between yourself and your traffic, which is valuable against most opportunist adversaries. If a TLA wants me and can get a warrant, not even TOR will save me, but a VPN keeps the ISP from selling my traffic and the media trolls from sending me grumpy letters because the neighbors keep using my wifi to watch free content.


> assuming the network is not majority compromised

There is no such guarantee AFAIK, as long as a bad actor controls all the nodes in YOUR route, they can deanonymize you.


I need a VPN to do a lot of stuff with crypto now because websites are blocking Americans. $5 a month and having to use it is annoying, but I'd have missed out on thousands of dollars of income if I wasn't using one.


Although I agree with the overall message, there are privacy concerns with OCSP[1] which are mitigated by using a VPN. When trying to use the web in a privacy-conscious way, it might actually be beneficial to your privacy. This is a very edge case though.

[1] https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...


I don't necessarily disagree that there's a lot of people being sold a VPN that probably don't need it, but VPNs still can be a legitimate tool. Even outside of the "well known" VPN uses like piracy, privacy (in an 'I trust it more than my ISP' fashion), and getting around geo-fences there's still uses for them. A couple of quick examples:

Getting around blocks or monitoring on networks like work WiFi. No need to tell my work I'm on Indeed, and for a little while they seemed to block my email provider (Proton) and reading my email is handy to be able to do.

For use as a network tool. For example, I was recently helping my brother set up a website, and with port forwarding he was able to really easily VNC into my VM I was working on it with.

VPNs can also be handy for the 'slightly suspicious stuff' that's not illegal. You know, things like an internet search about something you saw on TV or were just curious about that's not illegal to research, but you're worried it could be a suspicious search. Or maybe I want to use wget to grab an offline archive of a website, but don't want to raise alarms and get my IP banned.


In terms of privacy, there is one aspect you can gain:

Privacy from your ISP and government. Even the UK now mandates ISPs collect data on user behaviour "just in case" (Snoopers' Charter), and it has been confirmed one of the big three mobile networks has implemented this, but not which. It's bad enough trying to put up with big tech.


I run a commercial VPN service (Windscribe). Here are my thoughts on this.

At its core, a basic VPN is a trust shift service, nothing more. Do you trust your ISP less than some anonymous shell company owned by Siberian forest dwellers? In many cases, the answer is no.

That being said, depending on where you are and if you choose the "right" VPN, the answer could be yes. Here are some reasons why you may want to use a good commercial VPN, which goes beyond just the ability to tunnel your traffic through a remote endpoint:

- You are in Russia, China, Iran or other countries with heavily censored Internet. Over 3 billion people live in such places, or nearly 50% of the world's population.

- If you don't live in such places, laws in certain US states criminalize certain behaviors. This will only get worse, even in "western democracies". Using a quality VPN service is much better than barebacking the Internet.

- You want your traffic to be "lost in the crowd", something you cannot achieve with your Digital Ocean droplet, no matter how well you configure it. Changing your IP does absolutely nothing, save a few exceptions (piracy, or keeping an alter ego if your opsec is good)

- Additional features: server side DNS filtering / blocking. Yes you can use uBlock Origin, but not on mobile, and not outside the browser. Yes you can run Pi-Hole, and set up WG tunnels to your homelab. 99% of people won't.

- Advanced features: Companion browser extensions that block ads, trackers, malicious domains, mess with your browser settings to reduce chances of fingerprinting. Yes you can install 5+ different extensions to do that. Most people won't.

TL;DR: If you're an elite haxor, you can do everything yourself. You will spend time and money doing so. Most people will not bother or not be able to do these things, and a quality commercial VPN service can check a lot of the boxes I mentioned above. Just avoid the ones that advertise heavily; those are marketing / snake oil sales companies, as the author suggested.


Wouldn’t a VPN help protect against a targeted attack? Like an attacker could push bad JavaScript or app update to the user of a particular IP address. On DNS, it’s plaintext by default, and almost always not signed via DNSSEC. Such user could slightly benefit from a VPN from a security perspective.

VPNs also usually do ad blocking, and some limited malware scanning.

On privacy, there are many situations where a private IP address may be desirable, some of which are mentioned in this post. A VPN hides the traffic from the ISP, but also the user from the destination. On the latter, for instance, the websites could log IPs and that information could be sold or leak in the future.


"Also, as Encrypted Client Hello is about to start soon, it will be exponentially harder for eavesdroppers to figure out which sites you are trying to visit."

Exponentially? Can we see the data on that? Perhaps this word as used here is just a figure of speech.

"Tor Browser uses uncountable techniques that prevent tracking your browser."

Tor Browser has a number of popular browser "features" removed/disabled by default. As such the browser user does not need to do anything, no fiddling with poorly-documented options via about:config, user.js or whatever. IMHO, modifications like these would be useful even when not submitting requests through the Tor network. The question I have is why is there not a Firefox version that is like Tor Browser but without the Tor integration.

Perhaps the answer is because Mozilla is trying to perpetuate online ads, i.e., surveillance, data collection and tracking, as a "business model", such as the model adopted by Google. Mozilla is wholly dependent on financial support from Google. If Google's online ads business fails, Mozilla is out of options.

NB. I would never use Tor Browser. I am a text-only browser user and I prefer netcat and other TCP clients through one or more localhost-bound proxies for making HTTP requests. When I experiment with Tor, I use tor binary I compiled myself without relay module. In front of the tor SOCKS proxy, I use socat for requests to .onion sites that use HTTPS and tinyproxy for requests to .onion sites that use HTTP.^1

1. If anyone can explain why some .onion sites use HTTPS instead of HTTP, I would be interested to know the answer. AFAICT, most .onion sites use HTTP.

Tor reminds me of the early public internet. Submitting a request like an Archie search and having to wait seconds for a response. Also the number of .onion sites is relatively small. I like the uniformity of .onion addresses and the general absence of "vanity" names. And the search engine for it reminds me of the web pre-Google: like AltaVista, thousands of results are accessible. That's the way I like it. None of this collecting data from searches and trying to "guess" what someone is searching for (as Google does).


My use case:

- In a hotel or airport, a VPN can be used to bypass a DNS-based captive portal.

- Yes, true, hopefully all websites are encrypted with SSL, but still an attacker can easily fingerprint me through my internet usage; even though everything is SSL, there is still a lot of plain-text data flying around. So yeah, ProtonVPN, FTW.


>Yes true hopefully all website are encrypted with ssl, but still an attacker can easily fingerprint me through my internet usage

So an "attacker" can figure out that you browse hacker news. Who cares?


I care, and my feeling is that more people do each day as they become aware of how tracked they are. Why does anyone need to know anything about me - it feels like a violation. There are all sorts of possible costs to that, but I think many of us value privacy on its own.

But as for an attacker - maybe they discover something about you from one compromised service and correlate it to something else. Or maybe they extort you in some way. Who knows - there are many possibilities and it’s safer to reduce exposure.


The thing I never hear mentioned is when your home ISP (or say your favorite cafe's) is known to use your traffic data for marketing purposes or sell it outright. I trust Mullvad farther than I trust my ISP. I could switch ISPs, but my only option is Comcast and they're even sleazier.


Cannot use Torrent on my ISP.

Can use Torrent on VPN.


The article itself refutes the claim in its title. VPNs have legitimate uses, where they are the most attractive option to complete a certain goal. The article itself is listing these use cases.

But yes, VPN advertising preys on people's unfounded fears.


I wanted to use one to watch Gardener's World from the BBC and it doesn't even work (I'm in France and the program is UK-only for a reason that no one really understands)

same goes for watching Netflix from other countries, VPNs are basically useless


Watching BBC iPlayer via VPN is hard, mainly because it’s in the interest of the BBC to avoid eating the cost of serving the world for free. And VPN traffic is easy to spot, if you’re looking for it. I’m assuming the BBC invests a lot of resources to fence off non-paying foreign viewers.

But this is a BBC specific problem, most of the other European geofencing is quite weak and getting access to most other public broadcasters works just fine with a proper VPN.


it's sad, cause it's a GREAT program (which I have to watch on YouTube where people upload episodes)


nobody going to point out that using a VPN for region bypass gets you blocked on Wikipedia, banned on your banking, shown captchas left and right by Cloudflare... but Netflix and Disney+ all work perfectly?

:pondering emoji face


Everyone is pointing out that the article shoots itself in the foot by giving three very good reasons for VPNs and dismissing them. But I think there's a fourth reason that isn't mentioned:

The US doesn't have reasonable privacy laws and I don't trust my VPN to not sell my browsing history to anybody with two pennies to rub together.

Yeah, I can (and do) use DNS over HTTP, but the ISP still knows what IPs I am connecting to. It's trivial to find out what domains are hosted there.


I use speedify to channel bond wifi and mobile when the wifi is not super reliable. It works great when walking around outside and eduroam works for 20m at a time.


There's a fourth use-case: occasionally, gaming.

I play Final Fantasy XIV, an MMORPG - apparently, supposedly, the peering connection between AT&T and FFXIV's US ISP (NTT) was particularly bad. [1]

This manifested as pretty severe connection issues for AT&T customers playing FFXIV. Except, it was a chronic issue that would only flare up when that particular connection point was stressed.

One of the easiest workarounds? Hop on a VPN.

That's one example. Anecdotally, I have a few friends that toggle VPNs on and off when they encounter "network weather" in games. Personally, I'm a bit skeptical they're truly so often mitigating problems by toggling a VPN (instead of, say, just waiting a couple minutes), but hey, they swear by it.

[1]: https://forum.square-enix.com/ffxiv/threads/482155-Bad-lag-a...


Yeah, no.

> OK, but what about my DNS and TLS records being exposed to everyone so they can follow what I am doing? In a public place, anyone can look at your display already. Or, if you are worried about your ISP selling your traffic data, there are better options for you. Use DNS over HTTPS, for example. You have to use a VPN provider you trust better than your ISP/Wi-Fi provider. Also, as Encrypted Client Hello is about to start soon, it will be exponentially harder for eavesdroppers to figure out which sites you are trying to visit.

Encrypting DNS is a nice start, but the ISP can still see the IPs you're connecting to, which is enough for a lot of sites, and "Encrypted Client Hello is about to start soon" is a lot of words to say "today, your ISP can see the domain on every HTTPS connection you make". So no, distrusting my ISP is absolutely a compelling reason to use a VPN. (And lest you say "but do they actually spy on you?", I literally got a letter from AT&T informing me that they were going to start monetizing information mined from my connections.)

> But if you care about privacy, the answer is always ToR, ToR browser or Tails, and never VPN. Except in cases where you first have to hide your ToR usage using a VPN, which is a rare exception among users. If you don’t understand why you would need that, you probably don’t need that complexity. Tor Browser uses uncountable techniques that prevent tracking your browser. And if your privacy is essential against local Wi-Fi attackers, your ISP, why is the ad industry not in scope? Adblockers are only half the solution against tracking.

I mean, yeah I also use uBlock, but TOR makes harsher tradeoffs than are necessarily needed (multiple hops is really safe but also really slow). I'm just hiding from my ISP's prying eyes; I explicitly don't include the NSA in my threat models and lesser methods are Good Enough™ for websites tracking me.


ECH is not starting soon. CloudFlare haven't rolled it out to everyone and good luck finding a constant setup for it.

There are some experimental servers for it, but basically not supported anywhere.


I view it as more moving the problem.

Instead of police kicking down ISP doors they kick down VPN runners doors.

Sorta ambivalent towards them overall. Just don’t have a big use for them


I thought many people used VPNs so that they could connect to a host in Canada or Mexico to use BitTorrent to download videos in the US.


Heartened to see that porn consumption is one of the few recommended use cases for a personal VPN


Digital Ocean droplet and Tailscale?


The "DIY VPN" is worse for 3 reasons:

1. it's more expensive than commercial VPNs, which you can often get for <$3/month, or even less with promos/cashback sites

2. you're limited to one region, which means you can't use it as effectively for geoblock evasion purposes.

3. you get less anonymity because you get a static IP that's assigned to you only, as opposed to a commercial VPN provider where you can connect to hundreds/thousands of servers, each of which is used by probably hundreds of users.


If a VPN provider doesn't keep logs and if their routes to you are not being tapped for packet timing correlation then they are superior in privacy to DIY VPNs due to them laundering your connections/packets with multiple other people.


The author specifically excludes "Company VPNs" and VPNs to "phone into your home network" from the scope of the article.


"One massive problem with personal VPN services is that they are working to fail open. If the connection fails, your connection is not “protected” anymore. Some premium VPN providers sell “kill switch” functionality, but I am sure less than 1% of the users use this properly."

There's a very, very easy way to solve this problem:

  vpn_command ; ip link set ens160 down

... or whatever ... this way, if the VPN exits you are immediately bringing your network down. Very simple and robust.

A 'network slug'[1] is an even more robust - and network-wide - mechanism for enforcing your VPN. If you are serious about avoiding misconfiguration or opsec failures you should have a network slug as a physical choke in your PHY.

[1] A "slug" is a layer-2 bridge, with no IP address configured, that still enforces a TCP/IP whitelist. So it does not "use" a hop on the network route, and you can't see the device, but as it bridges traffic it enforces a (very simple) ruleset:

https://john.kozubik.com/pub/NetworkSlug/tip.html
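The `vpn_command ; ip link set ... down` pattern above closes the window after the VPN process exits, but nothing stops traffic in the moments before the tunnel is up, or if the process hangs without exiting. The following is an added example, not code from the article, the commenter or the network slug page: it expresses the fail-closed version of the same idea as a host firewall policy whose default is drop, with only loopback, the tunnel interface and the VPN server's own endpoint allowed out of the physical interface. The interface names (`eth0`, `wg0`), the server address 203.0.113.10 (a documentation prefix) and port 51820 are placeholders; `policy_allows` re-evaluates the same rules in Python so the policy can be checked offline, and `run_vpn_fail_closed` is the wrapper that would apply the ruleset with `nft -f -` before starting the client (requires root and nftables; not exercised here).

```python
import subprocess
import sys

# Placeholder configuration for the example. 203.0.113.0/24 is a documentation
# range; substitute the real VPN endpoint and interface names.
CONFIG = {
    "phys_if": "eth0",          # physical uplink that must never carry plain traffic
    "vpn_if": "wg0",            # tunnel interface (WireGuard here; tun0 for OpenVPN)
    "vpn_server": "203.0.113.10",
    "vpn_port": 51820,
    "proto": "udp",
}


def kill_switch_ruleset(cfg: dict) -> str:
    """nftables ruleset: default drop on output, so the box stays dark until the
    tunnel exists. The inet family covers IPv6 too, a common leak path."""
    return (
        "table inet killswitch {\n"
        "  chain output {\n"
        "    type filter hook output priority 0; policy drop;\n"
        "    oif lo accept\n"
        f"    oif {cfg['vpn_if']} accept\n"
        f"    oif {cfg['phys_if']} ip daddr {cfg['vpn_server']} "
        f"{cfg['proto']} dport {cfg['vpn_port']} accept\n"
        "  }\n"
        "}\n"
    )


def policy_allows(cfg: dict, oif: str, daddr: str, proto: str = "udp", dport: int = 0) -> bool:
    """Same decision the ruleset above makes, evaluated in Python so the policy
    can be reasoned about without root. Anything not matched is dropped."""
    if oif in ("lo", cfg["vpn_if"]):
        return True
    return (
        oif == cfg["phys_if"]
        and daddr == cfg["vpn_server"]
        and proto == cfg["proto"]
        and dport == cfg["vpn_port"]
    )


def run_vpn_fail_closed(cfg: dict, vpn_cmd: list) -> int:
    """Apply the drop-by-default policy first, then start the client. The rules
    are deliberately NOT removed when the client exits: that is the difference
    between fail-closed and the 'bring the link down afterwards' approach."""
    subprocess.run(["nft", "-f", "-"], input=kill_switch_ruleset(cfg).encode(), check=True)
    return subprocess.run(vpn_cmd).returncode


if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--apply":
        sys.exit(run_vpn_fail_closed(CONFIG, sys.argv[2:]))
    print(kill_switch_ruleset(CONFIG))
    # Tunnel down: ordinary HTTPS out of the physical interface is dropped.
    print("leak while tunnel down:", policy_allows(CONFIG, "eth0", "93.184.216.34", "tcp", 443))
```

Without `--apply` the script only prints the ruleset and shows that a plain HTTPS flow over `eth0` is denied; with `--apply` followed by the client command it installs the policy and then launches the client, which is the order that matters.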


Try to travel the world and access financial or governmental institutions, then tell me about usefulness / uselessness of VPN.


It's baffling that banks/governments that do GeoIP based risk assessments (i.e. the ones that would lock your account if you tried logging in from a random country) wouldn't flag logins from a VPN/datacenter IP. Those basically tell you nothing about where the user is actually logging in from, and they should therefore treat them as if you're logging in from a random country.
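The point that a hosting or VPN exit address should be treated as "location unknown" rather than as the exit's country is easy to encode on the defender's side. The following is an added example, not code from the article or any commenter: a small login-risk check that consults a constructed stand-in for a GeoIP/ASN database (documentation prefixes from RFC 5737 and RFC 3849 with made-up labels; a real deployment would query a commercial database instead) and steps up authentication whenever the source is a datacenter/VPN address, even when that address geolocates to the customer's home country.

```python
import ipaddress

# Constructed sample intelligence data. The prefixes are documentation ranges
# and the labels are invented for this example.
IP_INTEL = [
    (ipaddress.ip_network("198.51.100.0/24"), {"country": "US", "type": "residential"}),
    (ipaddress.ip_network("203.0.113.0/24"),  {"country": "NL", "type": "hosting"}),   # VPN/datacenter exit
    (ipaddress.ip_network("2001:db8::/32"),   {"country": "DE", "type": "residential"}),
]

# Address types whose geolocation actually says something about the person.
TRUSTED_LOCATION_TYPES = ("residential", "mobile")


def lookup(ip: str) -> dict:
    """Longest-match-free lookup is fine for this tiny non-overlapping table."""
    addr = ipaddress.ip_address(ip)
    for net, info in IP_INTEL:
        if addr in net:
            return info
    return {"country": None, "type": "unknown"}


def login_risk(ip: str, home_country: str) -> tuple:
    """Return (decision, reason). 'step-up' means require a second factor or
    an out-of-band confirmation before letting the session proceed."""
    info = lookup(ip)
    if info["type"] not in TRUSTED_LOCATION_TYPES:
        # A hosting/VPN/proxy address tells us nothing about where the user is,
        # so its country must not be used as evidence that the login is local.
        return ("step-up", f"source type {info['type']}: location unverifiable")
    if info["country"] != home_country:
        return ("step-up", f"country {info['country']} differs from home {home_country}")
    return ("allow", f"residential address in home country {home_country}")


if __name__ == "__main__":
    for ip, home in (("198.51.100.7", "US"), ("203.0.113.5", "NL"), ("198.51.100.7", "FR"), ("192.0.2.1", "US")):
        print(ip, home, login_risk(ip, home))
```

The second case is the one the comment is about: the exit is in the Netherlands and so is the customer, yet the decision is still step-up, because the match is between the VPN server and the customer, not between the customer's device and the customer.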


This is generally true. These VPN services are security theater as tracking has moved beyond IP address. They are likely masking other more nefarious use cases; and in many cases, deliberately and willfully aiding and abetting therein (for example forwarding BitTorrent traffic to other "Non-Copyright/DMCA Participant" countries, forwarding users through faux residential IPs for 'streaming', etc.).


baby's first regex! oh so cute, here let me feed you more periods


I just noticed newlines are rendered on Algolia: https://hn.algolia.com/?query=regex%20feed%20periods&type=co... This can be useful when people attempt bullet point lists

Anyway is this comment a reference to the domain? I don't understand what you mean


Another interesting point is that VPN providers have access to server-side keys and, obviously, the processes. This just makes the VPN provider the new ISP.

There's no guarantee that VPN traffic isn't being decrypted and inspected

"just trust us, bro. look at our popsec influencer approvals, bro."


It’s not that deep. People want to download shit and watch Netflix


Fuck that is a good domain name


Back in the 90s, early 2000s, in Australia, there was an ISP called Dot, IIRC.

In an attempt to be edgy, their website was at:

triplew.dot.net.au

"triple w dot dot dot net dot au"


Argument is based on the assumption that "probably only one percent of users correctly use a kill switch", and in general shows a low level of understanding of threat models and the Swiss cheese security model. Author assumes to know the intentions of VPN users and asserts users are dumb, also throwing unnecessary barbs at "wannabe hackers". Unprofessional article, bad advice, no differentiation between non-logging services and services like NordVPN that bundle Google Analytics and tracking into their application.

My take? Do a threat assessment, build a threat model, know your adversary be it your own ISP selling your data or protection against hostile state entities when traveling overseas. There are many valid uses for the various types of commercial VPN and instead of an objective look at these services the author walks in with an assumption that they are all the same and never provide value to their customers, then bends over backwards to attempt to make weak arguments against a vast category of service.


I think this is one of the biggest misunderstandings about security: that there's one linear scale and that every solution can be assigned a generic positive/negative delta on that.


Yep, HN is definitely not the article's target audience.


VPN or not, the biggest MITM threat to privacy on the web is Google. They may not be actively malicious and steal your bank info, or do other nefarious stuff, but they will always oppose end-to-end encryption. Google's stance is to lock out the competition under the guise of "protecting" users, so only they can spy on user data.

