Don't use VPN services (gist.github.com)
384 points by miles on Feb 13, 2018 | hide | past | favorite | 195 comments



This seems like bad advice because it doesn't address the legitimate need for keeping your browsing history private from overzealous, data-mining ISPs [1].

And even in the case of a known-hostile ISP that engages in invasive practices like supercookies or ad injection, it's unrealistic to ask users to set up and maintain their own VPS servers.

For the average internet user, a "glorified proxy" service that is hassle-free to set up is a simple and effective means of protection against such a menace.

[1] https://techcrunch.com/2017/03/29/everything-you-need-to-kno...


It seems like bad advice because it is, frankly, just bad advice. Nearly all of his arguments fall down, even within his own post.

He says that VPN providers don't provide more security. They do, and he mentions this himself when it comes to the public wifi argument.

He says that VPN providers don't provide more encryption. They do. Another layer of transport encryption is another layer of transport encryption.[1]

He says that VPN providers don't provide more privacy. They do. Turns out a lot of networks do things like log DNS, which a decent VPN client can tunnel.[2]

He says there are two use cases for VPNs: There are a lot more.

He says that tunneling all of your traffic is a worse case for obfuscating your identity to a third party service. It's not, or at least I can't imagine how it would be.

He says that instead of a VPN, you can use a VPS with a VPN: That's just a VPN. It does all of the same things, including being outsourced to a third-party provider, except you lose a ton of the functionality of a real VPN service like geographical redundancy and spread.

He asks why VPN services exist, if for any other purpose than stealing traffic or data, but fails to understand any way in which a VPN service could be useful.

The entire piece is just the opinions of someone who is failing to see that other people have significantly different use-cases and threat models than he does.

-

[1] Especially if you think of "local -> internet" as easier to intercept than "somewhere internet -> otherwhere internet". Which it usually is. One involves something dumb simple like ARP poisoning. Another involves compromising a telco or the VPN provider itself, which is a teensy bit harder. All of this is even sillier if you consider the hostile-network scenario as well.

[2] Yes, you are offloading 'trust' that the VPN provider doesn't also log your DNS. There's more chance that they don't when they say they don't, than your corporate network doesn't when they say they do.


A VPN tunnel in the abstract provides the benefits you mentioned, but a VPN service is a slightly different beast. It doesn't solve the problem with your untrusted ISP, it just gives you effectively a different untrusted ISP.

Imagine if, in response to the question, "how do I protect myself from snooping ISPs" someone provided the answer, "Just use an ISP that specializes in providing anonymity." You'd probably object on the following grounds:

* Saying you provide anonymity doesn't mean that you actually do. And track records tend to demonstrate otherwise.

* Your ISP still knows exactly who you are, even if they promise not to tell.

* ISPs who specialize in shady customers are more likely to be under surveillance themselves, meaning you're now more likely to be under surveillance rather than less.

* You're solving the wrong problem: you need end-to-end privacy, not just customer-to-ISP

You'd be right. But more importantly, these same objections apply to VPN providers. They more-or-less ALL specialize in aggregating known-suspicious traffic, which is not the bundle you want to be tied in with.

In fact, any argument you could make against using a Cloud VPN endpoint can also be made against a VPN service provider. Because, and this should be painfully obvious already, VPN providers just terminate their traffic through Cloud and/or Colo hosting providers as well; usually optimized on bandwidth cost over all else. So by setting up your own VM, you're just cutting out one of the middle men. There's nothing they can do that you can't do just as well without them.


> There's nothing they can do that you can't do just as well without them.

That applies to any service out there. Are you running your own mail server?


It gives me a different untrusted ISP and transport layer encryption between my machine and the VPN endpoint. Which, y'know, you admit to later in your comment, so you clearly know what's up, but that's not exactly a minor thing. There's a couple of parties between myself and my content, and this just eliminates the bit players. Y'know, the nerds on public wifi.

And, yeah, I could set up my own VPN on a VPS I rent. They're only $5 a month. I'd just need a couple in the USA, a couple in the UK, a couple in a few different EU countries, a couple in Australia...

The service I pay for from a VPN provider is not ultra secure. It's not even above average secure. It is, however, somewhat secure. And yeah, sometimes it lumps me with "known-suspicious traffic", but that's okay: What I'm doing is completely irrelevant to that fact.


There is less of a chance that the Colo or shell account you are using to run psybouncer will hand over anything to anyone before you wipe the machine than there would be directly connecting to a VPN service. I think this is addressed to average Joe Americana who clicks the protect button in Facebook.


Your argument for VPN tunnels in general makes sense, especially if you're on a hostile network, and that includes hostile ISPs you feel you can't trust.

Your argument for VPN services completely forgets that a VPN service in this regard is just another ISP.

How do you know you can trust this ISP any more than the one you're already using?


A VPN service provider is not an ISP in the single way that is most important to me: In a "my government mandates that ISPs perform metadata collection" kind of way.

My ISP tells me that they do, indeed, operate legally and collect metadata. They tell me that they do, indeed, inject JS sometimes. They tell me that they do, indeed, reserve the right to resell my anonymised data for marketing purposes.

My VPN service provider tells me that they do none of these things, and in fact have been reported in the tech media for telling courts to kindly go fuck themselves when it comes to logging.

Who do I trust collects less data? Well, to be honest, I'm 100% certain that the ISP is doing the things it tells me it's doing. I'm not 100% certain that the VPN provider isn't doing things it tells me it's not, but it's a damn sight sure less than 100%.

And, y'know, despite all that rhetoric: The main thing I use my VPN provider for is to watch the US version of Netflix.


"How do you know you can trust this ISP any more than the one you're already using?"

Simple. For example, you live in a country where ISPs are allowed to do whatever they want (or forced to do what government/letter agencies want), so if you value your privacy and data, you use a VPN company that's based in a country where private data is respected and protected by law.


Well, the opposite is quite common.

Your ISP has strong laws that require a court order for anyone to take a peek or identify you. Your VPN provider does not but can legally do whatever they want with your data. Mining, providing/selling personal information etc. (and they are equally forced to reveal everything asked for when faced with a court order).

The combination of using a service such as a VPN (drawing attention to your activities) with less legal protection is in my opinion the biggest argument against using a VPN.


Yes, but it's much easier to choose/change VPN than ISP, because VPN providers usually are not geographically bound, as opposed to ISPs, where it's not uncommon to be stuck with a single ISP available. Furthermore, if you have a reputable ISP and your traffic is not being filtered/snooped, there aren't many reasons to use a VPN service at all.


Yes, but these are points that are very seldom brought up at all in these contexts yet they are quite important.


And how can you know this VPN provider is not a honey-pot setup by the same forces/agencies you are trying to avoid?


If you are such a high-level target that these agencies went out of their way to setup honeypot for you, no VPN will save you anyway. But in realistic case, nobody is going to setup honeypots just to capture your porn search history.


He's apparently never been to China... or he'd already understand "Why VPNs".


> There are roughly two usecases where you might want to use a VPN:

>

> You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.

I think that covers the case you're worried about.


Well, an entire country that is behind a firewall that dynamically blocks huge swaths of content by randomly slowing it down and dropping packets... is a little different than an ISP that uses MITM. The problem is not that they are spying on you when you use https, it's that you can't even get your email, search using google, check out your code, or get to your financial information at all.

You can forget Github, Facebook, Instagram, NYT, but I'm not even trying to use those... I want to get my damn work done. If all my contacts were on WeChat, I only wanted to use Weibo, and could search using pinyin, I might be fine.


Like most controversial technical advice, the point is not to educate but to pontificate. In addition to attention-seeking, the author's previous Github gists and associated twitter drama suggest a pathological need to be the "smartest" guy in the room.

Ugh.


It was addressed, indirectly, at the end - "You are on a known-hostile network". In my case, one of my links is Comcast, a known-hostile network.

I agree it should have been much more prominent, because this is exactly why I use one, and why many folks I know use one.


"a known-hostile network"

aka "the internet"...


Good, I want to be known as actively hostile


"it's unrealistic to ask users to set up and maintain their own VPS servers."

I think that sshuttle[1] changes that calculus.

sshuttle allows you to make any ssh server a VPN endpoint. So you don't need to configure IPSEC or make an SSH tunnel or anything like that - you just need a login on an ssh server somewhere.

[1] https://github.com/sshuttle/sshuttle


AFAIR, it doesn't work for Windows clients, which are a rather large user segment. Still, it is impressively simple to use for Linux and OSX users.


... and it works for FreeBSD and as of our (rsync.net) sponsorship of work done last year, has DNS support in FreeBSD with ipfw as the backend.


And (for some of us) even regular/non-malicious but law-abiding ISPs, who're now required by law to keep logs of your "metadata", aka which websites you visit...

https://www.ag.gov.au/dataretention


VPN providers have just as much insight about your traffic as your ISP... it's just a matter of time before they monetize it... and they both know who you are (unless you are very very very careful, which is almost impossible).


Negative on that: all a VPN provider knows about me a priori is my IP (and all that comes with that, like ISP and rough location) and which monero payment ID I used to pay it with (which is entirely useless). In contrast an ISP knows everything: my address, name, bank account, contracted service, fiscal number, etc.

If either of them is going to use my traffic data against me, I'd rather it be the former, who I can easily replace within minutes and has less information about me.


It does not totally invalidate the benefits you mentioned but from what I've heard there are mature commercial services that map consumer IPs to meatspace IDs (name, phone number, address, household income, credit score, etc). The ad industry is both a consumer and a producer of these databases for obvious reasons. Highly likely that multiple levels of law enforcement have access to them as well.


VPN providers are replaceable in ways in which last-mile ISPs are not, so they have more of an incentive not to trash their reputations.


This gist was also written in 2015, I think the knowledge of ISPs data-mining is more public now (even though it was likely going on then anyways in some format)


Yeah. My ISP has sold data on customers before, which is why I use a VPN.

I chose one which seems moderately high profile (where a court case could ruin their reputation), and they are apparently planning on supporting wireguard later on. Seems I picked the right one :)


Have you ever considered it would be easier for the government to pay the VPN providers a large sum to hand over the data, avoid a big public lawsuit, and silently mine all the data without having to break the encryption?


The ISP and the VPN providers are already mandated by law to hand over my data at any government request, but a VPN provider is not required to store data for 6-24 months. That is not what I'm afraid of.

I just trust my VPN provider more than my ISP. The data policy of my VPN is much better: they cannot legally sell my data, whereas my ISP makes no such promises.


Don't get me wrong - I pay for a VPN subscription too for when I'm travelling/public wifi, but it's much easier to quietly hand VPN providers a nice sum of money for them to just hand over the keys. Everyone leaves happy.

Based on that, I believe if you want an extra level of security for every day use, then go for a big VPN co. If you're doing highly sensitive style stuff, then there's probably better software and services out there. It's all about your threat model I suppose.


I am using mullvad.net, which I would consider large enough.

They operate in a jurisdiction where I can actually hold them liable and where I know which of their claims are legally binding.


Who do I trust more Comcast (ISP) or F-secure (VPN)? Pretty easy answer...


None of them?


> doesn't address the legitimate need for keeping your browsing history private from overzealous, data-mining ISP's

I think the point of the article is that an arbitrary VPN provider is really no different than an overzealous, data-mining ISP. Unless people can trivially join some sort of anonymized, decentralized mesh network, they are going to be forced to trust a third party at some point.


This is throwing the baby out with the bathwater. Yes, you should assume that your VPN provider is 100% logging your IP, traffic, referrer, etc., but you should also assume that any public wifi is being sniffed. A VPN won't magically hide your traffic; you're shifting the attacker in the threat model. But all this also means that a VPN provider is less dangerous than public wifi is, which is really the reason you should be using VPNs.


If you already have an SSH client (which implies that you have somewhere to SSH to) and Firefox installed on your machine (not sure about Chrome) then you can prevent public wi-fi snooping right this very instant with a SOCKS proxy. This requires no new software on your machine, no money to change hands, and takes literally 30 seconds to set up. VPNs are overkill for that use case.


Only for firefox's traffic. There's almost certainly other software on your machine using the network and thus not going through the proxy unless you explicitly tell it to.


I'm pretty sure you could use https://github.com/sshuttle/sshuttle though I haven't looked into it (does it proxy DNS? UDP? DHCP? I'm not sure)


Just a note, it doesn't work with Windows, only Linux and OSX.


Indeed, I had tunnel vision and was thinking only of web traffic. But at the same time, what software other than web-browsers-connecting-to-HTTP-sites is attempting unencrypted network communication? If there are any system updaters or package managers trying to do their job over plaintext, that's important for people to know!


DNS lookups are generally unencrypted, no?

w/r to package managers, apt is usually unencrypted. Of course, there's signature validation that makes sure you don't get altered packages, but traffic can be snooped none the less.


You can ask Firefox to do the DNS lookup at the proxy end, as long as it supports SOCKS5 (I tunnel from my Windows machine to a remote Linux VPS using PuTTY, and this setup works great)
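The difference between the two SOCKS setups above (the browser resolving names itself versus asking the proxy end to do it) comes down to one byte in the SOCKS5 CONNECT request. The following is an added example, not code from the thread, OpenSSH or Firefox: it encodes the RFC 1928 request the way a client behind `ssh -D` sends it and parses it the way the proxy end sees it. The hostname, the 203.0.113.5 / 2001:db8::1 answers and the `resolve` lookup table are constructed for the example.

```python
"""SOCKS5 CONNECT: who resolves the hostname?

Address types in the request: 0x01 IPv4 and 0x04 IPv6 mean the client
already resolved the name (so a DNS query left the local network);
0x03 means the proxy receives the name and resolves it on its side,
which is what Firefox's "Proxy DNS when using SOCKS v5" turns on.
"""
import ipaddress
import socket
import struct
from typing import Callable, Dict

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def greeting() -> bytes:
    """Method selection: version 5, one method offered, 0x00 = no auth
    (what an `ssh -D` loopback listener accepts)."""
    return bytes([SOCKS_VERSION, 0x01, 0x00])


def build_connect(host: str, port: int, remote_dns: bool,
                  resolve: Callable[[str], str] = socket.gethostbyname) -> bytes:
    """Encode a CONNECT request for host:port.

    remote_dns=False mimics a client that resolves locally and sends the
    IP (the leaky setting); remote_dns=True sends the hostname instead.
    `resolve` is only called in the leaky case, so callers can pass a
    constructed table instead of hitting real DNS.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    head = bytes([SOCKS_VERSION, CMD_CONNECT, 0x00])
    if remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for ATYP 0x03")
        addr = bytes([ATYP_DOMAIN, len(name)]) + name
    else:
        # This is the DNS leak: the name hits the local resolver, on the
        # same untrusted network the proxy was supposed to bypass.
        ip = ipaddress.ip_address(resolve(host))
        addr = bytes([ATYP_IPV4 if ip.version == 4 else ATYP_IPV6]) + ip.packed
    return head + addr + struct.pack("!H", port)


def parse_connect(req: bytes) -> Dict[str, object]:
    """Decode a CONNECT request as the proxy (sshd) sees it and report
    whether the proxy, not the client, is the one resolving the name."""
    if len(req) < 4 or req[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if req[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = req[3]
    if atyp == ATYP_IPV4:
        end, host = 8, str(ipaddress.IPv4Address(req[4:8]))
    elif atyp == ATYP_IPV6:
        end, host = 20, str(ipaddress.IPv6Address(req[4:20]))
    elif atyp == ATYP_DOMAIN:
        if len(req) < 5:
            raise ValueError("missing domain length")
        end, host = 5 + req[4], req[5:5 + req[4]].decode("idna")
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(req) != end + 2:
        raise ValueError("truncated or trailing bytes in request")
    (port,) = struct.unpack("!H", req[end:end + 2])
    return {"host": host, "port": port, "proxy_resolves": atyp == ATYP_DOMAIN}


def leaks_dns(req: bytes) -> bool:
    """True when the client sent an already-resolved address, i.e. the
    lookup happened on the local network before the tunnel."""
    return not parse_connect(req)["proxy_resolves"]


if __name__ == "__main__":
    table = {"example.org": "203.0.113.5"}  # constructed answer
    for remote in (False, True):
        req = build_connect("example.org", 443, remote, table.__getitem__)
        print(req.hex(), parse_connect(req), "leaks DNS:", leaks_dns(req))
```

The same check applies to any SOCKS-capable program, not just Firefox: curl's `--socks5-hostname` sends the 0x03 form, while plain `--socks5` resolves locally first. A quick way to confirm what your own setup does is to capture port 53 on the local interface while browsing through the proxy; with proxy-side resolution there should be nothing there.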


environment variables


Another good alternative is to use sshuttle [0] which can tunnel all traffic that you instruct it to. It's quite simple to run as well.

[0]: https://github.com/sshuttle/sshuttle


Very useful for the ~12% of desktops on macOS or Linux.

Not at all useful for the single largest desktop OS, Windows.

Even less sensible for the majority of Internet traffic, which is now on a mobile OS.


I have long wished for a port of sshuttle to Android; it should work fine, since Android has a native VPN API and working SSH clients.


Or do it for everything with sshuttle and don't worry with changing settings in Firefox.

https://sshuttle.readthedocs.io/en/stable/

<edit I guess should read other comments before posting>


> But all this is also means that a VPN provider is less dangerous than public wifi is

Is it really? I guess it depends on what sort of threat you are trying to protect yourself from.

Using public wifi lots of places leaves different traces at completely disconnected ISPs/service-points. For an attacker, obtaining and correlating all these is probably not a realistic option.

Consistently using a third-party VPN service (as opposed to hosting your own) centralizes all your data in a single point which is much easier to target.


Yes, I agree that this is overly generic. But it's important to realize that most people don't have the technical knowledge to approach this from a nuanced perspective. For them, it is all or nothing.

I wrote a post pretty similar to this about Tor several years ago. That's even worse than a VPN.


I suggest people look up "The Market For Lemons"[1] as it is a good warning for what can happen to markets with extreme information asymmetry. VPN providers, like many tech companies, have a huge information asymmetry over their customers. There is no way to really verify many of the claims that a provider is making, especially when it comes to something like logging. The result is that the consumer can't actually distinguish a low quality product from a high quality product. This creates a disincentive for companies to actually provide a high quality product when they can provide a product that is lower quality and cheaper to produce and still pull in the same revenue from users. If this is allowed to go on without any form of third party intervention, the end result is a market filled with products of dubious quality.

[1] - https://www.iei.liu.se/nek/730g83/artiklar/1.328833/AkerlofM...


It's not clear to me that you're referencing data asymmetries in the same sense Akerlof does.

"Lemons" discusses a buyer and seller having different levels of knowledge about a product, not necessarily one another. The result, in the essay, is that buyers presume lower-quality product, and something of a self-fulfilling prophecy emerges in that sellers are aware that high-quality product won't trade on the market.

This is one of several types of Gresham's Law dynamics, where Gresham's Law can be generalised to describe both asymmetries of information and constraints on complexity.

The knowledge of the counterparty case verges more on one of control, in being able to know the other party's interests, motives, and/or vulnerabilities. That's ... well outside the scope of "Lemons", and has far more to do with power and control dynamics.

(Though it might also result in presumptions on the part of customers of such a monopoly.)

Part of the answer, in both cases, is to provide more information or trust through various mechanisms, including regulation, audits, etc.

The part of the ISP market which is as described in "Lemons" is in knowing what information is or isn't collected, and how it's used. The inability to do so does lead to race-to-the-bottom tendencies, a phenomenon also frequently described as "a (sort of|kind of) Gresham's Law".

Searching for variants of that phrase within Google Books is quite interesting. Examples include: legal citations, neighbourhoods, immigration/immigrants, coin, politicians, divorce law, environmental regulations, mass / popular media, television, bicycles, software, consumer electronics, and more.

See also: the Tyranny of the Minimum Viable User https://www.reddit.com/r/dredmorbius/comments/69wk8y/the_tyr...

I've also explored Gresham's Law quite a bit: https://www.reddit.com/r/dredmorbius/search?q=%22gresham%27s...


The information asymmetry I was referencing was simply the knowledge of whether data is or is not recorded and how much is recorded. A VPN service that records more data is what I would consider a lower quality product and a lemon. Once a company starts collecting information it can use that data for a variety of other purposes such as selling it to advertisers. That extra revenue stream is what would make a lower quality VPN product cheaper than a higher quality one with no logging.

Also the end result of a market full of lemons is something that develops over time. I don't think the VPN market is mature enough for buyers to have learned to presume a lower quality product. I would even argue that the information asymmetry is so extreme in the case of VPN services that a user can purchase a product, use it for years, and still not be able to accurately assess its quality. This would slow down the development of a true market for lemons.


Fair enough.

The "Market for Lemons" dynamic has an earlier precursor, the horse trader. In looking up Gresham's Law references, I've run across H.L. Mencken's "Bayard vs. Lionheart" (1926), which references "David Harum". That was a novel, and film, and later (after Mencken's writing) a radio serial, about a horse trader.

Horses, as complex and nonuniform goods, had developed a reputation for unreliable and underhanded dealing. The lasting legacy of the novel itself is the expression "horse trading".

https://en.wikipedia.org/wiki/David_Harum

https://amomai.blogspot.com/2008/10/hl-mencken-bayard-vs-lio...


It’s actually ironic that it requires hard work and money to stop modern software from becoming data hoarders.


Exactly what you say. Maybe the solution is to use two VPNs. That way the second doesn't know your home IP and the first has no info on the content. Like a home baked Tor.


You don’t think a legal authority wouldn’t subpoena both?


I think that’s not his point. There is a probability p that a VPN provider is not providing the service they advertise (i.e. a lemon). But the probability that both are lemons becomes p^2, which is much lower (subpoena-ing a provider that maintains no log is useless).

Where it breaks I think is that you can chain as many VPNs as you want, only the last one sees what you are downloading, the others only see traffic to another VPN. So the authority just needs to subpoena that one.


First, they can be in different jurisdictions. Second, it depends on what threat model you use; I for one am hiding from my ISP, not the government.


The performance hit would be enormous


Why? Obviously latency would spike, but bandwidth should be fine.


Generally speaking, tunneling TCP inside TCP is a bad idea. Yes, it’ll “mostly” work with the added latency you mentioned, but it can go very poorly if the network starts having packet congestion or dropped packets.

If the “outer” VPN is UDP or IPsec, then it's not as much of an issue, but many of the VPN providers commonly used are TCP based (of the ones I spot checked from a google search anyway). And remember, since they are TCP-in-TCP already, you are just making the situation even more likely to occur.

Further reading: http://sites.inka.de/bigred/devel/tcp-tcp.html


Most VPN systems use UDP, with TCP possibly being supported as a fallback solution for when UDP connectivity is broken.

The exception are things like SSH tunnels using sshuttle but they call themselves a "poor man's VPN" for a reason.


Though ironically sshuttle claims to fix this problem.


Well, then why is it that if you actually try to sue a VPN provider for the logs, you won't be able to get them? This is the case for one scenario I know of where a subject got hacked and it was traced to a VPN service. The article is just FUD. This conversation could be warranted in some cases, but realistically I've found that it isn't the case. This doesn't mean that their outbound service isn't being logged by a third or unknown party like a government entity (which we know all traffic is logged), but hey, it is what it is.


They have logs, they just don't keep them very long. (Allegedly.) So in theory, while they might not have logs for a past incident if it's been long enough, they most certainly have logs in very short term and/or can tell who's connected to what at the present time. So while many copyright actors will be too slow to get a hold of said logs, a government actor with significant interest will.

The biggest issue for me is that VPN providers have given me no particular reason to trust them. If I already have reasons to distrust large international corporations that say they care about my privacy, why would I go trust one I've never heard of on the Internet that says it cares about my privacy?


Under EU privacy regulations you could probably demand that your VPN provider gives you a copy of all information they have on you, including logs.

In the EU I've seen this successfully done with ISPs, ie. customers request logs and get a CD by mail. You'll have to insist and it might involve a small service fee.


I did this and the fee was 200 DKK, and that is around 33 USD.


So what exactly was in the logs?


Probably what is required under Danish "law", which would be every 20th TCP session or so...

Note: I write "law" because afaik the current logging directives have been found in violation of the European Human Rights declaration, I hear a legal battle is pending:

https://ulovliglogning.dk/en/


To be fair - I'd never rely on a VPN provider to protect me from government actors with significant interest.

"YOU’RE STILL GONNA BE MOSSAD’ED UPON" (from https://www.usenix.org/system/files/1401_08-12_mickens.pdf )

Whether or not your VPN provider gives you any particular reason to trust them - for some of us, the government has passed laws to require our ISPs to be "untrustworthy".


Can you give us some known examples of VPN Providers that were sued and didn't give logs?

I'd imagine a list of those ones would be considered more credible


A quick google shows a few.

I know PIA had an actual FBI subpoena.[1] (literally the first link I find) Of course there are collision based identification methods, but knowing that you use a VPN and were using something on the East Coast isn't much to go off of. Worst case I can see here is "User was the only one connected on the East coast at this time", but with PIA's userbase, that seems like an unlikely scenario.

There's also a list [2] (little old)

I remember looking a little closer back when the ISP stuff was happening and it wasn't too hard to find cases where specific VPNs were "tested in the field". But I remember coming across a few, I think Norad was also one of them.

[1] https://torrentfreak.com/vpn-providers-no-logging-claims-tes...

[2] https://torrentfreak.com/vpn-services-that-take-your-anonymi...


Yeah, except when PIA gave copies of the subpoena to the media, they only blacked out the content by adding a layer in the PDF.

So you can open it up in Acrobat, and see everything below.

Are you going to trust a VPN provider that can’t even black out text in a PDF?

For reference, here the content with the blacked out info un-blacked-out: https://i.imgur.com/u1hYerD.png and https://i.imgur.com/1a9YD0f.png
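The failure mode described above, painting a box over text instead of removing it, is easy to check for before a document goes out. The following is an added example, not PIA's document or anyone's real PDF: it builds a one-page PDF from scratch with an uncompressed content stream, applies the overlay-style "redaction" next to a real one that deletes the text operator, and extracts whatever text is still in the file. The page text, the 192.0.2.10 address and the date are constructed for the example. Real PDFs usually Flate-compress their streams and may encode text as hex strings or TJ arrays, so the extractor here is a deliberately small subset of what a tool like pdftotext does; run such a tool against the published file for the same check.

```python
"""Does a 'redaction' survive text extraction?

Overlaying a filled rectangle only appends painting operators; the
(...) Tj string stays in the content stream, which is exactly what a
reader can recover by deleting or hiding the rectangle.
"""
import re

# Constructed page content for the example (not from any real subpoena).
SECRET = "192.0.2.10"
PAGE_TEXT = f"BT /F1 12 Tf 72 700 Td (Subscriber behind {SECRET} on 2017-01-01) Tj ET"

STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# A literal string shown with Tj; allows backslash escapes inside it.
TJ_RE = re.compile(rb"\(((?:\\.|[^\\)])*)\)\s*Tj")


def build_pdf(content: str) -> bytes:
    """Minimal PDF 1.4: catalog, page tree, one page, its content
    stream (uncompressed) and a base-14 font, with a correct xref."""
    stream = content.encode("latin-1")
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length %d >>\nstream\n" % len(stream) + stream + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objs) + 1, xref_at))
    return bytes(out)


def overlay_redact(content: str, x: int, y: int, w: int, h: int) -> str:
    """The 'black box' approach: paint a filled black rectangle on top.
    The text operators are untouched, so the secret is still in the file."""
    return content + f"\nq 0 g {x} {y} {w} {h} re f Q"


def true_redact(content: str, secret: str, box=(70, 690, 300, 20)) -> str:
    """Delete every Tj string that contains the secret, then paint the
    box so the page still looks the same to a human reader."""
    pattern = re.compile(r"\((?:\\.|[^\\)])*" + re.escape(secret)
                         + r"(?:\\.|[^\\)])*\)\s*Tj")
    return overlay_redact(pattern.sub("", content), *box)


def extract_text(pdf: bytes) -> list:
    """Pull Tj literal strings out of every uncompressed content stream."""
    found = []
    for stream in STREAM_RE.finditer(pdf):
        for m in TJ_RE.finditer(stream.group(1)):
            raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # unescape
            found.append(raw.decode("latin-1"))
    return found


def redaction_leaks(pdf: bytes, secret: str) -> bool:
    """True if the supposedly redacted string is still extractable."""
    return any(secret in s for s in extract_text(pdf))


if __name__ == "__main__":
    leaky = build_pdf(overlay_redact(PAGE_TEXT, 70, 690, 300, 20))
    clean = build_pdf(true_redact(PAGE_TEXT, SECRET))
    print("overlay leaks:", redaction_leaks(leaky, SECRET))  # True
    print("true redaction leaks:", redaction_leaks(clean, SECRET))  # False
```

The process point from the thread maps directly onto `redaction_leaks`: whoever publishes the document should run text extraction on the final file and treat any hit on the redacted strings as a blocker, regardless of how the page renders.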


I haven't seen the PDF myself, but is it possible that PIA intentionally redacted the information in a reversible way?


Is anything that is blacked out dangerous or a violation?

Could it have been done on purpose? To fulfill legal requirements and prove they aren't hiding anything.

Or could it be an accident? If the latter, then there are certainty questions to ask. I'd expect the legal department to have different tech skills than the IT department though. But still questions.

I don't know the answer, and really would like an answer if someone does know the correct one.


There's nothing confidential in those images. It is a matter of public record that Detective Andrew Perley #660 wanted to know who was routed through 184.75.214.66 on 2013-2-19, and that his interest was communicated to the VPN provider on 2013-4-22.

I'm not sure why they went through the rigmarole of pretending to black something out. Maybe they were just fucking with him?


They sent the blacked out version to the media, and Ars and others published them like that.

So why did they black it out? As a childish joke? Also not inspiring trust in them.

And if they just blacked it out, without need of doing so, and fucked that up, then the question is if they're trustworthy if their security team doesn't double check their blacked out PDFs.

The problem isn't with the content, but with the process.


You assume the PDF was created by someone very tech-literate.

It's far more likely it was created by some middle-level communications staffer.


Yes, this is more likely than intentional leak of the info and I don't know why you're getting downvoted. Someone who works at your company doesn't understand how PDF works -- that's OK, most people don't need to. It's unlikely that the guys who are busy running the servers are going to be spending their time dragging boxes over documents before they get posted online.


The whole point of a VPN is that you trust it more than your government or ISP.

If your VPN allows any intern to simply post PDFs online that contain such info, without the legal or security department looking over it, you're not trustworthy.

What's next? Next time they actually deliver someone's info, and it ends up in a PDF everywhere online, too?

Trust is a fragile thing.


Well, uh, that's definitely not the point of VPNs when I use them. It's very unlikely that a private VPN provider is more trustworthy than either a decently-sized ISP or a government.

VPNs are useful to avoid negative effects of traffic analysis and bad QoS, bad neighbors at a public access point, and give privacy or a different geolocation when accessing specific individual destinations on the web (e.g., an IRC server that would emit your IP into the public log). Generally, VPNs should be used as needed to serve one of these specific purposes, not 24/7.

Expecting protection from your government or ISP for $10 / mo is a tad unrealistic.


Interesting. PIA's entire marketing argues differently, even going as far as the typical 2000s era scare tactics of telling me where my IP is geolocated, and that the government can read my data.



To some extent it will be more credible, but the usual "Past Behavior is No Guarantee of Future Performance" type caveats are going to apply regardless.

I know I certainly don't have the time, inclination, or frankly the expertise, to keep abreast of the internal developments in a VPN provider's business, which will likely be private anyway, as well as the evolving legal/regulatory framework wherever they operate. Similarly, policies regarding logs or data retention can evolve over time, one of course has to trust that any retention policy disclosed in public is actually adhered to in private.

If you really are someone who has to give serious consideration to the risk of logs being pulled, I'm not sure any commercial third party provider is a "safe" option.


While not exactly what you're looking for, Torrentfreak does an annual review of VPNs. Here's last year's: https://torrentfreak.com/vpn-services-anonymous-review-2017-...


The VPN I used is based in a country where the US can't come and subpoena / sue people, which is the main protection I can think of. Worst that can happen is their servers being shut down in countries that can, and it happens on a daily basis. Using a US-based VPN seems like a bad idea either way.

Additionally, why would a VPN keep logs at all? With no traces, they have "plausible deniability" that some of their users are doing horrible, horrible things online. This is the main reason I trust my VPN provider to not have logs. IIRC, the only thing they look for is email spam (which is fairly easy to detect with very minimal / time restricted logging), as it spoils their IP addresses too quickly.


Debugging and assessing abusive behaviour is far easier with some level of history.

That might be a few minutes, hours, or days. Weeks, months, years, not so much.


The way I see it (guessing, not knowing anything specific), the better commercial VPN services -- at least in or ensnared into U.S. law -- may not keep logs, in general. But when a three letter agency with relevant authority (being more generous WRT some VPN services, maybe only unavoidable authority), asks for logging for specific users or perhaps some other narrow logging profile, then such logging starts and is made available.


That's hardly the only concern. What if they have an arrangement to sell your traffic data to ad networks? Inject ads via dns poisoning? Inject Bitcoin mining JavaScript into http? Throttle traffic unless e.g. Netflix pays for bandwidth?

VPN just substitutes an unregulated ISP for a somewhat regulated ISP.


Someone would notice a VPN firm fucking with their only service in those ways (well, maybe not the first way), and then they wouldn't have any more customers. That's the difference between these firms and ISPs: they face actual competition!


Someone technical enough to notice would notice; I think that’s a small portion of people who are being preyed on by Big Privacy.


There is a point to be made in there somewhere, that your VPN needs to be an entity you trust (at least more than the alternatives), if you pay for its services, expecting privacy for the price.

A more helpful rant than the OP provided would be one that informs you of ways to evaluate the trustworthiness of various VPN providers.


As always the title is a bit of an overreach.

If you are going to attract the attention of governments (PSN and Sony hacks, etc), yes, don't expect a VPN to shield you.

If you're pirating a show that isn't available in your region, or checking up on an old workplace website, etc, a VPN is likely perfectly fine and will save you from legal scare letters, an old employer seeing your visit, etc.


Wait, we're supposed to worry about an old employer seeing a visit to a public company website? How would that even happen, and why would anyone care?


I was just contriving an example, in that case theoretically a small employer with limited traffic. Or a peer's blog, etc etc etc.


Only justification I could think of is a strict reading of CFAA, where in your exit paperwork the employer commands you not to access any company systems, and the Web site is technically a company system. Though “protected” would be quite arguable there.

I occasionally have crons from my personal infrastructure running into an employer for operational purposes (offsite monitoring or whatever), so I’ve blackholed outgoing traffic to former employers to be on the safe side in case I miss one. So I can see where that sentiment is coming from, though I think it’s a legal stretch.


So for the 99.999999% of the rest of us who don't use personal systems to provide monitoring services this argument doesn't apply. Seems like it would be easier to just use outside monitoring or set up some monitoring instances in the cloud that your employer owns than going through this effort.


If you don't like the employee example, think, "reading your ex's blog." You might want to read it but not advertise to your ex (through traffic logs) that you're reading it.


I want to know the same thing.


Exactly... paid VPN services are useful really for thwarting ISP traffic snooping and organizations that monitor for piracy file downloading.


Steve Gibson specifically recommends TunnelBear because they submitted themselves to a public security audit.

https://www.tunnelbear.com/blog/tunnelbear_public_security_a...

Other than TunnelBear, ProtonVPN is run by the ProtonMail folks and is based out of Switzerland, so they would respond to any foreign subpoena with a polite "fuck off."


> based out of Switzerland

Switzerland is no longer the bastion of privacy it once was. In fact, it's been nine years since every single Swiss Bank rolled over on their customers to placate the IRS. And it's only been downhill from there since.


I'm really okay with this. Taxes are the price we pay for civilisation and people dodging them are stealing from you.


Surveillance of money, and surveillance of speech, association, location, etc. are not the same, and one does not justify the other.


I believe they were saying that they were OK with the Swiss banks giving info to the IRS about tax dodgers. Which I'm ok with too. I'm not ok with random web traffic being disclosed to authorities.


Switzerland and the United States are not the same country. That the United States can steamroll the sovereignty of independent nations like this is not very good. Diversity and competition among jurisdictions is important.


True. There used to be a way to open up anonymous bank accounts in Switzerland where anyone with the account #/access code could withdraw/deposit cash, but no more. Unless I'm mistaken, Switzerland also has its own version of KYC laws.

p.s. I pay all my taxes and take all the deductions I can.


Indeed. They're still outside of the 5/9 eyes, the EU, and have cantankerous judges. However the actual laws are no longer that privacy preserving.

Iceland seems to be the best country for that. However, there are few services, little competition, and high costs.


So what's the alternative? Trust my ISP not to do the same? No thanks, I'll take my chances that my well-regarded and relatively cheap VPN service has both fewer resources to handle massive data storage for as long a term, and is no less incentivized to turn huge profits or protect themselves by spilling everything to the government, even if both would under extreme duress. For what I pay, the VPN is a worthwhile little extra protection, not to mention the extra portable security when I have no choice but to use public wifi.


If you're reading HN, one alternative is to spin up your own VPN on AWS/Gcloud/DigitalOcean/etc. It's not hard, and there are some scripts / ansible playbooks to automate the process.


The movie studio will send a DMCA to AWS who will pass it on to you, then what?

Helps with ISP snooping yes, though I expect it to be more expensive (VM and bandwidth in clouds isn’t cheap).


What do you consider expensive? You can easily get a VM with 1TB bandwidth for $5 a month.


I had AWS and Azure in mind.


Yes, but with all due respect, this misses the point: If my concern is privacy, consider the business incentives to each party for divulging info about me to a government agency or marketer. The cloud services you describe receive revenue from thousands of different companies with various business needs and concerns. Little ol' me won't be a blip on the radar revenue-wise, even if it's a big news story in the internet privacy world. For the VPN on the other hand, a sizable portion - maybe the lion's share - of their customer base has the same priority as me. If it gets out in public that the VPN caved either to pressures of the state or corporate greed on my data, they'd just as easily do so to anyone else, and customers would flee en masse.


Is there a good guide/link to these scripts/Docker container/whatever that allows people to set up OpenVPN with a secure non-leaky configuration that reliably forwards all their traffic?


It depends what you want to do with the proxy. If you're doing serious crimes like child porn, terrorism or mass hacking the government will probably ask the VPN for logs.

But if you're just doing stuff like P2P to download content illegally, at least in France they only track IPs for the consumer ISPs. Any other IP, especially out of the country, they'll ignore.

So it doesn't matter if they have the logs, for minor things the government agencies or copyright holders will just give up and focus on the easy targets.


Also in some countries some torrent websites are blocked and a VPN gives access to these too. It's also useful to watch TV channels in other countries since they are often geo-blocked.

In other countries like China there's no question that a VPN is useful. Actually whoever wrote this article seems a bit clueless about why a VPN is useful. They suggest setting up your own on a VPS but doing this in China will get your server blocked right away. That's why a third party is useful since they can offer various IPs in many countries and quickly set up new servers when they get blocked.


I'm sure the intended audience for enemies of the state are googling "should i use a vpn?" right now. What a silly article.

Understand VPNs, understand public VPN providers, evaluate the risk for whatever you're trying to do.


Plenty of good points here. I'm disappointed the author did not know about Streisand, a tool to help set up a number of VPN and related services on cloud hardware you control: https://github.com/StreisandEffect/streisand

When the setup is complete, you end up with some incredibly well-written instructions that make setting up the tools with any OS dead-simple. It's a really fantastic project.



The author makes good points but forgets two key considerations:

1) Reputation. A well-known, well-reputed provider (F-Secure or ProtonVPN for example) for most users would not be less trustworthy than their ISP. ISPs can easily get away with injecting malware into your http traffic or selling your data. A security company or VPN provider based in a jurisdiction with strict privacy laws and with well known business owners however has a lot more to lose and a lot less legal fighting power.

2) Threat model - you are already trusting someone (ISP) with not only monitoring your traffic but manipulating it. That should already be part of your threat model. When comparing a VPN provider with your ISP, which potential attacker poses a greater risk? For many users, sadly, it is their ISP.

Last note: most VPN users just want to bypass IP restrictions; they don't care all that much about privacy (although that seems to be changing).


I don't know where you live, but in my country ISPs are not well known for injecting malware into the traffic.


> If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

I feel like this sets up a false equivalency. Tapping a VPN provider and tapping an individual's last mile are very different things. Of course it is debatable which one is more secure etc, but the fact remains that they have very different characteristics. I'd say that for almost any single attacker moving the hypothetical tap will not be happening at a push of a button, more likely it will not happen at all.


Furthermore, what is even meant by this "tap"? For most attackers breaking OpenVPN + HTTPS is just plain impossible, even if they somehow intercept the connection and position themselves between the VPN end point and the target server.


The argument seems to be "since VPN does not provide perfect security and privacy, you should not use it". This is obviously a fallacious argument - you need to evaluate "using VPN" vs. "not using VPN", not "using VPN" vs. "using some perfect theoretic unicorn privacy system that nobody has".

Yes, VPN providers can track - but they make it harder to track you to third parties, unless they are in collusion with those parties, but for average user the chance this is happening - unless they are on the FBI/NSA radar already - is pretty low.

Yes, third parties can fingerprint and use other techniques to track people. That's not the reason to offer them the easiest and most readily available means of tracking on a silver plate.


His whole argument against VPN providers seems to depend on this statement:

"Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be."

But is that really true - how do I know that Linode, Bluehost, and other VPS providers aren't looking at my traffic?


It isn't and it is horrible advice. Networks of trust are a real thing. It's like saying "don't trust any code you haven't audited yourself because they might lie to you and insert malicious code, just assume a priori that everybody scams you"

which is obviously nonsensical because nobody would ever get any work done this way. A sane way to think about it is to make a judgement whether the business you trust has a solid track record, has market incentive to not screw you over, is transparent, is open source and whether your security demand is proportionate to what you're doing.

The only major hiccup seems to be the mentioned "HideMyAss" case, where a UK citizen was arrested on hacking charges facing 15 years in prison. Yes, if you're trying to break into corporations and want to commit serious crimes don't trust a five dollar vpn provider legally registered in the same country.

If you're trying to circumvent censorship or torrent a movie I think a regular VPN might still be an adequate choice.


> "how do I know that Linode, Bluehost, and other VPS providers aren't looking at my traffic?"

I would assume that it's because they have no financial interest in the content of your traffic, whereas a VPN-specific service might. Most big VPS providers know that the bulk of their customers are technically minded people who read their own logs and monitor their own traffic, so there's no technical interest for them either.

That said, if you end up abusing their terms (higher than allocated traffic or sustained heavy CPU time, for example), you can expect them to investigate if only to see if it's malicious in nature (DoS, spam, etc) or just a bad configuration.

But again, those are just assumptions on my part. If you have any doubt about a particular service, it's probably best to move on to one you can vet/audit.


> But again, those are just assumptions on my part.

Well yeah, that was the point of my comment -- it sounds like unsubstantiated opinion.

> If you have any doubt about a particular service, it's probably best to move on to one you can vet/audit.

How is that even possible? Assuming you want to connect to the internet, you have to hand off your traffic to some upstream provider that you can't trust.


A guess: If random VPN service is doing something malicious to traffic, they won't get caught and nothing would happen if they did. If AWS/DO/gcloud do something malicious, one of the many very technical shops using them will notice, and the fallout would be epic. Now, "arbitrary generic VPS provider", maybe less so, but there are big names that are probably trustworthy in hosting.


So we've seen several VPN services that have proven to be malicious, insofar as selling your browsing history to advertisers (see Hola Better Internet[0]), but have we actually seen a VPN provider being a 'honeypot' yet?

I guess we should qualify the term. In my mind, that would be a hostile government who sets up a VPN service for the purpose of attracting citizens who wish to avoid their censorship, and then arresting the users.

[0] https://lifehacker.com/hola-better-internet-sells-your-bandw...


Some Tor relays are absolutely honeypots.


There’s a third, valid reason you should use a VPN: accessing geo-restricted content. This use case doesn’t require any privacy guarantees above a normal user-ISP relationship.


This has been locked down -- presumably including using targeting services provided by some businesses that apparently don't get reported on, much -- to the point where I've started talking about the "curated" Web/Internet.

There are already large, shadowy forces increasingly differentiating traffic. This also includes access at all via a VPN; more and more, I run into web sites that refuse to serve you at all if you hit them with an IP address associated with a VPN.

Or, they put you through rounds of Recaptcha.

At first, it was just the big commercial streamers. Now, it's a lot more.


Yes. And this applies much of the time even if you run your own VPN from a data center.


That, I wasn't aware of. It's been on my mind to set one up.

I principally use a VPN to keep Comcast and Verizon out of my business (there's no need I endorse for them to sniff -- much less inject into -- my traffic).

As archive.is and others and now increasingly even Google block me and make me jump through hoops, I'd been thinking rolling my own was the next step.

I suppose I can switch to business class Internet at home and run a local server, but...

Curated Internet. One not of our choosing...


Is that still possible? Around a year ago services like Netflix started to block VPNs to avoid exactly this use case.


EarthVPN has stopped working for me for BBC iPlayer, but NordVPN works fine. I think they change the IPs every so often.


Absolutely. It seems they only blocked a few specific large providers and service types. I often route my Netflix traffic through a smaller provider and I never got any service interruption.


In the UK, all ISPs have to log your browsing history for a year now. And from April, all adult websites have to verify your identity (proposals as to how include giving them your passport scan and credit card details). And the British government has just announced a tool that will automatically flag extremist content on the internet using AI.

I'd much much much rather take my chances with a VPN provider and still route all of my traffic through any other country other than UK, thank you very much.


> And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer...

Data is a liability. Keeping it is assuming responsibility. It is in the provider's best interest to keep the minimum information. If any agency were to ask for data, you can honestly say there is none and be free to continue running your business.

And if you must keep data, keep it encrypted and only decryptable by the customer wherever possible.


As someone from an African country with govt affiliated ISPs, even if my VPN service logged almost everything, I'd still use it as compared to the alternative.


I view VPN services more as "Kabuki Theater": The major governments need to keep up the pretense that they aren't reading our traffic via arrangements with the VPN providers, and in return they promise to keep our actions secret BUT ONLY if we aren't engaging in a national crime such as terrorism or espionage.


Wha? Isn't the VPN market about accessing geo-restricted content? My non-geek friends often ask me "Can I stream X for free?" Moral and legal questions notwithstanding, the answer is often yes, using a VPN service.

Could restriction-avoidance come back to bite you someday via logged behavior? Perhaps, but it sure wouldn't be in the interest of a VPN provider to allow that to happen. Should one lose sleep over appearing to be in the UK in order to stream Eurosport? Tough sell.

"Send all of your traffic through us so that we can keep it private and secure" is absurd on the face of it. I'd like to think many non-technical people can see this, yet want to watch the Olympics on CBC because, more curling!


I'm not overly concerned with traffic being traced back to me via my ISP, so I just run OpenVPN on my pfSense router. Whenever I'm on remote WiFi that isn't run by me, I hop on the VPN and route all traffic through it. Minimizes my exposure on public hotspots, which is what concerns me most.

It's irritating that I have to worry about my ISP, but not irritating enough for me to care. If that changes, I'll spin up a machine on some hosting provider and route traffic through there. It'll suck to have reduced speeds in that case though.


I have much higher trust in my VPN than my ISP, which used to make you pay more if you didn't want to be spied on (AT&T).

It also stops them from sending me copyright notices which is a verifiable service.


If you're going to use a VPN, please read about its policies and try to understand them. I was horrified to learn about this VPN service from Facebook that is now being promoted in its iOS app (I don't use the app, but anything to do with Facebook generally worries me). The Onavo VPN service from Facebook is disguised as a protection mechanism but tracks the user for the benefit of Facebook.

Quoting from this recent news: [1]

"But Facebook didn’t buy Onavo for its security protections.

Instead, Onavo’s VPN allows Facebook to monitor user activity across apps, giving Facebook a big advantage in terms of spotting new trends across the larger mobile ecosystem. For example, Facebook gets an early heads up about apps that are becoming breakout hits; it can tell which are seeing slowing user growth; it sees which apps’ new features appear to be resonating with their users, and much more.

This data has already helped Facebook in a number of ways, most notably in its battle with Snapchat. As The WSJ reported last August, Facebook could tell that Instagram’s launch of Stories – a Snapchat-like feature – was working to slow Snapchat’s user growth, before the company itself even publicly disclosed this fact."

[1]: https://techcrunch.com/2018/02/12/facebook-starts-pushing-it...


I use a VPN all the time on my laptop because I'm frequently on public wifi at coffee shops. That alone makes a VPN worthwhile. The logic of "you can't 100% trust them so it's useless" seems really extreme and detrimental. Yeah it won't stop a determined government agency... but unless you're Edward Snowden what you probably should be more worried about is some sketchy hacker listening in on wifi traffic, which VPNs are super useful for.


My direct ISP is a local monopoly.

My direct ISP is also a vertically integrated global media conglomerate which lobbies for abusive copyright practices, and maintains a large catalog of entertainment IP, which it walls-off from other providers, for the purpose of limiting competition.

My VPN provider may collect data. But they're not fucking evil monopolists.

And the other not-too-delicate point: MOST of the harm that comes from data collection is not Gillette learning that you have sensitive skin and might benefit from a 7-blade razor.

MOST of the harm comes from LARGE corporate entities aggregating huge datasets from large quantities of people, such that they can draw statistical inferences. There can be a small subset of weirdos - who adblock and vpn. Doesn't matter, because all their neighbors share their data openly. The weirdos who protect themselves are still statistically outed - and even if they aren't the idiot neighbors are exposed to fake news, shitty campaign ads, and they vote, and that affects policy and law which applies to all of us, and that's why we should ALL be using VPN, but that's certainly not going to happen, and if it did, the VPN companies would just sell our data to aggregators anyway.


The Bayesian guess that customers of a VPN service, specifically, are going to have more interesting traffic, is an interesting thing I hadn't really thought about.

I would think that setting up https://github.com/trailofbits/algo and getting good at moving around from cloud-provider-of-your-choice VMs wouldn't be a horrible idea.


A while ago I saw a link to https://github.com/StreisandEffect/streisand (probably here in HN) and I have it in the list of things-to-do to try it.

In the meantime I have an OpenVPN server at home just so I can log into my internal network from everywhere and use it when on public wifi... For the moment it's more than enough for me.


As always, you have to do what is right for your threat model. I personally run my own VPN mainly for peace of mind when I'm on untrusted LANs. It's actually not that hard to do, and I can easily serve both my phone and my computers.

And as always, if you have an APT after you...you have bigger problems than what VPN provider you should use.

This gist is at best a straw man.


Slightly tangential: Today, one of my staff (we're an IT company, I'm CREST accredited etc etc) connected up a NextCloud client to our NextCloud instance on a laptop and noted that the SSL cert was untrusted.

The cert. on our NextCloud is a Let's Encrypt job. He was using a laptop provided by a customer (he works there a lot) and they deploy a MitM web proxy that he was perhaps only dimly aware of. I haven't looked too deeply into the laptop config but it looks like either the MitM CA wasn't installed as trusted or the NC client is a bit clever. Now, I'll plump for: screw up in other corp. IT.

So we have a techie ignoring warnings from an app that is designed to share data safely. OK, the customer's IT dept have their policies but I would have hoped that the default from my employee would have been to quietly walk away and uninstall NC from that laptop (he did after a few words.)


VPNs are very useful in lots of situations. My wife was in the hospital after delivering a baby, and whatever QoS they had going on in the router was making it painfully slow. Fired up PIA and off to the races, a normally functioning internet connection. There are a lot of networks where this is a legitimate use case. With cell phones such as they are today, people connect to public wifi frequently.

There's another benefit of VPN that people don't discuss much: your traffic can be compressed with LZO. This can make an unusably slow connection usable. The applicability to web browsing may be somewhat limited if the sites you use all set up their gzip headers properly, but I think that's a stretch when you're going off major properties, and it will compress all the traffic at the network level regardless of protocol-specific options, so it should help some.


If you want to set up your own VPN for personal use or for friends the StreisandEffect project[0] on Github has made it dead simple for anyone with basic Linux experience.

https://github.com/StreisandEffect/streisand


If I'm doing that on OS X, what actual app/service do I use to connect to the VPN I set up? For example with NordVPN it uses a mac app... so if I create my own what do I use instead? Please don't say Tunnelblick.


You could try Viscosity[0], it's a great client but has a price tag, which I feel is worth it.

[0] https://www.sparklabs.com/viscosity/


Obviously, this guy has never been to China (or any other censored country for that matter).


I use a VPN to (a) prevent my employer from recording my visits to anywhere and (b) my government from doing the same. I use ProtonVPN. This seems like a good use case. And Proton seem like a good bunch. Anyone have any feedback?


your employer doesn't have access to your computer? if they do, they more than likely can see the traffic before it reaches the VPN...


It’s my own machine but of course I’m using their WiFi network.


Great site for going into the differences between VPN providers and all that goes with the ratings: https://thatoneprivacysite.net/


It’s reasonably easy to set up an L2TP VPN on AWS, using CloudFormation. Running an EC2 instance for a full month for this costs roughly $5 USD. I don’t really get why someone with a bit of tech skills (=using github) would use a third party VPN service from an unverified provider. Sure enough, if Five Eyes want to get your logs from AWS they will, but for avoiding airport or hotel WiFi snooping a simple L2TP VPN over AWS serves quite fine, and it works with mobile phones and laptops without requiring any additional software.


Do you suppose that Amazon, which actively sells cloud services to the US intelligence community, is less able or willing to spy on your setup than a VPN provider would be? I have some bad news for you.


AWS would lose lots of business if their complicity became public. Foreign customers have lost confidence in the security/data compliance of public cloud in the wake of the NSA revelations.

It'd be bad for the NSA, too. I assume they are spying but only rarely act on the data they're slurping. If Amazon loses customers, and the NSA has eyes inside, the NSA loses their eyes.


> AWS would lose lots of business if their complicity became public.

So would any VPN provider. The incentives are no different, and neither are the opportunities, so recommending one over the other is a bit suspect.


> US intelligence community

If you're not from the US, you might care about your country's spying way more than about US spying.


...Or any network where it is not known whether it is hostile or not. I.e. any network that isn't known-non-hostile. Which is most networks, possibly up to and including your own home WiFi.

But if you want VPN service, why not simply set up your own server? They're cheap. There are hosting services that accept cryptocurrencies if you're into anonymity, and then you can be certain there are no logs (unless the hosting provider logs you, of course).


There are also multi-hop VPN services (similar to onion routing) that offer privacy beyond a "glorified proxy" [1], [2].

[1] https://restoreprivacy.com/multi-hop-vpn-chains/

[2] https://secure.cryptohippie.com/resources.php


> But I want more encryption!

> Use SSL/TLS and blah-blah

Uh, DNS?
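One way to check the two things raised in this thread, a client profile that really sends all traffic through the tunnel (the "secure non-leaky configuration" question above) and DNS that does not slip out beside it, as an added example that is not from the gist, any provider, or any commenter: a small Python linter over a constructed weak profile and a constructed hardened one. The host, resolver address and certificate body are placeholders; the directive names are real OpenVPN 2.4 client options.

```python
"""Check an OpenVPN client profile for settings that let traffic or DNS
bypass the tunnel, or that weaken the TLS control channel.

Added example for this thread, not the gist's or any provider's code.
Both profiles are constructed samples: host, resolver address and the
certificate body are placeholders; the directives are real OpenVPN 2.4
client options.
"""
import re

# Constructed "split everything, trust anything" profile: only routes the
# server pushes go through the tunnel, DNS stays with the local resolver,
# and any certificate signed by the CA is accepted as the server.
WEAK_PROFILE = """
client
dev tun
proto udp
remote vpn.example.test 1194   # placeholder host
cipher BF-CBC
auth-user-pass
ca ca.crt
cert client.crt
key client.key
"""

# Constructed full-tunnel profile. Windows applies 'dhcp-option DNS' itself;
# on Linux the up/down script applies the pushed resolver, which is what
# 'script-security 2' permits.
HARDENED_PROFILE = """
client
dev tun
proto udp
remote vpn.example.test 1194   # placeholder host
redirect-gateway def1
dhcp-option DNS 10.8.0.1       # placeholder in-tunnel resolver
script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
remote-cert-tls server
verify-x509-name vpn.example.test name
tls-version-min 1.2
cipher AES-256-GCM
auth-user-pass
auth-nocache
<ca>
-----BEGIN CERTIFICATE-----
placeholder, not a real certificate
-----END CERTIFICATE-----
</ca>
"""


def parse_profile(text):
    """Return the profile as (directive, args) pairs; an inline <tag> block
    is recorded by its tag name only, comments and blank lines dropped."""
    entries, inline_tag = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if inline_tag:                      # inside <ca> ... </ca>
            if line == f"</{inline_tag}>":
                inline_tag = None
            continue
        tag = re.fullmatch(r"<([a-z-]+)>", line)
        if tag:
            inline_tag = tag.group(1)
            entries.append((inline_tag, []))
            continue
        parts = line.split()
        entries.append((parts[0], parts[1:]))
    return entries


def lint_profile(text):
    """Return a list of findings; empty means nothing this checker knows
    about was found (it is not a substitute for an actual leak test)."""
    args_of = {}
    for directive, args in parse_profile(text):
        args_of.setdefault(directive, []).append(args)

    def has(directive, *wanted):
        return any(a[:len(wanted)] == list(wanted)
                   for a in args_of.get(directive, []))

    findings = []
    if not has("redirect-gateway", "def1"):
        findings.append("no 'redirect-gateway def1': traffic not covered by a "
                        "pushed route leaves via the normal gateway")
    if "dhcp-option" not in args_of and "block-outside-dns" not in args_of:
        findings.append("no 'dhcp-option DNS' (or 'block-outside-dns' on "
                        "Windows): DNS queries go to the local resolver, "
                        "outside the tunnel")
    if not has("remote-cert-tls", "server"):
        findings.append("no 'remote-cert-tls server': any cert signed by the "
                        "CA, another client's included, passes as the server")
    if "verify-x509-name" not in args_of:
        findings.append("no 'verify-x509-name': server cert name not pinned")
    if not any(a and a[0] in ("1.2", "1.3")
               for a in args_of.get("tls-version-min", [])):
        findings.append("no 'tls-version-min 1.2': older TLS accepted")
    if "auth-user-pass" in args_of and "auth-nocache" not in args_of:
        findings.append("'auth-user-pass' without 'auth-nocache': "
                        "credentials stay cached in memory")
    if any(a and a[0].upper() == "BF-CBC" for a in args_of.get("cipher", [])):
        findings.append("'cipher BF-CBC': 64-bit block cipher, use AES-GCM")
    return findings
```

Run `lint_profile` over your own `.ovpn` file; the weak sample yields seven findings and the hardened one none, but a clean report still needs confirming with a DNS leak test while connected.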


My analogy for non-IT people for a VPN is that it's a tunnel between houses so you don't have to use the road or footpath.

Then I point out that if it's easy for you to get out, it's easy for others (in the other house) to get in. And by extension anyone who visits their house.

That usually makes them think.

Managed/service VPN makes the hole wider or tighter depending on how trustworthy the manager is.


Just run your own, it's two clicks. Load this into CloudFormation and stop it when you're done. https://github.com/webdigi/AWS-VPN-Server-Setup/blob/master/...


What problems does this solve? It ensures you still have a unique IP on the internet which can be traced by governments trivially, while a VPN service which actually doesn't log will keep you safe from simple attacks like that by sharing your IP.

If you assume the service provider is malicious and DOES log, then why is a VPS provider any better than a VPN provider?


Yeah, but it's easier to coerce a local ISP into giving my logs than it is to force a VPN settled in god knows what country to do so.


BTW, I use a private VPN server which can be set up on AWS in a few minutes https://github.com/webdigi/AWS-VPN-Server-Setup

No logging on server side guaranteed. AWS could monitor but I do not think of that as an issue for my use cases.


So we can't absolutely trust a VPN provider - but do we have more trust in Comcast/AT&T/Verizon/etc?


Sometimes, a glorified proxy is just the thing you need. You have to weigh in the risk in having some random schmuck knowing where you've been and maybe getting subpoenaed against your Wifi hotspot provider, your ISP and your government easily knowing where you've been.


I use a VPN for one reason only: to watch Olympics coverage that is good. I'm not ashamed of that.


There is a good question about whether or not a national security letter holds any weight with a VPN, especially an endpoint outside the United States.

I believe if supplied an NSL, I would expect the VPN provider to grant the request. But that would be only for those operating in the US.


I've made this argument several times. I'm a psybouncer sort of guy. #shellz

It is super easy to get a 2 dollar a month shell account and run psybouncer with a list of hosts you can hide behind. At least then I can double proxy cheaper.


If anything, a better title would be “Use VPN services for security, not privacy”. I don’t know about others, but whenever I’m using a VPN, I pretty much only have security in mind for when I’m using public WiFi.


awful advice. use a threat model, which may or may not include commercial VPN services.

I can think of many situations in which I'd prefer a commercial VPN provider to a private one, or even to running meek on a tor bridge. there are also many situations in which someone else keeping logs is extremely useful :)


personally, i always side with greed/effort on this one.

"wait -- we don't have to pay to keep/store/rotate/maintain logfiles? and that's a value proposition? yes! pipe them badboys to dev null!"


Can we get a '(2015)' appended to this article title, please?


I only use a VPN when I need to get around geo-restrictions.


just don't use the internet, it's all untrusted network. every option u take is shitty. enjoy our glorious internet!


facepalm, you're doing it wrong


so encrypted DNS and HTTPS?
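The point behind the two DNS comments above ("Uh, DNS?" and "so encrypted DNS and HTTPS?") is that TLS protects page contents but not the name lookups that precede them: if the operating system sends those queries out the physical interface instead of through the tunnel, the local network still sees every hostname. The following check is an added example, not code from any commenter or from the gist under discussion. It reads the resolvers from /etc/resolv.conf and asks the Linux kernel (`ip route get`) which interface each one is reached through; the tunnel interface names, the sample resolv.conf and the sample `ip route get` output are constructed assumptions, not captured from a real host.

```python
"""Added example: does DNS resolution leave through the VPN tunnel?

Reads the system resolvers and classifies each one by the interface the
kernel would use to reach it. Anything that leaves via a non-tunnel
interface is a DNS leak even when all HTTP traffic is tunnelled.
"""
import re
import subprocess
from typing import Callable, Dict, Iterable, List, Optional

# Interface names commonly used by tunnel devices (assumption: adjust for
# whatever your VPN client creates).
TUNNEL_IFACES = ("tun0", "tun1", "wg0", "ppp0", "ipsec0")


def parse_nameservers(resolv_conf: str) -> List[str]:
    """Return the nameserver addresses in resolv.conf text, ignoring comments."""
    servers: List[str] = []
    for raw in resolv_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def egress_interface(route_get_output: str) -> Optional[str]:
    """Pull the 'dev <iface>' field out of `ip route get <addr>` output."""
    match = re.search(r"\bdev\s+(\S+)", route_get_output)
    return match.group(1) if match else None


def classify_resolvers(resolv_conf: str,
                       route_lookup: Callable[[str], str],
                       tunnel_ifaces: Iterable[str] = TUNNEL_IFACES) -> Dict[str, str]:
    """Map each resolver to 'tunnel', 'leak', 'local-stub' or 'unknown'.

    route_lookup(ip) must return the text of `ip route get <ip>`; it is a
    parameter so the logic can be exercised offline with constructed output.
    """
    tunnels = set(tunnel_ifaces)
    verdicts: Dict[str, str] = {}
    for ns in parse_nameservers(resolv_conf):
        dev = egress_interface(route_lookup(ns))
        if dev is None:
            verdicts[ns] = "unknown"
        elif dev == "lo":
            # A loopback stub (e.g. 127.0.0.53 for systemd-resolved) forwards
            # upstream; this check cannot see where, so inspect the stub's own
            # upstream configuration separately.
            verdicts[ns] = "local-stub"
        elif dev in tunnels:
            verdicts[ns] = "tunnel"
        else:
            verdicts[ns] = "leak"
    return verdicts


def live_route_lookup(ip: str) -> str:
    """Ask the running kernel how it would route a packet to ip (Linux only)."""
    return subprocess.run(["ip", "route", "get", ip],
                          capture_output=True, text=True, check=False).stdout


# Constructed sample data (not from a real machine) so the check runs offline:
# one resolver pushed by the VPN, one LAN router reached via the ISP path,
# and a systemd-resolved style loopback stub.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager (constructed sample)
nameserver 10.8.0.1
nameserver 192.168.1.1
nameserver 127.0.0.53
"""
SAMPLE_ROUTES = {
    "10.8.0.1": "10.8.0.1 dev tun0 src 10.8.0.2 uid 1000\n    cache\n",
    "192.168.1.1": "192.168.1.1 dev eth0 src 192.168.1.42 uid 1000\n    cache\n",
    "127.0.0.53": "local 127.0.0.53 dev lo src 127.0.0.1 uid 1000\n    cache <local>\n",
}


def sample_verdicts() -> Dict[str, str]:
    """Run the classification against the constructed samples."""
    return classify_resolvers(SAMPLE_RESOLV_CONF, SAMPLE_ROUTES.__getitem__)


if __name__ == "__main__":
    try:
        with open("/etc/resolv.conf") as fh:
            verdicts = classify_resolvers(fh.read(), live_route_lookup)
    except OSError:
        verdicts = sample_verdicts()
    for ns, verdict in verdicts.items():
        print(f"{ns:<16} {verdict}")
```

Run on a Linux host with the VPN up, a clean result shows every resolver as `tunnel`; a `leak` verdict means the VPN client or the OS left the ISP or hotspot resolver in place, which is exactly the gap the "use SSL/TLS" argument ignores. The `local-stub` verdict is deliberately not a pass: it only says the question has to be asked of the stub resolver's upstream list instead.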


We've seen this little bit of FUD several times in the past and it's as inaccurate as it has always been. VPNs cover some scenarios but the author makes unreasonable, extreme demands and wants them to provide security no entity lower than major government-level can provide. A VPN is just one of many steps in hardening your machine and connection, it's not a silver bullet. A setup that's truly hardened against internet surveillance directed towards the average user _should_ also include a VPN as one of its components, that much is sure. A VPN will not protect you against Mossad, because as Mickens said, if Mossad is after you, you are going to die and there's nothing you can do to stop it. But a VPN will provide a very effective layer protecting you against location and IP based tracking and fingerprinting.


My guess is US authorities already own, operate, or have otherwise infiltrated some of the major VPN providers out there.


The title is very misleading. One should always use VPN to encrypt traffic when connecting to untrusted network (wired or wireless).

Just use your DIY VPN (IPsec - strongSwan is a very good option, or OpenVPN), don't use any free or untrusted VPN services.

