[HN Gopher] NordVPN disables features when you turn off auto-renew
___________________________________________________________________
NordVPN disables features when you turn off auto-renew
Author : decrypt
Score : 343 points
Date : 2021-02-06 14:20 UTC (8 hours ago)
(HTM) web link (www.reddit.com)
(TXT) w3m dump (www.reddit.com)
| dhdc wrote:
| The amount of astroturfing in the reddit thread is just awful.
| VPN hosters market in the most aggressive ways possible, probably
| due to the fact that it's usually impossible to verify a VPN
| hoster's claims (without a breach), so assuming they did most of
| the VPN stuff right, any new users they lured in are gonna stick,
| at least for a while.
| aswerty wrote:
| I've used NordVPN previously and thought they were fine as a VPN
| service. In fact I went back to use them earlier today before
| seeing this submission. But yeah, on reflection, they really do
| go out of their way to scare/screw their customers into auto-
| renewing with various dark patterns. So maybe next time round
| I'll check out something less evil.
|
| I use a VPN for geo blocked free-to-air sport(6 nations <3) from
| my home country so VPNs work well for my needs. Ironically it's
| not even possible to pay for access to view the sport in a
| legitimate way since everything is region locked.
| myrandomcomment wrote:
| Which channel is streaming it? I have seen some on the BBC over
| the years but not every match.
| myrandomcomment wrote:
| Just found it on ITV.
| aswerty wrote:
| ITV was what I used today, I originally planned on using
| Virgin Media Ireland but had login issues there.
| WarOnPrivacy wrote:
| From the thread:
|
| >The secret to not dealing with crapty company practices is to
| avoid ones that advertise literally everywhere 24/7 nonstop
| around every single corner you look.
|
| This is so true it nearly qualifies as physics.
| lebaux wrote:
| * This is so true it nearly qualifies as physics.
|
| I am going to (over)use this phrase from now on. Thank you.
| WarOnPrivacy wrote:
| Oh nice. I wasn't sure how it would land.
| DesiLurker wrote:
| my goto explanation for this is the crappiest companies out
| there have highest profit margin simply because they have a
| whole host of bad practices available to pick from. that
| basically means they have most resources to burn on marketing &
| promotion.. ergo most highly advertised stuff is what one
| should avoid the most.
| fasicle wrote:
| Audible might be the exception, I'm very happy with it.
| IshKebab wrote:
| Maybe better since Amazon bought them but before that they
| had an atrocious reputation for making their subscriptions
| impossible to cancel.
| iFreilicht wrote:
| Very crappy if you want to cancel after you forgot to get new
| audiobooks for a few months. You lose all your credit, and
| they don't say that during the cancellation process. I gifted
| 6 months of payment to Audible just because they avoided to
| inform me about that.
| that_guy_iain wrote:
| They also have a limit on the number of active credits you
| can have. I luckily found this out via someone else. But
| yea that part of Audible sucks massively. But I wouldn't be
| shocked if you emailed customer support they would just
| give you the credits, it's Amazon after all. Also, if you
| sign up and the system doesn't say you're eligible for a 30
| free trial, customer support will give it to you. I found
| that one out when my payment method wouldn't work and I
| cheekily asked and they hooked me up.
| SifJar wrote:
| FWIW last time I tried to cancel & still had credits,
| Audible did warn me I'd lose them if I cancelled (so I
| quickly used the credits before cancelling - thanks to
| their generous return policy, shouldn't be an issue if I
| change my mind about one of the books I chose hastily
| before cancelling)
| jorblumesea wrote:
| What's the argument for VPNs in 2021? Can't ISP just use metadata
| patterns and DPI/analytics to tell what you're up to anyways? For
| example if I want to hide by torrenting, it's not like VPN is
| going to really help that. ISP should be able to figure that out
| right? Or am I wrong here?
|
| edit: this is a serious question I am not trying to troll anyone
| here
| beermonster wrote:
| People use VPN services, as opposed to say why enterprises use
| site-to-site VPNs, for a variety of reasons:
|
| - Access geo-restricted content on say Netflix
|
| - Privacy - one encrypted pipe to hide what you're doing
|
| - Hide source IP address (perhaps for researching a competitor's
| website etc)
|
| - Protect insecure services (though the services would need to
| exist on the VPN endpoint or they would be exposed at the
| VPN->insecure service termination).
|
| - Bypass ISP throttling (yup this works and is always funny as
| ISPs deny they do this but hey, easy to check!)
|
| - Avoid censorship even in places like the UK
| (https://en.wikipedia.org/wiki/Internet_censorship_and_survei...)
|
| And more. So there's plenty of use-cases for a VPN in 2021. But
| it's worth thinking about how the threat model changes as a
| result of using one especially if you're not hosting it
| yourself.
| AlexandrB wrote:
| Using DPI an ISP might be able to figure out _that_ you're
| torrenting but not _what_ you're torrenting. In some
| jurisdictions this is a big improvement.
| ev1 wrote:
| A correct VPN will make it look like you're just sending
| garbage traffic to/from one destination, the outside looking in
| traffic pattern is completely different than a torrent directly
| (which is many to one + one to many)
| pdimitar wrote:
| What do you mean by a "correct VPN" here? The traffic
| analysis obfuscation angle is also interesting, do you have
| links?
| jorblumesea wrote:
| Does it really look like garbage from the outside? My
| impression or understanding was that you could tease out
| those details (they are torrenting) but not inspect the
| packets directly (what are they torrenting?)
| ev1 wrote:
| A proper VPN will completely encapsulate your layer 7 data,
| so you should not be able to tease out the fact that they
| are torrenting - it should more or less be an opaque
| stream.
|
| With some protocols you can identify that they are sending
| VPN traffic to and from a destination, but that should be
| it, otherwise something has gone horribly wrong in a
| dangerous way.
| yjftsjthsd-h wrote:
| Depending on the VPN protocol, you can still fingerprint
| by size - as I understand it, bandwidth use patterns are
| actually enough to distinguish things like "streaming
| video" from "BitTorrent traffic" from "web browsing".
| IIRC, ex. TOR does a bucket-filling approach to fight
| this (something along the lines of trying to wait until
| you've got X bytes to send together to smooth out the
| packet size, or even inserting garbage to pad out your
| use).
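
Added example, not part of the thread or any commenter's code: the size-fingerprinting point in the comment above, worked on constructed packet-size traces. The 60-byte tunnel overhead, the 512-byte cell size and the "share of full-size packets" feature are assumptions chosen for illustration.

```python
# Why encryption alone does not hide traffic type, and what fixed-size
# padding changes. All traces below are constructed, not captured.

OVERHEAD = 60   # assumed constant per-packet tunnel overhead (bytes)
CELL = 512      # assumed fixed cell size for the padded variant (bytes)

# Constructed payload sizes, one entry per packet.
BULK_TRANSFER = [1400] * 40 + [52] * 10   # full-size data plus small acks
WEB_BROWSING = [310, 1400, 1400, 870, 64, 1400, 220, 95, 1400, 640, 48, 130]


def tunnel_sizes(payload_sizes, overhead=OVERHEAD):
    """Sizes an on-path observer sees when each packet is encrypted and
    wrapped one-to-one: the payload is hidden, its length is not."""
    return [size + overhead for size in payload_sizes]


def padded_cells(payload_sizes, cell=CELL):
    """Sizes seen when the byte stream is cut into fixed cells and the
    last cell is padded out: every unit on the wire has the same length."""
    total = sum(payload_sizes)
    n_cells = -(-total // cell)   # ceiling division
    return [cell] * n_cells


def full_size_fraction(wire_sizes):
    """Toy observer feature: share of packets at the largest observed size.
    Bulk transfers sit near 1.0, interactive traffic much lower."""
    if not wire_sizes:
        return 0.0
    largest = max(wire_sizes)
    return wire_sizes.count(largest) / len(wire_sizes)


def distinct_sizes(wire_sizes):
    """Number of different packet lengths visible to the observer."""
    return len(set(wire_sizes))


def padding_cost(payload_sizes, cell=CELL):
    """Extra bytes sent because of padding (the price of hiding sizes)."""
    return sum(padded_cells(payload_sizes, cell)) - sum(payload_sizes)


if __name__ == "__main__":
    for name, trace in (("bulk", BULK_TRANSFER), ("web", WEB_BROWSING)):
        plain = tunnel_sizes(trace)
        cells = padded_cells(trace)
        print(name,
              "tunnel: full-size share %.2f, %d distinct sizes |"
              % (full_size_fraction(plain), distinct_sizes(plain)),
              "cells: full-size share %.2f, %d distinct size, %d cells, +%d bytes"
              % (full_size_fraction(cells), distinct_sizes(cells),
                 len(cells), padding_cost(trace)))
```

Padding removes the per-packet size signal only; the number of cells still differs between the two traces, so volume and timing remain visible to an observer.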
| cedricgle wrote:
| Is that legal ?: because you pay the same yet you don't receive
| the same set of features.
| MikeDelta wrote:
| Honestly, if you are worried about privacy and use a VPN for
| those reasons, then you should check out the principle of browser
| fingerprinting [0].
|
| The conclusion is that servers/websites can check so many
| parameters of your browser that they can produce a (unique)
| fingerprint based on the settings and drivers on your phone. No
| VPN or Tor will cover that, only burner phones or pen and paper.
|
| [0] https://coveryourtracks.eff.org
| jonny_eh wrote:
| https://blog.mozilla.org/security/2021/01/26/supercookie-pro...
| isoprophlex wrote:
| By now these VPN providers are like toothpaste, diapers or soft
| drinks: completely undifferentiated between competitors, and so
| only able to maintain their market share by spending loads on
| marketing. Of course the company with most egregious dark
| patterns and aggressive churn dampening wins.
|
| Thankfully a tube of toothpaste doesn't allow implementing dark
| patterns like this... yet.
| xxs wrote:
| >doesn't allow implementing dark patterns like this.
|
| or does it? Call from the past "3D" tooth paste marketing,
| whitening agents, microplastics, multi-color squirts, same FUD
| "brush like a pro only with XXX". Those are just few (top of my
| head) of the levels marketing goes to attempt and sell
| toothpaste.
| isoprophlex wrote:
| You are right of course... the "analogue dark patterns" are
| as old as advertising.
|
| But there's more! since posting my comment, I've noticed
| Amazon dark-patterning a "monthly subscription on diapers"
| into a product description page.
|
| Gotta chase that sweet sweet MRR
| uzakov wrote:
| I would strongly disagree for the following reasons: You can
| and should differentiate VPN providers. Ways to differentiate
| them: Have they shared logs in the past, where companies are
| headquartered, reputation.
| isoprophlex wrote:
| Fair point, agreed.
|
| I have noticed personally, however, that all people i know
| that have purchased a vpn subscription don't do this. They
| simply buy into the FUD. N=1 of course...
|
| Maybe the market size has become so large that less savvy
| users propel the unscrupulous companies to the top?
| uzakov wrote:
| I think it's exactly the same as when purchasing anything
| in life. There are better and worse products. Many people
| will not buy a good product in terms of quality/price or
| value/price.
|
| > Maybe the market size has become so large that less savvy
| users propel the unscrupulous companies to the top?
|
| I would say that is the case for many products. Personal
| example: our family car is nearly 10 years or so old and
| still going strong, it's reliable and good overall. We spent
| time researching good vehicles on the market then and
| bought the car after research, it paid off.
| amelius wrote:
| Can't we give the FTC more teeth, so they take action whenever
| a company turns against their customers? Most dark patterns are
| well known, so how hard can it be to define some laws or set up
| a legal framework around this? The free market isn't
| everything, but at least we can try to make it less shitty.
| johnnyfived wrote:
| I agree with this very much, and it's becoming pervasive in
| other industry spaces too, like streaming services imo.
| notRobot wrote:
| Honestly, nothing holds up to Mullvad [1]. They don't even take
| an email address while creating accounts, and you can pay easily
| with Bitcoin or even with cash mailed to them.
|
| I'm not affiliated, just a _very_ happy customer.
|
| Mullvad is also who Mozilla trusts for the Mozilla VPN [2]. You
| can sign up with that if you'd like Mozilla to get a cut.
|
| [1]: https://mullvad.net/
| [2]: https://vpn.mozilla.org/
| gopty wrote:
| Is mullvad able to drill through the Great Firewall of China?
| Few VPN can
| wwwwwwwww wrote:
| Nowadays it's probably best to set up your own VPN server for
| that. Back when I lived there, most VPNs got occasionally
| blocked, then they would get new IPs and work fine again. But
| from what I heard, it got way worse since Winnie the Pooh
| took over.
| myrandomcomment wrote:
| I am not sure using your own is a good idea. Every time I
| was in China for the last 3 years they would quickly find
| and block my small startup's VPN. I was able to send an
| email and ask someone to move it to a new IP. Now imagine
| you have your own setup and they block it, as well as
| access to the provider you used to create the VM that runs
| it. Using something like Nord or the like at least you know
| that they will keep changing the IPs. Your mileage might
| vary, but this was my experience.
| acct776 wrote:
| You wouldn't advertise you were using your personal VPS
| as a VPN.
| acdha wrote:
| Your activity advertises that to anyone who can see the
| traffic. Even if you use a popular port, the traffic
| volume and timing easily stands out -- and if you're
| actually in China ask what they'd conclude from a client
| which does no other traffic except for that one
| IP/protocol/port, unlike basically every other device.
| VectorLock wrote:
| I guess if you really wanted to be clever you could set
| up a number of IP addresses and if your VPN doesn't see
| you login for, say, a day, switch to another IP. Or just
| give your VM 14 addresses and rotate them as you need.
| For a 2 week trip/14 addresses this would cost you about
| $26 on AWS.
| dheera wrote:
| Agree. I always use my own VPN for this.
|
| Most VPN services get blocked eventually and then play cat-
| and-mouse to get themselves back up, so the service is
| overall unreliable.
|
| The China firewall also does some "intelligent" blocking of
| common VPN protocols by fingerprinting their traffic
| patterns, handshakes, ports, and other things.
|
| If you set up own server, it helps to modify the protocol
| or wrap it in a proxy that obfuscates the VPN traffic as
| something innocent-looking. Basically, if you implement
| something like TCP/IP-over-cat-picture-jpeg-files-on-HTTP-
| port-80 you'll generally have a rock solid experience.
| (That's not exactly what I do, but it's along the same
| lines of thinking, you get the idea, be creative.)
|
| Unfortunately I'm not going to provide code to do this
| though because that makes it vulnerable to its traffic
| pattern being fingerprinted and blocked.
|
| Also, avoid AWS. Using slightly lesser-known IaaS providers
| helps.
| rightbyte wrote:
| Interesting thought. A little part of me want to make a
| TCP-over-HTML cat pictures wrapper. Maybe put the payload
| in every fifth cat pixel or something. Should work for
| bmp:s right.
| Stevvo wrote:
| They often block VPN traffic at the protocol level i.e.
| even rolling your own is going to be a headache.
|
| That said, I never had problems using an SSH tunnel and the
| end result is the same.
| dilyevsky wrote:
| Heh if they blocked ssh my access logs would be
| considerably leaner
| beermonster wrote:
| Shadowsocks always used to work well enough to evade the GFoC
| if you hosted your own VPS. Which is simpler than say
| strongSwan - and IPSEC gives the game away anyway.
|
| https://gfw.report/blog/ss_advise/en/
|
| https://gfw.report/blog/ss_tutorial/en/
| tedunangst wrote:
| So Mozilla VPN is wireguard, but won't let me use my own
| wireguard client?
| kbrosnan wrote:
| The Mozilla VPN uses an auth key generated from the Firefox
| Account. There is at least one 3rd party app
| https://github.com/NilsIrl/MozWire/ Though the official
| client supports the major operating systems [Windows, MacOS,
| Linux, iOS, and Android]
| https://github.com/mozilla-mobile/mozilla-vpn-client
| soulofmischief wrote:
| Seconding Mullvad. Their service cannot be beat.
| BelenusMordred wrote:
| Have massive respect for all the open source code Mullvad pumps
| out.
|
| https://github.com/mullvad
|
| Don't use their service but they do really come across as one
| of most trustworthy out there. Have a Protonvpn account for
| getting around a geoblock once in a blue moon, personally don't
| have much use for commercial vpns.
| blindm wrote:
| And with Mullvad you can just make a one-time payment of EUR
| 5.00 if you need to use it for 30 days. No auto-renew crap /
| commitment to long subscriptions to deal with.
| kevincox wrote:
| It is interesting to me that the Mozilla option is cheaper. (5
| USD vs 5 EUR)
|
| Also it bugs me that there are 5 "Try" buttons on the Mozilla
| site before they even show you the price. To be fair it does
| show you the price on the credit card page after you log in but
| still feels a bit scummy to me. Mullvad puts it in your face
| above the fold.
| dheera wrote:
| I totally understand using a VPN service if you're trying to
| access the internet from another location, e.g. to get past the
| China firewall or get access to content from a different
| copyright jurisdiction.
|
| However, I don't fully understand the privacy argument. It
| would seem to be that instead of handing over your entire DNS
| query history and unencrypted HTTP history to your own
| corporate IT department or the Starbucks Wi-Fi router, you're
| now handing over all that data to Mullvad. Are people okay with
| that?
|
| I usually create my own VPNs. I realize that involves handing
| data over to AWS or whoever I use for my servers but I somehow
| feel slightly better about that than handing it over to some
| Mullvad dude.
|
| Google tries to impose its VPN on Android too and my first
| instinct is: do I really want all my traffic going through
| Google?
| shim__ wrote:
| I'd say it's probably worse privacy wise, corporate IT or
| your ISP are at least accountable since you share the same
| jurisdiction. Some dodgy VPN company which you should prefer
| to be overseas if your main objective is piracy is much less
| accountable in regards to your data.
| harshreality wrote:
| > I don't fully understand the privacy argument.
|
| Hiding IPs while engaging in piracy.
|
| Other than that, I think it's mainly geoblocking evasion,
| which might have overtaken piracy recently as the most
| popular reason for using a proxy service.
|
| Any use where the slowness of tor is a dealbreaker, and where
| criminal liability is not so high that law enforcement will
| attempt to unmask proxy users in realtime.
| frr149 wrote:
| Could you elaborate on this? How do you create your own VPN
| on aws (or any other server)?
| boring_twenties wrote:
| Personally if I'm going to hand over my history to someone,
| I'd rather it be anyone but Comcast.
| onychomys wrote:
| This is my feeling too. Also, I know for a fact that my ISP
| would be watching me browse (thanks for nothing, Ajit
| Pai!), while a VPN at least promises not to. The
| uncertainty of whether they're telling the truth on that is
| still better than knowing 100% on the ISP side.
| dehrmann wrote:
| > I don't fully understand the privacy argument
|
| It's mostly moot. In the days of HTTPS and DoH, they're
| essentially selling snake oil. It was a lot more useful in
| 2010.
| hannob wrote:
| > However, I don't fully understand the privacy argument. It
| would seem to be that instead of handing over your entire DNS
| query history and unencrypted HTTP history to your own
| corporate IT department or the Starbucks Wi-Fi router, you're
| now handing over all that data to Mullvad.
|
| Well, you're of course right that the privacy argument for
| VPNs doesn't make a lot of sense. But there's a whole
| industry living from people believing it does, and ad
| partners of that industry willing to proclaim that VPNs are
| essential for your personal privacy.
| stu2b50 wrote:
| VPN ads remind me of supplement ads.
| hatsunearu wrote:
| >However, I don't fully understand the privacy argument.
|
| Yes, it's crap, and any techbro worth their salary should
| know this.
|
| It's also incredibly annoying when VPN this and VPN that pops
| up on youtube.
| VectorLock wrote:
| I personally like the irony of VPN companies getting around
| adblockers by getting paid youtuber sponsorships.
| rafram wrote:
| SponsorBlock!
|
| https://sponsor.ajay.app/
| justnotworthit wrote:
| Why do you think corporate IT or Starbucks or AWS is more
| trustworthy than "some Mullvad dude"? Isn't it possible that
| Mullvad is more trustworthy? Isn't it more possible to know
| about Mullvad than what's going on at Starbucks or AWS?
| dheera wrote:
| I don't consider corporate IT or Starbucks to be trustable.
|
| AWS I would "trust" slightly more only because I get to
| implement the infrastructure and among the sea of trillions
| of requests they serve it would be a bit more of a
| challenge for them to figure out which of those requests
| are VPN browsing data and clean that data. I can also
| mildly obfuscate and pollute requests using their own
| infrastructure and make it hard for them to extract
| anything meaningful about me unless they really wanted to.
|
| Basically AWS isn't already set up as a VPN service, so
| they'd have to put in a nonzero amount of time to extract,
| parse, collate, and analyze VPN logs, let alone figure out
| which instances among their billions are actually VPN
| instances, especially if I run a non-standard, modified
| protocol. Unless I was some Snowden-like target it's
| unlikely they would waste a couple weeks of engineer hours
| to wireshark and clean the data from my instances.
|
| Mullvad on the other hand handles 100% VPN browsing data so
| if they unscrupulously keep logs, they would have clean
| logs to begin with, nicely organized by username, which is
| scary. They wrote the client and they control the protocol.
| They also rent their instances from various providers (the
| names of which they disclose on their website) and I could
| presumably just bypass them and rent an instance with one
| of those providers directly.
| mypalmike wrote:
| Why would AWS need to Wireshark your traffic? If law
| enforcement came to them with IP logs from some target
| machine, it's just a matter of looking at AWS outbound
| NAT logs to find your account.
|
| Of course, either approach should work if the goal is
| merely to disassociate your traffic from your identity in
| order to keep marketing companies knowing your interests.
| Your approach is more provably reliable, but some VPN
| providers do provide 3rd party audits and such which
| seems a reasonable way to establish trust.
| Cu3PO42 wrote:
| The VPN providers promise not to keep logs. They go to
| different lengths to prove this claim to you.
|
| If you do believe that, it's more private. If you don't, they
| still might have access to that data. Otherwise AWS or
| someone else will.
|
| However, even so it will be more difficult for third parties
| to track you since you will generally not be assigned a
| dedicated IP address. You are probably NATed with a bunch of
| other customers from all over the world. If you set up a VPN
| in a VPS you'll most likely have a permanent public IP.
|
| Personally, I believe that Mullvad is truthful about its
| privacy claims, but I'm not a customer.
| dvfjsdhgfv wrote:
| The privacy argument simply hasn't stood the test of time.
| However, the first reason is still valid: some companies
| think they can segregate people based on their IP address,
| and VPNs offer a simple solution to that - even if it often
| doesn't work, and in many cases becomes a mouse-and-cat game
| with the service provider.
| LiberatedLlama wrote:
| Does Mullvad allow me to connect using wireguard without
| pasting my private key into their website? Their website says
| the private key never leaves my browser and is only used to
| generate the configuration file, but all I really want to do is
| give them a public key and I suppose let them know which server
| I'll be connecting to. I can put together the config file by
| hand myself, thanks, I shouldn't need to ever copy the private
| key into my clipboard, let alone paste it into a browser.
| vmception wrote:
| How do they take bitcoin? I've seen various invoicing systems
| that completely break in Tor+JS and in all noJS environments.
|
| If they shoehorned bitpay in, it's probably not tapping into the
| utility of having bitcoin payment options.
|
| I like paying invoices with Monero over Tor, while the merchant
| receives bitcoin that a third party pushed to them. I've been
| doing that for at least half a decade.
|
| But if I can't access their invoice they just lose a customer.
| wwwwwwwww wrote:
| They show you a BTC address and you send BTC to that address.
| Whatever arrives at the address is credited to your account.
| No "invoicing system" involved.
| StavrosK wrote:
| How do things like Morphtoken and Xmr.to handle the $20
| Bitcoin transfer fee?
| vmception wrote:
| Perfect!
| boring_twenties wrote:
| I used to use Mullvad but got sick of having to pay them via
| Bitcoin (or Bitcoin Cash, lol). I emailed them about
| accepting Monero directly and they said something like "we
| would like to but it's too much work." Ended up switching to
| IVPN, which actually costs more but is worth it for me not to
| have to deal with those shitcoins.
| vmception wrote:
| But you could always pay them with Monero
|
| You can pay any bitcoin invoice with Monero and people have
| been doing that for 6 years
| [deleted]
| StavrosK wrote:
| I really love paying with Monero as well. Fast, super cheap
| and anonymous. It's definitely my favorite coin to use
| (since I don't like speculation). I just wish it were more
| widespread as a payment option.
| namanyayg wrote:
| What third party are you using that does the xmr -> btc for
| you?
| vmception wrote:
| these days, it's Morphtoken and Xmr.to
|
| still waiting for something better but it's good enough
| _muff1nman_ wrote:
| xmr.to has recently shut down[1]. It would be nice to see
| more services accepting monero directly.
|
| 1. https://www.reddit.com/r/Monero/comments/la46ds/xmrto_servic...
| vmception wrote:
| that's too bad, thanks for spreading the word
|
| One day people will figure out how to connect XMR to
| other chains, really unlocking its value and utility for
| those markets
| StavrosK wrote:
| I think that's scheduled for September this year.
| lawn wrote:
| They have a custom implementation.
| shrimp_emoji wrote:
| Great Linux client, too!
| pbhjpbhj wrote:
| Mullvad is the service that Firefox use, I took that as an
| endorsement and tested them, it worked well (on Linux, which
| has a command line controller for a service that is installed)
| once you've got used to how it's set up. They seem to do
| anonymising thoroughly. IIRC you can even mail them cash.
|
| Edit: I should say, I used their support email, they responded
| pretty quickly for a cheap service, offered a beta client and
| that fixed the issue (I'd actually tried the beta by the time I
| got the email back, but still).
| hda111 wrote:
| Using Bitcoin doesn't make one anonymous. I would always send
| cash to them.
| grishka wrote:
| You can't use _any_ commercial VPN service and expect privacy.
| Those are only good for bypassing geographical restrictions. If
| you want privacy, buy a VDS and host your own VPN server.
| It'll cost about the same, and you can use it for other things at
| no additional cost.
| gazby wrote:
| Perhaps it depends on the definition of privacy. Now your
| identity is tied to any and all traffic to/from that IP
| address for the duration of ownership.
| colechristensen wrote:
| The specific issue is the VPN provider harvesting data
| about your traffic and selling it.
| gazby wrote:
| I'm suggesting it's vastly greater effort to identify
| individuals in a VPN service than a VPS provider (shared
| vs dedicated tenancy).
|
| If you're talking about bulk collection, then your ISP is
| probably already doing that.
| freebuju wrote:
| Except most providers worth their salt will require your
| credit card/paypal for a subscription. This adds another
| potential loophole for de-anonymization. At least with
| Mullvad you can pay in crypto or even mail them cash. Though
| it all depends on what you want to achieve I'd say a trusted
| VPN is much better than a VPS, esp one located in US or any
| of the five eyes countries.
| Fnoord wrote:
| If I use a public WLAN, a VPN like Mullvad is going to gain
| me privacy and security. Furthermore, I would get (for good
| or bad) "mixed" with the rest of the users (although in my
| case this does not apply as I use WireGuard to my home
| connection). If I use mobile, a VPN makes MITM more
| difficult.
|
| If I pirate using a VPN in a country hostile to mine, the
| local RIAA/MPAA can't do anything. They probably already
| can't when VPN is in same country. A VPN doesn't stop a
| determined adversary, but if you worry about these you should
| probably use Tor or something like that, possibly without
| going back to clearnet.
|
| While your stance is a good wake-up call, and perhaps a
| decent rule of thumb the above are reasonable exempts.
| kelnos wrote:
| Seems like it'd be easier to "unmask" someone's VPS account
| than figure out who someone is when they use a paid VPN
| service.
|
| If you're worried about a government, your personal info from
| a VPS provider is just one court order away. If you use a VPN
| service that actually is serious about not keeping PII or
| logs, you might fare better there (they _might_ be coerced to
| log _future_ traffic of yours, but at least your prior
| activity is still secret).
|
| If you're worried about ad tracking, a VPN just doesn't do
| you much good period: ad tracking is sophisticated enough to
| not care about your IP address.
|
| But all of this "VPN for privacy" stuff is predicated on
| trusting faceless third-parties to help keep you safe, so
| it's generally a losing proposition. Agree that the only
| "safe" thing to use a commercial VPN for is to bypass
| geographical restrictions.
| michaelmrose wrote:
| Every form of security has different threat models and
| appropriate countermeasures.
|
| If you are trying to avoid your ISP knowing you are
| downloading movies a VPN is a good solution.
|
| If you don't want others in the coffeeshop to be able to
| snoop on remaining unencrypted http traffic. VPN
|
| If you don't want your employer to have a list of your web
| traffic from your personal device. VPN
|
| If you don't want a service which you don't pay with a
| credit card to have a way to connect your pseudonym to your
| real name. VPN
|
| If you want to opt out of some degree of dragnet
| surveillance/data collection via parties like your ISP. VPN
|
| None of these are incredibly uncommon. VPSs work great for
| most scenarios. If your actions are dangerous to your
| continued existence or you need to keep your own government
| from watching you then you probably need to adopt far more
| stringent measures but I feel this is vastly less common
| than the above situations.
| symlinkk wrote:
| Who runs Mullvad? Am I supposed to just blindly trust these
| people with my entire internet activity?
| rsync wrote:
| "Honestly, nothing holds up to ... (VPN provider)"
|
| If you're serious you send a machine, that you own, to a colo
| provider and you register for service with a corporate entity
| that you created for just that purpose.
|
| Your name exists nowhere and ... _regulatory inquiries_ are
| directed to your corporate contact email.
|
| Or, if you feel like that's a heavy burden and you don't attach
| any value to the physical machine (some old 1U, right ?) then
| you can just sign up under an assumed corporate name with some
| colo provider that doesn't care that it is, or is not, an
| actual corporation _and_ you can pay with your non-AMEX credit
| card[1] using whatever Mickey Mouse name you feel like.
|
| Trust me - it won't take long to find someone who will take
| your money.[2]
|
| [1] Only AMEX validates First Last ...
|
| [2] https://www.lowendtalk.com/
| michaelmrose wrote:
| For practical purposes the only people who can penetrate a
| simple vpn service are potentially a government order to
| start recording your traffic that is legal based on
| jurisdiction or a dedicated hacker.
|
| It looks to me that NEITHER would be prevented by you using a
| colocated machine. It's not like your colocation provider is
| incapable of compromising you and probably would if ordered
| to do so in a jurisdiction where this act would be legal.
|
| A hacker presumably isn't concerned about whether they are
| attacking a machine on your desk or in Nebraska.
|
| Over a 5 year time frame your colocated machine would
| presumably run you between $6600 and $19000 and would have
| bought you zero additional privacy compared to paying $360
| for a vpn in the same jurisdiction.
| sbierwagen wrote:
| These guys say they'll colo a raspberry pi for $9 a month:
| https://www.endoffice.com/picolo.html
| Thorentis wrote:
| This is far less anonymous than sending cash in the mail to
| Mullvad. There is a paper trail leading back to you when you
| register the corporate entity.
| [deleted]
| sneak wrote:
| From a security perspective, this is equivalent to renting a
| dedicated server. Once it leaves your possession, it isn't
| really "your hardware" anymore from a data security
| standpoint.
|
| Also, as others have pointed out, all you have to do is sniff
| the traffic going in to the machine, something both the colo
| and ISP and upstreams are trivially able to do to obtain your
| residential or GSM IP, linked to your name/identity.
|
| This is bad advice. Mullvad is like five bucks and offers
| equivalent privacy.
| HelloNurse wrote:
| This seems the work of some market-oblivious marketing "expert":
| we want more autorenewals, let's figure out some stick and
| carrot. Trust doesn't appear to be a consideration.
| respli wrote:
| Has anyone actually been able to reproduce this? This annoyed me
| enough that I cancelled my NordVPN renewal, and I never got this
| screen - and all the adblock/anti-malware stuff still works fine.
| IG_Semmelweiss wrote:
| question for those privacy conscious peeps:
|
| When you use multiple browsers, with 1 (FF) used for general
| browsing set up to block fingerprinting, all cookies, js, etc...
| will the _other_ (Brave, Opera) browsers leak info to web sites,
| when using FF ?
| yjftsjthsd-h wrote:
| Not an expert, but:
|
| It depends if the browsers have matching characteristics. If
| you're not using a VPN, then they can be matched by IP. If you
| are, then it's down to side-channels which are a pain but
| _usually_ differ by browser (and perhaps even profile) - but I
| do wonder if ex. font availability and possibly GPU-based
| fingerprints wouldn't match. Of course, if your locked-down
| browser blocks enough then you can solve that.
| kahlonel wrote:
| And now their login page is "crashing". They knew I was coming to
| uncheck that crap.
| LordHeini wrote:
| Why are these VPNs even a thing?
|
| The only reason I would use one is to get cheaper steam keys from
| Brazil and for that I can get a free one.
|
| From a security standpoint it is awful because you increase the
| number of providers you have to trust.
|
| Apart from your ISP and the server you connect to, you got a
| third party involved for no reason.
|
| And VPNs can be not that trustworthy as shown by the leaks of logs
| and what not.
|
| Maybe someone can enlighten me why these services exist and what
| usecase they have?
| gambiting wrote:
| In the UK your ISP has to store your entire browsing history
| for a year. Multiple agencies have access to this data without
| a warrant.
|
| So my usecase is simply preventing my ISP from knowing what I
| browse and from keeping this record. I'd much rather take my
| chances with a VPN company than my ISP and the British
| government.
| glenneroo wrote:
| My bank blacklisted me from their online banking portal because
| of a "suspicious IP". After submitting a number of automated
| requests to my bank's new security website (a company in
| another country and only available in a different language), I
| found out that my IP was marked as dangerous because I ran a
| Tor service at some point in the past. I hadn't been running it
| for months but they still had my IP tagged as potentially
| malicious which was enough for my bank to distrust my ip. I
| should also note that I also had a static IP back then, which
| due to this ban, I subsequently disabled. In the meantime I've
| moved all my external facing (mostly Raspberry Pi) services to
| VPN and plan to finally re-activate static IP.
| blondin wrote:
| youtube ads is the reason i am most familiar with. especially
| with nordvpn.
|
| so, essentially, even the most knowledgeable people on youtube
| tell you that nordvpn is a must have thing. and they "use it
| all the time". what do you want people who don't know better to
| do?
|
| that's the sad online world we live in.
| fencepost wrote:
| It moves the source of threat from local (eg someone around you
| on shared wifi) and the local(ish) ISP to remote and abstract
| and possibly uncaring (foreign company and whoever has the
| resources to monitor their firehose). It doesn't eliminate
| threat, but it changes it in ways that may be relevant - eg
| with a VPN the people around me can't see that I'm surfing
| midget porn, and my ISP can tell that I'm torrenting but can't
| tell what or from where. Other torrent watchers (eg whoever
| goes after pirates these days) will also have a hard time
| isolating me back to an IP with which they might be able to get
| account holder information - and entities with the resources to
| monitor what's coming out of the fat pipes at the VPN provider
| probably don't care about me.
| LorenPechtel wrote:
| Getting around censorship such as the Great Firewall. I have
| relatives in China, we visit most years. Without the right VPN
| (most don't do a good job against the Great Firewall) you lose
| things like Google (thus your Gmail account), Facebook (no
| great loss), Dropbox and its siblings, pretty much any major
| news site. Last time I was over there I was having some trouble
| with my VPN (it's always a cat-and-mouse game between the VPNs
| and the Firewall) and the only search services that worked were
| Bing (which saw my Chinese location and did a much worse job
| than normal) and Baidu (which is China-focused and thus did a
| horrible job of serving up results in English.) Both engines
| were more likely to cough up a mixed-language page that vaguely
| matched over an English-only page that would be a much better
| match. Note that I was using a machine with the language set to
| English and not one bit of Chinese in the queries.
| jariel wrote:
| Probably the #1 reason by far is geoblocking.
|
| Security interests are niche compared to people wanting to
| watch 'xyz program' or 'xyz super game'.
| astura wrote:
| I suppose Geounblocking is a big feature - I use PIA to watch
| in-market MLB games.
| kevincox wrote:
| Mostly because of their FUD marketing. Almost all of the VPN
| ads imply, if not outright state that accessing your bank
| account is unsafe without a VPN.
|
| I mean sure, if you want to sell Netflix access sure, but their
| security claims are _way_ off.
| LiberatedLlama wrote:
| Their marketing is the sketchiest shit ever. Any VPN that
| advertises like that is dead as far as I'm concerned,
| _particularly_ NordVPN. They are the worst offender;
| listening to a few different jackasses on youtube pitching
| their product and hearing each one repeat the same talking
| points, it's obvious the FUD comes from NordVPN themselves,
| telling people to say it.
| Ekaros wrote:
| If your ISP is realistic vector for your bank details, anyway
| you have much bigger problems.
|
| Geoblocking I see, but other stuff without knowing exactly
| who you get VPN from and who is your ISP is extremely
| murky... And I think there are very few who can make an educated
| decision on these. And they are running their own or using
| tor...
| s1rech wrote:
| If you are using the network of a hotel or a train station, for
| instance. Assumption is that you trust that VPN provider of
| course.
| LordHeini wrote:
| Well https takes care of that.
|
| The hotel might be able to see that you visited a certain
| website but that's about it.
| VectorLock wrote:
| You have now shifted your trust from your VPN provider to
| certificate authorities.
|
| And, I guess, just ignore anything that's not https.
|
| Or just be okay if your hotel blocks certain ports or
| destinations, which I've had happen multiple times.
| nicoburns wrote:
| Assuming they don't MITM your connection.
| hahajk wrote:
| And how would they do that? Your browser should warn you
| the certs aren't trusted.
| nicoburns wrote:
| And if your browser does warn you: what do you do? You
| use a VPN.
| bzb6 wrote:
| Which you would notice immediately because of the big,
| scary warnings.
| nicoburns wrote:
| Right, but how do you respond to that? Using a VPN seems
| like a reasonable approach in this situation.
| monocasa wrote:
| You respond primarily with non technical means, making a
| giant stink that a hotel that generally lives and dies on
| corporate money is man in the middling their WiFi.
| LiberatedLlama wrote:
| It's a hotel right? I would respond by closing my laptop,
| then my eyelids, then checking out the next morning.
| LordHeini wrote:
| Assume my hotel has some MITM running with the right
| (broken) certificates and so on.
|
| Which is not that trivial to begin with.
|
| How hard would it be to take over the dns and simulate a
| fake VPN too?
|
| Or just constantly disconnect the vpn and hope the user
| stops using it for a while.
| lr4444lr wrote:
| Presumably, you exchanged certs with the actual VPN over
| a known secure network prior.
| rasguanabana wrote:
| Well, http(s) isn't the only traffic going through network.
| seppin wrote:
| It is for 95% of websites most people use.
| Hamuko wrote:
| Wouldn't you be better served by your own VPN server?
| seppin wrote:
| Yes but deploying a vpn to digitalocean for example made
| the web unusable. Too many "spam" catches when simply
| trying to browse the web
| J-Kuhn wrote:
| Not everyone can setup their own web/mail/vpn/whatever
| server.
| yjftsjthsd-h wrote:
| Then you're the only person coming from that IP; a
| commercial service lets you hide in the crowd.
| muststopmyths wrote:
| exactly. I have at least some trust in Mullvad, but I'll be
| damned if I'm getting on the hotel WiFi in a US hotel chain
| without VPN. Let alone while travelling in foreign countries.
|
| I frequently access my bank info etc. on such trips. With a
| VPN at least I have fewer random threat vectors to consider
| on a network.
| BoumTAC wrote:
| but every site nowadays uses https. Doesn't it prevent issues
| with public wifi ?
| rasguanabana wrote:
| Not all traffic is http.
| djrogers wrote:
| What 'bank info etc.' are you accessing that isn't TLS
| encrypted already? Adding IPSEC on top of that isn't
| helping much, if at all...
| muststopmyths wrote:
| I've frequently (especially outside the US, but even in a
| major hospital system here in San Francisco) come across
| WiFi networks that force web access through a MITM proxy.
| Yes, HTTPS will help me detect it, but if I need to
| actually get through, a VPN is helpful.
|
| "bank info" in this case being anything from logging in
| to check my balance, pay bills or even contact them via
| their secure messaging because I'm disputing a
| transaction.
|
| It doesn't eliminate all threats, but I'm not a secret
| agent ninja that needs 100% hardened communications. I
| just need a modicum of assurance.
| viseztrance wrote:
| I moved last year back to my home country from the uk, and did
| the final trip on my motorbike.
|
| Midway I realized I was missing an offline map of a country I
| was about to be passing through the next day. I had an
| unlimited data plan with traffic abroad included, and despite
| this, it didn't allow me to download the maps for my gps
| (everything else worked!), even after fiddling around with
| third party dns.
|
| So I downloaded a vpn app, and managed to get everything sorted
| out.
| tgsovlerkhgsel wrote:
| 1) people believing long-outdated guidance about not using open
| WiFi networks without a VPN
|
| 2) protecting your browsing traffic from being observed by your
| ISP (where you may not have much choice), at the risk of it
| being observed by the VPN company (which you trust).
|
| 3) Torrenting without having to worry about fines, nastygrams
| and other annoyances
|
| 4) Bypassing geoblocking
|
| 1 + 2 is what the VPNs advertise, but I think 3 + 4 are what
| people actually use them for.
| lliamander wrote:
| Wait, what's wrong about 1?
| cube2222 wrote:
| Almost everything is over https now, and with it, the wifi
| network security doesn't matter much.
| Aldipower wrote:
| Wifi isn't only browsing the web..
| kevindong wrote:
| But web browsing is the vast majority of network usage
| now. The only big exception I can think of that doesn't go
| through standard HTTP/HTTPS rails is email. And even then
| desktop email clients are pretty rare now and they're
| pretty universally encrypted now.
| reificator wrote:
| > _4) Bypassing geoblocking_
|
| > _1 + 2 is what the VPNs advertise, but I think 3 + 4 are
| what people actually use them for._
|
| I don't know, I've seen two different "household" gaming
| Youtube channels advertise VPNs with a focus on geoblocking.
| I was kind of shocked at how brazen it was.
| LiberatedLlama wrote:
| > _1)_
|
| Open wifi networks still exist. When last I was at my public
| library (a year ago... covid) they still had an open wifi
| network for public use. I think for them it's a matter of
| principle, since it means nobody has to ask permission to use
| it.
| rafram wrote:
| But HTTPS has become (nearly) universal. There's little
| risk of someone on your network snooping on your traffic,
| because it's just not possible anymore.
| swader999 wrote:
| All your clicks getting tracked and sold and resold to the
| point anyone can know more about you than your wife does.
| tw04 wrote:
| >1) people believing long-outdated guidance about not using
| open WiFi networks without a VPN
|
| Long-outdated? It's more important today than it was 10 years
| ago. That public wifi you're on is tracking your every move
| and correlating your devices back to you if you happened to
| purchase anything in the store with a credit card.
| lr4444lr wrote:
| What's wrong about (1)? Https or not, there are still MitM
| attacks, and the URLs you are accessing are still trackable.
| As to why I'd trust my VPN more than my ISP, whose CEO has
| got more to lose once word gets out that his company
| cooperated with authorities to turn over my logs?
| jonahhorowitz wrote:
| This is maybe a nit-pick, but https prevents tracking of
| URLs - they can still see what hosts you're connecting to,
| but they don't get the full URL string.
| 12ian34 wrote:
| I'll just leave this here as food for thought
| https://schub.wtf/blog/2019/04/08/very-precarious-narrative....
| yjftsjthsd-h wrote:
| > From a security standpoint it is awful because you increase
| the number of providers you have to trust.
|
| No, a VPN _replaces_ an ISP in most threat models (by shifting
| who can see your traffic). For some people, this is a good
| trade (ex. me: my ISP has straight-up admitted to analyzing
| people's traffic for marketing info).
| beermonster wrote:
| ISP modifying DNS responses, or at the least potentially
| logging them. A good reason to use DoH/DoT.
|
| ISP logging traffic anyway in UK in order to comply with,
| say, Snoopers charter.
|
| ISP providing out-of-date router hardware with unpatched
| firmware that most people connect directly to their WiFi
| networks instead of isolating.
| ence wrote:
| Pirating copyrighted material.
| LordHeini wrote:
| Well afaik seeding on public torrents is just about the only
| way, where you would get in trouble for pirating.
|
| Just don't do that, use a private tracker and use Tor for
| small stuff like ebooks.
| TillE wrote:
| There's nothing magical about a "private tracker", those
| are regularly infiltrated too.
| LordHeini wrote:
| I may be completely wrong on this one but...
|
| This is not much of a problem, because you are seeding to
| "friends" making the whole thing non commercial and a
| private affair in some legislatures.
|
| Not sure if the laws have changed but what.cd used to
| have a certain number of users which was capped by the
| number of friends some judge thought to be reasonable.
|
| If I recall correctly that was around 200k meaning that
| you could run a private tracker and in case of a bust
| claim to know everyone.
|
| Back in the day I had a what.cd account and when they got
| busted (took them many years) nothing happened to the
| users. I think they shredded the servers before the cops
| could seize them.
| monocasa wrote:
| None of that helps in the US.
| LiberatedLlama wrote:
| Getting onto many private trackers is a real pain in the
| ass, involving lurking on some IRC channel for who knows
| how long, begging and sucking up to people until somebody
| gives you an invite (assuming the tracker is even open to
| new applicants at the time.) Then, even with an invite,
| often the admins want to interview you to see if you answer
| probing questions like a pirate or a lawyer. The whole
| thing is a pain in the ass. These days I just say YOLO and
| use public trackers.
| beermonster wrote:
| > Maybe someone can enlighten me why these services exist and
| what usecase they have?
|
| Because there are lots of people that can't create their own
| VPN even though these days you can spin up a lightsail instance
| for $3.50 pcm and be up and running with Wireguard in minutes.
|
| And for those people that cannot, their threat model changes to
| now needing to trust a single entity after they are up in
| minutes.
|
| As you say, those providers have oftentimes been proven to not
| be so trustworthy. But how many CAs have been shown to be not
| trustworthy in the last couple years?
| upbeat_general wrote:
| Also many websites will block cloud services IPs. This can
| also happen with 3rd party providers but in my experience
| it's much less common because some vpn providers will buy
| residential IPs.
|
| It also can be nice to get a new IP more or less whenever you
| want by just connecting to a different, already setup server.
| ficklepickle wrote:
| The only websites to block my AWS IP are streaming
| providers like Netflix.
|
| I don't believe VPN providers are buying residential IPs.
| They use a p2p architecture and route traffic through their
| customers, usually without informing them. If I do use a
| commercial VPN service, I prefer to use the openVPN client
| rather than their proprietary client.
| mikeiz404 wrote:
| One reason is to help reduce some identifying information Ad
| networks and the like might collect since a common IP is shared
| among many users. There are disadvantages too but this is
| something you won't get with self hosting.
|
| Also ISPs in the US are able to sell your browsing history
| (https://protonmail.com/blog/private-browsing-history/) but I
| believe this can be mitigated by DOH.
| database_lost wrote:
| For me, Nordvpn was much much slower than Expressvpn, and with
| this, it's a no-brainer
| m3kw9 wrote:
| Did they initially say we will give you extra features if you
| enable auto renew? Still feels a bit slimy even if that is the
| case
| robinhood wrote:
| Happy Private Internet Access user, for years, and I don't have
| to deal with these kinds of practices.
| kilroy123 wrote:
| I've used them for years as well and it seems like they have
| really gone downhill the last year or so. The iOS app is now
| unusable for me. Lots of slow or unresponsive servers now.
| Just heaps of issues for me.
| pault wrote:
| They were recently partially or wholly purchased. There was a
| big stink about it because the other company had ties to
| Israeli intelligence or something. I may be misremembering
| the details, but I'm too lazy to look it up on my phone. I
| recently switched from PIA to mullvad and I can definitely
| recommend it. It feels more transparent to me, and the client
| app is well done.
| blindm wrote:
| I personally never liked the whole Nord ecosystem. I tried
| NordPass and encountered bug after bug and had to stop using it.
| The software seems kind of thrown together / shoddily made just
| to make a quick buck. They don't nearly put in as much passion
| and effort as better offerings like ProtonVPN and Mullvad (no
| affiliation, just really love their services).
| rochak wrote:
| Can confirm. I used to use ProtonVPN and it was worth every
| penny. I switched to NordVPN to save a few bucks and it was one
| of the worst decisions I have ever made. NordVPN couldn't hold
| a candle to what ProtonVPN offered in terms of reliability,
| ease of use, transparency and support. ProtonVPN was costlier,
| but I think it justified its cost.
| miniyarov wrote:
| Rather than depending on VPN services, I use Cloud Providers
| because, at least, I know that my server isn't logging me for
| sure. However, it is hard to deploy a VPN server on cloud
| providers right from your phone. That's why I developed
| zudvpn.com
|
| Completely open-source with DNS Ad blocking features and even a
| terminal to connect to the server.
|
| Store: https://apps.apple.com/us/app/zudvpn-personal-vpn-on-cloud/i...
| Github: https://github.com/zudvpn/zudvpn
| dcormier wrote:
| https://gist.github.com/joepie91/5a9909939e6ce7d09e29#file-v...
| karaterobot wrote:
| This isn't a persuasive argument for not using a VPN, it's a
| strongly-worded reminder that using a VPN means you're trusting
| your VPN provider. That's a big difference.
| bitcharmer wrote:
| Although not entirely false, this post is a bit too defeatist.
| "Don't use a VPN because they may be lying about not logging
| connections" is the same as saying "Don't get on an airplane
| because the pilot may be suicidal".
|
| I'm not going to stop using vpns nor flying on airplanes
| because of that.
| Nextgrid wrote:
| You typically get on an airplane because you have to travel
| someplace. With VPNs I fail to see a reason beyond
| circumventing geo-blocking.
| yoz-y wrote:
| Whereas the VPN provider _might_ do something with your
| data, your ISP most definitely _does_.
| midasuni wrote:
| Does it? I don't recall giving A&A permission to deal
| with my data in any nefarious way, i'd doubt they would
| anyway.
|
| https://www.aa.net.uk/
| eptcyka wrote:
| Virgin, who are the only ones who can provide decent
| speeds at my address most definitely spoof DNS and record
| traffic.
| rasguanabana wrote:
| This may be very different in countries different than
| yours.
| midasuni wrote:
| I wasn't making a blanket claim. Op told me my isp is
| bad. My isp is not bad. I'm certain that a vpn provider
| would be less trustworthy than my isp.
| judge2020 wrote:
| So maybe you don't have to worry about the ISP itself,
| but your government:
|
| https://www.theverge.com/2016/11/23/13718768/uk-surveillance....
|
| https://www.amnesty.org.uk/why-taking-government-court-mass-...
| [deleted]
| hellcow wrote:
| ISPs monitor and modify your internet traffic in America
| (perhaps that's different in the UK?). My American ISP
| absolutely spies on me. So rather than accept that
| guarantee, I can use a VPN like Mullvad who at least
| promise not to do this, and whose entire business relies
| on keeping that promise.
| Nextgrid wrote:
| > whose entire business relies on keeping that promise.
|
| That "you should not use a VPN" link someone posted
| elsewhere explicitly disproves that claim, saying that
| HideMyAss were caught breaking their privacy promises and
| have yet to go out of business.
|
| The prices of VPN services also don't make sense and
| potentially suggest something nefarious is going on (not
| saying Mullvad is doing this, but any VPN advertised on
| YouTube is very likely to do so). It's difficult to
| imagine that they can afford such bandwidth/hardware and
| the amount of support/abuse cases (remember that VPN
| services will attract scum as a side-effect of their
| privacy/anonymity claims) for such a low price.
| [deleted]
___________________________________________________________________
(page generated 2021-02-06 23:01 UTC)