[HN Gopher] Personal VPN services are snake oil
___________________________________________________________________
Personal VPN services are snake oil
Author : ementally
Score : 108 points
Date : 2024-04-14 19:08 UTC (3 hours ago)
(HTM) web link (httpscolonforwardslashforwardslashwwwdotzoltanbalazsdotcom.com)
(TXT) w3m dump (httpscolonforwardslashforwardslashwwwdotzoltanbalazsdotcom.com)
| ethbr1 wrote:
| URL would be funnier if owner also owned the actual URL, but
| redirected everything to the extra one.
|
| And it's unregistered!
|
| https://www.namecheap.com/domains/registration/results/?doma...
|
| _Edit:_ Per below, missed the last dot. zoltanbalazs is
| registered.
| https://www.namecheap.com/domains/registration/results/?doma...
|
| Also, what would be more interesting: a financial breakdown of
| how an average _free_ VPN provider makes money.
|
| I assume ad injection + selling traffic data, but does that make
| enough to offset the cost?
| jsheard wrote:
| I believe at least one of the business models for "free" VPNs
| is to turn their users' machines into exit nodes, and the real
| business is in selling those to people who want to spread their
| traffic across many residential IPs for usually dubious reasons
| (e.g. scalpers trying to scoop up concert tickets or limited
| edition sneakers or whatever without tripping bot detection).
| bpfrh wrote:
| afaik some free vpn providers use your own connection to offer
| residential ips for scraping services or other vpn users.
|
| I know I read an article about one where they at least routed
| some other traffic through the vpn app, but I can't find the
| article anymore.
| dantyti wrote:
| holavpn was exposed by trend micro as a botnet for rent (best
| source I could find since the original white paper from trend
| micro seems to be gone:
| https://www.vice.com/en/article/pga9yk/your-tool-to-access-n...
| )
|
| facebook used their vpn onavo to mitm users of snapchat,
| amazon, youtube:
| https://techcrunch.com/2024/03/26/facebook-secret-project-sn...
| - somehow I had missed this, I was only aware of the much older
| scoop about facebook using it to track underaged users:
| https://techcrunch.com/2019/01/29/facebook-project-atlas/
| username3 wrote:
| dotzoltanbalazsdotcom.com is unregistered.
|
| zoltanbalazs.com was registered in 2021.
| ethbr1 wrote:
| Oops! Mistake on my part. Updated above.
|
| Sadly, doesn't look like there's anything hosted on
| zoltanbalazs.com
| beefnugs wrote:
| baby's first regex! oh so cute, here let me feed you more periods
| lucb1e wrote:
| I just noticed newlines are rendered on Algolia:
| https://hn.algolia.com/?query=regex%20feed%20periods&type=co...
| This can be useful when people attempt bullet point lists
|
| Anyway is this comment a reference to the domain? I don't
| understand what you mean
| bhaney wrote:
| > When to use a personal VPN?
|
| > - Geofence bypass
|
| > - Piracy
|
| > - Soft network block/censorship
|
| Among all the people I know who use the kind of VPN services
| talked about here, these are exactly their reasons for using
| them. Obviously advertisements are going to shy away from these
| angles.
| jsheard wrote:
| You may not even need a VPN to get around censorship, ISPs
| implementing legally mandated site blocks often only bother to
| enforce them at the DNS level so you can trivially bypass them
| by using an encrypted DNS resolver.
| pc86 wrote:
| Encrypted DNS resolvers aren't trivial[0] for the ~99% of
| people who don't even know what they are, though.
|
| [0] https://news.ycombinator.com/item?id=8863
| bhaney wrote:
| Doesn't Firefox default to eDNS these days? I don't think
| it can get much more trivial than that
| LaLaLand122 wrote:
| In the UK, at least, it isn't the default (because of
| "the children"/"terrorism"). But it's still just a
| setting in Firefox/Chrome to change (and I guess in Edge
| too).
| gruez wrote:
| Changing the "secure dns" option on their phone/computer is
| probably easier than installing a VPN app, tbh.
| taneq wrote:
| Even just using a different DNS can be enough. A certain
| popular movie uploader is/was blocked by my ISP at the DNS
| level but worked fine once I changed to OpenDNS.
| UniverseHacker wrote:
| Pretty funny to say they're snake oil, and then list 3 very
| good reasons to have one.
| mattrick wrote:
| I think the snake oil claim is in regard to VPN companies
| marketing themselves as a security product. The security
| benefits that these companies claim in their ads are dubious
| but of course there's other benefits to them, they just can't
| advertise that they can be used for these things.
|
| The problem is people who aren't aware of this see these ads
| and think that they actually do prevent hackers from stealing
| their information.
| nmeagent wrote:
| > I think the snake oil claim is in regard to VPN companies
| marketing themselves as a security product
|
| Considering that confidentiality is a vital component of
| overall security, it's not necessarily unreasonable to
| describe a VPN as a security product. Of course, it's not
| the panacea some companies claim; nobody's "surfing the web
| in full security and privacy" with just a VPN service.
| the_snooze wrote:
| We already have really good client-server confidentiality
| (and integrity) assurances from the wide adoption of
| TLS/HTTPS. Wrapping that in a VPN doesn't buy you all
| that much additional security. Maybe a little bit of DNS
| privacy and being able to mask your IP address on
| torrents, but that's all that comes to mind.
| ed_balls wrote:
| renting a car - better rate if you are local.
| SV_BubbleTime wrote:
| Hmm... I'm going to try that. Thanks traveler.
| SOLAR_FIELDS wrote:
| Also plane tickets. It was less than half the price for me
| to buy Peruvian tickets in soles from LATAM than to shop on
| the equivalent site in USD
| whynotmaybe wrote:
| I found the opposite when renting a car at the airport.
|
| Renting a car in Belgium from the Canadian website is cheaper
| than renting the same car on the Belgian website.
| drexlspivey wrote:
| I have mine always on for privacy. Is there a reason to not use
| it? The extra latency is close to 0 just use an exit node in
| the same city. Why should I donate all my browsing data to my
| ISP ?
| ThatMedicIsASpy wrote:
| ISP routing, throttling
| paulgb wrote:
| The problem is that they are sold as a security/privacy product,
| because they can't mention the more illicit uses (which the
| author mentions under "when to use a VPN"), which are the real
| use cases people buy them for.
|
| It's kind of like when shops selling bongs would market them as
| "tobacco accessories", but there was a wink-and-nudge
| understanding about how they would really be used.
| EGreg wrote:
| You mean like vibrating massagers?
|
| Did you know the original vibrator was a medical device by
| doctors to automate treatment of Hysteria?
| HenryBemis wrote:
| I assume you get downvoted due to the (not much) relevance of
| your example to the VPN discussion. As for the accuracy: Yes!
|
| 1) https://jhupbooks.press.jhu.edu/content/technology-orgasm
|
| 2) https://www.psychologytoday.com/us/blog/all-about-sex/201303...
|
| 3) https://www.bbc.com/future/article/20181107-the-history-of-t...
| zaroth wrote:
| Haha, look up what "hysteria" was and the medical "treatment"
| devised to "cure" it.
|
| We might have a long way yet to go as a species, but we've
| sure come a long way.
| jiggawatts wrote:
| We still have chiropractors and Chinese herbal medicine
| dispensaries.
| yosito wrote:
| The thing that bothers me is that we've had these things
| for so long, but no one does any actual research about
| them, so we still can't say that we know they don't work,
| but only that we don't know that they work. And "we don't
| know that they work" doesn't really convince people who
| say "thousands of years of tradition say that they work,
| and my great aunt was healed by it".
| pgraf wrote:
| According to this article, this is probably a myth:
|
| https://www.theatlantic.com/health/archive/2018/09/victorian....
|
| https://archive.is/idRiW
| elorant wrote:
| I buy them so I can have country specific ips
| ponector wrote:
| Which vpn provider do you use? I found it is sometimes a
| nightmare to use some of them due to blacklisted ip and
| endless captcha.
| elorant wrote:
| Mullvad
| hn_throwaway_99 wrote:
| Exactly. Is there anyone whose primary use case for a personal
| VPN is _not_ "Geofence bypass for region-locked content"??
|
| Whenever a state in the US passes a new "we need your ID to
| watch porn" law, sales of personal VPNs must predictably
| skyrocket in that state.
| tshaddox wrote:
| Is "geofence bypass for region-locked content" actually
| "illicit"?
| JumpCrisscross wrote:
| > _Is "geofence bypass for region-locked content" actually
| "illicit"?_
|
| Yes, in practically every jurisdiction. It's wilful breach
| of contract, tortious interference with the content
| distributor's licensing schemes and copyright infringement.
| hn_throwaway_99 wrote:
| Unless you have any explicit court case decisions to the
| contrary, I'm calling bullshit. I did a simple Google
| search and could not find any examples of someone being
| sued or prosecuted for region bypass.
| JumpCrisscross wrote:
| > _Unless you have any explicit court case decisions to
| the contrary_
|
| I also don't think there is prosecutorial precedent for
| murdering someone with a sea cucumber; that doesn't make
| it licit (or legal).
| chrisfinazzo wrote:
| A notable exception being the use of a VPN to access
| region-protected content.
|
| INAL, but while this use case _might_ violate ToS, the
| case law suggests that courts deem this to be fair use
| provided you don't breach other laws in the process
| (e.g, copyrights).
| JumpCrisscross wrote:
| Agree that it's the digital equivalent of jaywalking.
| FireBeyond wrote:
| > tortious interference with the content distributor's
| licensing schemes
|
| No it's not.
|
| Tortious interference with a business relationship is no
| doubt what you're referring to here, but it's a long bow
| with multiple layers of indirection. It is "intentionally
| acting to prevent someone from successfully establishing
| or maintaining business relationships with others".
|
| Miramax, as a content distributor, might license their
| content to Netflix.
|
| You are a customer of Netflix.
|
| Now say you are a customer of NordVPN.
|
| For one, NordVPN isn't trying to prevent you maintaining
| a business relationship with Netflix. Nor is it trying to
| prevent Netflix having a business relationship with
| Miramax.
|
| NordVPN may provide you means by which you can choose to
| be in violation of your TOS with Netflix. It's not acting
| to ensure you are.
|
| Netflix doesn't have to -allow- this, hence VPN/proxy
| detection. But they have recourse, drop you as a
| customer, for you, the customer's, actions, not for
| NordVPN's actions. Miramax can't argue that NordVPN acted
| to interfere with their licensing scheme with Netflix.
| yjftsjthsd-h wrote:
| > Exactly. Is there anyone whose primary use case for a
| personal VPN is not "Geofence bypass for region-locked
| content"??
|
| Hi! /waves I use a VPN to stop my ISP from monitoring my
| traffic and selling my personal information. My VPN (usually)
| exits in the same "region" as my real location; I guess if I
| hit a geoblock I could look at that, but it hasn't come up.
| aborsy wrote:
| You can set mullvad (which offers VPN service) as your DNS
| over https server. Traffic is also mostly encrypted by
| https. Your ISP still gets the destination IP addresses,
| though they are harder to track.
|
| Wouldn't that address your concern?
| SV_BubbleTime wrote:
| I think this is the old way of thinking about it.
|
| Skipping the broader discussion of AI, the ridiculous
| amount of automatic and human-impossible pattern
| matching and correlation with seemingly harmless data is
| something that I don't think we are equipped to fully
| comprehend.
|
| The time at which I hit some meta CDN, seems harmless.
| Until combined with some cookie and some access time to
| some asset it uniquely identifies me to previously
| anonymized data.
|
| So no, I do not think HTTP and a good DNS are enough.
| hnlmorg wrote:
| IP addresses and host names (as defined in SNI).
|
| https://en.m.wikipedia.org/wiki/Server_Name_Indication
| yjftsjthsd-h wrote:
| No; until Encrypted Client Hello is ubiquitous HTTPS
| still has domains in cleartext. Also, I don't think we
| should be casually dismissing tracking by IP addresses.
| dec0dedab0de wrote:
| _Hi! /waves I use a VPN to stop my ISP from monitoring my
| traffic and selling my personal information._
|
| But then how do you stop your VPN company from doing the
| same? You essentially have two ISPs now.
| yjftsjthsd-h wrote:
| If the local ISP has a 100% chance of monetizing my data
| and the VPN provider has anything less than that, then
| it's still a win.
|
| (Longer answer: This boils down to the weighted
| probabilities; if the ISP was meaningfully regulated such
| that it was legally restricted from doing certain things
| with my data, that might matter, and one should also play
| in the exact likelihood that either party is selling my
| data. In my case the weighted probability is wildly in
| favor of a VPN, but I suppose I can imagine situations
| where that wouldn't hold.)
| jddj wrote:
| I VPN to a $5 vps in a distant country. I kill and
| move/re-up it once or twice a year.
|
| They probably could sell my traffic, but I estimate it
| (based on vibes) as being less likely than for most other
| intermediaries
| blackeyeblitzar wrote:
| It's their business (value proposition) to not do the
| same and most explicitly commit to that. They also get
| third party audits and publish results. This isn't foolproof
| but it's better than trusting Comcast or ATT or
| whoever.
| stouset wrote:
| You're just trading your ISP for a different third-party
| who has all the same incentives.
| chuckadams wrote:
| Sir I would have you know that I participate in no such
| illicit tomfoolery. My VPN use is strictly for torrenting
| pirated content!
| cjk2 wrote:
| I reckon the majority of VPN sales are actually people being
| bombarded by adverts and sponsorships for VPNs and think that
| is actually of benefit. I am _constantly_ bombarded by
| questions on which VPN product to use from people who are
| even unaware you can steal content.
|
| _" Are you downloading films from anywhere?"_
|
| _" Huh what from Disney Plus?"_
| jonathantf2 wrote:
| My dad used to complain that he couldn't get on certain
| websites, got CAPTCHAs a lot more than he used to and often
| prices came up in US dollars on his computer, turns out he
| paid for a 3y plan to NordVPN and had it start on start up on
| his computer.
|
| He can barely work the Sky box never mind stream stuff from
| the internet, he got duped into thinking it would make him
| "safer" when in reality it just makes using the internet a
| lot harder as everyone flags your traffic as malicious based
| on the datacentre IP.
| username135 wrote:
| Why is your assumption that VPN traffic is being blocked
| because it's malicious?
| csours wrote:
| If you read carefully, you may see that they did not say
| that "VPN traffic is being blocked because it's
| malicious"
| SkyPuncher wrote:
| Because it absolutely is.
|
| I occasionally fire up Mullvad when I'm on the go. I get
| blocked way more often when I use it
| hsbauauvhabzb wrote:
| Because people run crawlers and perform illegal activity,
| and/or because 'security companies' sell the IP lists as
| low reputation potentially malicious IPs?
| xmodem wrote:
| Anyone who has browsed through one of these personal VPN
| services - or even a DIY VPN from a datacentre IP - for
| more than about 10 minutes will have experienced the
| increase in captchas.
| BrandoElFollito wrote:
| Torrenting and buying a service cheaper are two examples.
| blackeyeblitzar wrote:
| Yes, lots of people have other primary use cases? Why is that
| even a surprise?
|
| VPN companies are more trustworthy than my ISP. Many get
| third party audits and publish results. And if the VPN
| company and server are in a privacy friendly country, they
| are hard to subpoena. Individual privacy being the default is
| itself valuable.
|
| This is leaving aside numerous other reasons like avoiding
| censorship or persecution or whatever.
| hn_throwaway_99 wrote:
| Yes, I was using a bit of hyperbole.
|
| But that said, on this point I do agree with the author:
| privacy improvements from using a VPN are marginal for the
| average user due to the now widespread use of HTTPS. Yes,
| your ISP can see _which_ domains you visit, but that's
| about it. I'm curious if there have been any successful
| lawsuits or prosecutions based solely on domain access
| logs.
| RajT88 wrote:
| Unless you're using DNS over HTTPS or DNS over TLS. Then
| they can't.
|
| Side question: Anyone know of a gateway or self-host
| service which supports DNS over HTTPS relay?
|
| i.e. it will accept vanilla DNS requests, but if it needs
| to forward requests, it will only do so to DoH / DoT
| servers?
| pgraf wrote:
| They can still deduce it from the TLS SNI unless the web
| server you access supports TLS 1.3 Encrypted Client
| Hello.
| https://en.m.wikipedia.org/wiki/Server_Name_Indication
| jachee wrote:
| I do that with pihole.
| Kwpolska wrote:
| I absolutely despise my ISP's business arm, but I trust
| their network arm not to do something stupid. I certainly
| trust them more than a company in a remote tax haven with a
| broken legal system.
| nickburns wrote:
| Sweden and Switzerland are hardly 'remote tax havens with
| broken legal systems.' You don't actually prefer your
| ISP's DNS service over something like say, Quad9's, do
| you?
| superkuh wrote:
| My ISP Comcast (sometimes called Xfinity) has regularly done
| MITM attacks that inject javascript into web pages since
| 2013. Surfing the web without tunneling my connection is
| unacceptable with an ISP that commits CFAA crimes like this.
| It is a valid use case for a VPN or VPS tunnel for the 30
| million of us stuck with a comcast monopoly.
| barfbagginus wrote:
| I am old fashioned. So I would use a VPN if I want to prevent
| my landlord from getting a cease and desist letter from a
| lawyer when I download warez. Mostly audio books, and
| textbooks, but also movies and music.
|
| Ie, it's the use case where you Pirate all the media, and use
| a VPN as a security bandaid against anti-post-scarcity
| busybodies.
| ldjb wrote:
| Piracy is also listed under the "When to use a personal
| VPN?" heading.
| g4zj wrote:
| It is, but I believe the comment you replied to was in
| response to this line.
|
| > Is there anyone whose primary use case for a personal
| VPN is not "Geofence bypass for region-locked content"??
| cyanydeez wrote:
| ...piracy
| snapplebobapple wrote:
| My primary use case for a vpn is I don't trust people on my
| guest network and don't want their traffic looking like it is
| coming from an ip associated with me. I am not protecting
| against 3 letter agency levels of surveillance so I don't need
| the extra benefit and slowness of tor, I just need to move
| that traffic to a different jurisdiction to complicate things
| enough that people don't bother to figure out it came from my
| network on the off chance that someone I let on my guest
| network does something untoward.
|
| does that count?
| theginger wrote:
| That's a valid privacy concern. But is a VPN service a good
| solution? Certainly not if you are on a shared IP with the
| VPN. I know you can get some with a dedicated IP, but with
| most VPN providers it is still probably coming out of a
| cesspool of ips that you don't want any kind of association
| to.
| mbesto wrote:
| Except that use-case doesn't even work because any service
| worth a salt just blocks the VPN's IP addresses. For example:
| US citizen living in US goes to the UK and uses VPN service
| to watch US-based netflix. Netflix blocks this.
| Mountain_Skies wrote:
| I felt stupid when someone told me what the 'roses in a glass'
| tubes that were sold in convenience stores were really used
| for, but I guess it never occurred to me that crack pipes would
| be something these places would want to be associated with. At
| least it restored my faith in romantic gestures a bit to know
| people weren't buying them as a token of love.
| ssl-3 wrote:
| The bodega sells whatever people want to buy, as long as it
| doesn't get the bodega in trouble for doing so.
|
| Beer, wine, booze, tobacco, and vapes are obvious, but things
| like cough medicine (dextromethorphan), diarrhea pills
| (loperamide), little roses in neat glass tubes, and air
| dusters (let's kill some brain cells!) are perhaps less-
| obvious.
|
| The bodega wants to be associated with being the place where
| a person can stop in and buy _anything_, from a can of soup
| to a pair of pants.
| BrandoElFollito wrote:
| What's the deal with loperamide?
|
| I once asked why levothyrox, a drug to compensate a dying
| thyroid, is so regulated (at least in France). It's not
| like it's psychotic or something, it is just a hormone.
| Turns out people were buying it expecting weight loss...
|
| It's because of such idiots that people whose life is
| already complicated gets it even more.
| madog wrote:
| https://en.wikipedia.org/wiki/Loperamide#Off-label/unapprove...
|
| News to me as well
| fny wrote:
| NYC has Mullvad ads plastered everywhere. They bill themselves
| as protection from corporate surveillance. This is not wink-
| wink advertising. It's an attempt to swindle somewhat tech
| literate people through a lie.
|
| Sure you and everyone else on HN know what a VPN is for, but
| that's not the case for 97% of the people on a subway car who
| see their latest campaign.
| bayindirh wrote:
| Funny thing is, in my most recent trip, hotel's wireless
| network information contained a note which can be summarized as
| follows:
|
| "Our hotel uses unencrypted wifi, so if you want any kind of
| privacy on hotel network, please use a VPN, kthxbye."
| toast0 wrote:
| I've never seen a whole lot of value in personal VPNs; it's
| basically trading one network that can observe you for another.
| Often with unverifiable claims about not observing you.
|
| But, it can be helpful to trade one network's routes for another,
| in cases where direct routing between you and your desired peers
| is poor for whatever reason. And it's clearly useful for
| circumventing geographic restrictions (as long as those imposing
| the restrictions don't care to identify and restrict access
| through VPNs)
| ls612 wrote:
| Mullvad and Proton at least have had their no logs policies
| court tested so I believe their claims.
| mmsc wrote:
| In general I agree about it not providing security benefit, but
| they can reduce the exposure of eavesdropping like DNS leaking
| browsing patterns, and so on. Sure, you're now leaking your DNS
| traffic to the VPN server, but in my opinion it's better to leak
| that to somewhere external than somewhere close by (e.g. to
| companies or individuals directly related to your network that
| will use it for monitoring and monetisation)
|
| https downgrade attacks and the like (html injection on http
| pages) can also be thwarted (unless they are done on the
| vpn->service path ofc),
| al_borland wrote:
| Wouldn't switching to something like Cloudflare's 1.1.1.1 DNS
| mostly solve the DNS issue without going the VPN route? The
| user's DNS provider would no longer be their ISP.
| mschuster91 wrote:
| > The user's DNS provider would no longer be their ISP.
|
| Only if the ISP doesn't do DPI to transparently route any
| outgoing DNS traffic to their (censoring) servers. There have
| been enough cases of that.
| yjftsjthsd-h wrote:
| Does that work anymore with DNS over HTTPS? I think the
| real leak is that until we get Encrypted Client Hello your
| HTTPS connections expose the domain in plaintext so DNS is
| kind of a moot point.
| CPLX wrote:
| It's not that deep. People want to download shit and watch
| Netflix
| pyrolistical wrote:
| The author calls it snake oil then lists legitimate reasons to
| use a VPN at the end
| tensor wrote:
| No better way to get traffic than rage baiting I guess.
| lionkor wrote:
| Say I sell snake oil, and I say it will cure cancer. Then Peter
| comes and buys it because he lubricates his discumbulator
| machine with it. It has a legitimate use, and maybe I even know
| that, but I still sell it as a cancer cure (which it isn't).
| It's still snake oil.
| kelsey98765431 wrote:
| Argument is based on the assumption that "probably only one
| percent of users correctly use a kill switch", and in general
| shows a low level of understanding of threat models and the swiss
| cheese security model. Author assumes to know the intentions of
| VPN users and asserts users are dumb, also throwing unnecessary
| barbs at "wannabe hackers". Unprofessional article, bad advice,
| no differentiation between nonlogging services and services like
| nordvpn that bundle google analytics and tracking into their
| application.
|
| My take? Do a threat assessment, build a threat model, know your
| adversary be it your own ISP selling your data or protection
| against hostile state entities when traveling overseas. There are
| many valid uses for the various types of commercial VPN and
| instead of an objective look at these services the author walks
| in with an assumption that they are all the same and never
| provide value to their customers, then bends over backwards to
| attempt to make weak arguments against a vast category of
| service.
| rfl890 wrote:
| Yep, HN is definitely not the article's target audience.
| blablabla123 wrote:
| I think this is one of the biggest misunderstandings about
| security that there's one linear scale and that every solution
| can be assigned a generic positive/negative delta on that.
| datadrivenangel wrote:
| Author is correct that TOR has better privacy than a better VPN
| because TOR means you are truly anonymous (assuming the network
| is not majority compromised).
|
| However, bandwidth and latency on TOR suck, and in many cases the
| endpoint IPs are blacklisted to hell due to abuse. A VPN is a
| nice middle ground where you can put another entity between
| yourself and your traffic, which is valuable against most
| opportunist adversaries. If a TLA wants me and can get a warrant,
| not even TOR will save me, but a VPN keeps the ISP from selling
| my traffic and the media trolls from sending me grumpy letters
| because the neighbors keep using my wifi to watch free content.
| bsza wrote:
| > assuming the network is not majority compromised
|
| There is no such guarantee AFAIK, as long as a bad actor
| controls all the nodes in YOUR route, they can deanonymize you.
| malfist wrote:
| Everyone is pointing out that the article shoots itself in the
| foot by giving three very good reasons for VPNs and dismissing
| them. But I think there's a fourth reason that isn't mentioned:
|
| The US doesn't have reasonable privacy laws and I don't trust my
| VPN to not sell my browsing history to anybody with two pennies
| to rub together.
|
| Yeah, I can (and do) use DNS over HTTP, but the ISP still knows
| what IPs I am connecting to. It's trivial to find out what
| domains are hosted there.
| PlutoIsAPlanet wrote:
| An issue is that they're sold as a way to stop your ISP tracking
| what you're doing.
|
| But why would I trust a random company with this information over
| an ISP, who yes aren't always angels, but at least are somewhat
| accountable.
| moffkalast wrote:
| Furthermore, they use their VPN clients as proxies and sell
| access to their network to scrapers and botnetters. Usually the
| rule of thumb is that if you're not paying, you're the product,
| but in this case they manage to double dip. That's where the
| real funding comes from.
|
| https://oxylabs.io
| perplexa wrote:
| If they claim to be operating an ethical service one more
| time I might start to believe it.
| Ekaros wrote:
| It is really question do you trust your ISP or do you trust
| your VPN provider? And if you are doing something your state
| might have interest in. Well VPN options might also be
| questionable. Either in some adjacent state, or other ways
| scrupulous...
| SV_BubbleTime wrote:
| My ISP is Comcast and my VPN is Mullvad.
|
| Guess.
| sss111 wrote:
| Mullvad and it's not even close haha
| gruez wrote:
| >But why would I trust a random company with this information
| over an ISP, who yes aren't always angels, but at least are
| somewhat accountable.
|
| ISPs often have captive markets and have enough political sway
| to grant them said captive markets. VPN companies have none of
| that, and live or die based on their reputation, so they
| arguably have more of an incentive to behave well. Meanwhile
| some ISPs have even admitted to selling your traffic for
| marketing purposes or are forced by the government to keep
| records. There's plenty of shady VPN companies out there, and
| not all ISPs are scummy and sell your info, but there's quite a
| bit of range between the scummiest ISP and the best VPN, and
| for a subset of people using VPNs definitely makes sense.
| deno wrote:
| 1) You can choose where in the world your traffic exits. 2) You
| can switch your VPN provider or even use/stack multiple and
| it's easier than changing ISPs which encourages innovation. 3)
| ISPs and VPNs are regulated differently. In many if not most
| countries ISPs have to log and store certain PII.
| diego_moita wrote:
| A lot of people have VPNs for single temporary reasons.
|
| * In the Bible Belt (a.k.a. Christianstan) and some Muslim
| countries it is to access porn.
|
| * In Canada and Mexico it is about accessing what Netflix doesn't
| provide to their countries.
|
| * In hybrid offices it is about the second job that they do
| remote and hidden.
|
| They want something simple for a couple of months and then just
| discard it. VPNs are good for that.
| BrandoElFollito wrote:
| There are some states in the US that restrict access to porn?
| wishfish wrote:
| Yes. Via the new age verification laws which require any site
| with a considerable amount of 18+ content to verify their
| users are 18+. This has passed in a few states. Leading
| Pornhub, and some other porn sites, to block access from
| those states.
|
| The age verification laws are written pretty broadly and
| could be used to target a wide variety of content. Not just
| porn. Anything the state deems 18+ would require age
| verification.
|
| These laws are facing some court challenges. If we're lucky,
| the laws will not survive.
| ementally wrote:
| Author linked to privacytools.io.
|
| >even better, a browser built with privacy in mind
|
| which is full of VPN ads https://www.privacytools.io/privacy-vpn.
| Browse https://www.privacyguides.org/en/vpn/ better.
| pompino wrote:
| VPN or not, the biggest MiTM threat to privacy on the web is
| Google. They may not be actively malicious and steal your bank
| info, or do other nefarious stuff, but they will always oppose
| end-end encryption. Google's stance is to lock out the
| competition under the guise of "protecting" users, so only they
| can spy on user data.
| shoaki wrote:
| Although I agree with the overall message, there are privacy
| concerns with OCSP[1] which are mitigated by using a VPN. When
| trying to use the web privacy conscious, it might actually be
| beneficial to your privacy. This is a very edge case though.
|
| [1]
| https://en.wikipedia.org/wiki/Online_Certificate_Status_Prot...
| TZubiri wrote:
| Fuck that is a good domain name
| FireBeyond wrote:
| Back in the 90s, early 2000s, in Australia, there was an ISP
| called Dot, IIRC.
|
| In an attempt to be edgy, their website was at:
|
| triplew.dot.net.au
|
| "triple w dot dot dot net dot au"
| rwiggins wrote:
| There's a fourth use-case: occasionally, gaming.
|
| I play Final Fantasy XIV, an MMORPG - apparently, supposedly, the
| peering connection between AT&T and FFXIV's US ISP (NTT) was
| particularly bad. [1]
|
| This manifested as pretty severe connection issues for AT&T
| customers playing FFXIV. Except, it was a chronic issue that
| would only flare up when that particular connection point was
| stressed.
|
| One of the easiest workarounds? Hop on a VPN.
|
| That's one example. Anecdotally, I have a few friends that toggle
| VPNs on and off when they encounter "network weather" in games.
| Personally, I'm a bit skeptical they're truly so often mitigating
| problems by toggling a VPN (instead of, say, just waiting a
| couple minutes), but hey, they swear by it.
|
| [1]: https://forum.square-enix.com/ffxiv/threads/482155-Bad-
| lag-a...
| iambateman wrote:
| It's true that their privacy promises are dubious...but they're
| great for IP switching.
|
| I run a low-volume scraper which benefits a ton from keeping the
| IP address fresh.
|
| So I guess, in a sense, I'm grateful that enough people are
| paying for ~nothing to make the service pretty great.
| netfortius wrote:
| Try to travel the world and access financial or governmental
| institutions, then tell me about usefulness / uselessness of VPN.
| gruez wrote:
| It's baffling that banks/governments that do geoip based risk
| assessments (ie. the ones that would lock your account if you
| tried logging in from a random country) wouldn't flag logins
| from a VPN/datacenter IP. Those basically tell you nothing
| about where the user is actually logging in from, and they
| should therefore treat them as if you're logging in from a
| random country.
| zaroth wrote:
| Digital Ocean droplet and Tailscale?
| shoaki wrote:
| The author specifically excludes "Company VPNs" and VPNs to
| "phone into your home network" from the scope of the article.
| gruez wrote:
| The "DIY VPN" is worse for 3 reasons:
|
| 1. it's more expensive than commercial VPNs, which you can
| often get for <$3/month, or even less with promos/cashback
| sites
|
| 2. you're limited to one region, which means you can't use it
| as effectively for geoblock evasion purposes.
|
| 3. you get less anonymity because you get a static ip that's
| assigned to you only, as opposed to a commercial VPN provider
| where you can connect to hundreds/thousands of servers each of
| which are used by probably hundreds of users.
| coppsilgold wrote:
| If a VPN provider doesn't keep logs and if their routes to you
| are not being tapped for packet timing correlation then they
| are superior in privacy to DIY VPNs due to them laundering your
| connections/packets with multiple other people.
| zoklet-enjoyer wrote:
| I need a VPN to do a lot of stuff with crypto now because
| websites are blocking Americans. $5 a month and having to use it
| is annoying, but I'd have missed out on thousands of dollars of
| income if I wasn't using one.
| mschuster91 wrote:
| There is a fourth use case for VPNs: evading traffic shaping and
| censorship on public wifi hotspots. Many hotels block not just
| porn sites but also legitimate news pages (e.g. Torrentfreak),
| and most drastically throttle YouTube, Netflix and other
| streaming-heavy sites.
|
| A fifth use case is related: evading bad peering. Deutsche
| Telekom was infamous for years to "double dip", i.e. requiring
| that other (backbone/regional) ISPs pay them for peering, and so
| DTAG customers that tried to access Hetzner servers were
| throttled as the Hetzner-Telekom link got saturated in the peak
| traffic times.
|
| [1] https://www.golem.de/news/hetzner-und-netzneutralitaet-
| extra...
| oynqr wrote:
| The link to AWS was/is really bad as well, since that has to go
| through Telia.
| mschuster91 wrote:
| For real, _this_ is the only case where I wouldn't mind AWS
| to actually use their market size firepower. Throttle all of
| DTAG on a single 1 GBit/s link and tell them, either you peer
| with us for free like everyone else, or you'll have to deal
| with annoyed users.
| pelasaco wrote:
| My use case:
|
| - In Hotel, Airport. VPN can be used to bypass DNS based captive
| portal.
|
| - Yes true hopefully all website are encrypted with ssl, but
| still an attacker can easily fingerprint me through my internet
| usage, even though everything is ssl, there are still a lot of
| plain-text data flying around. So yeah, ProtonVPN, ftw.
| gruez wrote:
| >Yes true hopefully all website are encrypted with ssl, but
| still an attacker can easily fingerprint me through my internet
| usage
|
| So an "attacker" can figure out that you browse hacker news.
| Who cares?
| blackeyeblitzar wrote:
| I care, and my feeling is that more people do each day as
| they become aware of how tracked they are. Why does anyone
| need to know anything about me - it feels like a violation.
| There are all sorts of possible costs to that, but I think
| many of us value privacy on its own.
|
| But as for an attacker - maybe they discover something about
| you from one compromised service and correlate it to
| something else. Or maybe they extort you in some way. Who
| knows - there are many possibilities and it's safer to reduce
| exposure.
| yjftsjthsd-h wrote:
| Yeah, no.
|
| > OK, but what about my DNS and TLS records being exposed to
| everyone so they can follow what I am doing? In a public place,
| anyone can look at your display already. Or, if you are worried
| about your ISP selling your traffic data, there are better
| options for you. Use DNS over HTTPS, for example. You have to use
| a VPN provider you trust better than your ISP/Wi-Fi provider.
| Also, as Encrypted Client Hello is about to start soon, it will
| be exponentially harder for eavesdroppers to figure out which
| sites you are trying to visit.
|
| Encrypting DNS is a nice start, but the ISP can still see the IPs
| you're connecting to, which is enough for a lot of sites, and
| Encrypted Client Hello is _about to start soon_ is a lot of words
| to say "today, your ISP can see the domain on every HTTPS
| connection you make". So no, distrusting my ISP is _absolutely_ a
| compelling reason to use a VPN. (And lest you say "but do they
| actually spy on you?", I literally got a letter from AT&T
| informing me that they were going to start monetizing information
| mined from my connections.)
|
| > But if you care about privacy, the answer is always ToR, ToR
| browser or Tails, and never VPN. Except in cases where you first
| have to hide your ToR usage using a VPN, which is a rare
| exception among users. If you don't understand why you would need
| that, you probably don't need that complexity. Tor Browser uses
| uncountable techniques that prevent tracking your browser. And if
| your privacy is essential against local Wi-Fi attackers, your
| ISP, why is the ad industry not in scope? Adblockers are only
| half the solution against tracking.
|
| I mean, yeah I also use uBlock, but TOR makes harsher tradeoffs
| than are necessarily needed (multiple hops is really safe but
| also really slow). I'm _just_ hiding from my ISP's prying eyes;
| I explicitly don't include the NSA in my threat models and lesser
| methods are Good Enough(tm) for websites tracking me.
| woofcat wrote:
| ECH is not starting soon. CloudFlare haven't rolled it out to
| everyone and good luck finding a constant setup for it.
|
| There are some experimental servers for it, but basically not
| supported anywhere.
| healsdata wrote:
| The article appears to be written by a technical person who
| doesn't understand (or want to acknowledge) how bad end-users can
| be at security. We're still trying to get users to not reuse
| passwords on multiple sites and not click on links in SMS
| messages. Meanwhile, the author is suggesting you contact every
| website you use and ask them to add HSTS.
|
| Some end-users need straight forward advice like "Use a password
| manager" or "Use a non-free VPN on open WiFi connections". The
| rest is going to get thrown out with the bathwater.
| wmf wrote:
| For people with bad security practices... VPNs still have
| virtually no benefit.
| VeejayRampay wrote:
| I wanted to use one to watch Gardener's World from the BBC and it
| doesn't even work (I'm in France and the program is UK-only for a
| reason that no one really understands)
|
| same goes for watching Netflix from other countries, VPN are
| basically useless
| miki123211 wrote:
| I'd add:
|
| 4. Making all your traffic look "neutral" to your ISP, in places
| (think corporate / college campuses, cellular data, hotels and
| boarding schools, not countries) where net neutrality isn't
| enforced and certain traffic (most often torrenting, video
| streaming and/or gaming) is deprioritized. I guess this could be
| classified as blocking or censorship, but deserves a separate
| category IMO.
|
| 5. Places where the networking hardware messes about with your
| data. I've seen places that would add their own iframes to
| unencrypted HTML content, which broke some software because their
| algorithms to detect what was HTML weren't very good.
| diebeforei485 wrote:
| Some college campuses (like the University of Texas system) block
| tiktok on wifi, so people are using VPN. (They could use cellular
| data instead, but that is often slower than campus wifi with
| VPN).
| aborsy wrote:
| Wouldn't a VPN help protect against a targeted attack? Like an
| attacker could push bad JavaScript or app update to the user of a
| particular IP address. On DNS, it's plaintext by default, and
| almost always not signed via DNSSEC. Such user could slightly
| benefit from a VPN from a security perspective.
|
| VPNs also usually do ad blocking, and some limited malware
| scanning.
|
| On privacy, there are many situations where a private IP address
| may be desirable, some of which are mentioned in this post. VPN hides
| the traffic from the ISP, but also the user from the destination.
| On the latter, for instance, the websites could log IPs and that
| information could be sold or leak in the future.
| privacyking wrote:
| In my country ISPs are legally required to store metadata for all
| traffic so using a VPN protects me from that
| rbut wrote:
| Yes in AU this, and so websites don't know my real IP, are the
| only reasons I use a VPN.
|
| I don't ever do anything illegal, I just don't like being
| tracked.
| pg5 wrote:
| Plex does not work for me on my AT&T fiber - some peering issue
| (or intentional throttling?!) that makes movies fail to playback
| 50% of the time as if I'm on dialup or something.
|
| Got a cheap VPN to get around the issue and it works perfectly.
| sedatk wrote:
| Yes, AT&T throttles Plex traffic. I don't know if they could if
| FCC hadn't killed Net Neutrality.
| bazil376 wrote:
| Heartened to see that porn consumption is one of the few
| recommended use cases for a personal VPN
| yegor wrote:
| I run a commercial VPN service (Windscribe). Here are my thoughts
| on this.
|
| At its core, a basic VPN is a trust shift service, nothing more.
| Do you trust your ISP less than some anonymous shell company
| owned by Siberian forest dwellers? In many cases, the answer is
| no.
|
| That being said, depending on where you are and if you choose the
| "right" VPN, the answer could be yes. Here are some reasons why
| you may want to use a good commercial VPN, which goes beyond just
| the ability to tunnel your traffic through a remote endpoint:
|
| - You are in Russia, China, Iran or other countries with heavily
| censored Internet. Over 3 billion people live in such places, or
| nearly 50% of the world's population.
|
| - If you don't live in such places, laws in certain US states
| criminalize certain behaviors. This will only get worse, even in
| "western democracies". Using a quality VPN service is much better
| than barebacking the Internet.
|
| - You want your traffic to be "lost in the crowd", something you
| cannot achieve with your Digital Ocean droplet, no matter how
| well you configure it. Changing your IP does absolutely nothing,
| save a few exceptions (piracy, or keeping an alter ego if your
| opsec is good)
|
| - Additional features: server side DNS filtering / blocking. Yes
| you can use uBlock origin, but not on mobile, and not outside the
| browser. Yes you can run Pi-Hole, and setup WG tunnels to your
| homelab. 99% of people won't.
|
| - Advanced features: Companion browser extensions that block ads,
| trackers, malicious domains, mess with your browser settings to
| reduce chances of fingerprinting. Yes you can install 5+
| different extensions to do that. Most people won't.
|
| TLDR; If you're an elite haxor, you can do everything yourself.
| You will spend time, and money doing so. Most people will not
| bother or not be able to do these things, and a quality
| commercial VPN service can check a lot of the boxes I mentioned
| above. Just avoid the ones that advertise heavily, those are
| marketing / snakeoil sales companies, as the author suggested.
| croemer wrote:
| I use speedify to channel bond wifi and mobile when the wifi is
| not super reliable. It works great when walking around outside
| and eduroam works for 20m at a time.
___________________________________________________________________
(page generated 2024-04-14 23:01 UTC)