NordVPN disables features when you turn off auto-renew (reddit.com)
427 points by decrypt on Feb 6, 2021 | 229 comments


Honestly, nothing holds up to Mullvad [1]. They don't even take an email address while creating accounts, and you can pay easily with Bitcoin or even with cash mailed to them.

I'm not affiliated, just a very happy customer.

Mullvad is also who Mozilla trusts for the Mozilla VPN [2]. You can sign up with that if you'd like Mozilla to get a cut.

[1]: https://mullvad.net/
[2]: https://vpn.mozilla.org/


Have massive respect for all the open source code Mullvad pumps out.

https://github.com/mullvad

Don't use their service but they do really come across as one of the most trustworthy out there. Have a ProtonVPN account for getting around a geoblock once in a blue moon, personally don't have much use for commercial VPNs.


"Honestly, nothing holds up to ... (VPN provider)"

If you're serious you send a machine, that you own, to a colo provider and you register for service with a corporate entity that you created for just that purpose.

Your name exists nowhere and ... regulatory inquiries are directed to your corporate contact email.

Or, if you feel like that's a heavy burden and you don't attach any value to the physical machine (some old 1U, right?) then you can just sign up under an assumed corporate name with some colo provider that doesn't care that it is, or is not, an actual corporation and you can pay with your non-AMEX credit card[1] using whatever Mickey Mouse name you feel like.

Trust me - it won't take long to find someone who will take your money.[2]

[1] Only AMEX validates First Last ...

[2] https://www.lowendtalk.com/


For practical purposes the only people who can penetrate a simple vpn service are potentially a government order to start recording your traffic that is legal based on jurisdiction or a dedicated hacker.

It looks to me that NEITHER would be prevented by you using a colocated machine. It's not like your colocation provider is incapable of compromising you and probably would if ordered to do so in a jurisdiction where this act would be legal.

A hacker presumably isn't concerned about whether they are attacking a machine on your desk or in Nebraska.

Over a 5 year time frame your colocated machine would presumably run you between $6600 and $19000 and would have bought you zero additional privacy compared to paying $360 for a vpn in the same jurisdiction.


These guys say they'll colo a raspberry pi for $9 a month: https://www.endoffice.com/picolo.html


That is pretty neat.


Still almost twice the price though....


The problem is more that a commercial VPN changes the threat model from an individual one to a collective one.

Very likely, no one cares about me enough to put effort towards specifically monitoring or hijacking my internet traffic.

However, someone puts out a shingle as NordVPN or Mullvad or whatever else, and starts advertising VPN services to the world.

That VPN provider has a finite number of endpoints / egress nodes, and those become a very high value target. Now my threat model has to include not just targeted attacks at me, but general attacks on the VPN provider.

An analogy would be, if you have 1 million dollars worth of real-world valuables (artwork, say), it's better to store it in a nondescript warehouse than a warehouse with a neon billboard out front that says "BOB'S HIGH-SECURITY WAREHOUSE FOR EXPENSIVE VALUABLES". The latter is painting a giant target on itself for anyone interested in stealing stuff.


I think the analogy fails because that valuable isn't a good that is simply retained or lost. If your VPN usage for example is downloading movies, the fact that Bob the hacker knows you downloaded Inception isn't very worrisome. Likewise with keeping your personal traffic personal instead of having it show up on your boss's network: who cares if Bob has it.

If the vpn provider doesn't keep any logs your total exposure is that they may start collecting logs of traffic for the duration during which they are compromised. If they are attentive and competent this either will never happen or it will be for a short duration. Again this breaks the example of valuables in storage.

In fact a VPS or indeed any host actually has the same problem you describe in that a host is a bigger target than you and therefore more valuable.

On the other hand, for most people the differential in know-how between you and professionals is probably sufficiently useful that you are less likely to get hacked with them than on your own. After all, nobody has to actually target you in particular; they can look for vulnerable hosts in an automated fashion.

I don't think you have provided any substantial argument for most commercial VPN users to switch. I feel like for most threat models it's a more than acceptable tool.


If you're serious, you use tor.

If you just want to torrent the last season of Game of Thrones (why would you?) then a reasonably reputable no-log VPN service will probably do a perfectly fine job.

If you want to access non-https websites from coffee shops, buy a $5/mo vps from amazon/prgmr/digitalocean/whomever and tunnel through it.

I don't see a situation in which the dedicated colocated hardware is the right choice.


If you're super super serious, can you even trust Tor? I personally give it a better than 50% chance that some consortium of governments controls the majority of Tor exit points but won't reveal it for small cases so as not to reveal this trick.


> some consortium of governments control the majority of tor exit points

Probably yes, but it does not necessarily break your anonymity for https websites.


I find Tor is usually just fine for coffee shop browsing. I went to a couple that blocked it one way or another though. Most are no issue.


Yes but tor is slow, making it slightly less practical than the tunnel through the VPS. It also doesn't hide your traffic from the exit nodes, who may be less trustworthy than a VPS provider if you are doing strictly legal things.

(On the other hand, if you want to perform a public service, using tor is a good way of masking the traffic of people who actually want to use it to disseminate sensitive information.)


The premise of Tor is exactly that you need not trust any of the nodes. The only exception being, all of the nodes in your path being controlled by the same entity. But an exit node knowing that an anonymous user has an encrypted connection to a specific site is usually not a privacy concern.


I said:

> non-https websites from coffee shops

If the website you are accessing is unencrypted then the exit node knows the entirety of your communication with it. (It doesn't know your IP; but small consolation. You're still vulnerable e.g. to injection.)


This is far less anonymous than sending cash in the mail to Mullvad. There is a paper trail leading back to you when you register the corporate entity.


From a security perspective, this is equivalent to renting a dedicated server. Once it leaves your possession, it isn't really "your hardware" anymore from a data security standpoint.

Also, as others have pointed out, all you have to do is sniff the traffic going in to the machine, something both the colo and ISP and upstreams are trivially able to do to obtain your residential or GSM IP, linked to your name/identity.

This is bad advice. Mullvad is like five bucks and offers equivalent privacy.


I think it's at least conceptually possible to pre-load a machine with software that doesn't pass any plaintext between you and it, and which the software image can't be modified without you knowing it.

I don't know about obscuring the fact of the connection between you and it though. Tor isn't enough by itself.


> which the software image can't be modified without you knowing it.

Nah. If you're worried about the kind of attacks that necessitate sending your own hardware, then, regardless of who owns title to the device, the firmware being replaced to snoop on or alter what is actually in RAM is in-bounds.

There are lots of ways of hiding persistence on a system, and decades of research along these lines. Once it leaves your possession, there's not much you can do to ensure that it still has unmodified code on it (assuming standard PC hardware).

Really though this isn't the threat model at all for someone who just wants to use a VPN, I only went there because the comment senselessly advised shipping your own hardware to the colo. That's the same privacy as using the colo-owned machine, which, for a VPN, is the same privacy as using a generic $5/mo VPN service, as in all cases the upstream can be trivially monitored (even in the case where it's your own, tamper-evident HSM-whatever remote attestation hardware).


Then why can't the entire FBI break in to an ordinary iPhone, except by virtue of finding errors in implementation rather than the fundamental invalidity of the concept of secure hardware?

Why don't they just desolder the cpu and wire up an emulator and laugh at all those secure enclaves and encryption?


That whole thing was farce; the FBI got the unencrypted backup data from Apple. iCloud Backup is on by default for every iPhone, and is effectively unencrypted, and sends pretty much the entirety of the device's data to Apple every night when plugged in (using Apple keys).

Apple can decrypt the whole thing without any input from the user: they don't need their phone, they don't need their password, they don't need their keys.

The whole thing was a carefully orchestrated media dance designed to make it seem like the feds can't get the data off of iPhones. Not only do they have access to almost all of the data on almost every iPhone, they have access to it without a warrant or probable cause thanks to the FISA Amendments Act. Apple compromised over 30,000 accounts for the US government without a warrant in 2019, per Apple's own transparency report.


And with Mullvad you can just make a one-time payment of EUR 5.00 if you need to use it for 30 days. No auto-renew crap / commitment to long subscriptions to deal with.


Mullvad is the service that Firefox uses. I took that as an endorsement and tested them; it worked well (on Linux, which has a command line controller for a service that is installed) once you've got used to how it's set up. They seem to do anonymising thoroughly. IIRC you can even mail them cash.

Edit: I should say, I used their support email, they responded pretty quickly for a cheap service, offered a beta client and that fixed the issue (I'd actually tried the beta by the time I got the email back, but still).


I totally understand using a VPN service if you're trying to access the internet from another location, e.g. to get past the China firewall or get access to content from a different copyright jurisdiction.

However, I don't fully understand the privacy argument. It would seem to be that instead of handing over your entire DNS query history and unencrypted HTTP history to your own corporate IT department or the Starbucks Wi-Fi router, you're now handing over all that data to Mullvad. Are people okay with that?

I usually create my own VPNs. I realize that involves handing data over to AWS or whoever I use for my servers but I somehow feel slightly better about that than handing it over to some Mullvad dude.

Google tries to impose its VPN on Android too and my first instinct is: do I really want all my traffic going through Google?


> However, I don't fully understand the privacy argument. It would seem to be that instead of handing over your entire DNS query history and unencrypted HTTP history to your own corporate IT department or the Starbucks Wi-Fi router, you're now handing over all that data to Mullvad.

Well, you're of course right that the privacy argument for VPNs doesn't make a lot of sense. But there's a whole industry living from people believing it does, and ad partners of that industry willing to proclaim that VPNs are essential for your personal privacy.


VPN ads remind me of supplement ads.


The VPN providers promise not to keep logs. They go to different lengths to prove this claim to you.

If you do believe that, it's more private. If you don't, they still might have access to that data. Otherwise AWS or someone else will.

However, even so it will be more difficult for third parties to track you since you will generally not be assigned a dedicated IP address. You are probably NATed with a bunch of other customers from all over the world. If you set up a VPN in a VPS you'll most likely have a permanent public IP.

Personally, I believe that Mullvad is truthful about its privacy claims, but I'm not a customer.


Why do you think corporate IT or Starbucks or AWS is more trustworthy than "some Mullvad dude"? Isn't it possible that Mullvad is more trustworthy? Isn't it more possible to know about Mullvad than what's going on at Starbucks or AWS?


I don't consider corporate IT or Starbucks to be trustable.

AWS I would "trust" slightly more only because I get to implement the infrastructure and among the sea of trillions of requests they serve it would be a bit more of a challenge for them to figure out which of those requests are VPN browsing data and clean that data. I can also mildly obfuscate and pollute requests using their own infrastructure and make it hard for them to extract anything meaningful about me unless they really wanted to.

Basically AWS isn't already set up as a VPN service, so they'd have to put in a nonzero amount of time to extract, parse, collate, and analyze VPN logs, let alone figure out which instances among their billions are actually VPN instances, especially if I run a non-standard, modified protocol. Unless I was some Snowden-like target it's unlikely they would waste a couple weeks of engineer hours to wireshark and clean the data from my instances.

Mullvad on the other hand handles 100% VPN browsing data so if they unscrupulously keep logs, they would have clean logs to begin with, nicely organized by username, which is scary. They wrote the client and they control the protocol. They also rent their instances from various providers (the names of which they disclose on their website) and I could presumably just bypass them and rent an instance with one of those providers directly.


Why would AWS need to Wireshark your traffic? If law enforcement came to them with IP logs from some target machine, it's just a matter of looking at AWS outbound NAT logs to find your account.

Of course, either approach should work if the goal is merely to disassociate your traffic from your identity in order to keep marketing companies from knowing your interests. Your approach is more provably reliable, but some VPN providers do provide 3rd party audits and such, which seems a reasonable way to establish trust.


> I don't fully understand the privacy argument.

Hiding IPs while engaging in piracy.

Other than that, I think it's mainly geoblocking evasion, which might have overtaken piracy recently as the most popular reason for using a proxy service.

Any use where the slowness of tor is a dealbreaker, and where criminal liability is not so high that law enforcement will attempt to unmask proxy users in realtime.


The privacy argument simply hasn't stood the test of time. However, the first reason is still valid: some companies think they can segregate people based on their IP address, and VPNs offer a simple solution to that - even if it often doesn't work, and in many cases becomes a cat-and-mouse game with the service provider.


Personally if I'm going to hand over my history to someone, I'd rather it be anyone but Comcast.


This is my feeling too. Also, I know for a fact that my ISP would be watching me browse (thanks for nothing, Ajit Pai!), while a VPN at least promises not to. The uncertainty of whether they're telling the truth on that is still better than knowing 100% on the ISP side.


> However, I don't fully understand the privacy argument.

Yes, it's crap, and any techbro worth their salary should know this.

It's also incredibly annoying when VPN this and VPN that pops up on youtube.


I personally like the irony of VPN companies getting around adblockers by getting paid youtuber sponsorships.


Could you elaborate on this? How do you create your own VPN on aws (or any other server)?


I'd say it's probably worse privacy-wise; corporate IT or your ISP are at least accountable since you share the same jurisdiction. Some dodgy VPN company, which you should prefer to be overseas if your main objective is piracy, is much less accountable in regards to your data.


> I don't fully understand the privacy argument

It's mostly moot. In the days of HTTPS and DoH, they're essentially selling snake oil. It was a lot more useful in 2010.


Torrents and related traffic are still good to send over a VPN.

Also getting around some geoblocking.


It is interesting to me that the Mozilla option is cheaper. (5 USD vs 5 EUR)

Also it bugs me that there are 5 "Try" buttons on the Mozilla site before they even show you the price. To be fair it does show you the price on the credit card page after you log in but still feels a bit scummy to me. Mullvad puts it in your face above the fold.


The thing is, it costs >$5 per month. I pay $2 for NordVPN.

I'm not expecting privacy, I just want a way to occasionally geo-hop to other countries, for streaming video and to test if a problem is related to my IP/location or not. And occasionally to have some minimal level of protection in a coffee shop.


Ah great, we will all adapt to your use case and let nordvpn charge us for things they don't deliver unless we auto renew, since you are doing great!


I actually have auto-renew turned off fwiw. But I didn’t mean to disparage people who use other services.


You can't use any commercial VPN service and expect privacy. Those are only good for bypassing geographical restrictions. If you want privacy, buy a VDS and host your own VPN server. It'll cost about the same, and you can use it for other things at no additional cost.


Seems like it'd be easier to "unmask" someone's VPS account than figure out who someone is when they use a paid VPN service.

If you're worried about a government, your personal info from a VPS provider is just one court order away. If you use a VPN service that actually is serious about not keeping PII or logs, you might fare better there (they might be coerced to log future traffic of yours, but at least your prior activity is still secret).

If you're worried about ad tracking, a VPN just doesn't do you much good period: ad tracking is sophisticated enough to not care about your IP address.

But all of this "VPN for privacy" stuff is predicated on trusting faceless third-parties to help keep you safe, so it's generally a losing proposition. Agree that the only "safe" thing to use a commercial VPN for is to bypass geographical restrictions.


Every form of security has different threat models and appropriate countermeasures.

If you are trying to avoid your ISP knowing you are downloading movies a VPN is a good solution.

If you don't want others in the coffee shop to be able to snoop on remaining unencrypted HTTP traffic. VPN

If you don't want your employer to have a list of your web traffic from your personal device. VPN

If you don't want a service which you don't pay with a credit card to have a way to connect your pseudonym to your real name. VPN

If you want to opt out of some degree of dragnet surveillance/data collection via parties like your ISP. VPN

None of these are incredibly uncommon. VPSs work great for most scenarios. If your actions are dangerous to your continued existence or you need to keep your own government from watching you then you probably need to adopt far more stringent measures but I feel this is vastly less common than the above situations.


Perhaps it depends on the definition of privacy. Now your identity is tied to any and all traffic to/from that IP address for the duration of ownership.


The specific issue is the VPN provider harvesting data about your traffic and selling it.


I'm suggesting it's vastly greater effort to identify individuals in a VPN service than a VPS provider (shared vs dedicated tenancy).

If you're talking about bulk collection, then your ISP is probably already doing that.


If I use a public WLAN, a VPN like Mullvad is going to gain me privacy and security. Furthermore, I would get (for good or bad) "mixed" with the rest of the users (although in my case this does not apply as I use WireGuard to my home connection). If I use mobile, a VPN makes MITM more difficult.

If I pirate using a VPN in a country hostile to mine, the local RIAA/MPAA can't do anything. They probably already can't when VPN is in same country. A VPN doesn't stop a determined adversary, but if you worry about these you should probably use Tor or something like that, possibly without going back to clearnet.

While your stance is a good wake-up call, and perhaps a decent rule of thumb, the above are reasonable exemptions.


Except most providers worth their salt will require your credit card/PayPal for a subscription. This adds another potential loophole for de-anonymization. At least with Mullvad you can pay in crypto or even mail them cash. Though it all depends on what you want to achieve, I'd say a trusted VPN is much better than a VPS, esp. one located in the US or any of the Five Eyes countries.


Seconding Mullvad. Their service cannot be beat.


Does Mullvad allow me to connect using wireguard without pasting my private key into their website? Their website says the private key never leaves my browser and is only used to generate the configuration file, but all I really want to do is give them a public key and I suppose let them know which server I'll be connecting to. I can put together the config file by hand myself, thanks, I shouldn't need to ever copy the private key into my clipboard, let alone paste it into a browser.


Great Linux client, too!


Thanks this was the question in my mind. I use expressvpn which works fine but with the good feedback about mullvad here, want to check them out.


How do they take bitcoin? I’ve seen various invoicing systems that completely break in Tor+JS and in all noJS environments.

If they shoehorned BitPay in, it's probably not tapping into the utility of having bitcoin payment options.

I like paying invoices with Monero over Tor, while the merchant receives bitcoin that a third party pushed to them. I’ve been doing that for at least half a decade.

But if I can’t access their invoice they just lose a customer.


They show you a BTC address and you send BTC to that address. Whatever arrives at the address is credited to your account. No "invoicing system" involved.


How do things like Morphtoken and Xmr.to handle the $20 Bitcoin transfer fee?


Current BTC fee seems to be just over $1, not $20.

I don't think MorphToken would work because as far as I can tell, they have no way to set a fixed amount of the destination currency.

Other providers like ChangeNOW do offer that but they have much higher minimums, something like .003 BTC, which is obviously not useful for a $5 payment.


> Current BTC fee seems to be just over $1, not $20.

Really? My Ledger app says 112 sat/byte, which comes out to $8 for me, and I'm pretty sure they were higher a few weeks ago, when I checked. Am I way overpaying?

> I don't think MorphToken would work because as far as I can tell, they have no way to set a fixed amount of the destination currency.

That's too bad, XMR.to was really useful for this...


> Really? My Ledger app says 112 sat/byte, which comes out to $8 for me, and I'm pretty sure they were higher a few weeks ago, when I checked. Am I way overpaying?

Hm, maybe? I think those clients usually just use the average fee paid in recent transactions, which will result in overpayment if everyone else is doing it too.

The real question, "how low can I set the fee and still have my tx confirmed," is given an attempt at an answer by https://fees.watch, which is what I checked -- it showed less than $2 for every speed at the time.

To be honest I don't actually use Bitcoin, but I do use Ethereum regularly and I use this fees.watch site for that. My transactions almost always get confirmed exactly when expected, and it's almost always cheaper than whatever the wallet suggests.


Thanks for the site! I set my own transaction fee a few times, resulting in unconfirmed transactions, so that helps!


set your own transaction fee. if you aren't in a rush then set a much much lower one


Perfect!


I used to use Mullvad but got sick of having to pay them via Bitcoin (or Bitcoin Cash, lol). I emailed them about accepting Monero directly and they said something like "we would like to but it's too much work." Ended up switching to IVPN, which actually costs more but is worth it for me not to have to deal with those shitcoins.


I really love paying with Monero as well. Fast, super cheap and anonymous. It's definitely my favorite coin to use (since I don't like speculation). I just wish it were more widespread as a payment option.


Government pressure is getting those anonymous coins to be delisted from exchanges.


Which exchanges? I'm only aware of Bittrex, whose Monero volume was insignificant to begin with. And what evidence is there that government pressure had anything to do with it?


But you could always pay them with Monero

You can pay any bitcoin invoice with Monero and people have been doing that for 6 years


When xmr.to existed, sure. Not anymore.


Morphtoken, been using them for years on and off, not vouching for them, hope it works out


As far as I can tell, MorphToken doesn't allow you to set a fixed destination amount. In other words, when going XMR->BTC you can't set or know the exact amount of BTC that will be delivered.

ChangeNOW allows that, but has a much higher minimum, .003 BTC or so. Not useful for small transactions.

And all of these services take many minutes to complete the exchange, by which time the invoice you're paying might expire. AFAIK xmr.to was the only one that did instant exchange with zero confirmations for smaller amounts.


They have a custom implementation.


What third party are you using that does the xmr -> btc for you?


these days, it's Morphtoken and Xmr.to

still waiting for something better but it's good enough


xmr.to has recently shut down[1]. It would be nice to see more services accepting monero directly.

1. https://www.reddit.com/r/Monero/comments/la46ds/xmrto_servic...


that's too bad, thanks for spreading the word

One day people will figure out how to connect XMR to other chains, really unlocking its value and utility for those markets


I think that's scheduled for September this year.


So Mozilla VPN is wireguard, but won't let me use my own wireguard client?


The Mozilla VPN uses an auth key generated from the Firefox Account. There is at least one 3rd party app: https://github.com/NilsIrl/MozWire/ Though the official client supports the major operating systems [Windows, MacOS, Linux, iOS, and Android]: https://github.com/mozilla-mobile/mozilla-vpn-client


Who runs Mullvad? Am I supposed to just blindly trust these people with my entire internet activity?


I'd assume Mozilla did the due diligence and it may count for something.


Using Bitcoin doesn’t make one anonymous. I would always send cash to them.


Actually, it definitely can, if used right


Is Mullvad able to drill through the Great Firewall of China? Few VPNs can.


Shadowsocks always used to work well enough to evade the GFoC if you hosted your own VPS. Which is simpler than say strongSwan - and IPSEC gives the game away anyway.

https://gfw.report/blog/ss_advise/en/

https://gfw.report/blog/ss_tutorial/en/


Nowadays it's probably best to set up your own VPN server for that. Back when I lived there, most VPNs got occasionally blocked, then they would get new IPs and work fine again. But from what I heard, it got way worse since Winnie the Pooh took over.


Agree. I always use my own VPN for this.

Most VPN services get blocked eventually and then play cat-and-mouse to get themselves back up, so the service is overall unreliable.

The China firewall also does some "intelligent" blocking of common VPN protocols by fingerprinting their traffic patterns, handshakes, ports, and other things.

If you set up own server, it helps to modify the protocol or wrap it in a proxy that obfuscates the VPN traffic as something innocent-looking. Basically, if you implement something like TCP/IP-over-cat-picture-jpeg-files-on-HTTP-port-80 you'll generally have a rock solid experience. (That's not exactly what I do, but it's along the same lines of thinking, you get the idea, be creative.)

Unfortunately I'm not going to provide code to do this though because that makes it vulnerable to its traffic pattern being fingerprinted and blocked.

Also, avoid AWS. Using slightly lesser-known IaaS providers helps.


Interesting thought. A little part of me wants to make a TCP-over-HTML cat pictures wrapper. Maybe put the payload in every fifth cat pixel or something. Should work for BMPs, right?


So you'd be exchanging cat pictures a million times a day? That'll stand out well.


I am not sure using your own is a good idea. Every time I was in China for the last 3 years they would quickly find and block my small startup's VPN. I was able to send an email and ask someone to move it to a new IP. Now imagine you have your own setup and they block it, as well as access to the provider you used to create the VM that runs it. Using something like Nord or the like, at least you know that they will keep changing the IPs. Your mileage might vary, but this was my experience.


I guess if you really wanted to be clever you could set up a number of IP addresses and if your VPN doesn't see you login for, say, a day, switch to another IP. Or just give your VM 14 addresses and rotate them as you need. For a 2 week trip/14 addresses this would cost you about $26 on AWS.


Digital Ocean will let you use their Floating IPs to do this for no charge (I have an Algo VM I'm paying them to host).

1: https://www.digitalocean.com/docs/networking/floating-ips/


You wouldn't advertise you were using your personal VPS as a VPN.


Your activity advertises that to anyone who can see the traffic. Even if you use a popular port, the traffic volume and timing easily stands out — and if you’re actually in China ask what they’d conclude from a client which does no other traffic except for that one IP/protocol/port, unlike basically every other device.


They often block VPN traffic at the protocol level i.e. even rolling your own is going to be a headache.

That said, I never had problems using an SSH tunnel and the end result is the same.


Heh if they blocked ssh my access logs would be considerably leaner


From the thread:

> The secret to not dealing with crapty company practices is to avoid ones that advertise literally everywhere 24/7 nonstop around every single corner you look.

This is so true it nearly qualifies as physics.


My go-to explanation for this is that the crappiest companies out there have the highest profit margins simply because they have a whole host of bad practices available to pick from. That basically means they have the most resources to burn on marketing & promotion... ergo the most highly advertised stuff is what one should avoid the most.


Bad practices increase cash-on-hand at the expense of long-term outlook. That cash-on-hand can be funnelled into more bad practices.

It's kind of like a wooden building burning down: something that was previously in stable, long-term equilibrium state (no fire, no energy release, serving a useful purpose) switches suddenly to a runaway reaction (exponentially accelerating, pulling in more and more reactants from the environment, serving no useful purpose.)


> This is so true it nearly qualifies as physics.

I am going to (over)use this phrase from now on. Thank you.


Oh nice. I wasn't sure how it would land.


Audible might be the exception, I'm very happy with it.


Very crappy if you want to cancel after you forgot to get new audiobooks for a few months. You lose all your credit, and they don't say that during the cancellation process. I gifted 6 months of payment to Audible just because they neglected to inform me about that.


That's rough but on the scale of company bad practices that leans more towards being an oversight than truly malicious. I'm not saying it's an oversight but it's not on the same level as making cancellation take 10 clicks or having only phone support or turning off features when you turn off auto-renew.


Good point actually.


They also have a limit on the number of active credits you can have. I luckily found this out via someone else. But yeah, that part of Audible sucks massively. But I wouldn't be shocked if you emailed customer support they would just give you the credits, it's Amazon after all. Also, if you sign up and the system doesn't say you're eligible for a 30-day free trial, customer support will give it to you. I found that one out when my payment method wouldn't work and I cheekily asked and they hooked me up.


FWIW last time I tried to cancel & still had credits, Audible did warn me I'd lose them if I cancelled (so I quickly used the credits before cancelling - thanks to their generous return policy, shouldn't be an issue if I change my mind about one of the books I chose hastily before cancelling)


Maybe better since Amazon bought them but before that they had an atrocious reputation for making their subscriptions impossible to cancel.


Why are these VPNs even a thing?

The only reason I would use one is to get cheaper Steam keys from Brazil, and for that I can get a free one.

From a security standpoint it is awful because you increase the number of providers you have to trust.

Apart from your ISP and the server you connect to, you got a third party involved for no reason.

And VPNs are not that trustworthy, as shown by the leaks of logs and what not.

Maybe someone can enlighten me why these services exist and what use case they have?


It moves the source of threat from local (eg someone around you on shared wifi) and the local(ish) ISP to remote and abstract and possibly uncaring (foreign company and whoever has the resources to monitor their firehose). It doesn't eliminate threat, but it changes it in ways that may be relevant - eg with a VPN the people around me can't see that I'm surfing midget porn, and my ISP can tell that I'm torrenting but can't tell what or from where. Other torrent watchers (eg whoever goes after pirates these days) will also have a hard time isolating me back to an IP with which they might be able to get account holder information - and entities with the resources to monitor what's coming out of the fat pipes at the VPN provider probably don't care about me.


> From a security standpoint it is awful because you increase the number of providers you have to trust.

No, a VPN replaces an ISP in most threat models (by shifting who can see your traffic). For some people, this is a good trade (ex. me: my ISP has straight-up admitted to analyzing people's traffic for marketing info).


ISP modifying DNS responses, or at the least potentially logging them. A good reason to use DoH/DoT.

ISP logging traffic anyway in UK in order to comply with, say, Snoopers charter.

ISP providing out-of-date router hardware with unpatched firmware that most people connect directly to their WiFi networks instead of isolating.


1) people believing long-outdated guidance about not using open WiFi networks without a VPN

2) protecting your browsing traffic from being observed by your ISP (where you may not have much choice), at the risk of it being observed by the VPN company (which you trust).

3) Torrenting without having to worry about fines, nastygrams and other annoyances

4) Bypassing geoblocking

1 + 2 is what the VPNs advertise, but I think 3 + 4 are what people actually use them for.


What's wrong about (1)? HTTPS or not, there are still MitM attacks, and the URLs you are accessing are still trackable. As to why I'd trust my VPN more than my ISP: whose CEO has got more to lose once word gets out that his company cooperated with authorities to turn over my logs?


This is maybe a nit-pick, but https prevents tracking of URLs - they can still see what hosts you're connecting to, but they don't get the full URL string.


More or less everything your computer does online is protected through HTTPS or similar protocols, with proper certificate checking to protect against MitM attacks. By now, enough time has passed to get most incompetent vendors who had auto updaters doing insufficient checking to fix their software.

As someone else pointed out, URLs are not trackable, host names are, but the advice often comes in the form of "don't do sensitive stuff like online banking from untrusted networks". Since especially this has had HTTPS for 10+ years now, this advice is far outdated.


> 4) Bypassing geoblocking

> 1 + 2 is what the VPNs advertise, but I think 3 + 4 are what people actually use them for.

I don't know, I've seen two different "household" gaming Youtube channels advertise VPNs with a focus on geoblocking. I was kind of shocked at how brazen it was.


> 1)

Open wifi networks still exist. When last I was at my public library (a year ago... covid) they still had an open wifi network for public use. I think for them it's a matter of principle, since it means nobody has to ask permission to use it.


But HTTPS has become (nearly) universal. There's little risk of someone on your network snooping on your traffic, because it's just not possible anymore.


>1) people believing long-outdated guidance about not using open WiFi networks without a VPN

Long-outdated? It's more important today than it was 10 years ago. That public wifi you're on is tracking your every move and correlating your devices back to you if you happened to purchase anything in the store with a credit card.


What every move? Wifi APs can only see the domain names/IP, everything else is under HTTPS.


All your clicks getting tracked and sold and resold to the point anyone can know more about you than your wife does.


Wait, what's wrong about 1?


Almost everything is over https now, and with it, the wifi network security doesn't matter much.


Wifi isn't only browsing the web..


But web browsing is the vast majority of network usage now. The only big exception I can think of that doesn't go through standard HTTP/HTTPS rails is email. And even then desktop email clients are pretty rare now and they're pretty universally encrypted now.


No, but HTTPS isn't only browsing the web either. Very little that the average person will do on the go doesn't use TLS (or other effective encryption) in some form.


Getting around censorship such as the Great Firewall. I have relatives in China, we visit most years. Without the right VPN (most don't do a good job against the Great Firewall) you lose things like Google (thus your Gmail account), Facebook (no great loss), Dropbox and its siblings, pretty much any major news site. Last time I was over there I was having some trouble with my VPN (it's always a cat-and-mouse game between the VPNs and the Firewall) and the only search services that worked were Bing (which saw my Chinese location and did a much worse job than normal) and Baidu (which is China-focused and thus did a horrible job of serving up results in English.) Both engines were more likely to cough up a mixed-language page that vaguely matched over an English-only page that would be a much better match. Note that I was using a machine with the language set to English and not one bit of Chinese in the queries.


Mostly because of their FUD marketing. Almost all of the VPN ads imply, if not outright state that accessing your bank account is unsafe without a VPN.

I mean sure, if you want to sell Netflix access sure, but their security claims are way off.


Their marketing is the sketchiest shit ever. Any VPN that advertises like that is dead as far as I'm concerned, particularly NordVPN. They are the worst offender; listening to a few different jackasses on youtube pitching their product and hearing each one repeat the same talking points, it's obvious the FUD comes from NordVPN themselves, telling people to say it.


If your ISP is a realistic vector for your bank details, you have much bigger problems anyway.

Geoblocking I see, but other stuff without knowing exactly who you get your VPN from and who your ISP is is extremely murky... And I think there are very few who can make an educated decision on these. And they are running their own or using Tor...


In the UK your ISP has to store your entire browsing history for a year. Multiple agencies have access to this data without a warrant.

So my use case is simply preventing my ISP from knowing what I browse and from keeping this record. I'd much rather take my chances with a VPN company than my ISP and the British government.


I never understood the details of it: So if you download 2GB from SSH, does it have to store it, encrypted, as is? Or just the IP packet headers, i.e. where from and where to, in which case it is practically useless?


Correct, it's just a log of IP addresses that you "visited" which is why I really struggle with it. Visiting any website can hit hundreds if not thousands of IPs, without your knowledge or any intent behind it.


One reason is to help reduce some identifying information Ad networks and the like might collect since a common IP is shared among many users. There are disadvantages too but this is something you won’t get with self hosting.

Also ISPs in the US are able to sell your browsing history (https://protonmail.com/blog/private-browsing-history/) but I believe this can be mitigated by DOH.


Looks like the host name may still be leaked in HTTPS connections even when using DOH — https://www.cloudflare.com/learning/ssl/what-is-sni/

And HTTP will always reveal the host name with or without DOH.


If you are using the network of a hotel or a train station, for instance. Assumption is that you trust that VPN provider of course.


Well https takes care of that.

The hotel might be able to see that you visited a certain website but that's about it.


You have now shifted your trust from your VPN provider to certificate authorities.

And, I guess, just ignore anything that's not https.

Or just be okay if your hotel blocks certain ports or destinations, which I've had happen multiple times.


> You have now shifted your trust from your VPN provider to certificate authorities.

Don't you have to trust the CAs in any case?


There are 168 root certificates in macOS and 255 in Windows.


My point was that you have to trust them in any case, even with a VPN. The number of certificates is irrelevant.


Well, http(s) isn’t the only traffic going through network.


Assuming they don't MITM your connection.


And how would they do that? Your browser should warn you the certs aren’t trusted.


And if your browser does warn you: what do you do? You use a VPN.


Which you would notice immediately because of the big, scary warnings.


Right, but how do you respond to that? Using a VPN seems like a reasonable approach in this situation.


It's a hotel right? I would respond by closing my laptop, then my eyelids, then checking out the next morning.


You respond primarily with non technical means, making a giant stink that a hotel that generally lives and dies on corporate money is man in the middling their WiFi.


Assume my hotel has some MITM running with the right (broken) certificates and so on.

Which is not that trivial to begin with.

How hard would it be to take over the dns and simulate a fake VPN too?

Or just constantly disconnect the vpn and hope the user stops using it for a while.


Presumably, you exchanged certs with the actual VPN over a known secure network prior.


Wouldn't you be better served by your own VPN server?


Then you're the only person coming from that IP; a commercial service lets you hide in the crowd.


Not everyone can set up their own web/mail/vpn/whatever server.


Exactly. I have at least some trust in Mullvad, but I'll be damned if I'm getting on the hotel WiFi in a US hotel chain without a VPN. Let alone while travelling in foreign countries.

I frequently access my bank info etc. on such trips. With a VPN at least I have fewer random threat vectors to consider on a network.


What ‘bank info etc.’ are you accessing that isn’t TLS encrypted already? Adding IPSEC on top of that isn’t helping much, if at all…


I've frequently (especially outside the US, but even in a major hospital system here in San Francisco) come across WiFi networks that force web access through a MITM proxy. Yes, HTTPS will help me detect it, but if I need to actually get through, a VPN is helpful.

"bank info" in this case being anything from logging in to check my balance, pay bills or even contact them via their secure messaging because I'm disputing a transaction.

It doesn't eliminate all threats, but I'm not a secret agent ninja that needs 100% hardened communications. I just need a modicum of assurance.


But every site nowadays uses https. Doesn't it prevent issues with public wifi?


Not all traffic is http.


I suppose geo-unblocking is a big feature - I use PIA to watch in-market MLB games.


My bank blacklisted me from their online banking portal because of a "suspicious IP". After submitting a number of automated requests to my bank's new security website (a company in another country and only available in a different language), I found out that my IP was marked as dangerous because I ran a Tor service at some point in the past. I hadn't been running it for months but they still had my IP tagged as potentially malicious which was enough for my bank to distrust my IP. I should also note that I also had a static IP back then, which due to this ban, I subsequently disabled. In the meantime I've moved all my external facing (mostly Raspberry Pi) services to VPN and plan to finally re-activate static IP.


> Maybe someone can enlighten me why these services exist and what usecase they have?

Because there are lots of people that can't create their own VPN even though these days you can spin up a lightsail instance for $3.50 pcm and be up and running with Wireguard in minutes.

And for those people that cannot, their threat model changes to now needing to trust a single entity after they are up in minutes.

As you say, those providers have oftentimes been proven to not be so trustworthy. But how many CAs have been shown to be not trustworthy in the last couple years?


Also many websites will block cloud services IPs. This can also happen with 3rd party providers but in my experience it’s much less common because some vpn providers will buy residential IPs.

It also can be nice to get a new IP more or less whenever you want by just connecting to a different, already setup server.


The only websites to block my AWS IP are streaming providers like Netflix.

I don't believe VPN providers are buying residential IPs. They use a p2p architecture and route traffic through their customers, usually without informing them. If I do use a commercial VPN service, I prefer to use the openVPN client rather than their proprietary client.


I moved last year back to my home country from the uk, and did the final trip on my motorbike.

Midway I realized I was missing an offline map of a country I was about to be passing through the next day. I had an unlimited data plan with traffic abroad included, and despite this, it didn't allow me to download the maps for my gps (everything else worked!), even after fiddling around with third party dns.

So I downloaded a vpn app, and managed to get everything sorted out.


Probably the #1 reason by far is geoblocking.

Security interests are niche compared to people wanting to watch 'xyz program' or 'xyz super game'.


Pirating copyrighted material.


Well afaik seeding on public torrents is just about the only way you would get in trouble for pirating.

Just don't do that, use a private tracker and use Tor for small stuff like ebooks.


There's nothing magical about a "private tracker", those are regularly infiltrated too.


I may be completely wrong on this one but...

This is not much of a problem, because you are seeding to "friends" making the whole thing non commercial and a private affair in some legislatures.

Not sure if the laws have changed but what.cd used to have a certain number of users which was capped by the number of friends some judge thought to be reasonable.

If I recall correctly that was around 200k, meaning that you could run a private tracker and in case of a bust claim to know everyone.

Back in the day I had a what.cd account and when they got busted (took them many years) nothing happened to the users. I think they shredded the servers before the cops could seize them.


None of that helps in the US.


Getting onto many private trackers is a real pain in the ass, involving lurking on some IRC channel for who knows how long, begging and sucking up to people until somebody gives you an invite (assuming the tracker is even open to new applicants at the time.) Then, even with an invite, often the admins want to interview you to see if you answer probing questions like a pirate or a lawyer. The whole thing is a pain in the ass. These days I just say YOLO and use public trackers.


YouTube ads are the reason I am most familiar with, especially with NordVPN.

So, essentially, even the most knowledgeable people on YouTube tell you that NordVPN is a must-have thing, and they "use it all the time". What do you want people who don't know better to do?

That's the sad online world we live in.


I'll just leave this here as food for thought https://schub.wtf/blog/2019/04/08/very-precarious-narrative....


By now these VPN providers are like toothpaste, diapers or soft drinks: completely undifferentiated between competitors, and so only able to maintain their market share by spending loads on marketing. Of course the company with most egregious dark patterns and aggressive churn dampening wins.

Thankfully a tube of toothpaste doesn't allow implementing dark patterns like this... yet.


I would strongly disagree for the following reasons: You can and should differentiate VPN providers. Ways to differentiate them: Have they shared logs in the past, where companies are headquartered, reputation.


Fair point, agreed.

I have noticed personally, however, that all people I know that have purchased a VPN subscription don't do this. They simply buy into the FUD. N=1 of course...

Maybe the market size has become so large that less savvy users propel the unscrupulous companies to the top?


I think it's exactly the same as when purchasing anything in life. There are better and worse products. Many people will not buy a good product in terms of quality/price or value/price.

> Maybe the market size has become so large that less savvy users propel the unscrupulous companies to the top?

I would say that is the case for many products. Personal example: our family car is nearly 10 years old and still going strong, it's reliable and good overall. We spent time researching good vehicles on the market then and bought the car after research, it paid off.


>doesn't allow implementing dark patterns like this.

Or does it? Call from the past: "3D" toothpaste marketing, whitening agents, microplastics, multi-color squirts, same FUD "brush like a pro only with XXX". Those are just a few (top of my head) of the levels marketing goes to in an attempt to sell toothpaste.


You are right of course... the "analogue dark patterns" are as old as advertising.

But there's more! since posting my comment, I've noticed Amazon dark-patterning a "monthly subscription on diapers" into a product description page.

Gotta chase that sweet sweet MRR


I agree with this very much, and it's becoming pervasive in other industry spaces too, like streaming services imo.


Can't we give the FTC more teeth, so they take action whenever a company turns against their customers? Most dark patterns are well known, so how hard can it be to define some laws or set up a legal framework around this? The free market isn't everything, but at least we can try to make it less shitty.


The amount of astroturfing in the reddit thread is just awful. VPN hosters market in the most aggressive ways possible, probably due to the fact that it's usually impossible to verify a VPN hoster's claims (without a breach), so assuming they did most of the VPN stuff right, any new users they lured in are gonna stick, at least for a while.



Although not entirely false, this post is a bit too defeatist. "Don't use a VPN because they may be lying about not logging connections" is the same as saying "Don't get on an airplane because the pilot may be suicidal".

I'm not going to stop using vpns nor flying on airplanes because of that.


You typically get on an airplane because you have to travel someplace. With VPNs I fail to see a reason beyond circumventing geo-blocking.


Whereas the VPN provider might do something with your data, your ISP most definitely does.


Does it? I don't recall giving A&A permission to deal with my data in any nefarious way, I'd doubt they would anyway.

https://www.aa.net.uk/



ISPs monitor and modify your internet traffic in America (perhaps that's different in the UK?). My American ISP absolutely spies on me. So rather than accept that guarantee, I can use a VPN like Mullvad who at least promise not to do this, and whose entire business relies on keeping that promise.


> whose entire business relies on keeping that promise.

That "you should not use a VPN" link someone posted elsewhere explicitly disproves that claim, saying that HideMyAss were caught breaking their privacy promises and have yet to go out of business.

The prices of VPN services also don't make sense and potentially suggest something nefarious is going on (not saying Mullvad is doing this, but any VPN advertised on YouTube is very likely to do so). It's difficult to imagine that they can afford such bandwidth/hardware and the amount of support/abuse cases (remember that VPN services will attract scum as a side-effect of their privacy/anonymity claims) for such a low price.


This may be very different in countries different than yours.


I wasn't making a blanket claim. OP told me my ISP is bad. My ISP is not bad. I'm certain that a VPN provider would be less trustworthy than my ISP.


Virgin, who are the only ones who can provide decent speeds at my address most definitely spoof DNS and record traffic.


https://news.ycombinator.com/item?id=26050877

TL;DR: My bank wouldn't let me use their online banking because I had run a Tor service sometime in the past.


This isn't a persuasive argument for not using a VPN, it's a strongly-worded reminder that using a VPN means you're trusting your VPN provider. That's a big difference.


I personally never liked the whole Nord ecosystem. I tried NordPass and encountered bug after bug and had to stop using it. The software seems kind of thrown together / shoddily made just to make a quick buck. They don't nearly put in as much passion and effort as better offerings like ProtonVPN and Mullvad (no affiliation, just really love their services).


Can confirm. I used to use ProtonVPN and it was worth every penny. I switched to NordVPN to save a few bucks and it was one of the worst decisions I have ever made. NordVPN couldn’t hold a candle to what ProtonVPN offered in terms of reliability, ease of use, transparency and support. ProtonVPN was costlier, but I think it justified its cost.


I've used NordVPN previously and thought they were fine as a VPN service. In fact I went back to use them earlier today before seeing this submission. But yeah, on reflection, they really do go out of their way to scare/screw their customers into auto-renewing with various dark patterns. So maybe next time round I'll check out something less evil.

I use a VPN for geo-blocked free-to-air sport (6 Nations <3) from my home country so VPNs work well for my needs. Ironically it's not even possible to pay for access to view the sport in a legitimate way since everything is region locked.


Which channel is streaming it? I have seen some on the BBC over the years but not every match.


Just found it on ITV.


ITV was what I used today, I originally planned on using Virgin Media Ireland but had login issues there.


This seems the work of some market-oblivious marketing "expert": we want more autorenewals, let's figure out some stick and carrot. Trust doesn't appear to be a consideration.


And now their login page is "crashing". They knew I was coming to uncheck that crap.


Has anyone actually been able to reproduce this? This annoyed me enough that I cancelled my NordVPN renewal, and I never got this screen - and all the adblock/anti-malware stuff still works fine.


Honestly, if you are worried about privacy and use a VPN for those reasons, then you should check out the principle of browser fingerprinting [0].

The conclusion is that servers/websites can check so many parameters of your browser that they can produce a (unique) fingerprint based on the settings and drivers on your phone. No VPN or Tor will cover that, only burner phones or pen and paper.

[0] https://coveryourtracks.eff.org



Happy Private Internet Access user, for years, and I don't have to deal with these kinds of practices.


I've used them for years as well and it seems like they have really gone downhill the last year or so. The iOS app is now unusable for me. Lots of slow or unresponsive servers now. Just heaps of issues for me.


They were recently partially or wholly purchased. There was a big stink about it because the other company had ties to Israeli intelligence or something. I may be misremembering the details, but I'm too lazy to look it up on my phone. I recently switched from PIA to Mullvad and I can definitely recommend it. It feels more transparent to me, and the client app is well done.


Did they initially say we will give you extra features if you enable auto renew? Still feels a bit slimy even if that is the case


Is that legal? Because you pay the same yet you don't receive the same set of features.


question for those privacy conscious peeps:

When you use multiple browsers, with one (FF) used for general browsing set up to block fingerprinting, all cookies, js, etc... will the other (Brave, Opera) browsers leak info to web sites when using FF?


Not an expert, but:

It depends if the browsers have matching characteristics. If you're not using a VPN, then they can be matched by IP. If you are, then it's down to side-channels which are a pain but usually differ by browser (and perhaps even profile) - but I do wonder if ex. font availability and possibly GPU-based fingerprints wouldn't match. Of course, if your locked-down browser blocks enough then you can solve that.


For me, NordVPN was much much slower than ExpressVPN, and with this, it's a no-brainer.


What's the argument for VPNs in 2021? Can't ISPs just use metadata patterns and DPI/analytics to tell what you're up to anyway? For example if I want to hide my torrenting, it's not like a VPN is going to really help that. The ISP should be able to figure that out, right? Or am I wrong here?

edit: this is a serious question I am not trying to troll anyone here


People use VPN services (as opposed to, say, the site-to-site VPNs enterprises use) for a variety of reasons:

- Access geo-restricted content on say Netflix

- Privacy - one encrypted pipe to hide what you're doing

- Hide source IP address (perhaps for researching a competitor's website etc)

- Protect insecure services (though the services would need to exist on the VPN endpoint or they would be exposed at the VPN->insecure service termination).

- Bypass ISP throttling (yup this works and is always funny as ISPs deny they do this but hey, easy to check!)

- Avoid censorship even in places like the UK (https://en.wikipedia.org/wiki/Internet_censorship_and_survei...)

And more. So there's plenty of use-cases for a VPN in 2021. But it's worth thinking about how the threat model changes as a result of using one especially if you're not hosting it yourself.


Using DPI an ISP might be able to figure out that you're torrenting but not what you're torrenting. In some jurisdictions this is a big improvement.


A correct VPN will make it look like you're just sending garbage traffic to/from one destination; from the outside looking in, the traffic pattern is completely different from a direct torrent (which is many to one + one to many).


Does it really look like garbage from the outside? My impression or understanding was that you could tease out those details (they are torrenting) but not inspect the packets directly (what are they torrenting?)


A proper VPN will completely encapsulate your layer 7 data, so you should not be able to tease out the fact that they are torrenting - it should more or less be an opaque stream.

With some protocols you can identify that they are sending VPN traffic to and from a destination, but that should be it, otherwise something has gone horribly wrong in a dangerous way.


Depending on the VPN protocol, you can still fingerprint by size - as I understand it, bandwidth use patterns are actually enough to distinguish things like "streaming video" from "BitTorrent traffic" from "web browsing". IIRC, ex. Tor does a bucket-filling approach to fight this (something along the lines of trying to wait until you've got X bytes to send together to smooth out the packet size, or even inserting garbage to pad out your use).
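An added example (not code from the thread) of the size-fingerprinting problem and the padding countermeasure just described: two constructed packet-size traces are compared with a simple distribution distance, then padded to full frames and coalesced into fixed-size cells; the trace values, the 1500-byte MTU and the 512-byte cell size are assumptions chosen for the demonstration.

```python
"""Added example, not code from the thread: how padding packets to fixed sizes
blunts size-based traffic fingerprinting, and what it costs. Traces are constructed."""
import math
from collections import Counter

MTU = 1500

# Constructed client-side packet-size traces (bytes) for two activities:
# browsing mixes small requests/ACKs with full frames; streaming is nearly all full frames.
WEB_BROWSING = [60, 1460, 1460, 1460, 320, 60, 60, 640, 1460, 200]
VIDEO_STREAM = [1460] * 18 + [60, 60]


def size_profile(sizes):
    """Normalised packet-size histogram: {size: fraction of packets}."""
    n = len(sizes)
    return {s: c / n for s, c in Counter(sizes).items()}


def tv_distance(sizes_a, sizes_b):
    """Total-variation distance between two size profiles.
    0 means an observer looking only at packet sizes cannot tell the flows apart."""
    pa, pb = size_profile(sizes_a), size_profile(sizes_b)
    return 0.5 * sum(abs(pa.get(s, 0.0) - pb.get(s, 0.0)) for s in set(pa) | set(pb))


def pad_sizes(sizes, bucket=MTU, mtu=MTU):
    """Pad every packet up to the next multiple of `bucket`, capped at the MTU.
    With bucket == MTU every packet leaves as a full frame: the per-packet size leak
    is gone, but total byte volume and timing still differ between activities."""
    return [min(mtu, math.ceil(s / bucket) * bucket) for s in sizes]


def cellify(sizes, cell=512):
    """Bucket-filling variant: wait until `cell` bytes are queued, then send one
    fixed-size cell (the approach the comment attributes to Tor). Returns cell sizes."""
    return [cell] * math.ceil(sum(sizes) / cell)


def overhead(original, padded):
    """Bytes on the wire after padding divided by bytes actually carried."""
    return sum(padded) / sum(original)


if __name__ == "__main__":
    print("raw   :", tv_distance(WEB_BROWSING, VIDEO_STREAM))
    padded_web, padded_video = pad_sizes(WEB_BROWSING), pad_sizes(VIDEO_STREAM)
    print("padded:", tv_distance(padded_web, padded_video))
    print("cost web %.2fx, video %.2fx" % (overhead(WEB_BROWSING, padded_web),
                                           overhead(VIDEO_STREAM, padded_video)))
    # Cells make sizes identical; only the cell count (volume) still differs.
    print("cells :", len(cellify(WEB_BROWSING)), "vs", len(cellify(VIDEO_STREAM)))
```

The overhead figures show the trade-off: padding is cheap for traffic that already fills frames and expensive for chatty traffic, which is why deployed designs weigh the bucket size against the leak they are closing.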


What do you mean by a "correct VPN" here? The traffic analysis obfuscation angle is also interesting, do you have links?



