Wow, I didn't know VPN providers have broken SSL and can read all that traffic.
This was on the frontpage before. Are people just upvoting it for the clickbait headline without reading the points that are being made?
They could do per-flow logging of TCP flows (subscriber 89 made a TCP connection to 1.2.3.4:567 starting at 12:00:05, ending at 12:02:04, transferring 10kB up and 1MB down). In the worst case this would also include the TLS SNI, which is transmitted in plaintext.
Or they could do logging based on the endpoint (subscriber 89 transmitted 1MB from IP 1.2.3.4 in the 15 minute interval 12:00-12:15).
DNS, SNI and mixed content are all insecure for the vast majority of users. You can learn a lot from HTTPS traffic.
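The two comments above both rest on the same fact: the TLS Server Name Indication travels in the clear in the ClientHello, so anyone on path (VPN provider, ISP, coffee-shop network) can log which hostname a flow is for without touching the encryption. The script below is an added illustration, not code from any commenter or from the linked article; it builds a constructed, minimal ClientHello (the hostname, random bytes, and cipher suite are sample values) and then parses it the way a passive flow logger would. The parsing logic follows the TLS record and ClientHello layout (RFC 5246 / RFC 6066); a defender can use the same parser to audit their own capture for what a VPN provider would be able to record.

```python
import struct

SNI_EXTENSION = 0x0000        # RFC 6066 server_name extension type
HANDSHAKE_RECORD = 0x16       # TLS record content type: handshake
CLIENT_HELLO = 0x01           # handshake message type: ClientHello


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal ClientHello record carrying an SNI extension.

    This is constructed sample input (zeroed random, one cipher suite),
    not captured traffic; it exists only so the parser has something to read.
    """
    name = hostname.encode("idna")
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
    name_list = struct.pack("!H", len(entry)) + entry
    sni_ext = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    # An unrelated extension first (supported_versions, 0x002b) so the
    # parser must walk past something that is not SNI.
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"
    extensions = other_ext + sni_ext
    body = (
        b"\x03\x03"                                  # client_version (TLS 1.2 wire value)
        + bytes(32)                                  # random (zeros in this sample)
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None.

    Every length field is bounds-checked so truncated or non-TLS input
    yields None instead of an exception.
    """
    if len(data) < 5 or data[0] != HANDSHAKE_RECORD:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        return None
    pos = 2 + 32                                     # skip client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                             # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                             # compression_methods
    if pos + 2 > len(body):
        return None                                  # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:                            # walk extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXTENSION or len(edata) < 2:
            continue
        list_end = min(2 + struct.unpack("!H", edata[:2])[0], len(edata))
        q = 2
        while q + 3 <= list_end:                     # walk server_name_list
            ntype = edata[q]
            nlen = struct.unpack("!H", edata[q + 1:q + 3])[0]
            q += 3
            if ntype == 0 and q + nlen <= len(edata):
                return edata[q:q + nlen].decode("ascii", "replace")
            q += nlen
    return None


if __name__ == "__main__":
    sample = build_client_hello("example.com")       # constructed sample flow
    print("observer sees hostname:", extract_sni(sample))
    print("application-data record:", extract_sni(b"\x17\x03\x03\x00\x01x"))
```

Run over a real capture, the parser only needs the first client-to-server record of each TCP flow, which is exactly the cheap per-flow logging the comment describes: no decryption, just a hostname next to the subscriber id, timestamps and byte counts.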
If you think TLS is adequate to stop a VPN provider figuring out what you're doing, why isn't it good enough to stop the ISP/Government/evil coffee chain IT team?
Short of using a VPN provider that's a front operation of the government you're trying to avoid, VPNs do a good job in adding a layer of protection. The proposed solution in the article (rent a VPS) does not, as the IP is unique to you and tied to your identity, the hoster has no incentive to protect your identity.
And metadata can be just as useful for violating your privacy as content data.
https://www.techspot.com/news/82259-keeping-private-5-vpns-h...
Edit: Many countries have mandatory data retention policies [1], so if you're from one of those countries it's virtually guaranteed that your internet usage logs for the last months/years are logged somewhere. On the other hand, a VPN provider has a strong financial incentive to not log your data (because their reputation has a high financial value) and in some cases it can be known that (at least at some point in the past) they weren't logging, so there is a very high probability that they are not logging now.
The point the article was trying to make was you can never be sure which providers are trustworthy and which ones are not, and even the trustworthy ones today might not be trustworthy tomorrow and you have no way to verify whether they are or aren’t keeping logs.
0: https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-ex...
And do you have time to verify every source of information?
Also, why are these companies registered in Panama or the British Virgin Islands?
I skimmed through this article but I don't think it addressed this use case. Sure, my VPN could be tracking me, but I have much more trust in Mozilla than I do any other internety company. This article seems to be arguing that because perfect browsing privacy isn't possible that you might as well not bother with any.
> in April 2018, when the high court found the government’s power to order private companies to store communications data, including internet history, to be in breach of citizens' right to privacy.
It seems the original proposal has been watered down and then challenged in court. I'm wondering if someone more knowledgeable can chime in.
Still, I don't want some government agency to be able to pull my entire browsing history, now or in the future.
Jumping through all kinds of administrative hurdles is still a hurdle, even for a government (in fact, in many ways - especially for a government!). A court may not force a VPN provider to hand over logs, and a VPN provider may have little legal exposure in a country anyhow.
Even if a government somehow managed to get permission to see them, if a VPN provider doesn't have any (or none sufficiently detailed) it's pretty likely it will not suffer much for not having logs (especially given that various privacy laws might even make it illegal to keep unnecessary privacy-sensitive data floating around), and courts tend not to punish even illegal court-order violating behavior when the party was required to engage in that behavior (e.g. by law). If anything, that's a modicum of risk with a high potential reward (publicity here we come!)
And even if a VPN service maintains logs - what kind of logs? There are a lot of packets floating around on a VPN, and storing metadata for every single one strikes me as a pretty excessive expense if there's no really good business case for it. Tying various incomplete logs together doesn't always reconstruct the whole story, so it's pretty plausible some logs may still contain less data than would be retrievable if you didn't use a VPN.
All in all it strikes me as invalid reasoning to assume that merely because it's possible a VPN might not keep traffic private that it will in practice leak said traffic. That does not appear to be the path of least resistance. So even if some UK government agency were to have the intent to track some of your traffic - a VPN might well prevent that or at least make it much more expensive (in both time and effort) for said agency to achieve that.
Therefore, shouldn't we expect at least some of the largest, cheapest, and most widely promoted VPNs to be secretly run by intelligence agencies?
And that government also certainly has much less legal restrictions on tracking you since you're probably not their citizen. Unless you VPN to a node in your own country, in which case, they're just tracking you at a different exit point.
Obviously if you want to protect your identity, you need to do that at every level; if you're hosting your VPN somewhere, that includes from the platform you're hosting your VPN at.
>There are hosting providers you don't need to give out your real identity to use
Even if you don't give them your real identity, they have access to the IP address you are connecting from which to a big enough adversary is enough to identify you.
That sounds like one of those things that original article says "can never be verified". Correct me if I'm wrong.
Though even for accessing TOR, using a VPN is a good idea. If you're planning on doing stupid things like mailing in a bomb threat to delay your exams because you haven't studied enough and you're using TOR, the usage itself will point at you if you're the only person using it. Had they used a VPN to access TOR, they wouldn't have been caught that easily.
[1] https://www.forbes.com/sites/runasandvik/2013/12/18/harvard-...
Based on this it sounds like if he hadn't confessed he wouldn't have been caught. After all, it would still be on the prosecutors to prove he used tor to send the threat, instead of just using it out of paranoia or something.
Additionally, there are still benefits to using a VPN in addition to tor: https://trac.torproject.org/projects/tor/wiki/doc/TorPlusVPN...
1) Why would you keep logs, when you could then be compelled to hand them over?
2) As setting up a VPN company is easy/cheap, you conversely have to spend a large pile of cash to advertise your way to the top. The only asset you really end up with is your name/reputation. Publicly burning a customer would be incredibly expensive.
*Adjusts tinfoil hat* I think the point about VPN providers acting as a honey-pot might have some legs though. Seems incredible to think that whilst NSA and the rest are determined to detect illegal activity online, VPN providers seemingly thrive without any interference/intrusion. My view is that as long as you're not doing anything too bad, you're safe as the cost of your exposure isn't worth it.
Of course if the government was having trouble infiltrating/extracting information from the big VPNs due to the volume of traffic, pushing the 'people who really want privacy' to self-identify even further, by creating their own service makes sense. All the traffic emerging from it (even if encrypted, you know where it's going) can be tied back to the single user.
Therefore, it seems too obvious that the VPN companies with the largest advertising budgets (perhaps even running a deficit) are run by intelligence agencies. They recoup their investment on the data harvested.
Also, the government, in addition to setting up honeypots, could simply require the providers to log. The way that it works, there are only a couple of people in the company who need to be aware of that; such a fact will never be known to the public. There is zero audit trail.
Yeah that's a good point. If you keep logs then your legal team will have to do more work. It actually costs more to keep logs and customers will leave you for a competitor, meanwhile there is no opportunity to earn extra money.
I feel like every few months one of these holier-than-thou anti-VPN articles hits HN where the author completely ignores the real demographics and use cases of commercial VPNs and acts like our primary concerns are ISPs finding out what color of underwear we like. Most people use VPNs to watch Netflix and steal Game of Thrones. They don't leave them turned on because they noticeably increase browsing and gaming lag.
The VPN sidesteps all of that, and allows me to use the full speed of the connection - otherwise we’re throttled to about 40%.
Yes, I could and probably will set up my own endpoint, but for less than a dollar a month this is just an easy and cheap solution, for now.
Those seeding public torrents are in trouble if they get an abuse complaint. Most providers don't like those and will boot you off real quick.
Use VPN to change your local ISP to foreign ISP. The foreign ISP is better precisely because it is foreign. The direction doesn't matter.
Ideally pick across poorly cooperating jurisdictions.
Some accept anonymous cash payments like mullvad and do not require any information.
Everyone here probably knows VPNs are not an all-in solution for privacy nor security but they're certainly a good added layer to add and most likely have better privacy standards than most ISPs.
A person more concerned about privacy should just add one or more layers above/below the VPN ... like ISP > VPN > Tor for instance at the price of substantially lower performance ...
Or you could do the opposite with a cash accepting VPN such as Mullvad ... and only connect to them using ISP > Tor > VPN which would also provide a decent layer that would avoid the massive "malicious high risk flagging" of Tor Exit nodes everywhere while preventing the VPN provider from knowing your IP. You certainly have to hit less captchas with VPNs than with Tor ...
There are also quite a few VPN/VPS providers accepting Monero that can be used and paid for "anonymously" for adding more layers.
If you live in a large city with a decent view on places offering free legal public wifi, you could also buy a long range Wifi Directional Antenna and USB Wifi adapter to add such layer while remaining at home and avoid having to move to such places. MAC address randomization is trivial and integrated in most OSes now. Again it's not perfect but it's an added "convenient" layer not requiring physically moving.
Still VPNs can be useful to access content/networks that otherwise you can't.
As for privacy, it comes down to trust. You mentioned HideMyAss but other services have good track record, far better than most ISPs that publicly state they share information with 3rd parties.
It is, however, important to tell users where using a VPN can greatly enhance safety. It does protect your traffic up to the VPN provider. This protects from unsafe local networks and also from any state actor in the country you are in. It doesn't protect from state actors in the country where the VPN exit point is, but depending on which states both are in, can make quite a difference.
Can't you solve a lot of these problems by chaining VPN providers? It would only take one running securely and not keeping logs to make it impossible to trace the connection from the destination to you.
What if your ISP is a known-hostile network?