undefined | Better HN

0 pointslatchkey4y ago0 comments

Why would you want to trust your VPN provider?

That's like saying: "you really really need to trust a Bitcoin miner"

I'd hope the VPN service is built and operated in a way that doesn't require trust, but provides the same level of security.

edit: Since there is confusion in the responses. I'd prefer to trust no-one.

0 comments

10 comments · 5 top-level

HappySweeney4y ago· 3 in thread

How would you verify there are no logs kept?

latchkeyOP4y ago

Inverse is true as well. How do you prove it?

jonfw4y ago

You can't prove it, which is why you want to find a VPN provider you can trust

cblconfederate4y ago

Someone can steal their logs

kbenson4y ago· 2 in thread

There's always trust involved. You have to trust the DNS infrastructure, you have to trust your ISP, you have to trust the VPN provider. You don't have to trust them completely, but you have to trust them at least somewhat.

We take steps to reduce the amount of trust required, such as splitting that trust across many parties, so any one party hopefully can't betray us enough that it matters or that we don't notice, but there's still a lot of trust. For example, we use SSL certificates and certificate authorities that are known ahead of time to protect from problems on the network, but that requires you trust your OS and/or your browser, which is generally how you receive those certificate authorities. If I'm able to get my own CA on your system and trusted, and I can see your traffic, it doesn't matter whether you're using HTTPS connections.

A VPN provider might say they're not keeping logs, or that their servers are not beholden to a third party and traffic is not being analyzed, but ultimately all you have is their word on that. Ultimately, the only thing different between you connecting to the NSA and routing all your traffic (even if your traffic is mostly encrypted) through them so they can look at it and a VPN provider is that you trust the VPN provider when they say they aren't the NSA and they aren't looking at your traffic.

aborsy4y ago

It’s worth mentioning that, if you listen to the podcast mentioned in this thread, DarkMatter, the hacking company, at some point ran a certificate authority that was recognized by browsers including Chrome and Firefox, until lately that news about them came out.

I wouldn’t blindly trust CAs either.

kbenson4y ago

Oh, I don't, it's just also really hard to vet that stuff adequately as a single person, and also why HTTPS isn't always adequate.

There's DNS and root servers to consider as well (but that might be harder to hide with all the caching going on).

I almost edited my above comment a few minutes afterwards to append something like "and honestly, it would be pretty hard to convince me the NSA or some other group hasn't run one or more VPN providers in the past. The only question in my eye is whether it was a popular one or not."

whoknew11224y ago

But then you have to trust that the VPN service is built and operated the way they say it is.

Or have we already forgot about Zoom's "end-to-end encryption?"

bcrosby954y ago

> I'd hope the VPN service is built and operated in a way that doesn't require trust

Unless you're continuously verifying, this requires trust that it is built that way and/or won't be changed in the future.

BenoitEssiambre4y ago

I don't think VPNs go that far. Wouldn't that be more like Tor type of security?

j / k navigate · click thread line to collapse