Commercial VPNs will go down as one of the greatest money-making schemes of the last decade. Outside of a few specific use cases their sales often rely on leveraging non-technical users' fear of what they don't fully understand.
I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft", or my personal favorite: "to protect my bank accounts".
Not a single person has said "I pay to route my traffic through an unknown intermediary to obscure its origin" or "I installed new root certificates to increase my security."
Long ago, in the era of Firesheep and exploding prevalence of coffee-shop Wi-Fi, consumer VPN services were definitely valuable.
But that was long ago. Now, HTTPS is the norm. The only use cases for consumer VPNs today seem to be (1) "pretend I'm in a different geography so I can stream that show I wanted to see" and (2) "torrent with slightly greater impunity".
I live in Seattle and Mullvad VPN seems to have bought approximately all of the ad space on public transit over the past couple months. Their messaging is all about "freeing the internet" and fighting the power. It's deeply silly and, I worry, probably quite good at attracting new customers who have no need for (or understanding of) VPNs whatsoever.
- protecting your privacy from your local ISP, WiFi, school, government etc
- protecting your privacy from some forms of online tracking
- circumventing censorship
- circumventing geographical restrictions
If you combine masking of your IP address with a web browser that protects you from various types of browser-based fingerprinting, you are more in control of your privacy online. You get to decide, to a greater extent, who you share very personal information with. That doesn't seem very silly.
(disclosure: I'm one of the deeply silly cofounders of Mullvad)
There's a niche fifth reason. Roaming between upstreams while not having open TCP connections drop. I use multiple ISP's and on mullvad I can swap which wifi/ethernet I'm on and all my connections stay up since wireguard is stateless.
Good point. That is indeed a distinct fifth reason.
Here's a sixth one: for some users it can improve latency, bandwidth and/or even cost.
latency/bandwidth: because of weird peering agreements between ISPs / ASes.
cost: there are networks where consumers pay per MB for international traffic, but not local traffic. Consumers can sometimes establish a VPN tunnel to the local data center and get an unmetered international connection, because the data center has a different agreement with the monopolistic consumer ISP.
How about a seventh: in solidarity with people who are facing censorship or oppression.
Like, if only dissidents and malcontents use a VPN (or TOR or HTTPS or E2E encrypted messaging apps) then if you want to reduce dissent, you can just round up all the VPN users and have them shot. If everyone uses VPNs for normal internet use, that becomes impractical.
> Here's a sixth one: for some users it can improve latency, bandwidth and/or even cost.
I find that using a VPN over starlink is quite a different experience than terrestrial. I can VPN through another country and the speed isn't affected nearly as much. My guess is that the route is satellite to satellite, so it is much faster.
Yup, when you're not using a VPN, even with encrypted DNS and HTTPS, you're still sending hostnames (e.g. wikileaks.org) over plaintext in TLS SNI for every HTTPS connection. I believe most firewall appliances now even prefer to use SNI for deep-packet-inspection since it's so reliable.
> I'm one of the deeply silly cofounders of Mullvad
Cool.
Also funny, but it would be nice if you addressed the specific objection. Here are some of the new ads: https://mullvad.net/en/blog/advertising-that-targets-everyon... . Do you think they appeal more to consumers who are seeking "it keeps me vaguely secure", or it helps me watch Venezuelan Netflix and avoid some kinds of targeted advertising personalisation?
> it would be nice if you addressed the specific objection
I'm pretty sure I did. I'll happily answer yours as well.
> Do you think they appeal more to consumers who are seeking "it keeps me vaguely secure", or it helps me watch Venezuelan Netflix and avoid some kinds of targeted advertising personalisation?
Between those two options, definitely "it keeps me vaguely secure". None of the ads you link to are intended for customers that want to circumvent geographical restrictions. We don't market to that customer segment.
Advertisement targeting is a risk. Even just leaking your IP to various services introduces risks and being able to build profiles on your activities online introduces risk.
Usually the risk is you spend money you wouldn't have otherwise spend, but those profiles can also be used for future nefarious reasons. You're basically just relying on everyone running analytics to be good people, forever. Remember, anything on the internet is forever. And, even if they are, you're still relying on them having perfect security, forever. If a database breach happens and people now know everything data brokers and analytics services know... that's a problem.
IMO, nobody should browse the web without a reliable and trustworthy VPN, at all.
Hi! Thanks for your deeply non-silly reply; it's nice to (virtually) meet a cofounder.
If you have time, I'd love to hear your thoughts on Mullvad's campaign here in Seattle.
For what it's worth, I suppose my perspective boils down to: the first three issues aren't issues here in town, or can be addressed in more direct ways (we have a wide choice of providers; 1st party browsers and services cover the gamut of tracking concerns; etc). Circumventing geographical restrictions is useful, but -- perhaps understandably! -- doesn't appear to be what Mullvad is advertising on the trains I ride.
Regarding tracking concerns, masking your IP address is a necessary but insufficient first step to improving your privacy online. ISPs typically don't allow their users to do that per-device in a UX-friendly way. Protecting against browser fingerprinting is something that Mullvad Browser does quite well, thanks to it being a fork of Tor Browser.
As for circumventing geo restrictions, you're absolutely right. We make an effort to get it to work, but ultimately privacy and censorship is much more of a priority for us. That's why we don't advertise it.
Finally, the campaign isn't just about getting more customers. We started Mullvad for political reasons, and now we have the resources to spread that message further. Governments around the world are warming up to the idea of mandatory device-side mass surveillance and backdooring E2E encryption. We're trying to build public opinion against that.
I’m surely happy to not live in the UK at the moment. And Indonesia of course. If I would live in one of these countries I’d be using VPN. And maybe in the (not so distant) future this is preferable in the US too.
> We're trying to build public opinion against that.
Good on you!
But to be honest; it seems that it would be in Mullvads interest if the US starts requiring “open encryption” for internet services! Then more people would feel the need for VPNs
Actually, no. Our goal is to make mass surveillance and censorship ineffective, not maximizing profit to our shareholders. If there was a big red button we could push that accomplishes our goal and makes Mullvad obsolete in the process, we'd push it. There's an abundance of problems to solve in the world. It'd be nice if we could figure out how to get rid of some and move on to other problems.
At this point I'm reminded of Tom Scott's honest VPN advertisement, contrasting how VPNs are advertised (on YouTube, at least) with the main features that they really provide.
Also (3) work around overbroad restrictions on public Wi-Fi, which still sometimes do things like block Reddit or HN or SSH. But I guess more typical consumers than those of us here are less likely to experience those obstacles.
Times Square at one point was practically half full of Mullvad ads. I already distrusted it but the sheer amount of money they spent to do that made it shadier to me
Mullvad is rather principled on privacy. You can't even make a real account, you can only generate an account number that you can charge, and I assume they do some sort of clever tricks to keep themselves as blind as possible to who uses the account number. Firefox Relay is also just whitelabeled Mullvad, so they have Mozilla's stamp of approval.
Of the big VPNs, the only one's that have ever felt shady to me are NordVPN and Private Internet Access. NordVPN because of the sheer amount of false advertising they pay YouTubers to do, and Private Internet Access because of how cheap they are and how poorly they maintain their infrastructure. Their .ovpn generated files haven't worked for 2+ years now because they include certificates with malformed revocation dates, and refuse to pay the certificate authority to update them.
>Mullvad is rather principled on privacy. You can't even make a real account, you can only generate an account number that you can charge, and I assume they do some sort of clever tricks to keep themselves as blind as possible to who uses the account number. Firefox Relay is also just whitelabeled Mullvad, so they have Mozilla's stamp of approval.
Yep. And I use the VPN connection (and/or TOR) to re-up my Mullvad VPN when I run low.
Mostly I use the VPN to protect my privacy when posting with a throwaway account here and/or other sites. And of course for torrenting.
What's more, I had some monero (XMR) left over from some other transactions, so I use that to pay for the VPN connection.
As such, unless Mullvad is storing the IP address from which I connect (and they claim they do not), it would be difficult (but not impossible -- I don't always use VPN when posting anonymously/throwaway -- that isn't a challenge!) to identify me through my VPN connections.
I feel like other VPNs sponsoring YouTubers or others to talk wonders about them while not really using their product makes me trust them less, especially if they are based in some opaque jurisdiction like NordVPN (Panama) or ExpressVPN (British Virgin Islands) among others
What about a malicious DNS (on a public spoofed or hacked WiFi) that forwards you to a lookalike domain? Unfortunately many times public WiFi doesn’t work with Google’s or Cloudflare’s DNS servers (I think the Deutsche Bahn’s WiFi was such a case, if I remember correctly, but I know I came across a few on the last few years while traveling). I don’t think there’s anything protecting against that when you’re using a browser.
Sometimes circumstances force one to connect to a public WiFi (e.g. airports, where WiFi is always super dodgy).
HSTS solves this to some extent. If you've visited the domain in the past (or the site operator submitted to the HSTS preload list), a different certificate presented would be flagged by your browser.
It isn't too useful nowadays, is it? With most websites' certificates being from Let's Encrypt or similar CAs automated via ACME and up to 90-day certs; and this getting reduced in the future to only 47 days. Every month you'd need to accept any website's new certificate.
Also, does HSTS have something to do with the authority? AFAIK it only forces the browser to use HTTPS and never plain HTTP for that domain, but if you switch from a legit Let's Encrypt to a legit ZeroSSL cert, HSTS won't care about it; only the browser if you have a not-trusted certificate from another CA (or self-signed).
Your better websites use "HSTS Preloading" to ensure users always get sent to the https version of the site - in which case even if the attacker redirected the DNS resolution, you'd just get an SSL error as the attacker wouldn't have a valid certificate.
Of course, an astonishing number of (even important, high-profile) websites don't bother with HSTS preloading ¯\_(ツ)_/¯
Why? In almost all countries ISPs are at the very least legally required to block websites and even surveil there customers. I trust mullvad about 100 times more than any ISP beholden to governments and profit incentive.
What about (3) "bypass government censorship"? UK and China are examples of where this is desirable. This is different from (1) because it's broader than just streaming shows and is about authoritarian rather than capitalist restrictions.
I think the general discussion is conflating censorship with age restrictions. Lumping the UK with China is very disingenuous.
The UK law is stipulating adult content can only be viewed if you are provably over 18. They are putting all of that responsibility onto the websites/platforms to enforce that.
If a child goes to a shop and tries to buy a pornographic magazine and they are denied, is that censorship?
If a child tries to see an 18 film at the Cinema and is denied, is that censorship?
The fact is both of these were freely and easily done on the Internet as most websites do not verify a users age.
I do not like the online safety act as it is, but it is not "censorship".
My ISP is smarter - they just block all the torrent and streaming site I visit, and try to push me to upgrade to a plan with many streaming platforms bundled in it. Sucks for them, because I already subscribe to a few of them but still prefer torrent-ing to download videos to watch them offline whenever I want, without unnecessary time limits, in the video / audio quality I want, in the medium I want (TV, computer, mobile devices etc.), with the software (player) I like, without ads and other nags.
I used to do private P2Ping actively. Now I don't. Not enough time - for that, not motivated enough - for that. So I was planning to let go of that VPS of mine where my Seedbox resides. But I am not sure anymore. I do feel I may let it up and running just like many others who did it when I couldn't afford a Seedbox.
Then on the other hand I feel that the real need are from people who come to find those Linux ISOs from public P2Ps and for that I think I will be booted off my VPS in a day or two. So eventually I think this will be better - dust off that old r-pi (or maybe get a new one), get a cheap HDD, get a VPN and let it stay at home and keep seeding.
And shitposting here in germany has become slightly more dangerous. If you use a vpn to call your local politician an idiot, you are much less likely to get into legal trouble.
Here in the United States, I don't know that I could trust the vpn to protect me from that. I remember an incident from a few years ago, some idiot at Harvard emailed in a bomb threat to get out of finals. They arrested him only a few hours later. It's possible he misused the vpn, but I suspect that they merely contacted the vpn provider, got a shortlist of people going through that endpoint, and eliminated all of them not in Boston. Didn't require any Stuxnet-type fuckery or super-secret technology. Be careful and good luck.
I remember that, Schneier talked about it on his blog.
It was actually tor (the threat came from tor), and harvard 'found' him by constantly logging what connections were going to known tor entries from on campus. As it turns out he was one or possibly the only one using tor that morning from harvard.
Bruce outlines it that he certainly could have stayed tight-lipped (all evidence was circumstantial) but, nevertheless confessed as soon as they approached him.
Network traffic analysis/DPI strikes again. I wonder how many people think that their VPN usage obscures their identity, when the flow of traffic at certain times gives X% probability that this person visited the site based on the timing/size/speed/length of each TCP stream, increasing in confidence every repeated visit. Hell, how often will someone download a file of exactly 7060378032 bytes? It may not be damning evidence, but it'll surely put you under suspicion; sometimes that's all it takes.
I'm looking forward to when VPNs always throw up chaff traffic.
It's not even that complicated, the list of Tor entry nodes is public, all they had to do is look in their logs for connections to those IP addresses coming from their network.
> I'm looking forward to when VPNs always throw up chaff traffic.
Mullvads DAITA (Defense Against AI-guided Traffic Analysis) is going into that direction[0] and Mullvad is one of the better providers. Tor also has some protections against this afaik and the upcoming nym vpn is also doing some traffic obfuscation [1]. But as the saying goes: Correlation Attacks are a bitch.
Yeah, it's not gonna help you for that but for low level "crime" (and those "" do some heavy lifting) where the police basically asks providers for logs once and than give up you are fine with any of the more "trustworthy" (and those "" do some heavy lifting) vpn providers.
Correlation attacks are a bitch and i'm sure i'm on a shortlist already but calling a politician an idiot with a burner account made using a vpn should be fine.
I'm a happy PIA user for many years, but I probably won't really trust any US-based VPN with what the Republicans are going to be doing in the next couple of years. They will absolutely destroy all privacy for the "save the children" boogeyman. A VPN not based in the US is the only workaround I can see, and that's if we're even allowed to use them.
Most non-technical people I know that have VPNs simply have it for streaming media from platforms that geo-restrict. It's a cat and mouse game as the provider bans servers/providers.
On the contrary so far to me only the so called non-technical users' VPN use cases have made any sense to me - "I want to access/do this site/streaming/p2p. I can't do this without a VPN. Hence I am using a VPN". That's it. No drama, no virtue signalling, no lecturing. Just a need.
It's the technical users whose myriad VPN use cases rather baffle me which in most cases eventually achieve little to none other than some sort of feeling of satisfaction or maybe placebo.
Additionally, all these VPNs do it with very pretty graphics. If the OSes went overboard with their Wi-Fi and Ethernet connection graphics, embellishing the connection security[1], VPN services would evaporate.
Making sensible choices requires thinking things through, and understanding what it really is that you are doing, or refrain from doing it. Experts are just as prone to neglecting this as novices. But expressing your misgivings about prevailing orthodoxies is an ungrateful undertaking as it tends to make people angry, and there is little honour to be had in getting vindicated.
I used to pay for IPredator because it allowed me to "port forward" without exposing my actual IP. Used to host minecraft servers for friends behind a Swedish IP. Also funnily enough, I could login to it on my college computers and bypass the college firewall.
> I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers
If you think they sell millions of subscriptions to "prevent identity theft" I have a bridge to sell you.
Your friends and relatives aren't going to tell you that they are using it for p0rn, online dating, to buy taboo things online, etc. That's the main use case for VPN software and that's why people are buying it. Doesn't matter if it works the perception that it works is more than enough.
>In my estimation the main reason people use VPNs is for pr*n and piracy
I get the piracy part, but why would someone want/need VPN for pr0n? That's not a gotcha or snark, I don't understand why folks would "need" vpn for that (assuming it's not* non-consensual, which includes hidden cameras and/or animals or children -- neither of whom can actually provide meaningful consent) as long as it's legal.
The gist of the report summary is that VPN companies can be really shady. At the same time, these companies enjoy an undeserved implicit trust from the public.
Sending all our data through an untrusted intermediary is a bad idea. Installing software from an unknown company (that hijacks the machine's entire network stack) is not a good way to protect data.
It all really depends on what you are protecting against. For the average person wanting to protect data and avoid being tracked, setting up thoughtful DNS infra, and a basic firewall, is probably more effective than using a commercial VPN from your home network.
For public networks, it's probably safer to set up a VPN server on your home network and use that in case you need to connect to public wifi or some other potentially hostile network.
The answer is always "maybe" until you bring your threat model to the table.
I use a VPN to watch IPTV & download torrents without my ISP sending me nasty letters. Mullvad is great for that.
I would trust it in conjunction with Tor to protect me from low-level crimes. I wouldn't run trust either it or Tor, alone or in combination, to run a marketplace the DEA would become interested in.
If your threat model is obscuring your home IP to hide your IP from above board HTTPS sites, a DIY VPN probably is great. If it's to do low level crime, a cheap VPN is probably enough. Anything else, good luck.
a DYI VPN may hide my home IP but it does not hide my identity unless the server i route through is not owned by me. also any server that i can use is likely blocked by wikipedia, youtube, reddit, and others because they detect and block hosting services.
> a DYI VPN may hide my home IP but it does not hide my identity unless the server i route through is not owned by me.
Again, threat model matters – hide your identity from whom?
You certainly won't hide it from someone who can seize payment records. You will struggle to hide it from someone who has control of enough of the internet to correlate data across sites, like Google or Cloudflare. But if you're looking to be pseudonymous in the face of a single site, or a small set of sites that don't conspire to unmask users? It might work just fine.
(unless as you rightly note they block your hosting service's ASN;-))
sure, threat model matters. no protection is 100%, but more is better. using my own hosted proxy means that my identity is out in public. it's not even hidden. no need to even seize payment records. anyone can look up the ip address and eventually figure out who owns the server. i might hide it somewhat if i use that proxy only for this purpose, not point any DNS records at it, not reveal any public data, never use it for services where i log in, etc.
truly anonymous hosters are high profile targets for law enforcement, so in my opinion they are higher risk than even VPN providers. not interested in getting caught up with that crowd. and for the good VPN providers at least a court order is necessary, and if the VPN doesn't log usage, they can't prove anything.
there is no threat model where your own hosted proxy could ever provide better protection than any VPN. i use my own proxy because it's free, because i already have a server where i host my website, not because it provides me with any kind of protection. to get that, a VPN would be easier and cheaper.
Between the parent and the other one, it's almost like I specifically pointed out the limited utility of this approach and all of the Well Acktshually posters had to spell it out anyway.
I was responding to someone who said they were technical, so it should be assumed they can work this all out for themselves.
A cheap VPS instance + DNS with adblock + self hosted VPN used to be great until around ~5 years ago, when a great many websites (especially streaming sites) just started blocking any IP range associated with a VPS provider. I've given up using VPSes as VPN exit nodes now.
I was a Suddenlink cable internet customer, and they threatened to reveal my identifying information to copyright trolls. The $4/month was cheaper than a court judgement against me or the $250/month+ it'd cost to subscribe to all the various streaming services and premium cable channels (magazine/books/music/movies is probably closer to $4000/month in retail price tags). Last week I thought to myself "what if I downloaded the entire Book-of-the-Month-Club since 1924?"
VPNs work. I never got another single nasty letter from Suddenstink.
A few months back, I sat down for a week with a free trial of an obscure webapp, downloaded all of their data and formatted it into json via the javascript console, and pirated by first webapp. Since it's not making xhr calls constantly, it's even snappier than the official one. I'm inventing new piracy methodology. Some of us are more dedicated than the rest of you.
I pay to route my traffic through a barely known intermediary to obscure its origin. It all depends on your threat model for that traffic. If the traffic itself is not sensitive (or already encrypted) but you want to obscure the origin from the destination, or the destination from your ISP, it works.
This is my feeling too. I also don't think these people realize how none of these groups can refuse a subpoena so the scenario of "the government coming after me," doesn't get addressed either.
Worse, some of these are tied to foreign nation state intelligence, who are now analyzing your data when before they couldn't because they didnt have a relationship with your ISP. Domestically, I wouldnt be surprised if all of this data from US owned VPNs is shipped to the NSA or other groups and analyzed. After the Snowden reveals its hard to really see this stuff as conspiracy anymore.
Weird technical issues happen because a lot of services don't keep vpn's in mind. I saw a lot of people were having issues connecting to multiplayer game servers. The vpn provider broke something, maybe it was on a blacklisted IP, maybe increased latency, maybe the IP is in the wrong region and people are connecting to a NA server but are in LATAM, etc.
I really dont know the use case for a vpn, not to mention advertising snooping happens on the application level anyway. Its javascript running on my browser and html5 and heaven knows what else analyzing me for ads, not "what IP did you connect from."
Lastly, there are privacy tools like onion and running a browser with no js active. These vpn types dont do that. They're actually not getting the privacy and security they want because tor is slow and a no-js firefox is unfun. So this weird cargo cult of VPNs has appeared, similar to stuff like "disable UAC" and other "computer enthusiast" knowledge you see in gamer or low information forums. Its the blind leading the blind here and these capitalist opportunists absolutely are taking advantage of that. "I'm safe I have a vpn," is a normal thing to say even though its almost entirely wrong.
The only practical use case I can think of is torrents where the legal and political will to subpoena a vpn provider is low, so its this weird loophole where you can torrent but your ISP will never be informed. For now I suppose until the IP holders think the legal fees are worth it or get a law passed to sidestep subpeonas.
Many major VPN providers claim to keep no logs, and some have had third party audits supporting that claim. Subpeonas don't do anything if the company doesn't keep logs.
I also wouldn’t trust VPN provider standing up to the pressure of really angry Western government. If Mullivad gets US FISA warrant followed by threat to destroy their ability gain access to US payments, they are going to flip logging for you on so fast.
I'm not necessarily sure they would, they've built their company based on no logs and privacy and seem fairly ideological, if this occurred their business would likely be permanently crippled. Most of their users use them because of their strong guarantees.
Turning on Logs for single user vs taking what could be crippling business hit? Maybe their CEO is ethical but that would be behavior I haven't seen from CEO ever.
Third party auditors aren't going to be allowed into Room 641A.
Courts can order providers to keep logs on certain users. Wiretapping laws also allow for it. And all of that goes out the window if the government decides there's a threat to national security.
I suspect every single VPN, including the ones who claim to not log, maintains or exposes enough information for a dedicated adversary to make a convincing case if they want. I give a little extra credit to Mullvad simply because I can put cash in the mail, but even then if a significant adversary wants to know you are connecting, they will.
> Domestically, I wouldnt be surprised if all of this data from US owned VPNs is shipped to the NSA or other groups and analyzed. After the Snowden reveals its hard to really see this stuff as conspiracy anymore.
Even the "friendly" international ones aren't in the clear. Sweden isn't in FVEY, but they're in Fourteen Eyes. And we know from the XKeyscore leaks that the NSA hoovers up metadata like there's no tomorrow. I'd bet my house that anyone who connects to a commercial VPN or _especially_ to Tor lights up like a Christmas tree on the NSAs board – so they might not know for sure what you're doing, but they know you are possibly doing something.
Apple's Private Relay is probably the best chance to actually blend in, but estimates are 1-2% usage for "average users" and 3-5% for Wikimedia editors who I'd assume to have a technical slant. That's an order of magnitude too low for a crowd to exist to blend into, and with two friendly US entities on both sides of the privacy equation, I wouldn't rely on it to stand up against significant scrutiny.
> The only practical use case I can think of is torrents where the legal and political will to subpoena a vpn provider is low, so its this weird loophole where you can torrent but your ISP will never be informed. For now I suppose until the IP holders think the legal fees are worth it or get a law passed to sidestep subpeonas.
My analysis tends towards this: there's a gradient of behavior that is "tolerated" at each step. If you want to torrent, a cheap VPN is tolerated and your crimes will be overlooked... because it's far better to catch serious criminals through that VPN. If you want to buy LSD from a dark web site, Tor lets your crimes be overlooked, because the big fish are the sellers. If you want to commit a significant crime, TLAs know everything about you already and the DEA/HSI/FBI/USPIS/IRS-CI or your local equivalents are ready to parallel construct your ass to the wall when you become noticeable enough.
But maybe I'm not as pessimistic as you – the vast majority of people aren't at the far end of the spectrum, so if you want to infringe copyrights, $60 to Mullvad for a year is what you want.
Do people here trust their ISPs more than their VPN providers? That’s the question!
On the other hand, as far as privacy from the end point is concerned, users can be identified regardless of IP addresses. Visit fingerprint.com, you will get an identifier, then connect to a privacy VPN and change servers once in a while. The website will identify you, tell you are the same user visited last week from such location, and the number of times you visited.
Browsers (except Tor) send so much data that accurate identification is possible without IP address. And services could refuse to work if users don’t provide the required information, although that info could be randomized.
I'm more worried about all the sites that require my phone number under the auspices of two-factor authentication. It's probably the most trackable bit of personally-identifying information these days.
I do trust my ISP more than any foreign VPN service providers because I have the option to take my ISP to court if they violate my rights. I stopped caring about anonymity on political subjects when I realised not being anonymous made me more civil online, and more mindful of what I want to talk about. (Ofcourse, I can think like this because I have the privilege of living a democracy).
If you lived in a place like Germany or the UK, you could get arrested for posting online that you don't like what Israel is doing in Gaza or that you think Elon Musk is a Nazi (among other things you could get arrested for saying). In this case, routing your traffic through an unknown intermediary makes sense.
You said you have to be mindful of what you say and how you say it, in order to comply with the law. In other words, your legitimate speech is being chilled. Why do you think that's okay?
I do say many critical things about my political leaders and government policies, online. But, like I said, I am more mindful of what I say and how I say it (e.g. I often quote such things from a news source / media). (People in Germany and UK can do so too - just understand the law and quote DW, BBC, DailyMail etc., all of whom have mentioned something about the Gaza genocide or Elon Musk's Nazi like behaviour, at some point). If the government wants to come after you, they will. You have to have faith in your democracy and the courts. If you are losing faith in your democratic setup, be prepared to mobilise people with some political party (or start one) and fight for your rights - it will have more lasting political impact than any anonymous post you make online.
I have faith the courts will interpret the law as written, because that's what they almost always have done so far, and the way they've previously interpreted it. And the law as written says don't be antisemitic. And the law as previously interpreted is that saying anything bad about Israel is antisemitism.
Quoting antisemitic publications for the purpose of agreeing with them is also antisemitism, not sure why you'd think it wouldn't be.
Yeah, I understand your point quite well. Many western countries do (or are trying to) conflate criticism of Israel and antisemitism, to create a chilling effect to protests against their own foreign policies on Israel and Israel's policies on Palestine ( see https://politics.stackexchange.com/q/93431 ). But, like I said, while a government intent on persecuting will do so, they still have to deal with the courts too - as far as I know, no one has been successfully prosecuted under such laws.
> Quoting antisemitic publications for the purpose of agreeing with them is also antisemitism, not sure why you'd think it wouldn't be.
Not really. It would be the media outlet who would be liable as you are only simply repeating what they said in good faith.
I’d probably use a VPN if I need to do something sketchy or egregiously illegal, but self hosted and behind 7 proxies. Or I could just use TOR and exercise a bit of OPSEC.
It greatly improves on the existing VPN trust model by separating the "who" (connecting IP, potential payment info, etc.), from the "what" (IP traffic). You no longer have a trust a single entity not being malicious or compromised.
Disclaimer: I run obscura.net, which does exactly this with Mullvad (our partner) as the Exit Hop.
MullvadVPN seem to be pretty decent at the moment, but it looks like they're laying down a worldwide VPN infrastructure of sorts that other VPN companies can rent (similar to phone networks)
This makes me feel a little uneasy of their unstated longterm goals (corner the entire market), but I do think they are the most trustworthy out there right now
We have a few partners who use our infrastructure (e.g. Mozilla), but we're not trying to dominate as a white-label solution. In fact, we've said no to a few well-known brands who wanted to white-label our infrastructure.
We want to make online mass surveillance and censorship ineffective. Mullvad is political action through entrepreneurship. We're reinvesting a lot of our profit into open-source software and hardware projects that benefit both Mullvad and the wider community.
I really don't want us to "corner the entire market" because that would make us a single point of failure. I would like to think that our hard work help push the market to keep improving.
I really like the "to plant trees in the shade of which we will never sit" statement. My pessimism only comes from watching trusted giants like Google and Cloudflare turn into critical infrastructure that in turn dictates the web.
May you continue to be the beacon of trustworthiness and hope that we all need right now
I think Mullvad's market share is still pretty low compared to NordVPN, which actually cornered the market thanks to their suspiciously large advertising budget.
and egregious marketing material. I think they're the ones who pushed the whole "its about security". I remember Tom Scott turning them down a lot because they wanted him to say that for the $$$ and he refused. Eventually I think they backed down and he got paid and did an ad for them without saying how it "improves security".
I also think this is the scandal waiting to emerge in this space; with what we know from Snowden/CryptoAG/Encrypted message app sting operations etc it is borderline impossible for me to believe not one of the major players is owned by a State level intelligence service.
Kape Technologies, an Israeli firm with ties to Israeli intelligence, owns several well-known VPN companies, including PIA, ExpressVPN, and Cyberghost.
I'm a happy Mullvad customer for years now, except a lot of their IPs seem to have been flagged (presumably due to scraping or similar) meaning that some sites are close to unusable when behind the VPN. Reddit is a prime example.
(I read somewhere a while back that they don't refresh their IPs (unlike some other VPNs?) but I have no special insight into this.)
This is the reality of VPNs, they’re going to end up with a short shelf life because major sites block them. Australians think that VPN will save them with the upcoming age restriction and verification for social media sites in coming months, and I’m quite sure that most VPN providers will be ineffective.
The notion of "zero trust" shouldn't just mean corporations not having to inherently trust users and networks. It should also mean users not having to inherently trust corporations.
VPN providers all run the same two or three VPN protocols, all with similar security guarantees and privacy limitations.
I've been playing with MASQUE relays over the last year. Apple's iCloud Private Relay is a MASQUE relay (two, actually). MASQUE can offer genuine privacy improvements via traffic separation, preventing any single party from correlating the traffic source and destination.
Some of the privacy concerns of VPN users can be mitigated with better technology. And relays are built into Apple operating systems today. I'm surprised that they aren't very widely deployed yet.
I have no idea why people, especially in the United States, trust companies so much. I bump elbows with a lot of different crowds(rural, urban, conservative, liberal, etc) so I have a pretty decent sample size and without fail most people trust companies waaaay too much. Then they're shocked when a company lets them down because the company could make more money.
Stop trusting companies. They only care about 3 month profits.
I've always assumed that commercial VPN service providers were intelligence agency fronts. One only has to look back on the CIA's Swiss front company[1] selling encryption equipment for decades[2] to our supposed allies to become sufficiently cynical.
I assume similar Wikipedia entries will appear in the future about some, if not most of today's VPN providers.
How realistic is possibility that some VPN providers use clients (computers of person who installed VPN) to just be able to crawl (or rent crawl infra) sites and make it look like regular residential traffic? (This is speculation i heard somewhere)
Like reverse VPN :) on one side makes client look like he's accessing internet from VPN exit location, and on the other end allowing for money someone to pretend that he's a residential client.
There are various services that do this, e.g. BrightData:
> Bright Data is the World’s Largest Residential Proxy IP Network providing companies the ability to emulate a real user in any country, city or carrier (ASN) in the world. [...] Bright Data has an SDK (software development kit) that is implemented into applications. Bright SDK provides an attractive alternative to advertisements by providing the app user with the choice to opt-in to Bright Data’s network instead. For every user that opts-in to the Bright Data network, Bright Data pays a monthly fee to the application vendor, who passes that value on to the user by not displaying ads.
I haven't heard of any of the VPN providers doing this, but it wouldn't really surprise me.
This isn’t VPN providers per se - most want to be able to control their own exit nodes.
There are however a fair number of commercial proxies that do exactly that, sometimes via consumer malware. I know several startup founders who have used them as a way to scrape lots of data and not get banned. Usually the interface they provide to the customer is just a normal SaaS “pay us money and give us a list of URLs and we will give you the page content”, and the interface they provide to the end user is a game or marginally useful utility, and nobody but the company realizes they’re doing something dodgy.
There are also apps that purport to pay you up to a dollar a gigabyte (no joke) for proxying traffic.
And it's not even illegal, not even shady. I see nothing wrong with getting paid to help big companies compete with/destroy each other.
As a bonus you help rid the world of Cloudflare. Cloudflare serves more captchas to ISPs with more proxies. When every ISP is captcha'd, every user will hate Cloudflare.
It's not a get rich quick scheme - there's low demand for proxying at that kind of price.
I'm not going to shill specific companies, so just Google 'get paid to share mobile data' or something.
Interesting how the comments heading this thread ignore the effect of VPNs on surveillance and data collection for the benefit of online advertising, i.e., the stuff that so-called "tech" companies rely on as a "business model"
Must be that these so-called "tech" companies have no problem figuring out who is the ad target behind each VPN IP address, fingerprinting them and tracking their online behaviour acrosss every computer they use
TIL VPNs actually have _no impact_ on the data collection and ad services "business model"
That's why we sell only the service [1] and point our users to the default app install (Wireguard in our case). Ever since Holla VPN and the entire Brightdata/Luminati clusterf~ VPNs are a risky business for users. Most of them are proxy nodes underneath, they rent you datacenter IPs while they sell your residential internet to third parties.
Do you have a source that shows that popular VPN providers such as Mullvad or NordVPN actually sell your residential internet to third parties? That's a bold claim, but pretty scary if true.
yes, search for NordVPN vs Luminatti (guys behind Holla VPN) scandal: "nordvpn luminati lawsuit patent". Basically Luminatti, now known as bright data, reached out to NordVPN in order to utilise their user's internet as residential proxy nodes. NordVPN thought otherwise and created their own network instead (Oxylabs if I'm not mistaken). They are still in patent wars I believe.
I don't know anything bad about Mullvad! That being said I, as a small business owner in this space, will not use any of them, ever. I know it sounds like a "yeah right" because I sell the services but I know better.
> That being said I, as a small business owner in this space, will not use any of them, ever. I know it sounds like a "yeah right" because I sell the services but I know better.
maybe, harder tho and they will refuse to do so because that client install is close to malware on some providers. That's why we only hand out the config and instruct the user to install the official app.
Our residentials are actually dedicated which are advertised as residentials by the provider. Sort of a mix where you get speed and stability as opposed to real residentials which are known to barely hold a connection sometimes. We also tried subrenting some real residentials but we will probably close that service since it brings nothing but pain due to unreliability. We're more focused now on privacy oriented services or anti censorship ones. Working atm on bringing Amnezia Wireguard up, we launched Trojan proxies earlier this year also.
Ive been a proton supporter since email. I like theor product suite. I use a vpn for all the reasons listed here, but mostly for obfuscating my traffic (and torrenting).
Their email UI is extremely clunky and unrefined, both on the desktop and on the app. When I delete a message in the app, it just stays there in the folder. When I empty spam in the desktop, its count doesn't update. It's like they don't use their own product.
Also, relying on its VPN for illegal activities is incredibly foolish since they log your IP and probably have your payment info.
It's worse than that. The company bought by said billionaire, and which in turn bought ExpressVPN, was founded by a member of Unit 8200 (Israel's NSA), and started out making browser advertising malware.
I’ve been keen to point out there is more utility in the technology underlying VPNs than the VPN functionality itself. The WireGuard handshake and transport encryption are lightweight and secure and I added support for it to my service as an option to secure data in flight. It’s getting used by developers and enterprises, not consumers.
IPSec perhaps less so since it is more complicated and open to insecure configurations (transport mode).
I'd like to point out that a regime may find it worthwhile to compromise more kinds/sizes of VPNs than we might expect.
The evil regime doesn't need to have a popular evil VPN that everybody uses... it may be enough to operate (or hack) a smaller VPN which can unmask enough dissidents that their friend-groups can be found by other means.
If I was the US government, I'd push Google Play to offer compromised updates of Signal silently to a few people I was interested in. Even among the highly-technical, who is going to be inspecting binaries installed on a phone regularly?
Does Signal even have reproducible builds? How do I know the code matches the binary?
I'd make my own messenger.... but I don't have the money for that at all.
I wish these risks could be split up and handled separately - Suppose I run a private dark network for me and my friends, and then the GUI for chatting over it runs in a sandbox where it can only message servers that I control, using public/private keys that I control.
Conflating a million lines of Java GUI code with "Noise is a simple and secure protocol" seems like a big attack surface.
I do this but this means two things:
* I am tied to paying the exit node so my identity is known to the provider
* I am responsible for the upkeep of said node
I don't know why anyone wouldn't assume that any VPN service is run by an intelligence service, potentially one hostile to you, or organized crime.
Consider-- people bring their traffic to you to monitor, and particularly people who are trying to conceal their identity or activities. They pay you for this, which means that if you get collateral benefit you can run at a small loss and undercut any legitimate players (if there are any!) or run levels of advertising that a legitimate business couldn't sustain. -- while its simultaneously one of the most cost effective surveillance plays you could imagine, since it's still primarily funded by the victims.
VPN services also have good deniability for their surveillance. Although (maybe!) your ISP can't surveil the VPNed traffic the VPN provider's ISP can as well as your counterparties ISP (and any other parties brought into the mix by things like third party content). And like any other electronic surveillance, parallel construction can be highly effective.
They can also be stood up by anyone, you can run any number of services. They don't require extremely extensive physical infrastructure, investment, large numbers of employees like running an ISP. You can even target particular actors or populations by using targeted advertising, though it's still most effective as a data hoovering operation.
Particularly for the intelligence actors they also have the benefit that issues like getting harassed by the state are among the complications of this business, but that is potentially less of an issue if you are the state.
And if there were an actually honest provider, they'd be a prime target for infiltration... all that interesting traffic in one place.
I don't use a VPN for anything that would get me in the cross hairs of a nation-state. I use it to trade crypto outside my jurisdiction, make sure my ISP doesn't get torrenting complaints, obscure my traffic from wifi networks I don't trust, that sort of thing. None of these things have enough money or power behind them that peeling away the VPN is worth it, so it's good enough.
i’m not sure what this list is, why investigate vpn companies yet dont even look at nordvpn, pia, express, or others that are wildly popular yet still shady af with their real world origins?
i mean, those companies are so popular they’re almost normie household names. the couple i looked at from the papers list have a small fraction of downloads compared to the above.
i agree that we absolutely need a deeper dive and a lot more transparency on who owns these companies but i’m curious why they chose to avoid the elephants in the room.
Shameless plug: VP.NET [1] runs in a trusted execution environment (enclave) so you can verify it is doing what it is supposed to do and not anything else!
no you can't... you can verify what something is doing, but there's no guarantee it's the same code routing your VPN requests, or that nothing else on the network/server is listening/forwarding your traffic elsewhere.
Commercial VPNs will go down as one of the greatest money-making schemes of the last decade. Outside of a few specific use cases their sales often rely on leveraging non-technical users' fear of what they don't fully understand.
I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft", or my personal favorite: "to protect my bank accounts".
Not a single person has said "I pay to route my traffic through an unknown intermediary to obscure its origin" or "I installed new root certificates to increase my security."
Long ago, in the era of Firesheep and exploding prevalence of coffee-shop Wi-Fi, consumer VPN services were definitely valuable.
But that was long ago. Now, HTTPS is the norm. The only use cases for consumer VPNs today seem to be (1) "pretend I'm in a different geography so I can stream that show I wanted to see" and (2) "torrent with slightly greater impunity".
I live in Seattle and Mullvad VPN seems to have bought approximately all of the ad space on public transit over the past couple months. Their messaging is all about "freeing the internet" and fighting the power. It's deeply silly and, I worry, probably quite good at attracting new customers who have no need for (or understanding of) VPNs whatsoever.
The way I see it there's four use cases:
- protecting your privacy from your local ISP, WiFi, school, government etc
- protecting your privacy from some forms of online tracking
- circumventing censorship
- circumventing geographical restrictions
If you combine masking of your IP address with a web browser that protects you from various types of browser-based fingerprinting, you are more in control of your privacy online. You get to decide, to a greater extent, who you share very personal information with. That doesn't seem very silly.
(disclosure: I'm one of the deeply silly cofounders of Mullvad)
There's a niche fifth reason. Roaming between upstreams while not having open TCP connections drop. I use multiple ISP's and on mullvad I can swap which wifi/ethernet I'm on and all my connections stay up since wireguard is stateless.
Good point. That is indeed a distinct fifth reason.
Here's a sixth one: for some users it can improve latency, bandwidth and/or even cost.
latency/bandwidth: because of weird peering agreements between ISPs / ASes.
cost: there are networks where consumers pay per MB for international traffic, but not local traffic. Consumers can sometimes establish a VPN tunnel to the local data center and get an unmetered international connection, because the data center has a different agreement with the monopolistic consumer ISP.
How about a seventh: in solidarity with people who are facing censorship or oppression.
Like, if only dissidents and malcontents use a VPN (or TOR or HTTPS or E2E encrypted messaging apps) then if you want to reduce dissent, you can just round up all the VPN users and have them shot. If everyone uses VPNs for normal internet use, that becomes impractical.
If you're willing to shoot people, you can just make VPNs illegal and wait 30 days.
> Here's a sixth one: for some users it can improve latency, bandwidth and/or even cost.
I find that using a VPN over starlink is quite a different experience than terrestrial. I can VPN through another country and the speed isn't affected nearly as much. My guess is that the route is satellite to satellite, so it is much faster.
Yup, when you're not using a VPN, even with encrypted DNS and HTTPS, you're still sending hostnames (e.g. wikileaks.org) over plaintext in TLS SNI for every HTTPS connection. I believe most firewall appliances now even prefer to use SNI for deep-packet-inspection since it's so reliable.
> I'm one of the deeply silly cofounders of Mullvad
Cool.
Also funny, but it would be nice if you addressed the specific objection. Here are some of the new ads: https://mullvad.net/en/blog/advertising-that-targets-everyon... . Do you think they appeal more to consumers who are seeking "it keeps me vaguely secure", or it helps me watch Venezuelan Netflix and avoid some kinds of targeted advertising personalisation?
> it would be nice if you addressed the specific objection
I'm pretty sure I did. I'll happily answer yours as well.
> Do you think they appeal more to consumers who are seeking "it keeps me vaguely secure", or it helps me watch Venezuelan Netflix and avoid some kinds of targeted advertising personalisation?
Between those two options, definitely "it keeps me vaguely secure". None of the ads you link to are intended for customers that want to circumvent geographical restrictions. We don't market to that customer segment.
Advertisement targeting is a risk. Even just leaking your IP to various services introduces risks and being able to build profiles on your activities online introduces risk.
Usually the risk is you spend money you wouldn't have otherwise spend, but those profiles can also be used for future nefarious reasons. You're basically just relying on everyone running analytics to be good people, forever. Remember, anything on the internet is forever. And, even if they are, you're still relying on them having perfect security, forever. If a database breach happens and people now know everything data brokers and analytics services know... that's a problem.
IMO, nobody should browse the web without a reliable and trustworthy VPN, at all.
Hi! Thanks for your deeply non-silly reply; it's nice to (virtually) meet a cofounder.
If you have time, I'd love to hear your thoughts on Mullvad's campaign here in Seattle.
For what it's worth, I suppose my perspective boils down to: the first three issues aren't issues here in town, or can be addressed in more direct ways (we have a wide choice of providers; 1st party browsers and services cover the gamut of tracking concerns; etc). Circumventing geographical restrictions is useful, but -- perhaps understandably! -- doesn't appear to be what Mullvad is advertising on the trains I ride.
Sure!
Regarding tracking concerns, masking your IP address is a necessary but insufficient first step to improving your privacy online. ISPs typically don't allow their users to do that per-device in a UX-friendly way. Protecting against browser fingerprinting is something that Mullvad Browser does quite well, thanks to it being a fork of Tor Browser.
As for circumventing geo restrictions, you're absolutely right. We make an effort to get it to work, but ultimately privacy and censorship is much more of a priority for us. That's why we don't advertise it.
Finally, the campaign isn't just about getting more customers. We started Mullvad for political reasons, and now we have the resources to spread that message further. Governments around the world are warming up to the idea of mandatory device-side mass surveillance and backdooring E2E encryption. We're trying to build public opinion against that.
I’m surely happy to not live in the UK at the moment. And Indonesia of course. If I would live in one of these countries I’d be using VPN. And maybe in the (not so distant) future this is preferable in the US too.
> We're trying to build public opinion against that.
Good on you!
But to be honest; it seems that it would be in Mullvads interest if the US starts requiring “open encryption” for internet services! Then more people would feel the need for VPNs
Actually, no. Our goal is to make mass surveillance and censorship ineffective, not maximizing profit to our shareholders. If there was a big red button we could push that accomplishes our goal and makes Mullvad obsolete in the process, we'd push it. There's an abundance of problems to solve in the world. It'd be nice if we could figure out how to get rid of some and move on to other problems.
At this point I'm reminded of Tom Scott's honest VPN advertisement, contrasting how VPNs are advertised (on YouTube, at least) with the main features that they really provide.
* https://youtube.com/watch?v=WVDQEoe6ZWY
Thanks for running the service guys, I appreciate it
Also (3) work around overbroad restrictions on public Wi-Fi, which still sometimes do things like block Reddit or HN or SSH. But I guess more typical consumers than those of us here are less likely to experience those obstacles.
Times Square at one point was practically half full of Mullvad ads. I already distrusted it but the sheer amount of money they spent to do that made it shadier to me
Mullvad is rather principled on privacy. You can't even make a real account, you can only generate an account number that you can charge, and I assume they do some sort of clever tricks to keep themselves as blind as possible to who uses the account number. Firefox Relay is also just whitelabeled Mullvad, so they have Mozilla's stamp of approval.
Of the big VPNs, the only one's that have ever felt shady to me are NordVPN and Private Internet Access. NordVPN because of the sheer amount of false advertising they pay YouTubers to do, and Private Internet Access because of how cheap they are and how poorly they maintain their infrastructure. Their .ovpn generated files haven't worked for 2+ years now because they include certificates with malformed revocation dates, and refuse to pay the certificate authority to update them.
>Mullvad is rather principled on privacy.
no their not. protonvpn spends money to offer free account as form of advertisment. mullvd spend money on weird billboards.
protonvpn provide free privacy even for those from 3rld world country. you can create proton email anonymousley thats also protonvpn account
protonvpn is principled on privacy.
>Mullvad is rather principled on privacy. You can't even make a real account, you can only generate an account number that you can charge, and I assume they do some sort of clever tricks to keep themselves as blind as possible to who uses the account number. Firefox Relay is also just whitelabeled Mullvad, so they have Mozilla's stamp of approval.
Yep. And I use the VPN connection (and/or TOR) to re-up my Mullvad VPN when I run low.
Mostly I use the VPN to protect my privacy when posting with a throwaway account here and/or other sites. And of course for torrenting.
What's more, I had some monero (XMR) left over from some other transactions, so I use that to pay for the VPN connection.
As such, unless Mullvad is storing the IP address from which I connect (and they claim they do not), it would be difficult (but not impossible -- I don't always use VPN when posting anonymously/throwaway -- that isn't a challenge!) to identify me through my VPN connections.
> my privacy when posting with a throwaway account here
What's the data/IP/etc retention logging situation of HN? Do they have a page on it?
They also allow cash and monero payments over a onion site.
Might I ask, what made you distrust them prior to that?
I feel like other VPNs sponsoring YouTubers or others to talk wonders about them while not really using their product makes me trust them less, especially if they are based in some opaque jurisdiction like NordVPN (Panama) or ExpressVPN (British Virgin Islands) among others
what constitutes just the right amount of advertising to make it not shady to you?
What about a malicious DNS (on a public spoofed or hacked WiFi) that forwards you to a lookalike domain? Unfortunately many times public WiFi doesn’t work with Google’s or Cloudflare’s DNS servers (I think the Deutsche Bahn’s WiFi was such a case, if I remember correctly, but I know I came across a few on the last few years while traveling). I don’t think there’s anything protecting against that when you’re using a browser.
Sometimes circumstances force one to connect to a public WiFi (e.g. airports, where WiFi is always super dodgy).
I don't think a malicous DNS Server can redirect your request to a domain that does not result in a certificate warning when using HTTPS.
With browsers adopting DoH, a public WiFi should not be able to interfere with DNS much.
HSTS solves this to some extent. If you've visited the domain in the past (or the site operator submitted to the HSTS preload list), a different certificate presented would be flagged by your browser.
Not a different certificate, but one signed by an untrusted authority. HSTS won't let you bypass it.
There used to be a Firefox addon that could warn you if the actual certificate changed, but it died with manifest addons.
It isn't too useful nowadays, is it? With most websites' certificates being from Let's Encrypt or similar CAs automated via ACME and up to 90-day certs; and this getting reduced in the future to only 47 days. Every month you'd need to accept any website's new certificate.
Also, does HSTS have something to do with the authority? AFAIK it only forces the browser to use HTTPS and never plain HTTP for that domain, but if you switch from a legit Let's Encrypt to a legit ZeroSSL cert, HSTS won't care about it; only the browser if you have a not-trusted certificate from another CA (or self-signed).
Your better websites use "HSTS Preloading" to ensure users always get sent to the https version of the site - in which case even if the attacker redirected the DNS resolution, you'd just get an SSL error as the attacker wouldn't have a valid certificate.
Of course, an astonishing number of (even important, high-profile) websites don't bother with HSTS preloading ¯\_(ツ)_/¯
You forgot 'connectivity from my home ISP to my favorite online game is temporarily degraded' but yeah ;)
>It's deeply silly
Why? In almost all countries ISPs are at the very least legally required to block websites and even surveil there customers. I trust mullvad about 100 times more than any ISP beholden to governments and profit incentive.
What about (3) "bypass government censorship"? UK and China are examples of where this is desirable. This is different from (1) because it's broader than just streaming shows and is about authoritarian rather than capitalist restrictions.
Add at least 18 US states to your examples if you consider age verification for porn to be government censorship.
Apparently, weaklings censor, so fighting them doesn't raise above the silly level
I think the general discussion is conflating censorship with age restrictions. Lumping the UK with China is very disingenuous.
The UK law is stipulating adult content can only be viewed if you are provably over 18. They are putting all of that responsibility onto the websites/platforms to enforce that.
If a child goes to a shop and tries to buy a pornographic magazine and they are denied, is that censorship?
If a child tries to see an 18 film at the Cinema and is denied, is that censorship?
The fact is both of these were freely and easily done on the Internet as most websites do not verify a users age.
I do not like the online safety act as it is, but it is not "censorship".
What about all the websites that either shut down or fully blocked the UK? Is that censorship?
Do you feel safer now?
(3) The fare aggregator that sold you a ticket to visit BFE conveniently also geoblock that very place.
That assumes that the user isn't connecting to a hotspot he doesn't know is compromised.
[dead]
Mine is simple: avoid my ISP complaining about torrents.
Avoid my ISPs piss poor routing and peering - especially during peak times.
My ISP is smarter - they just block all the torrent and streaming site I visit, and try to push me to upgrade to a plan with many streaming platforms bundled in it. Sucks for them, because I already subscribe to a few of them but still prefer torrent-ing to download videos to watch them offline whenever I want, without unnecessary time limits, in the video / audio quality I want, in the medium I want (TV, computer, mobile devices etc.), with the software (player) I like, without ads and other nags.
I used to do private P2Ping actively. Now I don't. Not enough time - for that, not motivated enough - for that. So I was planning to let go of that VPS of mine where my Seedbox resides. But I am not sure anymore. I do feel I may let it up and running just like many others who did it when I couldn't afford a Seedbox.
Then on the other hand I feel that the real need are from people who come to find those Linux ISOs from public P2Ps and for that I think I will be booted off my VPS in a day or two. So eventually I think this will be better - dust off that old r-pi (or maybe get a new one), get a cheap HDD, get a VPN and let it stay at home and keep seeding.
And shitposting here in germany has become slightly more dangerous. If you use a vpn to call your local politician an idiot, you are much less likely to get into legal trouble.
Here in the United States, I don't know that I could trust the vpn to protect me from that. I remember an incident from a few years ago, some idiot at Harvard emailed in a bomb threat to get out of finals. They arrested him only a few hours later. It's possible he misused the vpn, but I suspect that they merely contacted the vpn provider, got a shortlist of people going through that endpoint, and eliminated all of them not in Boston. Didn't require any Stuxnet-type fuckery or super-secret technology. Be careful and good luck.
I remember that, Schneier talked about it on his blog.
It was actually tor (the threat came from tor), and harvard 'found' him by constantly logging what connections were going to known tor entries from on campus. As it turns out he was one or possibly the only one using tor that morning from harvard.
Bruce outlines it that he certainly could have stayed tight-lipped (all evidence was circumstantial) but, nevertheless confessed as soon as they approached him.
Network traffic analysis/DPI strikes again. I wonder how many people think that their VPN usage obscures their identity, when the flow of traffic at certain times gives X% probability that this person visited the site based on the timing/size/speed/length of each TCP stream, increasing in confidence every repeated visit. Hell, how often will someone download a file of exactly 7060378032 bytes? It may not be damning evidence, but it'll surely put you under suspicion; sometimes that's all it takes.
I'm looking forward to when VPNs always throw up chaff traffic.
It's not even that complicated, the list of Tor entry nodes is public, all they had to do is look in their logs for connections to those IP addresses coming from their network.
> I'm looking forward to when VPNs always throw up chaff traffic.
Mullvads DAITA (Defense Against AI-guided Traffic Analysis) is going into that direction[0] and Mullvad is one of the better providers. Tor also has some protections against this afaik and the upcoming nym vpn is also doing some traffic obfuscation [1]. But as the saying goes: Correlation Attacks are a bitch.
[0] https://mullvad.net/de/vpn/daita [1] https://nym.com/
> https://nym.com/
The first line on the landing page says:
"The world’s most private VPN 80% off today!"
Very intresting.
Yeah, it's not gonna help you for that but for low level "crime" (and those "" do some heavy lifting) where the police basically asks providers for logs once and than give up you are fine with any of the more "trustworthy" (and those "" do some heavy lifting) vpn providers.
Correlation attacks are a bitch and i'm sure i'm on a shortlist already but calling a politician an idiot with a burner account made using a vpn should be fine.
Mine are:
1) I like Canadian shows in Netflix more than American
2) People in Silicon Valley get charged more on certain travel sites than people in Detroit.
> 2) People in Silicon Valley get charged more on certain travel sites than people in Detroit.
I wonder how this compares to Florida vs Detroit... Hmmm...
Which provider? How do you forward ports?
Port forwarding is really easy with PIA's client. I had to switch to them because Mullvad doesn't offer port forwarding anymore unfortunately.
Damn! I was thinking about switching to Mullvad from PIA, but now I guess I won't.
Yeah, PIA is great. You can even use regular wireguard with it if you don't want to use their client. Been a happy use for many years
Being able to use wg-quick to create a tunnel is also something mullvad supports, just fyi
Reminder: PIA is owned (was bought in 2019) by a company with ties to Israeli intelligence, and which started out producing advertising malware.
https://hackread.com/private-internet-access-pia-vpn-sold-is...
I'm a happy PIA user for many years, but I probably won't really trust any US-based VPN with what the Republicans are going to be doing in the next couple of years. They will absolutely destroy all privacy for the "save the children" boogeyman. A VPN not based in the US is the only workaround I can see, and that's if we're even allowed to use them.
Run docker and the haugene-transmission image if you don't want your wife complaining and asking why Facebook thinks she's visiting Romania.
> when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft"
I always assumed that was like head shops selling water pipes for "tobacco smoking"
A fig leaf, to keep their business respectable and the credit card processors off their backs.
Most non-technical people I know that have VPNs simply have it for streaming media from platforms that geo-restrict. It's a cat and mouse game as the provider bans servers/providers.
On the contrary so far to me only the so called non-technical users' VPN use cases have made any sense to me - "I want to access/do this site/streaming/p2p. I can't do this without a VPN. Hence I am using a VPN". That's it. No drama, no virtue signalling, no lecturing. Just a need.
It's the technical users whose myriad VPN use cases rather baffle me which in most cases eventually achieve little to none other than some sort of feeling of satisfaction or maybe placebo.
Additionally, all these VPNs do it with very pretty graphics. If the OSes went overboard with their Wi-Fi and Ethernet connection graphics, embellishing the connection security[1], VPN services would evaporate.
[1]
UNIVERSAL-->SECURE CONNECTION
https://youtube.com/v/zXyG_HncULU
Making sensible choices requires thinking things through, and understanding what it really is that you are doing, or refrain from doing it. Experts are just as prone to neglecting this as novices. But expressing your misgivings about prevailing orthodoxies is an ungrateful undertaking as it tends to make people angry, and there is little honour to be had in getting vindicated.
I used to pay for IPredator because it allowed me to "port forward" without exposing my actual IP. Used to host minecraft servers for friends behind a Swedish IP. Also funnily enough, I could login to it on my college computers and bypass the college firewall.
> I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers
If you think they sell millions of subscriptions to "prevent identity theft" I have a bridge to sell you.
Your friends and relatives aren't going to tell you that they are using it for p0rn, online dating, to buy taboo things online, etc. That's the main use case for VPN software and that's why people are buying it. Doesn't matter if it works the perception that it works is more than enough.
Are you sure they aren't just giving you a politically correct answer?
In my estimation the main reason people use VPNs is for pr*n and piracy and they may not want to just flat out admit it.
>In my estimation the main reason people use VPNs is for pr*n and piracy
I get the piracy part, but why would someone want/need VPN for pr0n? That's not a gotcha or snark, I don't understand why folks would "need" vpn for that (assuming it's not* non-consensual, which includes hidden cameras and/or animals or children -- neither of whom can actually provide meaningful consent) as long as it's legal.
Pornhub is blocked in 21 U.S. states (including Texas and Florida) and heavily crippled in the UK.
>Pornhub is blocked in 21 U.S. states (including Texas and Florida) and heavily crippled in the UK.
Fair enough. And likely a host of other sites too, I guess.
Commercial VPNs do indeed vaguely promise to protect your data, access, etc.
For those of us that are technical but unschooled, what resources would you recommend we learn from?
The gist of the report summary is that VPN companies can be really shady. At the same time, these companies enjoy an undeserved implicit trust from the public.
Sending all our data through an untrusted intermediary is a bad idea. Installing software from an unknown company (that hijacks the machine's entire network stack) is not a good way to protect data.
It all really depends on what you are protecting against. For the average person wanting to protect data and avoid being tracked, setting up thoughtful DNS infra, and a basic firewall, is probably more effective than using a commercial VPN from your home network.
For public networks, it's probably safer to set up a VPN server on your home network and use that in case you need to connect to public wifi or some other potentially hostile network.
I'm not aware of any authoritative article on this topic but I generally share writings by Schneier. This one touches on the subject: https://www.schneier.com/blog/archives/2021/06/vpns-and-trus...
You can operate your own VPN (algovpn, openvpn, etc). There's low utility to doing so, but it's fairly straightforward these days.
Or run Tailscale (and a self-hosted DERP relay).
> You can operate your own VPN
On what infra? Can you trust that one? Doesn't that solution just move the problem down one level?
The answer is always "maybe" until you bring your threat model to the table.
I use a VPN to watch IPTV & download torrents without my ISP sending me nasty letters. Mullvad is great for that.
I would trust it in conjunction with Tor to protect me from low-level crimes. I wouldn't run trust either it or Tor, alone or in combination, to run a marketplace the DEA would become interested in.
If your threat model is obscuring your home IP to hide your IP from above board HTTPS sites, a DIY VPN probably is great. If it's to do low level crime, a cheap VPN is probably enough. Anything else, good luck.
a DYI VPN may hide my home IP but it does not hide my identity unless the server i route through is not owned by me. also any server that i can use is likely blocked by wikipedia, youtube, reddit, and others because they detect and block hosting services.
> a DYI VPN may hide my home IP but it does not hide my identity unless the server i route through is not owned by me.
Again, threat model matters – hide your identity from whom?
You certainly won't hide it from someone who can seize payment records. You will struggle to hide it from someone who has control of enough of the internet to correlate data across sites, like Google or Cloudflare. But if you're looking to be pseudonymous in the face of a single site, or a small set of sites that don't conspire to unmask users? It might work just fine.
(unless as you rightly note they block your hosting service's ASN;-))
sure, threat model matters. no protection is 100%, but more is better. using my own hosted proxy means that my identity is out in public. it's not even hidden. no need to even seize payment records. anyone can look up the ip address and eventually figure out who owns the server. i might hide it somewhat if i use that proxy only for this purpose, not point any DNS records at it, not reveal any public data, never use it for services where i log in, etc.
truly anonymous hosters are high profile targets for law enforcement, so in my opinion they are higher risk than even VPN providers. not interested in getting caught up with that crowd. and for the good VPN providers at least a court order is necessary, and if the VPN doesn't log usage, they can't prove anything.
there is no threat model where your own hosted proxy could ever provide better protection than any VPN. i use my own proxy because it's free, because i already have a server where i host my website, not because it provides me with any kind of protection. to get that, a VPN would be easier and cheaper.
This.
Between the parent and the other one, it's almost like I specifically pointed out the limited utility of this approach and all of the Well Acktshually posters had to spell it out anyway.
I was responding to someone who said they were technical, so it should be assumed they can work this all out for themselves.
You provided some great breadcrumbs. I appreciate your responses.
I did this for a while in combination with a PiHole setup on a small vultr.com package.
Utility in that was that the traffic of all devices was routed through a "PiHoled VPN", so very little advertisements came through...
A cheap VPS instance + DNS with adblock + self hosted VPN used to be great until around ~5 years ago, when a great many websites (especially streaming sites) just started blocking any IP range associated with a VPS provider. I've given up using VPSes as VPN exit nodes now.
The caveat with this is you're going to encounter every Cloudflare capture possible.
I was a Suddenlink cable internet customer, and they threatened to reveal my identifying information to copyright trolls. The $4/month was cheaper than a court judgement against me or the $250/month+ it'd cost to subscribe to all the various streaming services and premium cable channels (magazine/books/music/movies is probably closer to $4000/month in retail price tags). Last week I thought to myself "what if I downloaded the entire Book-of-the-Month-Club since 1924?"
VPNs work. I never got another single nasty letter from Suddenstink.
A few months back, I sat down for a week with a free trial of an obscure webapp, downloaded all of their data and formatted it into json via the javascript console, and pirated by first webapp. Since it's not making xhr calls constantly, it's even snappier than the official one. I'm inventing new piracy methodology. Some of us are more dedicated than the rest of you.
I use a VPN to access crypto apps that I'm geoblocked from
ok, but lets be honest: would they really tell you they're using it to make sure the government doesn't know they're a furry?
I pay to route my traffic through a barely known intermediary to obscure its origin. It all depends on your threat model for that traffic. If the traffic itself is not sensitive (or already encrypted) but you want to obscure the origin from the destination, or the destination from your ISP, it works.
This is my feeling too. I also don't think these people realize how none of these groups can refuse a subpoena so the scenario of "the government coming after me," doesn't get addressed either.
Worse, some of these are tied to foreign nation state intelligence, who are now analyzing your data when before they couldn't because they didnt have a relationship with your ISP. Domestically, I wouldnt be surprised if all of this data from US owned VPNs is shipped to the NSA or other groups and analyzed. After the Snowden reveals its hard to really see this stuff as conspiracy anymore.
Weird technical issues happen because a lot of services don't keep vpn's in mind. I saw a lot of people were having issues connecting to multiplayer game servers. The vpn provider broke something, maybe it was on a blacklisted IP, maybe increased latency, maybe the IP is in the wrong region and people are connecting to a NA server but are in LATAM, etc.
I really dont know the use case for a vpn, not to mention advertising snooping happens on the application level anyway. Its javascript running on my browser and html5 and heaven knows what else analyzing me for ads, not "what IP did you connect from."
Lastly, there are privacy tools like onion and running a browser with no js active. These vpn types dont do that. They're actually not getting the privacy and security they want because tor is slow and a no-js firefox is unfun. So this weird cargo cult of VPNs has appeared, similar to stuff like "disable UAC" and other "computer enthusiast" knowledge you see in gamer or low information forums. Its the blind leading the blind here and these capitalist opportunists absolutely are taking advantage of that. "I'm safe I have a vpn," is a normal thing to say even though its almost entirely wrong.
The only practical use case I can think of is torrents where the legal and political will to subpoena a vpn provider is low, so its this weird loophole where you can torrent but your ISP will never be informed. For now I suppose until the IP holders think the legal fees are worth it or get a law passed to sidestep subpeonas.
I use mullvad and the main reasons I pay the 5$ a month are:
1) I do believe it is quite private
2) the socksv5 proxy is useful to prevent qbittorrent connecting to the internet at work by mistake
3) if the network is spotty or a bit unstable the vpn hides the instability from apps
4) I don't trust my isp DNS
5) geoblocking (mullvad is not the best at this though)
Many major VPN providers claim to keep no logs, and some have had third party audits supporting that claim. Subpeonas don't do anything if the company doesn't keep logs.
I also wouldn’t trust VPN provider standing up to the pressure of really angry Western government. If Mullivad gets US FISA warrant followed by threat to destroy their ability gain access to US payments, they are going to flip logging for you on so fast.
I'm not necessarily sure they would, they've built their company based on no logs and privacy and seem fairly ideological, if this occurred their business would likely be permanently crippled. Most of their users use them because of their strong guarantees.
Turning on Logs for single user vs taking what could be crippling business hit? Maybe their CEO is ethical but that would be behavior I haven't seen from CEO ever.
Third party auditors aren't going to be allowed into Room 641A.
Courts can order providers to keep logs on certain users. Wiretapping laws also allow for it. And all of that goes out the window if the government decides there's a threat to national security.
I suspect every single VPN, including the ones who claim to not log, maintains or exposes enough information for a dedicated adversary to make a convincing case if they want. I give a little extra credit to Mullvad simply because I can put cash in the mail, but even then if a significant adversary wants to know you are connecting, they will.
> Domestically, I wouldnt be surprised if all of this data from US owned VPNs is shipped to the NSA or other groups and analyzed. After the Snowden reveals its hard to really see this stuff as conspiracy anymore.
Even the "friendly" international ones aren't in the clear. Sweden isn't in FVEY, but they're in Fourteen Eyes. And we know from the XKeyscore leaks that the NSA hoovers up metadata like there's no tomorrow. I'd bet my house that anyone who connects to a commercial VPN or _especially_ to Tor lights up like a Christmas tree on the NSAs board – so they might not know for sure what you're doing, but they know you are possibly doing something.
Apple's Private Relay is probably the best chance to actually blend in, but estimates are 1-2% usage for "average users" and 3-5% for Wikimedia editors who I'd assume to have a technical slant. That's an order of magnitude too low for a crowd to exist to blend into, and with two friendly US entities on both sides of the privacy equation, I wouldn't rely on it to stand up against significant scrutiny.
> The only practical use case I can think of is torrents where the legal and political will to subpoena a vpn provider is low, so its this weird loophole where you can torrent but your ISP will never be informed. For now I suppose until the IP holders think the legal fees are worth it or get a law passed to sidestep subpeonas.
My analysis tends towards this: there's a gradient of behavior that is "tolerated" at each step. If you want to torrent, a cheap VPN is tolerated and your crimes will be overlooked... because it's far better to catch serious criminals through that VPN. If you want to buy LSD from a dark web site, Tor lets your crimes be overlooked, because the big fish are the sellers. If you want to commit a significant crime, TLAs know everything about you already and the DEA/HSI/FBI/USPIS/IRS-CI or your local equivalents are ready to parallel construct your ass to the wall when you become noticeable enough.
But maybe I'm not as pessimistic as you – the vast majority of people aren't at the far end of the spectrum, so if you want to infringe copyrights, $60 to Mullvad for a year is what you want.
Do people here trust their ISPs more than their VPN providers? That’s the question!
On the other hand, as far as privacy from the end point is concerned, users can be identified regardless of IP addresses. Visit fingerprint.com, you will get an identifier, then connect to a privacy VPN and change servers once in a while. The website will identify you, tell you are the same user visited last week from such location, and the number of times you visited.
Browsers (except Tor) send so much data that accurate identification is possible without IP address. And services could refuse to work if users don’t provide the required information, although that info could be randomized.
I absolutely trust VPNs like Mullvad and iVPN more than my ISP. It's a major reason I use a VPN.
Thank you!
I'm more worried about all the sites that require my phone number under the auspices of two-factor authentication. It's probably the most trackable bit of personally-identifying information these days.
I do trust my ISP more than any foreign VPN service providers because I have the option to take my ISP to court if they violate my rights. I stopped caring about anonymity on political subjects when I realised not being anonymous made me more civil online, and more mindful of what I want to talk about. (Ofcourse, I can think like this because I have the privilege of living a democracy).
>more mindful of what I want to talk about
I would call that self censorship. If I want to insult a politician I will do so from a network location that won't get me put in legal trouble.
>I can think like this because I have the privilege of living a democracy
This has less to do with the political system than free speech which is nonexistent or limited even in most western countries that are democracies
If you lived in a place like Germany or the UK, you could get arrested for posting online that you don't like what Israel is doing in Gaza or that you think Elon Musk is a Nazi (among other things you could get arrested for saying). In this case, routing your traffic through an unknown intermediary makes sense.
You said you have to be mindful of what you say and how you say it, in order to comply with the law. In other words, your legitimate speech is being chilled. Why do you think that's okay?
I do say many critical things about my political leaders and government policies, online. But, like I said, I am more mindful of what I say and how I say it (e.g. I often quote such things from a news source / media). (People in Germany and UK can do so too - just understand the law and quote DW, BBC, DailyMail etc., all of whom have mentioned something about the Gaza genocide or Elon Musk's Nazi like behaviour, at some point). If the government wants to come after you, they will. You have to have faith in your democracy and the courts. If you are losing faith in your democratic setup, be prepared to mobilise people with some political party (or start one) and fight for your rights - it will have more lasting political impact than any anonymous post you make online.
I have faith the courts will interpret the law as written, because that's what they almost always have done so far, and the way they've previously interpreted it. And the law as written says don't be antisemitic. And the law as previously interpreted is that saying anything bad about Israel is antisemitism.
Quoting antisemitic publications for the purpose of agreeing with them is also antisemitism, not sure why you'd think it wouldn't be.
Yeah, I understand your point quite well. Many western countries do (or are trying to) conflate criticism of Israel and antisemitism, to create a chilling effect to protests against their own foreign policies on Israel and Israel's policies on Palestine ( see https://politics.stackexchange.com/q/93431 ). But, like I said, while a government intent on persecuting will do so, they still have to deal with the courts too - as far as I know, no one has been successfully prosecuted under such laws.
> Quoting antisemitic publications for the purpose of agreeing with them is also antisemitism, not sure why you'd think it wouldn't be.
Not really. It would be the media outlet who would be liable as you are only simply repeating what they said in good faith.
I’d probably use a VPN if I need to do something sketchy or egregiously illegal, but self hosted and behind 7 proxies. Or I could just use TOR and exercise a bit of OPSEC.
I use a VPN because it does NAT and shared public IP. My residential connection’s public IP and timestamp uniquely identifies my physical residence.
Also ISPs are shady and will sniff your DNS and SNI and they know your name, address, and phone number, and will sell it all as a bundle.
Damn, I thought incognito at least did some obfuscation.
https://coveryourtracks.eff.org
I had no idea about "Canvas fingerprinting" or that my browser tells sites how many CPUs I have installed.
I'm surprised no one has mentioned iCloud Relay-style Multi-Party Relays yet: https://www.privacyguides.org/articles/2024/11/17/where-are-...
It greatly improves on the existing VPN trust model by separating the "who" (connecting IP, potential payment info, etc.), from the "what" (IP traffic). You no longer have a trust a single entity not being malicious or compromised.
Disclaimer: I run obscura.net, which does exactly this with Mullvad (our partner) as the Exit Hop.
so now i have to trust two providers doing the right thing instead of one?
It's trusting A OR B, rather than A AND B
MullvadVPN seem to be pretty decent at the moment, but it looks like they're laying down a worldwide VPN infrastructure of sorts that other VPN companies can rent (similar to phone networks)
This makes me feel a little uneasy of their unstated longterm goals (corner the entire market), but I do think they are the most trustworthy out there right now
We have a few partners who use our infrastructure (e.g. Mozilla), but we're not trying to dominate as a white-label solution. In fact, we've said no to a few well-known brands who wanted to white-label our infrastructure.
As for our long term goals, take a look at our owner's directive: https://mullvad.net/en/blog/ownership-and-future-mullvad-vpn
We want to make online mass surveillance and censorship ineffective. Mullvad is political action through entrepreneurship. We're reinvesting a lot of our profit into open-source software and hardware projects that benefit both Mullvad and the wider community.
I really don't want us to "corner the entire market" because that would make us a single point of failure. I would like to think that our hard work help push the market to keep improving.
I really like the "to plant trees in the shade of which we will never sit" statement. My pessimism only comes from watching trusted giants like Google and Cloudflare turn into critical infrastructure that in turn dictates the web.
May you continue to be the beacon of trustworthiness and hope that we all need right now
>trusted giants like Google and Cloudflare
How where they ever even in anyway trusted??? They are literally peoples search results for sale and MITM as a service.
When they came out, the alternatives were worse.
I think Mullvad's market share is still pretty low compared to NordVPN, which actually cornered the market thanks to their suspiciously large advertising budget.
and egregious marketing material. I think they're the ones who pushed the whole "its about security". I remember Tom Scott turning them down a lot because they wanted him to say that for the $$$ and he refused. Eventually I think they backed down and he got paid and did an ad for them without saying how it "improves security".
Of the two im more suspicious that NordVPN is a CIA honeypot in the style of Crypto AG.
I also think this is the scandal waiting to emerge in this space; with what we know from Snowden/CryptoAG/Encrypted message app sting operations etc it is borderline impossible for me to believe not one of the major players is owned by a State level intelligence service.
Kape Technologies, an Israeli firm with ties to Israeli intelligence, owns several well-known VPN companies, including PIA, ExpressVPN, and Cyberghost.
https://hackread.com/private-internet-access-pia-vpn-sold-is...
That and all those Tor nodes too.
they probably learned from past and this time it will not be publicly known. so that's another option
Based on what? They seem to be one of the reputable players in the industry.
Sheer level of advertising and marketing.
I'm a happy Mullvad customer for years now, except a lot of their IPs seem to have been flagged (presumably due to scraping or similar) meaning that some sites are close to unusable when behind the VPN. Reddit is a prime example.
(I read somewhere a while back that they don't refresh their IPs (unlike some other VPNs?) but I have no special insight into this.)
This is the reality of VPNs, they’re going to end up with a short shelf life because major sites block them. Australians think that VPN will save them with the upcoming age restriction and verification for social media sites in coming months, and I’m quite sure that most VPN providers will be ineffective.
They'll work to hide you from Australia.
The notion of "zero trust" shouldn't just mean corporations not having to inherently trust users and networks. It should also mean users not having to inherently trust corporations.
VPN providers all run the same two or three VPN protocols, all with similar security guarantees and privacy limitations.
I've been playing with MASQUE relays over the last year. Apple's iCloud Private Relay is a MASQUE relay (two, actually). MASQUE can offer genuine privacy improvements via traffic separation, preventing any single party from correlating the traffic source and destination.
Some of the privacy concerns of VPN users can be mitigated with better technology. And relays are built into Apple operating systems today. I'm surprised that they aren't very widely deployed yet.
I have no idea why people, especially in the United States, trust companies so much. I bump elbows with a lot of different crowds(rural, urban, conservative, liberal, etc) so I have a pretty decent sample size and without fail most people trust companies waaaay too much. Then they're shocked when a company lets them down because the company could make more money.
Stop trusting companies. They only care about 3 month profits.
I've always assumed that commercial VPN service providers were intelligence agency fronts. One only has to look back on the CIA's Swiss front company[1] selling encryption equipment for decades[2] to our supposed allies to become sufficiently cynical.
I assume similar Wikipedia entries will appear in the future about some, if not most of today's VPN providers.
[1] https://en.wikipedia.org/wiki/Crypto_AG
[2] https://en.wikipedia.org/wiki/Operation_Rubicon
https://web.archive.org/web/20250904091545if_/https://www.op...
How realistic is possibility that some VPN providers use clients (computers of person who installed VPN) to just be able to crawl (or rent crawl infra) sites and make it look like regular residential traffic? (This is speculation i heard somewhere)
Like reverse VPN :) on one side makes client look like he's accessing internet from VPN exit location, and on the other end allowing for money someone to pretend that he's a residential client.
There are various services that do this, e.g. BrightData:
> Bright Data is the World’s Largest Residential Proxy IP Network providing companies the ability to emulate a real user in any country, city or carrier (ASN) in the world. [...] Bright Data has an SDK (software development kit) that is implemented into applications. Bright SDK provides an attractive alternative to advertisements by providing the app user with the choice to opt-in to Bright Data’s network instead. For every user that opts-in to the Bright Data network, Bright Data pays a monthly fee to the application vendor, who passes that value on to the user by not displaying ads.
I haven't heard of any of the VPN providers doing this, but it wouldn't really surprise me.
This isn’t VPN providers per se - most want to be able to control their own exit nodes.
There are however a fair number of commercial proxies that do exactly that, sometimes via consumer malware. I know several startup founders who have used them as a way to scrape lots of data and not get banned. Usually the interface they provide to the customer is just a normal SaaS “pay us money and give us a list of URLs and we will give you the page content”, and the interface they provide to the end user is a game or marginally useful utility, and nobody but the company realizes they’re doing something dodgy.
There are a number of "free" VPN providers that have been documented to do this, if you search you should find some articles about it.
There are also apps that purport to pay you up to a dollar a gigabyte (no joke) for proxying traffic.
And it's not even illegal, not even shady. I see nothing wrong with getting paid to help big companies compete with/destroy each other.
As a bonus you help rid the world of Cloudflare. Cloudflare serves more captchas to ISPs with more proxies. When every ISP is captcha'd, every user will hate Cloudflare.
It's not a get rich quick scheme - there's low demand for proxying at that kind of price.
I'm not going to shill specific companies, so just Google 'get paid to share mobile data' or something.
any examples about this? really interesting
My pet theory for a while now has been that all of the biggest VPNs are secretly run by the NSA or other equivalent nation-state organizations.
Or worse, as the article points out,
Interesting how the comments heading this thread ignore the effect of VPNs on surveillance and data collection for the benefit of online advertising, i.e., the stuff that so-called "tech" companies rely on as a "business model"
Must be that these so-called "tech" companies have no problem figuring out who is the ad target behind each VPN IP address, fingerprinting them and tracking their online behaviour acrosss every computer they use
TIL VPNs actually have _no impact_ on the data collection and ad services "business model"
I'd love to know how many people use VPNs because of "fear of being hacked" (hack covering everything non tech-savvy here).
Almost everyone I know use VPNs only to bypass restrictions, not for fear or privacy.
That's why we sell only the service [1] and point our users to the default app install (Wireguard in our case). Ever since Holla VPN and the entire Brightdata/Luminati clusterf~ VPNs are a risky business for users. Most of them are proxy nodes underneath, they rent you datacenter IPs while they sell your residential internet to third parties.
[1] https://www.anonymous-proxies.net/products/
Do you have a source that shows that popular VPN providers such as Mullvad or NordVPN actually sell your residential internet to third parties? That's a bold claim, but pretty scary if true.
yes, search for NordVPN vs Luminatti (guys behind Holla VPN) scandal: "nordvpn luminati lawsuit patent". Basically Luminatti, now known as bright data, reached out to NordVPN in order to utilise their user's internet as residential proxy nodes. NordVPN thought otherwise and created their own network instead (Oxylabs if I'm not mistaken). They are still in patent wars I believe.
I don't know anything bad about Mullvad! That being said I, as a small business owner in this space, will not use any of them, ever. I know it sounds like a "yeah right" because I sell the services but I know better.
> That being said I, as a small business owner in this space, will not use any of them, ever. I know it sounds like a "yeah right" because I sell the services but I know better.
If you weren't you, would you trust your service?
> I don't know anything bad about Mullvad!
Is it even possible for them to do something like this for people who just use the OpenVPN/Wireguard configs and don't install an app?
I mean can they really even if you're using off the shelf client software like plain OpenVPN?
maybe, harder tho and they will refuse to do so because that client install is close to malware on some providers. That's why we only hand out the config and instruct the user to install the official app.
> We offer highly secure, /.../Residential /.../ Proxies.
Where do you get residential proxies? I ask because I'm always reminded of https://sponsor.ajay.app/emails/.
Our residentials are actually dedicated which are advertised as residentials by the provider. Sort of a mix where you get speed and stability as opposed to real residentials which are known to barely hold a connection sometimes. We also tried subrenting some real residentials but we will probably close that service since it brings nothing but pain due to unreliability. We're more focused now on privacy oriented services or anti censorship ones. Working atm on bringing Amnezia Wireguard up, we launched Trojan proxies earlier this year also.
brightdata but it will cost several hundred USD per month
Ive been a proton supporter since email. I like theor product suite. I use a vpn for all the reasons listed here, but mostly for obfuscating my traffic (and torrenting).
Their email UI is extremely clunky and unrefined, both on the desktop and on the app. When I delete a message in the app, it just stays there in the folder. When I empty spam in the desktop, its count doesn't update. It's like they don't use their own product.
Also, relying on its VPN for illegal activities is incredibly foolish since they log your IP and probably have your payment info.
What is this list that doesnt include NordVPN and ExpressVPN?
A list made by NordVPN or ExpressVPN
> ExpressVPN
You mean the one owned by an Israeli billionaire? Hopefully they don’t find a way to make your monitor remotely explode.
It's worse than that. The company bought by said billionaire, and which in turn bought ExpressVPN, was founded by a member of Unit 8200 (Israel's NSA), and started out making browser advertising malware.
https://hackread.com/private-internet-access-pia-vpn-sold-is...
I’ve been keen to point out there is more utility in the technology underlying VPNs than the VPN functionality itself. The WireGuard handshake and transport encryption are lightweight and secure and I added support for it to my service as an option to secure data in flight. It’s getting used by developers and enterprises, not consumers.
IPSec perhaps less so since it is more complicated and open to insecure configurations (transport mode).
I'd like to point out that a regime may find it worthwhile to compromise more kinds/sizes of VPNs than we might expect.
The evil regime doesn't need to have a popular evil VPN that everybody uses... it may be enough to operate (or hack) a smaller VPN which can unmask enough dissidents that their friend-groups can be found by other means.
That threat model for Signal worries me.
If I was the US government, I'd push Google Play to offer compromised updates of Signal silently to a few people I was interested in. Even among the highly-technical, who is going to be inspecting binaries installed on a phone regularly?
Does Signal even have reproducible builds? How do I know the code matches the binary?
I'd make my own messenger.... but I don't have the money for that at all.
I wish these risks could be split up and handled separately - Suppose I run a private dark network for me and my friends, and then the GUI for chatting over it runs in a sandbox where it can only message servers that I control, using public/private keys that I control.
Conflating a million lines of Java GUI code with "Noise is a simple and secure protocol" seems like a big attack surface.
This goes back to that old meme from before: "There is no cloud, it's just someone else's computer."
I use tailscale with an exit node. I just need location control. Wireguard gives me that.
Wireguard doesn't give you exit nodes, it's just the encrypted L3 stack.
Whomever is responsible for your exit nodes actually gives you this functionality.
If it's tailscale itself then they use mullvad nodes as exit nodes which I welcome very much.
> Wireguard doesn't give you exit nodes, it's just the encrypted L3 stack.
That's why I said tailscale lol. But I understand, I guess I said it in a confusing manner.
> If it's tailscale itself then they use mullvad nodes as exit nodes which I welcome very much.
You can also set on of your devices as an exit node for your Tailscale network. Kind of cool.
I do this but this means two things: * I am tied to paying the exit node so my identity is known to the provider * I am responsible for the upkeep of said node
With online development responsibilities, I don't find VPNs to be compatible with what I do all day.
That said, the few implementations I have test before seemed leaky and not as useful as they claim.
I've been happy with AirVPN, curious to hear how others feel about them. Pretty reliable and seems good enough for my purposes, at least.
VPN Comparison Table
https://docs.google.com/spreadsheets/d/1ijfqfLrJWLUVBfJZ_Yal...
95% of VPN companies are owned by Mossad
Are you referring to the cluster of VPNs owned by Israeli tech magnate Teddy Sagi?
CyberGhost, Private Internet Access (PIA), ZenMate, ExpressVPN, and Intego
I don't know why anyone wouldn't assume that any VPN service is run by an intelligence service, potentially one hostile to you, or organized crime.
Consider-- people bring their traffic to you to monitor, and particularly people who are trying to conceal their identity or activities. They pay you for this, which means that if you get collateral benefit you can run at a small loss and undercut any legitimate players (if there are any!) or run levels of advertising that a legitimate business couldn't sustain. -- while its simultaneously one of the most cost effective surveillance plays you could imagine, since it's still primarily funded by the victims.
VPN services also have good deniability for their surveillance. Although (maybe!) your ISP can't surveil the VPNed traffic the VPN provider's ISP can as well as your counterparties ISP (and any other parties brought into the mix by things like third party content). And like any other electronic surveillance, parallel construction can be highly effective.
They can also be stood up by anyone, you can run any number of services. They don't require extremely extensive physical infrastructure, investment, large numbers of employees like running an ISP. You can even target particular actors or populations by using targeted advertising, though it's still most effective as a data hoovering operation.
Particularly for the intelligence actors they also have the benefit that issues like getting harassed by the state are among the complications of this business, but that is potentially less of an issue if you are the state.
And if there were an actually honest provider, they'd be a prime target for infiltration... all that interesting traffic in one place.
Final results from the table on page 50:
Operates more transparently. No concerning findings identified.
• Mullvad (Mullvad)
• TunnelBear (TunnelBear)
• Lantern (Lantern)
• Psiphon (Psiphon)
• ProtonVPN (Proton VPN)
Operates more anonymously. Potentially concerning, but no definitive findings.
• HotVPN (HotVPN)
• LetsVPN (LetsVPN)
• Astrill VPN (Astrill VPN)
• CookieDevs (Cookie, Ciao Proxy Pro)
• VPN Super Inc (VPN - Super Unlimited Proxy)
• PureVPN (PureVPN)
• Potato VPN (Potato VPN)
Concerning and suspicious findings (users should avoid).
• Innovative Connecting (Turbo VPN - Secure VPN Proxy, Turbo VPN Lite - VPN Proxy, VPN Monster - Secure VPN Proxy)
• Autumn Breeze (SnapVPN, Signal Secure VPN - Robot VPN)
• Lemon Clove (SuperNet VPN, VPN Proxy Master Pro, VPN Proxy Master Lite)
• Matrix Mobile (Global VPN)
• ForeRaya Technologies (Melon VPN)
• Hong Kong Silence Technology (Super Z VPN)
• Yolo Mobile Technology (Touch VPN - Stable & Secure, VPN ProMaster - Secure your net)
• Wild Tech (3X VPN - Smooth Browsing, VPN Inf, Melon VPN - Secure Proxy VPN)
I don't use a VPN for anything that would get me in the cross hairs of a nation-state. I use it to trade crypto outside my jurisdiction, make sure my ISP doesn't get torrenting complaints, obscure my traffic from wifi networks I don't trust, that sort of thing. None of these things have enough money or power behind them that peeling away the VPN is worth it, so it's good enough.
> Yolo Technology Limited
I mean, this seems like the company name equivalent of the yellow and black stripes on a wasp. It is a _warning_.
i’m not sure what this list is, why investigate vpn companies yet dont even look at nordvpn, pia, express, or others that are wildly popular yet still shady af with their real world origins?
i mean, those companies are so popular they’re almost normie household names. the couple i looked at from the papers list have a small fraction of downloads compared to the above.
i agree that we absolutely need a deeper dive and a lot more transparency on who owns these companies but i’m curious why they chose to avoid the elephants in the room.
Shameless plug: VP.NET [1] runs in a trusted execution environment (enclave) so you can verify it is doing what it is supposed to do and not anything else!
[1] https://vp.net/l/en-US/blog/Don%27t-Trust-Verify
no you can't... you can verify what something is doing, but there's no guarantee it's the same code routing your VPN requests, or that nothing else on the network/server is listening/forwarding your traffic elsewhere.
You can since the enclave attests to what is running!
This is also coupled with the crypto and NAT occuring in-enclave with various timing/obfuscations. It's verifiably private.
Shameless antiplug: It's owned by the guy who destroyed freenode and the other guy who stole $2.4 trillion in bitcoins a decade ago. I'm serious.
VPNs don’t really stop fingerprinting techniques, if anyone is using it for that.
[dead]
You get what you pay for...
I don't think a high price in the VPN market is a reliable indicator of "getting something better"
VPN companies often overpackage their offerings and overcharge -- this truism doesn't apply when shopping for VPNs.