234 comments

[ 4.5 ms ] story [ 273 ms ] thread
Too be honest despite your reassurance I still expected that there would be affiliate links, purchase cookies or other tracking somewhere (I checked, all good). Thanks for sharing your reviews!
god forbid they make money for their time (and money) spent!
I don't mind affiliate links. I mind when ratings, scores, ordering of results are influenced by payment from the reviewed companies. Or companies get excluded because they don't offer affiliate programs.

Example http://www.top10bestvpn.com/ "Please be advised that the operator of this site ACCEPTS advertising COMPENSATION from certain companies that appear on the site, and such compensation IMPACTS THE LOCATION AND ORDER in which the companies (and/or their products) are presented, and in some cases may also IMPACT THE SCORING that is assigned to them." (emphasis mine)

I hate to sound like I'm advertising, but I've found blackvpn quite good. It's based in Hong Kong.
I frankly wouldn't want any of my traffic going anywhere that close to China regardless of how well they implement their stuff.
Private Internet Access

> A pretty boring company. Extremely transactional. You get in and get out. It delivers its experience the way a utility company would. Sometimes, that may be a good thing. But in this case, since I have choice, I'd rather give my money to a company who would appreciate it a little more — perhaps put it to better use.

PIA might be very "transactional" but I like them and I've never had any issues with their service. I'm surprised it didn't get a better rating. I don't need a flashy VPN, a utility is exactly what I'm looking for.

They connect on port 80 (HTTP instead of HTTPS) on startup. That's unacceptable for a privacy company.
It's worse than that. Back when I used PIA a few years ago, they would pass your username and password around in the query string, completely plain-text. That was their session mechanism. I sent them an email explaining the problem and got a refund. Their security mistakes, and the fact that they are based in the US, disqualify them for me. I really wish people would recommend someone else.
I would be interested to know more about this; why they were doing it at the time and if it's still being done.

The use of port 80 is not really important; I'm not sure if the article's author is using "port 80" as shorthand for "unencrypted" but that's sloppy writing if so; you can certainly establish encrypted connections over port 80, of course. I used to do SSH on port 80 all the time to get around stupid firewalls...

Rasengan answers above the port 80 call is for non-sensitive data and is signed.
> That's unacceptable for a privacy company.

Why?

The fact of a connection being established in port 80 is to do with how TCP/IP works. You aren't even claiming to understand what protocol is in use on port 80, not to mention whether the data is in the clear, what it is for, etc. This isn't analysis, it's... something far short of analysis that I can't think of a kind name for.

(comment deleted)
That, in and of itself, is not an issue. Your browsers, for example, download Certificate Revocation Lists over plain-text HTTP as well -- but they are digitally signed.
Given that he rates Vyrpr above PIA, when Vypr have had clear incidents of doing enough logging to identify which user has done something [1][2], and PIA do no logging [3], I'm not particularly inclined to trust this analysis on the basis of which app is more "fun" to use.

Disclaimer: I used to use Vyrpr, when I found out about the logging, I switched to PIA, which I use with Tunnelblick anyway instead of their app. Furthermore, I can only really go by what they say, as I don't have inside access to their systems.

[1]: https://www.reddit.com/r/torrents/comments/17g53i/if_you_tho... [2]: https://www.goldenfrog.com/copyright [3]: https://helpdesk.privateinternetaccess.com/hc/en-us/articles...

He doesn't rate Vyper above PIA:

Vyper: 8,2,0

PIA: 9,4,0

The stars are identified as being from his personal experience and he discusses the rationale behind them.

Since the entries on the site are ordered top-to-bottom based entirely on his subjective rating, ignoring the objective criteria, the list absolutely rates Vype higher, in both a figurative and literal sense, and in a way that implies that his 5-star ratings are far more important than the objective criteria.
PIA used to be fast, a year ago. Somehow at times they were faster than my underlying connection!

Now, they're _much_ slower. Surely it's not just me.

I have not noticed any change in speed. I did use an ISP at one point that would throttle high bandwidth VPN traffic pretty aggressively though.
Wow, surprising. I thought I'd see a lot of "me too" responses.

So maybe it _is_ just me, or my ISP throttles encrypted traffic, or ....

To steal (and paraphrase) what is basically the perfect summary of this from @SwiftOnSecurity:

Commercial VPNs: for when you want all the security of Ukrainian coffee-house wifi from the comfort of your own home.

Taylor Swift isn't wrong about this. Use something like Algo to run your own VPN if you have to. If you must use a commercial VPN to get to Netflix or whatever, do it from inside a virtual machine that you use for nothing but that.

I heard VPNs don't work on netflix anymore.
Sort of; they are good at flagging VPN ips but you can always spin up your own to get around this.
I assume they are pretty good about blocking popular VPS host ip addresses too, though.

So not just spinning up your own, but finding a VPS host they don't yet know about.

Something that can work well on a limited scale is if you have access to ssh into company/edu servers around the world - then you can use sshuttle and your traffic looks like it coming from a company/university campus.
Have friends that went back to their homes for summer. They're logging to their universities via the school VPN to watch game of thrones and other things...
They seem to block all of Linode, so I wouldn't be surprised if they block other popular VPS providers as well.
It's a game of whack-a-mole, to be sure, but I have a high success rate with NordVPN. FWIW.
You have the security of the datacenter provider instead when you use something like Algo. That datacenter provider is going to have logging, probably wouldn't take pseudoanonymous payment methods like BTC directly, does not have legal insurance, will shut you down if you get enough file sharing complaints and probably wouldn't do things like having RAM only VPN servers w/ read only boot media.

Nothing prevents the datacenter provider from doing the bad crap that commercial VPN providers can do. There are ones out there that let you use standard clients as well, so the bad client software part is kind of moot. The only advantage you get is control and responsibility over the vpn server.

> Nothing prevents the datacenter provider from doing the bad crap that commercial VPN providers can do.

Money prevents it. Of course datacenter could toggle logging for particular server, but logging everything is very expensive. Most of their clients aren't running VPN servers or file sharing software so it's easier for them to just kick you out on DMCA arrival or when something shady is going on rather than keep your bandwidth.

On other side any commercial VPN service is always waiting for problems with law enforcement to come. And unlike datacenter huge part of their customer base will be doing something shady so they can't just stop providing service in every of such cases.

> Money prevents it. Of course datacenter could toggle logging for particular server, but logging everything is very expensive.

They'll absolutely log a particular server if a law enforcement agency requires that they do so, and they'll bill the agency for it, so money isn't a factor.

I have no doubt about that, but I totally sure nobody logging every running server at all times. On other side commercial VPN services...
Wouldn't it still be prohibitively expensive for a commercial VPN service to log all traffic at all times? The traffic going through should be proportional to their scale, just like a generic VPS company. Why does logging get more expensive just because a server is general-use rather than solely a VPN server?
It could easily be still prohibitively expensive, but I totally sure that percent of DMCA and law enforcement incidents per customer will be way higher for commercial VPN service. Especially if this VPN service marketing is targeting at selling "anonimity", "no logs" and acceptance of cryptocurrencies.

At least they can for sure have turn full logging for anyone who paid with bitcoin (even if it's through coinbase).

Question:

I use a commercial VPN primarily so that my IP is shared across hundreds of other users (as opposed to using it so that my data is safe being transmitted through coffeehouse WiFi), and thus would make it at least marginally more difficult for someone to track me.

Is this reasoning false?

Which provider do you use to get a new IP for each tunnel?
I've been using AirVPN lately, but have used PIA, iVPN, TorGuard, and BolehVPN in the past.
> Use something like Algo to run your own VPN if you have to.

This might be good advice for tech-savvy people, but too hard for most folks.

Also, Algo is targeted at only security/privacy, and not censorship resistant. The last time I checked, it didn't offer any protocols that work well behind GFW.

Also, where are you going to run your VPN? Assuming you don't have your own hosting infrastructure (or domestic broadband connection in another country), then you're renting a server from someone else. Perhaps your assumption is that a random VPS provider is more trustworthy than a random VPN provider?

> If you must use a commercial VPN to get to Netflix or whatever, > do it from inside a virtual machine that you use for nothing but that.

Again, good advice for tech-savvy people, but not practical for most folks, particularly for the times when they're on mobile devices.

I don't disagree with your overall sentiment (I don't use commercial VPN providers for the same reasons), but for many folks these serve a useful purpose, and there are no practical alternatives.

Knowing your profile, do you have any (current) recommendations for Chinese users?

Beijing has been cracking down on VPN users a lot recently (even blocking AWS, DO, etc.)

That observation matches my experience, at least for cheap offers. I bought a one-year subscription to ivacy.com (a Hong Kong based provider ~ Chinese government controlled) at a ridiculously low sales price and it turned out that they impose a maximum password length of 8 characters limited to a small ASCII set. It's like buying a cheap Casio watch imitation with a "waterproof" sticker on it - not really waterproof...
Does this really work? I tried Netflix from my DigitalOcean virtual machine but it throws the usual error "You seem to be using an unblocker or proxy"
Thanks for this! It's pretty cool and it's nice to have something to pass on to friends who are interested in subscribing to a VPN service.
Regardless of how you feel about _why_ PIA sponsor the organisations they do, it is surprising to see someone claiming they "perhaps put [their money] to better use" given their record of supporting foss and digital/online rights [1].

Additionally, the characterization as being extremely focused on the tech illiterate I feel isn't really the case either, they have lots of docs about how to use OpenVPN [2].

Thirdly, while there's no online free trial, at DEFCON and other events they do liberally hand out free trial cards.

The above points, as well as reading the commentary, leads me to believe that the author hasn't spent much time at all using or understanding the various product offerings, and the written review and star-score seem to clash with the high feature based score listed above. I can't speak at all for the other providers, but I don't feel like PIA at least has been well researched.

[1] https://www.privateinternetaccess.com/pages/companies-we-spo...

[2] https://www.privateinternetaccess.com/pages/client-support/

As full disclosure, I'm a unpaid volunteer for a non-profit PIA has contributed to. I have used in the past, but do not currently use, PIA VPN.

"As a disclaimer" (disclosure).
Thanks, I've updated accordingly. It's getting late here in the UK!
PIA actually scores as one of the highest on the objective measures. The star count is just a subjective impression and experience with getting it set up. They connect over HTTP on startup instead of HTTPS (which is unacceptable for a privacy company). They then ping almost a hundred servers on startup (no other app does this, at least not to this extent).
Don't use their app then. In fact, I can't think of a reason why I'd install any vpns app if they support openvpn.
It gets you an "automatic" option for which endpoint to use, other than that I can't think of anything.
Some people like the kill switch. I just think remote port is easier to setup.

I sometimes use the app. Mainly use the builtin client of the OS.

Their app has all of their various points of presence pre-populated. If you use your favorite OpenVPN program to connect you would need to get a couple dozen configs imported.

It also tries to find the fastest connection for you, which is useful when traveling.

Considering your claim to be interested in producing a quality analysis of the various services and clients, and in other reviews you took pains to point out that connections were made to Google analytics servers, I found it pretty disappointing that you didn't explain what the servers that PIA were pinging actually are.

Are they, as I suspect (as a PIA user), pinging their own servers worldwide, to find the fastest options available? Are they pinging third parties?

Your review basically says "pings are bad m'kay" without demonstrating any understanding of what the client is doing.

Furthermore, your questioning of the use of port 80 makes me wonder about your own security knowledge. You really don't understand why a commercial VPN product designed to be used by portable devices in unexpected environments might commence a connection on port 80?

These 'objections' you have make me sceptical of your attention to detail in general.

Hi mobitar. Thanks for the highest score in regard to the objective measures. Regarding the subjective impression and experience, I'd like to let you know what's going on. If you feel that this changes your impression, it would be great to update accordingly!

The HTTP connection upon startup is for the region data request which is signed and verified upon receipt. It's tamper proof, but you can read it. It's something that anyone with the client can read, and the client is free to download.

Arguably, it's more secure to entrust the communication from PIA to the client software itself than to blindly entrust it to HTTPS which has provably been compromised due to bad actors in the past.

We're in #privateinternetaccess on irc.freenode.net to discuss anytime as well!

Thanks for everything mobitar and for taking the time to produce this report.

Sorry mobitar, I forgot to address the pings. This is to find the best (closest by network latency) path to you. We're really focused on providing the best possible experience, and that experience is simply providing what we do best, in the most unobtrusive way possible.

And to that extent, when it comes to your privacy and fighting for your internet civil liberties, we'll be second to none.

Cheers,

Andrew

I've seen PIA being very active and friendly, along with supporting FOSS which I love, so I say good work.

That said, a question: is there a way for a power user to control this startup ping mechanism in favor of using a single server they have selected as the best? The only reason I see to not do this would be if your IP ranges are volatile time-wise for some reason. Or perhaps I'm missing another factor?

Well, you can use stock OpenVPN, with firewall rules to prevent leaks. Or you can use pfSense as a VPN gateway VM.
If you're using the app, I know you can choose a server instead of "Auto". Not sure if it does the pings.

You can bypass the app. I've identified some servers that work good and are close to me and just use a separate app with the profiles/configuration I need. (You can use the built in VPN on your OS or use the OpenVPN app directly for example if you want).

There are options.

Hi,

Can you please fix the mac client so that when I wake up my macbook after couple days of sleep I don't have HUNDREDS of "disconnected" messages from PIA to dismiss? I understand it connects and then disconnects every time the computer wakes up briefly during sleep, but the onslaught of notifications is.....A lot.

Hi Andrew! I've used PIA for a few years now. I'm very happy with it.

There's just one thing that's kind of a deal breaker. I recently switched to Mac and the Mac PIA Client is quite far behind the Windows, Android and iOS versions.

I'll list all my issues together here:

Major issues

- slow to start

- slow to connect (often tries forever). This is my biggest issue. On other platforms (or connecting directly with the built in Mac vpn function) it takes like 2-3 seconds. With the Mac client it takes many times longer. There's also no feedback about what stage the connection is in, unlike on every other OS.

- doesn't reconnect if network changes, so internet just stops working

Minor issues

- can't see pings for servers

- not as sexy as Windows client

I switched to using the built in Mac VPN feature to connect which is much faster, but occasionally stops working altogether for 20-30 minutes. So right now I don't have a good reliable VPN solution.

Hope this feedback helps!

Thanks again, andai

It's unfortunate that it's reached the front page given the quality but you don't need to thank him for a poorly written review.
(comment deleted)
They support OpenVPN.
I have happily used PIA for years on Ubuntu and macOS and Android, but I never, ever use their clients. Just download the ovpn files[1] and set them up with the native support built into your OS (or use something like Viscosity for more functionality). On an unrelated note, I'm happy to know that my (reasonable) annual subscription allows them to support FOSS projects, they should really publicize that more!

1: https://www.privateinternetaccess.com/openvpn/openvpn.zip 2: https://www.sparklabs.com/viscosity/

That stock photo of kids on bikes on their homepage feels so out of place hah
They're going for Mom, apple pie and so on :)
Which is so strange because in in the technical category they're one of the best. Shopping for a VPN provider 2 years ago I almost passed them right by due to how the site looks. So glad I dug a little deeper and eventually chose them because the service 'just works' and 2 years later I don't have a single complaint.
There was one VPN provider he just rated 1 star and refused to use because the home page didn't feel modern enough. At that point I mentally rated the article 1 star and refused to take its contents seriously.
I don't know, the criticism in the list is certainly irrelevant, but as far as I can see PIA is a US company and I believe it is kind of absurd to nowadays trust any US or UK company about privacy-related matters. The UK has become one of the worst countries in the world regarding privacy due to the Investigatory Powers Act, but the US also doesn't have a good reputation in this regard.

A simple Google search also reveals various user complaints that PIA apparently uses a Ruby (!) script to constantly write an extensive local log of all web activities, and the option is switched on by default. That's not inspiring my confidence. Their pricing is great, though.

The problem I have with VPNs in general is that quite a sizable number of them look as if they had been set up by dubious entities solely to collect data on their customers. Especially the ones with competitive pricing.

I would rather trust some of the more expensive ones from e.g. Sweden.

Possibly because PIA is a US company and therefore someone in Europe does not care?

For someone in, say, Germany a German VPN would be way more worrisome because of the same jurisdiction.

This guy has been reviewing VPN services for a while and has put together an incredibly comprehensive table as well as a selection of more detailed reviews, selected from the list at random so as to remain impartial. Recommended.

https://thatoneprivacysite.net/vpn-section/

For example, TunnelBear scores highly on security, but poorly on ethics.

I suspect that, for less savvy potential customers (read: the vast majority of them), "That One Privacy Site" can do more harm than good.

I wrote a bit about choosing VPNs, and about my concerns with TOPS, here: https://davepeck.org/2017/04/16/why-its-hard-to-choose-a-vpn...

PS: Since this is HN, I just want to say that if you can, you should run your own VPN. Use Algo, full stop -- it's put together by some of the best in the business. If you do decide to go with a third party provider, hopefully the six criterion I suggest in my post are helpful.

I don't see how having more information can be harmful. There's even a simplified red/yellow/green table if you don't want the details.

TOPS is one of the extraordinarily few impartial guides to VPN providers. We would be far worse off without it.

Running your own VPN is fine if your goal is to protect yourself from a malicious LAN, but useless if you're trying to hide your identity. The IP of whatever provider you choose can reveal your identity just as easily as your home IP.

> I don't see how having more information can be harmful.

It can be harmful in the hands of less savvy potential VPN customers, when it leads them entirely to the wrong conclusions. (You're unlikely to fit in this category.)

Like I said, I'm pretty sure anyone can understand red=bad and green=good.
If you use TOPS and simply choose the provider with the most green, you'll have made a terrible mistake.
I never said anything about picking "the most green". The columns are labelled and described in detail on a separate page.
Neither, I suspect, did you read my post. We can probably end here. :-)
Looks to me like you're primarily advertising Cloaks, owned by a US-based company. There are tons of reasons why privacy-minded users would want to avoid a company under US jurisdiction, but you mention none of them.
There might indeed be reasons to avoid US jurisdiction -- that's true, but it's not relevant to the point I attempt to make, which is that labeling the US "bad" by default and without qualification is silly, and is one (of several) ways TOPS might lead less savvy potential customers astray.

As an aside, I'm skeptical that there are "tons" of actually good reasons to avoid US jurisdiction. I don't doubt that good reasons exist. It's just that I've seen plenty of bad ones! :-)

And to clarify: no, advertising Cloak is absolutely not my goal. If you're interested, I'm always happy to recommend trustworthy VPN services that aren't Cloak. I mention Cloak in that post because in my (biased!) opinion it's a good exemplar of the six criterion I look for. That's no accident, since I co-founded Cloak and built it in part to satisfy those criterion. That I'm Cloak's co-founder is pretty clearly disclosed both here on HN and on my personal blog. I should mention, for completeness, that I'm no longer affiliated with Cloak.

Nah, I don't buy your reply but totally understand your perspective. My assessment and general advice stands as is, for most people (including US citizens) it makes a lot of sense to avoid any US or UK based VPN providers. I'd personally also avoid a company operating under French jurisdiction.
The problem I've found with running my own vpn is that I could not find affordable vps with anywhere near as affordable bandwidth and speed. The main vps providers all cap your download/upload. ovpn is what I settled on and am quite happy.
Yes, this is definitely an issue - I should really put an asterisk on my “roll your own” proclamations. Better VPN providers offer numerous POPs and generally good network perf that can be hard to replicate on one’s own. (That said, these are necessary but not sufficient conditions for a given VPN provider to be “better”.)
So much wrong about this blog post - first, written by the creator of a VPN company, someone obviously biased, with a stake in the industry:

Many of the items you claim are not addressed by TOPG absolutely are. Questionable/sketchy product marketing & SEO, ethical business practices, etc are all covered in the detailed comparisons Ethics section. Other items you claim he SHOULD look at go against his methodology and are impossible to indepdently verify - such as technical architecture and sustainability.

The main purpose of jurisdiction is to see which countries are more likely to illegally spy on its citizens and which have a track record of being an "enemy of the internet". You claim a VPN located in the US (like the one you made and have a stake in) are subject to government agencies such as the FTC, but many if not most of these companies are regularly allowed to flout FTC rules on native advertising and bad SEO and such which is why the industry is largely in the misinformation mess that it is - and we all know about Five Eyes and why that matters - any laws claiming to protect its citizens are kind of negated by programs such as PRISM, XKeyScore, and every other one we've learned about from Snowden.

You claim you get suspicious of TOPS reliability is because the data is wrong on Cloak - "TOPS claims that Cloak’s native apps leak IPv6 and DNS traffic." The detailed comparison actually shows whether the service officially tunnels or actively blocks IPv6 and runs its own first party DNS server. This is worded plainly in the header and further explained in the glossary. Lastly, if these are actually not the case for yours or any service, all he requires is a link to the official site where the data can be validated. I'm wondering if the point of the article was a lead up to the end in an attempt to turn people away from TOPS so your joke of a service (which surprise surprise, didn't score so well on the chart) isn't seen for what it is.

Whoa there, WillyTheWalrus!

Thank you for creating a new and anonymous HN account just to deliver your important message.

Alas, it is confused in many particulars. Normally I wouldn't feel the need to reply to posts such as yours, but today the oppressive heat wave seems to have lifted from Seattle and I happen to have a delicious coffee beverage in hand.

So I'll bite:

> First, written by the creator of a VPN company

Guilty as charged. That I co-founded a VPN company is disclosed quite clearly, both here on HN and on my blog. Let there be no confusion. :-)

> someone obviously biased

It's hard to judge another person's biases from afar. I generally refrain from accusing others of bias when I don't know.

But I definitely understand how you might reach the wrong conclusion here. If it helps, I will reiterate that I am no longer with my old company (I sold it quite some time ago); I no longer have skin in the VPN game.

---

Before I dive into your specific points, I want to make a meta-point that seems to have been missed both by you and by other people who responded to my post:

TOPS is, in the right hands, a valuable resource. The person who built TOPS appears to have extremely good intentions and has done an amazing amount of useful work.

The problem isn't TOPS in isolation. The problem is when TOPS gets in the hands of the typical unsavvy potential purchaser of VPN services. It is my belief that the right axes on which to judge VPN services are fundamentally resistant to objective measure. In my experience, unavvy customers armed only with objective information are likely to go astray.

Okay, on to the specifics:

> Questionable/sketchy product marketing & SEO, ethical business practices, etc are all covered in the detailed comparisons Ethics

Let's take a look at the current ethics columns. Today, they break down more-or-less into two buckets.

The first bucket has to do with affiliate marketing and effectively asks three questions of both the VPN provider and its affiliates: is SPAM avoided, is the copy ethical and is disclosure followed properly? Alas, the gradations of unethical behavior run pretty deep in the VPN affiliate world (ask me over beer sometime), and go far beyond copy and disclosure. TOPS is providing useful information here, but capturing the fullness of affiliate behavior would probably require an armada of columns.

The second bucket is for "good faith" behavior and has exactly three columns, including "contradictory logging policies" (do they say 'no logging' but it looks sketchy?), "claims 100% effectiveness" (nobody can!), and "incentivizes social media spam". These are interesting in a shallow sort of way... alas, it's hard to go particularly deep while remaining objective.

Which brings us to the crux of the matter:

> Other items you claim he SHOULD look at go against his methodology and are impossible to independently verify

Yes and, again, this is the point of my post!

I believe that some of the most important attributes of a VPN provider to consider are precisely the ones that cannot be objectively measured. In other words, trust signals are potentially far more important than many of the objective columns on TOPS. Perhaps I argue this unsuccessfully, but there you have it.

At the end of my post, I suggest six trust signals to look for. These are things that, realistically, cannot be captured objectively. These are also things that I recommend to all potential VPN customers. A handful of VPN providers (including the one I co-founded and providers like TunnelBear and VyprVPN) fit the bill.

> The main purpose of jurisdiction is to see which countries are more likely to illegally spy on its citizens and which have a track record of being an "enemy of the internet"

Yup, the US is bad... which has little to do with whether a VPN provider based in the US is fundamentally trustworthy.

There's a bunch o...

I checked the VPN I use, and I think the analysis presented does not correspond to the privacy policy and FAQ of the service.
Just email TOPG, he'll change the chart to match the site. You just have to point out what doesn't match and give a link to where it can be verified.
I use KeepSolid. I've been really impressed. I think his review has done them a disservice. They have a really helpful app on all platforms and their staff are friendly, too.

Disclaimer: none. I have no affiliation other than I am a customer.

They have been fast, and honest with all 2 of the issues I have had with them over the last almost 3 years. I would strongly recommend them to anyone. If there was a real issue with the service he should have talked about that.
> The screenshot of their app on the iOS App Store shows a bunch of credible logos of their mentions, but then quotes "VyperVPN is the best service on the market" as coming from a reddit comment by a random user. Questionable tactic.

That's referring to reddit the company, and it was quoting one of reddit's sysadmins: https://www.goldenfrog.com/blog/reddit-gives-every-employee-...

Ah good catch, will update that.
> Extremely bland, stock-photo website. I felt uncomfortable giving them my email address, let alone my payment info.

That's not valuable information.

> A heavily marketed product lacking inspiration which I ultimately couldn't get to work properly.

At this point you've given up even trying. It's not a useful comparison any longer.

This comment is a nice example of how the "I'm a rational person and only features matter"-mindset actually works against its stated goal.

With any VPN provider, there are certain crucial features where you have to trust them, "no logging" being the most prominent.

Since you're unable to get to the actual truth (until it's too late), you're left with trying to get a sense of the provider's character: are they supporting open source projects in the privacy space? Do they advocate for causes you believe in (by, for example, participating in the net neutrality blackout)? Do they take pride in their work ("show source" may be helpful here)? Do they have humour?

None of these are definitive. But in my experience, it's actually pretty hard for people who aren't members of a certain community to emulate it convincingly.

I agree with your basic premise, and I definitely use some kind of fuzzy gut feel metric when doing my own evaluations. That said, if someone is claiming to do an unbiased review, we need more than gut feel.

If your goal is no logging and one of your metics is "Do they have humor"? You're in deep trouble.

(comment deleted)
Obviously not ideal for non-technical users, but I found it really easy to spin up a VPN on Digital Ocean.

I'm sure it wouldn't be hard to make it almost a turnkey operation, just run the script and you're good to go, and then it would be a viable option for non-technical people.

Of course, not ideal for anonymity, but a perfectly fine solution for if you want the security benefits of a VPN, or to get around geoblocking (I originally spun up my VPN to watch something that was geoblocked, now I keep it for when using open wifi connections).

Do DigitalOcean's IPs fall in a well-known IP range that would make it a target for IP blacklisting, as in the apparent case of AWS [0] (i.e. EC2 and Heroku)?

[0] https://news.ycombinator.com/item?id=883622

Probably. I was using it to watch Top Chef Last Chance Kitchen on BravoTV's website. I don't think they're so strict on it compared to Netflix.

My main use for now it is for security, not for watching geoblocked things, so I'm not so worried about it.

Both iOS and macOS (I don't know about windows, I havent used it recently) have built-in VPN clients so what would be the advantage to using a client from the VPN provider?
The built-in VPN clients support old broken insecure protocols (PPTP) and expensive, hard to implement and hard to deploy protocols (IPSEC-LLTP), whereas public vpn providers tend to use simple, secure, easy(er) OpenVPN for the bulk of their connections. So you need a addon client to use them for their best features.
Thanks. I've only ever used VPNs to access corporate networks. I'm not going to pretend to be knowledgeable in this area.
There are a couple of reasons:

* If you need to change your location (country) often, the apps usually have a dropdown where you select the country you wish to connect to

* It's easier to setup, especially for novice users

* They can have additional features, like a kill switch that makes sure that if the VPN connection drops you don't send any traffic over your non-VPN connection

Is the TunnelBear "Vigilant" feature like a kill switch? So if the VPN drops out, it doesn't revert to downloading via non-VPN?
Yeah, vigilant is the equivalent of a kill switch. So not connected to VPN = no internet
> PIA, Somewhat boring company.

I fail to see how being a boring company has anything to do with the service they offer. If anything, being boring is a very good thing.

No fluff. Down to business.

Sounds like a perfect provider. Prices are clearly stated on the site. You get what you pay for. They have some guides for people that might need more help setting it up.

...¿? I don't really need fun. Just want something that's boring, quick and works.

I'm (British) getting the impression that VPNs are becoming rather important to Americans (int al). Please bear in mind that us foreigners don't always get the memo about the current flavour of the day in all countries. I'm well aware that citizens of CN and many others really need privacy but it seems that there is a reasonably recent strange US fetish with VPNs.

Could someone please explain?

Iirc, a few months ago congress repealed a law banning ISP tracking of customer traffic.
US Congress passed a law earlier this year that dismantled FCC internet privacy protections which prevented peoples' internet service providers from fully capitalizing on peoples' internet history. VPN use is a way to encrypt your internet traffic, use not-your-ISP's-DNS, and protecting private information from being siphoned and ultimately sold.

Hope this helps explain the fetish!

Disclosure: I am a PIA employee.

One reason might be that if you download pirated content you have to do so over VPN. Otherwise your ISP will likely reach out and let you know you are doing something illegal
Could use a breakdown of which criteria each provider supported, because just a colored circle doesn't show which of those criteria are supported or not.
You can hover over the circles to see the breakdown. I need to add click support for mobile though.
TunnelBear claims to be secure but all they offer is an opaque app. Uhh, no thanks. I prefer to run my own VPN client that doesn't have potential spyware in it. I am surprised this was so highly rated by someone reviewing VPNs.

edit: I know you can't make everyone happy, but there are a LOT of VPN options out there and only the very best should be making it through.

That is nice of them to release a sanitized version of the audit report. I would still prefer openvpn or some other open source client that has been more battle tested for something I intend to use as a privacy tool. I don't think it changes my basic position on a closed source client. Audits are always point in time.
PIA has a kill switch on its client. That makes it for me. Lose the VPN connection and you lose the internet connection.
> The speeds were good and the apps work but are kind of boring

... isn't the point of a VPN do just do its job and stay out of sight? Why is 'boring' even remotely relevant to the VPN equation?

As someone living in China, a VPN provider that doesn't provide direct download links to their Android client is completely useless. The only way for me to install an app from Google Play store is to flash a custom ROM and install the Google Play Store, install another VPN (?!!) to access the Play Store, and then download the app in question.

Furthermore, the fact that Apple has just pulled VPN apps from its App Store and the unfortunate fact that you can't sideload apps makes iOS an untenable OS choice.

> ... Apple has just pulled VPN apps from its App Store and > ...you can't sideload apps makes iOS an untenable OS choice.

I'm pretty sure you can still install VPN apps (e.g. Potatso 2) from the iOS App Store, although perhaps they're not available if you're logged in with a China iTunes account. iOS allows you to install apps from multiple iTunes accounts on the same device, though, so this doesn't seem like much of a limitation.

(Not sure if they're also blocking by IP address.)

Yeah. I was referring to installing the applications from China. I was unaware of the ability to add a non-Chinese iTunes account to circumvent the issue. Thanks for correcting me!