198 comments

[ 3.4 ms ] story [ 152 ms ] thread
Well then why is it if you actually try and sue a VPN provider for the logs, you won't be able to get them. this is the case for one scenario I know of where a subject got hacked and it was traced to a VPN service. Article is just FUD -- which this conversation could be warranted in some cases, but realistically I've found that it isn't the case. This doesn't mean that their outbound service isn't being logged by a third or unknown party like a government entity (which we know all traffic is logged), but hey it is what it is.
They have logs, they just don't keep them very long. (Allegedly.) So in theory, while they might not have logs for a past incident if it's been long enough, they most certainly have logs in very short term and/or can tell who's connected to what at the present time. So while many copyright actors will be too slow to get a hold of said logs, a government actor with significant interest will.

The biggest issue for me is that VPN providers have given me no particular reason to trust them. If I already have reasons to distrust large international corporations that say they care about my privacy, why would I go trust one I've never heard of on the Internet that says it cares about my privacy?

Under EU privacy regulations you could probably demand that your VPN provider gives you a copy of all information they have on you, including logs.

In the EU I've seen this successfully done with ISPs, ie. customers request logs and get a CD by mail. You'll have to insist and it might involve a small service fee.

I did this and the fee was 200 DKK, and that is around 33 USD.
So what exactly was in the logs?
Probably what is required under Danish "law", which would be every 20th TCP session or so...

Note: I write "law" because afaik the current logging directives have been found in violation of the European Human Rights declaration, I hear a legal battle is pending:

https://ulovliglogning.dk/en/

To be fair - I'd never rely on a VPN provider to protect me from government actors with significant interest.

"YOU’RE STILL GONNA BE MOSSAD’ED UPON" (from https://www.usenix.org/system/files/1401_08-12_mickens.pdf )

Whether or not your VPN provider gives you any particular reason to trust them - for some of us, the government has passed laws to require our ISPs to be "untrustworthy".

Can you give us some known examples of VPN Providers that were sued and didn't give logs?

I'd imagine a list of those ones would be considered more credible

A quick google shows a few.

I know PIA had an actual FBI subpoena.[1] (literally the first link I find) Of course there are collision based identification methods, but knowing that you use a VPN and were using something on the East Coast isn't much to go off of. Worst case I can see here is "User was the only one connected on the East coast at this time", but with PIA's userbase, that seems like an unlikely scenario.

There's also a list [2] (little old)

I remember looking a little closer back when the ISP stuff was happening and it wasn't too hard to find cases where specific VPNs were "tested in the field". But I remember coming across a few, I think Norad was also one of them.

[1] https://torrentfreak.com/vpn-providers-no-logging-claims-tes...

[2] https://torrentfreak.com/vpn-services-that-take-your-anonymi...

Yeah, except when PIA gave copies of the subpoena to the media, they only blacked out the content by adding a layer in the PDF.

So you can open it up in Acrobat, and see everything below.

Are you going to trust a VPN provider that can’t even black out text in a PDF?

For reference, here the content with the blacked out info un-blacked-out: https://i.imgur.com/u1hYerD.png and https://i.imgur.com/1a9YD0f.png

I haven't seen the PDF myself, but is it possible that PIA intentionally redacted the information in a reversible way?
You assume the PDF was created by someone very tech-literate.

It's far more likely it was created by some middle-level communications staffer.

Yes, this is more likely than intentional leak of the info and I don't know why you're getting downvoted. Someone who works at your company doesn't understand how PDF works -- that's OK, most people don't need to. It's unlikely that the guys who are busy running the servers are going to be spending their time dragging boxes over documents before they get posted online.
The whole point of a VPN is that you trust it more than your government or ISP.

If your VPN allows any intern to simply post PDFs online that contain such info, without the legal or security department looking over it, you're not trustworthy.

What's next? Next time they actually deliver someone's info, and it ends up in a PDF everywhere online, too?

Trust is a fragile thing.

Well, uh, that's definitely not the point of VPNs when I use them. It's very unlikely that a private VPN provider is more trustworthy than either a decently-sized ISP or a government.

VPNs are useful to avoid negative effects of traffic analysis and bad QoS, bad neighbors at a public access point, and give privacy or a different geolocation when accessing specific individual destinations on the web (e.g., an IRC server that would emit your IP into the public log). Generally, VPNs should be used as needed to serve one of these specific purposes, not 24/7.

Expecting protection from your government or ISP for $10 / mo is a tad unrealistic.

Interesting. PIAs entirely marketing argues differently, even going as far as the typical 2000s era scare tactics of telling me where my IP is geolocated, and that the government can read my data.
Is anything that is blacked out dangerous or a violation?

Could it have been done on purpose? To fulfill legal requirements and prove they aren't hiding anything.

Or could it be an accident? If the latter, then there are certainty questions to ask. I'd expect the legal department to have different tech skills than the IT department though. But still questions.

I don't know the answer, and really would like an answer if someone does know the correct one.

There's nothing confidential in those images. It is a matter of public record that Detective Andrew Perley #660 wanted to know who was routed through 184.75.214.66 on 2013-2-19, and that his interest was communicated to the VPN provider on 2013-4-22.

I'm not sure why they went through the rigmarole of pretending to black something out. Maybe they were just fucking with him?

They sent the blacked out version to the media, and Ars and others published them like that.

So why did they black it out? As a childish joke? Also not inspiring trust in them.

And if they just blacked it out, without need of doing so, and fucked that up, then the question is if they're trustworthy if their security team doesn't double check their blacked out PDFs.

The problem isn't with the content, but with the process.

To some extent it will be more credible, but the usual "Past Behavior is No Guarantee of Future Performance" type caveats are going to apply regardless.

I know I certainly don't have the time, inclination, or frankly the expertise, to keep abreast of the internal developments in a VPN provider's business, which will likely be private anyway, as well as the evolving legal/regulatory framework wherever they operate. Similarly, policies regarding logs or data retention can evolve over time, one of course has to trust that any retention policy disclosed in public is actually adhered to in private.

If you really are someone who has to give serious consideration to the risk of logs being pulled, I'm not sure any commercial third party provider is a "safe" option.

The way I see it (guessing, not knowing anything specific), the better commercial VPN services -- at least in or ensared into U.S. law -- may not keep logs, in general. But when a three letter agency with relevant authority (being more generous WRT some VPN services, maybe only unavoidable authority), asks for logging for specific users or perhaps some other narrow logging profile, then such logging starts and is made available.
That's hardly the only concern. What if they have an arrangement to sell your traffic data to ad networks? Inject ads via dns poisoning? Inject Bitcoin mining JavaScript into http? Throttle traffic unless e.g. Netflix pays for bandwidth?

VPN just substitutes an unregulated ISP for a somewhat regulated ISP.

Someone would notice a VPN firm fucking with their only service in those ways (well, maybe not the first way), and then they wouldn't have any more customers. That's the difference between these firms and ISPs: they face actual competition!
Someone technical enough to notice would notice, I think that’s a small portion of people who are being preyed on by Big Privacy.
The VPN I used is based in a country where the US can't come and subpoena / sue people, which is the main protection I can think of. Worst that can happen is their servers being shutdown in countries that can, and it happens on a daily basis. Using a US-based VPN seems like a bad idea either way.

Additionally, why would a VPN keep logs at all? With no traces, they have "plausible deniability" that some of their users are doing horrible, horrible things online. This is the main reason I trust my VPN provider to not have logs. IIRC, the only thing they look for is email spam (which is fairly easy to detect with very minimal / time restricted logging), as it spoils their IP addresses too quickly.

Debugging and assessing abusive behaviour is far easier with some level of history.

That might be a few minutes, hours, or days. Weeks, months, years, not so much.

There is a point to be made in there somewhere, that your VPN needs to be an entity you trust (at least more than the alternatives), if you pay for its services, expecting privacy for the price.

A more helpful rant than the OP provided, would be one that informs you of ways to evaluate the trustworthiness of various VPN providers.

So we've seen several VPN services that have proven to be malicious, insofar as selling your browsing history to advertisers (see Hola Better Internet[0]), but have we actually seen a VPN provider being a 'honeypot' yet?

I guess we should qualify the term. In my mind, that would be a hostile government who sets up a VPN service for the purpose of attracting citizens who wish to avoid their censorship, and then arresting the users.

[0]https://lifehacker.com/hola-better-internet-sells-your-bandw...

Some Tor relays are absolutely honeypots
As always the title is a bit of an overreach.

If you are going to attract the attention of governments (PSN and Sony hacks, etc), yes, don't expect a VPN to shield you.

If you're pirating a show that isn't available in your region, or checking up on an old workplace website, etc, a VPN is likely perfectly fine and will save you from legal scare letters, an old employer seeing your visit, etc.

Wait, we're supposed to worry about an old employer seeing a visit to a public company website? How would that even happen, and why would anyone care?
Only justification I could think of is a strict reading of CFAA, where in your exit paperwork the employer commands you not to access any company systems, and the Web site is technically a company system. Though “protected” would be quite arguable there.

I occasionally have crons from my personal infrastructure running into an employer for operational purposes (offsite monitoring or whatever), so I’ve blackholed outgoing traffic to former employers to be on the safe side in case I miss one. So I can see where that sentiment is coming from, though I think it’s a legal stretch.

So for the 99.999999% of the rest of us who don't use personal systems to provide monitoring services this argument doesn't apply. Seems like it would be easier to just use outside monitoring or setup some monitoring instances in the cloud that your employer owns than going through this effort.
I was just contriving an example, in that case theoretically a small employer with limited traffic. Or a peer's blog, etc etc etc.
If you don't like the employee example, think, "reading your ex's blog." You might want to read it but not advertise to your ex (through traffic logs) that you're reading it.
Exactly.. paid VPN services are useful really for thwarting ISP traffic snooping and organizations that monitor for piracy file downloading.
I'm sure the intended audience for enemies of the state are googling "should i use a vpn?" right now. What a silly article.

Understand vpn's, understand public VPN providers, evaluate the risk for whatever you're trying to do.

> If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

I feel like this sets up false equivalency. Tapping VPN provider and tapping individuals last mile are very different things. Of course it is debatable which one is more secure etc, but the fact remains that they have very different characteristics. I'd say that for almost any single attacker moving the hypothetical tap will not be happening at a push of a button, more likely it will not happen at all.

Furthermore, what is even meant by this "tap"? For most attackers breaking OpenVPN + HTTPS is just plain impossible, even if they somehow intercept the connection and position themselves between the VPN end point and the target server.
This is throwing the baby out with the bathwater, yes you should assume that your VPN provider is 100% logging your IP, traffic, referrer, etc, but you should also assume that any public wifi is being sniffed. A VPN won't magically hide your traffic, you're shifting the attacker in the threat model. But all this is also means that a VPN provider is less dangerous than public wifi is, which is really the reason you should be using VPN's.
If you already have an SSH client (which implies that you have somewhere to SSH to) and Firefox installed on your machine (not sure about Chrome) then you can prevent public wi-fi snooping right this very instant with a SOCKS proxy. This requires no new software on your machine, no money to change hands, and takes literally 30 seconds to set up. VPNs are overkill for that use case.
Only for firefox's traffic. There's almost certainly other software on your machine using the network and thus not going through the proxy unless you explicitly tell it to.
environment variables
Indeed, I had tunnel vision and was thinking only of web traffic. But at the same time, what software other than web-browsers-connecting-to-HTTP-sites is attempting unencrypted network communcation? If there are any system updaters or package managers trying to do their job over plaintext, that's important for people to know!
DNS lookups are generally unencrypted, no?

w/r to package managers, apt is usually unencrypted. Of course, there's signature validation that makes sure you don't get altered packages, but traffic can be snooped none the less.

You can ask Firefox to do the DNS lookup at the proxy end, as long as it supports SOCKS5 (I tunnel from my Windows machine to a remote Linux VPS using PuTTY, and this setup works great)
Another good alternative is to use sshuttle [0] which can tunnel all traffic that you instruct it to. It's quite simple to run as well.

[0]: https://github.com/sshuttle/sshuttle

Very useful for the ~12% of desktops on Mac OS or linux.

Not at all useful for the single largest desktop OS, Windows.

Even less sensible for the majority of Internet traffic, which is now on a mobile OS.

I have long wished for a port of sshuttle to Android; it should work fine, since Android has a native VPN API and working SSH clients.
Yes, I agree that this is overly generic. But it's important to realize that most people don't have the technical knowledge to approach this from a nuanced perspective. For them, it is all or nothing.

I wrote a post pretty similar to this about Tor several years ago. That's even worse than a VPN.

> But all this is also means that a VPN provider is less dangerous than public wifi is

Is it really? I guess it depends on what sort of threat you are trying to protect yourself from.

Using public wifi lots of places leaves different traces at completely disconnected ISPs/service-points. For an attacker, obtaining and correlating all these is probably not a realistic option.

Consistently using a third-party VPN service (as opposed to hosting your own) centralizes all your data in a single point which is much easier to target.

We've seen this little bit of FUD several times in the past and it's as inaccurate as it has always been. VPNs cover some scenarios but the author makes unreasonable, extreme demands and wants them to provide security no entity lower than major government-level can provide. A VPN is just one of many steps in hardening your machine and connection, it's not a silver bullet. A setup that's truly hardened against internet surveillance directed towards the average user _should_ also include a VPN as one of its components, that much is sure. A VPN will not protect you against Mossad, because as Mickens said, if Mossad is after you, you are going to die and there's nothing you can do to stop it. But a VPN will provide a very effective layer protecting you against location and IP based tracking and fingerprinting.
I suggest people lookup "The Market For Lemons"[1] as it is a good warning for what can happen to markets with extreme information asymmetry. VPN providers like many tech companies have a huge information asymmetry over their customers. There is no way to really verify many of the claims that a provider is making, especially when it comes to something like logging. The result is that the consumer can't actually distinguish a low quality product from a high quality product. This creates a disincentive for companies to actually provide a high quality product when they can provide a product that is lower quality and cheaper to produce and still pull in the same revenue from users. If this is allowed to go on without any form of third party intervention, the end result is a market filled of products with dubious quality.

[1] - https://www.iei.liu.se/nek/730g83/artiklar/1.328833/AkerlofM...

Exactly what you say. Maybe the solution is to use two VPNs. That way the second doesn't know your home IP and the first has no info on the content. Like a home baked Tor.
You don’t thing a legal authority wouldn’t subpoena both?
First, they can be in different jurisdictions. Second, it depends on what threat model you use; I for one am hiding from my ISP, not the government.
I think that’s not his point. There is a probability p that vpn providers are not providing the service they advertise (ie lemon). But the probability that both are lemons become p^2 which is much lower (subpoena-ing a provider that maintains no log is useless).

Where it breaks I think is that you can chain as many VPNs as you want, only the last one sees what you are downloading, the others only see traffic to another VPN. So the authority just needs to subpoena that one.

The performance hit would be enormous
Why? Obviously latency would spike, but bandwidth should be fine.
Generally speaking, tunneling TCP inside TCP is a bad idea. Yes, it’ll “mostly” work with the added latency you mentioned, but it can go very poorly if the network starts having packet congestion or dropped packets.

If the “outer” VPN is UDP or IPsec, then not as much an issue, but many of the VPN providers commonly used are TCP based (of the ones I spot checked from a google search anyway). And remember, since they are TCPinTCP already, you are just making the situation even more likely to occur.

Further reading: http://sites.inka.de/bigred/devel/tcp-tcp.html

Most VPN systems use UDP, with TCP possibly being supported as a fallback solution for when UDP connectivity is broken.

The exception are things like SSH tunnels using sshuttle but they call themselves a "poor man's VPN" for a reason.

Though ironically sshuttle claims to fix this problem.
It's not clear to me that you're referencing data asymmetries in the same sense Akerlof does.

"Lemons" discusses a buyer and seller having different levels of knowledge about a product, not necessarily one another. The result, in the essay, is that buyers presume lower-quality product, and something of a self-fulfilling prophecy emerges in that sellers are aware that high-quality product won't trade on the market.

This is one of several types of Gresham's Law dynamics, where Gresham's Law can be generalised to describe both asymmetries of information and constraints on complexity.

The knowledge of the counterparty case verges more on one of control, in being able to know the other party's interests, motives, and/or vulnerabilities. That's ... well outside the scope of "Lemons", and has far more to do with power and control dynamics.

(Though it might also result in presumptions on the part of customers of such a monopoly.)

Part of the answer, in both cases, is to provide more information or trust through various mechanisms, including regulation, audits, etc.

The part of the ISP market which is as described in "Lemons" is in knowing what information is or isn't collected, and how it's used. The inability to do so does lead to race-to-the-bottom tendencies, a phenomenon also frequently described as "a (sort of|kind of) Gresham's Law".

Searching for variants of that phrase within Google Books is quite interesting. Examples include: legal citations, neighbourhoods, immigration/immigrants, coin, politicians, divorce law, environmental regulations, mass / popular media, television, bicycles, software, consumer electronics, and more.

See also: the Tyranny of the Minimum Viable User https://www.reddit.com/r/dredmorbius/comments/69wk8y/the_tyr...

I've also explored Gresham's Law quite a bit: https://www.reddit.com/r/dredmorbius/search?q=%22gresham%27s...

The information asymmetry I was referencing was simply the knowledge of whether data is or is not recorded and how much is recorded. A VPN service that records more data is what I would consider a lower quality product and a lemon. Once a company starts collecting information it can use that data for a variety of other purposes such as selling it to advertisers. That extra revenue stream is what would make a lower quality VPN product cheaper than a higher quality one with no logging.

Also the end result of a market full of lemons is something that develops over time. I don't think the VPN market is mature enough for buyers to have learned to presume a lower quality product. I would even argue that the information asymmetry is so extreme in the case of VPN services, that a user can purchase a product, user it for years, and still not be able to accurately assess its quality. This would slow down the development of a true market for lemons.

Fair enough.

The "Market for Lemons" dynamic has an earlier precursor, the horse trader. In looking up Gresham's Law references, I've run across H.L. Mencken's "Bayard vs. Lionheart" (1926), which references "David Harum". That was a novel, and film, and later (after Mencken's writing) a radio serial, about a horse trader.

Horses, as complex and nonuniform goods, had developed a reputation for unreliable and underhanded dealing. The lasting legacy of the novel itself is the expression "horse trading".

https://en.wikipedia.org/wiki/David_Harum

https://amomai.blogspot.com/2008/10/hl-mencken-bayard-vs-lio...

It’s actually ironical that it requires hard work and money to stop modern software from becoming data hoarders.
Steve Gibson specifically recommends TunnelBear because they submitted themselves to a public security audit.

https://www.tunnelbear.com/blog/tunnelbear_public_security_a...

Other than TunnelBear, ProtonVPN is run by the ProtonMail folks and is based out of Switzerland, so they would respond to any foreign subpoena with a polite "fuck off."

> based out of Switzerland

Switzerland is no longer the bastion of privacy it once was. In fact, it's been nine years since every single Swiss Bank rolled over on their customers to placate the IRS. And it's only been downhill from there since.

I'm really okay with this. Taxes are the price we pay for civilisation and people dodging them are stealing from you.
Surveillance of money, and surveillance of speech, association, location, etc. are not the same, and one does not justify the other.
I believe they were saying that they were OK with the Swiss banks giving info to the IRS about tax dodgers. Which I'm ok with too. I'm not ok with random web traffic being disclosed to authorities.
Switzerland and the United States are not the same country. That the United States can steamroll the sovereignty of independent nations like this is not very good. Diversity and competition among jurisdictions is important.
True. There used to be a way to open up anonymous bank accounts in Switzerland where anyone with the account #/access code could withdraw/deposit cash, but no more. Unless I'm mistaken, Switzerland also has its own version of KYC laws.

p.s. I pay all my taxes and take all the deductions I can.

Indeed. They're still outside of the 5/9 eyes, the EU, and have cantankerous judges. However the actual laws are no-longer that privacy preserving.

Iceland seems to be the best country for that. However, there are few services, little competition, and high costs.

If anything, a better title would be “Use VPN services for security, not privacy”. I don’t know about others, but whenever I’m using a VPN, I pretty much only have security in mind for when I’m using public WiFi’s.
As always, you have to do what is right for your threat model. I personally run my own VPN mainly for peace of mind when I'm on untrusted LANs. It's actually not that hard to do, and I can easily serve both my phone and my computers.

And as always, if you have an APT after you...you have bigger problems than what VPN provider you should use.

This gist is at best a straw man.

I view VPN services more as "Kabuki Theater": The major governments need to keep up the pretense that they aren't reading our traffic via arrangements with the VPN providers, and in return they promise to keep our actions secret BUT ONLY if we aren't engaging in a national crime such as terrorism or espionage.
This seems like bad advice because it doesn't address the legitimate need for keeping your browsing history private from overzealous, data-mining ISP's [1].

And even in the case of a known-hostile ISP that engages in invasive practices like supercookies or ad injection, it's unrealistic to ask users to set up and maintain their own VPS servers.

For the average internet user, a "glorified proxy" service that is hassle-free to set up is a simple and effective means of protection against such a menace.

[1] https://techcrunch.com/2017/03/29/everything-you-need-to-kno...

It was addressed, indirectly, at the end - "You are on a known-hostile network". In my case, one of my links is Comcast, a known-hostile network.

I agree it should have been much more prominent, because this is exactly why I use one, and why many folks I know use one.

"a known-hostile network"

aka "the internet"...

Good, I want to be known as actively hostile
This gist was also written in 2015, I think the knowledge of ISPs data-mining is more public now (even though it was likely going on then anyways in some format)
It seems like bad advice because it is, frankly, just bad advice. Nearly all of his arguments fall down, even within his own post.

He says that VPN providers don't provide more security. They do, and he mentions this himself when it comes to the public wifi argument.

He says that VPN providers don't provide more encryption. They do. Another layer of transport encryption is another layer of transport encryption.[1]

He says that VPN providers don't provide more privacy. They do. Turns out a lot of networks do things like log DNS, which a decent VPN client can tunnel.[2]

He says there are two use cases for VPNs: There are a lot more.

He says that tunneling all of your traffic is a worse case for obfuscating your identity to a third party service. It's not, or at least I can't imagine how it would be.

He says that instead of a VPN, you can use a VPS with a VPN: That's just a VPN. It does all of the same things, including being outsourced to a third-party provider, except you lose a ton of the functionality of a real VPN service like geographical redundancy and spread.

He asks why VPN services exist, if for any other purpose than stealing traffic or data, but fails to understand any way in which a VPN service could be useful.

The entire piece is just the opinions of someone who is failing to see that other people have significantly different use-cases and threat models than he does.

-

[1] Especially if you think of "local -> internet" as easier to intercept than "somewhere internet -> otherwhere internet". Which it usually is. One involves something dumb simple like ARP poisoning. Another involves compromising a telco or the VPN provider itself, which is a teensy bit harder. All of this is even sillier if you consider the hostile-network scenario as well.

[2] Yes, you are offloading 'trust' that the VPN provider doesn't also log your DNS. There's more chance that they don't when they say they don't, than your corporate network doesn't when they say they do.

There is less of a chance that the Colo or shell account you are using to run psybouncer will hand over anything to anyone before you wipe the machine than there would be directly connecting to a VPN service. I think this is addressed to average Joe Americana who clicks the protect button in Facebook.
He's apparently never been to China... or he'd already understand "Why VPNs".
> There are roughly two usecases where you might want to use a VPN:

>

> You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.

I think that covers the case you're worried about.

Well, an entire country that is behind a firewall that dynamically blocks huge swaths of content by randomly slowing it down and dropping packets... is a little different than an ISP that uses MITM. The problem is not that they are spying on you when you use https, it's that you can't even get your email, search using google, checkout your code, or get to your financial information at all.

You can forget Github, Facebook, Instagram, NYT, but I'm not even trying to use those... I want to get my damn work done. If all my contacts were on WeChat, I only wanted to use Weibo, and could search using pinyin, I might be fine.

A VPN tunnel in the abstract provides the benefits you mentioned, but a VPN service is a slightly different beast. It doesn't solve the problem with your untrusted ISP, it just gives you effectively a different untrusted ISP.

Imagine if, in response to the question, "how do I protect myself from snooping ISPs" someone provided the answer, "Just use an ISP that specializes in providing anonymity." You'd probably object on the following grounds:

* Saying you provide anonymity doesn't mean that you actually do. And track records tend to demonstrate otherwise.

* Your ISP still knows exactly who you are, even if they promise not to tell.

* ISPs who specialize in shady customers are more likely to be under surveillance themselves, meaning you're now more likely to be under surveillance rather than less.

* You're solving the wrong problem: you need end-to-end privacy, not just customer-to-ISP

You'd be right. But more importantly, these same objections apply to VPN providers. They more-or-less ALL specialize in aggregating known-suspicious traffic, which is not the bundle you want to be tied in with.

In fact, any argument you could make against using a Cloud VPN endpoint can also be made against a VPN service provider. Because, and this should be painfully obvious already, VPN providers just terminate their traffic through Cloud and/or Colo hosting providers as well; usually optimized on bandwidth cost over all else. So by setting up your on VM, you're just cutting out one of the middle men. There's nothing they can do that you can't do just as well without them.

> There's nothing they can do that you can't do just as well without them.

That applies to any service out there. Are you running your own mail server?

It gives me a different untrusted ISP and transport layer encryption between my machine and the VPN endpoint. Which, y'know, you admit to later in your comment, so you clearly know what's up, but that's not exactly a minor thing. There's a couple of parties between myself and my content, and this just eliminates the bit players. Y'know, the nerds on public wifi.

And, yeah, I could set up my own VPN on a VPS I rent. They're only $5 a month. I'd just need a couple in the USA, a couple in the UK, a couple in a few different EU countries, a couple in Australia...

The service I pay for from a VPN provider is not ultra secure. It's not even above average secure. It is, however, somewhat secure. And yeah, sometime it lumps me with "known-suspicious traffic", but that's okay: What I'm doing is completely irrelevant to that fact.

Your argument for VPN tunnels in general makes sense, especially if you're on a hostile network, and that includes hostile ISPs you feel you can't trust.

Your argument for VPN services completely forgets that a VPN service in this regard is just another ISP.

How do you know you can trust this ISP any more than the one you're already using?

"How do you know you can trust this ISP any more than the one you're already using?"

Simple. For example, you live in a country where ISP's are allowed to do whatever they want (or forced to do what government/letter agencies wants), so if you value your privacy and data, you use VPN company that's based on a country where private data is respected and protected by law.

And how can you know this VPN provider is not a honey-pot setup by the same forces/agencies you are trying to avoid?
If you are such a high-level target that these agencies went out of their way to setup honeypot for you, no VPN will save you anyway. But in realistic case, nobody is going to setup honeypots just to capture your porn search history.
Well, the opposite is quite common.

Your ISP has strong laws that require a court order for anyone to take a peek or identify you. Your VPN provider does not but can legally do whatever they want with your data. Mining, providing/selling personal information etc. (and they are equally forced to reveal everything asked for when faced with a court order).

The combination of using a service such as a VPN (drawing attention to your activities) with less legal protection is in my opinion the biggest arguments against using a VPN.

Yes, but it's much easier to choose/change VPN than ISP, because because VPN providers usually are not geographically bound as opposed to ISP where it's not uncommon to be stuck with single ISP available. Furthermore, if you have a reputable ISP and your traffic is not being filtered/snooped, there aren't many reasons to use VPN service at all.
Yes, but these are points that are very seldom brought up at all in these contexts yet they are quite important.
A VPN service provider is not an ISP in the single way that is most important to me: In a "my government mandates that ISPs perform metadata collection" kind of way.

My ISP tells me that they do, indeed, operate legally and collect metadata. They tell me that they do, indeed, inject JS sometimes. They tell me that they do, indeed, reserve the right to resell my anonymised data for marketing purposes.

My VPN service provider tells me that they do none of these things, and in fact have been reported in the tech media for telling courts to kindly go fuck themselves when it comes to logging.

Who do I trust collects less data? Well, to be honest, I'm 100% certain that the ISP is doing the things it tells me it's doing. I'm not 100% certain that the VPN provider isn't doing things it tells me it's not, but it's a damn sight sure less than 100%.

And, y'know, despite all that rhetoric: The main thing I use my VPN provider for is to watch the US version of Netflix.

Like most controversial technical advice, the point is not to educate but to pontificate. In addition to attention-seeking, the author's previous Github gists and associated twitter drama suggest a pathological need to be the "smartest" guy in the room.

Ugh.

VPN providers have just as much insight about your traffic as your ISP... it's just a matter of time before they monetize it... and they both know who you are (unless you are very very very careful, which is almost impossible).
VPN providers are replaceable in ways in which last-mile ISPs are not, so they have more of an incentive not to trash their reputations.
Negative on that: all a VPN provider knows about me à priori is my IP (and all that comes with that, like ISP and rough location) and which monero payment ID I used to pay it with (which is entirely useless). In contrast an ISP knows everything: my address, name, bank account, contracted service, fiscal number, etc.

If either of them is going to use my traffic data against me, I'd rather it be the former, who I can easily replace within minutes and has less information about me.

It does not totally invalidate the benefits you mentioned but from what I've heard there are mature commercial services that map consumer IPs to meatspace IDs (name, phone number, address, household income, credit score, etc). The ad industry is both a consumer and a producer of these databases for obvious reasons. Highly likely that multiple levels of law enforcement have access to them as well.
> doesn't address the legitimate need for keeping your browsing history private from overzealous, data-mining ISP's

I think the point of the article is that an arbitrary VPN provider is really no different than an overzealous, data-mining ISP. Unless people can trivially join some sort of anonymized, decentralized mesh network, they are going to be forced to trust a third party at some point.

Who do I trust more Comcast (ISP) or F-secure (VPN)? Pretty easy answer...
"it's unrealistic to ask users to set up and maintain their own VPS servers."

I think that sshuttle[1] changes that calculus.

sshuttle allows you to make any ssh server a VPN endpoint. So you don't need to configure IPSEC or make an SSH tunnel or anything like that - you just need a login on an ssh server somewhere.

[1] https://github.com/sshuttle/sshuttle

AFAIR, it doesn't work for Windows clients, which are a rather large user segment. Still, it is impressively simple to use for Linux and OSX users.
... and it works for FreeBSD and as of our (rsync.net) sponsorship of work done last year, has DNS support in FreeBSD with ipfw as the backend.
Yeah. M ISP has sold data on customers before which is why I uses VPN.

I chose one which seems moderately high profile (where a court case could ruin their reputation), and they are apparently planning on supporting wireguard later on. Seems I picked the right one :)

Have you ever considered it would be easier for the government to pay the VPN providers a large sum to hand over the data, avoid a big public lawsuit, and silently mine all the data without having to break the encryption?
The ISP an the VPN providers are already mandated by law to hand over my data at any goverment request, but a VPN provider is not required to store data for 6-24 months. That is not what I'm afraid of.

I just trust my VPN provider more than my ISP. The data policy of my VPN is much better: they cannot legally sell my data,whereas my ISP make no such promises.

Don't get me wrong - I pay for a VPN subscription too for when I'm travelling/public wifi, but it's much easier to quietly hand VPN providers a nice sum of money for them to just hand over the keys. Everyone leaves happy.

Based on that, I believe if you want an extra level of security for every day use, then go for a big VPN co. If you're doing highly sensitive style stuff, then there's probably better software and services out there. It's all about your threat model I suppose.

I am using mullvad.net, which I would consider large enough.

They operate in a jurisdiction where I can actually hold them liable and where I know which of their claims are leally binding.

I use a VPN for one reason only: to watch Olympics coverage that is good. I'm not ashamed of that.
I use a VPN to (a) prevent my employer from recording my visits to anywhere and (b) my government from doing the same. I use ProtonVPN. This seems like a good use case. And Proton seem like a good bunch. Anyone have any feedback?
your employer doesn't have access to your computer? if they do, they more than likely can see the traffic before it reaches the VPN...
It’s my own machine but of course I’m using their WiFi network.
So we can't absolutely trust a VPN provider - but do we have more trust in Comcast/AT&T/Verizon/etc?
So what's the alternative? Trust my ISP not to do the same? No thanks, I'll take my chances that my well-regarded and relatively cheap VPN service has both less resources to handle massive data storage for as long term, and is no less incentivized to turn huge profits or protect themselves by spilling everything to the government, even if both would under extreme duress. For what I pay, the VPN is a worthwhile little extra protection, not to mention the extra portable security when I have no choice but to use public wifi.
If you're reading HN, one alternative is spin up your own VPN on AWS/Gcloud/DigitalOcean/etc. It's not hard, and there are some scripts / ansible playbooks to automate the process.
Yes, but with all due respect, this misses the point: If my concern is privacy, consider the business incentives to each party for divulging info about me to a government agency or marketer. The cloud services you describe receive revenue from thousands of different companies with various business needs and concerns. Little ol' me won't be a blip on the radar revenue-wise, even if it's a big news story in the internet privacy world. For the VPN on the other hand, a sizable - maybe the lion's share - of their customer base has the same priority as me. If it gets out in public that the VPN caved either to pressures of the state or corporate greed on my data, they'd just as easily do so to anyone else, and customers would flee en masse.
The movie studio will send a DMCA to AWS who will pass it on to you, then what?

Helps with ISP snooping yes, though I expect it to be more expensive (VM and bandwidth in clouds isn’t cheap).

What do you consider expensive? You can easily get a VM with 1TB bandwidth for $5 a month.
I had AWS and Azure in mind.
Is there a good guide/link to these scripts/Docker container/whatever that allows people to set up OpenVPN with a secure non-leaky configuration that reliably forwards all their traffic?
It’s reasonably easy to set up a l2tp VPN on AWS, using cloudformation. Running an EC2 instance for a full month for this costs roughly $5 USD. I don’t really get why someone with a bit of tech skills (=using github) would use a third party VPN service from an unverified provider. Sure enough, if Five Eyes want to get your logs from AWS they will, but for avoiding airport or hotel WiFi’s snooping a simple l2tp VPN over AWS serves quite fine, and it works with mobile phones and laptops without requiring any additional software.
Do you suppose that Amazon, which actively sells cloud services to the US intelligence community, is less able or willing to spy on your setup than a VPN provider would be? I have some bad news for you.
AWS would lose lots of business if their complicity became public. Foreign customers have lost confident in the security/data compliance of public cloud in the wake of the NSA revelations.

It'd be bad for the NSA, too. I assume they are spying but only rarely act on the data they're slurping. If Amazon loses customers, and the NSA has eyes inside, the NSA loses their eyes.

> AWS would lose lots of business if their complicity became public.

So would any VPN provider. The incentives are no different, and neither are the opportunities, so recommending one over the other is a bit suspect.

> US intelligence community

If you're not from the US, you might care about your country's spying way more than about US spying.

I have much higher trust in my VPN than my ISP, which used to make you pay more if you didn't want to be spied on (AT&T).

It also stops them from sending me copyright notices which is a verifiable service.

I'm not overly concerned with traffic being traced back to me via my ISP, so I just run OpenVPN on my pfSense router. Whenever I'm on remote WiFi that isn't run by me, I hop on the VPN and route all traffic through it. Minimizes my exposure on public hotspots, which is what concerns me most.

It's irritating that I have to worry about my ISP, but not irritating enough for me to care. If that changes, I'll spin up a machine on some hosting provider and route traffic through there. It'll suck to have reduced speeds in that case though.

The bayesian guess that customers of a VPN service, specifically, are going to have more interesting traffic, is an interesting thing i hadn't really thought about.

I would think that setting up https://github.com/trailofbits/algo and getting good at moving around from cloud-provider-of-your-choice VMs wouldn't be a horrible idea.

A while ago I saw a link to https://github.com/StreisandEffect/streisand (probably here in HN) and I have it in the list of things-to-do to try it.

In the meantime I have a OpenVPN server at home just so I can log into my internal network from everywhere and use it when on public wifi... For the moment it's more than enough for me.

There’s a third, valid reason you should use a VPN: accessing geo-restricted content. This use case doesn’t require any privacy guarantees above a normal user-ISP relationship.
This has been locked down -- presumably including using targeting services provided by some businesses that apparently don't get reported on, much -- to the point where I've started talking about the "curated" Web/Internet.

There are already large, shadowy forces increasingly differentiating traffic. This also includes access at all via a VPN; more and more, I run into web sites that refuse to serve you at all if you hit them with an IP address associated with a VPN.

Or, they put you through rounds of Recaptcha.

At first, it was just the big commercial streamers. Now, it's a lot more.

Yes. And this applies much of the time even if you run your own VPN from a data center.
That, I wasn't aware of. It's been on my mind to set one up.

I principally use a VPN to keep Comcast and Verizon out of my business (there's no need I endorse for them to sniff -- much less inject into -- my traffic).

As archive.is and others and now increasingly even Google block me and make me jump through hoops, I'd been thinking rolling my own was the next step.

I suppose I can switch to business class Internet at home and run a local server, but...

Curated Internet. One not of our choosing...

Is that still possible? Around a year ago services like Netflix started to block VPNs to avoid exactly this usecase.
EarthVPN has stopped working for me for BBC iPlayer, but NordVPN works fine. I think they change the IPs every so often.
Absolutely. It seems they only blocked a few specific large providers and service types. I often route my netflix traffic through a smaller provider and I never got any service interruption.
Obviously, this guy has never been to China (or any other censored country for that matter).
My guess is US authorities already own, operate, or have otherwise infiltrated some of the major VPN providers out there.