17 comments

[ 3.4 ms ] story [ 48.1 ms ] thread
So is this just going to be a list of Q and A that VPNs fill out?
So we're going to identify untrustworthy VPN providers - by trusting they'll answer these questions honestly. Right. <closes tab>
I guess this allows you to at least hold them accountable if they mess up?

Although the nature of a VPN is that it's going to be very hard to tell if they mess up. I agree that this feels a bit like trusting trust. I'd be a little more interested if part of this process outright required an independent security audit or something with the results made public.

They go right up to recommending that some kind of independent auditing board be made, and then just say, "but we don't have the resources to do that."

They've already got some responses, there's a link to the answers at the top of the article.
Came for a recommendation ... left disappointed.

In the past I found a relatively sane comparison site for most of these vectors on reddit (that I can now ... not find due to an OS reinstall literally yesterday).

Ended up going with iVPN for reasons that are currently unknown.

I'm with Freedome purely based on Troy Hunt's recommendation. Pick someone you trust and listen to them, I reckon.

Every "VPN review" website just seems shady as all hell.

The people I trust say not to use VPN services; look in past HN discussions of the subject.
At all, or "roll your own"?

I'm not going to roll my own. I'm using it for basic security and obfuscation; I'm not a high-risk target. Therefore, a recommendation for a service is still required.

I was talking about commercial, third party services. Roll your own can work better. Tor might be the best option, depending on your adversary: As I understand these things, it works well against corporate tracking and against getting swept up in government mass surveillance; but if you have something in particular to hide from an oppressive government, it may attract attention.

Using commercial VPN services, all you do is shift your Internet gateway from your ISP to your VPN service provider; it's not clear which one is better. They also are honeypots: All someone needs to do is compromise the VPN provider and they have everyone's confidential data. Many VPN providers (almost all of whom, I'd guess) have poor security practices - security is expensive; consider how much security your monthly fee buys. It's just a juicy, high-ROI target.

The creator of Algo, an automated roll-your-own VPN, knows much more more than I do; this is worth reading IMHO:

https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-th...

All that said, I think you do have a point. I'd try Tor, though.

I think the problem is there is no "good" recommendation. At the end of the day, you're trusting the VPN provider to play it straight.

Now if the VPN provider goes on record as saying they don't do any of these shady things, at least you'll have some grounds to go after them legally if they actually do them. I suspect this is why the questionnaire also has a bit about ownership.

Mainstream IP/identity anonymization should be something we're striving for online, both for site visitors and site operators.

Tor is the only project I know of (please comment if you know about others) that removes needing to trust someone from the equation. But Tor is slow and doesn't have many secondary benefits that make it worthwhile to recommend to someone who doesn't care about privacy.

VPNs require trusting a third party, so obviously they aren't great for someone like Snowden. But at least I'm trusting someone I chose instead of being forced to trust Verizon or Comcast. And at least the speeds are good enough to use it for everything, even normal browsing, without feeling guilty that I'm stealing bandwidth from journalists. And at least there are enough benefits that I can recommend VPNs to non-privacy conscious friends and family members.

I dunno. I view this as an unsolved problem. I have no idea how to solve it. But I'm very interested in seeing it solved. I'm glad that Tor exists, but I still don't feel like I could stick it on a router and send literally all of my traffic through it without significant downsides. Certainly I don't think I could install it on my parent's router.

Am I being overly critical? Have things improved, or are there any promising efforts to improve them? I can't even imagine what a technical solution would be that wouldn't rely on bouncing traffic around a bunch of nodes (which doesn't seem to scale well) or aggregating everyone's traffic under a central authority (which is admittedly fragile).

In the meantime I'm using a VPN because it's better than trusting Verizon.

(comment deleted)
> Tor is the only project I know of (please comment if you know about others) that removes needing to trust someone from the equation.

I2P

It’s a Sisyphean task.

Given how easy Algo or Streisand are to set up, why would you bother with VPN providers, most of which have questionable practices and would probably not hesitate to lie on such a questionnaire?

I use streisand and I love it. Easy setup, lots of options, and most importantly, I don’t have to trust a VPN provider. I do have to trust my cloud provider. But it’s encrypted and, to my knowledge, pretty much opaque to them.

Either way my primary motivation is to obscure my traffic from unscrupulous data traffickers.

And tor is also an option, although I won’t use it.

I'm conflicted about Tor. On the one hand, it (or something equivalent) is necessary to fight traffic analysis, but it also slows you down dramatically, and a significant proportion of its users in the US at least are involved in serious crimes like pedophilia, which is why I would never consider hosting an exit node:

https://www.wired.com/2014/12/80-percent-dark-web-visits-rel...