530 comments

[ 4.9 ms ] story [ 339 ms ] thread
It uses Mullvad, and is the same price as Mullvad. I am assuming Mozilla gets a cut. When my current Mullvad subscription expires, I will switch over.
Indeed. Can someone explain why it's not available outside of the US, though? I don't see the logic behind that.
So they can test/ramp up infrastructure rather than open the service up to 8 billion potential customers, and not upset existing customer base.
It's less flexible than Mullvad. This new service is Wireguard-only, and as far as I can tell, requires you to use their custom app.

Mullvad additionally supports OpenVPN and other protocols, and is client-agnostic.

> Wireguard-only

That's great - less features and options are a plus for vpn services.

> requires you to use their custom app.

Sounds odd, if it's just using wireguard.

Might be opinionated to support a high quality user experience.

Guard rails can be good depending on your audience.

I second this. My family uses ProtonVPN and their own app is so clean and simple that even my mother can use it.

They support OpenVPN for when that's needed.

I’ve been speedtesting a few VPN networks, and the biggest surprise has been how fast Mullvad + Wireguard are. I need to try NordLynx (NordVPN’s flavor of Wireguard) for more of an apples-to-apples comparison, but at least on the speed metric, it looks like Mozilla chose a good partner.

Making deeper data exploration possible is a work in progress, but you can see what I have so far here: https://vpnwire.co

Is Mullvad the only provider you are using with WireGuard?
Yep, the rest connect with OpenVPN at the moment
How close is Mullvad to your max bandwidth? In other words how much loss of bandwidth do you see?
Max bandwidth is about 7 Gbps
deleted
Yeah this comment makes no sense. That would be terrible publicity for Mozilla.

Also, Reddit uses HTTPS (like every other mainstream website) so Mozilla/Mullvad can't see what you're posting or even what your username is.

As long as there's no leaks over http traffic of course. Advertisers are great at data exfiltration.
Essentially their former CEO was/is against gay marriage and donated to some organisation that was campaigning against it.

People found out, some employees weren't happy also some sites put up a message when Firefox users visited.

OkCupid (a dating site) straight up blocked Firefox users saying that they prefer users to use other browsers.

So as Mozilla is a company. They decided to get rid of the CEO. Because he was now bad for business.

However for some people in the tech world. This was an unforgivable sin: an attack on free speech.

I think this was a setup.

Brendan Eich is the creator of JavaScript and was the CTO of Mozilla.

He is intelligent and works hard on open source. However, he HAD opposed same sex marriage.

While he was CTO of Mozilla, no one cared. When he became CEO, there was a smear campaign to get rid of him.

I respect his contributions, but not his politics. He has the freedom to say what he believes - I still use Firefox. IMHO this was just an excuse to get ride of him as CEO.

Yeah, I never really understood all the animosity against Mozilla or Firefox around this.

IMO giving money toward homophobic causes is reprehensible, and Eich sounds like someone I wouldn't want to be friends with or work with, but he is not Mozilla and Mozilla is not him.

> He has the freedom to say what he believes ... IMHO this was just an excuse to get [rid] of him as CEO.

I support the right of employees to hold their executives to high standards, even (especially?) when those standards aren't directly related to the work they do. It was a messy situation and perhaps not handled perfectly, but I don't see anything wrong with the end result being his resignation. Yes, the timing was suspicious (I would have been uncomfortable reporting to him "even" as a CTO), but I would argue more along the lines of "took you long enough" instead of "why is this suddenly an issue now?"

> ... but not his politics

I really dislike seeing things like this phrased as "politics". Treating other people with respect and giving them equal rights isn't politics, it's basic human decency. I hope in 50 years we look back at this time period and are appalled at how we treated our fellow humans.

(comment deleted)
> promote legal views that Mozilla disagrees with

How would they know?

The parent is transparently concern trolling so it's not worth engaging with, but to answer your question it's important to remember that VPN providers have access to all of your traffic. Even if you use HTTPS and other encrypted standards you can probably infer a lot of personal information about a user by just monitoring when and where they connect to.

It's even arguably a bit worse than an ISP because any given internet connection may be shared across many users, and users often move between several connections managed by different entities. VPN on the other hand are generally personal and keeps tracking you regardless of whether you use your home connection, mobile data or a free WiFi connection.

I know this, I only asked because Mozilla, like most other VPN providers, promise not to snoop on your traffic, so OP's concern boils down to "but what if they're lying?", and you could ask that about virtually any service.
FTA: "we are [...] committing to never track your browsing activities"

But based on your comment it seems like you harbor a deep distrust for Mozilla, in which case obviously you shouldn't use their products?

Given the high ethical standard of Mozilla I’m not sure how popular this will be.

For example, a while back there were research showing nord was setting up users as proxies, there by making it impossible for Netflix to block these residential ips.

I don’t think Mozilla will do this.

Well, they use mullvad.net (I’m a customer), and they seem pretty trustworthy while Nord was always the opposite of trustworthy.
Every single time I start researching VPN services I end up more confused and with more questions than before because basically every vouched service has the same amount of negative comments too. Like feels like the whole sector is a honeypot (lol) of shady stuff and also they figthing against each other (or not?). So I just wait until when turns out Mullvad is also one of the bad guys.
I use ProtonVPN. Same company as ProtonMail. Highly reputable with a business model around doing privacy and encryption well.
NordVPN shares offices in Estonia with ProtonVPN. For that reason I find it sketchy.
I would like to read more about this, do you have a source?

I cannot find anything reliable that suggests this! Thanks.

This suggests the opposite of what you say in your original comment.
You should also link the HN thread where proton categorically denies the claims.

In particular, the claim that tesonet controls protonvpn's release signing key.

https://news.ycombinator.com/item?id=17258203

I was not the original person that replied to you. I was just providing with you with information on the incident they were referring to. Proton denied the claim but it is up to you whether you believe them or not.
>NordVPN shares offices in Estonia with ProtonVPN

What really? Some proof for that? ProtonVPN and ProtonMail is located in Switzerland Genève, i dont see any open positions for estonia

https://careers.protonmail.com/

I don't think NordVPN is sketchy, even with their latest hic-ups. They are however located in Panama as far as I know, which probably gives the US access for "drug trafficing".
IMHO ProtonVPN (and Mail) are the perfect honeypots
(comment deleted)
ProtonVPN provides the source code for their desktop and mobile clients in their GitHub organization [1]. Yes open source != safe; however this level of transparency is at least a step in the right direction.

They also have regularly been audited by independent organizations that are openly available for the public to see their compliance [2][3][4][5][6].

Do you have any evidence to suggest that they are honeypots?

[1] https://github.com/ProtonVPN

[2] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...

[3] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...

[4] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...

[5] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...

[6] https://protonvpn.com/blog/open-source/

And how do you know if what they built is exactly what's in that source?
Hehe, exactly, oldest trick in the trade
You seem to not have read my comment. I said open source != safe or trusted.

You can download the entire repository, and self compile yourself after you inspect the code.

I call that bullshit until you have a single proof for that.

Everything is opensource, the data s are located in Switzerland on there own hardware. They have open communication and a yearly transparency report:

https://protonmail.com/blog/transparency-report/

Ask yourself why you want a VPN.

Is it to avoid your ISP collecting browsing data off you and selling it?

Perhaps using 8.8.8.8 or 1.1.1.1 as your DNS might be good enough.

Is it to watch geo region blocked videos?

Then pretty much any service will work for you. Except that video streaming sites have caught on and blocked hosting provider IP blocks. So that might require you to shop around.

Do you want the most privacy or want to get around blocking?

Then get a VM from a provider and configure a VPN to it. Wireguard works fine.

Want to do something illegal?

Don't expect a VPN to save you.

>Want to do something illegal? Don't expect a VPN to save you.

I'm not condoning piracy, but VPNs are generally a foolproof way to avoid DMCA letters from your ISP. Privacy means something different to every individual, everyone's threat model is different. And many models can benefit from a VPN; journalists, activists, and many others might find benefit from using a VPN.

Are DMCA letters still a thing?

It seems like Torrenting died out significantly over the last 5 years.

I moved to Germany and apparently they're still very much a thing here. Torrenting popular shows sans VPN is -- at least according to Germans on reddit -- an easy way to get sued, and forced to pay hundreds of euros.

Obviously, I have no interest in testing this out myself, so I take their word for it.

I lived in Germany for years, and this is absolutely the case. Don’t mess with torrents in Germany without a VPN.

Except for those Linux ISOs, of course.

I got C&D from Daedalic Entertainment. They demanded 1.1k or something along the lines. I was on welfare at the time, so a lawyer was not within my means,so I objected. I'm not sure what happened next because I probably didn't open the letter from the court (getting a manila envelope is fucking scary in addition to the stress of already being broke) but they seemed to have got a verdict against me and suddenly I owed over 2k. That being said I got a few letters from lawyers and replied with a legal note promising not to do it again (with any clause concerning automatic fines removed) and beat them by simply ignoring their demands afterwards. So it's entirely possible that I simply fucked myself with Daedalic by not opening their first letter and replying with a note. I haven't pirated in years but have gotten a VPN and will start back up because the fragmentation in the streaming space pisses me off too much especially since there's stuff I can't legally get here.
Just go to any popular torrent site and see the number of people in the swarm. A little harder for less popular stuff but nowhere near dying out.
Maybe in the US. Definitely not in ex-USSR. I don't know of any single person who's paying for anything other than Steam games (and that's only because they have prices adjusted to our ridiculous wages.)
Can't wait for the "you don't need a VPN" folks to acknowledge that they don't understand why lots of people actually use VPNs. It's DMCA, man. DMCA.
Rather ironic that people pay for VPN services to access content that they won't pay for.

Just don't bother with Big Media content and they won't need a VPN...

There's plenty to do in life other than torrenting the latest HBO series.

Rather, it is used for accessing content that you can't pay for, given that Amazon Prime, Disney+, HBO Go, and I'm sure many more are (or were in the past) simply not supported on linux devices.

And, "Plenty to do in life" is a value judgment, and isn't relevant to this discussion.

They'll go after you for downloading something you already paid for, or was free to begin with.
"Millions for defense, but not one cent for tribute." -- Robert Goodloe Harper
I got one about a month ago (United States, the smallest of the three ISPs available in my area). My ISP had a screwy way of injecting the complaint, which I almost missed. I had to call them and actually request the complaint be sent by mail so I could see the details, which I don't understand why they didn't do in the first place... They actually served it to a guest in my house, who thankfully told me about it, so I could investigate.
i torrent from home, i also work from home.

i just never wanted my job to hire some dumb IT consulting firm to do some cross between IPs on a swam and IPs VPNing in as a "threat analysis" and my dumb name getting dragged into an office. I know it's far fetched, but $40 a year of PIA keeps my mind at ease.

if you work from home and your company provided computer do not talk exclusively to a VPN tunnel into their network, I doubt they will pay a threat analysis.
They're too busy working through Twitch at the moment.
It goes w/o saying but most if not all the cloud providers map IP to account, so using a VPS may have get your account sanctioned or revoked.

Defiantly don't spin up these VPN/VPSs on an account you don't mind losing.

Have received DMCA emails from DigitalOcean for torrenting on their boxes. Can confirm.
There are seedbox services that allow public torrents and don't forward DMCA emails.
If you're going to do that kind of stuff, make sure the provider is based in another country. That gives you a pretty strong layer of protection against these kinds of things. Of course, nothing is entirely foolproof...
I used to work at an ISP, and once a month I would stuff envelopes with DMCA letters. I can assure you, that the only thing your ISP is doing with this letters is laughing at whatever porn you downloaded. They're just a scare tactic, and if you get one, you can almost certainly ignore it.
Didn't Cox recently lose a big lawsuit for not actually doing anything to punish repeat DMCA offenders? I'd be cautious about assuming those letters are still harmless today.
No.

They got a $1bi shakedown in a local court because they successfully fought the RIA in 2015 and won (it was $25mi then).

This time, Cox legal team tried to simply stand behind the DMCA safe-harbor (just like google does) and somehow lost.

it will appeal and win (or likely settle out of court as RIAA already got what it wanted, a hole in safe-harbor)

This varies between ISPs. Some will shut off your connection after a certain number of DMCA letters.
I've had a connection shut off because of three letters. Spectrum.
Spectrum is a joke. They constantly call me and expect me to provide them my address and payment details like it is a sane thing to ask.

Which is sad because their pricing model is less stupid than most of the competition.

Yeah, I think "VPNs won't protect you from the law" is far too broad a brush to paint with. There's no credible evidence that these services won't prevent a court or regular law enforcement from tracing an IP to a name without some specific arrangement to unmask you beforehand (there's a specific case where Private Internet Access replied to a subpoena saying they had nothing to provide), so people worried about that might benefit from a VPN, but of course it does nothing for the rest of the threat model. Torrents are pretty much the perfect crime in that it's a simple exchange of bits between parties that have nothing to do with each other, most other types of illegal activity involve myriad other ways to get caught that have nothing to do with a VPN. People who rely on VPNs alone to protect them from getting prosecuted for things like hacking and people who say VPNs are useless are wrong in exactly the same way: they don't have a complete/realistic threat model.
> Is it to avoid your ISP collecting browsing data off you and selling it? Perhaps using 8.8.8.8 or 1.1.1.1 as your DNS might be good enough.

Wouldn't your ISP still see what IP's you are visiting? Then, your ISP could just reverse DNS that IP to get the domain name, right?

Not necessarily, many sites are hosted on the same VPS, or the IP could just be one of 5000 CloudFlare servers serving up the page you requested.
Maybe, but most ISPs are lazy/cheap and can't do a full-take packet capture of all customers data at the same time. The ones that I have seen usually have a custom or logging DNS server that associates each domain request with a customer account. So yes, in many cases, changing your DNS server is enough to avoid the larger DNS sniffing operations. You should also use an IP check query to make sure that you are really using the DNS server you think, and that you're not being DNATed back to your ISP's DNS server.
DNS is super trivial to redirect. I've been on ISPs that redirect _all_ DNS traffic to their servers regardless of where it was sent. The best solution here is to switch to DoH. Of course then your DoH provider gets to log all of that sweet info instead.
Not if you run your own DoH endpoint on a VPS!
I have my own unbound running on a VPS. My network intercepts all port 53 traffic, filters out ad servers, and then forwards over wireguard to my VPS. I should probably enable DoH as well. I'm feeling kind of lazy about it though.
I think ceasing to use your ISP provider's unencrypted DNS services will already bring quite some boost in privacy for the average internet user. That's why I recently switched to using DNSCrypt (https://github.com/DNSCrypt/dnscrypt-proxy) with one of the public providers listed here: https://dnscrypt.info/public-servers (pick one run by some university or internet activism organization).
It also brings an increase in recaptcha puzzles lol
Most ISP's wouldn't care... and they shouldn't
This time when I changed internet service providers from Cox to AT&t fiber, I was shocked to find that I could not change my DNS to point to the OpenDNS servers!
AT&T requires you to use their DNS? Did you try doing DoH to bypass?
> Is it to avoid your ISP collecting browsing data off you and selling it? Perhaps using 8.8.8.8 or 1.1.1.1 as your DNS might be good enough.

8.8.8.8 is Google’s DNS so you’re really just trading being tracked by an ISP to a giant advertising company...

The privacy policy for 8.8.8.8 is actually really good: https://developers.google.com/speed/public-dns/privacy I wish more google products were so explicit in what they log and for what purposes.

(Disclosure: I work for Google)

Not related to this thread: Do you have any way to communicate with actual humans inside of Google who can do anything? There are demonstrable issues with 8.8.8.8, yet I cannot get anything but the occasional form response from every address I've tried.
Could you point what you believe to be the issues in the thread?
If you wanted to describe what was wrong, in a way that I can reproduce it, I could file a bug, yeah
Complaining about a reproducible issue on a public forum works. Even if you don't get direct feedback, there's a good chance it will get quickly forwarded to an teams' internal mailing list.

A lot of google engineers read hacker news comments, reddit threads, etc. all the time, and generally try and route good feedback where it belongs.

And then it's a shitty trade, because your ISP still can track you without much difficulty.
Not just track you, some ISPs will simply redirect all UDP port 53 DNS packets to their own DNS anyway.
Which ISP?

People arguing against DNS over HTTPS claim stuff the doesn't happen so it'd be good to have definite examples.

The best argument I've heard about DoH (at least Firefox's forced implementation) is that it turns a distributed collection problem for the bad guys with guns into one-stop shopping for the bad guys with guns.
I know until recently Sky broadband was doing this.
Though the last option doesn't give you anonymity. It just gives you privacy from your ISP. Any services you connect to can tie you to the IP of your VM. Sometimes the shared IP of a VPN provider might be desirable.
Just FYI just setting your DNS to 8.8.8.8 or 1.1.1.1 may not do that much. Not only is DNS in plaintext, but some ISPs simply redirect all port 53 DNS requests to their own DNS.

If you want privacy with your DNS, you should setup DoH using dnscrypt-proxy or perhaps DNS over TLS.

Personally, I think a better strategy with this whole vpn aspect is to just setup a vpn with pis in various countries + pihole. At least that way I know what the setup is happening in each locations and what expectations of privacy I can expect.

T-Mobile US was definitely doing this at one point: silently rerouting popular third-party DNS services back to their servers
Unless you are using a VPN/Wireguard/Proxy your ISP can simply look at the source address on the IP packets and do a reverse IP lookup to find out what site you are accessing. Doesn't matter if you are using DoH, DNS over TLS, DNSCRYPT, etc....

At a conference I was talking to one of the OpenDNS engineers on the DoH project and when I asked "so how does DoH help snooping if people can just look at IP headers?" they conceded that it really doesn't help if someone is determined to snoop.

Doesn’t work with a large number of sites because of Cloudflare.

Edit: it _is_ easy to read the destination address from TCP packets though.

Yea, you are correct. I got it mixed up, your ISP would look at the destination address of outgoing packets from your home.
Additional use case: you want to self host at home ? A VPN will give you a public, stable IP address without having to fiddle with your router and opening ports and NAT-punching and friends
(comment deleted)
Your ISP can sniff your DNS traffic as it is just a plaintext protocol.
As long as you don’t use encrypted DNS (e.g. DoH) it doesn’t matter which DNS server you use - the ISP sees your requests and the replies, and the sees you accessing the returned IP within 10 seconds.

Also, unless it’s behind Cloudflare. Most nontrivial sites today have a unique IP so even with DoH there’s a good probability any specific site will be identified.

If you want your ISP to stay ignorant of where you surf, you MUsT have a VPN.

I regularly think that claims of astroturfing are overblown, but it is common in the "privacy" focused industry to FUD competitors to gain market share.

I'm immediately reminded of some shady search engine CEO going on OAN and other fringe shows posing as a security researcher to spread FUD about DDG to drive traffic to his site (can't find the link for it now.) That OAN video even went around the security industry (among compliance and less technical folk) who were persuaded DDG was now worse than Google for consumer privacy.

VPN’s just mean you’re trusting someone else than your ISP. Instead of your ISP seeing you go to site.com, now your ISP sees you connecting to a VPN and the VPN sees you connecting to site.com.

For this reason I am highly suspicious of any VPN service that markets itself as some “magical privacy wormhole”, which is 99% of VPN providers.

Honest ones I know of are Encrypt.me and Mullvad, who both tell you they should be mainly used to secure yourself on open WiFi and to circumvent geo blocks.

If you want a private internet connection, use TOR.

Some reasons you might get some negative vibes from looking into consumer VPN services:

* Some consumer VPN services have been found to be doing sketchy things. And you can imagine the business is attractive to people intending to do sketchy things, since it's a powerful/lucrative position to be in right now. (In addition to the business possibly being attractive to people just wanting to provide a useful and honest service for a fair price.)

* There seem to have long been referral kickbacks by some consumer VPN services, which I assume is the cause of some of the huge amounts of noise on the Web and such about them (e.g., search hits on some non-VPN topics, such as some home theatre search terms, overwhelmed by SEO articles, the purpose of which is to then herd the reader towards particular VPN services with a kickback). Even some endorsements by organizations might essentially be more about revenue than about merits.

* I speculate that it doesn't help if one of the main historical uses of consumer VPNs has been for activity that would be considered copyright-violating in the US (e.g., unauthorized trading of video files, or circumventing region restrictions). Without making any moral judgments, I think it's fair to say that constitutes "conscious rule-breaking" for some, so I wouldn't be surprised if there's an disproportionate culture of rule-breaking around the whole space.

The hypothetical culture of rule-breaking might not be convinced by a culture of rule-breaking surveillance. Seriously, I think government has gone to far with surveillance and that just means that I want to minimize my data collection on a domestic level.
Public VPN services should not be trusted blindly. Online anonymity is very hard. However, you can still create your own VPN server on cloud providers for at least have some privacy while you are on an untrusted network.

Because of this reason, I created https://zudvpn.com - It is a free and open-source mobile application that's used to deploy a private VPN server on major Cloud Providers!

Github repo: https://github.com/zudvpn/ZudVPN

How do we know this is safe from bad actors? If it's in the U.S. is it safe from discovery? For example Watchtower tried to use 'copyright Infringement' to force reddit to give a usernames IP and account information. https://m.youtube.com/playlist?list=PLkdgWccrJAy53-jeBxM3Pk_...

VPN's are the only way of protecting what should be protected speech. You have to not keep logs or anything that allows a court to find the identity of a user.

> How do we know this is safe from bad actors?

You don't. You never will. This is the case not just for Mozilla but for all VPN services.

Until there's some kind of hardware-level attestation that verifies a server is running a particular software installation, that's going to remain the case.

> VPN's are the only way of protecting what should be protected speech.

No, if you want safety, a VPN is not the solution. VPN providers have invested a lot of marketing in trying to tell you otherwise but it's simply not true.

All a VPN does is move what little trust you're forced to have in your ISP to a different, often less-regulated ISP.

The solution if you want privacy and/or anonymity is a technology built for that purpose, like Tor or I2P.

> to a different, often less-regulated ISP

"Less-regulated" is usually the entire point of using a VPN. Regulations force your local ISP to keep detailed logs and reveal who was using a certain IP address at a certain time to various entities based on sketchy circumstantial evidence. If you go through a VPN then anyone trying to track back the IP address has to go through the VPN provider first—who probably doesn't keep such detailed access logs, and may well be in a completely different jurisdiction—before they can even begin to approach your local ISP. You certainly shouldn't rely on it exclusively, but it's an important part of defense-in-depth.

Forget the VPN--I already have a VPN provider and I have no interest in changing. Offer a paid e-mail service, on the other hand, and I'd sign on up Day 1.
This right here. And a hosted suite of productivity tools that have documented, public formats that contain all of your data (and not just a link to the cloud-hosted copies).

Amazing that GSuite's only real competitor in 2020 in Office365.

Would a Nextcloud instance work?
I've checked out Nextcloud a few times, but it really needs a sizeable and trustworthy brand that would host it for you, allow you to point a custom domain at it, and provide zero config email/calendering out of the box.

I'd trust Mozilla.

I second this wholeheartedly. I would be happy paying at least the $5/mo that they're charging for the VPN to have web-based access to privacy-respecting email service tied to a name I tend to trust like Mozilla (hopefully with a fairly vanilla domain name that doesn't get weird looks).

Purism's Librem One suite [0] comes the closest, but I just don't have the trust in them that I'd want before pulling the trigger. They have a history of making grand claims with sub-par delivery, which just doesn't cut it for a service like a primary email provider. They've claimed plans to add features like file storage for ages now with no updates. Email is just too important a part of daily life to risk it.

[0] https://librem.one/

I've heard good things from HEY[1]; I've been thinking about using their trial

[1]https://hey.com/

Hey looks great and I trust it will be around for a while. Unlike inbox from Google.

I would 100% sign up for hey if I didn't migrate to Fastmail this year.

Unfortunately it's invite-only, at least for now.
(comment deleted)
Isn’t $4.99 pricey for a VPN? I pay about 3 for Nord.
Nord locks locks you into an eternal contract and has a pretty bad reputation for multiple reasons.
>Nord locks locks you into an eternal contract

What do you mean? I paid NordVPM for a 2-year contract, which expires in a few weeks. What does "locks locks" refer to?

Sorry, it was meant to be a single "locks". And yep, I'm referring to that type of contract.
It is a bit pricey compared to the competition (lots of VPNs out there that cost ~$3/month) but apparently Mullvad is the VPN provider for this offering, and they cost $5 a month because they are considered one of the 'best' VPNs in terms of privacy (for example, they will accept cash payments: https://en.wikipedia.org/wiki/Mullvad#Privacy ).
Is it at all slow? I've found a lot of VPNs actually slow down my connection which makes me less willing to try them.
Price is in line with Mullvad which they are piggybacking off of. Nord has an iffy past and they advertise a lot(often exaggerated claims) which is a red flag for me.
(comment deleted)
It's a rebranding of Mullvad. I'm happy with Mullvad itself, and while I think Firefox is the most important browser I'm not very happy about Mozilla arguably destroying its brand and seemingly pivoting away from maintaining it. I'd directly pay for the development of FF, but not Mozilla's "btw, we now sell $completely_unrelated_product_without_even_an_ethical_business_model".

They seem to be relatively safe from forking though, because apparently the code base is too much of a mess. Yay.

You say that, but not enough people do directly pay for the development of Firefox. Of course, you are welcome to donate to the Mozilla Foundation.

Also, your complaint about an ethical business model seems unfounded, especially in this instance.

> you are welcome to donate to the Mozilla Foundation.

Which does not pay for the development of Firefox.

The Mozilla Foundation annual financial statement include its subsidiary Mozilla Corporation. And most of the Foundation's expenditure is staff costs, for the Firefox project.

If that doesn't satisfy you, note that targetted donations are also a thing.

Unless everyone does targeted donations, it's pointless. It's like adding water to one end of a pool and expecting the water level at only that end to rise. If only a small percentage of donators ear mark their donation to Project A, then the less money will come out of the general fund for Project A and more from the general fund will go to Project B. The money you just donated didn't increase the budget for Project A, instead the organization just increased the budget for project B.

In other words, targeted donations are not a targeted budget increase.

> Also, your complaint about an ethical business model seems unfounded, especially in this instance.

I have no concern about the VPN service itself since it's Mullvad which I like, but the devaluation of the branding (which I consider a long term problem).

Look at stuff like Firefox Send and Pocket. The latter is proprietary (holy shit, how is that ethical?) and the former bugs you with in-page pop-ups to get an account when you try to change the settings that looks either very stupid or malicious (and they invested a lot of money). I thought it was a bug at first.

They may sound like specific petty issues, but I consider them symptoms of a gigantic systemic problem.

I am aware of Mozilla's financial struggle, but don't think this is a good way to solve it, or much of a viable one at all. I fear it will completely dilute the Firefox brand, lose core user's trust (what they have left, anyway) and result in barely any revenue. It may well result in the permanent ruin of the Firefox (the browser) project, especially since it appears to be 100% dependent on Mozilla because of its high entry barrier.

I do see the idea behind the pivot I think, which is banking on the rising popularity of privacy, but honestly I don't think they even have much of a good reputation on that front. The wide public doesn't know ("Mozilla is like Google, right?") and the techies have been burned too often. Neither do they explain much in their surprisingly widely deployed phsyical ads (how much did that cost?).

What good is a VPN if you have to reveal all of your personally identifiable information to the vendor?

You're better off using Mullvad directly--it looks like they don't require you to fork over personal information to use their service.

Shameless plug: SatoshiVPN (https://satoshivpn.com) gives you access to your own private and anonymous VPN server with Outline pre-installed, no questions asked. Payments in Bitcoin only.

> What good is a VPN if you have to reveal all of your personally identifiable information to the vendor?

Because most peoples threat model doesn't include actors that can force a VPN provider to give up their data. They just use it because it's making it easier to not get data stolen in a coffee shop and watch US Netflix.

If you have two equally great user experiences and in one case you have to share your personal information, and in another you don't, which would you choose?
The one where the company behind has a good reputation and seems trustworthy. Like Mullvad where their real address, developers, history and open source projects are available on the website (https://mullvad.net/en/help/no-logging-data-policy/) and they have been around for a while without any scandals that I'm aware of.

If there's a new provider out with no name, company address, audits or history and tells me they are not sharing personal information I just have to take their word for it. So it's not much better than the alternative if I can't verify it.

Assuming Mozilla isn't compelled by law to share it's entire database of user information on a rolling basis without a warrant, I suspect (in the U.S.) it would be somewhat effective at shielding yourself from bulk metadata collection (government mass surveillance) of your online communications by obfuscating that metadata.

Compare this to your ISP and telecom providers. A subset of the larger providers willingly handed over the communication metadata of their users without warrant.

You know what they say about assumptions.
We know as of 2013 this was the case. Participating in the government's bulk metadata collection was voluntary. 2013 is a long time ago though.
Can you comment on the pricing? Am I understanding correctly that 1 year of your VPN service costs $195 USD?
That's correct. Or, $1 for 1 day. Or, 1 hour for free.
Public VPN services should not be trusted blindly. Online anonymity is very hard. However, you can still create your own VPN server on cloud providers for at least have some privacy while you are on an untrusted network.

Because of this reason, I created https://zudvpn.com - It is a free and open-source mobile application that's used to deploy a private VPN server on major Cloud Providers!

Github repo: https://github.com/zudvpn/ZudVPN

> At Mozilla, we are working hard to build products to help you control of your privacy and stay safe online.

> We know that we are on the right path to building a VPN that makes your online experience safer

Commercial VPNs are good for censorship circumvention or location spoofing. It is irresponsible to market VPNs as something which “protects” you online. In reality, they do nothing to improve security, and very little to improve privacy.

You do not need a VPN.

https://gist.github.com/joepie91/5a9909939e6ce7d09e29

https://schub.io/blog/2019/04/08/very-precarious-narrative.h...

The "Don't use VPN services" argument is weak because it doesn't acknowledge one of the most common reasons for using a VPN: avoiding DMCA notices.
That’s what I said. VPNs are good for “location spoofing,” i.e. changing your web-facing IP address to a different region. VPNs are great for this purpose.

The issue is, VPN companies (Mozilla included) are marketing their service as one that improves your safety when it doesn’t.

The value of location spoofing is to access geographically-restricted content (like a netflix show that is available through their service in Europe but not the US), not to avoid DMCA notices. VPNs are valuable for avoiding DMCA because it hides from your ISP (the entity serving you the notice) what you are torrenting.
If you live in a place where the ISP actually looks at what you torrent and does something about it then you clearly need a VPN. Luckily that mostly happens in places where a DMCA is the least of your worries, like eastern europe and the middle east.
I don't know anything about how frequently Eastern European and Middle East countries act on DMCA. But I do know that this frequently occurs with US ISPs.
I see this take a lot. Serious question: doesn't the U.S. government surveillance program focus on collecting communication metadata for U.S. citizens? While it isn't clear what that metadata includes, we do have examples of past programs that have leaked (and the legal theory used to justify them) to guide us.

Given what we publicly know about these surveillance programs I could see FISC approving bulk metadata collection for the IPv4 header content, insecure HTTP header content, and DNS queries.

Wouldn't using a VPN, DNS over HTTPS, and HTTPS everywhere shield you from these bulk metadata collection programs? I run https://everytwoyears.org, a political non-profit focused on ending these programs, and I view VPNs as a key technical piece of preventing these metadata collection programs from functioning; if the security community doesn't believe they are effective, I would really like to know!

Another way of saying this: collecting _content_ of a communication requires a warrant (and our mass surveillance programs respect that from what we publicly know). Most people that I know aren't trying to avoid active (we have a warrant to search you) monitoring with a VPN, but trying to avoid passive warrantless monitoring. Obscuring communication metadata through encryption and tunneling seems to be an effective way of doing this.

This is a good question and I would like to discuss it.

If the government is able to passively collect metadata from your ISP, couldn’t they do the same thing with a VPN company?

The original form of the Presidential Surveillance Program didn't compel service providers to share this metadata. The providers willingly shared it. There is a reference to a service provider backing out of the agreement several years after it started stating they would feel more comfortable continuing to share their data if the government compelled them.

This may have changed since 2013.

If I were a government trying to gather metadata about web usage, the first thing I'd do is set up or acquire my own VPN company (and make it look convincing, of course).
(comment deleted)
I wouldn't.

What percent of the public do you think uses a VPN? And do you think VPN users are a representative sample of the general public?

VPN (and tor) users are the ones you'd be most interested in as a government. So it doesn't matter how much of the general population uses your VPN as long as you convince the ones you're interested in to use one.

And for all of those not using a VPN, just ask the ISPs.

(comment deleted)
> In reality, they do nothing to improve security

This is a bad take. I don't have the energy/time to go too in depth at the moment, but I've commented in more detail in the past. The short version:

- HTTPS isn't perfect, sites sometimes support old encryption protocols that can leak resource information. Most users aren't checking packets from native apps to ensure they're being sent over HTTPS, and browsers don't mark sites that are configured for old SSL/TLS versions as insecure.

- Most people aren't currently using encrypted DNS, and even as browsers like Firefox and Chrome move to turn it on by default, there will still be tons of older devices and native applications that lag behind.

- VPNs only encrypt your connection from you to the provider, but the space between you and the provider is the part that's most likely to be targeted by attackers. You are far more likely to accidentally send a plaintext POST request to an infected router than you are to be targeted by a nation-state actor on the open web.

- VPNs aren't just for hiding what sites you visit from your ISP, they're also for hiding your IP address. The linked claim that IP addresses are irrelevant is just outright wrong, IP addresses are extremely helpful for doxing, and sites like forums don't always secure them[0]. If you know my IP address, you'll be able to get surprisingly close to my real address.

A VPN on its own will not protect you or provide you with a noticeable privacy increase. And a VPN should not be the first thing you reach for if you're trying to improve your privacy. But if you're already using an adblocker, if you're already taking steps to mitigate tracking in Firefox, if you're already disabling Javascript on most sites, if you're already avoiding native apps that break the browser sandbox or engage in hardware tracking, you do eventually reach a point where your IP address is a concern you will want to address.

Ask yourself a few questions:

- If IP addresses don't actually matter for tracking, then why is TOR wasting so much time and energy trying to mask them?

- If masking an IP address doesn't provide any extra privacy, why do some services like Google Captcha penalize shared IP addresses?

- If IP addresses don't matter for tracking, why are so many sites using IP bans at all?

The answer is that IP addresses do matter, they're just not the only thing that matters.

----

[0]: https://danshumway.com/blog/gamasutra-vulnerabilities/

Agreed -- they provide some tiny specific benefits for security (e.g. against Wi-Fi hacking if accessing a site over HTTP, rare these days) and privacy (no geolocating), but the Mozilla copy says:

> feel empowered, safe, and independent while being online

Huh? This is doing nothing to protect me from any of the common attacks. It's not wiping my cookies. It's not anonymizing my browser fingerprinting. It's not blocking analytics or tracking. It's certainly not protecting my credit card details or password from being hacked from a website's server.

Am I more "empowered"? "Safe"? "Independent"? What is this nonsense marketing fluff?

To market this as being able to control my privacy or stay safe online is just completely disingenuous. Mozilla should be ashamed for trying to imply such strong claims that are just false.

What an odd choice from Mozilla and Mullvad to segment this based on geography. Can you use it while traveling outside the US? Why not simply have a wait list? Mullvad already operates globally - what is the reason for the geofence? Is Mozilla not able to accept payment outside the US? (maybe not able to pay taxes?)
"For example, over 70% of early Beta-testers say that the VPN helps them feel empowered, safe, and independent while being online."

What have these "feelings" got to do with anything? This is a measure of successful marketing and has nothing to do with the product or its efficacy.

Personally I use Windscribe and I really like it (I've used PIA & Mullvad in the past). I use it for watching US Netflix and to make it slightly less easy to track me on the net (I know there are many other ways). I also like the idea of not having my IP or the gov't spy on me _as easily_.

People buy on emotions
What was the 500 startup guys phrase?

A product has to get you “Made, Paid or Laid“

Where Made was like a sense of positive promotion like a made-man in the mob I think.

Emotion is everything. If a product doesn’t make you feel good you’ll only buy it because you have to.

I think "feeling" safe is an important component of a product. Of course the product has to also be effective, but if it's effective and people still don't trust it, then they won't use it. A good example of a similar situation is in the US military where we had to do yearly chemical weapons training that involved putting on a gas mask in a room filled with tear gas. The gas masks were already proven to work, but one purpose of the training was to make sure people trusted their equipment to keep them safe, making it more likely for them to use it when needed.
This is marketing copy. Criticizing it for being marketing copy is surely a little redundant. Besides, feelings matter. If the majority of VPN users felt that the security provided by the VPN was not worth the effort involved in using then that would indicate a failed product. Ignore that at your peril.
Tech became toxic years ago. Instead of facts and data, feelings and diversity matter.
=== edit because I feel this comment is not substantive enough / engages with a strawman version of your comment ===

I understand you're talking about where those feelings come from -- ie, that the feelings are more useful information when backed by the reason for them. And you do provide some of that in your post (privacy, watching US Netflix). But those are things that any trustworthy VPN with US-based endpoints can provide, so they're not a unique selling point, which means your recommendation basically boils down to unsubstantiated feelings again, to which:

=== Original comment ===

I don't use a VPN and have no horse in this race, but surely you see the irony in:

> What have these "feelings" got to do with anything?

Followed by

> I use Windscribe and I really like it.

"unsubstantiated feelings" heh, that's a pretty ungenerous/rude way of putting it. Here's a better way: "Can you explain why you like Windscribe? You say you've used other providers, how is Windscribe different?" If you're not clear on something it's always best to ask for clarification before accusing the other party of fabrication or making "unsubstantiated" claims.

So why do I like Windscribe? Good question! I like the ease of use of windscribe clients compared to other VPN clients I've used, the fact that I can add many devices, and the fact that it has endpoints in lots of countries. I had trouble with both the PIA & Mullvad clients & configuration on my desktop and phone eventually. I don't require much, as you say VPN is a commodity product, I just want it to be easy to use & Windscribe is and they seem committed to adding features & fixing bugs. I also have met the team, they're local to me, and they seem trustworthy.

I'm not sure if you read TFA, but here's the context of what I highlighted:

> We started working with a small group of you and learned a lot. With the VPN in your hands, we confirmed some of our initial hypotheses and identified important priorities for the future. For example, over 70% of early Beta-testers say that the VPN helps them feel empowered, safe, and independent while being online.

"we confirmed some of our initial hypotheses and identified important priorities for the future ... Beta-testers say that the VPN helps them feel empowered, safe, and independent"

What type of initial hypotheses might have been confirmed by learning that people "feel empowered" by using a VPN? This is what I don't understand. Of course users motivated enough to try a beta VPN product like using VPNs–I'm not sure what insight that adds. Can you help me connect the dots here?

My feelings about a VPN provider based on personal experience is not beta testing that "proves" a product. Mozilla suggests here that these "feelings" prove "confirm their hypothesis" and put numbers next to the feelings, like 70%. I am questioning the relevancy of these numbers & it strikes me as pseudo-scientific to put these numbers in the intro as some sort of proof that their product has value. Throwing up meaningless numbers like this gives me the impression of smoke and mirrors/bullshit.

> "unsubstantiated feelings" heh, that's a pretty ungenerous/rude way of putting it.

Thank you for the feedback. It wasn't meant to be rude, but I see now how it can be interpreted that way (particularly with the unedited original comment below, which was intended to be... not rude, but let's say, harsher than I'm proud of, a few hours later). Text is hard -.-

Asking clarifying questions instead is a good suggestion. Your answers are good, too; if I'm ever in the vpn market, I'll put Windscribe on my shortlist to research more thoroughly.

> I'm not sure if you read TFA

I have not and do not currently intend to. I checked in with the comments because I was curious how it would be received. I replied to your comment because I was frustrated at what seemed to be hypocritical criticism. I still think your original comment is light on detail/justificatipn, so I'm happy my reply, however rude and imperfect, lead to your second comment, which is the type of thing I was hoping to find when I opened the thread :)

I would counter that how safe people feel, and to what extent they have an expectation of privacy online will determine their behavior. The technical effectiveness of the product is one thing, but how users perceive it will determine whether it offers them any real benefit. These things do matter.

Remember Foucault's panopticon: If someone merely thinks they might be surveilled their behavior will change in profound ways. More concretely, if you think the government may be spying on your browsing habits, maybe there are sites you won't visit or comments you won't post or videos you won't watch. It's important not only that the product works, but that people feel it works so that they can behave more freely on the internet.

Who is the target market for this in the markets it actually operates (US)?

The only people I know that uses VPNs do so to download torrents and evade DMCA notices. And in that case it only really works if the VPN provider is itself located outside of US jurisdiction and collects little to no information about you the user.

I am surprised at how much money exists in the VPN industry. Whenever I watch even a mildly-popular YouTube video, it always has an advertisement for the latest VPN provider. As far as I can tell, there is only one reason there is this much money in the field -- to subscribe to US-based video streaming services from outside the US. But they never ever say that that's the reason, they always say things like "work from home securely" or "avoid being tracked". But, of course, your IT department already has a secure VPN for working from home, and that Facebook cookie works regardless of what your IP address is. In general, the sell of "you can't trust your network provider, so pay for an additional network provider that doesn't keep logs and only accepts payment in Bitcoins," doesn't seem particularly strong to me. Of course you can't trust the network layer. Nobody trusts the network layer. That is why we have TLS. (Anyone remember "wired equivalent privacy" when WiFi was a cool and new thing? Turns out wires don't offer much privacy.)

So why people are buying this service confuses me.

I am also confused at why people can run these services so cheaply. I looked into doing it myself (I had some ideas for actual value add), and the economics didn't seem that good. There is a lot of software between "ifup wg0" and "collect money from people that want a VPN". It seems expensive to write all that, unless a "yolo" strategy of starting up openvpn and setting up a couple NAT rules actually scales. (At the very least, you need to be able to distribute keys to pre-built clients, and if you want to make it smooth, you are looking at writing your own Windows/Mac/Android/iOS clients. Then you need all the business management software on top of that -- didn't get the Bitcoins so delete their private key, etc.) It seems like quite a bit of work that is quite expensive.

But these things exist left and right and have huge advertising budgets. So obviously I am misunderstanding something.

I think you're right, a lot of VPN usage has to do with circumventing some tiered, segmented, bullshit content provider restrictions such as region or schedule or device type.

The fact that all these people are paying for a service plus VPN means the services are leaving money on the table. If they would simply offer what we want, when we want, where we want it, on the device we want, on a single service without a hassle, many consumer would be lined up for that.

They must massively oversubscribe their services, far beyond ISPs. The advertising probably brings in a lot of profitable users who aren't pushing tons of BitTorrent traffic as well. With the insanely high affiliate commission they're offering I can't think of another way.
The conspiratorial side of me says that they have alternate revenue streams as well. Why should only google get that sweet cash from a steady stream of user data?
1Tbyte for $1-$0.5, that gives you 30Gbyte per day. At $5 resale, there's some room for profits.

If I am not mistaken, that's 10 hours of video streaming in excellent quality per day.

The VPN providers are not paying per gb. They are paying for IP transit, probably in the range of 50c / mbps. They make money by oversubscribing, just like any ISP.
No, your premise is wrong, all major browsers have committed to removing third-party cookies, or have already done so. And after third-party cookies, your IP address is the next-easiest way to track you across sites.

that Facebook cookie works regardless of what your IP address is

Firefox has been blocking third-party cookies by known trackers, including Facebook, since last year [1]. Safari started blocking all third-party cookies (not just known trackers) in March [2], and Chrome committed in January to work towards removing third-party cookies [3].

And of course, all major browsers have provided the option to block third-party cookies since before IE6. I use this option, it rarely breaks things, and it's only getting rarer—and I don't use a VPN, so this would make me measurably harder to track across sites.

[1]: https://blog.mozilla.org/blog/2019/09/03/todays-firefox-bloc... [2]: https://webkit.org/blog/10218/full-third-party-cookie-blocki... [3]: https://blog.chromium.org/2020/01/building-more-private-web-...

Keep in mind that Chrome also sends a high-entropy identifier that is certainly sufficient to identify you in combination with an IP address, to every Google property, including DoubleClick, on every request (first or third party).
What is the main benefit of using a VPN?

I download music, movie, tv, etc files via torrent using my Canadian IP address and I have never seen anything more than an email from my ISP saying essentially "so and so company thinks you downloaded their material, don't do that ok?".

Is the general public so afraid of getting the odd email that paying $5/$10 month to make them disappear is a good deal for them?

Why wouldn't people just use TOR for free? It was extremely fast the last I checked.

tor begs you not to use their service for torrenting. it would also be a lot slower than a VPN

i use a VPN (to Montreal since it supports port forwarding) because i work from home and i don't want my IP that VPNs to work for a major company also being part of a torrent swarm.

I wish Mozilla would also offer a DNS-over-TLS service instead of just offloading it to Cloudflare or NextDNS.
When you connect to a VPN you advertise the fact that you are connected to a VPN to your local network, and hide your tunneled traffic. The tunneled traffic emerges elsewhere, with the extra encryption removed and proceeds as normal. Basically all a VPN provides is a mechanism to pretend that your butt is in a different seat. You hide your traffic from one network and expose it on another.

If you are on public wifi somewhere and are concerned about traffic that isn't otherwise encrypted (DNS comes to mind), or if your connection is in some way restricted (govt, shitty isp, etc), then a VPN can address these issues. But you have to keep in mind that your new network is similarly untrustworthy.

You might argue that by hiding behind your VPN provider, you are gaining anonymity. This might be true under the best circumstances, but this can _very_ easily break down. For example, the moment you load tracking_pixel.png then you are de-anonymized. That is saying nothing about the shady practices of the VPN providers themselves, or the governments that regulate them.

When people connect to a VPN, especially lay-people, there is this feeling that the VPN is providing security, and privacy. This is largely marketing BS designed to sell more subscriptions. When I connect to a VPN I might be able to obscure my activity from state actors, or avoid some coffee shops bogus DNS server. What I can't do with a VPN is avoid literally every other form of tracking. And of course if I connect to a VPN, then I should be ok with those same bad-actors knowing I am connecting to a VPN. And I should be OK with the VPN provider being able to monitor my unencrypted traffic. And I should be ok aggregating all of my encrypted traffic into one easy to watch place.

So what is a VPN providing the average consumer? If you want privacy install ad block software, https everywhere, enable DoH, don't log into social media sites, and clear your browser's cache frequently. If you want to avoid a state actor, then your best hope is probably something like Tor Browser.

If it’s terminating at a host you don’t control it ain’t private.
Why the hell would anyone trust mozilla.org while they work tirelessly to make money?

Google, who are unapologetically pro-money, at least listened to feedback about DoH.

Downvote without a response. Seriously - where does this magical trust come from, when we've seen Mozilla do what's against the interests of normal people in favor of doing what they can do to make money or to push traffic towards people who make money?
> Why the hell would anyone trust mozilla.org while they work tirelessly to make money?

In what fantasy world do you live where hosting services and building products costs zero dollars? Not sure how Mozilla could operate at all without making money.

Every time someone mentions a VPN provider in my techie social circles, the "A VPN doesn't protect you" crowd piles in, usually with links to something like: https://gist.github.com/joepie91/5a9909939e6ce7d09e29

I don't understand this argument, but would like to.

I run https://everytwoyears.org, a political non-profit focused on ending the warrantless metadata collection of U.S. citizens' communications. From everything I know about these programs, they are _explicitly_ not collecting content of communications. These programs only collect the metadata about a communication. As citizens, we don't get to have a clear definition of "metadata" (that is classified!) but we can assume anything that isn't the message itself is at risk of being considered metadata, especially if it was shared with a service provider in the normal course of conducting business (i.e. routing a request).

For HTTP requests, I assume the body of the request would require a warrant before it can be persisted on a government server. The HTTP headers, if unencrypted, _might_ be considered metadata but I would be surprised. The IPV4 headers are more than likely metadata. DNS queries are more than likely metadata.

If you are trying to avoid _active_ surveillance, where your government has a warrant, a VPN isn't going to help you. If you are trying to avoid _active_ surveillance where your adversary doesn't need/want a warrant to search you, a VPN isn't going to help you. But if you are trying to avoid having your internet activity ending up, de-anonymized, in a metadata database that your government does bulk analysis on, a VPN does seem like it would help. It seems like it would help a lot.

I think you are correct that VPNs are a sort of half-solution.

There are a lot of people that think anything less than 100% isn't worth your time, so they suggest TOR - but TOR has all sorts of annoying limitations that preclude daily usage. Absolute solutions are seldom worth the 10x extra effort they frequently require.

Another set of half-solutions can be seen here which will make you more secure...

https://www.cloudflare.com/ssl/encrypted-sni/

ESNI, DoH, DNSSEC, and TLS1.3 are fairly easy to setup - and worth your time .

Using Firefox with uBlock Origin & PrivacyBadger plus the above gets me to a good enough place.

Illegal stuff on the other hand -> TOR.

The problem with doing illegal stuff with only half-protections is that the authorities don't need to use the metadata to prove your guilt. After they raid your house they'll have all the parallel construction they need to make it stick. ...then again if you're just buying personal use amounts of drugs - no one at the FBI cares.

I think you cut right to the core of where I get lost in the VPN argument.

Tunneling (even through TOR) isn't sufficient if you have someone well funded, highly skilled, and very motivated to watch you. I would posit that purely technical solutions will never solve human problems. Perfect, unbreakable, encryption can be trivially passed with a set of cleverly placed jumper cables.

The key, in my opinion, is trying to align technology with the laws that (mostly) already successfully protect us from jumper cable wielding adversaries.

From my understanding, The U.S. government interprets "metadata" as having no societal expectation of privacy and therefor they don't need a warrant to collect it. These questionable metadata collection programs seem like they can be effectively thwarted through half measures, like E2E encryption of the metadata (use HTTPS and DNS over HTTPS), obfuscation of the metadata through tunneling (use VPNs), etc.

Some metadata I don't have a good answer for, like location data when my cellphone pings the local towers. I can chose to share my location data w/ the tower so it can route calls to me, and submit to that possibly ending up in a government database, or I can keep my phone from talking to the cell tower being unable to send/receive calls. I don't see a half measure...

Do you have a good write up on how to get all that setup by any chance? Also, any body has a comparison of Brave vs Firefox when it comes to privacy?
https://www.androidpolice.com/2020/06/07/brave-browser-caugh...

I was using Brave until this story came out and switched over to Vivaldi for the stuff that absolutely demands the Blink engine.

Point one, if they _repeatedly_ continue to do this kind of thing, what kind of stuff are they also getting away with? Or what's the next big surprise around the corner?

The second point is I really no prefer Vivaldi as things like sync work (it's been broken for a long time in Brave) and there's more exposed in the prefs for techie types who like to tinker with that kind of thing.

Firefox continues to be the every day browser and it keeps getting better as time goes on (another +1 for take my money for email, calendar, file storage, etc.).

So you were okay with the Binance widget but not the referral code?
Not OK with any of that crap which is why Firefox + uMatrix is the daily driver.
Encrypted SNI is a solution in search of a problem.

Unencryptable metadata (destination IP) makes it pretty worthless. Even on shared services like Cloudflare, things that are of interest for collection are probably paying enough that they get stuck on dedicated IPs. The 4chans of the world that might not be paying still make sense from a provider perspective to move to isolated IPs for DDoS mitigation.

Censoring proxies actually look at SNI to deconflict shared IPs where pornsite.com and travelblog.com are on the same Cloudflare IP, and will just revert to blocking the destination by default.

(I'm picking on Cloudflare here specifically because they are pushing it - but this applies to MaxCDN, Akamai, etc just as much)

> and will just revert to blocking the destination by default

Good. That's way better than being able to tell which site you were trying to go to. It's more expensive for the misbehaving network operators as well; block some popular sites just because they share an IP address with something you want to censor and people are bound to complain, even if they couldn't care less about the censored sites.

And what happens when the IP address returned by Cloudflare is a random draw from one of several million addresses?
I doubt it, unless you run the VPN. Governments have the same ability to leverage things like trackers, etc.

A public VPN service is good for localized privacy. Even a cheap Ubiquity setup will be able to tell about your habits. It's probably good enough to avoid the attention of a civil or informal inquiry (DMCA, employer, etc).

> Governments have the same ability to leverage things like trackers

It's not clear to me whether the methods trackers use to de-anonymize you are considered "content" or "metadata", and whether the U.S. government would need a warrant to access tracker information.

Do you have thoughts?

You can buy the data on the market without a warrant.

VPNs seems like a really obvious bypass of controls and surveillance capability. I’m sure the folks at NSA, et al thought of it too.

They can think of it, sure. But when you read their testimonies, and read the summaries of leaked documents, you can see they are attempting to be law abiding even if they _really_ stretch to interpret the law.

Just because they know its a way to thwart their system doesn't mean they have another "legal" way to collect the same data.

Yeah I've heard this one before.

I use Mullvad, paid using BTC that came straight from a tumbler. I don't use it for any nefarious reasons, just wanted to see how such a setup would work. It was surprisingly painless. I think it took 15 minutes in total from moving my btc to the tumbler and having the tumbler move the btc to my Mullvad account.

Am I 100% secure? No, they know what IP I'm connecting from. Is my name attached to the VPN? No, not even close. I suppose if I wanted to further improve my security I wouldn't use my own home network, but public wifi's nearby.

But again, I didn't do it to stay "safe" or anonymous. Just wanted to see how the process would actually be.

> I use Mullvad, paid using BTC that came straight from a tumbler. I don't use it for any nefarious reasons, just wanted to see how such a setup would work.

> But again, I didn't do it to stay "safe" or anonymous.

I sincerely hope that you're trying to stay safe if you're admitting to money laundering on a public forum.

Tumbling coins has nothing to do with money laundering, it's just a way to anonymize them....
Tumbling coins has everything to do with money laundering. Of course, the source of the funds isn’t necessarily illicit.
Money laundering is turning dirty money into clean, that appears legitimate, taxable etc. If the source isn't illicit, it isn't laundering because there's nothing to clean.

Tumbling coins is just obscuring their origin.

The two don't inherently have anything to do with each other.

Even if you tumble "dirty" coins, you've got to explain to the IRS the source of income behind the new coins. Tumbling, in and of itself, doesn't achieve that.

Bitcoins may get a pass because they aren't technically "money", but in general any business that transfers money on behalf of another entity without knowing exactly who both the sender and recipient are—and registering as a money transmission business, a very expensive process—will be considered to be involved in money laundering. Even if the money is provably "clean" to begin with. A company that implemented anything like a "tumbler" for USD would most certainly run afoul of anti-money-laundering regulations.

It's not right, but that's the way the rules are written.

Like cyberpunk said. It's not money laundering, it's a way of anonymising the bitcoins.
He's actually technically correct, as that is the very definition of money laundering. The difference is (assumedly) the money he's laundering wasn't obtained via illegal means.
A VPN is just a tunnel from one point to another. You'd have to establish why the remote end is more trustworthy than the local end. Being located in a hostile jurisdiction may be somewhat protective, but it would also seem likely that compromising foreign VPN services is within the NSA's wheelhouse.
If nothing else, it significantly reduces the entropy of your IP when websites are fingerprinting you, especially if your ISP assigns you a static IP.

Even if you don't have a static IP, I suspect the entropy of your /24 (IPv4) is also a lot smaller when over VPN.

Do you understand the words you're using?
I thought I did? The condescending attitude is unnecessary. Happy to clarify my point if my initial comment was confusing:

Websites such as http://panopticlick.eff.org/ showcase how fingerprinting works. They tell you how many bits of information they can extract from various datapoints they get out of you when visiting their site, such as User-Agent.

Panopticlick does not use your IP address as a datapoint, but actual trackers most likely do. If not your IP directly, then a prefix thereof (such as your /24), to account for ISPs w/ dynamic IP allocation.

If you have a static IP, there's a lot of bits of entropy in it, i.e. it's great for fingerprinting. It's basically sufficient, by itself, to uniquely identify your home. The handful of devices in your home can then likely be distinguished by the User-Agent.

If you're part of your ISP's small dynamic IP pool (e.g. a /24), there's probably still a lot of entropy in there. How many people in your neighborhood are also on Linux and have the same set of fonts installed? Probably just you.

Your VPN's dynamic IP subnets, OTOH, can be a lot larger, and the members of the pool are not geographically close to one another, so there's probably a lot less fingerprinting entropy in your IP in that case.

I think the negative reaction to your earlier comment comes from your mis-use of the term entropy. A static ip, for purposes of tracking you as an individual, has very, very little entropy (in fact, none) . High entropy would be a dynamic IP that is refreshed from a large pool very often.

Additionally, very few ISPs assign static IPs anymore, not unless you pay 5x the price for a business account. Trackers, by and large, don't really pay much attention to IP, since much more reliable metrics have been implemented. Sure, it probably is used to a small extent, but there are much more effective steps that can be taken.

https://en.wikipedia.org/wiki/Entropy_%28computing%29?wprov=...

VPN users get IPs from a small pool, so little entropy. The larger pool you select IP from, the more unique is your IP.
Unless I set up my own VPN I'll share a VPN server and IP with other people. That makes my traffic inherently more anonymous once it has left the VPN server, since you can't correlate traffic to a single person anymore. So even if traffic in the data center is analyzed, that's better than my ISP analyzing traffic.

Thus we only have to establish that the VPN provider is at least as trustworthy as my ISP. That's a pretty low bar to clear in many places. I have no doubt some VPNs are operated by nefarious actors (no better way to collect high quality data), but I don't think that's a concern with Mozilla.

You should expect that the government can compel a VPN provider to correlate traffic to subscriber information exactly the same way it does with a residential ISP.
Sure, but the set of governments that can compel my ISP might be different from the set of governments that can compel my VPN. I don't care about all governments equally, and my own government has a disproportional impact on me compared to most other governments.
If they have a warrant a VPN isn't going to protect you. If you think you are under active surveillance, you want more than a VPN.

Write-ups of the 2013 leaks revealed they did not compel ISPs to correlate traffic to subscriber information. It doesn't seem like they had any subscriber information in their database, only enough metadata about the communications to later compel a ISP to provide the subscriber information _postmortem_ (i.e. who did this cellphone number belong to on this date?).

ISPs weren't even compelled to share that metadata. It was a voluntary program. Some ISPs said no. Others said yes and then later backed out. In the end something like 80% of the traffic the NSA was after was able to be collected through the ISPs that voluntarily shared their data.

But, again, this was 2013. 2013 was forever ago, things may have changed.

> I'll share a VPN server and IP with other people.

Yes, now the NSA have a single point where data can be collected that would be much more interesting than at your ISP.

Agreed.

I think the key for me is that, at least under the original Presidential Surveillance Program, the providers that participated were not compelled to share their user's metadata. They shared it willingly, regularly, and in bulk. There is reference to a service provider backing out of this agreement a few years later, telling the NSA they would feel more comfortable sharing the data if it were compelled.

It's not clear if this has changed since 2013. But assuming Mozilla, or Mullvad, isn't compelled to share _all of their data_ it seems unlikely that they would willingly give that up to a government surveillance program.

I think ISPs have demonstrated they aren't trustworthy. For most people in the U.S., it seems, finding someone more trustworthy than their ISP is literally anyone who isn't admitting that they collect and share their private data. I would be surprised if Mozilla doesn't clear this bar.

Even if you trust your ISP, and it's not required to keep logs due to local laws, a VPN is often a good idea anyway. Geolocation from IP address can be scarily accurate - mine identifies me to within a mile radius of where I live.
> compromising foreign VPN services is within the NSA's wheelhouse

This is the explicit danger of VPN providers. Even if the provider is not complicit (which I believe applies to the likes of Mozilla), it still creates a centralized aggregation site for collection.

I'm not even sure a US-based VPN provider is safe. GCHQ just conducts the interception and would share the data with NSA. At that point, you are at the mercy of the NSAs locators being good enough to flag your tunneled traffic as "reasonably a US person" so it gets excluded.

> I'm not even sure a US-based VPN provider is safe.

Oh, I am sure that it is not safe, thanks to the PATRIOT Act. Even if they were not storing any metadata, VPN providers can be compelled to 1) share all data about their subscribers, which will include you, then 2) silently wiretap and decrypt everything. US courts will rubber-stamp, as they've consistently done in the past, and "that's all, folks".

Sadly it's not like you'll be much safer elsewhere: as soon as you step outside of the US, one of the strongest cybersec agencies on the planet (NSA) will have free reign on your traffic. But you can resist the legal attack (in some countries) and at least try to make it challenging on a technical level.

I hope Mozilla want to bring some innovation to the table that will make VPNs somehow more resistant to legal attack (not just in the US) but I doubt it.

That would still create protections for people outside the US but with US-friendly administrations. Using a VPN in less US-friendly nation could increase protection. Is it safe? Probably not. Is it safer? Most likely.
Again, from what I understand, this would be active surveillance targeting an individual and the bulk data would not be collected (even if technically feasible given the mechanism for collecting the individual's data).

From write-ups of the 2013 leaks, we saw references to violations of the legal theory used to justify the Presidential Surveillance Program. One of those violations was them unintentionally collecting the wrong data, due to how the ISP was bundling packets or something like that, which constituted a warrantless search, and they supposedly took that very seriously because it jeopardized the whole program.

My take on the surveillance program is that they try very hard to be law abiding, even if they have to stretch what the law means to justify the program. If you are worried they have a warrant for your communication, a VPN isn't going to help you. If they don't have a warrant, they will avoid U.S. citizen's content like the plague for fear of compromising the whole program.

Might reduce chances of prosecution if they’d have to reveal the compromised a particular VPN to convict.
This is very totally legit that public VPN services are complete trash. Online anonymity is very hard. However, you can still create your own VPN server on cloud providers for at least have some privacy while you are on an untrusted network.

Because of this reason, I created zudvpn.com - It is a free and open-source mobile application that's used to deploy a private VPN server on major Cloud Providers!

Github repo: https://github.com/zudvpn/ZudVPN

Why would a VPS server be any more secure than a VPN provider? They have the same ability to view outgoing traffic and can very easily log the source ip address.
http://zudvpn.com does not provide complete anonymity. The idea is that you control your own server and you make sure that nobody is logging your every move. Even though public VPNs claim that they don't log, you should not blindly trust them.

Check GH repo to see how https://ZudVPN.com generates SSH key on your phone and locks the VPN server with the key that is only available for you.

Most people use a VPN because it lets them have a different geolocation (to watch Netflix in a different country, access thepiratebay, etc.)

If you do use a VPN to mask your traffic, there are two questions to ask yourself:

1. who are you masking your traffic from?

2. can you trust the VPN network more?

In general, you cannot trust a VPN network more, and HTTPS is the solution as it provides end-to-end encryption with some important caveats (web PKI)

Running your own VPN is not a good solution either, because who owns the servers where your VPN is running?

HTTPS protects content. Content requires a warrant in the united states.

The bulk metadata programs, as far as we know, only collect metadata. Which two IP addresses communicated, the routes they took, the size of the payloads, etc. are all "metadata".

HTTPS, AFAIK, does not solve this.

Using a VPN adds indirection but can give you a sense of false security as well.

Metadata is obviously the least important data to analyze, but for example a VPN does not hide the size of payloads. TLS 1.3 do addresses that and let's you randomly pad messages but I don't think anybody use that.

You can use HTTPS with a VPN. With HSTS and certificate transparency, a modern browser will not let you get compromised by a HTTPS MITM.

I also trust many VPN providers more than my ISP, which actively engages in MITM like compressing images to be a lower resolution on HTTP pages on 4G networks.

There’s a lot of gross stuff that your ISPs (which includes your mobile phone provider) do to further monetize your relationship with them, and having a VPN can negate that.

ISPs can observe your DNS lookups to their servers and assemble a profile on you based on the domain names you look up, and put you into a series of audiences that marketers can then use (for a fee) for ad targeting.

ISPs can also observer your DNS lookups to Google’s or anyone else’s public DNS servers.

ISPs can snoop on your unencrypted traffic, proxy it, and inject headers into HTTP responses to facilitate (you guessed it) the creation and sale of audience data to advertisers.

ISPs can transcode (and downsample) multimedia content to decongest their pipes or airwaves.

If you are a spy or a member of a disfavored political group, you should almost appreciate the scummy practices of ISPs, as it drives a bunch of non-spies and people not associated with disfavored political groups to adopt privacy-enhancing technologies.

If I worked at the NSA or CIA or FSB or Mossad or wherever, I would highly encourage lawmakers to enact laws to protect consumer privacy in order to drastically reduce the perceived need for people not in the above groups (et alia) to adopt VPNs and other technologies; there would be fewer “boring” people using such technologies, giving the needles a lot less haystack to get lost in.

> ISPs can also observer your DNS lookups to Google’s or anyone else’s public DNS servers.

edw, could you elaborate on that, please? I thought changing to public DNS servers like OpenDNS provides some security from ISP tracking.

Traffic between you and the public DNS servers isn't encrypted, so your ISP can still read it.

(I suppose this is one of the problems that DNS-over-HTTPS is designed to fix.)

Thank you for the answer, stuuuuuuuuu! I'll look into it.

...

DNS-over-HTTPS can be enabled in Firefox via Network settings, turns out.

In addition to the lack of encryption mentioned, some ISPs transparently intercept DNS requests and reply to them with their own.

Test your own ISP: try something like

nslookup news.ycombinator.com 1.2.3.4

If you get a response, your ISP is gaslighting you.

Some ISPs even tried to replace NXDOMAIN replies with their own "services". That was particularly popular in the last decade, though I haven't seen any recently.
Good thing we don't willingly give that data to anyone.
A VPN can negate that but now you're putting your trust in the VPN company's hand.
I'm not qualified to analyze the technical details but I have some more practical grievances with VPNs. I paid for ExpressVPN for 1yr on going and found it disappointing despite being advertised as the expensive but good option.

First, geo blocking often catches it or provider has moved to other means to verify address. I don't use Netflix but for certain streaming sites in Japan that I use and BBC express does nothing.

Second, it doesn't get pass GFW whereas shadowsocks based solution does.

Overall it seems the only benefits are getting better speed sometimes and theoretical privacy benefits.

If you assume VPNs don't keep logs forever, then a VPN is very strong protection. Seems like all the anti VPN arguments are predicated on the VPN keeping exhaustive logs of every request. Given the volume of data and the incentives of businesses, i feel like thats probably not true for many VPNs. I generally believe them when they say they don't log, because its just more $$$ on storage that provide 0 value to the company unless they are required by law.
They are explicitly collecting both the metadata and the content of all communications they are able to. They have burned their own when someone raises a complaint about their methods or dares to introduce crypto that respects constitutionality(https://en.wikipedia.org/wiki/Thomas_Andrews_Drake).
I'm not able to see anything here that references the content being collected. Maybe I'm not looking closely enough?
A VPN is a crappy hack around a bigger problem.

Protocols are not designed for what we use them for, and buggy legacy applications that won't change their protocols or implement them correctly. The more people use VPNs, the more the problem gets buried behind a wall of abstraction. The proliferation of VPNs is really the burying of a problem, not the solution.

I don't care about being tracked, because I live my life in the open. I'm not a vulnerable minority, so I don't fear for my safety. I don't care what a random corporation (or anyone, really) knows about me. You could log into every digital account I have, and the only thing I'd be worried about you finding is an active session to my bank's website if I was still logged in at the time. I don't care if my ISP "monetizes me".

I also know how to browse the web as securely as possible, and that there are plenty of ways I can be hacked regardless of my network connection. The biggest risk I face is not from a VPN, but from my local network: if my internet modem or router gets compromised (either remotely or through my machine), I'm subject to local attacks a VPN won't protect me from. And if the government wants to hack me, they'll just guess what websites I'm viewing (either by conventional means or statistical traffic analysis), hack the server, and drop a payload through a browser 0-day.

I could see using a VPN if I was an activist, or of a class of citizen that's oppressed by my society or government. But even then, they'd figure out I was using a VPN, and realize I'm hiding something. So you could argue everyone should be on a VPN to make this less noticeable.

But then we go back to the beginning: we're not solving the root problem.

I'm a fan of James Mickens' "Mossad or Not-Mossad" internet threat models ~essay: https://www.usenix.org/system/files/1401_08-12_mickens.pdf
Despite his somewhat annoying style, that article has many good points about the aloofness of security researchers. However, I will disagree on two points which the article contains:

1. Tor is (rightly) used by anyone who has a good reason for remaining anonymous. (See [REALNAMES] for who this can be.) Anyone trying to smear Tor as only used by drug dealers and other unsavory types are themselves suspect of having an agenda of discouraging Tor use for anyone lest they be suspected. This can only lead to an installation of Tor being viewed as a suspicious thing in itself; who would want that?

2. His threat model of Mossad or not-Mossad leaves out one important actor, which we can call the NSA. They, and others like them, unlike Mossad, are not after you personally in that they don't want to do anything to you. Not immediately. Not now. They simply want to get to know you better. They are gathering information. All the information. What you do, what you buy, how you vote, what you think. And they want to do this to everybody, all the time. This might or not bite you in the future. He seems to imply that since nothing immediately bad is happening by using slightly bad security, then it’s OK and we shouldn’t worry about it, since Mossad is not after us. I think that we should have a slightly longer view of what allowing NSA (et al.) to know everything about everybody would mean, and who NSA could some day give this information to, and what those people could do with the information. You have to think a few steps ahead to realize the danger.

[REALNAMES] Who is harmed by a "Real Names" policy? https://geekfeminism.wikia.org/wiki/Who_is_harmed_by_a_%22Re...

Browser fingerprinting means you can more or less be identified regardless of your IP address. Since tracking is more or less tied to the browser should you not use the VPN in some instance the browser fingerprint remains the same. So all the Facebook/Google tracking will be able to determine who you are after you change your IP.
Yup. But it isn't clear to me whether that tracking information would be considered "content" (and require a warrant) or "metadata" and be subject to mass warrantless data collection.

Do you have thoughts?

I don't know. Probably better to ask a lawyer something like this.
Please take notes from Mullvad and give some basic transparency about the data centers and whether the servers are rented or owned and etc. Stuff like that goes a long way for people who are genuinely serious about privacy.
I won't be switching to this. I've been paying €4.99 monthly for Blokada VPN on Android. It's pretty reliable and offers ad blocking as well. Also supports up to 5 devices.
Nice, witch shady Marketing-Firm are you working for?

Any point's for 'Blokada' being more trustworthy than AT&T ;)