The general rule is that if someone offers you security but does not charge you for it, they are most likely to compromise your privacy at some point and it usually happens when you need protection the most. That's the case with https. I personally think it's never a good idea to rely solely on pre-built security protocols instead of spending a buck or two on a vpn.
I have to choose my ISP out of the ~10 that serve my house (this might be just one or two if I lived in the USA), and price and speed are also large factors in the choice. I can choose a VPN from hundreds, even after I've filtered by acceptable prices and speeds - in other words because they actually compete on privacy.
ISPs are regulated, and operate in the country I live in. They know my real identity, bill me regularly, and have (IMHO) a pretty strong incentive to violate my privacy -- either for commercial purposes, or by law. VPNs are not necessarily in my jurisdiction, exist in a highly competitive space, and live or die by their reputation for privacy. You can buy, e.g., time on Mullvad by mailing cash in the post -- or via a whole string of privacy-preserving altcoins. It doesn't get more anonymous than that.
Fair enough, that rationale actually makes sense in the context of that sort of VPN. The sorts of VPNs I don't trust are those like Nord VPN or one of the others with huge advertising budgets.
But by the time they die, they've already compromised you. And even the strongest claims of privacy have been shown time and again to be outright lies.
> It doesn't get more anonymous than that.
Yes, it does. TOR. Those VPNs? They've got your source IP, which as people are enjoying pointing out is almost as good as an identity. Not much anonymity there.
>if someone offers you security but does not charge you for it, they are most likely to compromise your privacy at some point and it usually happens when you need protection the most
I don't get this, could you give an example of where this happens?
Well, don't buy from a VPN provider that is suspiciously cheap.
If a no-name company starts selling suspiciously cheap smartphones, the odds of those smartphones being backdoored/stolen/broken goes up pretty dramatically. That doesn't mean that every company selling smartphones is equally untrustworthy.
Of course it's a problem how hard it is to tell if a VPN company is trustworthy, but that's a problem that exists for almost every 3rd-party relationship I enter into.
I wouldn't believe any corporation who says this. A profile of a self-identified private person's traffic is likely worth a lot more than what a niche audience will pay for privacy.
VPNs have a history of lying about their business models, about how private their service really is. International contract enforcement won't exactly leave you with a lot of leverage if (pragmatically, when) they lie to you.
And merely being international certainly won't stop a state level actor who is intent on gaining access to your traffic.
Something I seldom see listed here is simply the possibility of splitting the profile:
- My ISP knows all my normal internet traffic, and all the caveats that apply (HTTPS, SNI, IPs, etc)
- My VPN knows a much smaller subset of traffic used for a different purpose. Also, do this in a VM, or on a separate computer, or otherwise somehow containerize your cookies and browser and things. (no, I still don't think people are correlating between profiles using webgl in any large-scale way. If they were, I'd be getting fewer CAPTCHAs.)
Yes, the VPN could presumably violate their privacy statements and sell your information, but that still avoids the primary concern: an ad domain that lives on the two websites you'd like to visit (ie, the normal vs the private site) With a new IP, and a different host (VM, physical computer, etc) there's nothing to correlate. The website in question doesn't know it's you -- only the VPN does. And it doesn't seem likely they're going to sell your information in such a way that the website can figure out which cookie to correlate with which identity.
So, the primary tracking method of the internet should be defeated in this way.
IP tracking is pretty old-school, and unless you're perfectly scrupulous about your split profiles locally, there's probably a well known bridge between these profiles.
And if IP obfuscation is that important, you'll likely be using TOR, not a VPN (which have proven to be a nearly transparent shield).
>there's probably a well known bridge between these profiles.
That's my plan -- that there is no bridge between the profiles. I'll admit, the likelihood that I'm doing this perfectly is definitely not 100%. But I'll bet it covers most cases.
You don't really always need a VPN to bypass SNI based censorship since most implementations give-up on reading SNI when the ClientHello TCP segment is split over two IP packets [0] (apologies John Nagle [1]). Besides, there are various tricks just at the TCP-level that could be employed to bypass SNI related attacks [2] (though, a pretty competent firewall/censor would remain unaffected, which is where ESNI comes in).
Re: DNS-layer security: It is really not that hard to bypass it and if folks are subject to phishing via IDN homographic attacks (ex: https://www.xn--80ak6aa92e.com/) or typo-squatting attacks (ex: googel.com) then it is time for Firefox to up its game and improve upon DoH to tackle those, as well. Extensions are helpful too, but how many people care enough to remember and install those [3]?
Between HSTS (or https-everywhere [4]), DoH (thanks Mozilla!), ESNI (thanks Mozilla!), and domain-fronting [5] (thanks CDNs!) we've got a pretty good VPN-free future to look forward to in terms of anti-censorship which is what most users use it for (sure, if you care enough to not leak your IP address, discounting the fact that device / browser fingerprinting is a thing, then VPN helps, but by how much? [6]).
The VPN industry does a lot of "scareware" marketing, I feel, and ESNI is a potential existential threat to them. Time will tell.
IP addresses matter for tracking. If they didn't, then Tor wouldn't exist. Of course a VPN is strictly worse than Tor, but it's often strictly better than a straight connection from your ISP.
Knowing my IP address would get you within 5 miles of my house on most geo lookups, and that's information I'm transmitting to literally every single website that I visit.
> discounting the fact that device / browser fingerprinting is a thing
Device fingerprinting is something I can (to some extent) control locally on a site-by-site basis. I can disable Javascript, I can use containers, I can (to some extent) inspect what data websites can transmit. I can't control what a website does with my IP address, and I can't see how they store it or transmit it.
Again, to the privacy fatalists who think that protecting against fingerprinting is impossible: why is Tor wasting its time with features like letterboxing? Why is anyone in the advertising industry getting worked up about 3rd-party cookie blocking if that doesn't matter? Do you think that Mozilla/Apple are wasting their time by trying to harden the browser interface?
----
I'm kind of done arguing with people about this, so my position has evolved. My new advice is that if you think that moving trust is a fundamentally broken, universally bad idea, then you don't have to move trust. Don't buy a VPN. But in that case, you should still be thinking about setting up your own VPN on a remote server. That will give you most of the same privacy benefits. It won't make it harder to build up profiles on you, but it'll still mask your physical location, it'll still give you some level of disassociation between your physical identity and your online identity. In the US, it'll still mean that you're moving trust away from known hostile entities (ISPs and routers). It won't protect you from the FBI, but the point of a VPN is not to protect you from the FBI.
And honestly, deploying your own VPN on a remote server is simpler than trying to figure out whether or not DoH security is good enough to rely on yet (it's not, Firefox falls back on regular DNS when DoH fails), and whether or not ESNI is being widely used on most domains (it's not). Especially now that Wireguard has really come into its own and simplified this process, learning one thing is easier than trying to keep up to date with a dozen half-implemented security features.
Anyone who doesn't have the technical chops to deploy a Wireguard server on Linode also probably doesn't have the technical chops to talk about ESNI and DoH. Because Troy is completely right -- as nice as those technologies are, they aren't widely deployed enough or correctly deployed often enough to rely on as more than a defense in depth.
I don't necessarily disagree with your points. In fact, I am in agreement [0].
My observation is that most VPN users use it for anti-censorship. And as for the points Tory raised (VPNs as a security measure against phishing et al), most of them are better mitigated on-the-client like how Tor works so hard to mitigate browser fingerprinting on-the-client as well, for example.
Of course, I never touched upon anti-surveillance, and if that's your threat-model, VPN is absolutely a necessity amongst a myriad of other things [1].
I think "most VPN users use it for anti-censorship" is an unfounded opinion. Going strictly by people I know and the marketing materials from. VPN providers, most commercial VPN users use it for piracy.
It's hard to lend any more credibility to Troy Hunt's blog post than your typical YouTube shill. The eyes are still rolling. I understand Troy's reasoning is sound, but NordVPN is _still_ the same entity who markets widely on social media platforms, mainly using strategies that include spreading FUD.
Yes it's technically safer, no you probably don't need one, yes the advertising is largely misleading/fearmongering, and yes these VPN providers would love if it became common "knowledge" that all Internet users should pay a VPN-tax on top of their ISP bill to stay safe online.
Either they're saying reduced ad targeting has lowered "unwanted" purchases or they're saying that they've safely pirated software, media, book, etc. without incurred.
Now, I don't know what the expected cost of torrenting an HBO show is but I guess the parent commenter might think it's relatively high.
This is silly. But let's take it seriously for a moment, and talk about threat models, the ones that Troy Hunt has brought up specifically.
1) Threat: Unencrypted Traffic
An international VPN doesn't solve this. If the traffic is not requested over HTTPS, it will be equally unencrypted once it exits the VPN tunnel. At which point your traffic is not only vulnerable to the VPN and the VPN's ISP, it's vulnerable to the various national firewalls and interconnects your traffic is traveling over that it wouldn't normally.
2) Threat: Phishing
Troy Hunt's Nord VPN only prevents this because the VPN is intercepting and changing DNS requests. It won't help with DNS over HTTPS, as an aside.
3) Threat: Privacy
As pointed out in 1 and 2, using the VPN doesn't increase your privacy; it actually decreases it. All a standard VPN does is change your source IP.
A couple of other threat models:
4) Rogue ISP
Now, if your ISP is truly rogue, a VPN might help lessen some of the problems, but no more than conscious awareness while browsing the web will. If it's not a secure page, it's not a secure page, whether it's been served over a VPN or the most hostile ISP known to man.
5) Government Wiretapping
A VPN, even an international VPN, will never stop a state level actor if they really want your traffic. International agreements (such as 5 eyes) exist to make these kinds of requests easy.
IMO, the only real use of a VPN is to bypass IP based region checks. But since VPN endpoints can be detected, that kind of fix is a cat and mouse fight at best.
There are three legitimate use cases for a VPN of some sort, one of which is well solved by using a browser extension like https everywhere and enabling dns over https in a modern browser.
1. Coffee shop WiFi: if an adversary ARP poisons your WiFi hotspot (or is the coffee shop owner), and you are browsing http websites, you can get owned pretty easily. This can be solved through things other than a VPN (see above).
2. Bypassing region locks
3. Piracy. If you live in a region where your ISP will snitch on you, using a VPN gives you some safety from that, especially if your VPN provider knows little about who you are, and couldn’t really snitch on you if it tried (see Mullvad paid in cash for instance). Most VPN providers will just throw out copyright infringement notices.
I thought a lot of people use VPNs specifically to avoid DMCA requests? From what I understand, it works extremely well in those cases and I imagine that most VPN use-cases stem from region check bypassing and DMCA request avoidance (but I could be wrong).
In all seriousness, what would be the best way of increasing both anonymity and privacy online? Not from nation-states, but hackers/data breaches/ad-tech/local law enforcement?
It's an interesting but frustrating topic. It seems like every potential solution has some major caveat that someone will invariably point out as making the solution useless.
For example, I am wanting to export all of my data from my social media (texts, posts, location data from Google, etc) for posterity and then delete the accounts. But I also want to keep it safe and secure. So I use VeraCrypt containers. But then what if my Kinesis keyboard has some firmware embedded reading my passwords? Now I'm screwed. And if I backup online with Backblaze, and use their E2E encryption but one day they change their software so that it records the password when typing it in. It almost feels helpless.
> It seems like every potential solution has some major caveat that someone will invariably point out as making the solution useless.
You have to come up with a threat model. You have to decide what threats are the most important to you.
I'd group them into three domains, based on the amount of effort involved in mitigating the threat. From the most work to the least: Threats you absolutely and utterly must avoid at any cost and effort. Threats you want to avoid, but you're not willing to the extent of fighting a state-level actor. Threats where it would be nice to have them mitigated, but it's not worth exceptional effort or cost.
For your backblaze (BB) example, your threat is "BB's client can't be trusted" and the sanctity of the data falls in bucket two.
To mitigate your distrust of BB's client, you'd want to make sure it never sees unencrypted data. And so, you'd do something like encrypt the data with your own key, and then send it to BB. You'd want to use a second computer (or a dual boot system) to ensure that the OS which hosts BB's client is not running when the encryption is happening, and share the resulting encrypted binary files with the computer that will do the upload.
The keyboard on the encrypting computer could still be a threat, but that's getting into the "state-level actor" levels of effort to counter.
I run my own WireGuard VPN on AWS Lightsail simply because [a] I don't want my local ISP knowing my browsing habits, and [b] using a clean, consistent US IP address is suitable for my work and other accounts.
I also use DoH via NextDNS, which is tunneled through the VPN as well for backwards compatibility.
The above setup keeps me secure and covers 99.9% of my use cases. If for some reason I need actual anonymity (which is the rare 0.1%) I'll then use Mullvad.
If OTOH someone's threat model requires anonymity 99.9% of the time, then I hope they'll also be adept at jumping through a few more hoops than simply trusting some $3 VPN provider that sponsors YouTube videos — IMHO of course.
Have you looked at Streisand? Super easy script that sets up wireguard and several other protocols for you all at once, all you need is a VPS https://github.com/StreisandEffect/streisand
> I want a "secure by default" internet with all the things encrypted all the time
Not this way, though. There are certainly security problems with non-ssl traffic, but the cure may be worse than the disease. If browsers continue restricting access to non-ssl sites, lawmakers might try to regulate who can get a cert, and what root CAs web browsers can include. This will turn the web into a walled garden. At first, it will probably be a blacklist of scam sites, so everyone goes along with it, then terrorist, piracy and child porn content, eventually an App Store like model, with the EU and the US acting as gatekeepers.
Using a different, illegal browser or operating system might not be an option, as that's also starting to require certificates, see notarization and secure boot.
The right way would be warning users if a site's cert changes, but without root CAs (like in SSH). The WPA3 protocol, which can also work in passwordless networks, is a welcome development too. A combination of those two would solve 80% of the problem, without creating those risks.
Never knew that HTTPS can be preloaded or not, this is useful, I'll need to be more vigilant. Also, good point about ad blocks, especially if you share a computer with children, they click on a lot of dubious things.
Honestly, for an average Joe like myself, a lot of this goes over my head. All I know is that you have to be careful, don't give away your information to questionable sites, and if you're looking to visit some more dangerous sites a VPN won't hurt.
I see a lot of comments deconstructing Troy's arguments, all I can say is that obviously a VPN is not a magic bullet, we can debate that until the cows come home, but if you can afford to get a pay to play VPN like NordVPn, it is safer to buy one, than to not have one at all.
My #1 concern — I don’t trust my ISP. I don’t trust any of the big ISPs in this country, or any other.
The NSA and other government agencies are outsourcing their spying on domestic people to the ISPs, who are willing to do whatever the government agencies want, in return for large sums of money. The NSA gets what they want, which is to continue to dragnet the entire Internet, both domestically and elsewhere around the world, and yet they are not held responsible for scanning or interdicting any of that data domestically because they’ve outsourced that part of the job.
On top of that, the ISPs are doing deep packet inspection and deep packet rewriting to suit their own ends, like serving up the ads of their choice instead of other ads, or serving up the content of their choice (including applying traffic shaping to reduce the quality of that video you watch from a provider that does not have a zero rate agreement with them), or hijacking your DNS packets and sending you to whatever services they want.
I have more trust in certain VPN providers, than I do in any of the large ISPs. So, I’m willing to trust them to become my new virtual public endpoint where my traffic is unwrapped and made visible to the rest of the systems on it’s journey around the world.
So, yes — I use VPNs. I use VPNs all the time. In fact, my next move is going to be setting up equipment to do whole-house VPNs, so that no traffic can escape my systems that would be visible to my ISP regardless of what kind of deep packet inspection equipment they might have.
For me, a VPN is just the next logical step of HTTPS everywhere.
49 comments
[ 7.4 ms ] story [ 94.7 ms ] thread> It doesn't get more anonymous than that.
Yes, it does. TOR. Those VPNs? They've got your source IP, which as people are enjoying pointing out is almost as good as an identity. Not much anonymity there.
I don't get this, could you give an example of where this happens?
2) I trust a company who’s entire value proposition is privacy more than one who’s value proposition is having a monopoly on the local fiber.
Many of the VPN providers are suspiciously cheap.
If a no-name company starts selling suspiciously cheap smartphones, the odds of those smartphones being backdoored/stolen/broken goes up pretty dramatically. That doesn't mean that every company selling smartphones is equally untrustworthy.
Of course it's a problem how hard it is to tell if a VPN company is trustworthy, but that's a problem that exists for almost every 3rd-party relationship I enter into.
I wouldn't believe any corporation who says this. A profile of a self-identified private person's traffic is likely worth a lot more than what a niche audience will pay for privacy.
VPNs have a history of lying about their business models, about how private their service really is. International contract enforcement won't exactly leave you with a lot of leverage if (pragmatically, when) they lie to you.
And merely being international certainly won't stop a state level actor who is intent on gaining access to your traffic.
[0] https://en.wikipedia.org/wiki/Room_641A
[1] https://www.usatoday.com/story/tech/news/2017/04/04/isps-can...
- My ISP knows all my normal internet traffic, and all the caveats that apply (HTTPS, SNI, IPs, etc)
- My VPN knows a much smaller subset of traffic used for a different purpose. Also, do this in a VM, or on a separate computer, or otherwise somehow containerize your cookies and browser and things. (no, I still don't think people are correlating between profiles using webgl in any large-scale way. If they were, I'd be getting fewer CAPTCHAs.)
Yes, the VPN could presumably violate their privacy statements and sell your information, but that still avoids the primary concern: an ad domain that lives on the two websites you'd like to visit (ie, the normal vs the private site) With a new IP, and a different host (VM, physical computer, etc) there's nothing to correlate. The website in question doesn't know it's you -- only the VPN does. And it doesn't seem likely they're going to sell your information in such a way that the website can figure out which cookie to correlate with which identity.
So, the primary tracking method of the internet should be defeated in this way.
And if IP obfuscation is that important, you'll likely be using TOR, not a VPN (which have proven to be a nearly transparent shield).
That's my plan -- that there is no bridge between the profiles. I'll admit, the likelihood that I'm doing this perfectly is definitely not 100%. But I'll bet it covers most cases.
Re: DNS-layer security: It is really not that hard to bypass it and if folks are subject to phishing via IDN homographic attacks (ex: https://www.xn--80ak6aa92e.com/) or typo-squatting attacks (ex: googel.com) then it is time for Firefox to up its game and improve upon DoH to tackle those, as well. Extensions are helpful too, but how many people care enough to remember and install those [3]?
Between HSTS (or https-everywhere [4]), DoH (thanks Mozilla!), ESNI (thanks Mozilla!), and domain-fronting [5] (thanks CDNs!) we've got a pretty good VPN-free future to look forward to in terms of anti-censorship which is what most users use it for (sure, if you care enough to not leak your IP address, discounting the fact that device / browser fingerprinting is a thing, then VPN helps, but by how much? [6]).
The VPN industry does a lot of "scareware" marketing, I feel, and ESNI is a potential existential threat to them. Time will tell.
[0] https://twitter.com/vinifortuna/status/1304189371688660992
[1] https://en.wikipedia.org/wiki/Nagle%27s_algorithm
[2] https://geneva.cs.umd.edu/posts/china-censors-esni/esni/
[3] Not sure if uBlock Origin defends against such attacks, but wouldn't it be rad if it did?
[4] https://www.eff.org/https-everywhere
[5] https://en.wikipedia.org/wiki/Domain_fronting
[6] https://news.ycombinator.com/item?id=19601503
Knowing my IP address would get you within 5 miles of my house on most geo lookups, and that's information I'm transmitting to literally every single website that I visit.
> discounting the fact that device / browser fingerprinting is a thing
Device fingerprinting is something I can (to some extent) control locally on a site-by-site basis. I can disable Javascript, I can use containers, I can (to some extent) inspect what data websites can transmit. I can't control what a website does with my IP address, and I can't see how they store it or transmit it.
Again, to the privacy fatalists who think that protecting against fingerprinting is impossible: why is Tor wasting its time with features like letterboxing? Why is anyone in the advertising industry getting worked up about 3rd-party cookie blocking if that doesn't matter? Do you think that Mozilla/Apple are wasting their time by trying to harden the browser interface?
----
I'm kind of done arguing with people about this, so my position has evolved. My new advice is that if you think that moving trust is a fundamentally broken, universally bad idea, then you don't have to move trust. Don't buy a VPN. But in that case, you should still be thinking about setting up your own VPN on a remote server. That will give you most of the same privacy benefits. It won't make it harder to build up profiles on you, but it'll still mask your physical location, it'll still give you some level of disassociation between your physical identity and your online identity. In the US, it'll still mean that you're moving trust away from known hostile entities (ISPs and routers). It won't protect you from the FBI, but the point of a VPN is not to protect you from the FBI.
And honestly, deploying your own VPN on a remote server is simpler than trying to figure out whether or not DoH security is good enough to rely on yet (it's not, Firefox falls back on regular DNS when DoH fails), and whether or not ESNI is being widely used on most domains (it's not). Especially now that Wireguard has really come into its own and simplified this process, learning one thing is easier than trying to keep up to date with a dozen half-implemented security features.
Anyone who doesn't have the technical chops to deploy a Wireguard server on Linode also probably doesn't have the technical chops to talk about ESNI and DoH. Because Troy is completely right -- as nice as those technologies are, they aren't widely deployed enough or correctly deployed often enough to rely on as more than a defense in depth.
My observation is that most VPN users use it for anti-censorship. And as for the points Tory raised (VPNs as a security measure against phishing et al), most of them are better mitigated on-the-client like how Tor works so hard to mitigate browser fingerprinting on-the-client as well, for example.
Of course, I never touched upon anti-surveillance, and if that's your threat-model, VPN is absolutely a necessity amongst a myriad of other things [1].
[0] https://news.ycombinator.com/item?id=19603091
[1] https://news.ycombinator.com/item?id=21601031
Yes it's technically safer, no you probably don't need one, yes the advertising is largely misleading/fearmongering, and yes these VPN providers would love if it became common "knowledge" that all Internet users should pay a VPN-tax on top of their ISP bill to stay safe online.
My VPN subscription has saved me hundreds, if not thousands of dollars.
Now, I don't know what the expected cost of torrenting an HBO show is but I guess the parent commenter might think it's relatively high.
1) Threat: Unencrypted Traffic
An international VPN doesn't solve this. If the traffic is not requested over HTTPS, it will be equally unencrypted once it exits the VPN tunnel. At which point your traffic is not only vulnerable to the VPN and the VPN's ISP, it's vulnerable to the various national firewalls and interconnects your traffic is traveling over that it wouldn't normally.
2) Threat: Phishing
Troy Hunt's Nord VPN only prevents this because the VPN is intercepting and changing DNS requests. It won't help with DNS over HTTPS, as an aside.
3) Threat: Privacy
As pointed out in 1 and 2, using the VPN doesn't increase your privacy; it actually decreases it. All a standard VPN does is change your source IP.
A couple of other threat models:
4) Rogue ISP
Now, if your ISP is truly rogue, a VPN might help lessen some of the problems, but no more than conscious awareness while browsing the web will. If it's not a secure page, it's not a secure page, whether it's been served over a VPN or the most hostile ISP known to man.
5) Government Wiretapping
A VPN, even an international VPN, will never stop a state level actor if they really want your traffic. International agreements (such as 5 eyes) exist to make these kinds of requests easy.
IMO, the only real use of a VPN is to bypass IP based region checks. But since VPN endpoints can be detected, that kind of fix is a cat and mouse fight at best.
1. Coffee shop WiFi: if an adversary ARP poisons your WiFi hotspot (or is the coffee shop owner), and you are browsing http websites, you can get owned pretty easily. This can be solved through things other than a VPN (see above).
2. Bypassing region locks
3. Piracy. If you live in a region where your ISP will snitch on you, using a VPN gives you some safety from that, especially if your VPN provider knows little about who you are, and couldn’t really snitch on you if it tried (see Mullvad paid in cash for instance). Most VPN providers will just throw out copyright infringement notices.
If it's truly located in their house and uses their IP, there's no chance it ends up on a list
In all seriousness, what would be the best way of increasing both anonymity and privacy online? Not from nation-states, but hackers/data breaches/ad-tech/local law enforcement?
It's an interesting but frustrating topic. It seems like every potential solution has some major caveat that someone will invariably point out as making the solution useless.
For example, I am wanting to export all of my data from my social media (texts, posts, location data from Google, etc) for posterity and then delete the accounts. But I also want to keep it safe and secure. So I use VeraCrypt containers. But then what if my Kinesis keyboard has some firmware embedded reading my passwords? Now I'm screwed. And if I backup online with Backblaze, and use their E2E encryption but one day they change their software so that it records the password when typing it in. It almost feels helpless.
You have to come up with a threat model. You have to decide what threats are the most important to you.
I'd group them into three domains, based on the amount of effort involved in mitigating the threat. From the most work to the least: Threats you absolutely and utterly must avoid at any cost and effort. Threats you want to avoid, but you're not willing to the extent of fighting a state-level actor. Threats where it would be nice to have them mitigated, but it's not worth exceptional effort or cost.
For your backblaze (BB) example, your threat is "BB's client can't be trusted" and the sanctity of the data falls in bucket two.
To mitigate your distrust of BB's client, you'd want to make sure it never sees unencrypted data. And so, you'd do something like encrypt the data with your own key, and then send it to BB. You'd want to use a second computer (or a dual boot system) to ensure that the OS which hosts BB's client is not running when the encryption is happening, and share the resulting encrypted binary files with the computer that will do the upload.
The keyboard on the encrypting computer could still be a threat, but that's getting into the "state-level actor" levels of effort to counter.
I also use DoH via NextDNS, which is tunneled through the VPN as well for backwards compatibility.
The above setup keeps me secure and covers 99.9% of my use cases. If for some reason I need actual anonymity (which is the rare 0.1%) I'll then use Mullvad.
If OTOH someone's threat model requires anonymity 99.9% of the time, then I hope they'll also be adept at jumping through a few more hoops than simply trusting some $3 VPN provider that sponsors YouTube videos — IMHO of course.
Then you just need to use your VPN endpoint for DNS.
I do something similar but with Wireguard and Pi-hole.
Not this way, though. There are certainly security problems with non-ssl traffic, but the cure may be worse than the disease. If browsers continue restricting access to non-ssl sites, lawmakers might try to regulate who can get a cert, and what root CAs web browsers can include. This will turn the web into a walled garden. At first, it will probably be a blacklist of scam sites, so everyone goes along with it, then terrorist, piracy and child porn content, eventually an App Store like model, with the EU and the US acting as gatekeepers.
Using a different, illegal browser or operating system might not be an option, as that's also starting to require certificates, see notarization and secure boot.
The right way would be warning users if a site's cert changes, but without root CAs (like in SSH). The WPA3 protocol, which can also work in passwordless networks, is a welcome development too. A combination of those two would solve 80% of the problem, without creating those risks.
The NSA and other government agencies are outsourcing their spying on domestic people to the ISPs, who are willing to do whatever the government agencies want, in return for large sums of money. The NSA gets what they want, which is to continue to dragnet the entire Internet, both domestically and elsewhere around the world, and yet they are not held responsible for scanning or interdicting any of that data domestically because they’ve outsourced that part of the job.
On top of that, the ISPs are doing deep packet inspection and deep packet rewriting to suit their own ends, like serving up the ads of their choice instead of other ads, or serving up the content of their choice (including applying traffic shaping to reduce the quality of that video you watch from a provider that does not have a zero rate agreement with them), or hijacking your DNS packets and sending you to whatever services they want.
I have more trust in certain VPN providers, than I do in any of the large ISPs. So, I’m willing to trust them to become my new virtual public endpoint where my traffic is unwrapped and made visible to the rest of the systems on it’s journey around the world.
So, yes — I use VPNs. I use VPNs all the time. In fact, my next move is going to be setting up equipment to do whole-house VPNs, so that no traffic can escape my systems that would be visible to my ISP regardless of what kind of deep packet inspection equipment they might have.
For me, a VPN is just the next logical step of HTTPS everywhere.