72 comments

[ 3.2 ms ] story [ 142 ms ] thread
I've always assumed that VPN service providers are nation states looking for people trying to avoid the attention of nation states.
The only VPN I use is one that I host ... I also use Tor though
VPN = Rented proxy?

Even running your own VPN means that the destination knows your IP and that IP range is known to be allocated to a particular cloud provider and at any particular time, any cloud provider knows by the second which VM/tenant their allocated IPs are attached to.

So who are you hiding from and are you really hidden?

My ISP is well known for using Deep Packet Inspection techniques to look at what you're doing and where, and to shape traffic to sites they want to discourage -- like NetFlix. And they inject their own ads into web pages, which could be a source of malware. It's trivial for large providers to get root certs so that they can MITM any TLS traffic on their network, unless you're using pinned certificates.

So, I need to protect myself against my ISP.

And their name? AT&T.

Do you have any proof that AT&T are conducting mass-scale MITM attacks against their users?
Okay, I concede that they have injected cookies into HTTP sites for tracking purposes, and maybe injected ads. But 8 years later the web landscape has changed, everyone uses TLS by default and we have Certificate Transparency, so this sort of thing can't be done anymore.

The most they can do now is spy on your DNS and redirect unresolved domains to some ad-filled page.

It's worth considering that spying on DNS is a tremendous privacy leak, much more than "the most they can do" implies. An aware user might configure their system with DoH and use a privacy respecting DNS provider but for many users on a default home connection the ISP is pretty much able to build up a traffic profile of everything you visit and when you visit it. A VPN provider can close this hole too quite easily.

Just from DNS, your ISP can:

1. Infer shopping habbits.

2. Infer which communication services you use (flag users hitting signal.org)

3. Infer when you install, update, or open programs based on telemetry DNS, potentially the versions being run, and how long they run for.

4. Infer when you're most active, infer sleeping habits.

5. Infer probability of health problems if you're hitting more medical sites.

6. Infer political alliance from news sites you visit.

And much more.

Since US congress dropped the rules preventing ISPs selling this data this might be the most insidious thing your ISP can do today.

If you believe that a VPN provider is less likely to spy due to it being the incentive for a paying customer, then a VPN with a no-log DNS option is a huge privacy win. I would argue DoH with NextDNS by itself does more for your privacy than any VPN does with IP masking.

How many folk here on HN are using 1.1.1.1 or 8.8.8.8 for DNS?

I do not believe that Google/Cloudflare are not doing something with the DNS data.

Data is a commodity after-all.

It depends on what they're using the data for.

Cloudflare if they use their DNS data, is likely to use it to improve their network and security products. Google likely uses it to sell intrusive ads.

I know which one I'm more comfortable with.

So, the original statement that companies like AT&T can trivially get root certificates and MITM TLS traffic is just crazy talk, and you were right to challenge that.

> The most they can do now is spy on your DNS and redirect unresolved domains to some ad-filled page.

But this isn't really true either. There's a lot more that can be done with a packet stream than spy on DNS, even if the actual payload traffic is encrypted. A combination of DNS, SNI, IPs, and packet sizes and transmission patterns can allow fairly granular classification of traffic by type, and specific connections can then be traffic-shaped, e.g. by explicit throttling to some target bitrate or by applying differential QoS to them.

"It's trivial for large providers to get root certs so that they can MITM any TLS traffic on their network"

Seriously? Just like that? You can pretend that you are a random site.com and get a SSL lock icon in 2023 if you are big enough?

Its already worse than that. Any provider sitting between you and LetsEncrypt could pass the HTTP challenge on your behalf and get themselves certified as your server.
I'd love to hear how exactly they'd pull that off.
In Linux, you can do a dstaddr/dstport based redirect in the iptables FORWARD chain to your own http server and serve the ACME challenge/response things from there. This is basically a transparent proxy setup.
What does that buy you? The challenge is merely an authorization, intercepting it does not get you a certificate.
What else would i need to request the certificate?
The ambition is that this will be addressed by supporting RFC8657[0], which would allow domain owners to restrict HTTP-01 issuance by declaring an issuance policy through DNS records. It's been live at staging for years and still waiting to make it to prod[1].

DNS-01 attacks are by default similarly vulnerable to MitM between the issuer and your DNS server, which can be mitigated by setting up DNSSEC.

[0]: https://datatracker.ietf.org/doc/html/rfc8657

[1]: https://community.letsencrypt.org/t/prod-support-for-rfc8657...

No, it isn’t. Browser root programs have certificate transparency (SCT embedding) requirements which would immediately reveal to the world if an ISP started to use a trusted root to MITM its users.
Basically no.

You would have to be forced to install an extra root certificate that allows the ISP to MITM your traffic, or have a CA turn rogue and start issuing certificates for other people (e.g. DigiNotar). Both of these attacks would be detected by the Certificate Transparency system, so everyone would know. And for very big domains (google/facebook) browsers pre-bundle the certs they expect to see and refuse to honour any other cert, this is known as static key pinning.

Nation states would be more likely to just tap up Cloudflare to spy on the traffic since a huge % of the internet goes directly to them and is unencrypted at that point.

No, it's not true.

You can tell it's not true, because if MITM certs signed by trusted root CAs were being issued, they'd appear in Certificate Transparency logs.

Although mis-issued certificates have happened [1] it is very rare, and convincing a root CA to intentionally issue you such a certificate would be very, very far from trivial.

[1] https://www.computerworld.com/article/2714719/rogue-google-s...

It really shouldn't be and (AFAIK) isn't trivial for people to get root certs any more unless they can get end-users to install them on their systems.

It used to be relatively straightforward (you could buy security appliances that had them) but that was quite a long time ago, things have tightened up considerably since then.

So if an ISP wants to do this, the only other option is a mandatory proxy.

How many root certificate authorities are there in the world that are trusted by default by most browsers, or have their authority cross signed by one of the trusted root certificate authorities.

At last count, the number I heard of was north of 300. All it takes is one of them being semi shady and being willing to sell or cross sign root certs for someone else, like an ISP. And surprising number of those 300+ are pretty shady.

This is one of the methods used in the Great Firewall of China. Or Russia. Or a number of other countries. And most of those countries have smaller annual budgets than AT&T.

Of course, that's also why a lot of people in China use VPNs.

Just like any sufficiently well funded company or country can go to certain businesses in Israel and get professional zero day/no touch malware that they can drop on any unsuspecting target. And Israel is not the only country selling that kind of technology.

I don't dare to call my virtual home network a "VPN" anymore because people will instantly ask which provider its using. I need a new word that means virtual private network but doesn't have the "rented proxy for hiding my identity" meaning.
LAN.

Or 'virtual home network'.

Yes, that's what it is for many people today.

Through to be more precise "Rented proxy which uses an opaque encrypted tunnel and can be setup in a system wide transparent manner which avoid all the pain traditional web proxies tend to introduce. Also a proxy which at least pretends to keeps your side of the connection private and might provide (or pretend to provide) some additional security benefits compared to a traditional web proxy.".

> So who are you hiding from and are you really hidden?

Your ISP, in most countries ISPs will analyze network data and sell some aggregated statistics, but in some countries they can go far beyond this in ways which can have noticeable negative effects on your life.

In case of using anything with a P2P connection to untrusted 3rd parties which seems fine initially but turn out to be fanatics, extremists, or crazy (in a negative/dangerous way) . E.g. if you play online in a game which uses P2P someone might use this to trace you down, maybe try to hack you and especially in combination with ISPs selling to private infos might be able to easily find out where you life. This can put your life in danger, even if you aren't a streamer or parts of a frequently harassed minority.

Overreaching not person specific state surveillance, not that you have anything to hide but you shouldn't tolerate it anyway. I mean just because you don't have anything to hide today doesn't mean you don't have tomorrow, potentially in retrospective. I mean for an extrema example I don't think most Jews in 1938 did expect they have to hide for their live in Germany just a few years down the line. And who knows what will happen in the future.

VPN isn't exactly supposed to provide safety though.
That's the primary argument in vpn commercials.
It's funny because arguably you achieve less safety routing your traffic through someone else's servers.
VPNs basically solve three mass issues:

* Pretending to be in another country to evade geoblocks by internet resources.

* Using P2P and avoiding law enforcement attention of your own country.

* Avoid your own country's legally enforced IP and DNS blocks of specific resources.

VPNs are fairly efficient at all that without providing any additional anonymity.

As far as I see there are 2 uses for VPN.

1/ Being "safer" using public wifis. I use 5g hotspot to my phone to avoid that. 2/ Proxy to other countries for streaming reasons. Still use it for this.

All the rest is just bogus marketing speak.

3. Avoiding government blocks/censorship/monitoring (if you trust your government less than the VPN provider). Not every country has open and free access.

4. Accessing your home country's internet while abroad, since many sites redirect you to a foreign market version

5. Checking if another geo has cheaper prices. Tom Scott mentioned he got cheaper prices on international rental cars by VPNing to the destination country than when going direct from a foreign country.

6. At least in the USA, ISPs can sell your browsing habits(DNS lookups, connection end-points) to third parties. A VPN that doesn't sell this data protects you from that level of snooping from the ISP.
7. Hiding torrent usage from my ISP so they don’t cut my service.
Y'all forgot adblock via at-home (or at least self-hosted) PiHole, for when you want to block ads on LTE.
There is one more and that is unreliable or filtered connections.

Having wireguard style VPN on a network that is unreliable can keep connections alive that might otherwise be killed.

This usually isn't due to any error correction, just bypassing the stateful nat deciding your connection is not valid anymore.

Interesting! I'd never thought about that before.
Last: Self-hosting stuff and accessing it from remote. Reduces the burden to harden locally hosted and publicly accessible services. This is what I use VPNs the most.
Assuming all the sites you care about (From a security perspective) run over TLS, the wi-fi risk is less now than it used to be (when HTTPS uptake was lower).
The internet seems slightly broken if necessary to trust the first hop.
In the UK at least, most major ISP block torrent sites, and if a copyright holder complains to the ISP that your IP was downloading a movie they have the rights to, you may get a warning letter from your ISP through the post, including the filename you were downloading. This has happened to me in the past.

VPNs solve both of these problems for me, however shady they may be under the hood

Another example. Happened to me today. I was unable to pay online for a bus ticket until I set up VPN out of Cambodia to SG. I tried two cards by two different banks on three different ticketing sites. Without VPN all my payment attempts were rejected.
Also the original use of VPN: to be able to access the internal resources of a network while physically outside the network.
I've tried Mullvad but services like Firebase and Cloudflare randomly don't work with the Mullvad servers I use. There's no benefit to a VPN that makes you spend 20 minutes debugging your dev environment, only to remember you need to turn off your VPN before doing a `firebase deploy`.
I use PIA and some sites like Bugsnag, LogRocket don't work, what I do is have a special browser (Chrome Canary) that I set a split tunnel rule for so it bypasses the vpn. Same for steam and epic that will kill you with captchas for something as simple as the pc going to sleep and waking (new ip).
1. I would love to know why people are using VPNs. I suspect it's for evading region blocks but if it is for privacy reasons it would be a strong counter-argument to the idea that people don't care about privacy.

2. Is this whole article a marketing piece? My understanding is that NordVPN has a somewhat checkered reputation including a data breach in 2018. The linked list[1] of best VPNs also effectively lists NordVPN twice since Nord now owns Surfshark.

[1] https://www.techradar.com/vpn/best-vpn

I use VPN as some sort of disgruntlement if I'm honest.

Some how VPNs convinced me using it was sticking it to the man in the same way using cash is.

So I just leave it one. Don't think it affects me meaningfully I don't use websites other than Https nor am I interesting in any way.

Occasionally I get past geo-locked content. Maybe once or twice a month.

I run my own VPN on an EC2 instance. The main reason I do it is because even HTTPS leaks the domain names you connect to in addition to the IP address. It seems stupid to give that info to my ISP.
Wouldn’t AWS collect the same metadata on your traffic “to deliver a better service, fight abuse and etc”?

Genuine question, I don’t know. I feel like they are better than any ISP, but still monitor traffic on their networks.

They definitely can and do collect the traffic. But most ISPs actively sell your data to marketers. I don’t think AWS does that.
I use Cloudflare WARP to avoid ISP traffic shaping. I feel a lot more comfortable when my ISP just sees one outgoing wireguard connection.
Wrt 1.: A lot of "common non technical people" believe it makes browsing more secure and private, often in ways which VPNs do _not_ provide. And evading region blocks is a neat additional benefit (through I also would argue that the need to avoiding region blocks varies quite a bit over time and depending on which country you are in).

Also due to nation specific news sometimes spreading international, some people in regions where there is no major abuse of power of network carriers might think there is. E.g. similar how e.g. people in countries with only a small problem of police violence often think of it as being as bad as in the US due to how many "US sourced" stories they directly and indirectly hear.

Lastly some VPNs try to provide additional security measurements, like blocking connections to known malicious sites and servers. The problem with such services is that they can be abused, and do you trust them? At least I do not trust many VPN providers.

I use ProtonVPN mainly for reading & browsing on my iPad at the gym or McDonald's or airport. It adds a layer of protection, particularly in a public place where they explicitly say your connection is not private.

Probably it's not totally secure either, since nothing in this world is totally so, but Proton is reputable and reliable, along with Nord and a handful of others, so all I can do is hope for the best and probably avoid connecting to my bank and other sensitive uses.

As for teens using free VPN's, this just sounds very sketchy and I wonder if there should be a required course in approximately 9th grade high school teaching people safe internet use, kind of like driver's ed or home economics... necessary basic knowledge in this day and age.

Standard VPNs just shift the point of trust from the local network/ISP to the VPN provider, so the question becomes, can you trust the VPN company more or less than those local networks/ISPs?

This depends on quite a range of factors (e.g. what country you're in, what your personal risk profile is), so depending on the answers there, VPNs are more or less useful (from a security perspective).

I'd expect that a lot of VPN use these days is geo-shifting to get access to region locked content, and they're not a bad idea for that.

I'd argue most people benefit by putting that data into another jurisdiction.

I.e. can your local law enforcement ping an email over to your ISP and just be handed years worth of IPs accessed? Or is there slightly more friction?

Put another way if I used an exit in Tehran how easy would it be to get my data for Norwegian law enforcement? Even if the end point was 4g in Oslo?

Looking at how insistent many authoritarian regimes are at forcing international companies to host data in their own jurisdiction, you're probably right. I live in one of those countries and definitely prefer certain VPN and hosting companies to my own ISP.
yeah the national law aspect is interesting, and I could see it really taking off as new restrictive laws get passed in specific countries.

To take one example the UK Online Safety Bill could make access to a load of content trickier (or even cause companies to stop offering services in the UK) at which time I expect a load of UK people will start using VPNs to shift their traffic to appear to come from non-UK locations.

Especially as you are more and more at risk of wrongful convictions based on (erroneous) big data and stupid laws. Nothing to fear if you have nothing to hide only works with a perfect system which dont exist outside of fairy tales.

Also dont think those are contradicting concerns. Be careful with what you trust which ISP or VPN provider with. Thinking you are good with just going with either category instead of the other is a recipe for disaster.

Also worth mentioning that to lock your ISP properly out, take a look at hardware firewalls with whitelists and properly chosen signatures for the vpn tunnel. Especially if they are forcing a router into your home network.

That's precisely what I use it for. However, lately, I've been using [controld](https://controld.com) to geo-shift without having to change connections. It works really well for that.
Is this similar to NextDNS but with Geo location spoofing?
I use a VPN anytime I am out of the house on my mobile, mostly because it obfuscates things when it comes to advertiser tracking and ISP snooping for advertising data. Better local access security on WiFi points is part of it as well, but ultimately I dislike snooping for ads, which every free WiFi at large businesses is definitely doing.
I use a number of VPNs, some commercial, some with VPS' on which I've installed a wireguard instance, to create additional steps for anyone (else) who wants to snoop my data.

Australia has legislated two-year metadata retention rules applied to ISPs, but not to VPN or VPS providers.

Sure, it doesn't take much for law enforcement to potentially get access to VPN and VPS data as well, but the more hassle, the more work, the more wasted time, the better.

Australia continues to creep me out. Really holding true to its prison island history.
(comment deleted)
> are people actually safe?

Inevitably: Safe against what?

Nation-states? No.

Your mom, your school, your church, and your work place? Sure.

it depends on a lot of questions:

- Where are you, the degree of abuse of power from network carriers wrt. things which change when users use VPN hugely differ.

- Who are you the degree of risk you are exposed to where VPNs can help can differ a lot.

- What do you do, e.g. if you do stream you probably want to keep your pace of of living private and in turn a VPN can noticeable reduce the risk.

- Which VPN do yo use, some are pretty bad, some outright malicious, many soso, some focus more on the "private network" part and might not provide the same degree of privacy for some use-cases. Also some come with additional security features, e.g. preventing connections to known malicious servers and sides (which also can be abused by whoever provides that features, so not always a plus).

- What do you even mean with "safe".

All in all I would say depending on the country you are if you are a "typical non technical user" the answer rang anywhere from "yes, quite a bit" to "no it makes no relevant difference".

Based upon the article, the Title should be "Free VPN services are bad". Which I believe is true.

If you need VPN, unless you know how to setup your own server, get paid ones. Most people can afford it.

But if at home, you live in what is generally considered a free country you probably do not need one. I guess there are cases were one may be useful at home. If in another type country, I think even with a VPN you could be at risk unless you are very careful.

The prevalence of browser fingerprinting really breaks the deal for me with VPN's. There's less value in hiding your IP and location if advertisers and websites can still uniquely identify you.
Half of these are just banned Reddit users....
A VPN is virtual PRIVATE network, a "commercial VPN" where the customer just have a client, and the server is from someone else means being in the service private network, or choosing to put a personal device on someone else LAN to be more direct and clear.

A VPN is logic if one have a homeserver and do want to connect from home while being outside, for instance to filter their own craphone traffic, accessing Home Assistant without exposing it too much on the internet and so on.

A VPN is logic for similar reasons for a company with nomadic workers.

The sole reason for using a "commercial VPN" is having a glorified proxy for accessing some geoblocked content, fully knowing that you have all your traffic diverted to someone else machine, perhaps with a proprietary client on you won machine and with high privileges.

That's is. There is NO EXTRA SAFETY for commercial VPN in privacy terms, except being sure that your own traffic would be monitored easily by third parties than by your own ISP, typically third parties hosted in some other countries while your ISP is local, so under local laws...