204 comments

[ 4.3 ms ] story [ 221 ms ] thread
URL would be funnier if owner also owned the actual URL, but redirected everything to the extra one.

And it's unregistered!

https://www.namecheap.com/domains/registration/results/?doma...

Edit: Per below, missed the last dot. zoltanbalazs is registered. https://www.namecheap.com/domains/registration/results/?doma...

Also, what would be more interesting: a financial breakdown of how an average free VPN provider makes money.

I assume ad injection + selling traffic data, but does that make enough to offset the cost?

I believe at least one of the business models for "free" VPNs is to turn their users machines into exit nodes, and the real business is in selling those to people who want to spread their traffic across many residential IPs for usually dubious reasons (e.g. scalpers trying to scoop up concert tickets or limited edition sneakers or whatever without tripping bot detection).
afaik some free vpn providers use your own connection to offer residential ips for scrapping services or other vpn users.

I know I read a article about one where they at least routed some other traffic through the vpn app, but I can't find the article anymore.

holavpn was exposed by trend micro as a botnet for rent (best source I could find since the original white paper from trend micro seems to be gone: https://www.vice.com/en/article/pga9yk/your-tool-to-access-n... )

facebook used their vpn onavo to mitm users of snapchat, amazon, youtube: https://techcrunch.com/2024/03/26/facebook-secret-project-sn... – somehow I had missed this, I was only aware of the much older scoop about facebook using it to track underaged users: https://techcrunch.com/2019/01/29/facebook-project-atlas/

>facebook used their vpn onavo [...]

It's worth pointing out that while it operated as a VPN (so it could capture traffic), it was ostensibly marketed as a "security" app (ie. scanning your web traffic for threats). It's not really a good example of shady VPNs.

dotzoltanbalazsdotcom.com is unregistered.

zoltanbalazs.com was registered in 2021.

Oops! Mistake on my part. Updated above.

Sadly, doesn't look like there's anything hosted on zoltanbalazs.com

> When to use a personal VPN?

> - Geofence bypass

> - Piracy

> - Soft network block/censorship

Among all the people I know who use the kind of VPN services talked about here, these are exactly their reasons for using them. Obviously advertisements are going to shy away from these angles.

You may not even need a VPN to get around censorship, ISPs implementing legally mandated site blocks often only bother to enforce them at the DNS level so you can trivially bypass them by using an encrypted DNS resolver.
Encrypted DNS resolvers aren't trivial[0] for the ~99% of people who don't even know what they are, though.

[0] https://news.ycombinator.com/item?id=8863

Doesn't Firefox default to eDNS these days? I don't think it can get much more trivial than that
In the UK, at least, it isn't the default (because of "the children"/"terrorism"). But it's still just a setting in Firefox/Chrome to change (and I guess in Edge too).
Changing the "secure dns" option on their phone/computer is probably easier than installing a VPN app, tbh.
Even just using a different DNS can be enough. A certain popular movie uploader is/was blocked by my ISP at the DNS level but worked fine once I changed to OpenDNS.
If only the Great Firewall were so easy. ExpressVPN seems to be "OK" once/if it connects but it's not very fast when websites load megabytes of crap via a bazillion tiny requests (which is a problem in any bandwidth-limited and/or high-latency environment: use your browser tools to simulate a slow connection, website devs!).
Use a browser with DOH. Even works against corporate censorship.
Pretty funny to say they're snake oil, and then list 3 very good reasons to have one.
I think the snake oil claim is in regard to VPN companies marketing themselves as a security product. The security benefits that these companies claim in their ads are dubious but of course there’s other benefits to them, they just can’t advertise that they can be used for these things.

The problem is people who aren’t aware of this see these ads and think that they actually do prevent hackers from stealing their information.

> I think the snake oil claim is in regard to VPN companies marketing themselves as a security product

Considering that confidentiality is a vital component of overall security, it's not necessarily unreasonable to describe a VPN as a security product. Of course, it's not the panacea some companies claim; nobody's "surfing the web in full security and privacy" with just a VPN service.

We already have really good client-server confidentiality (and integrity) assurances from the wide adoption of TLS/HTTPS. Wrapping that in a VPN doesn't buy you all that much additional security. Maybe a little bit of DNS privacy and being able to mask your IP address on torrents, but that's all that comes to mind.
Similar to cryptocurrency in this respect. People would often tout nebulous benefits for hypothetical legitimate use cases, when in reality they were only ever really good at ponzi schemes and conducting illicit transactions.
That argument only makes sense if people don't really understand what a VPN is or what it is actually for. They're somewhat of an expensive and complex thing that usually noticeably slows down your internet connection... I doubt many people are buying them because they think it protects them from identity theft or something. I haven't seen an ad on the internet in a decade (thanks uBlock) - so I'm not sure if there's some ubiquitous misleading ads I'm missing.
renting a car - better rate if you are local.
Hmm… I’m going to try that. Thanks traveler.
Also plane tickets. It was less than half the price for me to buy Peruvian tickets in soles from LATAM than to shop on the equivalent site in USD
Damn. I was wondering why my tickets from Juliaca to Lima were so expensive.
I found the opposite when renting a car at the airport.

Renting a car in Belgium from the Canadian website is cheaper than renting the same car on the Belgian website.

I have mine always on for privacy. Is there a reason to not use it? The extra latency is close to 0 just use an exit node in the same city. Why should I donate all my browsing data to my ISP ?
There's another use case (and is why I primarily pay for one, mostly due to being too geographically mobile to want to set up a bunch of VPS around the US): bypassing throttling on low-cost pay-as-you-go MVNO networks.

I use Visible (pre-paid Verizon), and they very clearly deprioritize, say, youtube when things get crowded. I turn on my VPN and all of a sudden I can play 1080p no problem.

If you change your TTL you can fix that permanently without a VPN
The problem is that they are sold as a security/privacy product, because they can’t mention the more illicit uses (which the author mentions under “when to use a VPN”), which are the real use cases people buy them for.

It’s kind of like when shops selling bongs would market them as “tobacco accessories”, but there was a wink-and-nudge understanding about how they would really be used.

You mean like vibrating massagers?

Did you know the original vibrator was a medical device by doctors to automate treatment of Hysteria?

Haha, lookup what “hysteria” was and the medical “treatment” devised to “cure” it.

We might have a long way yet to go as a species, but we’ve sure come a long way.

We still have chiropractors and Chinese herbal medicine dispensaries.
The thing that bothers me is that we've had these things for so long, but no one does any actual research about them, so we still can't say that we know they don't work, but only that we don't know that they work. And "we don't know that they work" doesn't really convince people who say "thousands of years of tradition say that they work, and my great aunt was healed by it".
Research has been done, and has shown herbal medicines to not work[1], to nobody's surprise. Sure, there's not a huge amount of research into the matter, but this is comparable to the small amount of research time sunk into verifying if prayer can cure cancer.

Nonsense like "rhino horns look like an erect penis, so surely they will give you erections" should be dismissed without further discussion, but unfortunately a multi-billion dollar industry continues to wipe out rare and endangered species for magic cures that can't possibly work.

[1] A large subset of such medications are basically stimulants that make patients feel better but do more harm than good. My father in law was scammed this way by a herbal doctor that gave him such huge doses as to cause heart damage.

> Research has been done, and has shown herbal medicines to not work

Plenty of herbal medicines are effective. Which is why we need research to understand which ones are, and which ones are bullshit.

We have done this research, and the result is called "medicine" now instead of "herbal medicine".

Aspirin used to be extracted from tree bark.

Opium and morphine is the juice of the opium poppy.

Penicillin is from a mould.

Botox is from a bacteria.

Heck, there's an entire subset of the pharma industry running around testing every damned plant, weed, and flower to see if it has some sort of useful effect! There's even been movies made about this! https://www.imdb.com/title/tt0104839/

We've tested herbal medicines, and use the pure extracts from those that do actually work every day in every country.

That doesn't mean the guy selling dried tiger penis should be allowed to open shop next to a pharmacy and claim mysterious properties "unknown to science".

Or all those Nickelodeon commercials for wacky wiggling pens that are sooo hard to write with.
I buy them so I can have country specific ips
Which vpn provider do you use? I found it is somethimes a nightmare to use some of them due to blacklisted ip and endless captcha.
Exactly. Is there anyone whose primary use case for a personal VPN is not "Geofence bypass for region-locked content"??

Whenever a state in the US passes a new "we need your ID to watch porn" law, sales of personal VPNs must predictably skyrocket in that state.

Is "geofence bypass for region-locked content" actually “illicit”?
> Is "geofence bypass for region-locked content" actually “illicit”?

Yes, in practically every jurisdiction. It’s wilful breach of contract, tortious interference with the content distributor’s licensing schemes and copyright infringement.

Unless you have any explicit court case decisions to the contrary, I'm calling bullshit. I did a simple Google search and could not find any examples of someone being sued or prosecuted for region bypass.
> Unless you have any explicit court case decisions to the contrary

I also don’t think there is prosecutorial precedent for murdering someone with a sea cucumber; that doesn’t make it licit (or legal).

When was the last time you heard of anyone murdering someone with a sea cucumber? People obviously use VPNs all the time for region bypass, and have for years, so if anyone had an issue with it it surely would have had some relevant legal proceedings.

Laws only mean what courts say they mean. Besides that, I have simply never heard any argument of region bypass being illegal or otherwise illicit, and you haven't provided any evidence to the contrary.

A notable exception being the use of a VPN to access region-protected content.

INAL, but while this use case might violate ToS, the case law suggests that courts deem this to be fair use provided you don't breech other laws in the process (e.g, copyrights).

Agree that it's the digital equivalent of jaywalking.
> tortious interference with the content distributor’s licensing schemes

No it's not.

Tortious interference with a business relationship is no doubt what you're referring to here, but it's a long bow with multiple layers of indirection. It is "intentionally acting to prevent someone from successfully establishing or maintaining business relationships with others".

Miramax, as a content distributor, might license their content to Netflix.

You are a customer of Netflix.

Now say you are a customer of NordVPN.

For one, NordVPN isn't trying to prevent you maintaining a business relationship with Netflix. Nor is it trying to prevent Netflix having a business relationship with Miramax.

NordVPN may provide you means by which you can choose to be in violation of your TOS with Netflix. It's not acting to ensure you are.

Netflix doesn't have to -allow- this, hence VPN/proxy detection. But they have recourse, drop you as a customer, for you, the customer's, actions, not for NordVPN's actions. Miramax can't argue that NordVPN acted to interfere with their licensing scheme with Netflix.

> Miramax can't argue that NordVPN acted to interfere with their licensing scheme with Netflix

No, but they could argue that the VPN user interfered with their licensing scheme. (If everyone in a region circumvented geoblocks, why would someone in that region pay for regional rights to that content?) They wouldn’t, because it’s not worth it.

This is false, it is not illegal. You might be in violation of a specific contract, but that is far from it being illegal. For example Steam might ban you if you circumvent a region lock. Reason for that is that there are other legal requirements for them as a market place.
> This is false, it is not illegal.

I highly doubt you know the laws in every region globally. This may be true in yours, but it's not a good idea to make such blanket, objective statements online.

> Exactly. Is there anyone whose primary use case for a personal VPN is not "Geofence bypass for region-locked content"??

Hi! /waves I use a VPN to stop my ISP from monitoring my traffic and selling my personal information. My VPN (usually) exits in the same "region" as my real location; I guess if I hit a geoblock I could look at that, but it hasn't come up.

You can set mullvad (which offers VPN service) as your DNS over https server. Traffic is also mostly encrypted by https. Your ISP still gets the destination IP addresses, though they are harder to track.

Wouldn’t that address your concern?

I think this is the old way of thinking about it.

Skipping the broader discussion of AI, the ridiculous amount of automatic and human impossible pattern, matching and correlation with seemingly harmless data is something that I don’t think we are equipped to fully comprehend.

The time at which I hit some meta CDN, seems harmless. Until combined with some cookie and some access time to some asset it uniquely identifies me to previously anonymized data.

So no, I do not think HTTP and a good DNS are enough.

No; until Encrypted Client Hello is ubiquitous HTTPS still has domains in cleartext. Also, I don't think we should be casually dismissing tracking by IP addresses.
Hi! /waves I use a VPN to stop my ISP from monitoring my traffic and selling my personal information.

But then how do you stop your VPN company from doing the same? You essentially have two ISPs now.

If the local ISP has a 100% chance of monetizing my data and the VPN provider has anything less than that, then it's still a win.

(Longer answer: This boils down to the weighted probabilities; if the ISP was meaningfully regulated such that it was legally restricted from doing certain things with my data, that might matter, and one should also play in the exact likelihood that either party is selling my data. In my case the weighted probability is wildly in favor of a VPN, but I suppose I can imagine situations where that wouldn't hold.)

I VPN to a $5 vps in a distant country. I kill and move/re-up it once or twice a year.

They probably could sell my traffic, but I estimate it (based on vibes) as being less likely than for most other intermediaries

It’s their business (value proposition) to not do the same and most explicitly commit to that. They also get third party aidiots and publish results. This isn’t fool proof but it’s better than trusting Comcast or ATT or whoever.
(comment deleted)
You're just trading your ISP for a different third-party who has all the same incentives.
> You're just trading your ISP for a different third-party

Yes.

> who has all the same incentives.

And no. The ISP has little to no competition or incentive to not sell my information, while the VPN provider has loads of competition and often has user privacy as a core part of their value proposition.

Besides - even if both of the did have the same incentives, one openly says they're selling my data and one says they're not. At worst it's a gamble between the VPN lying and the ISP telling the truth.

You don't have competition between ISPs? I can trivially switch between as many (if not more) ISPs as well-known VPN providers.
In many (US, at least) locations, there is only a single provider of fixed broadband. Not sure how it is elsewhere, but without a more customer-friendly framework (infrastructure isn't owned by the same entity selling user access), I can't imagine too many places have multiple, parallel cable or fiber networks in a single town/city.
The availability of internet service providers typically varies by state and even by city. In many cases, your choices might be limited. Often, you may find yourself restricted to a single cable provider, with the possibility of DSL, but not much else, unless you consider wireless options. Installing a wired line can range from very difficult to nearly impossible. Cities might impose a moratorium on new installations, often due to lobbying, and even if installation is permitted, the costs can be exorbitant. For example, the cost of laying new lines can reach into the hundreds of thousands of dollars, with service providers generally unwilling to cover these costs. One recent quote I saw was as high as $160,000.
Sir I would have you know that I participate in no such illicit tomfoolery. My VPN use is strictly for torrenting pirated content!
I reckon the majority of VPN sales are actually people being bombarded by adverts and sponsorships for VPNs and think that is actually of benefit. I am constantly bombarded by questions on which VPN product to use from people who are even unaware you can steal content.

"Are you downloading films from anywhere?"

"Huh what from Disney Plus?"

My dad used to complain that he couldn't get on certain websites, got CAPTCHAs a lot more than he used to and often prices came up in US dollars on his computer, turns out he paid for a 3y plan to NordVPN and had it start on start up on his computer.

He can barely work the Sky box never mind stream stuff from the internet, he got duped into thinking it would make him "safer" when in reality it just makes using the internet a lot harder as everyone flags your traffic as malicious based on the datacentre IP.

Why is your assumption that VPN traffic is being blocked because it's malicious?
If you read carefully, you may see that they did not say that "VPN traffic is being blocked because it's malicious"
Because it absolutely is.

I occasionally fire up Mullvad when I’m on the go. I get blocked way more often when I use it

Because people run crawlers and perform illegal activity, and/or because ‘security companies’ sell the IP lists as low reputation potentially malicious IPs?
Anyone who has browsed through one of these personal VPN services - or even a DIY VPN from a datacentre IP - for more than about 10 minutes will have experienced the increase in captcha's.
>Anyone who has browsed through one of these personal VPN services - or even a DIY VPN from a datacentre IP - for more than about 10 minutes will have experienced the increase in captcha's.

So has anyone behind random CGNAT.

It's the same with any broker service. Fire up a Hurricane Electric IPv6 tunnel for the same effect.
Because I've hosted websites where blocking datacentre IPs has caused a massive reduction in spam and malicious activity - and tried to use Google search with Mullvad dialled only to be greeted by a CAPTCHA every other search.
As someone who operated a high fraud target during the pandemic, I am comfortable asserting that while not all commercial VPN traffic is fraudulent or malicious, most fraudulent or malicious traffic is over VPN.
Torrenting and buying a service cheaper are two examples.
Yes, lots of people have other primary use cases? Why is that even a surprise?

VPN companies are more trustworthy than my ISP. Many get third party audits and publish results. And if the VPN company and server are in a privacy friendly country, they are hard to subpoena. Individual privacy being the default is itself valuable.

This is leaving aside numerous other reasons like avoiding censorship or persecution or whatever.

Yes, I was using a bit of hyperbole.

But that said, on this point I do agree with the author: privacy improvements from using a VPN are marginal for the average user due to the now widespread use of HTTPS. Yes, your ISP can see which domains you visit, but that's about it. I'm curious if there have been any successful lawsuits or prosecutions based solely on domain access logs.

Unless you're using DNS over HTTPS or DNS over TLS. Then they can't.

Side question: Anyone know of a gateway or self-host service which supports DNS over HTTPS relay?

i.e. it will accept vanilla DNS requests, but if it needs to forward requests, it will only do so to DoH / DoT servers?

I do that with pihole.
I absolutely despise my ISP’s business arm, but I trust their network arm not to do something stupid. I certainly trust them more than a company in a remote tax haven with a broken legal system.
Sweden and Switzerland are hardly 'remote tax havens with broken legal systems.' you don't actually prefer your ISP's DNS service over something like say, Quad9's, do you?
LOL. Several of the large ones are owned by the same entity.

The main reason they exist is to do grey market bypass of controls becoming media access. If you trust them to not do some grey/shady exploitation of your metadata, more power to you. Sounds foolish to me.

My ISP Comcast (sometimes called Xfinity) has regularly done MITM attacks that inject javascript into web pages since 2013. Surfing the web without tunneling my connection is unacceptable with an ISP that commits CFAA crimes like this. It is a valid use case for a VPN or VPS tunnel for the 30 million of us stuck with a comcast monopoly.
I am old fashioned. So I would use a VPN if I want to prevent my landlord from getting a cease and desist letter from a lawyer when I download warez. Mostly audio books, and textbooks, but also movies and music.

Ie, it's the use case where you Pirate all the media, and use a VPN as a security bandaid against anti-post-scarcity busybodies.

Piracy is also listed under the "When to use a personal VPN?" heading.
It is, but I believe the comment you replied to was in response to this line.

> Is there anyone whose primary use case for a personal VPN is not "Geofence bypass for region-locked content"??

So... piracy, but worded fancy?

There's no ethical difference between faking your location to bypass licensing and copyright and downloading a file via torrent to bypass licensing and copyright. Both are piracy.

My primary use case for a vpn is i dont trust people on my guest network and dont want their traffic looking like it is coming from an ip associated with me. I am not protecting against 3 letter agency levels of surveillance so i dont need the extra benefit and slowness of tor, i just need to move that traffic to a different jurisdiction to complicate things enough that people dont bother to figure out it came from my network on the off chance that someone i let on myguest network does something untoward.

does that count?

That's a valid privacy concern But is a VPN service a good solution? Certainly not if you are on a shared IP with the VPN. I know you can get some with a dedicated IP, but with most VPN providers it is still probably coming out of a cesspool of ips that you don't want any kind of association to.
Shared ip is even better if you are reasonably sure the provider deletes logs (i.ec you are using mullvad). Good luck proving in a court of law which of the firehouse of clients did whatever you are claiming.
Your use case is valid, I’m just kind of curious why they’re on your guest network if you don’t trust them? Like an AirBnB or something?
Except that use-case doesn't even work because any service worth a salt just blocks the VPN's IP addresses. For example: US citizen living in US goes to the UK and uses VPN service to watch US-based netflix. Netflix blocks this.
There's also bypassing nanny software in coffee shops. I've had checking a word meaning on Urban Dictionary and checking the odds of Trump winning 2024 blocked by that. I guess for naughty words and gambling?
I felt stupid when someone told me what the 'roses in a glass' tubes that were sold in convenience stores were really used for, but I guess it never occurred to me that crack pipes would be something these places would want to be associated with. At least it restored my faith in romantic gestures a bit to know people weren't buying them as a token of love.
The bodega sells whatever people want to buy, as long as it doesn't get the bodega in trouble for doing so.

Beer, wine, booze, tobacco, and vapes are obvious, but things like cough medicine (dextromethorphan), diarrhea pills (loperamide), little roses in neat glass tubes, and air dusters (let's kill some brain cells!) are perhaps less-obvious.

The bodega wants to be associated with being the place where a person can stop in and buy anything, from a can of soup to a pair of pants.

What's the deal with loperamide?

I once asked why levothyrox, a drug to compensate a dying thyroid, is so regulated (at least in France). It's not like it's psychotic or something, it is just a hormone. Turns out people were buying it expecting weight loss...

It's because of such idiots that people whose life is already complicated gets it even more.

It's an opiate, and some opiate addicts like loperamide. It's certainly not the fix they're looking for, but some of them like it enough that -- unlike seemingly every other OTC drug they stock -- it is kept behind the counter at the Dollar General near me, so that a would-be buyer has to ask for it.

And that's not a result of regulation (anyone can buy as much as they want), but is rather a result of stock shrink. It tends to disappear in some less-than-savory neighborhoods.

(I use loperamide occasionally for its main intended purpose of settling my gut down enough that I can do something other than hang out near a bathroom while I quickly dehydrate, and more than once it has been legitimately hard to find in some areas when I've needed to buy more.)

NYC has Mullvad ads plastered everywhere. They bill themselves as protection from corporate surveillance. This is not wink-wink advertising. It’s an attempt to swindle somewhat tech literate people through a lie.

Sure you and everyone else on HN know what a VPN for, but that’s not the case for 97% of the people on a subway car who see their latest campaign.

Funny thing is, in my most recent trip, hotel's wireless network information contained a note which can be summarized as follows:

"Our hotel uses unencrypted wifi, so if you want any kind of privacy on hotel network, please use a VPN, kthxbye."

I've seen a lot of VPN ads that specifically advertise how you can take advantage of regional pricing and get around geoblocking for various services.
This is exactly what it is. Almost everyone I know here in my country, which has not (yet) gone China, who uses a VPN does so exclusively to access sites and services that are banned or not reachable here (read porn, p2p, and geo-limited services like Hulu, and Spotify before it was released here etc). No one, absolutely no one, uses it for privacy and security.
I've never seen a whole lot of value in personal VPNs; it's basically trading one network that can observe you for another. Often with unverifiable claims about not observing you.

But, it can be helpful to trade one network's routes for another, in cases where direct routing between you and your desired peers is poor for whatever reason. And it's clearly useful for circumventing geographic restrictions (as long as those imposing the restrictions dont' care to identify and restrict access through VPNs)

Mullvad and Proton at least have had their no logs policies court tested so I believe their claims.
In general I agree about it not providing security benefit, but they can reduce the exposure of eavesdropping like DNS leaking browsing patterns, and so on. Sure, you’re now leaking your DNS traffic to the VPN server, but in my opinion it’s better to leak that to somewhere external than somewhere close by (e.g. to companies or individuals directly related to your network that will use it for monitoring and monetisation)

https downgrade attacks and the like (html injection on http pages) can also be thwarted (unless they are done on the vpn->service path ofc),

Wouldn’t switching to something like Cloudflare’s 1.1.1.1 DNS mostly solve the DNS issue without going the VPN route? The user’s DNS provider would no longer be their ISP.
> The user’s DNS provider would no longer be their ISP.

Only if the ISP doesn't do DPI to transparently route any outgoing DNS traffic to their (censoring) servers. There have been enough cases of that.

Does that work anymore with DNS over HTTPS? I think the real leak is that until we get Encrypted Client Hello your HTTPS connections expose the domain in plaintext so DNS is kind of a moot point.
It does not. DoH and DoT is a real lifesaver for the privacy-minded people.

And it's hell for the security minded people. Before I could do DNAT on my router to redirect everything to my Pi-Hole, even the Google Mini that staunchly ignored the handed out DNS, but used 8.8.8.8.

But soon they'll start using DoH and I can't do anything anymore at all.

I believe IMDb on iOS already uses DoH.

It’s not that deep. People want to download shit and watch Netflix
The author calls it snake oil then lists legitimate reasons to use a VPN at the end
No better way to get traffic than rage baiting I guess.
Say I sell snake oil, and I say it will cure cancer. Then Peter comes and buys it because he lubricates his discumbulator machine with it. It has a legitimate use, and maybe I even know that, but I still sell it as a cancer cure (which it isn't). Its still snake oil.
(comment deleted)
Argument is based on the assumption that "probably only one percent of users correctly use a kill switch", and in general shows a low level of understanding of threat models and the swiss cheese security model. Author assumes to know the intentions of VPN users and asserts users are dumb, also throwing unnecessary barbs at "wannabe hackers". Unprofessional article, bad advice, no differentiation between nonlogging services and services like nordvpn that bundle google analytics and tracking into their application.

My take? Do a threat assessment, build a threat model, know your adversary be it your own ISP selling your data or protection against hostile state entities when traveling overseas. There are many valid uses for the various types of commercial VPN and instead of an objective look at these services the author walks in with an assumption that they are all the same and never provide value to their customers, then bends over backwards to attempt to make weak arguments against a vast category of service.

Yep, HN is definitely not the article's target audience.
I think this is one of the biggest misunderstandings about security that there's one linear scale and that every solution can be assigned a generic positive/negative delta on that.
Author is correct that TOR has better privacy than a better VPN because TOR means you are truly anonymous (assuming the network is not majority compromised).

However, bandwidth and latency on TOR suck, and in many cases the endpoint IPs are blacklisted to hell due to abuse. A VPN is a nice middle ground where your can put another entity between yourself and your traffic, which is valuable against most opportunist adversaries. If a TLA wants me and can get a warrant, not even TOR will save me, but a VPN keeps the ISP from selling my traffic and the media trolls from sending me grumpy letters because the neighbors keep using my wifi to watch free content.

> assuming the network is not majority compromised

There is no such guarantee AFAIK, as long as a bad actor controls all the nodes in YOUR route, they can deanonymize you.

Everyone is pointing out that the article shoots itself in the foot by giving three very good reasons for VPNs and dismissing them. But I think there's a fourth reason that isn't mentioned:

The US doesn't have reasonable privacy laws and I don't trust my VPN to not sell my browsing history to anybody with two pennies to rub together.

Yeah, I can (and do) use DNS over HTTP, but the ISP still knows what IPs I am connecting too. It's trivial to find out what domains are hosted there.

An issue is that they're sold as a way to stop your ISP tracking what you're doing.

But why would I trust a random company with this information over an ISP, who yes aren't always angels, but at least are somewhat accountable.

Furthermore, they use their VPN clients as proxies and sell access to their network to scrapers and botnetters. Usually the rule of thumb is that if you're not paying, you're the product, but in this case they manage to double dip. That's where the real funding comes from.

https://oxylabs.io

If they claim to be operating an ethical service one more time I might start to believe it.
It is really question do you trust your ISP or do you trust your VPN provider? And if you are doing something your state might have interest in. Well VPN options might also be questionable. Either in some adjacent state, or other ways scrupulous...
My ISP is Comcast and my VPN is Mullvlad.

Guess.

Mullvad and it's not even close haha
>But why would I trust a random company with this information over an ISP, who yes aren't always angels, but at least are somewhat accountable.

ISPs often have captive markets and have enough political sway to grant them said captive markets. VPN companies have none of that, and live or die based on their reputation, so they arguably have more of an incentive to behave well. Meanwhile some ISPs have even admitted to selling your traffic for marketing purposes or are forced by the government to keep records. There's plenty of shady VPN companies out there, and not all ISPs are scummy and sell your info, but there's quite a bit of range between the scummiest ISP and the best VPN, and for a subset of people using VPNs definitely makes sense.

1) You can choose where in the world your traffic exits. 2) You can switch your VPN provider or even use/stack multiple and it’s easier than changing ISPs which encourages innovation. 3) ISPs and VPNs are regulated differently. In many if not most countries ISPs have to log and store certain PII.
My ISP is from communist country and my VPN is Mullvad.

Guess.

A lot of people have VPNs for single temporary reasons.

* In the Bible Belt (a.k.a. Chistianstan) and some Muslim countries it is to access porn.

* In Canada and Mexico is about accessing what Netflix doesn't provide to their countries.

* In hybrid offices it is about the second job that they do remote and hidden.

They want something simple for a couple of months and then just discard it. VPNs are good for that.

There are some states in the US that restrict access to porn?
Yes. Via the new age verification laws which require any site with a considerable amount of 18+ content to verify their users are 18+. This has passed in a few states. Leading Pornhub, and some other porn sites, to block access from those states.

The age verification laws are written pretty broadly and could be used to target a wide variety of content. Not just porn. Anything the state deems 18+ would require age verification.

These laws are facing some court challenges. If we're lucky, the laws will not survive.

VPN or not, the biggest MiTM threat to privacy on the web is Google. They may not be actively malicious and steal your bank info, or do other nefarious stuff, but they will always oppose end-end encryption. Google's stance is to lock out the competition under the guise of "protecting" users, so only they can spy on user data.
Fuck that is a good domain name
Back in the 90s, early 2000s, in Australia, there was an ISP called Dot, IIRC.

In an attempt to be edgy, their website was at:

triplew.dot.net.au

"triple w dot dot dot net dot au"

There's a fourth use-case: occasionally, gaming.

I play Final Fantasy XIV, an MMORPG - apparently, supposedly, the peering connection between AT&T and FFXIV's US ISP (NTT) was particularly bad. [1]

This manifested as pretty severe connection issues for AT&T customers playing FFXIV. Except, it was a chronic issue that would only flare up when that particular connection point was stressed.

One of the easiest workarounds? Hop on a VPN.

That's one example. Anecdotally, I have a few friends that toggle VPNs on and off when they encounter "network weather" in games. Personally, I'm a bit skeptical they're truly so often mitigating problems by toggling a VPN (instead of, say, just waiting a couple minutes), but hey, they swear by it.

[1]: https://forum.square-enix.com/ffxiv/threads/482155-Bad-lag-a...

It’s true that their privacy promises are dubious…but they’re great for IP switching.

I run a low-volume scraper which benefits a ton from keeping the IP address fresh.

So I guess, in a sense, I’m grateful that enough people are paying for ~nothing to make the service pretty great.

Try to travel the world and access financial or governmental institutions, then tell me about usefulness / uselessness of VPN.
It's baffling that banks/governments that do geoip based risk assessments (ie. the ones that would lock your account if you tried logging in from a random country) wouldn't flag logins from a VPN/datacenter IP. Those basically tell you nothing about where the user is actually logging in from, and they should therefore treat them as if you're logging in from a random country.
Digital Ocean droplet and Tailscale?
The author specifically excludes "Company VPNs" and VPNs to "phone into your home network" from the scope of the article.
The "DIY VPN" is worse for 3 reasons:

1. it's more expensive than commercial VPNs, which you can often get for <$3/month, or even less with promos/cashback sites

2. you're limited to one region, which means you can't use it as effectively for geoblock evasion purposes.

3. you get less anonymity because you get a static ip that's assigned to you only, as opposed to a commercial VPN provider where you can connect to hundreds/thousands of servers each of which are used by probably hundreds of users.

If a VPN provider doesn't keep logs and if their routes to you are not being tapped for packet timing correlation then they are superior in privacy to DIY VPNs due to them laundering your connections/packets with multiple other people.
I need a VPN to do a lot of stuff with crypto now because websites are blocking Americans. $5 a month and having to use it is annoying, but I'd have missed out on thousands of dollars of income if I wasn't using one.
There is a fourth use case for VPNs: evading traffic shaping and censorship on public wifi hotspots. Many hotels block not just porn sites but also legitimate news pages (e.g. Torrentfreak), and most drastically throttle YouTube, Netflix and other streaming-heavy sites.

A fifth use case is related: evading bad peering. Deutsche Telekom was infamous for years to "double dip", i.e. requiring that other (backbone/regional) ISPs pay them for peering, and so DTAG customers that tried to access Hetzner servers were throttled as the Hetzner-Telekom link got saturated in the peak traffic times.

[1] https://www.golem.de/news/hetzner-und-netzneutralitaet-extra...

The link to AWS was/is really bad as well, since that has to go through Telia.
For real, this is the only case where I wouldn't mind AWS to actually use their market size firepower. Throttle all of DTAG on a single 1 GBit/s link and tell them, either you peer with us for free like everyone else, or you'll have to deal with annoyed users.
My use case:

- In Hotel, Airport. VPN can be used to bypass DNS based captive portal. - Yes true hopefully all website are encrypted with ssl, but still an attacker can easily fingerprint me through my internet usage, even though everything is ssl, there are still a lot of plain-text data flying around. So yeah, ProtonVPN, ftw.

>Yes true hopefully all website are encrypted with ssl, but still an attacker can easily fingerprint me through my internet usage

So an "attacker" can figure out that you browse hacker news. Who cares?

I care, and my feeling is that more people do each day as they become aware of how tracked they are. Why does anyone need to know anything about me - it feels like a violation. There are all sorts of possible costs to that, but I think many of us value privacy on its own.

But as for an attacker - maybe they discover something about you from one compromised service and correlate it to something else. Or maybe they extort you in some way. Who knows - there are many possibilities and it’s safer to reduce exposure.