37 comments

[ 3.5 ms ] story [ 53.9 ms ] thread
I'd like to point out that a regime may find it worthwhile to compromise more kinds/sizes of VPNs than we might expect.

The evil regime doesn't need to have a popular evil VPN that everybody uses... it may be enough to operate (or hack) a smaller VPN which can unmask enough dissidents that their friend-groups can be found by other means.

With online development responsibilities, I don't find VPNs to be compatible with what I do all day.

That said, the few implementations I have test before seemed leaky and not as useful as they claim.

Commercial VPNs will go down as one of the greatest money-making schemes of the last decade. Outside of a few specific use cases their sales often rely on leveraging non-technical users' fear of what they don't fully understand.

I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft", or my personal favorite: "to protect my bank accounts".

Not a single person has said "I pay to route my traffic through an unknown intermediary to obscure its origin" or "I installed new root certificates to increase my security."

Making sensible choices requires thinking things through, and understanding what it really is that you are doing, or refrain from doing it. Experts are just as prone to neglecting this as novices. But expressing your misgivings about prevailing orthodoxies is an ungrateful undertaking as it tends to make people angry, and there is little honour to be had in getting vindicated.
On the contrary so far to me only the so called non-technical users' VPN use cases have made any sense to me - "I want to access/do this site/streaming/p2p. I can't do this without a VPN. Hence I am using a VPN". That's it. No drama, no virtue signalling, no lecturing. Just a need.

It's the technical users whose myriad VPN use cases rather baffle me which in most cases eventually achieve little to none other than some sort of feeling of satisfaction or maybe placebo.

Additionally, all these VPNs do it with very pretty graphics. If the OSes went overboard with their Wi-Fi and Ethernet connection graphics, embellishing the connection security[1], VPN services would evaporate.

[1]

UNIVERSAL-->SECURE CONNECTION

https://youtube.com/v/zXyG_HncULU

What is this list that doesnt include NordVPN and ExpressVPN?
I'd love to know how many people use VPNs because of "fear of being hacked" (hack covering everything non tech-savvy here).

Almost everyone I know use VPNs only to bypass restrictions, not for fear or privacy.

MullvadVPN seem to be pretty decent at the moment, but it looks like they're laying down a worldwide VPN infrastructure of sorts that other VPN companies can rent (similar to phone networks)

This makes me feel a little uneasy of their unstated longterm goals (corner the entire market), but I do think they are the most trustworthy out there right now

I use tailscale with an exit node. I just need location control. Wireguard gives me that.
VPNs don’t really stop fingerprinting techniques, if anyone is using it for that.
The notion of "zero trust" shouldn't just mean corporations not having to inherently trust users and networks. It should also mean users not having to inherently trust corporations.

VPN providers all run the same two or three VPN protocols, all with similar security guarantees and privacy limitations.

I've been playing with MASQUE relays over the last year. Apple's iCloud Private Relay is a MASQUE relay (two, actually). MASQUE can offer genuine privacy improvements via traffic separation, preventing any single party from correlating the traffic source and destination.

Some of the privacy concerns of VPN users can be mitigated with better technology. And relays are built into Apple operating systems today. I'm surprised that they aren't very widely deployed yet.

> Yolo Technology Limited

I mean, this seems like the company name equivalent of the yellow and black stripes on a wasp. It is a _warning_.

Ive been a proton supporter since email. I like theor product suite. I use a vpn for all the reasons listed here, but mostly for obfuscating my traffic (and torrenting).
I’ve been keen to point out there is more utility in the technology underlying VPNs than the VPN functionality itself. The WireGuard handshake and transport encryption are lightweight and secure and I added support for it to my service as an option to secure data in flight. It’s getting used by developers and enterprises, not consumers.

IPSec perhaps less so since it is more complicated and open to insecure configurations (transport mode).

That's why we sell only the service [1] and point our users to the default app install (Wireguard in our case). Ever since Holla VPN and the entire Brightdata/Luminati clusterf~ VPNs are a risky business for users. Most of them are proxy nodes underneath, they rent you datacenter IPs while they sell your residential internet to third parties.

[1] https://www.anonymous-proxies.net/products/

My pet theory for a while now has been that all of the biggest VPNs are secretly run by the NSA or other equivalent nation-state organizations.
How realistic is possibility that some VPN providers use clients (computers of person who installed VPN) to just be able to crawl (or rent crawl infra) sites and make it look like regular residential traffic? (This is speculation i heard somewhere)

Like reverse VPN :) on one side makes client look like he's accessing internet from VPN exit location, and on the other end allowing for money someone to pretend that he's a residential client.

i’m not sure what this list is, why investigate vpn companies yet dont even look at nordvpn, pia, express, or others that are wildly popular yet still shady af with their real world origins?

i mean, those companies are so popular they’re almost normie household names. the couple i looked at from the papers list have a small fraction of downloads compared to the above.

i agree that we absolutely need a deeper dive and a lot more transparency on who owns these companies but i’m curious why they chose to avoid the elephants in the room.

Do people here trust their ISPs more than their VPN providers? That’s the question!

On the other hand, as far as privacy from the end point is concerned, users can be identified regardless of IP addresses. Visit fingerprint.com, you will get an identifier, then connect to a privacy VPN and change servers once in a while. The website will identify you, tell you are the same user visited last week from such location, and the number of times you visited.

Browsers (except Tor) send so much data that accurate identification is possible without IP address. And services could refuse to work if users don’t provide the required information, although that info could be randomized.

I’d probably use a VPN if I need to do something sketchy or egregiously illegal, but self hosted and behind 7 proxies. Or I could just use TOR and exercise a bit of OPSEC.
I don't use a VPN for anything that would get me in the cross hairs of a nation-state. I use it to trade crypto outside my jurisdiction, make sure my ISP doesn't get torrenting complaints, obscure my traffic from wifi networks I don't trust, that sort of thing. None of these things have enough money or power behind them that peeling away the VPN is worth it, so it's good enough.
I'm surprised no one has mentioned iCloud Relay-style Multi-Party Relays yet: https://www.privacyguides.org/articles/2024/11/17/where-are-...

It greatly improves on the existing VPN trust model by separating the "who" (connecting IP, potential payment info, etc.), from the "what" (IP traffic). You no longer have a trust a single entity not being malicious or compromised.

Disclaimer: I run obscura.net, which does exactly this with Mullvad (our partner) as the Exit Hop.

so now i have to trust two providers doing the right thing instead of one?
I've been happy with AirVPN, curious to hear how others feel about them. Pretty reliable and seems good enough for my purposes, at least.