Show HN: Simple JavaScript VPN detection using timezones

While others seem to be beating up on the idea a bit, I thought it was a really helpful reminder. Without having thought about it too much, my default assumption would have been that Netflix, for example, would block VPNs by comparing IP against a blacklist of known endpoints.

The underlying concept - checking user level information and comparing against network information - is an interesting and valuable way to think about it. This is a nice, simple illustration of that idea. Thanks for sharing it.

Maybe add an error message if ipapi.co isn't reachable.

uBlock blocked it on my end, and all I see is the "learn how it works" link, and above that is invisible text saying "Browser Timezone" and "IP Timezone".

I think you need to look at the offset, rather than the timezone name. For example, if I fly to somewhere in e.g. the Central Europe timezone I don't always pick a city in the same country when setting the timezone; I just pick Paris or Berlin or whatever comes to mind first.

But then if you only look at the offset, you'll have even worse VPN detection since any VPN exit in the same timezone offset won't be detected. This is not really a good way to detect VPN.

Another false positive. Really simple one. Browser timezone Asia/Calcutta and IP timezone Asia/Kolkata ... The city changed its name a very long time ago and both the names refer to the same city.

Looked like an interesting idea, but seems like there are many reasons for false positives.

Yet another false positive: When privacy.resistFingerprinting is enabled in Firefox, UTC is reported, at least for me (and even when disabled, the timezones do not match despite both being correct: CET vs. Europe/Berlin). So it seems like a cool idea, but not very practicable.

Thanks for all the feedback! It was just a fun idea I had before going to bed and it's definitely not fleshed out.

I know that services like Netflix do VPN detection in much fancier ways and had noticed it when traveling abroad. There's no motivation for me to implement it in anything I do.

Thanks again and sorry for wasting your time!

It's a silly check, with a silly workaround: if a website uses this, you can just change the OS'es timezone, so the browser would report the same thing as GeoIP.

Seems to give false positive on Windows 10 as in my Date setting on OS level time zone is selected as something like Helsinki, Sofia, Kyiv, Tallinn, etc. (UTC+02:00) so both Firefox and Chrome reports it as "Europe/Kiev". While I am in a different country so IP address obviously reports differently. I wonder if it was thought about timezones where a lot of small countries can be in the same one.

Same here (Tenerife Spain), false positive

(fellow developer, please do not ban VPNs if you can't guarantee 0 false positive)

Another false positive here. Geoip is correct, but timezone is not. (Belgrade instead of Ljubljana).

It's a clever thinking, but only for vpns in other countries, the solution would probably fit netflix and other streaming services.

This doesn't work, I'm on holiday and it thinks I'm using a VPN.

Got a false positive in Taiwan because your IP lookup service provider (https://ipapi.co/json) returned no timezone.

False negative when the VPN exit is in the same country. This doesn't detect you're using a VPN.

False positive. I’m in London but I’m using my Portuguese number for 4G roaming.

False positive, I’m in Copenhagen, but my browser reports Oslo.

false positive as well. this is not a good idea.