Every single time I start researching VPN services I end up more confused and with more questions than before because basically every vouched service has the same amount of negative comments too. Like, it feels like the whole sector is a honeypot (lol) of shady stuff and also they're fighting against each other (or not?). So I just wait until it turns out Mullvad is also one of the bad guys.
Is it to avoid your ISP collecting browsing data off you and selling it?
Perhaps using 8.8.8.8 or 1.1.1.1 as your DNS might be good enough.
Is it to watch geo region blocked videos?
Then pretty much any service will work for you. Except that video streaming sites have caught on and blocked hosting provider IP blocks.
So that might require you to shop around.
Do you want the most privacy or want to get around blocking?
Then get a VM from a provider and configure a VPN to it.
Wireguard works fine.
VPN’s just mean you’re trusting someone else than your ISP. Instead of your ISP seeing you go to site.com, now your ISP sees you connecting to a VPN and the VPN sees you connecting to site.com.
For this reason I am highly suspicious of any VPN service that markets itself as some “magical privacy wormhole”, which is 99% of VPN providers.
Honest ones I know of are Encrypt.me and Mullvad, who both tell you they should be mainly used to secure yourself on open WiFi and to circumvent geo blocks.
If you want a private internet connection, use TOR.
I regularly think that claims of astroturfing are overblown, but it is common in the "privacy" focused industry to FUD competitors to gain market share.
I'm immediately reminded of some shady search engine CEO going on OAN and other fringe shows posing as a security researcher to spread FUD about DDG to drive traffic to his site (can't find the link for it now.) That OAN video even went around the security industry (among compliance and less technical folk) who were persuaded DDG was now worse than Google for consumer privacy.
Some reasons you might get some negative vibes from looking into consumer VPN services:
* Some consumer VPN services have been found to be doing sketchy things. And you can imagine the business is attractive to people intending to do sketchy things, since it's a powerful/lucrative position to be in right now. (In addition to the business possibly being attractive to people just wanting to provide a useful and honest service for a fair price.)
* There seem to have long been referral kickbacks by some consumer VPN services, which I assume is the cause of some of the huge amounts of noise on the Web and such about them (e.g., search hits on some non-VPN topics, such as some home theatre search terms, overwhelmed by SEO articles, the purpose of which is to then herd the reader towards particular VPN services with a kickback). Even some endorsements by organizations might essentially be more about revenue than about merits.
* I speculate that it doesn't help if one of the main historical uses of consumer VPNs has been for activity that would be considered copyright-violating in the US (e.g., unauthorized trading of video files, or circumventing region restrictions). Without making any moral judgments, I think it's fair to say that constitutes "conscious rule-breaking" for some, so I wouldn't be surprised if there's a disproportionate culture of rule-breaking around the whole space.
Every time the VPN service industry is discussed on HN there is a barrage of comments that use keywords like “honeypot”, “snake oil”, and “shady”. I’m not denying that the industry has problems, but in this thread I’d like to focus on how we can improve it.
Please tell me - What makes a VPN provider trustworthy, and how do you _know_?
Personally I believe a trustworthy provider is _characterized_ by consistent actions that show transparency, honesty, and conscientiousness. Nevertheless, such consistent action doesn’t actually prove trustworthiness.
A good VPN honeypot, or reseller of your network traffic, is publicly indistinguishable from a trustworthy one. So what can the users do? What tools, technology, process, or ecosystem do they need to tell honest and dishonest apart? What do we need to build?
We all recognize that VPN providers are in a great position of power over their users. How do we tilt the scales in the users’ favor? What are _strong_ signals of trustworthiness?
Come on Mozilla, hurry up! I want to give you money for goods and services (I also donate monthly [1]), but I'm not that interested in a VPN (I can and do also pay Mullvad).
Give me that real internet stuff - email, calendar, file sync, chat(?) - give me Firefox Premium. Bundle in the Lockwise password manager. I'd pay good money to see a company fill the void of paid, privacy first essential internet services and I think Mozilla is one of the foremost existing players to pull it off. They've started talking about Firefox Premium a while ago now [2] and it's obviously not easy to build all of this in a lean way, but I'll happily pitch in. If only to help make Firefox development less dependant on Google or Yahoo.
Only Mozilla can make me pay for Google services like Email/Calendar etc. I think I subconsciously trust the brand more than most internet companies out there.
I'd pay at least $10/month or $99/year for Firefox Accounts, just as they stand today, because they give me at least that much value. Integrate full 2FA into Lockwise, so that I have 2FA that'll never die with a broken phone, and I'd pay more. Add a secure calendar I can use with friends and family, and I'd pay more. (I'd hesitate to say email, just because running that is a can of worms I wouldn't wish on my worst enemy, but I'd absolutely pay for that too.) I would love to have all of my major services tied into my Firefox Account, with the same level of security, privacy, and trust I've come to expect.
I am surprised at how much money exists in the VPN industry. Whenever I watch even a mildly-popular YouTube video, it always has an advertisement for the latest VPN provider. As far as I can tell, there is only one reason there is this much money in the field -- to subscribe to US-based video streaming services from outside the US. But they never ever say that that's the reason, they always say things like "work from home securely" or "avoid being tracked". But, of course, your IT department already has a secure VPN for working from home, and that Facebook cookie works regardless of what your IP address is. In general, the sell of "you can't trust your network provider, so pay for an additional network provider that doesn't keep logs and only accepts payment in Bitcoins," doesn't seem particularly strong to me. Of course you can't trust the network layer. Nobody trusts the network layer. That is why we have TLS. (Anyone remember "wired equivalent privacy" when WiFi was a cool and new thing? Turns out wires don't offer much privacy.)
So why people are buying this service confuses me.
I am also confused at why people can run these services so cheaply. I looked into doing it myself (I had some ideas for actual value add), and the economics didn't seem that good. There is a lot of software between "ifup wg0" and "collect money from people that want a VPN". It seems expensive to write all that, unless a "yolo" strategy of starting up openvpn and setting up a couple NAT rules actually scales. (At the very least, you need to be able to distribute keys to pre-built clients, and if you want to make it smooth, you are looking at writing your own Windows/Mac/Android/iOS clients. Then you need all the business management software on top of that -- didn't get the Bitcoins so delete their private key, etc.) It seems like quite a bit of work that is quite expensive.
But these things exist left and right and have huge advertising budgets. So obviously I am misunderstanding something.
I don't understand this argument, but would like to.
I run https://everytwoyears.org, a political non-profit focused on ending the warrantless metadata collection of U.S. citizens' communications. From everything I know about these programs, they are _explicitly_ not collecting content of communications. These programs only collect the metadata about a communication. As citizens, we don't get to have a clear definition of "metadata" (that is classified!) but we can assume anything that isn't the message itself is at risk of being considered metadata, especially if it was shared with a service provider in the normal course of conducting business (i.e. routing a request).
For HTTP requests, I assume the body of the request would require a warrant before it can be persisted on a government server. The HTTP headers, if unencrypted, _might_ be considered metadata but I would be surprised. The IPV4 headers are more than likely metadata. DNS queries are more than likely metadata.
If you are trying to avoid _active_ surveillance, where your government has a warrant, a VPN isn't going to help you. If you are trying to avoid _active_ surveillance where your adversary doesn't need/want a warrant to search you, a VPN isn't going to help you. But if you are trying to avoid having your internet activity ending up, de-anonymized, in a metadata database that your government does bulk analysis on, a VPN does seem like it would help. It seems like it would help a lot.
A VPN is just a tunnel from one point to another. You'd have to establish why the remote end is more trustworthy than the local end. Being located in a hostile jurisdiction may be somewhat protective, but it would also seem likely that compromising foreign VPN services is within the NSA's wheelhouse.
I think you are correct that VPNs are a sort of half-solution.
There are a lot of people that think anything less than 100% isn't worth your time, so they suggest TOR - but TOR has all sorts of annoying limitations that preclude daily usage. Absolute solutions are seldom worth the 10x extra effort they frequently require.
Another set of half-solutions can be seen here which will make you more secure...
ESNI, DoH, DNSSEC, and TLS1.3 are fairly easy to set up - and worth your time.
Using Firefox with uBlock Origin & PrivacyBadger plus the above gets me to a good enough place.
Illegal stuff on the other hand -> TOR.
The problem with doing illegal stuff with only half-protections is that the authorities don't need to use the metadata to prove your guilt. After they raid your house they'll have all the parallel construction they need to make it stick. ...then again if you're just buying personal use amounts of drugs - no one at the FBI cares.
If you assume VPNs don't keep logs forever, then a VPN is very strong protection. Seems like all the anti VPN arguments are predicated on the VPN keeping exhaustive logs of every request. Given the volume of data and the incentives of businesses, I feel like that's probably not true for many VPNs. I generally believe them when they say they don't log, because it's just more $$$ on storage that provide 0 value to the company unless they are required by law.
I use Mullvad, paid using BTC that came straight from a tumbler. I don't use it for any nefarious reasons, just wanted to see how such a setup would work. It was surprisingly painless. I think it took 15 minutes in total from moving my btc to the tumbler and having the tumbler move the btc to my Mullvad account.
Am I 100% secure? No, they know what IP I'm connecting from. Is my name attached to the VPN? No, not even close. I suppose if I wanted to further improve my security I wouldn't use my own home network, but public wifi's nearby.
But again, I didn't do it to stay "safe" or anonymous. Just wanted to see how the process would actually be.
I doubt it, unless you run the VPN. Governments have the same ability to leverage things like trackers, etc.
A public VPN service is good for localized privacy. Even a cheap Ubiquiti setup will be able to tell about your habits. It's probably good enough to avoid the attention of a civil or informal inquiry (DMCA, employer, etc).
I'm not qualified to analyze the technical details but I have some more practical grievances with VPNs. I paid for ExpressVPN for 1yr on going and found it disappointing despite being advertised as the expensive but good option.
First, geo blocking often catches it or the provider has moved to other means to verify address. I don't use Netflix, but for certain streaming sites in Japan that I use, and the BBC, Express does nothing.
Second, it doesn't get past GFW whereas a shadowsocks-based solution does.
Overall it seems the only benefits are getting better speed sometimes and theoretical privacy benefits.
Browser fingerprinting means you can more or less be identified regardless of your IP address. Since tracking is more or less tied to the browser should you not use the VPN in some instance the browser fingerprint remains the same. So all the Facebook/Google tracking will be able to determine who you are after you change your IP.
They are explicitly collecting both the metadata and the content of all communications they are able to. They have burned their own when someone raises a complaint about their methods or dares to introduce crypto that respects constitutionality (https://en.wikipedia.org/wiki/Thomas_Andrews_Drake).
There’s a lot of gross stuff that your ISPs (which includes your mobile phone provider) do to further monetize your relationship with them, and having a VPN can negate that.
ISPs can observe your DNS lookups to their servers and assemble a profile on you based on the domain names you look up, and put you into a series of audiences that marketers can then use (for a fee) for ad targeting.
ISPs can also observe your DNS lookups to Google’s or anyone else’s public DNS servers.
ISPs can snoop on your unencrypted traffic, proxy it, and inject headers into HTTP responses to facilitate (you guessed it) the creation and sale of audience data to advertisers.
ISPs can transcode (and downsample) multimedia content to decongest their pipes or airwaves.
If you are a spy or a member of a disfavored political group, you should almost appreciate the scummy practices of ISPs, as it drives a bunch of non-spies and people not associated with disfavored political groups to adopt privacy-enhancing technologies.
If I worked at the NSA or CIA or FSB or Mossad or wherever, I would highly encourage lawmakers to enact laws to protect consumer privacy in order to drastically reduce the perceived need for people not in the above groups (et alia) to adopt VPNs and other technologies; there would be fewer “boring” people using such technologies, giving the needles a lot less haystack to get lost in.
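Added illustration, not part of the thread: the points above about ISPs observing DNS lookups, including lookups sent to third-party public resolvers, follow from classic DNS on UDP port 53 being unencrypted. The sketch below decodes the question section the way any passive on-path device would; the domain names and the 192.0.2.53 "ISP resolver" address are constructed samples.

```python
import struct

# Small lookup table of common record types, for readable output.
QTYPES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA", 65: "HTTPS"}


def build_query(name, qtype=1, txid=0x1234):
    """Encode a plain recursive DNS query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    labels = name.rstrip(".").encode("ascii").split(b".")
    qname = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def read_name(msg, offset):
    """Decode the name at `offset`; return (name, offset just past it)."""
    labels, jumps, resume = [], 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (rare in queries)
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumps += 1
            if jumps > 16:  # bound the work on hostile input
                raise ValueError("compression pointer loop")
            continue
        if length & 0xC0:
            raise ValueError("unsupported label type")
        offset += 1
        if length == 0:
            break
        if offset + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (resume if resume is not None else offset)


def observe(payload):
    """Return what one UDP/53 payload reveals without any key material."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = read_name(payload, offset)
        if offset + 4 > len(payload):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPES.get(qtype, str(qtype))))
    return {"response": bool(flags & 0x8000), "questions": questions}


# Constructed flows: (destination resolver, UDP payload). Only the
# destination differs; the looked-up name is readable in every case.
SAMPLE_FLOWS = [
    ("192.0.2.53", build_query("clinic.example")),    # hypothetical ISP resolver
    ("8.8.8.8", build_query("clinic.example")),       # public resolver
    ("1.1.1.1", build_query("news.example", qtype=28)),
]


def observed_lookups(flows):
    """List (resolver, (name, type)) pairs an on-path observer can log."""
    return [(dst, q) for dst, payload in flows
            for q in observe(payload)["questions"]]


if __name__ == "__main__":
    for dst, (name, rtype) in observed_lookups(SAMPLE_FLOWS):
        print(f"to {dst}: {rtype} {name}")
```

Switching resolvers changes only the destination column; hiding the name from the access network requires an encrypted transport such as DoH or a tunnel, which moves visibility to whoever terminates it.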
Protocols are not designed for what we use them for, and buggy legacy applications that won't change their protocols or implement them correctly. The more people use VPNs, the more the problem gets buried behind a wall of abstraction. The proliferation of VPNs is really the burying of a problem, not the solution.
I don't care about being tracked, because I live my life in the open. I'm not a vulnerable minority, so I don't fear for my safety. I don't care what a random corporation (or anyone, really) knows about me. You could log into every digital account I have, and the only thing I'd be worried about you finding is an active session to my bank's website if I was still logged in at the time. I don't care if my ISP "monetizes me".
I also know how to browse the web as securely as possible, and that there are plenty of ways I can be hacked regardless of my network connection. The biggest risk I face is not from a VPN, but from my local network: if my internet modem or router gets compromised (either remotely or through my machine), I'm subject to local attacks a VPN won't protect me from. And if the government wants to hack me, they'll just guess what websites I'm viewing (either by conventional means or statistical traffic analysis), hack the server, and drop a payload through a browser 0-day.
I could see using a VPN if I was an activist, or of a class of citizen that's oppressed by my society or government. But even then, they'd figure out I was using a VPN, and realize I'm hiding something. So you could argue everyone should be on a VPN to make this less noticeable.
But then we go back to the beginning: we're not solving the root problem.
> At Mozilla, we are working hard to build products to help you control of your privacy and stay safe online.
> We know that we are on the right path to building a VPN that makes your online experience safer
Commercial VPNs are good for censorship circumvention or location spoofing. It is irresponsible to market VPNs as something which “protects” you online. In reality, they do nothing to improve security, and very little to improve privacy.
I’ve been speedtesting a few VPN networks, and the biggest surprise has been how fast Mullvad + Wireguard are. I need to try NordLynx (NordVPN’s flavor of Wireguard) for more of an apples-to-apples comparison, but at least on the speed metric, it looks like Mozilla chose a good partner.
Making deeper data exploration possible is a work in progress, but you can see what I have so far here: https://vpnwire.co
What an odd choice from Mozilla and Mullvad to segment this based on geography. Can you use it while traveling outside the US? Why not simply have a wait list? Mullvad already operates globally - what is the reason for the geofence? Is Mozilla not able to accept payment outside the US? (maybe not able to pay taxes?)
Forget the VPN--I already have a VPN provider and I have no interest in changing. Offer a paid e-mail service, on the other hand, and I'd sign on up Day 1.
This right here. And a hosted suite of productivity tools that have documented, public formats that contain all of your data (and not just a link to the cloud-hosted copies).
Amazing that GSuite's only real competitor in 2020 is Office365.
I second this wholeheartedly. I would be happy paying at least the $5/mo that they're charging for the VPN to have web-based access to privacy-respecting email service tied to a name I tend to trust like Mozilla (hopefully with a fairly vanilla domain name that doesn't get weird looks).
Purism's Librem One suite [0] comes the closest, but I just don't have the trust in them that I'd want before pulling the trigger. They have a history of making grand claims with sub-par delivery, which just doesn't cut it for a service like a primary email provider. They've claimed plans to add features like file storage for ages now with no updates. Email is just too important a part of daily life to risk it.
When you connect to a VPN you advertise the fact that you are connected to a VPN to your local network, and hide your tunneled traffic. The tunneled traffic emerges elsewhere, with the extra encryption removed and proceeds as normal. Basically all a VPN provides is a mechanism to pretend that your butt is in a different seat. You hide your traffic from one network and expose it on another.
If you are on public wifi somewhere and are concerned about traffic that isn't otherwise encrypted (DNS comes to mind), or if your connection is in some way restricted (govt, shitty isp, etc), then a VPN can address these issues. But you have to keep in mind that your new network is similarly untrustworthy.
You might argue that by hiding behind your VPN provider, you are gaining anonymity. This might be true under the best circumstances, but this can _very_ easily break down. For example, the moment you load tracking_pixel.png then you are de-anonymized. That is saying nothing about the shady practices of the VPN providers themselves, or the governments that regulate them.
When people connect to a VPN, especially lay-people, there is this feeling that the VPN is providing security, and privacy. This is largely marketing BS designed to sell more subscriptions. When I connect to a VPN I might be able to obscure my activity from state actors, or avoid some coffee shop's bogus DNS server. What I can't do with a VPN is avoid literally every other form of tracking. And of course if I connect to a VPN, then I should be ok with those same bad-actors knowing I am connecting to a VPN. And I should be OK with the VPN provider being able to monitor my unencrypted traffic. And I should be ok aggregating all of my encrypted traffic into one easy to watch place.
So what is a VPN providing the average consumer? If you want privacy install ad block software, https everywhere, enable DoH, don't log into social media sites, and clear your browser's cache frequently. If you want to avoid a state actor, then your best hope is probably something like Tor Browser.
> over 70% of early Beta-testers say that the VPN helps them feel empowered, safe, and independent
Well, does it make people empowered, safe and independent? Never mind what people feel - the users don't know the details of the implementation, so their belief could be mistaken.
Really smart from Mozilla; they leverage trust in their brand with a product for which trust is the most important feature. Making a VPN is a non-trivial technology project, but it's pretty straightforward how to do it well.
Couldn’t agree more. Often I see people wishing for Mozilla to add more services. Please just do one complicated thing really well, Mozilla!
I guess all these additional services help lure more users to Firefox, so there’s that.
Maybe Mozilla can eventually generate enough revenue to stop nuzzling on Google’s money teat.
I think I just convinced myself that additional services are good overall for Mozilla. But yes, I’m firmly in the spread your online presence wide camp.
Since they are using the infrastructure of Mullvad, what's the point of using Mozilla's software instead of using directly Mullvad's?
Price related I'm paying 5€/month for Mullvad and Mozilla's VPN is at $4.99/month so when it will be available in Europe I expect it to be 4.99€.
If they were offering something more, I'll see the point, but here by them developing their own software to use someone else infrastructure seems to be a huge waste. If they wanted to put their Mozilla logo, they should have gone for a white-label product with Mullvad no?
A little late in the game, but they're a brand I would hold in higher regard than 99% of the other providers out there. I believe that a lot of people misunderstand what exactly a VPN is and what scenarios it offers benefits of use in. I personally host my own VPN on a lowendspirit server [1] for when I'm on an untrusted WiFi network or I need to have an IP in the US (it comes in handy as a US citizen living abroad). I also use a VPN sometimes when I have a dev server (hosted on the server itself) that I'm developing/testing on since being on the same network as the server makes things easier, e.g. having a container with an API bound to the VPN network so that I can access it easily and without it being public facing.
Of course there's also the shady side of VPN use. If you're doing that it might be beneficial to use the VPN within a VM with strict firewall rules, i.e. only allow incoming/outgoing to/from the VPN. Doing so allows you to only send the traffic you want to over the VPN, thus reducing your exposure to any nefarious data collection that the provider might be doing.
I also want to subscribe to Mozilla. For viewing Mozilla as a foundation that does the right thing. Thankful for many of the Internet standards Mozilla helped develop.
Please help making Internet decentralized and private again.
* Support for paying content creators without advertising
* Decentralized CDN and compute
* fast privacy
Given the high ethical standard of Mozilla I’m not sure how popular this will be.
For example, a while back there was research showing Nord was setting up users as proxies, thereby making it impossible for Netflix to block these residential IPs.
How do we know this is safe from bad actors? If it's in the U.S. is it safe from discovery? For example Watchtower tried to use 'copyright Infringement' to force reddit to give a username's IP and account information. https://m.youtube.com/playlist?list=PLkdgWccrJAy53-jeBxM3Pk_...
VPN's are the only way of protecting what should be protected speech. You have to not keep logs or anything that allows a court to find the identity of a user.
You don't. You never will. This is the case not just for Mozilla but for all VPN services.
Until there's some kind of hardware-level attestation that verifies a server is running a particular software installation, that's going to remain the case.
> VPN's are the only way of protecting what should be protected speech.
No, if you want safety, a VPN is not the solution. VPN providers have invested a lot of marketing in trying to tell you otherwise but it's simply not true.
All a VPN does is move what little trust you're forced to have in your ISP to a different, often less-regulated ISP.
The solution if you want privacy and/or anonymity is a technology built for that purpose, like Tor or I2P.
I download music, movie, tv, etc files via torrent using my Canadian IP address and I have never seen anything more than an email from my ISP saying essentially "so and so company thinks you downloaded their material, don't do that ok?".
Is the general public so afraid of getting the odd email that paying $5/$10 month to make them disappear is a good deal for them?
Why wouldn't people just use TOR for free? It was extremely fast the last I checked.
haunter | 5 years ago
Jonnax | 5 years ago
Want to do something illegal?
Don't expect a VPN to save you.
leokennis | 5 years ago
badRNG | 5 years ago
neilv | 5 years ago
pipermerriam | 5 years ago
miniyarov | 5 years ago
[deleted]
kfreds | 5 years ago
Disclosure: I co-founded Mullvad.
DCKing | 5 years ago
[1]: https://donate.mozilla.org/
[2]: https://www.theverge.com/2019/6/10/18660344/firefox-subscrip...
typon | 5 years ago
JoshTriplett | 5 years ago
mattowen_uk | 5 years ago
It was fairly popular in some corporates for a while, until Lotus/IBM and MS stepped up their collaboration game.
---
[1] https://en.wikipedia.org/wiki/Netscape_Communicator
jrockway | 5 years ago
[+] [-] r3trohack3r|5 years ago|reply
I don't understand this argument, but would like to.
I run https://everytwoyears.org, a political non-profit focused on ending the warrantless metadata collection of U.S. citizens' communications. From everything I know about these programs, they are _explicitly_ not collecting content of communications. These programs only collect the metadata about a communication. As citizens, we don't get to have a clear definition of "metadata" (that is classified!) but we can assume anything that isn't the message itself is at risk of being considered metadata, especially if it was shared with a service provider in the normal course of conducting business (i.e. routing a request).
For HTTP requests, I assume the body of the request would require a warrant before it can be persisted on a government server. The HTTP headers, if unencrypted, _might_ be considered metadata but I would be surprised. The IPV4 headers are more than likely metadata. DNS queries are more than likely metadata.
If you are trying to avoid _active_ surveillance, where your government has a warrant, a VPN isn't going to help you. If you are trying to avoid _active_ surveillance where your adversary doesn't need/want a warrant to search you, a VPN isn't going to help you. But if you are trying to avoid having your internet activity ending up, de-anonymized, in a metadata database that your government does bulk analysis on, a VPN does seem like it would help. It seems like it would help a lot.
closeparen | 5 years ago
koheripbal | 5 years ago
There are a lot of people that think anything less than 100% isn't worth your time, so they suggest TOR - but TOR has all sorts of annoying limitations that preclude daily usage. Absolute solutions are seldom worth the 10x extra effort they frequently require.
Another set of half-solutions can be seen here which will make you more secure...
https://www.cloudflare.com/ssl/encrypted-sni/
ESNI, DoH, DNSSEC, and TLS1.3 are fairly easy to set up - and worth your time.
Using Firefox with uBlock Origin & PrivacyBadger plus the above gets me to a good enough place.
Illegal stuff on the other hand -> TOR.
The problem with doing illegal stuff with only half-protections is that the authorities don't need to use the metadata to prove your guilt. After they raid your house they'll have all the parallel construction they need to make it stick. ...then again if you're just buying personal use amounts of drugs - no one at the FBI cares.
ccktlmazeltov | 5 years ago
If you do use a VPN to mask your traffic, there are two questions to ask yourself:
1. who are you masking your traffic from?
2. can you trust the VPN network more?
In general, you cannot trust a VPN network more, and HTTPS is the solution as it provides end-to-end encryption with some important caveats (web PKI).
Running your own VPN is not a good solution either, because who owns the servers where your VPN is running?
zaptheimpaler | 5 years ago
tafl | 5 years ago
I use Mullvad, paid using BTC that came straight from a tumbler. I don't use it for any nefarious reasons, just wanted to see how such a setup would work. It was surprisingly painless. I think it took 15 minutes in total from moving my btc to the tumbler and having the tumbler move the btc to my Mullvad account.
Am I 100% secure? No, they know what IP I'm connecting from. Is my name attached to the VPN? No, not even close. I suppose if I wanted to further improve my security I wouldn't use my own home network, but public wifi's nearby.
But again, I didn't do it to stay "safe" or anonymous. Just wanted to see how the process would actually be.
egd | 5 years ago
Spooky23 | 5 years ago
A public VPN service is good for localized privacy. Even a cheap Ubiquiti setup will be able to tell about your habits. It's probably good enough to avoid the attention of a civil or informal inquiry (DMCA, employer, etc).
yurlungur | 5 years ago
First, geo blocking often catches it or provider has moved to other means to verify address. I don't use Netflix but for certain streaming sites in Japan that I use and BBC express does nothing.
Second, it doesn't get past GFW whereas shadowsocks based solution does.
Overall it seems the only benefits are getting better speed sometimes and theoretical privacy benefits.
bluedays | 5 years ago
WealthVsSurvive | 5 years ago
edw | 5 years ago
ISPs can observe your DNS lookups to their servers and assemble a profile on you based on the domain names you look up, and put you into a series of audiences that marketers can then use (for a fee) for ad targeting.
ISPs can also observe your DNS lookups to Google’s or anyone else’s public DNS servers.
ISPs can snoop on your unencrypted traffic, proxy it, and inject headers into HTTP responses to facilitate (you guessed it) the creation and sale of audience data to advertisers.
ISPs can transcode (and downsample) multimedia content to decongest their pipes or airwaves.
If you are a spy or a member of a disfavored political group, you should almost appreciate the scummy practices of ISPs, as it drives a bunch of non-spies and people not associated with disfavored political groups to adopt privacy-enhancing technologies.
If I worked at the NSA or CIA or FSB or Mossad or wherever, I would highly encourage lawmakers to enact laws to protect consumer privacy in order to drastically reduce the perceived need for people not in the above groups (et alia) to adopt VPNs and other technologies; there would be fewer “boring” people using such technologies, giving the needles a lot less haystack to get lost in.
miniyarov | 5 years ago
[deleted]
peterwwillis | 5 years ago
Protocols are not designed for what we use them for, and buggy legacy applications that won't change their protocols or implement them correctly. The more people use VPNs, the more the problem gets buried behind a wall of abstraction. The proliferation of VPNs is really the burying of a problem, not the solution.
I don't care about being tracked, because I live my life in the open. I'm not a vulnerable minority, so I don't fear for my safety. I don't care what a random corporation (or anyone, really) knows about me. You could log into every digital account I have, and the only thing I'd be worried about you finding is an active session to my bank's website if I was still logged in at the time. I don't care if my ISP "monetizes me".
I also know how to browse the web as securely as possible, and that there are plenty of ways I can be hacked regardless of my network connection. The biggest risk I face is not from a VPN, but from my local network: if my internet modem or router gets compromised (either remotely or through my machine), I'm subject to local attacks a VPN won't protect me from. And if the government wants to hack me, they'll just guess what websites I'm viewing (either by conventional means or statistical traffic analysis), hack the server, and drop a payload through a browser 0-day.
I could see using a VPN if I was an activist, or of a class of citizen that's oppressed by my society or government. But even then, they'd figure out I was using a VPN, and realize I'm hiding something. So you could argue everyone should be on a VPN to make this less noticeable.
But then we go back to the beginning: we're not solving the root problem.
surround | 5 years ago
> We know that we are on the right path to building a VPN that makes your online experience safer
Commercial VPNs are good for censorship circumvention or location spoofing. It is irresponsible to market VPNs as something which “protects” you online. In reality, they do nothing to improve security, and very little to improve privacy.
You do not need a VPN.
https://gist.github.com/joepie91/5a9909939e6ce7d09e29
https://schub.io/blog/2019/04/08/very-precarious-narrative.h...
RandomBacon | 5 years ago
LeoPanthera | 5 years ago
Mullvad additionally supports OpenVPN and other protocols, and is client-agnostic.
vpnwire | 5 years ago
Making deeper data exploration possible is a work in progress, but you can see what I have so far here: https://vpnwire.co
notRobot | 5 years ago
e12e | 5 years ago
AdmiralAsshat | 5 years ago
numbsafari | 5 years ago
Amazing that GSuite's only real competitor in 2020 is Office365.
qchris | 5 years ago
Purism's Librem One suite [0] comes the closest, but I just don't have the trust in them that I'd want before pulling the trigger. They have a history of making grand claims with sub-par delivery, which just doesn't cut it for a service like a primary email provider. They've claimed plans to add features like file storage for ages now with no updates. Email is just too important a part of daily life to risk it.
[0] https://librem.one/
xii22 | 5 years ago
[1] https://hey.com/
Skunkleton | 5 years ago
If you are on public wifi somewhere and are concerned about traffic that isn't otherwise encrypted (DNS comes to mind), or if your connection is in some way restricted (govt, shitty isp, etc), then a VPN can address these issues. But you have to keep in mind that your new network is similarly untrustworthy.
You might argue that by hiding behind your VPN provider, you are gaining anonymity. This might be true under the best circumstances, but this can _very_ easily break down. For example, the moment you load tracking_pixel.png then you are de-anonymized. That is saying nothing about the shady practices of the VPN providers themselves, or the governments that regulate them.
When people connect to a VPN, especially lay-people, there is this feeling that the VPN is providing security, and privacy. This is largely marketing BS designed to sell more subscriptions. When I connect to a VPN I might be able to obscure my activity from state actors, or avoid some coffee shop's bogus DNS server. What I can't do with a VPN is avoid literally every other form of tracking. And of course if I connect to a VPN, then I should be ok with those same bad-actors knowing I am connecting to a VPN. And I should be OK with the VPN provider being able to monitor my unencrypted traffic. And I should be ok aggregating all of my encrypted traffic into one easy to watch place.
So what is a VPN providing the average consumer? If you want privacy install ad block software, https everywhere, enable DoH, don't log into social media sites, and clear your browser's cache frequently. If you want to avoid a state actor, then your best hope is probably something like Tor Browser.
ptx | 5 years ago
Well, does it make people empowered, safe and independent? Never mind what people feel - the users don't know the details of the implementation, so their belief could be mistaken.
kennystone | 5 years ago
mulmen | 5 years ago
Mozilla controls my browser. I have no interest in giving them control over any other part of my online life.
I like how Mozilla is run and hope other organizations emulate them to provide these other essential services.
pixxel | 5 years ago
I guess all these additional services help lure more users to Firefox, so there’s that.
Maybe Mozilla can eventually generate enough revenue to stop nuzzling on Google’s money teat.
I think I just convinced myself that additional services are good overall for Mozilla. But yes, I’m firmly in the spread your online presence wide camp.
wiether | 5 years ago
Price related I'm paying 5€/month for Mullvad and Mozilla's VPN is at $4.99/month so when it will be available in Europe I expect it to be 4.99€.
If they were offering something more, I'll see the point, but here by them developing their own software to use someone else's infrastructure seems to be a huge waste. If they wanted to put their Mozilla logo, they should have gone for a white-label product with Mullvad, no?
cameronperot | 5 years ago
Of course there's also the shady side of VPN use. If you're doing that it might be beneficial to use the VPN within a VM with strict firewall rules, i.e. only allow incoming/outgoing to/from the VPN. Doing so allows you to only send the traffic you want to over the VPN, thus reducing your exposure to any nefarious data collection that the provider might be doing.
[1] https://lowendspirit.com/
unknown | 5 years ago
[deleted]
acd | 5 years ago
Please help making Internet decentralized and private again.
* Support for paying content creators without advertising
* Decentralized CDN and compute
* fast privacy
saltedonion | 5 years ago
For example, a while back there was research showing Nord was setting up users as proxies, thereby making it impossible for Netflix to block these residential IPs.
I don’t think Mozilla will do this.
devwastaken | 5 years ago
VPN's are the only way of protecting what should be protected speech. You have to not keep logs or anything that allows a court to find the identity of a user.
Youden | 5 years ago
You don't. You never will. This is the case not just for Mozilla but for all VPN services.
Until there's some kind of hardware-level attestation that verifies a server is running a particular software installation, that's going to remain the case.
> VPN's are the only way of protecting what should be protected speech.
No, if you want safety, a VPN is not the solution. VPN providers have invested a lot of marketing in trying to tell you otherwise but it's simply not true.
All a VPN does is move what little trust you're forced to have in your ISP to a different, often less-regulated ISP.
The solution if you want privacy and/or anonymity is a technology built for that purpose, like Tor or I2P.
flyGuyOnTheSly | 5 years ago
I download music, movie, tv, etc files via torrent using my Canadian IP address and I have never seen anything more than an email from my ISP saying essentially "so and so company thinks you downloaded their material, don't do that ok?".
Is the general public so afraid of getting the odd email that paying $5/$10 month to make them disappear is a good deal for them?
Why wouldn't people just use TOR for free? It was extremely fast the last I checked.