davepeck | 5 months ago

Long ago, in the era of Firesheep and exploding prevalence of coffee-shop Wi-Fi, consumer VPN services were definitely valuable.

But that was long ago. Now, HTTPS is the norm. The only use cases for consumer VPNs today seem to be (1) "pretend I'm in a different geography so I can stream that show I wanted to see" and (2) "torrent with slightly greater impunity".

I live in Seattle and Mullvad VPN seems to have bought approximately all of the ad space on public transit over the past couple months. Their messaging is all about "freeing the internet" and fighting the power. It's deeply silly and, I worry, probably quite good at attracting new customers who have no need for (or understanding of) VPNs whatsoever.

kfreds|5 months ago

The way I see it, there are four use cases:

- protecting your privacy from your local ISP, WiFi, school, government etc

- protecting your privacy from some forms of online tracking

- circumventing censorship

- circumventing geographical restrictions

If you combine masking of your IP address with a web browser that protects you from various types of browser-based fingerprinting, you are more in control of your privacy online. You get to decide, to a greater extent, who you share very personal information with. That doesn't seem very silly.

(disclosure: I'm one of the deeply silly cofounders of Mullvad)

joecool1029|5 months ago

There's a niche fifth reason. Roaming between upstreams while not having open TCP connections drop. I use multiple ISPs and on Mullvad I can swap which Wi-Fi/Ethernet I'm on and all my connections stay up since WireGuard is stateless.

dongcarl|5 months ago

Yup, when you're not using a VPN, even with encrypted DNS and HTTPS, you're still sending hostnames (e.g. wikileaks.org) over plaintext in TLS SNI for every HTTPS connection. I believe most firewall appliances now even prefer to use SNI for deep-packet-inspection since it's so reliable.

davepeck|5 months ago

Hi! Thanks for your deeply non-silly reply; it's nice to (virtually) meet a cofounder.

If you have time, I'd love to hear your thoughts on Mullvad's campaign here in Seattle.

For what it's worth, I suppose my perspective boils down to: the first three issues aren't issues here in town, or can be addressed in more direct ways (we have a wide choice of providers; 1st party browsers and services cover the gamut of tracking concerns; etc). Circumventing geographical restrictions is useful, but -- perhaps understandably! -- doesn't appear to be what Mullvad is advertising on the trains I ride.

Y_Y|5 months ago

> I'm one of the deeply silly cofounders of Mullvad

Cool.

Also funny, but it would be nice if you addressed the specific objection. Here are some of the new ads: https://mullvad.net/en/blog/advertising-that-targets-everyon... . Do you think they appeal more to consumers who are seeking "it keeps me vaguely secure", or "it helps me watch Venezuelan Netflix and avoid some kinds of targeted advertising personalisation"?

westmeal|5 months ago

Thanks for running the service, guys. I appreciate it.

jkaplowitz|5 months ago

Also (3) work around overbroad restrictions on public Wi-Fi, which still sometimes do things like block Reddit or HN or SSH. But I guess more typical consumers than those of us here are less likely to experience those obstacles.

atkailash|5 months ago

Times Square at one point was practically half full of Mullvad ads. I already distrusted it, but the sheer amount of money they spent to do that made it shadier to me.

jorvi|5 months ago

Mullvad is rather principled on privacy. You can't even make a real account, you can only generate an account number that you can charge, and I assume they do some sort of clever tricks to keep themselves as blind as possible to who uses the account number. Firefox Relay is also just whitelabeled Mullvad, so they have Mozilla's stamp of approval.

Of the big VPNs, the only ones that have ever felt shady to me are NordVPN and Private Internet Access. NordVPN because of the sheer amount of false advertising they pay YouTubers to do, and Private Internet Access because of how cheap they are and how poorly they maintain their infrastructure. Their .ovpn generated files haven't worked for 2+ years now because they include certificates with malformed revocation dates, and refuse to pay the certificate authority to update them.

consumer451|5 months ago

Might I ask, what made you distrust them prior to that?

ranger_danger|5 months ago

What constitutes just the right amount of advertising to make it not shady to you?

arielcostas|5 months ago

I feel like other VPNs sponsoring YouTubers or others to talk wonders about them while not really using their product makes me trust them less, especially if they are based in some opaque jurisdiction like NordVPN (Panama) or ExpressVPN (British Virgin Islands), among others.

elondaits|5 months ago

What about a malicious DNS (on a public spoofed or hacked WiFi) that forwards you to a lookalike domain? Unfortunately many times public WiFi doesn’t work with Google’s or Cloudflare’s DNS servers (I think the Deutsche Bahn’s WiFi was such a case, if I remember correctly, but I know I came across a few in the last few years while traveling). I don’t think there’s anything protecting against that when you’re using a browser.

Sometimes circumstances force one to connect to a public WiFi (e.g. airports, where WiFi is always super dodgy).

raquuk|5 months ago

I don't think a malicious DNS server can redirect your request to a domain that does not result in a certificate warning when using HTTPS.

With browsers adopting DoH, a public WiFi should not be able to interfere with DNS much.

hiatus|5 months ago

HSTS solves this to some extent. If you've visited the domain in the past (or the site operator submitted to the HSTS preload list), a different certificate presented would be flagged by your browser.

michaelt|5 months ago

Your better websites use "HSTS Preloading" to ensure users always get sent to the https version of the site - in which case even if the attacker redirected the DNS resolution, you'd just get an SSL error as the attacker wouldn't have a valid certificate.

Of course, an astonishing number of (even important, high-profile) websites don't bother with HSTS preloading ¯\_(ツ)_/¯
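
Added example (not part of the thread): a toy Python model of a browser's HSTS state, showing the first-visit gap that the preload list closes and the effect of `includeSubDomains`. The class, function names and `.example` hostnames are illustrative assumptions, and the model does not reproduce any real browser's implementation.

```python
class HstsStore:
    """Toy model of browser HSTS state: a preload list plus hosts learned from headers."""

    def __init__(self, preloaded=()):
        # host -> (expiry time, include_subdomains); preloaded entries never expire here
        self.entries = {h: (float("inf"), True) for h in preloaded}

    def note_header(self, host, header, now):
        """Record a Strict-Transport-Security header received over valid HTTPS."""
        d = {}
        for part in header.split(";"):
            name, _, value = part.strip().partition("=")
            d[name.strip().lower()] = value.strip().strip('"')
        if not d.get("max-age", "").isdigit():
            return                              # no usable max-age: ignore the header
        age = int(d["max-age"])
        if age == 0:
            self.entries.pop(host, None)        # max-age=0 clears the entry
        else:
            self.entries[host] = (now + age, "includesubdomains" in d)

    def is_hsts(self, host, now):
        """True if the host, or a parent with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

def navigate(store, host, now):
    """Outcome when the user types a bare hostname on a network with hostile DNS.

    "https-only": the browser upgrades to HTTPS and certificate errors are fatal.
    "plain-http-first": the first request goes out unprotected and can be redirected.
    """
    return "https-only" if store.is_hsts(host, now) else "plain-http-first"

if __name__ == "__main__":
    store = HstsStore(preloaded={"bank.example"})   # constructed sample hosts
    for h in ("bank.example", "www.bank.example", "shop.example"):
        print(h, "->", navigate(store, h, now=0))
```
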

wink|5 months ago

You forgot 'connectivity from my home ISP to my favorite online game is temporarily degraded' but yeah ;)

akimbostrawman|5 months ago

> It's deeply silly

Why? In almost all countries ISPs are at the very least legally required to block websites and even surveil their customers. I trust Mullvad about 100 times more than any ISP beholden to governments and profit incentive.

john01dav|5 months ago

What about (3) "bypass government censorship"? UK and China are examples of where this is desirable. This is different from (1) because it's broader than just streaming shows and is about authoritarian rather than capitalist restrictions.

NoGravitas|5 months ago

Add at least 18 US states to your examples if you consider age verification for porn to be government censorship.

eviks|5 months ago

Apparently, weaklings censor, so fighting them doesn't rise above the silly level.

flumpcakes|5 months ago

I think the general discussion is conflating censorship with age restrictions. Lumping the UK with China is very disingenuous.

The UK law is stipulating adult content can only be viewed if you are provably over 18. They are putting all of that responsibility onto the websites/platforms to enforce that.

If a child goes to a shop and tries to buy a pornographic magazine and they are denied, is that censorship?

If a child tries to see an 18 film at the Cinema and is denied, is that censorship?

The fact is both of these were freely and easily done on the Internet as most websites do not verify a user's age.

I do not like the online safety act as it is, but it is not "censorship".

ghssds|5 months ago

(3) The fare aggregator that sold you a ticket to visit BFE conveniently also geoblocks that very place.

lr4444lr|5 months ago

That assumes that the user isn't connecting to a hotspot he doesn't know is compromised.