5f3cfa1a | 5 months ago
Again, threat model matters – hide your identity from whom?
You certainly won't hide it from someone who can seize payment records. You will struggle to hide it from someone who has control of enough of the internet to correlate data across sites, like Google or Cloudflare. But if you're looking to be pseudonymous in the face of a single site, or a small set of sites that don't conspire to unmask users? It might work just fine.
(unless as you rightly note they block your hosting service's ASN ;-))
em-bee | 5 months ago
truly anonymous hosters are high profile targets for law enforcement, so in my opinion they are higher risk than even VPN providers. not interested in getting caught up with that crowd. and for the good VPN providers at least a court order is necessary, and if the VPN doesn't log usage, they can't prove anything.
there is no threat model where your own hosted proxy could ever provide better protection than any VPN. i use my own proxy because it's free, because i already have a server where i host my website, not because it provides me with any kind of protection. to get that, a VPN would be easier and cheaper.
5f3cfa1a | 5 months ago
You can't just say "threat model matters" and then treat security as an absolute gradient (poset?). That means you don't have a real threat model.
> using my own hosted proxy means that my identity is out in public. it's not even hidden. no need to even seize payment records. anyone can look up the ip address and eventually figure out who owns the server.
Bold claim – you've gotta show your work for this one.
> there is no threat model where your own hosted proxy could ever provide better protection than any VPN.
"no threat model [em-bee can imagine]", maybe :)
Here's one for you: how do you know your VPN provider doesn't log usage? You SSHed in and looked at /etc/syslog lately? Went to their hosting provider and opened door 641A?[0]
You sell a VPN and accept US cash? You are interacting with the US financial system and are open to all sorts of laws and enforcement levers that get to be pulled against the company that sold you that service & pinky swore they didn't log.
How sure are you about that "no log" claim if your VPN provider had a visit from a friendly FinCEN CI and some HSI folks who explained what a "US nexus" is?
All this said, I don't necessarily disagree with you: my personal threat model is that bigger fish exist than me, and a paid VPN provider fits the risks I take. Yours might be the same. But I don't see how you reasoned your way there.
[0] https://en.wikipedia.org/wiki/Room_641A