by kobayashi 3436 days ago
It's bad enough of an idea to connect to an open/untrusted WiFi network - now we're showing HN how to connect to random VPNs all over the world? My cursory opinion of this is that it's the worst idea I've ever seen make HN's front page.

> My cursory opinion of this is that it's the worst idea I've ever seen make HN's front page.

Not disputing that it's the worst, but it could be even worse.

It's missing the key component: a curl | bash install and upgrade script running over HTTP (not HTTPS). In this case it'd be extra hilarious as upgrades would presumably go over your existing VPN connection which could then hijack the script and run arbitrary code on your machine.

This looks like a Node version of the previously submitted Go tool `autovpn`, which I commented on previously:

https://news.ycombinator.com/item?id=13454960

This code also writes remote content to a file, and then passes that to openvpn. Scary stuff.

I couldn't agree more, and in JavaScript to top it off!

Seriously, people - don't just randomly connect to VPNs: you're essentially bridging your computer / network to a completely untrusted network that's more than likely to have all manner of people doing nefarious / dangerous things on it - do you really want to put yourself at risk as well as be associated with them?

I haven't actually looked at the code yet, but to be fair, if your connection through any VPN is completely encrypted (e.g. HTTPS only), then it's not much different to most ISPs...

They can grab metadata, but this is already being done with all the traffic we generate anyway, one should assume.

Can't VPN networks specify the DNS server the client should use after the connection is established? That would allow DNS spoofing and MITM attacks.
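The two concerns raised in this thread, a profile fetched from an untrusted source being handed straight to openvpn and a VPN dictating the client's DNS, can both be checked before the file ever reaches openvpn. This is an added example, not code from the thread or from autovpn; the directive names are real OpenVPN options, while the sample profile, its hostname and its certificate body are constructed placeholders.

```python
# Real OpenVPN directive names that make the client run a local program/plugin
EXEC_DIRECTIVES = {
    "up", "down", "route-up", "route-pre-down", "ipchange", "tls-verify",
    "auth-user-pass-verify", "client-connect", "client-disconnect",
    "learn-address", "plugin", "script-security",
}
# Directives that let the profile (or a server push) reshape routing and DNS
NETWORK_DIRECTIVES = {"dhcp-option", "redirect-gateway", "route"}

def audit_ovpn(text):
    """Return [(line_no, directive, reason)] for risky lines in an .ovpn profile."""
    findings, in_pem_block = [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # strip comments
        if not line:
            continue
        if line.startswith("</"):
            in_pem_block = False
            continue
        if line.startswith("<"):
            # <connection> blocks hold directives; <ca>/<cert>/<key> hold PEM data
            in_pem_block = line[1:].split(">", 1)[0].lower() != "connection"
            continue
        if in_pem_block:
            continue
        directive = line.split()[0].lower()
        if directive in EXEC_DIRECTIVES:
            findings.append((n, directive, "runs a local program or plugin"))
        elif directive in NETWORK_DIRECTIVES:
            findings.append((n, directive, "rewrites client routing or DNS"))
    return findings

def has_pull_mitigation(text):
    """True if the profile ignores pushed routes/DNS via route-nopull or pull-filter."""
    heads = {l.strip().split()[0].lower() for l in text.splitlines() if l.strip()}
    return bool(heads & {"route-nopull", "pull-filter"})

# Constructed sample profile (hostname and certificate body are placeholders)
SAMPLE_PROFILE = """\
client
remote vpn.example.test 1194   # placeholder host
script-security 2
up /tmp/helper.sh
dhcp-option DNS 10.8.0.1
<ca>
-----BEGIN CERTIFICATE-----
placeholder-pem-data==
-----END CERTIFICATE-----
</ca>
"""
```

OpenVPN 2.4 and later can also discard pushed DNS settings itself with `pull-filter ignore "dhcp-option"` in the client profile.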
Even with DNS spoofing, you can't MITM an encrypted connection with pinned public keys. That includes Google, GitHub, most social networks, and any SSH host to which you have previously connected.

Almost everything I do while on the move falls into this tamper-proof category. It's been a while since I stopped caring which Wi-Fi I connect to. I just borrow anyone's connection and tunnel right through.

> That includes Google, GitHub, most social networks,

Nearly all websites do not use pinning.

So you would still need a trusted cert for the TLS MITM, though, right? And presumably SSH is not affected any more than on the open internet?

Anyway, while these may be valid attack vectors, since I started getting traffic injected by my ISP a few years ago, and DNS hijacked for advertising, my level of trust has dropped to the same as that of some $VPN, wherever, or $WIFI.

But that's just my opinion.

It's only bad if you think it's secure. It's not like a secured Wi-Fi is likely to be secure, either.
Most people don't understand what's secure and what's not; remember, we live in a society where people generally don't know that connecting to a 'free' wireless network without a password means that all your traffic is completely unencrypted.
I can't count how many times I've made a point on HN and someone has replied about how most people are so ignorant. If security matters then you better read and educate yourself. Ignorance of the law is no excuse and ignorance in general is no excuse. It's not tech-savvy people's problem if most people refuse to exercise their brain.

Sorry if I sound like a jerk, but I get tired of this dismissiveness, as if it's excusable. I feel like people think tech-savvy people should hold everyone's hand and help them figure out how to use technology. No one is forcing them to use technology as far as I can tell.

That's none of my business, I can't protect people from themselves, and even if I could, I think it's wrong to protect somebody by restricting the options. Anyway... those arguments will never make a point against sharing an open tool.
Not if you have a VPN, and not on https websites. Only unencrypted traffic is unencrypted.
Perhaps we should simply encourage people to view their internet as public unless they see that green lock in the URL.
Then make it better. It's opensource ;)
I already did. Here is how to create a self-hosted VPN server at a cloud provider of your choice. Don't trust your network traffic to anyone but yourself:

https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-th...

https://github.com/trailofbits/algo

> Don't trust your network traffic to anyone but yourself

You still trust the cloud provider's upstream. In the case of UK providers, GCHQ sniffs upstream and ingress, so they can correlate traffic. Same for DE (BND, MAD) and basically all countries.

Yes, and you also have to trust your home ISP's upstream, and the routers upstream from that, and so on and so forth. Are you trying to say that using a VPN is useless?
> Are you trying to say that using a VPN is useless?

No, but you're making your traffic stick out and yourself a target for dragnet surveillance. The constant flow "packet in, other packet out" is easy to pick up for snoops, compared to "just packets out" from your home ISP.

Do you have users in China? I'm curious whether IKEv2 works well through GFW. I use Shadowsocks (on my Asus router, and on my Android/iOS devices), and it works well.

What would I gain in ease-of-use, performance, or security by switching to Algo?

It won't work. Algo is not for censorship avoidance. It's right up top in the readme. Sorry!
That's a common refrain. It's just that I don't think there's a good idea on which to build/improve. I commend you for putting (presumably) your work out here for all to see, and good on you for making your project FOSS, but this is not a project I will support.