by mirimir 3374 days ago
Because you have much more choice for VPN providers than for ISPs. And you can change VPN periodically, far more easily than changing ISP. Also, you can use nested chains of VPNs, much like Tor, to distribute trust. So adversaries must compromise multiple providers, quickly enough that logs will be available.

Edit: Also, you can pick VPN providers outside your adversary's sphere of influence. That's standard advice for users in China, for example.


Also, you can pay for a VPN without revealing your identity. Not so with ISPs. I use a VPN, for instance, to mask my Tor usage from my ISP. (I'm an American using the Internet in the United States.)
True. But the VPN provider effectively knows who you are, because they see your IP address. Or rather, a resourceful adversary can get your IP address from the VPN provider, and then get your identity from your ISP.

If you chain VPNs, however, it certainly makes sense to lease the second/indirect VPN anonymously.

I don't think IP alone will be sufficient. For example, I am sure my ISP extensively NATs the network and shares the same IP among many users, so much so that Google keeps asking for a captcha every couple of days.
Maybe. But then logs would reveal who had some IP when.
And now both of your VPN owners have your data connected to your IPs. You do have more choice, but if both of them sell the data, it doesn't make any difference.
If you need multiple residential IPs, use Hola's Luminati. If you don't trust them (a wise move), do so illegitimately.

https://news.ycombinator.com/item?id=13676600

You can also tunnel to Tor through domain fronting.

https://trac.torproject.org/projects/tor/wiki/doc/AChildsGar...

https://www.fireeye.com/blog/threat-research/2017/03/apt29_d...

Right, you still need to trust someone.

If it really matters, you use nested VPN chains. Three deep is my standard, and I've managed six. Latency can be a couple seconds, but hey.

What's the advantage of 6 nested VPNs over VPN + Tor?
Consider CMU's exploit of the "relay early" bug. They identified users and onion servers through compromised entry guards. So with one VPN, the adversary knows the VPN exit IP. If they have authority vs the VPN provider, they get your identity. But if you're using nested VPNs, they need to go after the next VPN provider. Six is probably overkill. Maybe three is too. But it works well enough, so why not?
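As an added illustration of the trace-back argument running through this thread (the opening comment's point that an adversary must work through each provider in turn, quickly enough that its logs are still there, and the later point that under carrier-grade NAT an IP and timestamp alone may map to several subscribers), here is a small Python model of how such a trace-back walks a chain of provider logs. It is not code from anyone in the thread; the providers, retention periods, IP addresses (RFC 5737 documentation ranges) and log entries are all constructed for the example, and "in reach" simply means the adversary can compel that provider to answer.

```python
"""Model of a log-based trace-back through a chain of providers.

Constructed example, not from the thread. Assumptions:
- Every hop (an ISP or a VPN provider) keeps connection logs that map an
  outbound address seen by the next hop, over a time window, to the inbound
  address that used it (or to a subscriber id at the ISP).
- Logs are kept for `retention` and are gone after that.
- A hop that is "in reach" answers the adversary's queries; one outside the
  adversary's sphere of influence answers nothing.
- The adversary starts from the exit address and a timestamp observed at
  the far end and walks back toward the ISP.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LogEntry:
    out_ip: str        # address the next hop saw
    start: datetime    # session window
    end: datetime
    in_ip: str         # previous hop's address, or subscriber id at the ISP


@dataclass
class Hop:
    name: str
    retention: timedelta
    in_reach: bool
    log: list[LogEntry] = field(default_factory=list)

    def lookup(self, out_ip: str, when: datetime, query_time: datetime) -> set[str]:
        """Inbound addresses that used `out_ip` at `when`.

        Empty if the provider will not answer or the log has already rotated.
        Several results mean the address was shared (e.g. CGNAT) and the
        adversary is left with a candidate set rather than one answer.
        """
        if not self.in_reach or query_time - when > self.retention:
            return set()
        return {e.in_ip for e in self.log
                if e.out_ip == out_ip and e.start <= when <= e.end}


def trace_back(chain: list[Hop], exit_ip: str, when: datetime,
               query_time: datetime) -> tuple[list[str], set[str]]:
    """Walk `chain` (ordered from the exit hop back to the ISP).

    Returns the names of hops that answered and the final candidate set:
    subscriber ids if the walk reached the ISP, empty if it stalled.
    """
    candidates = {exit_ip}
    resolved: list[str] = []
    for hop in chain:
        nxt: set[str] = set()
        for ip in candidates:
            nxt |= hop.lookup(ip, when, query_time)
        if not nxt:
            return resolved, set()      # chain broken at this hop
        resolved.append(hop.name)
        candidates = nxt
    return resolved, candidates


def scenario(nested: bool, query_delay_days: int) -> tuple[list[str], set[str]]:
    """Single VPN versus a two-VPN chain, queried `query_delay_days` later.

    All addresses, names and windows below are constructed for the example.
    """
    t0 = datetime(2017, 3, 1, 12, 0)
    t1 = t0 + timedelta(hours=2)
    when = t0 + timedelta(minutes=30)        # time of the observed activity
    isp = Hop("ISP", timedelta(days=365), True, [
        # CGNAT: two subscribers behind the same public address at once
        LogEntry("203.0.113.7", t0, t1, "subscriber-A"),
        LogEntry("203.0.113.7", t0, t1, "subscriber-B"),
    ])
    vpn1 = Hop("VPN-1 (domestic)", timedelta(days=7), True, [
        LogEntry("198.51.100.10", t0, t1, "203.0.113.7"),
    ])
    vpn2 = Hop("VPN-2 (foreign, not in reach)", timedelta(days=30), False, [
        LogEntry("192.0.2.55", t0, t1, "198.51.100.10"),
    ])
    query_time = when + timedelta(days=query_delay_days)
    if nested:
        return trace_back([vpn2, vpn1, isp], "192.0.2.55", when, query_time)
    return trace_back([vpn1, isp], "198.51.100.10", when, query_time)


if __name__ == "__main__":
    print("single VPN, queried next day:", scenario(False, 1))
    print("single VPN, queried after 10 days:", scenario(False, 10))
    print("nested VPNs, queried next day:", scenario(True, 1))
```

Run as-is, the single-VPN case queried the next day resolves both hops but ends with two candidate subscribers because of the shared CGNAT address; the same case queried ten days later fails at VPN-1 because its seven-day log window has passed; and the nested case fails at the first hop because VPN-2 does not answer, so the adversary never learns which address to ask VPN-1 about.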