by gvb 3155 days ago
So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?

The downside in a nutshell: "Researchers recently tested 300 free VPN apps on Google Play and found that nearly 40 percent installed malware or malvertising on users’ machines."

"Bob" very likely doesn't know you even exist and doesn't care. The downside of VPNs is that many VPN hosting companies are even less trustworthy than "Bob" and do care who you are. An unscrupulous VPN provider can MitM your connections, harvest anything you give the VPN's app privilege to see (probably a lot), etc.

Step one of security is to understand the threat you want to defend against and make sure your defense against that is (a) adequate, (b) appropriate, and (c) not compromising you in other ways.


Well, never use free VPNs!

Also, don't choose a VPN based on some online review. Most of those are basically paid advertising. Either "pay if you want a good review" or "pay more for higher rank", or stuff by independent affiliates, who get paid for referrals.

Better, choose VPNs that have been recommended by consensus in relevant communities. Torrent users. Wilders. Me ;) And by the way, I do consult for IVPN, but my opinions are otherwise unbiased.

And then you have stuff like AV companies' VPNs for which you pay AND your data gets sold.

(Basically, all AV companies listed on stock market sell your data.)

Well, I've suspected that. But can you point to evidence?

I wrote a post last summer for IVPN's blog. Bottom line, AhnLab and Emsisoft seemed to be the only commercial ones that don't share data.

AhnLab: “AhnLab will not collect any personal information other than [data collected during software use] and will not disclose such data to any third party.”

Emsisoft: “Any information we collect from you is only used by us to serve you better. Your information is never given to a third party.”

What is your opinion on PrivateInternetAccess?
They've been recommended by a lot because they recently backed up their claims of no logging (FBI asked them for data, and they couldn't provide it). You'll see that they are ranked pretty high on this list, where there are some breakdowns. They are pretty cheap and popular too. Popular helps by making associations more difficult. That is, seeing that a VPN server accessed page X and that you were accessing the VPN server at said time. A college student was connected to a bomb threat by this method, being he was the only one on campus to be using TOR at the time the bomb threat was made (from TOR). You'll be fine with any VPN that is relatively popular and doesn't do any tracking.
A relevant detail to that story is that he admitted his guilt under questioning. Had he continued to deny any involvement, they would not have been able to prove that he was sending the bomb threat, as it could have been from someone who wasn't on campus.
Very true. But there have been several instances of cases like this. And this thing doesn't matter if your VPN logs or not[+]. But what I was trying to point out is that these types of access collisions are important to understand. And why I don't think people should roll their own VPN.

[+] I'm not trying to advocate crime here or advising how to avoid it. Just trying to bring to light a vulnerability.

> And why I don't think people should roll their own VPN.

People who are interested in not being identified probably shouldn't. But there are good security reasons to potentially do so.

Criminals are great examples, because their OPSEC failures are often detailed in court records, reported in the media, and discussed online. One of my articles on IVPN's website uses several such OPSEC failures (Silk Road, Sheep Marketplace, etc.) as examples.
It's also worth noting that PIA supports several free software projects.
Or, to phrase it differently: PIA outright bought a great number of previously community-run projects, and is concentrating power.

Freenode and Snoonet, two major IRC networks, are now owned by them.

Enough. You do this on every mention of PIA and you have been told to stop or get banned [0]. I don't know why you are on this crusade when there is not even the slightest hint of wrongdoing [1] so please, easy on the conspiracy theories.

Disclaimer: Happy PIA customer.

[0] https://news.ycombinator.com/item?id=14911509

[1] https://news.ycombinator.com/item?id=14911915

Yes, and interestingly, the Freenode staff had previously disabled Tor access to the Freenode network for over a year or so because of "attacks" which they claimed they could not handle. This was a pretty flimsy excuse once I finally found someone that knew the technical details, and though I chased the "right" people down several times to ask why Tor access had not been enabled, I never got a good answer. Cue PIA taking over Freenode, and within a couple of weeks, Tor access to Freenode was once more enabled. I've been a happy PIA customer for some years now, but that left such a huge and positive impression on me. I'm not completely sure the two things are simply correlated, but after talking to all those Freenode staffers over the years about it, I can't imagine it wasn't pushed by PIA.
I was actually primarily talking about their donation to the Krita Foundation [1], but yeah, it's good to be aware of the above, even if thus far I haven't seen anything nefarious from them.

[1] - https://krita.org/en/item/krita-foundation-update

"A college student was connected to a bomb threat by this method"

This is why we can't have nice things...

I'd use them. They're among the least expensive. And they don't seem to retain logs or detailed access records, based on testimony to a US court. But that was about an exit in the US, where there's no legal requirement for VPNs to log. Where there are such legal requirements, maybe they (or any other VPN) would retain and produce logs.

When I checked in mid 2016, their custom Windows client leaked while the VPN was reconnecting after uplink interruption. But then, only six of the 29 VPNs that I tested didn't leak: AirVPN, FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN. Strangely, FrootVPN didn't leak using open-source OpenVPN, suggesting that they're doing something unusual at the networking level. PIA's OS X client didn't leak, however.

They do tend to oversell their servers, however. So you'll often get less throughput than with AirVPN, IVPN or Mullvad.

I've been very happy with PIA. It's cheap with minimal impact to my bandwidth. The concern is that, like all VPNs, we are trusting them not to keep logs. PIA claims that they proved in court that they do not keep logs because they provided no useful data to an FBI request. There's a debate over whether this proves they don't keep logs or not here:

https://www.privateinternetaccess.com/forum/discussion/26284...

Is this semantics? I am uncertain. I do think that it's in PIA's best commercial interests not to keep logs. It's the core of their business model. The moment a PIA customer's identity is revealed through them is the moment they lose all business.

I think they're good, but there are some downsides. Sometimes traffic can really slow down because they're _too_ big.

Another issue is, all their IPs are well known. When browsing while connected to them, you can run into a lot of issues: captchas, blocked sites, etc.

The other day I was accidentally connected and made a purchase. What a giant headache. My purchase was flagged and blocked and it took a lot of my time to call the company and get it cleared up.

A few weeks back I ran into the same issue with accidentally making a purchase while connected to PIA. Mine was also flagged and I had to jump through several hoops to prove I made the purchase. It was a pain but I completely understand why that happened and I'm still very happy with PIA.

I will mention that while it doesn't magically fix slow speed issues, they have the ability to report a slow server through the app (on Windows, I can't attest to any others). You just right click the icon in the notification tray and click "Send Slow Speed Complaint." They do add more servers in areas that are overloaded.

I've used PrivateInternetAccess, they are trustworthy, but US based so count on them rolling on you if someone has a good reason to be interested in you.
Well, they apparently didn't roll for a US court, in a case involving harassment, as I recall. Would they roll for the NSA? How would they handle an NSL? I have no clue. Their founder has said that, although he lives in the US, none of their server admins do.
I don't use PIA, but one advantage of them is you can use a Starbucks or Target gift card to pay. Buy the gift card with cash, then there is no trail.
>"Buy the gift card with cash then there is no trail."

Until it's important enough for them to track down the card, figure out when it was bought, go over the security footage of who was buying at the time, extract footage of you buying it. They can then extract your face and match against a DB. Or perhaps see what car you enter into, and extract its license plate.

Heck, even if they don't have that, they can ask the cell-phone companies to see which phone-numbers were connecting to the nearest tower during that period. That already narrows down the list to say, 1000 people?

We're almost there. All the technology is already in place, and the only thing stopping it from happening is consolidation.

I have been pleased with their service. It wasn't much hassle to set up, particularly. Was certainly a little trickier on my linux machine.

I find the speed has almost been completely acceptable. I have had only a handful of times where it seemed sluggish and bogged down.

I know there is some question of whether they can truly be trusted. Do they truly not keep logs? And they are US based, which are all things to consider. I weighed those factors against the customer reviews, price, and simplicity of their service, and I think my choice has served me well. Their rates are dirt cheap for what seems to be a reliable service.

Would you recommend IVPN?
Well, of course I would! They're one of the oldest. Except for the first generation, anyway, such as Anonymizer (now basically owned by the CIA) and Cryptohippie (still very cool, but very expensive).

And they have great clients for Windows, OS X and iOS. I've found a few others that are just as leak-free.[0] However, the data there are old, and just about all VPN services have improved their clients. What's most relevant about the site is the testing protocol. There's more about that in an IVPN guide.[1]

I also recommend AirVPN, Mullvad and PIA. But not necessarily for their clients. I mean, IVPN doesn't have a custom Linux client. So in many cases, you need firewall rules. And you need to make sure that you're not using an ISP-assigned DNS server with the VPN.

0) https://vpntesting.info/

1) https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-lea...

The great thing about Mullvad is you can use OpenVPN instead of their client if you want. And those guys really know what they are doing.
Even better, with Mullvad you can now use WireGuard instead of OpenVPN, for considerably better performance and possibly better security. I've configured my EdgeRouter Lite to route all wifi traffic on my default home network through WireGuard for a couple of weeks and it has worked very well.

https://www.mullvad.net/blog/2017/9/27/wireguard-future/

You can use open-source OpenVPN with any VPN service that offers OpenVPN connectivity. You can also use AirVPN's client Eddie, which has a pretty decent built-in firewall.
Just adding another vote for Mullvad. Tried a few others, have had the best luck with Mullvad (bandwidth, # of servers, rock-solid connection, etc.)
I use OpenVPN to connect to PIA both on my Linux machines and Android.
Same applies to IVPN, FWIW.
My VPN activities run on an old Windows box, and I did not want to trust the VPN clients to not fail and blast my data in the open for a day or two before I noticed. I ended up writing a SafeVPN Windows service that kills processes within 30 seconds of VPN failure.

I used PIA for a couple of years without issue, but then it went into some kind of decline for me, always driving network traffic to zero after a few hours. After changing hardware and reinstalling the OS with no effect, I finally tried AirVPN and things went back to normal. AirVPN is a bit more expensive, but their client is light years ahead of the PIA client.

It's better to use Windows Firewall, because blocking is virtually instant. Basically, you set LAN as a private network, and the VPN as a public network. For LAN, you allow connections only to the VPN server(s) that you use, plus a DNS server that's not associated with your ISP. You can also allow connections to other LAN devices, if you like. For the VPN, you allow all output, but only input for established connections.
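The comment above describes that policy for Windows Firewall; for the case raised earlier in the thread where the provider has no Linux client and you need firewall rules yourself, here is the same policy as iptables rules. This is an added example, not code from the thread or from any provider: `eth0`/`tun0`, the LAN range and the server and resolver addresses are assumptions (the addresses are documentation placeholders). The tunnel side also accepts no new inbound connections, which is the client-isolation concern discussed further down the thread.

```shell
#!/bin/sh
# Added example: OpenVPN "kill switch" on Linux, mirroring the Windows Firewall
# policy above. The physical uplink may only reach the VPN server, one trusted
# resolver and local devices; the tunnel allows everything out and only
# established traffic back in. All names and addresses below are assumptions.
WAN_IF="${WAN_IF:-eth0}"                   # physical uplink (assumed name)
TUN_IF="${TUN_IF:-tun0}"                   # OpenVPN tunnel interface (assumed)
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder: your provider's server IP
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"
DNS_SERVER="${DNS_SERVER:-198.51.100.53}"  # placeholder: a resolver not run by your ISP
LAN_NET="${LAN_NET:-192.168.1.0/24}"       # optional local devices (assumed range)

# Emit the rule set instead of applying it, so it can be reviewed first.
build_rules() {
  cat <<EOF
# Default deny in both directions; loopback and reply traffic are always fine.
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT  -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# "LAN as private": the uplink may only reach the VPN server, one resolver and the LAN.
iptables -A OUTPUT -o $WAN_IF -d $VPN_SERVER -p $VPN_PROTO --dport $VPN_PORT -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $DNS_SERVER -p udp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $DNS_SERVER -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -o $WAN_IF -d $LAN_NET -j ACCEPT
# "VPN as public": anything out through the tunnel, nothing new in (peers on the VPN included).
iptables -A OUTPUT -o $TUN_IF -j ACCEPT
# No IPv6 rules exist for the tunnel here, so drop IPv6 entirely rather than leak it past the VPN.
ip6tables -F
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
EOF
}

# Number of rules that would accept fresh inbound connections on the tunnel (must be 0).
tunnel_inbound_accepts() {
  build_rules | grep -c -- "-A INPUT *-i $TUN_IF" || true
}

# Apply the reviewed rule set; refuses to run without root.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply_rules: run as root" >&2; return 1; }
  build_rules | sh -e
}

case "${1:-}" in
  apply) apply_rules ;;
  *) build_rules ;;
esac
```

Run it with no argument to print the rules for review, and with `apply` as root to load them.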
Can you point to a writeup of how to do this?

The only step beyond this that I have seen is a recommendation to use OpenBSD as a firewall in a virtual machine.

Interesting feature of Windows firewall, thanks. As the AirVPN client connects, it checks several hundred servers for the lightest load, so for that default behavior, I don't know which IPs to configure locally.
Various sites on the internet (e.g. Reddit, piracy sites, etc) will recommend either PIA and/or Torguard over anything else.
That's because PIA and Torguard are willing to outbid others to get that ranking :) Or so I've heard.

That's why you generally ignore online reviews.

Well, my Torguard license is expiring soon. Who would you personally recommend instead?
AirVPN, IVPN, Mullvad or PIA. They've all been around for several years, and focus on privacy. And I've never heard anything bad about any of them. PIA is the least expensive, and IVPN costs the most. AirVPN and IVPN are probably the fastest. IVPN and Mullvad probably have the best technical expertise.
Or just DIY if you're just a regular Joe or Jane, it's quick, cheap, and easier than most assume.
I’m curious about your DIY solution and what that involves.
Algo is quite easy to install and run.
Why do you think that just because a VPN isn't free, it won't ALSO sell you out on the other side?
Basically how much they have to lose.

Say for instance there are two VPN services. Both have 100,000 users. One makes $1,000 a year off of advertising, and the other makes $1,000,000 a year ($9/month). Now both are approached by a nefarious gentleman who offers them $20,000 a year to harvest their users' information. But every year there is a 25% chance people find out and your service is shut down.

Who takes the deal? Maybe the free guy, but very few people would risk a 1M/year revenue stream to make a little extra cash, but someone might risk a much smaller revenue stream for a comparatively bigger payoff.

That's not what was said. "Free VPNs are not to be trusted" does not imply "All paid VPNs can be trusted".
But to flip that around, what about adding payment into the mix has any bearing at all on the trustworthiness of a VPN provider?
Payment means there may be a viable business model other than sharing private information. Realistically I don't know how you can ever be sure, but I'd absolutely never trust a free VPN service.
It's not so much that they couldn't sell you out, but that if word got around that they had, it would be bad for business.
Every time you turn around we hear of another free VPN selling data. How else do they stay in business?
Why not just use a trusted solution like OpenVPN and only use providers who provide OpenVPN servers? That immediately gets rid of one half of your problem; and as for the other half, VPN services that allow for connections via OpenVPN are likely to be more trustworthy. In addition, the VPN company can't MitM connections which are already on an encrypted channel outside of the VPN connection.
> use providers who provide openvpn servers

how can you prove what the provider is using? people can lie

This suggestion is intended to solve the "free VPN app installs malware" problem and not solve the "VPN provider who actually logs/is in league with govt/MPAA/etc" problem.
Indeed. Threat models are crucial here.
OpenVPN is a protocol. If the VPN provider supports it, you set it up in your own client that supports OpenVPN. Using a VPN provider that requires you use some proprietary app is madness.

I recently signed up for such a service, in order to get my Nintendo Switch online for multiplayer gaming. My home internet connection is sub-let from the landlord and could be considered semi-hostile -- not able to connect to peers on the Switch due to triple NAT, and I suspect some QoS throttling as well. The VPN solves my routing problems, but if anyone has a suggestion for another option here I'm all ears.

It is irrelevant what software the provider is using as long as they use the openvpn protocol. This will be obvious to anyone who tries to connect using openvpn.
Can you explain further, how can you be sure things weren't added to the software?
When you use a VPN service that supports openvpn, you:

a) Install OpenVPN yourself (open source)

b) Download an OpenVPN profile from the VPN company

c) Configure OpenVPN with the profile

Specifically, you don't have to install any binary software from the company itself.
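Step b) is the one place where the provider still hands you something that your client will act on, so it is worth reading the profile before step c). The script below is an added example, not from the thread or from any provider: it checks a downloaded `.ovpn` for directives that run commands on your machine, for crypto switched off, and (going a little beyond the steps above, toward the MitM point made earlier) for the `remote-cert-tls server` and `verify-x509-name` checks that pin the server's identity. Both profiles it inspects are constructed inline; the directive names are real OpenVPN options.

```shell
#!/bin/sh
# Added example: audit an OpenVPN client profile before loading it into your own
# (open-source) OpenVPN client. Profiles below are constructed for illustration.

# Client-side directives that execute commands or load code on your host.
EXEC_DIRECTIVES='script-security|up|down|route-up|route-pre-down|ipchange|tls-verify|plugin'

# Print one line per finding for the profile in $1; print nothing if it looks clean.
audit_profile() {
  f=$1
  # 1. Anything that can run code when the tunnel comes up or goes down.
  grep -nE "^[[:space:]]*($EXEC_DIRECTIVES)"'([[:space:]]|$)' "$f" \
    | sed 's/^/exec-capable directive at line /'
  # 2. Crypto switched off: "cipher none" / "auth none" leave the tunnel readable.
  grep -nE '^[[:space:]]*(cipher|auth)[[:space:]]+none([[:space:]]|$)' "$f" \
    | sed 's/^/crypto disabled at line /'
  # 3. Without remote-cert-tls server, any certificate issued by the provider CA
  #    (for example another customer's client cert) is accepted as the server.
  grep -qE '^[[:space:]]*remote-cert-tls[[:space:]]+server([[:space:]]|$)' "$f" \
    || echo 'missing: remote-cert-tls server (server role not enforced)'
  # 4. Pin the server's certificate name, not just its address.
  grep -qE '^[[:space:]]*verify-x509-name[[:space:]]' "$f" \
    || echo 'missing: verify-x509-name (server name not pinned)'
}

# Constructed sample profiles (vpn.example.invalid is a placeholder host name).
GOOD=$(mktemp) && BAD=$(mktemp)
trap 'rm -f "$GOOD" "$BAD"' EXIT
cat >"$GOOD" <<'EOF'
client
dev tun
proto udp
remote vpn.example.invalid 1194
remote-cert-tls server
verify-x509-name "vpn.example.invalid" name
cipher AES-256-GCM
auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
</ca>
EOF
cat >"$BAD" <<'EOF'
client
dev tun
remote vpn.example.invalid 1194
script-security 2
up /tmp/helper.sh
cipher none
EOF

for p in "$GOOD" "$BAD"; do
  echo "== $p"
  audit_profile "$p"
done
```

A clean report does not prove the provider is honest, but it does mean the profile cannot run anything on your machine and will refuse a server that does not present a server certificate for the expected name.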

To the client side or the server side? On the client side, you should download the code from a location you trust. On the server side, it is irrelevant if something is added to the software for the attack we are discussing.
You can use your own OpenVPN client.
Isn't OpenVPN kind of a hack and an IKEv2/IPSEC based strongSwan solution to prefer?
It's arguably no more a "hack" than TLS is one. Right?

Re OpenVPN vs IKEv2/IPSec, this IVPN FAQ seems accurate.[0] But then, I helped edit it, so I'm biased. Still, if anyone can point to inaccuracies, I'll recommend fixing them :) The major weakness is pre-shared IKE keys.

On the other hand, I get from IVPN that the IPSEC implementation in iOS is very secure.

0) https://www.ivpn.net/knowledgebase/160/Is-using-L2TPorIPSec-...

Don't see why you're getting downvoted. From a user standpoint, IKEv2 doesn't require a secondary client and integrates better with most major OSes.

For example: It's way easier for a client to install a mobileconfig to ios that supports on demand VPN than it is to have them download and configure openvpn. Fairly set and forget.

IKE is a nightmare to admin, only for Cisco level bureaucracies.
OpenVPN protocol is sorta weird (I wrote a clean room client and server impl). But IPSec stuff is such a pain to deal with that it is not worth it despite it having better OS integration.
>So what is the downside to using a VPN if you're aware that they aren't foolproof vs not using a VPN at all?

Rarely addressed: VPN CLIENT ISOLATION.

The majority of us sit behind a NAT'd address range provided by our physical router, thus isolating our machines via a hardware router / firewall from our ISP. When you connect via a VPN, you are not automatically isolated from other client-peers on that VPN and must implicitly trust the VPN provider has properly configured client isolation. You can do testing, like firing up Wireshark and listening for broadcast traffic or simply by trying to nmap other hosts on the network, however, whatever you find could change with a configuration setting at any time.

Exactly my thoughts;

One way to further "secure" this would be to run the VPN client on a hardware router like pfSense (instead of directly on your laptop) and block all incoming connections on the vpn client tunnel interface?

A disadvantage of this method would be that the WIFI signal from your Laptop to the router is no longer secured by the Vpn...

That's how I do VPN. I have my ISP connected router, then a DMZ network with my test servers & three routers: 1) guest, 2) main, 3) VPN. I then use a virtual LAN from (2) to (3) over a virtual interface on (2) to connect to (3) which is NAT'd. Honestly though, the whole advice of "get a VPN to be secure" is ridiculous because it can end up exposing you far more than what you were previously, especially if you are running a VPN client on a host that is running a media client / server like Plex, Kodi, WinAmp, iTunes (Bonjour), etc. If you are a developer and using The Fiddler, Charles Proxy, or the Burp Suite, then there's an easy route to the rest of your internal network. I know the first time I was on a VPN and saw someone on the VPN come through my interception proxy it freaked me out enough to instantly understand the dangers of VPN services.
It's more effective to block what you want on your host firewall and not rely on the network to keep you safe.

"Processing in hardware", meaning application specific hardware acceleration, is not a plus in security related things: it's not safer, it doesn't exist in most boxes, and it's often impossible to field upgrade when bugs are found. It's done to speed things up/lower cost at large scale, but that's irrelevant for consumer/small office gear.

>It's more effective to block what you want on your host firewall and not rely on the network to keep you safe.

I agree and am a big fan of host firewalls and host intrusion prevention systems, however, they must of course cover the VPN tunnel in their scope. In many cases they do not.

It is a configuration option, for sure. But I've never even heard of a VPN service that put multiple clients on the same subnet. It'd be a security nightmare. And I can't imagine what the advantage to the provider would be.
Another downside:

Recently the Federal Government sent out malware to certain persons of interest. That malware played a higher pitch sound than can be heard by the human ear. They were able to track that person and identify them because they heard the sound on the computer's microphone. TOR or VPN can stop this.

Without a source to corroborate, the tinfoil hat factor is extremely high with this one.
I slightly agree. However, these days it seems more and more that "thing elite spy agency does to track terrorist" is on about a 6 months to 1 year lead on "thing startup does to target ads."
Wouldn’t even surprise me if it was the other way around either.

Some of the brightest minds of this generation are working on ad tech.

Sadly.

Angelheaded hipsters burning for the ancient heavenly connection to the starry dynamo in the machinery of night, indeed.
Interesting, thanks.
Sorry here is the source:

https://www.bleepingcomputer.com/news/security/ultrasound-tr...

It appears to have happened already.

Wow, now 44.1kHz sound cards should be very desirable
> A team of researchers from the Brunswick Technical University in Germany discovered [234] Android apps that employ ultrasonic tracking beacons to track users and their nearby environment.

https://en.wikipedia.org/wiki/SilverPush

My tinfoil hat is spinning!

Ability and motive...

Are they able to do this? Yes, for sure.

Are they willing to do this? For terrorists or mafia bosses, no doubt. For smaller fish? Maybe they can't be bothered. Or maybe they can.

Once it's productized, it's probably easy to reuse.
Technically, but maybe not bureaucratically.
Here is a source, but not "malware", rather ads; the line gets more and more blurry.

https://arstechnica.com/tech-policy/2015/11/beware-of-ads-th...

I'm surprised a computer speaker has the frequency response to play an inaudible tone.
Tested my kids - they could hear an alleged 21khz tone out of laptop speakers. The actual level of the tone doesn't matter - it was above my level of hearing. Wasn't a double blind, but they told me when it started and stopped based on a bash script with random intervals.
I'm 20 but I can still hear 20 khz, albeit not very well.
I could when I was 20, did a proper hearing test when I joined my company. 15.625khz was very noticeable - I scoffed at the old timers who couldn't hear it.

I can no longer hear it. Still I can hear 1khz, so that's what's important.

Most wouldn't, I'd imagine OP is referring to a mobile device. Look at Android's dev docs: they recommend sticking to 44.1kHz, which we know does fall into the range of human hearing with its 22kHz reproduction, albeit for fewer people. I'd suspect the person being spied on would become suspicious upon many children they encounter and even more dogs fleeing from their direction.
If they were able to gain access to a person's microphone doesn't that mean they are already compromised?
> TOR or VPN can stop this.

You're saying that the persons of interest in this case were identified and targeted only based on an IP address and not based on some other aspect of their online activity?

Wasn't this how they caught the Silk Road guy? Ross Ulbricht? They played a loud noise from his computer in a public area, as I recall.
That is not how they caught him. They used a correlation attack. He was stupid and posted something using his personal email on Stack Overflow about setting up a Tor website and processing Bitcoin transactions. He then used a linked account to advertise Silk Road a few times. This made him a prime suspect. They followed him for weeks and watched that every time Dread Pirate Roberts logged in and posted on Silk Road he was sitting in a cafe or library on his computer connected to a VPN. This was enough for them to get a search warrant, and they found all the other evidence they needed to convict him on his laptop.
Do you have a source for that? I've never heard it before.
Nevermind, they chatted with him, but that was to ensure that he was logged in to SR before grabbing his laptop in an unencrypted state, not to identify him: https://www.wired.co/2015/01/silk-road-trial-undercover-dhs-...
> That malware played a higher pitch sound than can be heard by the human ear.

That should be "... can not be heard ..." right?

Also, do you have a link with more details.

No, it's right as-is.
Ah I think I read the "higher" as "high" and misunderstood it.
That still doesn't really make sense. I think you misread "than" as "that".
"a higher sound than can be heard" or "played a sound, which cannot be heard due to its pitch"

would both work, but your interpretation isn't correct.