[infodroid]

This seems like bad advice because it doesn't address the legitimate need for keeping your browsing history private from overzealous, data-mining ISP's [1].

And even in the case of a known-hostile ISP that engages in invasive practices like supercookies or ad injection, it's unrealistic to ask users to set up and maintain their own VPS servers.

For the average internet user, a "glorified proxy" service that is hassle-free to set up is a simple and effective means of protection against such a menace.

[1] https://techcrunch.com/2017/03/29/everything-you-need-to-kno...

[hug]

It seems like bad advice because it is, frankly, just bad advice. Nearly all of his arguments fall down, even within his own post.

He says that VPN providers don't provide more security. They do, and he mentions this himself when it comes to the public wifi argument.

He says that VPN providers don't provide more encryption. They do. Another layer of transport encryption is another layer of transport encryption.[1]

He says that VPN providers don't provide more privacy. They do. Turns out a lot of networks do things like log DNS, which a decent VPN client can tunnel.[2]

He says there are two use cases for VPNs: There are a lot more.

He says that tunneling all of your traffic is a worse case for obfuscating your identity to a third party service. It's not, or at least I can't imagine how it would be.

He says that instead of a VPN, you can use a VPS with a VPN: That's just a VPN. It does all of the same things, including being outsourced to a third-party provider, except you lose a ton of the functionality of a real VPN service like geographical redundancy and spread.

He asks why VPN services exist, if for any other purpose than stealing traffic or data, but fails to understand any way in which a VPN service could be useful.

The entire piece is just the opinions of someone who is failing to see that other people have significantly different use-cases and threat models than he does.

-

[1] Especially if you think of "local -> internet" as easier to intercept than "somewhere internet -> otherwhere internet". Which it usually is. One involves something dumb simple like ARP poisoning. Another involves compromising a telco or the VPN provider itself, which is a teensy bit harder. All of this is even sillier if you consider the hostile-network scenario as well.

[2] Yes, you are offloading 'trust' that the VPN provider doesn't also log your DNS. There's more chance that they don't when they say they don't, than your corporate network doesn't when they say they do.

[tyler_larson]

A VPN tunnel in the abstract provides the benefits you mentioned, but a VPN service is a slightly different beast. It doesn't solve the problem with your untrusted ISP, it just gives you effectively a different untrusted ISP.

Imagine if, in response to the question, "how do I protect myself from snooping ISPs" someone provided the answer, "Just use an ISP that specializes in providing anonymity." You'd probably object on the following grounds:

* Saying you provide anonymity doesn't mean that you actually do. And track records tend to demonstrate otherwise.

* Your ISP still knows exactly who you are, even if they promise not to tell.

* ISPs who specialize in shady customers are more likely to be under surveillance themselves, meaning you're now more likely to be under surveillance rather than less.

* You're solving the wrong problem: you need end-to-end privacy, not just customer-to-ISP

You'd be right. But more importantly, these same objections apply to VPN providers. They more-or-less ALL specialize in aggregating known-suspicious traffic, which is not the bundle you want to be tied in with.

In fact, any argument you could make against using a Cloud VPN endpoint can also be made against a VPN service provider. Because, and this should be painfully obvious already, VPN providers just terminate their traffic through Cloud and/or Colo hosting providers as well; usually optimized on bandwidth cost over all else. So by setting up your on VM, you're just cutting out one of the middle men. There's nothing they can do that you can't do just as well without them.

[toyg]

> There's nothing they can do that you can't do just as well without them.

That applies to any service out there. Are you running your own mail server?

[hug]

It gives me a different untrusted ISP and transport layer encryption between my machine and the VPN endpoint. Which, y'know, you admit to later in your comment, so you clearly know what's up, but that's not exactly a minor thing. There's a couple of parties between myself and my content, and this just eliminates the bit players. Y'know, the nerds on public wifi.

And, yeah, I could set up my own VPN on a VPS I rent. They're only $5 a month. I'd just need a couple in the USA, a couple in the UK, a couple in a few different EU countries, a couple in Australia...

The service I pay for from a VPN provider is not ultra secure. It's not even above average secure. It is, however, somewhat secure. And yeah, sometime it lumps me with "known-suspicious traffic", but that's okay: What I'm doing is completely irrelevant to that fact.

[raides]

There is less of a chance that the Colo or shell account you are using to run psybouncer will hand over anything to anyone before you wipe the machine than there would be directly connecting to a VPN service. I think this is addressed to average Joe Americana who clicks the protect button in Facebook.

[josteink]

Your argument for VPN tunnels in general makes sense, especially if you're on a hostile network, and that includes hostile ISPs you feel you can't trust.

Your argument for VPN services completely forgets that a VPN service in this regard is just another ISP.

How do you know you can trust this ISP any more than the one you're already using?

[hug]

A VPN service provider is not an ISP in the single way that is most important to me: In a "my government mandates that ISPs perform metadata collection" kind of way.

My ISP tells me that they do, indeed, operate legally and collect metadata. They tell me that they do, indeed, inject JS sometimes. They tell me that they do, indeed, reserve the right to resell my anonymised data for marketing purposes.

My VPN service provider tells me that they do none of these things, and in fact have been reported in the tech media for telling courts to kindly go fuck themselves when it comes to logging.

Who do I trust collects less data? Well, to be honest, I'm 100% certain that the ISP is doing the things it tells me it's doing. I'm not 100% certain that the VPN provider isn't doing things it tells me it's not, but it's a damn sight sure less than 100%.

And, y'know, despite all that rhetoric: The main thing I use my VPN provider for is to watch the US version of Netflix.

[kbart]

"How do you know you can trust this ISP any more than the one you're already using?"

Simple. For example, you live in a country where ISP's are allowed to do whatever they want (or forced to do what government/letter agencies wants), so if you value your privacy and data, you use VPN company that's based on a country where private data is respected and protected by law.

[tjoff]

Well, the opposite is quite common.

Your ISP has strong laws that require a court order for anyone to take a peek or identify you. Your VPN provider does not but can legally do whatever they want with your data. Mining, providing/selling personal information etc. (and they are equally forced to reveal everything asked for when faced with a court order).

The combination of using a service such as a VPN (drawing attention to your activities) with less legal protection is in my opinion the biggest arguments against using a VPN.

[kbart]

Yes, but it's much easier to choose/change VPN than ISP, because because VPN providers usually are not geographically bound as opposed to ISP where it's not uncommon to be stuck with single ISP available. Furthermore, if you have a reputable ISP and your traffic is not being filtered/snooped, there aren't many reasons to use VPN service at all.

[tjoff]

Yes, but these are points that are very seldom brought up at all in these contexts yet they are quite important.

[josteink]

And how can you know this VPN provider is not a honey-pot setup by the same forces/agencies you are trying to avoid?

[kbart]

If you are such a high-level target that these agencies went out of their way to setup honeypot for you, no VPN will save you anyway. But in realistic case, nobody is going to setup honeypots just to capture your porn search history.

[kurthr]

He's apparently never been to China... or he'd already understand "Why VPNs".

[evanb]

> There are roughly two usecases where you might want to use a VPN:

>

> You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.

I think that covers the case you're worried about.

[kurthr]

Well, an entire country that is behind a firewall that dynamically blocks huge swaths of content by randomly slowing it down and dropping packets... is a little different than an ISP that uses MITM. The problem is not that they are spying on you when you use https, it's that you can't even get your email, search using google, checkout your code, or get to your financial information at all.

You can forget Github, Facebook, Instagram, NYT, but I'm not even trying to use those... I want to get my damn work done. If all my contacts were on WeChat, I only wanted to use Weibo, and could search using pinyin, I might be fine.

[hitekker]

Like most controversial technical advice, the point is not to educate but to pontificate. In addition to attention-seeking, the author's previous Github gists and associated twitter drama suggest a pathological need to be the "smartest" guy in the room.

Ugh.

[__jal]

It was addressed, indirectly, at the end - "You are on a known-hostile network". In my case, one of my links is Comcast, a known-hostile network.

I agree it should have been much more prominent, because this is exactly why I use one, and why many folks I know use one.

[bigiain]

"a known-hostile network"

aka "the internet"...

[paulie_a]

Good, I want to be known as actively hostile

[rsync]

"it's unrealistic to ask users to set up and maintain their own VPS servers."

I think that sshuttle[1] changes that calculus.

sshuttle allows you to make any ssh server a VPN endpoint. So you don't need to configure IPSEC or make an SSH tunnel or anything like that - you just need a login on an ssh server somewhere.

[1] https://github.com/sshuttle/sshuttle

[GordonS]

AFAIR, it doesn't work for Windows clients, which are a rather large user segment. Still, it is impressively simple to use for Linux and OSX users.

[rsync]

... and it works for FreeBSD and as of our (rsync.net) sponsorship of work done last year, has DNS support in FreeBSD with ipfw as the backend.

[bigiain]

And (for some of us) even regular/non-malicious but law abiding ISP's - who're now required by law to keep logs of your "metadata" aka: which websites you visit...

https://www.ag.gov.au/dataretention

[yorby]

VPN providers have just as much insight about your traffic as your ISP... it's just a matter of time before they monetize it... and they both know who you are (unless you are very very very careful, which is almost impossible).

[lagadu]

Negative on that: all a VPN provider knows about me à priori is my IP (and all that comes with that, like ISP and rough location) and which monero payment ID I used to pay it with (which is entirely useless). In contrast an ISP knows everything: my address, name, bank account, contracted service, fiscal number, etc.

If either of them is going to use my traffic data against me, I'd rather it be the former, who I can easily replace within minutes and has less information about me.

[rphlx]

It does not totally invalidate the benefits you mentioned but from what I've heard there are mature commercial services that map consumer IPs to meatspace IDs (name, phone number, address, household income, credit score, etc). The ad industry is both a consumer and a producer of these databases for obvious reasons. Highly likely that multiple levels of law enforcement have access to them as well.

[sk5t]

VPN providers are replaceable in ways in which last-mile ISPs are not, so they have more of an incentive not to trash their reputations.

[thsowers]

This gist was also written in 2015, I think the knowledge of ISPs data-mining is more public now (even though it was likely going on then anyways in some format)

[bjoli]

Yeah. M ISP has sold data on customers before which is why I uses VPN.

I chose one which seems moderately high profile (where a court case could ruin their reputation), and they are apparently planning on supporting wireguard later on. Seems I picked the right one :)

[c16]

Have you ever considered it would be easier for the government to pay the VPN providers a large sum to hand over the data, avoid a big public lawsuit, and silently mine all the data without having to break the encryption?

[bjoli]

The ISP an the VPN providers are already mandated by law to hand over my data at any goverment request, but a VPN provider is not required to store data for 6-24 months. That is not what I'm afraid of.

I just trust my VPN provider more than my ISP. The data policy of my VPN is much better: they cannot legally sell my data,whereas my ISP make no such promises.

[c16]

Don't get me wrong - I pay for a VPN subscription too for when I'm travelling/public wifi, but it's much easier to quietly hand VPN providers a nice sum of money for them to just hand over the keys. Everyone leaves happy.

Based on that, I believe if you want an extra level of security for every day use, then go for a big VPN co. If you're doing highly sensitive style stuff, then there's probably better software and services out there. It's all about your threat model I suppose.

[bjoli]

I am using mullvad.net, which I would consider large enough.

They operate in a jurisdiction where I can actually hold them liable and where I know which of their claims are leally binding.

[rbcgerard]

Who do I trust more Comcast (ISP) or F-secure (VPN)? Pretty easy answer...

[irundebian]

None of them?

[anonytrary]

> doesn't address the legitimate need for keeping your browsing history private from overzealous, data-mining ISP's

I think the point of the article is that an arbitrary VPN provider is really no different than an overzealous, data-mining ISP. Unless people can trivially join some sort of anonymized, decentralized mesh network, they are going to be forced to trust a third party at some point.