by hug 3049 days ago
It seems like bad advice because it is, frankly, just bad advice. Nearly all of his arguments fall down, even within his own post.

He says that VPN providers don't provide more security. They do, and he mentions this himself when it comes to the public wifi argument.

He says that VPN providers don't provide more encryption. They do. Another layer of transport encryption is another layer of transport encryption.[1]

He says that VPN providers don't provide more privacy. They do. Turns out a lot of networks do things like log DNS, which a decent VPN client can tunnel.[2]

He says there are two use cases for VPNs: There are a lot more.

He says that tunneling all of your traffic is a worse case for obfuscating your identity to a third party service. It's not, or at least I can't imagine how it would be.

He says that instead of a VPN, you can use a VPS with a VPN: That's just a VPN. It does all of the same things, including being outsourced to a third-party provider, except you lose a ton of the functionality of a real VPN service like geographical redundancy and spread.

He asks why VPN services exist, if for any other purpose than stealing traffic or data, but fails to understand any way in which a VPN service could be useful.

The entire piece is just the opinions of someone who is failing to see that other people have significantly different use-cases and threat models than he does.

-

[1] Especially if you think of "local -> internet" as easier to intercept than "somewhere internet -> otherwhere internet". Which it usually is. One involves something dumb simple like ARP poisoning. Another involves compromising a telco or the VPN provider itself, which is a teensy bit harder. All of this is even sillier if you consider the hostile-network scenario as well.

[2] Yes, you are offloading 'trust' that the VPN provider doesn't also log your DNS. There's more chance that they don't when they say they don't, than your corporate network doesn't when they say they do.


A VPN tunnel in the abstract provides the benefits you mentioned, but a VPN service is a slightly different beast. It doesn't solve the problem with your untrusted ISP, it just gives you effectively a different untrusted ISP.

Imagine if, in response to the question, "how do I protect myself from snooping ISPs" someone provided the answer, "Just use an ISP that specializes in providing anonymity." You'd probably object on the following grounds:

* Saying you provide anonymity doesn't mean that you actually do. And track records tend to demonstrate otherwise.

* Your ISP still knows exactly who you are, even if they promise not to tell.

* ISPs who specialize in shady customers are more likely to be under surveillance themselves, meaning you're now more likely to be under surveillance rather than less.

* You're solving the wrong problem: you need end-to-end privacy, not just customer-to-ISP

You'd be right. But more importantly, these same objections apply to VPN providers. They more-or-less ALL specialize in aggregating known-suspicious traffic, which is not the bundle you want to be tied in with.

In fact, any argument you could make against using a Cloud VPN endpoint can also be made against a VPN service provider. Because, and this should be painfully obvious already, VPN providers just terminate their traffic through Cloud and/or Colo hosting providers as well; usually optimized on bandwidth cost over all else. So by setting up your own VM, you're just cutting out one of the middle men. There's nothing they can do that you can't do just as well without them.

> There's nothing they can do that you can't do just as well without them.

That applies to any service out there. Are you running your own mail server?

It gives me a different untrusted ISP and transport layer encryption between my machine and the VPN endpoint. Which, y'know, you admit to later in your comment, so you clearly know what's up, but that's not exactly a minor thing. There are a couple of parties between myself and my content, and this just eliminates the bit players. Y'know, the nerds on public wifi.

And, yeah, I could set up my own VPN on a VPS I rent. They're only $5 a month. I'd just need a couple in the USA, a couple in the UK, a couple in a few different EU countries, a couple in Australia...

The service I pay for from a VPN provider is not ultra secure. It's not even above average secure. It is, however, somewhat secure. And yeah, sometimes it lumps me with "known-suspicious traffic", but that's okay: What I'm doing is completely irrelevant to that fact.

There is less of a chance that the Colo or shell account you are using to run psybouncer will hand over anything to anyone before you wipe the machine than there would be directly connecting to a VPN service. I think this is addressed to average Joe Americana who clicks the protect button in Facebook.
Your argument for VPN tunnels in general makes sense, especially if you're on a hostile network, and that includes hostile ISPs you feel you can't trust.

Your argument for VPN services completely forgets that a VPN service in this regard is just another ISP.

How do you know you can trust this ISP any more than the one you're already using?

A VPN service provider is not an ISP in the single way that is most important to me: In a "my government mandates that ISPs perform metadata collection" kind of way.

My ISP tells me that they do, indeed, operate legally and collect metadata. They tell me that they do, indeed, inject JS sometimes. They tell me that they do, indeed, reserve the right to resell my anonymised data for marketing purposes.

My VPN service provider tells me that they do none of these things, and in fact have been reported in the tech media for telling courts to kindly go fuck themselves when it comes to logging.

Who do I trust collects less data? Well, to be honest, I'm 100% certain that the ISP is doing the things it tells me it's doing. I'm not 100% certain that the VPN provider isn't doing things it tells me it's not, but it's a damn sight sure less than 100%.

And, y'know, despite all that rhetoric: The main thing I use my VPN provider for is to watch the US version of Netflix.

"How do you know you can trust this ISP any more than the one you're already using?"

Simple. For example, you live in a country where ISPs are allowed to do whatever they want (or forced to do what government/letter agencies want), so if you value your privacy and data, you use a VPN company that's based in a country where private data is respected and protected by law.

Well, the opposite is quite common.

Your ISP has strong laws that require a court order for anyone to take a peek or identify you. Your VPN provider does not but can legally do whatever they want with your data. Mining, providing/selling personal information etc. (and they are equally forced to reveal everything asked for when faced with a court order).

The combination of using a service such as a VPN (drawing attention to your activities) with less legal protection is in my opinion the biggest argument against using a VPN.

Yes, but it's much easier to choose/change a VPN than an ISP, because VPN providers usually are not geographically bound, as opposed to ISPs, where it's not uncommon to be stuck with a single ISP available. Furthermore, if you have a reputable ISP and your traffic is not being filtered/snooped, there aren't many reasons to use a VPN service at all.
Yes, but these are points that are very seldom brought up at all in these contexts yet they are quite important.
And how can you know this VPN provider is not a honeypot set up by the same forces/agencies you are trying to avoid?
If you are such a high-level target that these agencies went out of their way to set up a honeypot for you, no VPN will save you anyway. But in the realistic case, nobody is going to set up honeypots just to capture your porn search history.
He's apparently never been to China... or he'd already understand "Why VPNs".
> There are roughly two usecases where you might want to use a VPN:
>
> You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.

I think that covers the case you're worried about.

Well, an entire country that is behind a firewall that dynamically blocks huge swaths of content by randomly slowing it down and dropping packets... is a little different than an ISP that uses MITM. The problem is not that they are spying on you when you use https, it's that you can't even get your email, search using google, check out your code, or get to your financial information at all.

You can forget GitHub, Facebook, Instagram, NYT, but I'm not even trying to use those... I want to get my damn work done. If all my contacts were on WeChat, I only wanted to use Weibo, and could search using pinyin, I might be fine.

Like most controversial technical advice, the point is not to educate but to pontificate. In addition to attention-seeking, the author's previous GitHub gists and associated Twitter drama suggest a pathological need to be the "smartest" guy in the room.

Ugh.