Hacker News new | ask | show | jobs
by danShumway 2437 days ago
Am I not understanding your argument?

> they need to compromise your ISP or your VPN

Part of the point of a third-party VPN is that the ISP/router can't tell what you're doing -- you assume that they're untrustworthy. Compromising the ISP would be useless, unless your VPN is for some reason sharing the same info with your router, in which case... install a competent VPN client.

I don't see how you're adding an additional failure point, you're just moving the same failure point somewhere else.

Yes, once the VPN endpoint makes the request, an ISP can still intercept it. But this is one of the few cases where adding an additional network hop very likely does not matter at all for your privacy. Once your request is going over the open Internet there are already so many opportunities for people to spy on it. The benefit is in disassociating that request from you, not in hiding it once it goes public.
1 comments
fulafel 2437 days ago
The confidentiality protection is not really absolute - the encrypted VPN traffic is susceptible to traffic analysis[1]. For example, your traffic pattern fingerprint could be correlated and matched to your online identity if your ISP and an ad network or another globally positioned middleman actor colluded on it.

[1] A term of art in intelligence & cryptanalysis, https://en.wikipedia.org/wiki/Traffic_analysis

link
GhettoMaestro 2437 days ago
Respectfully, unless your adversary is the NSA, and they are targeting you, your argument is full of shit.
link
fulafel 2437 days ago
Why do you think it would be unworkable for a corrupt ad network in cahoots with your corrupt ISP to correlate your web requests based on time, length and previously seen traffic from the VPN IP?
link
GhettoMaestro 2437 days ago
Because it is way too much effort with questionable return on investment.
link
fulafel 2436 days ago
I agree that the business case is not that obvious but converting a "can't be done" argument to a "not interesting enough" is already pretty significant. The amortized cost per user would be very low after all, assuming this was used for automated mass surveillance.
link
GhettoMaestro 2436 days ago
> [...] The amortized cost per user would be very low after all, assuming this was used for automated mass surveillance.

Honestly I think this is the total opposite case. "Full take" collection systems are notoriously money pits due to the nature (hence, full take). Targeted surveillance will ALWAYS be far more cost efficient than blanket mass surveillance.

link
guest0914 2437 days ago
Can't it be automated?
link