[anarchodev]

What is the mis-selling exactly? Doesn't seem to me that they're saying using their VPN will make you impenetrable to dedicated actors with nation-state resources. VPNs do help maintain one small level of privacy (namely from your ISP), and if you're using one it's a good bet you'll be interested in other privacy concerns too.

There are a lot of VPNs with really bogus claims on their websites but I didn't notice anything appalling about this.

[djrogers]

> VPNs do help maintain one small level of privacy (namely from your ISP)

So you've transferred the lack of privacy from one company (your ISP) to another (your VPN vendor). Heck - look what happened to Onavo - facebook bought them and reaped a treasure trove of private browsing habits.

[danShumway]

I use DuckDuckGo for web searches. Technically, I've just transferred my lack of search privacy from one company (Google) to another (DuckDuckGo).

I would of course prefer a zero-trust solution, but absent that, can I at least avoid giving my data the companies that are openly spying on me right now? At least until we figure out how to make Tor scale better for normal usage like streaming/games?

Transferring trust is definitely problematic, but it's also a thing that we do basically every single day all the time, and it's only in the context of VPNs where I see people suddenly advocating that anything less than a zero-trust solution is useless. Zero-trust solutions are the exception when we deal with companies. Most of the time we're just moving/centralizing trust.

[buzzy_hacker]

Well your VPN has a commercial interest in keeping your browsing private.

[vokep]

That hasn't proved to be the case. Nor does it appear so anyways, they have a commercial interest to appear as though they are interested in keeping your browsing private.

[mrmuagi]

So run your own VPN, at least you can minimize the trust to yourself?

[iudqnolq]

A VPN hiding your traffic from the websites you visit relies on substituting the VPNs IP for your own. If you're your own VPN, your VPN's IP is your IP.

I've used self-hosted VPNs running on AWS LightSail to have privacy from wifi operators I didn't trust, but it doesn't work for higher levels of surveillance than that.

For example, if your VPN runs on a server with a dedicated or at least relatively persistent IP and you're the only one using it an upsteam of the server like an ISP or a network of sites could track you cross-site and use that data to deanonymize.

[remarkEon]

I don’t have the time right now to do this, but someone with it (and probably more technical experience than me in that field) should write up a no BS guise to what these popular VPN services really are offering. It’s been hard, over the last couple months especially it seems, to wade through all the new products these companies are constantly dropping in this space.

[jlgaddis]

Tom Scott recently made an video [0] you might be interested in. It's well worth the seven and a half minutes to watch it, IMO.

> I tried to write a more honest VPN commercial. The sponsor wasn't happy about it.

[0]: https://www.youtube.com/watch?v=WVDQEoe6ZWY

[remarkEon]

Thanks for this

[humblebee]

My naive understanding of these common service VPNs is they provide privacy (when properly configured) from a physical network. Otherwise they aren't much different than an IPS. Once on the other end, everyone still know who you are. They don't provide privacy on the internet.

[kossae]

Something like this may suffice: https://thatoneprivacysite.net/#simple-vpn-comparison

[falcolas]

Between TLS and DNS over HTTPS, the number of things an ISP can reliably discern from your traffic is becoming vanishingly small. Once the TLS SNI plaintext hole is closed, it becomes smaller still.

One can argue that IPs and ports matter, but if all the IPs you visit are in AWS (and their ilk) over 443 (including real time communication protocols), it becomes meaningless.

[JohnFen]

> but if all the IPs you visit are in AWS (and their ilk) over 443 (including real time communication protocols), it becomes meaningless.

Perhaps, but what about all the traffic that doesn't go to AWS or use port 443? The vast majority of my traffic doesn't do those things, and very probably won't within my lifetime.

[pixl97]

What exactly are you doing that isnt using TLS? That's not most peoples usage on the web.

[danShumway]

I apologize for a somewhat snippy comment, but the idea that VPNS don't really protect against bad ISPs comes up all the time, and it drives me bonkers.

> Between TLS and DNS over HTTPS, the number of things an ISP can reliably discern from your traffic is becoming vanishingly small.

A) While encryption is commonplace, not everything on the web is encrypted. The most recent stats I can find[0] say that about 3-10% of common web traffic is still not encrypted. If you're browsing more interesting parts of the web (ie, old forums and independent sites, and not just Facebook/CNN) your stats are probably worse.

B) Even if all of the websites you visit are fine, a nontrivial portion of native apps also don't use encrypted endpoints, because unlike on the web there were never native warnings or lock icons in a URL bar to force them to make the change.

C) Even if the server is using TLS, there are numerous attacks based around measuring packet delivery times and request sizes to figure out exactly which static pages of a domain you're visiting. This is why Linux package managers have widely dismissed HTTPS -- it provides no privacy for their specific use-case, because anyone can figure out what you're downloading just by counting how many bytes get sent to you.

D) So you just turn on DNS over HTTPS, right? Sounds good, except pretty much none of your native apps or dedicated devices like game consoles, e-readers, and smart-home appliances support it unless you're handling it on the network level. Even if you are doing DOH on your router, it's not uncommon for dedicated devices to bypass your DNS settings entirely. Even Google is guilty of this, for a long time you could not set a Chromecast to use a custom DNS server.

E) Even if you have DNS over HTTPS, you still need to worry about SNI, and encrypted SNI still has relatively low adoption on the web outside of industry-leaders like Cloudflare.

----

But let's assume that none of the above applies to you. You're connecting to a site that's using TLS 1.3 and supports encrypted SNI. You're using DNS over HTTPS. In that scenario, knowing the IP/port of the server you're connecting to can still be good enough to unmask the domain.

You do bring up this point, but then you kind of just skip over it.

> One can argue that IPs and ports matter, but if all the IPs you visit are in AWS (and their ilk)

But they're not. Yes, if every single site I visited had the same IP, I'd be fine leaking that information. But they don't all have the same IP. I visit plenty of sites that are being hosted on independent hardware, on Linode servers, and so on. Servers with unique, static IPs are not uncommon.

Not only is this bad advice in the sense that it just isn't true, it's also bad advice because it's tying security/privacy to centralization. We want people to host their own stuff online, we don't want everyone to be on AWS and Google Cloud. We want diversity of hosting.

----

Finally, although I understand you're only talking about ISPs above, it's also worth noting that the point of a VPN is not just to obscure your traffic from your ISP, it's also to obscure your IP address from the sites you visit. That's also an idea that gets regularly dismissed by a vocal subgroup on HN, who are apparently of the opinion that the entire TOR project is just a waste of time because IP addresses don't actually matter.

VPNs are not a perfect solution. They're arguably not a even a good solution. But the problem that they're trying to solve does exist. There are reasonable, strong arguments to make against VPNs: that they aren't magic, that they're deceptively marketed, that shifting trust can be problematic. "IP addresses aren't worth protecting", or "DNS is fine already", are not reasonable arguments.

[0]: https://transparencyreport.google.com/https/overview

[packet_nerd]

> VPNs do help maintain one small level of privacy (namely from your ISP)

I never really saw that as a VPN's main purpose. Far from cutting out the ISP, you now have 2 ISPs. One that can see "everything" and another that can make inferences about your habits by analyzing your encrypted traffic.

The job a VPN actually does really well is hide your IP from sites and services that you visit which reduces the information they have available with which to track you.