by luckylion 2065 days ago
> Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

Wow, I didn't know VPN providers have broken SSL and can read all that traffic.

This was on the frontpage before. Are people just upvoting it for the clickbait headline without reading the points that are being made?

6 comments

The article isn't making that claim. Logging the traffic can for example mean storing CDRs for the connections. The kind of thing your ISP could also do, and in many jurisdictions is legally obligated to.

They could do per-flow logging of TCP flows (subscriber 89 made a TCP connection to 1.2.3.4:567 starting at 12:00:05, ending at 12:02:04, transferring 10kB up and 1MB down). In the worst case this would also include the TLS SNI, which is transmitted in plaintext.

Or they could do logging based on the endpoint (subscriber 89 transmitted 1MB from IP 1.2.3.4 in the 15 minute interval 12:00-12:15).
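The two logging styles described in this comment, worked through as an added example (not code from the thread or from any VPN provider): constructed flow records are turned into per-flow CDR lines and into coarser 15-minute per-endpoint totals, and a constructed TLS 1.2 ClientHello is parsed to pull out the plaintext SNI host name. The flow tuples, the hostname and the byte layout of the sample ClientHello are all constructed here; the point is that none of this requires touching the encrypted TLS payload, which is exactly the metadata exposure the comment is talking about.

```python
"""Metadata a VPN egress can record without breaking TLS:
per-flow CDRs, per-endpoint interval totals, and the plaintext SNI."""
import struct
from collections import defaultdict

# --- Part 1: flow records -> CDR-style log lines (constructed sample data) ---
# (subscriber_id, dst_ip, dst_port, start_epoch, end_epoch, bytes_up, bytes_down)
FLOWS = [
    (89, "1.2.3.4", 567, 1000, 1119, 10_240, 1_048_576),
    (89, "1.2.3.4", 443, 1300, 1350, 2_000, 50_000),
    (42, "5.6.7.8", 443, 1010, 1020, 500, 8_000),
]


def flow_cdr(flow):
    """One per-flow call-detail record, the fine-grained logging style."""
    sub, ip, port, start, end, up, down = flow
    return f"subscriber {sub} -> {ip}:{port} start={start} end={end} up={up}B down={down}B"


def interval_totals(flows, interval=900):
    """Coarser logging: bytes per (subscriber, dst_ip, 15-minute bucket)."""
    totals = defaultdict(int)
    for sub, ip, _port, start, _end, up, down in flows:
        bucket = start - start % interval  # start of the interval the flow began in
        totals[(sub, ip, bucket)] += up + down
    return dict(totals)


# --- Part 2: the SNI sits in plaintext in the ClientHello ---
def build_client_hello(hostname):
    """Build a minimal TLS 1.2 ClientHello record carrying an SNI extension.
    Constructed test input only; real hellos carry many more fields."""
    name = hostname.encode()
    # server_name extension body: list length, name_type host_name (0), name length, name
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                          # client_version TLS 1.2
        + bytes(32)                          # random (zeros; constructed)
        + b"\x00"                            # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01" # one cipher suite
        + b"\x01\x00"                        # compression methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                      # not a handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                      # not a ClientHello
        pos = 4 + 2 + 32                     # handshake header, version, random
        pos += 1 + hs[pos]                   # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hs[pos]                   # compression_methods
        if pos + 2 > len(hs):
            return None                      # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            data = hs[pos:pos + elen]
            pos += elen
            if etype == 0x0000:              # server_name extension
                if len(data) < 5 or data[2] != 0:
                    return None              # only host_name (type 0) is defined
                nlen = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + nlen].decode("ascii", errors="replace")
        return None
    except (IndexError, struct.error):
        return None                          # truncated record


if __name__ == "__main__":
    for f in FLOWS:
        print(flow_cdr(f))
    print(interval_totals(FLOWS))
    print("SNI seen on the wire:", extract_sni(build_client_hello("example.com")))
```

Both halves are what a passive observer at the egress can produce from headers alone; the TLS record payload after the ClientHello never needs to be decrypted. TLS 1.3 keeps the same ClientHello layout (with 0x0303 in the legacy version field), so the parser applies there too unless Encrypted Client Hello is in use.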

Well, he's not wrong. Traffic is far more than perfectly configured TLS.

DNS, SNI and mixed content are all insecure for the vast majority of users. You can learn a lot from HTTPS traffic.

I'm not sure I get your point.

If you think TLS is adequate to stop a VPN provider figuring out what you're doing, why isn't it good enough to stop the ISP/Government/evil coffee chain IT team?

It's good enough to stop the government from knowing what exactly you send, but not who you send it to. The VPN provider can know what servers you send it to, but that's usually not your threat model.

Short of using a VPN provider that's a front operation of the government you're trying to avoid, VPNs do a good job in adding a layer of protection. The proposed solution in the article (rent a VPS) does not, as the IP is unique to you and tied to your identity, and the hoster has no incentive to protect your identity.

Even if your content data are encrypted using TLS, your metadata will still be logged.

And metadata can be just as useful for violating your privacy as content data.

Or maybe they employed the principle of charity. The provider can see all your [encrypted] traffic [including from/to pairs].
They don't need to look in the content, they only need to check your DNS queries.
That is why one should use DNS over HTTPS, so to track your DNS queries they would have to track your requests at the DNS server.