by cpressland 1524 days ago
This thread seems to be full of people that use a VPN, I personally don’t as I find DoH + HTTPS to be enough.

Why do so many of you use VPNs?

5 comments

> I find DoH + HTTPS to be enough. / Why do so many of you use VPNs?

They solve different problems, and can be used together.

HTTPS encrypts the contents of packets between your browser and the server. Therefore it reveals to your ISP what service you are using and when, which also indicates where you are at that time (e.g., in front of your computer at home). And it reveals to the Internet service (e.g., Facebook, etc.) identifying information about your computer. That metadata - knowing what people are doing and when, and identifying information - is generally considered to be as valuable as the contents of their transactions.

VPNs encrypt everything between your computer and the VPN provider. That hides from your ISP and other intermediaries everything you do, other than indications of activity (though traffic could be your computer downloading an update, for example, without you being home). It hides some identifying information from the Internet service, such as your IP address, though your computer may communicate much more that identifies it. However, a VPN reveals to the VPN provider everything that would have been revealed to the ISP; you are merely shifting your trust from one vendor to the other (which is why HTTPS and VPNs are used together).

In a sense, a VPN provider becomes your ISP, including determining the apparent location of your computer - you can look like you are in a different country, which might change what DRM-controlled media you can access. (VPNs also are used for secure tunnels, for example by remote workers and by security-conscious network administrators.)

1) To simply make it harder for my ISP to see which websites I visit.

2) SNI sniffing makes some websites unavailable to me, so DoH isn't enough.

I’d never considered SNI sniffing. Great point. I’m quite fortunate in that the ISP I’m with (AAISP) is fairly privacy-first and don’t _appear_ to be snooping on me in any meaningful way.

That said, I can’t say the same for my phone provider.

> don’t _appear_ to be snooping on me in any meaningful way.

SNI is cleartext enough to be passively logged, so you never know. Maybe some government-mandated (or supplied) switch is logging them to some short-lived log file in case they ever need to pull your hostname history.

Note that SNI sniffing protection is in the works by encrypting the client hello[0]. While it's been in draft for some years now, Chrome has a lot of work being put into it[1], so hopefully it'll be done sometime next year with support within Cloudflare and browsers soon after.

0: https://datatracker.ietf.org/doc/draft-ietf-tls-esni/?includ...

1: https://bugs.chromium.org/p/chromium/issues/detail?id=109140... (comment 20 onwards)

But do you also trust your phone carrier? (I trust neither my ISP nor my phone.) Or when you're out on WiFi that isn't yours? It's a cheap way to add a little extra bit of security and privacy.

3) Even without SNI sniffing and DoH, some sites could be outright banned by IP, so you can't reach them anyway.

I have a shitty ISP that's slow when accessing many sites. It has a great connection to Mullvad servers though, so I can work around my ISP issues with a VPN.

My country also blocks many sites and requires ISPs to transparently route all DNS traffic to DNS servers that implement the government's block list. DNS over HTTPS is also really slow with frequent timeouts. I suspect they mess with popular DoH servers to discourage people from using it. Again, a VPN solves this.

I use it to watch my streaming service subscriptions while I'm traveling abroad.

I think DoH + HTTPS works well in concert with a VPN; they're not mutually exclusive. A VPN has a host of benefits, including relative anonymity, that go beyond encrypted egress to the public web.