Hacker News new | ask | show | jobs
by 0daystock 1507 days ago
Paradoxically, the most trustworthy thing you could do as a VPN provider is explain why most people don't need and won't actually benefit from a VPN. Outside of a few limited use cases (accessing location-restricted content, connecting to legacy services) and with almost-ubiquitous end-to-end TLS encryption deployed on the Internet, there's really not a lot of good reasons to use a VPN (and many good reasons not to). Reasoning about this in a transparent and objective way is something I've never seen VPN providers do, and for this reason I struggle with trusting them.
2 comments
__turbobrew__ 1507 days ago
DNS queries are still leaked (from most users) regardless of end-to-end TLS. There is of course DNSSEC and DNS over HTTPS, but those are not used by the majority.

Another use case you missed is downloading/uploading pirated/copywrited content. Good VPNs receive DMCA notices and throw them in the garbage.

You are right that VPNs are not useful for many use cases and they can give users a false sense of security.

link
easrng 1507 days ago
DNSSEC doesn't help privacy, it helps security.
link
tptacek 1507 days ago
You mean it helps record integrity. The "security" story with DNSSEC is much more of a mixed bag than that; there's a reason it's very rarely deployed in the industry.

You're definitely right to point out that DoH helps with the VPN DNS privacy problem and DNSSEC doesn't.

link
__turbobrew__ 1507 days ago
Yes you are right. I meant DNSCRYPT.
link
kfreds 1506 days ago
Thank you.

I disagree with your assessment of the use cases for a VPN. Just one example: Your IP address is often a great identifier, making a VPN or Tor a useful starting point for online privacy. This is more or less what we say on our website as well.

Based on your comment however I think you might find the follwing links to IVPN refreshing:

https://www.ivpn.net/blog/why-you-dont-need-a-vpn/

https://www.doineedavpn.com/

https://github.com/ivpn/doineedavpn.com

link
0daystock 1506 days ago
> Your IP address is often a great identifier, making a VPN or Tor a useful starting point for online privacy.

See, this is exactly why I don't trust you. This is used car salesman talk. IP addresses are only one minor tracking mechanism out of many which defeat obscuring originating IP by means of VPN altogether (canvas fingerprint, cookies, font/screen tracking, etc.) You're trying to say if I use a VPN, I get privacy because websites don't know my IP, but this isn't even remotely accurate. Do you explain this anywhere in your marketing materials? If not, it doesn't really help me, it just helps you sell the product.

link
kfreds 1502 days ago
> IP addresses are only one minor tracking mechanism out of many which defeat obscuring originating IP by means of VPN altogether (canvas fingerprint, cookies, font/screen tracking, etc.)

I agree. This is why I said "useful starting point". A user looking for browsing privacy needs to do more than just use a VPN or Tor. Obscuring your IP address somehow is necessary but not sufficient. This is what I meant.

Category: [Misunderstanding]

> You're trying to say if I use a VPN, I get privacy because websites don't know my IP, but this isn't even remotely accurate.

No, I said it's a "useful starting point". I did not say it's sufficient. I could have been more clear, but I was in a hurry when I wrote it.

Category: [Misunderstanding]

> Do you explain this anywhere in your marketing materials?

We do! On our landing page you are met with this:

"... a ... VPN is a good first step toward reclaiming [your right to privacy]."

Right below is a button ("What is a VPN?"), which leads to a page containing a header ("How a VPN protects your privacy"), which explains further:

"Using a VPN is a great first step toward protecting your privacy, but it's not the ultimate solution (we wish it was!). However, it's easy to improve your privacy ninja skills."

The quote above links to a guide explaining what is necessary to protect your browsing privacy: https://mullvad.net/en/help/first-steps-towards-online-priva...

Category: [Question]

With this reply I believe I have shown you that we (Mullvad) do "reason about this in a transparent and objective way", both on your website, and with people giving us feedback.

As an aside I think IVPN's approach might be more to your liking, but nevertheless none of your stated concerns apply to us. As I've shown above they came down to two misunderstandings and a question.

If you have any other concerns I'd love to hear them. I appreciate your feedback. If we only spoke with people who gave us positive feedback we wouldn't improve as much.

link
0daystock 1500 days ago
Essentially, you're giving people knives and saying you can be a chef, because knives are a "useful starting point". It's going to result in some cut up fingers and knuckles, for sure. Cooking is about a lot more than handling knives, but a knife seller won't really explain this, just as you haven't sufficiently done with VPNs.
link