by Someone1234 1233 days ago
> only use it for data over a VPN

Unless you run this yourself, I don't understand why you or anyone thinks that adds to their data integrity. VPNs can be, have been, and are the subject of break-ins, and have their own agenda and/or government oversight.

People think that VPNs are this magical black box that makes you secure and private, because the YouTube ads told everyone so. The reality is that you are just adding an extra point of trust or potential failure. The needle has barely moved.

All while making performance, in particular latency, worse.


In the context of not trusting your ISP (the mobile provider in this case) a VPN provides a lot of security. You aren’t “adding an extra point of trust or potential failure”, you are choosing to trust your VPN provider instead of your ISP.
VPNs still have massive problems with network diversity. They often rely on a tiny subset of transit providers, usually just Cogent/HE/Telia, and some straight up all run on the same network, usually M247, while a carrier like Comcast has thousands of peering agreements and much more diverse routing. This means all traffic coming out of a VPN is viewable by a tiny group of network providers.

Sure, I would probably trust Cogent over Comcast, but the current state of the VPN market seems very stagnant in actually diverse network routing.

It's really hard to recommend a VPN for people who are actually privacy conscious simply because you're moving your data to a handful of transit providers that aren't put under nearly as much scrutiny as a normal consumer ISP.

HTTPS already provides the same protection. VPN doesn't add anything for that.

About the only meaningful feature VPN provides is presenting a different IP address to the server.

VPN provides negligible extra security for most people, while adding extra exposure.

VPNs are significantly better wrt protection than HTTPS.

VPNs create a separation between the client and the server (as you mentioned) so not only can the server (or those eavesdropping on the server's connection) not see the client's IP, those eavesdropping on the client can't see what services they are connecting to (other than the VPN).

Of course by combining knowledge from multiple sources you can still build a fingerprint but VPNs with sufficient utilization can serve as a mixer to obfuscate which users are taking part in which traffic. Doubly so if the VPN supports multi-hop routing where the client side VPN and the server side VPN are at different sites.

Really as long as you aren't leaking DNS and you use a reasonably secure + well utilized VPN, your client should appear as a black box that shouts opaque contents at a single server without leaking many details about the actual communication taking place.

Compare this with HTTPS + no VPN where only the contents are obscured and everyone eavesdropping (aka the ISP or anyone on the same network) can see every service you are connected to. That alone should be enough to fingerprint a given connection to a specific user.

I assume there's a sizable segment of VPN users who enjoy torrenting without DMCA letters catching up with them, FWIW. HTTPS doesn't help much with that.

I agree that VPNs are generally over-hyped, but they absolutely offer an increase in protection here.

ISPs have historically done slimy things like hijacking DNS, and HTTPS leaks tons of metadata like what sites you're browsing and for how long, and what user agents you have can easily be fingerprinted. And there are still too many IoT and mobile apps that don't strictly use TLS for everything.
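Several comments above make the same concrete claim: with HTTPS alone, whoever sits on the client's access path (the ISP, the mobile carrier, anyone on the same Wi-Fi) still sees which hostnames you talk to, through plaintext DNS queries and the Server Name Indication field of the TLS ClientHello; with a VPN, that observer sees only the tunnel endpoint. The script below is an added example, not code from any commenter, that makes this visible: it builds a constructed DNS query and a constructed TLS ClientHello, parses the queried name and the SNI out of them the way a passive observer would, and then shows the observer's view of the same flows with and without a tunnel. The IP addresses are documentation-range placeholders and the ClientHello is a minimal hand-built one, not a capture.

```python
import struct

# --- constructed sample traffic (not captured from a real connection) ---

def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Build a plain UDP DNS query for an A record (the kind a resolver-less client sends)."""
    labels = b"".join(len(l).to_bytes(1, "big") + l.encode("ascii") for l in qname.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set, 1 question
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS record carrying a ClientHello with an SNI extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0
    sv_body = b"\x02\x03\x04"                                       # supported_versions: TLS 1.3
    sv_ext = struct.pack("!HH", 0x002B, len(sv_body)) + sv_body     # unrelated ext the parser must skip
    extensions = sv_ext + sni_ext
    body = (b"\x03\x03"                                  # client_version
            + bytes(32)                                  # random (zeros, constructed)
            + b"\x00"                                    # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"         # one cipher suite
            + b"\x01\x00"                                # one compression method (null)
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# --- what a passive on-path observer can parse out of that traffic ---

def extract_qname(msg: bytes):
    """Return the queried name from a DNS message, or None if it cannot be parsed."""
    if len(msg) < 12:
        return None
    pos, labels = 12, []
    while pos < len(msg):
        n = msg[pos]; pos += 1
        if n == 0:
            break
        if n & 0xC0:            # compression pointer: not expected in a plain query
            return None
        labels.append(msg[pos:pos + n].decode("ascii", "replace")); pos += n
    return ".".join(labels) or None

def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if absent/truncated."""
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                     # skip client_version and random
        pos += 1 + body[pos]                             # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                             # compression_methods
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            edata = body[pos:pos + elen]; pos += elen
            if etype == 0:                               # server_name extension
                lpos = 2                                 # skip server_name_list length
                while lpos + 3 <= len(edata):
                    ntype = edata[lpos]
                    nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                    if ntype == 0:
                        return edata[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
                    lpos += 3 + nlen
        return None
    except (struct.error, IndexError):
        return None

def passive_observer_view(flows, vpn_endpoint=None):
    """Observer on the client's access network. flows: (dst_ip, dst_port, payload).
    With a VPN every flow is inside the tunnel, so only the VPN endpoint is visible."""
    seen = []
    for dst_ip, dst_port, payload in flows:
        if vpn_endpoint is not None:
            seen.append({"dst": vpn_endpoint, "name": None})
            continue
        name = None
        if dst_port == 53:
            name = extract_qname(payload)
        elif dst_port == 443:
            name = extract_sni(payload)
        seen.append({"dst": dst_ip, "name": name})
    return seen

# Constructed flows: a DNS lookup followed by the HTTPS connection it resolved.
FLOWS = [
    ("203.0.113.10", 53, build_dns_query("example.com")),
    ("203.0.113.20", 443, build_client_hello("example.com")),
]

if __name__ == "__main__":
    print("no VPN: ", passive_observer_view(FLOWS))
    print("via VPN:", passive_observer_view(FLOWS, vpn_endpoint="198.51.100.1"))
```

Without the tunnel the observer recovers `example.com` twice, from the DNS query and from the SNI; with it, both flows collapse to the tunnel endpoint, which is the "black box that shouts opaque contents at a single server" described above. The DNS half is also why the "as long as you aren't leaking DNS" caveat matters: a client whose resolver traffic bypasses the tunnel hands the first of those two names back to the access network even when the HTTPS flow is protected.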

We concentrated in one place the internet traffic of people who care enough about privacy that they are willing to pay for an extra service. What could go wrong!?

Yes, I know the trust requirement of VPNs and hear this all the time. I run my own VPN. The point is that the carrier has too little data to identify me.