[pedro_hab]

I don't understand why go after the VPN, I think most people don't use a VPN correctly.

What good is a VPN when multiple apps on your computer are phoning home?

If the law has a suspect IP, couldn't they just ask google, microsoft and facebook what accounts were accessed with that IP?

To use a VPN correctly wouldn't have to use a fresh OS and absolutely not login to any accounts connected to the IP you are trying to hide?

[KronisLV]

> To use a VPN correctly wouldn't have to use a fresh OS and absolutely not login to any accounts connected to the IP you are trying to hide?

Even then fingerprinting would still present an issue, even without explicitly logging in, with most browsers.

For example: https://coveryourtracks.eff.org/

Also have a look at this: https://www.amiunique.org/

So you might need to have a browser that lies and presents configuration information that is common enough not to be unique, probably an OS inside of a VM might be one of the possible starting points. Outright denying access to some of that might actually help identify you, but pretending to be a common setup might not even work that well.

I'm frankly not sure whether privacy on the web is even truly possible nowadays, at least without a lot of effort. Even with a VPN, I treat the web as something that is more or less "spying" on me regardless, in the metadata collection and storage sense.

[wing-_-nuts]

And if you do go out of your way to avoid fingerprinting, get ready for endless captcha prompts, automatic shadowbanning, etc as punishment

[swapfile]

>automatic shadowbanning

Yes that seems to be the case here on Hacker News as well as it seems like my submissions and comments don't show up unless I'm logged in. Let's see about this one.

[kevviiinn]

I see your comment just fine but iirc accounts with few posts might show up as dead

[ranger_danger]

Ever used creepjs? It's literally impossible to escape fingerprinting that actually works now. Also if you use not-Windows, no browser currently properly spoofs its javascript OS value, especially if queried within a WebWorker, so that alone makes you stand out way more just by not using Windows, at least until browsers make a way to spoof that too.

And the people that say "just disable CSS/JS"... guess what? Almost nobody does that, which makes you stand out even more!

[autoexec]

> So you might need to have a browser that lies and presents configuration information that is common enough not to be unique,

there are so many ways to fingerprint a user that trying to blend in with the crowd is pointless. If anything, it's better to have your browser present a unique fingerprint that regularly changes than to have to pray that you've somehow managed to avoid every single thing that could possibly flag you individually.

[jenadine]

I believe the "a fresh OS" makes fingerprinting useless.

[akyuu]

Not really. Modern web browsers expose a lot of information, such as your language, time zone, screen resolution, CPU and GPU details (number of cores, vendor, model...), etc. There's even <canvas> fingerprint which depends on your GPU driver version.

If you use a custom built desktop computer, you're going to have a pretty unique browser fingerprint because few people will use the same exact hardware configuration. On the other hand, if you use Apple hardware you'll look the same as other Mac/iPhone users. The other option is to use Tor Browser or Tails OS, but I don't think that's feasible for everyday browsing.

As other people have said, it's suprisingly difficult to have privacy on everyday browsing today. Personally, I blame Google. I believe they purposefully pushed modern web standards into maximum user data exposure for their own profit.

[steve1977]

So, one could think a solution would be to not use modern browsers. But then this alone makes you stand out again I guess.

Maybe VPNs should start to offer “browser anonymization” as a service.

[akyuu]

That's also surprisingly hard. Even assuming that every feature you need will work (which won't probably be the case), many popular websites as well as nearly all banking/shopping sites are behind Cloudflare, captchas or something else that doesn't like non-standard browsers at all. You will be automatically flagged as a suspicious user or a bot and will be prevented from accessing the site or be presented with tons of captchas. Google won't even let you access your account or Gmail.

At least that's been my experience. In fact, I've even encountered problems while using Chromium and Firefox on Linux, just because some sites didn't like the user agent.

In short, to use the modern web you need a modern browser, and modern browsers are very leaky and fingerprintable by design.

> Maybe VPNs should start to offer “browser anonymization” as a service.

The problem is that they'd need to render the website server-side and then serve it to you. That has their own problems, as the VPN provider now has total control of all web content you see.

That already exists, by the way: https://www.puffin.com/secure-browser

I'd say the most realistic options to avoid browser fingerprinting is either using Apple hardware or sandboxing the browser inside a virtual machine. And it's better to use Chrome because it has the most users by a large margin. Firefox, Brave and the new Mullvad browser do implement some anti-fingerprint mitigations, but they have few users so you'll stick out more.

[terhechte]

Use the VPN from a VM. You can also configure Mullvad to use socks so that it can only be accessed from Firefox (which has OS independent socks settings)

[metadaemon]

I was under the impression the socks feature no longer works, are you currently using it?

[pulpfictional]

I am, through the mullvad add-on.

[therein]

Take their wireguard config, change allowed IPs to include only the IP of their SOCKS gateway.

And then use the SOCKS proxy over Wireguard while nothing else on your system is routed through it.

That's the only way you'll get Mullvad "split tunnel" on OSX.

Edit: Should have replied to the sibling comment but I guess this will do.

[metadaemon]

TIL, thanks!

[S201]

It works the same as always for me on Linux with SSH port forwards.

[jaystraw]

you can start chrome-based browsers with a flag from the commandline with os independent proxy settings

[troad]

> don't use a VPN correctly

People have different use cases for a VPN. I use one because I travel a lot, and spend a lot of time on dodgy public Wi-Fi. Not because I’m living some Jason Bourne fantasy.

[kleene_op]

That's what Jason Bourne would say.

[causi]

Yeah. A commercial VPN that's demonstrated its record-keeping policy under subpoena is reasonably safe if your objective is pirating media. HN commentators act like the VPN target market is Sino-Iranian freedom fighters who split their time between rescuing Uyghurs and searching for a way to cure their magical curse that makes them dissolve into dust if Google can tell they did a search for good restaurants in the area.

Most people are just trying not to get a scary letter from HBO.

[autoexec]

> Most people are just trying not to get a scary letter from HBO.

It's safe to assume that VPN company operating in the US is compromised but I figure that three letter agencies aren't going to spoil their honeypot over some kid downloading movies and TV episodes, which just gives you an added layer of protection against raids while also preventing your ISP from selling your browsing history and avoiding DMCA letters which unfortunately can get you perma-banned from your ISP based on nothing but unproven accusations from unreliable 3rd parties.

[can16358p]

My country blocks many websites and I'm pretty sure spies users' traffic too.

I can use VPN to access the web freely and while VPN provider can also log my traffic, I trust it MUCH MORE than my country's government.

[sdrinf]

Briefly, law requires establishing probable cause, that _one_ specific person has done specific things, to underwrite search warrant. VPN IPs are shared between users, meaning any one of the ~X00 users sharing a single ip could be doing any number of things at the same time.

[formerly_proven]

Briefly, non-US jurisdictions are not US jurisdictions and have different standards and procedures.

[mthoms]

I think the comment was made under the assumption the user lives in a place with a reasonably fair legal system. Of course all bets are off if you don't.

[fareesh]

If an app phones home at 11:00 AM and the illegal act is at 11:01 AM wouldn't it narrow down the list of suspects considerably?

[robjan]

No, because at the same time x number of users have their apps phoning home with what appears to be the same IP

[ementally]

How can you be sure that you are the only one in your country not connected to the same IP address provided by a VPN server?

[therein]

Well if they have ISP flow logs, that'll be trickier because it will enable very granular inspection of the traffic and the timings of that traffic.

However if they are trying to cast a wide net and inquire Google and other service providers for it, that will lead to a lot of collusions and they won't be able to tell it is from country A because it is from the VPN.

[fareesh]

Are you sure x is sufficiently large?

[peer2pay]

When tunneling through a VPN ideally thousands of users will share the same exit IP. So even if all your apps "phone home" identifiable information there is no way to prove that whatever traffic "the law" is trying to pin you on actually originates from your machine.

Unless of course if the VPN keeps detailed traffic logs which is why that’s generally frowned upon.

[nextaccountic]

> What good is a VPN when multiple apps on your computer are phoning home?

The point of a VPN is that whenever an app phone home, they will do so through the VPN. Standard VPN configuration (which I supose the Mullvad client performs?) is to entirely disallow any traffic that doesn't go through the VPN

[Root_Denied]

You're missing the reason this is important - the companies that run those apps (spotify, facebook, steam, discord, etc.) will be able to correlate your VPN connection with your non-VPN connection, and tie those both to an app account that identifies you.

It means unless you've got a dedicated download/seed box running your torrent downloads, one that doesn't have anything else on it and never connects to anything without a VPN connect, it's possible to track you down way more easily than you would think.

[kelnos]

Another easier option is to run the VPN client and torrent client in a Docker container, with networking separate from the host machine. Then the only thing using the VPN is the torrent client.

[lofaszvanitt]

You put the vpn on a physical device (router), so there is no way to circumvent it on the os level.

[ementally]

If your ISP suspects your IP address (can see your are connected to specific VPN server) they can just contact top websites, example: twitter, facebook or google and ask them if there are any users connected with the same IP at given specific time.

[woofcat]

This is a confusing take to me. So my ISP which has my billing information is trying to find out who I am by calling Google? They know who I am.

The inverse is what you're trying to prevent. Service ABC has malicious activity and calls Google to ask which accounts are accessing from that IP address. However this has two main problems.

a) Why would Google give this info over willingly.

b) Most VPN's assign the same outbound IP address to multiple users. So it's not a 1-1 mapping.

c) People who are using a VPN for something malicious are not also signed into Google.. I'd think.

[autoexec]

It's not a 1-1 mapping but it can narrow things down to you and maybe a handful of others. If you're doing something like file sharing repeatedly over several days/weeks they can pull data for all of that time and when your IP is the only constant they'd know it was you. If they have only a handful of people it could potentially be, and they care enough they can seize and search the devices of everyone to find the person.

Also, you don't have to be logged into google for google to know who you are. If you're using windows, your OS is also phoning home constantly with identifying data. If you use steam, it's also phoning home. Run wireshark sometime and see how much your computer is sending to random servers without you doing anything or being "logged in".

[ementally]

a) If they are unable to identify the user by any means then this is their only resort and google is going to happily hand it over.

b) Depends on the country you are in. You might be the only one connected to a specific VPN server at specified time, this also answers point c.

c) Would be surprised. Have a read of this recent Affidavit https://s3.documentcloud.org/documents/23723268/pompourin-af...

[kijin]

a) This is why you go through the legal system instead of asking Google directly. Report malicious activity to a three-letter agency of your choice, and let them do the dirty work.

b) You can reduce the list of suspects significantly by correlating activity on multiple services from the same IP address around the same time.

c) You'd be wrong... especially since Google never really forgets who you are, even when you are not signed in.

[Darthy]

I assume you mean "If any opponent suspects your IP address..."

You can counter that easily. That's why you should use a multihop VPN.

[mindslight]

I personally use a bunch of VMs for web browsing, all with different exit IPs.

And yes, a lot of people use VPNs but don't use them correctly. But I'd rather help them to use them more effectively, rather than shout down that VPNs "don't work". And even when they're not used correctly, most people don't have particularly omniscient threats. And even imperfect use still helps everyone else by creating cover traffic, a fluid market for VPN services, and more evidence to websites that (IP-based) nagwalls hurt legitimate visitors.

[aborsy]

You use Qubes OS?

Otherwise, a lot of ram, CPU and storage might be needed.

[mindslight]

Actually no, just home-rolled with virt-manager. I can definitely see the advantages of Qubes, but at this point it feels like it would be a lot of learning and changes for what is mostly a similar system. And I don't think it would work for the servers/daemons I run either.

[aborsy]

Yeah, even getting that beast installed on a typical machine may not be straightforward. It has very specific hardware requirements.

[autoexec]

You're right that this is a huge problem with modem OS/software that's constantly phoning home, and people would be wise to avoid using those programs/operating systems when using a VPN to hide their identity. but many VPNs offer plausible deniability by assigning many people the same IP.

A request to MS asking for who had a given IP address at a certain time could return multiple devices in different countries/states/cities. Narrows things down significantly, but not always a dead give away.

[miohtama]

You want to use VPN in places like United Arab Emirates and China where there are issues with Internet traffic

- WhatsApp calls and such are blocked, you force to use the local crappy app by the local ruler’s cousin otherwise

- They will outright send a re-educator to visit you if you browser the web about the sensitive topics

[autoexec]

> They will outright send a re-educator to visit you if you browser the web about the sensitive topics

This also true if you post the wrong things to social media in Canada (https://northernontario.ctvnews.ca/sudbury-ont-police-say-yo...) and in Australia (https://www.youtube.com/watch?v=vWZ06UThHas) and in the UK if you post something offensive they'll outright arrest you. I'm sure I read an article at some point about someone in the US being questioned by police for posting a movie quote to social media, but I can't seem to find anything about it now, just finding tons of examples of police in the US getting in trouble for posting racists things.

[Kuinox]

To watch movies that are not licensed in your country, on legals platforms.

[tadfisher]

The point of a VPN-as-a-service is that many thousands of connections originate from that same IP, making it difficult to correlate individual connections to an identity.

[jorblumesea]

IP != user. You'd only narrow it down to 10k suspects or something.