[stonepresto]

Up front, I believe Mullvad is the best commercial VPN solution and is doing a great job at making good privacy more accessible.

However, a lot of the comments here seem to be hailing VPNs in general as the solution to privacy on the internet.

I would like to remind people that VPNs only really protect you against two things: your ISP and the endpoint. And that's assuming that your ISP isn't doing some shady analytics.

That being said, knocking those two things off the board is a huge benefit to privacy and absolutely should be done.

[morjom]

>..a lot of the comments here seem to be hailing VPNs in general as the solution to privacy on the internet.

..where?

[jtriangle]

Literally every youtube ad spot for any vpn that advertises on youtube heavily.

Which realize, is 100% of what most people think about VPN's, a nasty side effect of dishonest marketing.

[computerfriend]

But none of those YouTube ads are comments here.

[wwfredrogersdo]

> that's assuming that your ISP isn't doing some shady analytics

Can you elaborate on this? So ISPs often engage in tactics that thwart VPN usage? Which ISPs? What tactics?

[trevyn]

It is my understanding that many ISPs and backbone providers sell or otherwise disclose full detailed packet metadata, including precision timestamps, and that there are companies that aggregate this data across the entire Internet.

At which point your VPN becomes just another hop in the trace.

VPNs, no matter how secure they themselves are, are effective for accessing lightly geo-locked content and defeating unsophisticated analytics and tracking. They are really not a serious privacy solution in any sense, unfortunately.

[robertlagrant]

I don't understand this area well enough, I think. Doesn't a VPN encrypt the routing information that tells the packet where to ultimately end up? I.e. my ISP can see the traffic going to the VPN, but can't look inside it, and can't see where it goes from there?

[trevyn]

Correct, but the destination ISP chain (and of course the destination service itself) can equally see the traffic coming from the VPN, and if you have packet metadata (precise timing and packet sizes) from two sources on either side of the VPN, it is trivial to correlate those two streams.

[shrimp_emoji]

Note that Mullvad's WireGuard settings offer a "multihop" feature, meaning the VPN destination your ISP sees and the VPN endpoint the end service sees differ.

[wintermutestwin]

I'm not sure how that protects you though. ISP sees your traffic going into WG1. They know all of Mulvad's IPs, so isn't it just as easy to correlate that traffic when you exit through WG2?

/question from ignorance

[robertlagrant]

> VPNs, no matter how secure they themselves are, are effective for accessing lightly geo-locked content and defeating unsophisticated analytics and tracking

Circling back to this statement: aren't they also useful on public Wifi?

[bippihippi1]

the reason the uk wants an encryption backdoor is because it's expensive to do statistical analysis of encrypted traffic. there's ways to make it more difficult, but if you own the certificate that a tls endpoint uses you can just open it and reencrypt it for the destination. this is called break and inspect. if a vpn uses different certificates and is built well, there would have to be a flaw (spyware, vulnerability, etc) on one of the endpoints for anyone other than you and the vpn to read the encrypted data.

[rvnx]

Why would they even do so ? Large ISPs are public, so this activity would appear as extra revenue (if they sell traffic data) in their financial reports and annual reports.

The most likely is that ISPs are just respecting the local laws, and doing the minimum retention as required by the law (because more data storage = more costs),

and that their actual fear is that someone leaks this data and causes reputation damage, so they'd avoid storing anything if they can.

[mattlutze]

ISPs are also in the business of analytics [1, 2], and a significant percentage of customers hiding their traffic reduces the value of their analytic products.

1: https://www.bleepingcomputer.com/news/security/ftc-isps-coll... 2: https://surfshark.com/blog/isp-selling-data

[drpossum]

This view is extremely western, not all ISPs are obligated to show "financial reports", and "shady analytics" does not imply a user's complete network traffic record into perpetuity. And even if your arguments were valid, this is not limited to the ISPs financial gain, but surveillance which occurs in every country.

[mike_d]

> Why would they even do so ? Large ISPs are public

Ehh, not really. China Telecom for example is 70% owned by the State. You aren't going to be able to buy shares in Parsnet.

[bippihippi1]

for security, all dangerous malware runs on encrypted traffic

[axus]

https://en.wikipedia.org/wiki/Room_641A

[stjohnswarts]

those two are huge though, and part of any multilayered approach to security. I doubt if most people think "VPN and done"