Why should you trust *your* VPN???
VPN services sound like a great idea. Send all your traffic (encrypted) to a VPN server and they fan out to the internet at large. So someone snooping on your traffic (e.g. your ISP) won't see anything about you but traffic to and from your VPN.
But ... now you must trust your VPN provider, since they will have all your traffic flowing through them.
And a lot of VPN's are not local to the US. Many are hosted in unfriendly waters. They are obviously high value targets for state-sponsored (and random) hacking.
This article showed up today writing about several VPN services in Hong Kong. All of them advertise "no logs kept" ... and all of them are keeping logs. And even keeping them in publicly accessible places.
https://www.theregister.com/2020/07/17/ufo_vpn_database/
... seven Hong-Kong-based VPN providers UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN all share a common entity, which provides a white-labelled VPN service. And they were all leaking data onto the internet
... records of websites visited, connection logs, people's names, subscribers' email and home addresses, plain-text passwords, Bitcoin and Paypal payment information, messages to support desks, device specifications, and account info.
Security is hard, the fear is strong, and the combination makes VPN services a ripe field for fraud.
discntnt_irny_srcsm
(18,577 posts)People worthy of suspicion are usually suspicious themselves and probably would use a VPN as a first line. Even if you find a VPN that really keeps no logs and is in a non-cooperating country, there's probably enough metadata collected which is likely precise enough to generally narrow down who your connecting with.
I'm not sure I would trust the VPS type doings either.
cayugafalls
(5,755 posts)Hundreds of thousands, possibly hundreds of millions of VPNs are being used currently to access work networks all across the globe during the pandemic. VPNs are everywhere. Hundreds of millions of connections per hour. Distilling the nefarious usage from the good is not something that would be worthwhile, except to maybe catalog all VPN connections and then parse them individually using a supercomputer to weed out corporate from personal.
I agree VPNs aren't perfect, but they are better than a raw connection to the internet if merely for the added protection from ads and marketing data collection. Just because someone uses a VPN does not necessarily mean they are a bad actor.
To each his own. I worked in IT for 30 years and VPNs are ubiquitous and used constantly. Fear or not, they work.
discntnt_irny_srcsm
(18,577 posts)I have since 2007. I have 2 VPNs running from my home network for LAN access from the internet. I'm not grouping the traffic by protocol or port. I'm thinking of certain entities that would group traffic by the dozens or hundreds of IPs associated with certain servers. If you don't think governments are subscribing to VPNs for that purpose, think again.
I'm suggesting that the VPNs offering public service and promising anonymity may not be able to make you anonymous enough.
I infer that the Utah Data Center has exaflop machines with enough storage to hold about 1 TB of data for every IP address on the planet. I base that on info that's 2 years old.
Ferrets are Cool
(21,957 posts)I wasn't even aware of them until recently. I do ALL my business on the interwebs and if it is worthwhile, I certainly don't mind another tax write off.
cayugafalls
(5,755 posts)Ferrets are Cool
(21,957 posts)CloudWatcher
(1,923 posts)I do manage a VPS machine for my own use ... as backup for the email server that I run and as a remote "place to stand" when I'm poking at the Internet. But yeah, I wouldn't trust them more than necessary!
I can't think of a reason to trust any VPN service. There is just too much useful information flowing through them to assume that they are secure and are going to remain secure.
The end of the article has some good advice:
Or use a VPN provider, and build into your threat model the fact it can see everything your ISP would otherwise be able to see.
SWBTATTReg
(24,085 posts)delivered via land lines, or a virtual network, whether method, were absolutely hands off for monitoring (other than the normal flow of all traffic via that pipeline to ensure that the network itself was working aok).
Listening in on communications on the links themselves were absolutely a no no too. You would get fired (and you should be). We had it in our annual rules of business conduct we had to read and sign off on.
I truly respected the company (it was SWBT back then, now ATT) for its strict adherence to these guidelines.
CloudWatcher
(1,923 posts)Well, any student of the NSA will tell you that they have been vacuuming up all the calls they can get their hands on for decades.
James Bamford in 1982's The Puzzle Palace (*) reported that the NSA recorded everything they could get their hands on, and legally only considered it intercepted if reviewed by a person.
But the value of recording everything is much less if it's widely known that they're doing it!
cayugafalls
(5,755 posts)They work if you get the right one.
Hundreds of millions of VPN connections are made each hour around the globe during this pandemic in all sorts of business scenarios. There is a difference, though, in that these are point to point connections and thus more secure, but the technology is the same.
If your provider is in the right country and does not have to comply with logging requirements then your most likely safe. Payments to most providers can be made with bitcoin or even cash in a mailed envelope. You can create an email exclusively for your vpn activities not tied to any other email and thus you have an even smaller footprint.
If you feel the need to get a vpn, do some research, learn about them and make an informed decision.
CloudWatcher
(1,923 posts)Other than checking the hosting country, how exactly do you research a VPN? Google?
Being hosted in Hong Kong now makes you vulnerable to Chinese government snooping.
Being hosted in the US makes you vulnerable to our own government snooping.
Being hosted anywhere makes you vulnerable to the bad behavior of the people running the VPN ... either intentional or accidental (e.g. not keeping their systems secure).
Even if they're being run responsibly today, they will always be subject to the laws governing the host systems. Just look at what China is doing and what our government is trying to do.
I'm all in favor of VPN services run by corporations to get their employees safely into their internal networks. They have reasons to keep the system secure.
So of course, VPNs *can* work. But the commercial VPN services that sell to the public and are hosted in Hong Kong? Trust them?
I've been in IT on & off for 40 years. Since the Internet was still called Arpanet
douglas9
(4,474 posts)Welcome to the VPN Comparison! This section is meant to be a resource to those who value their privacy, specifically those looking for information on VPNs (that isnt disguised advertising). When I started down the path of retaking my own privacy, there was very little unbiased and reliable information with regard to VPNs.
https://thatoneprivacysite.net/#detailed-vpn-comparison
CloudWatcher
(1,923 posts)You'll note that all the VPN services mentioned in the article *claimed* they did not keep logs. And they all did.
It's tough to do a VPN comparisons when they lie to you.
Miguelito Loveless
(4,667 posts)Two people can keep a secret as long as one of them is dead.
CloudWatcher
(1,923 posts)Yes, fortunately ouija boards have not proved to be very useful!
I've long advised people not to put anything in email that they don't want to read in a newspaper someday. The same should be said today about anything you do on the Internet
kag
(4,107 posts)Thanks for the heads up.
douglas9
(4,474 posts)When you browse websites, there are several points where your privacy could be compromised, such as by your ISP or the coffee shop owner providing your WiFi connection. This page automatically tests whether your DNS queries and answers are encrypted, whether your DNS resolver uses DNSSEC, which version of TLS is used to connect to the page, and whether your browser supports encrypted Server Name Indication (SNI).
https://www.cloudflare.com/ssl/encrypted-sni/
CloudWatcher
(1,923 posts)Interesting link, thanks! Though I hadn't heard of 'encrypted SNI' before, it appears to be a reasonable idea, if not exactly taking the internet by storm.
In particular, if your web service is being hosted on a non-shared machine, then encrypted SNI buys you no additional security, since the IP address of the service is unique enough to determine the web server's identity.
But still, it's a step in the right direction.
douglas9
(4,474 posts)On July 6, Chinese authorities forced through Article 43, a collection of new regulations that gave Hong Kong law enforcement sweeping online surveillance and censorship powers. These rules are an extension of Chinas National Security Law, which cracks down on separatism, subversion, terrorism and foreign interference.
These laws give Hong Kong police the ability to put people in prison for sharing content online that the government considers offensive and foreshadow increased surveillance. There is little doubt the Chinese government will use these exceptional powers to crush Hong Kongs pro-democracy movement and strictly curtail the freedom of expression.
In light of these developments, we have carefully considered whether ProtonVPN will continue to maintain servers in Hong Kong. After much deliberation, we have decided to keep our servers in Hong Kong, not only because we believe we can keep them secure, but also because we believe in fighting for Hong Kong.
https://protonvpn.com/blog/hong-kong-servers/