Welcome to DU! The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards. Join the community: Create a free account Support DU (and get rid of ads!): Become a Star Member Latest Breaking News Editorials & Other Articles General Discussion The DU Lounge All Forums Issue Forums Culture Forums Alliance Forums Region Forums Support Forums Help & Search

CloudWatcher

(1,923 posts)
Sat Jul 18, 2020, 12:29 PM Jul 2020

Why should you trust *your* VPN???

VPN services sound like a great idea. Send all your traffic (encrypted) to a VPN server and they fan out to the internet at large. So someone snooping on your traffic (e.g. your ISP) won't see anything about you but traffic to and from your VPN.

But ... now you must trust your VPN provider, since they will have all your traffic flowing through them.

And a lot of VPN's are not local to the US. Many are hosted in unfriendly waters. They are obviously high value targets for state-sponsored (and random) hacking.

This article showed up today writing about several VPN services in Hong Kong. All of them advertise "no logs kept" ... and all of them are keeping logs. And even keeping them in publicly accessible places.

https://www.theregister.com/2020/07/17/ufo_vpn_database/

... seven Hong-Kong-based VPN providers – UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all share a common entity, which provides a white-labelled VPN service. And they were all leaking data onto the internet

... records of websites visited, connection logs, people's names, subscribers' email and home addresses, plain-text passwords, Bitcoin and Paypal payment information, messages to support desks, device specifications, and account info.


Security is hard, the fear is strong, and the combination makes VPN services a ripe field for fraud.
19 replies = new reply since forum marked as read
Highlight: NoneDon't highlight anything 5 newestHighlight 5 most recent replies
Why should you trust *your* VPN??? (Original Post) CloudWatcher Jul 2020 OP
Using a VPN marks you as being suspicious discntnt_irny_srcsm Jul 2020 #1
How does a vpn mark you as being suspicious? cayugafalls Jul 2020 #3
I use a VPN to access an internal work network discntnt_irny_srcsm Jul 2020 #7
Can you explain to a VPN newbie why I should use one. Ferrets are Cool Aug 2020 #17
Here is a basic guide to what a VPN is and how to use. cayugafalls Aug 2020 #18
Thank you! Ferrets are Cool Aug 2020 #19
Virtual Private Servers CloudWatcher Jul 2020 #4
A shame. When I worked for the telephone company, privacy of telephone communications whether... SWBTATTReg Jul 2020 #2
Voice calls. CloudWatcher Jul 2020 #6
There are solid VPNs out there, you have to research. cayugafalls Jul 2020 #5
Research how? CloudWatcher Jul 2020 #8
VPN COMPARISON douglas9 Jul 2020 #12
Close, but no. CloudWatcher Jul 2020 #14
You can't trust a VPN, or anyone for that matter Miguelito Loveless Jul 2020 #9
Ouija boards .... CloudWatcher Jul 2020 #10
Interesting. kag Jul 2020 #11
Browsing Experience Security Check (Cloudfare) douglas9 Jul 2020 #13
Nice CloudWatcher Jul 2020 #15
We are not abandoning Hong Kong douglas9 Jul 2020 #16

discntnt_irny_srcsm

(18,577 posts)
1. Using a VPN marks you as being suspicious
Sat Jul 18, 2020, 12:50 PM
Jul 2020

People worthy of suspicion are usually suspicious themselves and probably would use a VPN as a first line. Even if you find a VPN that really keeps no logs and is in a non-cooperating country, there's probably enough metadata collected which is likely precise enough to generally narrow down who your connecting with.

I'm not sure I would trust the VPS type doings either.

cayugafalls

(5,755 posts)
3. How does a vpn mark you as being suspicious?
Sat Jul 18, 2020, 01:01 PM
Jul 2020

Hundreds of thousands, possibly hundreds of millions of VPNs are being used currently to access work networks all across the globe during the pandemic. VPNs are everywhere. Hundreds of millions of connections per hour. Distilling the nefarious usage from the good is not something that would be worthwhile, except to maybe catalog all VPN connections and then parse them individually using a supercomputer to weed out corporate from personal.

I agree VPNs aren't perfect, but they are better than a raw connection to the internet if merely for the added protection from ads and marketing data collection. Just because someone uses a VPN does not necessarily mean they are a bad actor.

To each his own. I worked in IT for 30 years and VPNs are ubiquitous and used constantly. Fear or not, they work.

discntnt_irny_srcsm

(18,577 posts)
7. I use a VPN to access an internal work network
Sat Jul 18, 2020, 01:26 PM
Jul 2020

I have since 2007. I have 2 VPNs running from my home network for LAN access from the internet. I'm not grouping the traffic by protocol or port. I'm thinking of certain entities that would group traffic by the dozens or hundreds of IPs associated with certain servers. If you don't think governments are subscribing to VPNs for that purpose, think again.

I'm suggesting that the VPNs offering public service and promising anonymity may not be able to make you anonymous enough.

I infer that the Utah Data Center has exaflop machines with enough storage to hold about 1 TB of data for every IP address on the planet. I base that on info that's 2 years old.

Ferrets are Cool

(21,957 posts)
17. Can you explain to a VPN newbie why I should use one.
Sat Aug 1, 2020, 11:31 AM
Aug 2020

I wasn't even aware of them until recently. I do ALL my business on the interwebs and if it is worthwhile, I certainly don't mind another tax write off.

CloudWatcher

(1,923 posts)
4. Virtual Private Servers
Sat Jul 18, 2020, 01:04 PM
Jul 2020

I do manage a VPS machine for my own use ... as backup for the email server that I run and as a remote "place to stand" when I'm poking at the Internet. But yeah, I wouldn't trust them more than necessary!

I can't think of a reason to trust any VPN service. There is just too much useful information flowing through them to assume that they are secure and are going to remain secure.

The end of the article has some good advice:

The Register suggests savvy readers wishing to encapsulate at least part of their traffic may want to roll their own VPNs using Trail of Bits' Algo, Google's Outline, or WireGuard, all of which are open source.

Or use a VPN provider, and build into your threat model the fact it can see everything your ISP would otherwise be able to see.

SWBTATTReg

(24,085 posts)
2. A shame. When I worked for the telephone company, privacy of telephone communications whether...
Sat Jul 18, 2020, 12:54 PM
Jul 2020

delivered via land lines, or a virtual network, whether method, were absolutely hands off for monitoring (other than the normal flow of all traffic via that pipeline to ensure that the network itself was working aok).

Listening in on communications on the links themselves were absolutely a no no too. You would get fired (and you should be). We had it in our annual rules of business conduct we had to read and sign off on.

I truly respected the company (it was SWBT back then, now ATT) for its strict adherence to these guidelines.

CloudWatcher

(1,923 posts)
6. Voice calls.
Sat Jul 18, 2020, 01:13 PM
Jul 2020

Well, any student of the NSA will tell you that they have been vacuuming up all the calls they can get their hands on for decades.

James Bamford in 1982's The Puzzle Palace (*) reported that the NSA recorded everything they could get their hands on, and legally only considered it intercepted if reviewed by a person.

But the value of recording everything is much less if it's widely known that they're doing it!

cayugafalls

(5,755 posts)
5. There are solid VPNs out there, you have to research.
Sat Jul 18, 2020, 01:08 PM
Jul 2020

They work if you get the right one.

Hundreds of millions of VPN connections are made each hour around the globe during this pandemic in all sorts of business scenarios. There is a difference, though, in that these are point to point connections and thus more secure, but the technology is the same.

If your provider is in the right country and does not have to comply with logging requirements then your most likely safe. Payments to most providers can be made with bitcoin or even cash in a mailed envelope. You can create an email exclusively for your vpn activities not tied to any other email and thus you have an even smaller footprint.

If you feel the need to get a vpn, do some research, learn about them and make an informed decision.

CloudWatcher

(1,923 posts)
8. Research how?
Sat Jul 18, 2020, 01:29 PM
Jul 2020

Other than checking the hosting country, how exactly do you research a VPN? Google?

Being hosted in Hong Kong now makes you vulnerable to Chinese government snooping.

Being hosted in the US makes you vulnerable to our own government snooping.

Being hosted anywhere makes you vulnerable to the bad behavior of the people running the VPN ... either intentional or accidental (e.g. not keeping their systems secure).

Even if they're being run responsibly today, they will always be subject to the laws governing the host systems. Just look at what China is doing and what our government is trying to do.

I'm all in favor of VPN services run by corporations to get their employees safely into their internal networks. They have reasons to keep the system secure.

So of course, VPNs *can* work. But the commercial VPN services that sell to the public and are hosted in Hong Kong? Trust them?

I've been in IT on & off for 40 years. Since the Internet was still called Arpanet

douglas9

(4,474 posts)
12. VPN COMPARISON
Sun Jul 19, 2020, 04:44 AM
Jul 2020

Welcome to the VPN Comparison! This section is meant to be a resource to those who value their privacy, specifically those looking for information on VPNs (that isn’t disguised advertising). When I started down the path of retaking my own privacy, there was very little unbiased and reliable information with regard to VPNs.

https://thatoneprivacysite.net/#detailed-vpn-comparison

CloudWatcher

(1,923 posts)
14. Close, but no.
Sun Jul 19, 2020, 11:32 AM
Jul 2020

You'll note that all the VPN services mentioned in the article *claimed* they did not keep logs. And they all did.

It's tough to do a VPN comparisons when they lie to you.

CloudWatcher

(1,923 posts)
10. Ouija boards ....
Sat Jul 18, 2020, 02:45 PM
Jul 2020

Yes, fortunately ouija boards have not proved to be very useful!

I've long advised people not to put anything in email that they don't want to read in a newspaper someday. The same should be said today about anything you do on the Internet

douglas9

(4,474 posts)
13. Browsing Experience Security Check (Cloudfare)
Sun Jul 19, 2020, 07:32 AM
Jul 2020

When you browse websites, there are several points where your privacy could be compromised, such as by your ISP or the coffee shop owner providing your WiFi connection. This page automatically tests whether your DNS queries and answers are encrypted, whether your DNS resolver uses DNSSEC, which version of TLS is used to connect to the page, and whether your browser supports encrypted Server Name Indication (SNI).


https://www.cloudflare.com/ssl/encrypted-sni/

CloudWatcher

(1,923 posts)
15. Nice
Sun Jul 19, 2020, 12:52 PM
Jul 2020

Interesting link, thanks! Though I hadn't heard of 'encrypted SNI' before, it appears to be a reasonable idea, if not exactly taking the internet by storm.

In particular, if your web service is being hosted on a non-shared machine, then encrypted SNI buys you no additional security, since the IP address of the service is unique enough to determine the web server's identity.

But still, it's a step in the right direction.

douglas9

(4,474 posts)
16. We are not abandoning Hong Kong
Sun Jul 19, 2020, 02:37 PM
Jul 2020

On July 6, Chinese authorities forced through Article 43, a collection of new regulations that gave Hong Kong law enforcement sweeping online surveillance and censorship powers. These rules are an extension of China’s National Security Law, which cracks down on “separatism, subversion, terrorism and foreign interference.”

These laws give Hong Kong police the ability to put people in prison for sharing content online that the government considers “offensive” and foreshadow increased surveillance. There is little doubt the Chinese government will use these exceptional powers to crush Hong Kong’s pro-democracy movement and strictly curtail the freedom of expression.

In light of these developments, we have carefully considered whether ProtonVPN will continue to maintain servers in Hong Kong. After much deliberation, we have decided to keep our servers in Hong Kong, not only because we believe we can keep them secure, but also because we believe in fighting for Hong Kong.


https://protonvpn.com/blog/hong-kong-servers/

Latest Discussions»Help & Search»Computer Help and Support»Why should you trust *you...