from Hacker News

Don't Use VPN Services

by ductionist on 10/22/19, 5:40 PM with 257 comments

by thothamon on 10/22/19, 10:52 PM
While it's true that your VPN provider _may_ be lying about their "no logging" policy, at a minimum, you get additional layers of protection. Your source IP is masked. A subpoena would be required to reveal your source IP, and perhaps your VPN provider is telling the truth about not keeping logs. If your VPN endpoint is in a different country than your network endpoint, then the legal obstacles get even higher.
Surely you shouldn't depend on that alone. Tor would be a wise additional layer of protection, if applicable. But to suggest that you get no privacy benefit at all from a VPN is like saying your host may be compromised, so you might as well use regular telnet rather than SSH.
by linsomniac on 10/23/19, 12:06 AM
"... because the provider can see all your traffic!"
However, if you don't use a VPN: Your ISPs (Broadband, coffee shop, whatever) can see all your traffic!
20 years ago I passed ALL my traffic on my laptop through a VPN, I just happened to run my own. But back then much less of the standard traffic was encrypted. Now, pretty much all web traffic is encrypted. So that makes the VPN less of a concern, IMHO. Depends on what you're doing though...
There was this one time I went to Defcon. Installed a scratch laptop for it. The firewall on it would only allow DHCP and OpenVPN on the physical interfaces.
by tomxor on 10/22/19, 11:18 PM
I mention this every time this comes up but it's info worth spreading... "sshuttle", make any server into a VPN without VPN server-side software, this takes the pain out of doing your own VPN, gives you far more obscurity, lots of flexibility and in my experience it also performs much better - which I believe is due to the TCP deconstruct-reconstruct vs traditional VPN which does TCP over TCP. The only disadvantage is it's only for TCP (no UDP or multicast).
For routing all your internet it's as simple as this (on the client only, no server setup):
```
    sshuttle -r user@1.2.3.4 0/0
```
That's it... server requirements are met by almost anything, you don't need root access, but it does need python, which most distros have by default. Now you can use your own little obscure server, yes it's not invulnerable a VPS provider can still look at you if they wish, but it's far less of a target than a purpose built consumer VPN provider.
It's also far more powerful for slicing up and mixing subnets or only routing specific targets ... for example unblock a specific site, but don't re-route other traffic:
```
    sshuttle -r user@1.2.3.4 sci-hub.tw
```
[edit]
Minor issue worth mentioning, not to disappoint people trying this out - it's currently necessary to use the -x option to exclude the server itself from being routed on Linux, I think this is due to a kernel bug? which is a little annoying, hoping this will go away eventually. This is not relevant to BSD or Mac, although on Mac you have other kernel bugs to worry about in XNUs network stack.
```
    sshuttle -r user@1.2.3.4 -x 1.2.3.4 0/0
```
[edit]
As "icelancer" has pointed out bellow, please note that using your own server ties your activity to your identity more definitively if you are the only one using the server and you pay for the server in your name. Not being a purpose built consumer VPN makes it a less likely target through significant obscurity, however in the event it IS targeted, it's uniqueness will make it easier to associate activity with you via the VPS provider.
> This also ties your identity to a provider definitively. That's fine, as long as you tell people that's what is happening. A good consumer VPN that isn't a garbage one offers plausible deniability.
by unicornfinder on 10/22/19, 9:26 PM
This post makes good arguments, but there's a very real reason to use a VPN provider over your own server - plausible deniability. With a VPN your traffic is mixed in with many, many other users', whereas with your own server, any traffic coming from that IP can safely be presumed to be yours.
by bArray on 10/23/19, 3:26 AM
Other reasons you might want to use a VPN:
* Geoblockers - Much media content is blocked based on geolocation, specifically geolocation based on your IP. (Netflix, Youtube, etc.)
* IP blacklist - I know a few people that have inherited a blacklisted IP simply through unlucky ISP IP allocation.
* ISP logging - So not a hostile ISP, but one that actively tries to log your data. (If you live in Europe, this is almost definitely happening. Apparently in the US ISPs even sell this data.)
* Speed - A few people report being able to get a faster network connection. (I'm not entirely sure why this is the case, but I can imagine there being edge cases where this is possible.)
Setting up your own VPN is NOT solution to every problem mentioned here, especially if you want to switch server location on a whim or are not technically minded.
by juped on 10/22/19, 10:02 PM
The primary reason people use VPN services, which articles like this always fail to address, is best illustrated at this URL: https://iknowwhatyoudownload.com/
by vesche on 10/22/19, 9:24 PM
https://thatoneprivacysite.net/#detailed-vpn-comparison
Sure, you're always trusting a VPN at their word that they don't log, the above gives a detailed analysis of which ones you probably shouldn't trust. You can always host your own: https://github.com/n1trux/awesome-sysadmin#vpn
You can also VPN chain (l2iptables), tunnel over TLS, etc. That gist post is pretty dumb imo
by octorian on 10/23/19, 1:20 AM
This actually reminds me of an episode that happened to me many years ago. Back then, it was "web anonymizers" (not VPN providers) that were all the rage. These programs would maintain a database of open proxies, and route peoples' web activity through those proxies.
Well, I had Apache misconfigured just long enough to get picked up by one of these apps. For years afterward, my server logs were chock full of attempts at logging into various accounts via HTTP. I seriously had thousands of Yahoo! username/password pairs just sitting in plaintext inside my server logs.
by S-E-P on 10/22/19, 10:44 PM
> And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble.
Hmmm? If you don't have record of it, the courts don't do much, at least in the US. If they subpoena you, and you don't have logs, nothing ever comes out of it. Outside of fines and things of that nature.
> The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.
How do you think insurance works, or why airlines habitually overbook? A trivial word problem if you will: If you had 10,000 users, you were subpoena'd and only 100 users did anything worth prosecution, that's what. For one lawyer, drinking a $10 coffee (or two $5 dollar) every week day for a month. that's 20 days, $200 a month. $2,400 annually. Assuming in this example only 1% of your users need defending, that's 99% of your coffee budget you don't have to worry about! For 10,000 users, a yearly subscription pulls in about $1,200,000 (we aren't doing any adjustment for taxes and all that garbage). If 99% of your users are behaving themselves.. or at least not doing something bad enough for the courts to take notice (which in the digital age, things like piracy are white noise) that means you still have $1,188,000 to help you in those, typically blanket cases (i.e. a court case in which 20 of your users were downloading illegal movies, and MGM got really upset). Since if you aren't logging, these infractions are dealt with in aggregate usually, since it can't be quantified. So number of lawsuits < bad users.
That's not bad, if all your lawyers needed was coffee monthly, then you could support, with 99% of your users cash, 495 lawyers coffee for a year! more than enough coffee to defend your business. Don't forget you can still use the "blood money" you got to buy them coffee!
The basic principle behind my oversimplified, and somewhat tongue-in-cheek example was to remind you that insurance is a lucrative business. I wonder how they survive if your monthly cost for liability (up to $500,000) isn't $500,000 per month!?!
by danShumway on 10/22/19, 11:30 PM
Reposting the last response I gave when this article came up.
----
> Your IP address is a largely irrelevant metric in modern tracking systems.
I don't believe this for one second.
Your IP address on its own is not sufficient to identify you. That doesn't mean your IP address is not helpful in identifying you.
If you have Javascript disabled, it is a heck of a lot easier to identify you with a combination of an IP address, user agent, and OS than it is to identify you without the IP address cutting down the pool of potential visitors.
On top of that, if you're targeting me and do a geo-location of my IP address, it will get you within 5 miles of my house. That's close enough that you'll know which county I'm in, which with a few other easily-obtained pieces of information will let you pull up my voter registration, which will give you my exact street address.
Of course, you could mitigate this by setting up your own VPN on something like Linode, but unless you're regularly rotating IP addresses, you've just traded a pseudo-identifier that multiple people/devices share for a persistent identifier.
This argument comes up all the time, and I have never heard anyone explain it in a way that passes my sniff test. If you want me to stop using a VPN, you need to do a lot better than just claiming that IP addresses don't matter -- you need to show some kind of evidence to back that up.
----
Broadcasting your IP address to every website you've ever visited is a completely valid concern that gets hand-waved out the wazoo whenever this subject comes up.
I've sent bug reports to sites that publicly tied IP addresses to comments/accounts so anyone could track your movement patterns over time. Yes, that info can be useful to an attacker trying to deanonomyze you. Yes, that info can be used to link users together. Yes, that info can be used to narrow the pool of potential visitors so other fingerprinting techniques are more powerful.
It is blanketly ridiculous to claim that an approximate county-level geolocation isn't a useful data-point to attackers. If IP addresses weren't useful, the Tor project wouldn't be going to such lengths to hide them.
by alkonaut on 10/22/19, 10:01 PM
I use a VPN because I want a proxy, and for e.g iOS it seems a VPN is the easiest way to set up a proxy.
The article lists several reasons to use VPNs but isn’t the biggest one these days simply to circumvent geographical content limitations for online services such as video streaming? Nearly everyone I know has used a VPN service at some point, and if you asked any of the non-technical ones what it is they might say ”a think that lets me watch the game broadcast when I’m in another country”.
People want proxies and the VPN providers provide VPNs that work like proxies. I can’t really see the downside to using the VPN as a proxy?
by cracker_jacks on 10/23/19, 12:47 AM
A terrible summary of why VPNs are useful. Goes on and on about privacy with no mention of bypassing censorship. It must be nice living in a place where you don't have to worry about access.
There's no point in privacy without access.
by devy on 10/22/19, 10:10 PM
The title should be renamed to "Don't Use 3rd Party VPN Services".[1]
On-prem VPN deployments with solutions like AlgoVPN[2] from TrailOfBits is still very useful. Let alone mass majority of the the corporate IT's internal VPNs that is required for some workforces to perform their jobs remotely on public Internet.
[1]: https://gist.github.com/joepie91/5a9909939e6ce7d09e29#gistco...
[2]: https://github.com/trailofbits/algo
by icelancer on 10/22/19, 11:47 PM
"There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs."
This is demonstrably false; look at any VPN provider that was subpoenaed and unable to produce documentation.
by kryogen1c on 10/22/19, 9:52 PM
>Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.
This is a tautology. If you use it as a proxy, then its a proxy. VPNs arent for this, and so are bad at it.
VPN use case is either to securely leave a network (hotel Wi-Fi, airport wifi) or to securely get to a network (home resources, corporate resources). If you want a proxy, find a proxy.
by johnjungles on 10/23/19, 3:35 AM
What about just setting up your own VPN on a cloud provider or a raspberry pi? You’d still be responsible for the traffic flowing through but at least you wouldn’t have ISP logging, get around geoblockers, keep a secure connection in public WiFi’s, fantastic for devops people who want to have local connections for debugging networking things on aws/gcp/cloud providers, etc...
I think you mean that you shouldn’t think of a VPN as an anonymous traffic tool like they advertise.
by computerex on 10/23/19, 4:35 AM
What a myopic viewpoint. ISP's can and do sell customer data:
www.cnbc.com/amp/2017/03/28/congress-clears-way-for-isps-to-sell-browsing-history.html
It's doesn't take a logical leap to infer that a company whose entire purpose and business model is to provide anonymization as a service is less likely to sell out its own customers than the ISP's.
Yes VPN's can log despite claiming they don't. But the well known ones are highly incentivized to do as they claim because lying would destroy trust and would ultimately destroy their business. Governments are also more likely to target giant national ISP's than some VPN provider whose servers are in some very liberal and consumer leaning countries outside the US. Also securing your own VPS on the internet and managing it without getting pwned is well outside the expertise of most people and is probably not recommended.
by jchw on 10/23/19, 12:02 AM
Although I agree with the general notion, social proof and a good track record are not bad indicators. I will always recommend Mullvad if you are looking for a VPN service that is trustworthy. I think VPN services that advertise a lot are a little sketchier, though surely some of them must be decent... maybe PIA?
by tootahe45 on 10/23/19, 12:05 AM
Before anyone buys a vps from Lowend talk like he recommends, most of the providers on there are trash-tier and massively over-sell their services which is why they seem cheap but performance ends up very poor. And why would i trust a vps vendor with 10 customers over a VPN provider?
by badrabbit on 10/23/19, 4:21 AM
Use to have this view,now conceded that a vpn provider with good reputation and accountability is best. Your local ISP sell whatever data or inject whatever content thet desire,and your rights mean little if your contract stipulates they can sell this access to a 3rd party and this 3rd party can then resell analyzed or raw data to anyone including your own government. If you perform methodical risk analysis,you will find having the ability to damage reputation of your first-hop provider is an ideal leverage. Never negotiate from a position of weakness (e.g.: ISP or Tor exit nodes)
by bloody-crow on 10/23/19, 4:10 PM
Even if you assume that VPN provider is listening and analyzing all your traffic, it's still preferential to your internet service provider doing the same thing. Fost starters, the internet provider just knows more about you. You probably have a contract with them, they know your exact physical location and they have your SSN. A malicious actor from within internet provider having access to all this information could potentially blackmail you by revealing your porn logs to your spouse, or your unsavory private reddit history to your employer etc.
Second, your VPN provider could be in a different country, and that would make data mining your traffic slightly less interesting to them. It'd also make data acquisition via subpoena of some sort from your country slightly more bureaucratic.
Third, if you have reservations about your VPN provider, you can just cancel your account and go to a different one. Changing VPN providers takes 5 minutes, while changing internet service provider can take months, or in some cases might not even be possible.
by throwaway13337 on 10/22/19, 9:22 PM
This is silly.
Most people use VPNs to get out region restrictions.
These are getting more and more common due to local governments making laws that affect the whole internet - think GDPR - that individual site owners do not want to abide by so they block IPs. VPNs solve this very real problem for those still wanting access to the content.
They're also used for subverting content region licensing. For example, with Netflix.
by breatheoften on 10/23/19, 1:26 AM
Off topic but — anybody know a good/recommendable vpn service that supports MacOS without requiring third party software and which allows inbound access to the external ip associated with the service ...?
I need to ssh back to my laptop frequently because of some annoying restrictions with a service provider I use (heroku). I _can_ do shenanigans with ssh tunneling on a publicly accessible server I control - but it’s actually pretty annoying to work that way in my scenarios.
I’ve tried a few vpn services that offer “static ips” but the services I’ve tried filter inbound connections to that ip ... does anyone know a good vpn service that can effectively gives me a public IP address so I can make inbound connections to my developer machine while I’m random shitty coffee shop WiFi ...?
by smurda on 10/23/19, 6:06 AM
“remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble”
Disagree. It is always easier for the legal team to say, “sorry we don’t store the logs” as a way to absolve themselves.
by p0cc on 10/22/19, 10:06 PM
The title is misleading because the article focuses on using VPN providers to obfuscate traffic when this is one use case of VPN technologies. The gestalt types of VPN usage are:
* Remote Access VPN: Connect to resources on your corporate network. An example of this is you're in a coffee shop on holiday and need to access a corporate resource.
* Site-to-Site VPN: Connect networks on two sites together. An example of this is you're in a branch office and need to connect to a resource in HQ.
Note that VPN providers give you a limited Remote Access VPN to their network, which they control. They can do whatever they want to your now-decrypted traffic before they send it out to the internet. If you want to obfuscate your traffic, Tor is a better candidate.
by dontbenebby on 10/23/19, 3:41 AM
Being able to use airport wifi (or other public wifi) is actually a pretty big deal IMHO.
I really value not having to constantly leave my phone on, blasting my location to anyone who cares to ask.
https://www.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hu...
(I self host my VPN, so I'm fairly confident the provider isn't going to jeopardize their entire business model to add extra analytics. Sites I visit get the IP of the VPN, and conversely my ISP sees my traffic going to a random server in Denver. It's win-win.)
by otakucode on 10/23/19, 12:11 AM
>There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.
If the VPN provider has been ordered by a US court to produce log information, and they have appeared in court responding that it is not possible for them to do so as such logs do not exist, and the court has accepted this as true, that is adequate 'proof' in my eyes. It is something which puts them in the position of being extremely legally liable for in a way that advertising 'no logs' does not, since prosecution for false advertising is a joke.
by baby on 10/22/19, 11:15 PM
I agree with the content, but I would recommend dsvpn instead of the suggested solutions.
https://github.com/jedisct1/dsvpn
by linsomniac on 10/23/19, 12:14 AM
Aside: 15 years ago all of our employee laptops passed all of their traffic over our own VPN. One of my employees wanted to quantify how much having all our traffic go to our server space was slowing it down.
He ran a series of tests comparing latency and throughput of directly visiting sites on his home Comcast connection, vs. the VPN. Generally, the VPN was significantly faster.
I wasn't entirely surprised by this. Our facility had multiple high quality connections (Level-3, InterNAP), and one of those traffic optimizers that would add intelligence beyond just BGP.
by systematical on 10/23/19, 2:53 AM
The biggest value I've seen from VPNs is when certain networks block SSH. This happens to me all the time when staying in hotels. For my work I need SSH.
I've also had edge-cases where I need to obscure my country of origin. For instance, I couldn't stream Game of Thrones via Hulu/HBO Go this Summer while in Mexico. For some reason, Mexico is blocked. My VPN solved that.
For security? It's unlikely to help unless I am on an unsecured wireless network or something like that. Good read nonetheless.
by user4142 on 10/22/19, 11:48 PM
Now, with DoH, VPNs will be nore relevant if you don't trust our IPS.
Today, if you change you DNS to another resolver, your IPS won't bother because majority will not change and you can pass under their radar.
With DoH, IPSs will be forced to log filtered/mapped IP requests so they can keep doing whatever they're doing today with DNS queries.
So, when DoH matures, IPS won't see your DNS queries but it won't matter for them any more as they will be seeing all other requests
by exabrial on 10/23/19, 2:26 AM
> ... with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.
I know this is not a popular stance on HN, but ipv4 has built in casual anonymization, whereas ipv6 had built in casual identification. Both systems are defeatable, but what bothers me about ipv6 is that the invasion of privacy is the default.
Coincidentally, Google, Facebook, et all are pushing ipv6 very hard.
by davedx on 10/23/19, 6:38 AM
This reminds me of the “don’t use sms for 2fa” arguments.
by neumann on 10/23/19, 11:49 PM
This is focused purely on people who think VPN is for privacy/security. I use a VPN to get around geo-fencing - in Australia there is a lot of media agreements that mean you can't watch stuff here that is free elsewhere without paying for cable or a local streaming company. A small VPN with multiple exits so I can watch content that is free in the US and EU markets.
by terrycody on 10/23/19, 2:14 AM
This is BS, VPN is an legitimate service and many people rely on such services to do their things, it may pose some potential security issues, but in most cases, it won't cause big harm to you even when your credentials leaked.
Just try to use a very random username and password, payment can set to pay as a VCC or one time method.
by ComodoHacker on 10/23/19, 7:41 AM
Do random routing features like SecureCore of ProtonVPN add some value? I think they do in terms of anonymity.
by jacques_chester on 10/22/19, 9:18 PM
These arguments all assume that ISPs are more trustworthy than VPN providers.
One of these markets involves competing on security and privacy. One of them involves colluding on influencing FCC policy.
So even if a particular VPN provider is inept or corrupt, my expected return on the investment is higher than trusting TWC.
by sjy on 10/22/19, 10:00 PM
Can (2015) be added to the submission title? This hasn't been substantially updated since then.
by cookie_monsta on 10/23/19, 8:16 AM
A slightly less breathless analysis from Krebs (2017):
https://krebsonsecurity.com/2017/03/post-fcc-privacy-rules-s...
by bitL on 10/23/19, 3:09 AM
How about when you get a VPN from a country that has strong privacy laws due to bad experience with local snitches and which doesn't have intelligence-sharing treaty with any other country (including US) - like Romania. Wouldn't that be safer?
by Havoc on 10/22/19, 9:58 PM
I don't get how using a VPS is any better than just going without anything? It's got the exact problem as the VPNs...just shifts the end point.
Would there be any benefit in using a number of VPS round robin style? I've got access to a handful...
by nly on 10/22/19, 10:19 PM
I use a third party VPN service to get around the fact that my residence comes with broadband that hijacks all DNS and routes all HTTP (port 80) connections through a Squid...
I also feel sharing an IP with many other users adds to the level of anonymity.
by hansdieter1337 on 10/23/19, 12:37 AM
If you want privacy use TOR+VPN. TOR for anonymity, a VPN for a “clean” breakout IP. Oh, and make sure to pay for the VPN using a form of anonymous payment. And, make sure that your devices won’t give up your identity.
Anonymity is actually pretty hard...
by peterwwillis on 10/23/19, 1:12 AM
I need an IPSec VPN a couple times a year to get around network issues. Trouble is, when I need it, I can't connect to it to buy it, and I don't want to pay for it year round. Pay-as-you-go IPSec would be great.
by ru999gol on 10/23/19, 7:15 AM
that's an astonishingly idiotic argument, most of what he talks about also counts for your ISP too. They might log everything too and not tell you about it, but at least my ISP never made their whole business case around protecting my privacy.
And also what exactly would be their incentive in building up their infrastructure to facilitate this logging, do you have any idea how much storage space each VPN node in their network would need just to log everything?
And even if they were to log everything you are still sharing a IP with hundreds of other people making you less identifiable to at least the websites you are visiting.
100% FUD
by to-too-two on 10/22/19, 11:43 PM
I’m way out of my element here, but would it be plausible in the future for say, Firefox, to offer a simple and free VPN like service? Something in the vein of incognito mode (it’s UX simplicity).
by linsomniac on 10/23/19, 12:09 AM
I've always been amazed at the prices I see for the VPN services, they seem improbably low. Which makes me wonder where they make their money.
by sarah180 on 10/23/19, 3:03 AM
The author admits in comments that this is clickbait. Not much to see here except "the providers you trust might not be trustworthy."
by TomMckenny on 10/22/19, 11:32 PM
It would be nice if there were an independent auditing organization that could confirm an ISP's claims.
by readhn on 10/22/19, 11:33 PM
one thing that was not mentioned- your ISP logging your data. Too much of my data in my ISP's hands is not a good thing. I'd rather tunnel out through a "trusted" 3rd party server then give all my data traffic to Comcast or whatever.
by Iv on 10/23/19, 3:50 AM
I wholeheartedly agree and I am surprised to not see Tor mentioned as an alternative.
by badsavage on 10/23/19, 7:47 AM
Hehe, at least someone is talking about it. Online privacy is a dream in the 2010s
by drdrey on 10/22/19, 9:39 PM
Seems to be from 2015
by sarim on 10/23/19, 7:22 AM
Says a person living in a free democratic society...
by jaimex2 on 10/23/19, 4:27 AM
Fantastic post. I've long given up trying to explain this to morons paying for NordVPN and similar products.
by sidcool on 10/23/19, 5:05 AM
Is 1.1.1.1 a dependable VPN?
by _57jb on 10/23/19, 5:04 AM
If it is necessary
Run....your....own....vpn
by rhacker on 10/22/19, 10:09 PM
Use a VPN and a proxy.
by lugg on 10/22/19, 9:59 PM
"unless you are on a hostile network"
Which I consider my ISP.. no, I can't just change ISP, I live under five eyes. I don't get a choice.
This article is rediculous. It's just a clickbait title and a whole bunch of ranting saying the exact opposite.
by diminoten on 10/22/19, 9:23 PM
Wasn't this already recently posted?
Also, it's a terribly constructed article, genuinely terrible. Completely wrongly assumes a specific threat model that isn't accurate for the target audience.