Don't use VPN services.

vpn.md

Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.

• A Russian translation of this article can be found here, contributed by Timur Demin.
• A Turkish translation can be found here, contributed by agyild.
• There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two usecases where you might want to use a VPN:

1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using Wireguard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.

---

This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.

---

Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

I can see that you're an internet tough guy know it all

Cookies are sent in plaintext? Is this 2004? Vulnerabilities in SSL? XSS too for some reason?

Tell me you don't know what you're talking about without saying you don't know what you're talking about.

Web is shitty like that. If you're not using your corporate overlords' preordained DoH servers, you can't even get Encrypted Client Hello, due to the way browsers want to shove this shit down our throats. Let alone cookies and other metadata. XSS on the other hand, is a constant cat and mouse game. Threats get better and better at Cross Site Scripting while we try to block it. Google for example really loves to skirt around XSS protection in browsers and extensions. The only real defense against XSS is running no scripts at all, and good luck getting anything done that way on the modern web. Plus even that isn't an absolute defense.

This isn't a contest of who can copypaste the most buzzwords from wikipedia, and your little rant has nothing to do with VPNs.

This isn't a contest of who can copypaste the most buzzwords from wikipedia, and your little rant has nothing to do with VPNs.

You literally asked.

VPNs won't protect you from XSS, if you were wondering.

nukeop is a vpn shill who repeatedly got into trouble with Github for the offensive content she posted. Ignore her and she will go away.

nukeop is a vpn shill who repeatedly got into trouble with Github for the offensive content she posted. Ignore her and she will go away.

That thing's a girl? I thought it was a robot.

DNS traffic isn't encrypted either. You can see for yourself with 'ngrep port 53'. Just plain text.
But yeah, nukeop always has been like that.

I accept your concession.

Thought you said you were done. Can't believe a word you say.

DNS traffic isn't encrypted either. You can see for yourself with 'ngrep port 53'. Just plain text. But yeah, nukeop always has been like that.

However, sensitive info like passwords, credit card numbers, etc. is not passed via DNS, and one can use a DNS over HTTPS service to encrypt their queries.

Or just set up DNS over TLS in Unbound.

Some VPN services even offer their own DNS solutions in addition to tunnels.

Some VPN services even offer their own DNS solutions in addition to tunnels.

Yeah that's standard, as a proper VPN connection for any amount of privacy can't have leaks and can't get by simply tunneling a query to a public dns through their tunnel, it'd increase latency noticeably. But also, that means the data broker running your Virtual Public Network sees the queries even if you manage to encrypt your metadata.

And let's not pretend proxies run by data brokers aren't viewing that data.

And of course, between fingerprinting, SSL stripping (standard VPN grift), and cross site scripting, your attack surface just isn't lessened by a public proxy.

And of course, between fingerprinting, SSL stripping (standard VPN grift), and cross site scripting, your attack surface just isn't lessened by a public proxy.

Yet nobody ever thinks as to what is in those VPN client apps or whether they reconfigure your clients to accept MITM keys.

What "data broker"? We're not talking about public proxies here though.

What "data broker"? We're not talking about public proxies here though.

Unless you're talking about setting up a VPN back to your home network, and not a VPN service, you're talking about a public proxy marketed as a VPN, or as I like to call it, a Virtual Public Network.

We're not talking about that, that's just you confusing nomenclature. A VPN is very different from a public proxy, don't be intentionally obtuse.

We're not talking about that, that's just you confusing nomenclature. A VPN is very different from a public proxy, don't be intentionally obtuse.

A VPN or a VPN service? There's a difference.

Have fun with your sophistry

You just love shitting on yourself don't you nukeop

I have just visited nytimes website via HTTPS. Out of 12 cookies, 5 were without 'secure' flag, which means that they are being sent unencrypted, in clear text.

The secure flag only means that the cookie won't be sent unless you are using secure/https connection. If you enable HTTPS-only mode in your browser (or its policy), even not-secure-flagged cookies won't be independently sent insecurely.

If you explicitly navigated to a http:// site and accepted the prompt about connection not being secure, then the not-secure-flagged cookies would be sent in plaintext alongside everything else. A VPN wouldn't encrypt them between the VPN server and the target domain either.

Thank you for accidentally inspiring me to blog about browser policies to enforce HTTPS everywhere.

• https://aminda.eu/blog/english/2024/05/17/https-everywhere.html

The types of cookies that are sent without this flag don't matter anyway, they're usually simple user preferences.

@Mikaela
I read the blog, and thanks for clarifying about cookies. I just wanted to remind you that I responded in the context of nukeop claiming that HTTPS can be an alternative to a VPN on any WiFi network. I need to emphasize that HTTPS only encrypts web traffic, nothing else. A VPN encrypts the entire traffic between the user and the VPN server, so it does offer better security on a random WiFi network, provided the VPN server is trustworthy and configured correctly. Additionally, nothing stops anyone from using HTTPS-only over a VPN; these technologies are not mutually exclusive. Moreover, it is also possible to use a VPN inside another VPN with HTTPS-only.

@nukeop
User preferences are used for fingerprinting and tracking, so they do matter a lot.

What's your threat model and what data that isn't encrypted by HTTPS is a vulnerability for you?

Not encrypted by HTTPS: text messages, voice and video calls, VOIP, instant messaging, file sharing (torrent), metadata (timestamps, location information, device identifiers), some media streaming like Twitch, emails.

Ok, let's consider this point by point:

• Text messages: SMS protocol is not affected by VPN. SMS messages are not sent over the internet, so they don't touch wifi.
• Voice, video calls, VOIP, media streaming (Twitch): this is commonly realized by web sockets, and WSS lets you encrypt traffic with TLS as you do with HTTPS
• Instant messaging: usually realized via HTTPS
• File sharing (torrent): BitTorrent supports protocol encryption
• Metadata: there are many different kinds but those you named are parts of data sent over HTTPS
• Emails: depending on your client, will be secured by HTTPS between you and your email server, and the connection between your email server and the destination server is not affected by your VPN. GPG can be used to encrypt email

@sneer69 & everyone, please stop feeding the troll! I prefer to stay subscribed, but this conversation is driving me nuts.

nukeop is a vpn shill who repeatedly got into trouble with Github for the offensive content she posted. Ignore her and she will go away.

This.

You're free to unsubscribe and stop spreading made up false claims. I will also report posts with unhinged, fabricated information about me.

SMS messages these days are sent via the internet, not GSM. I'm just not sure if it's from the BTS or the local device.

Twitch sends streams via RTMP with low security.

TeamSpeak and Discord are also unencrypted by default, using proprietary protocols.

Most torrent clients send data unencrypted and share IP addresses.

Even if clients and protocols support encryption, it does not mean it is used for all traffic.

Overall, you are relying on each application you use to correctly implement encryption and take care of your privacy and security on a random Wi-Fi network, when their priority is delivery. This creates a significant attack surface.