@joepie91 /vpn.md
Last active Dec 15, 2017

Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPNs for their intended purpose; that is, as a virtual private (internal) network. It only applies to using them as a glorified proxy, which is what every third-party "VPN provider" does.

(A Russian translation of this article can be found here, contributed by Timur Demin.)

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (i.e. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.
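
To make the point above concrete, here is an added example (not part of the original post) that models which hop on the path can observe the client IP, the destination and the content, with and without a VPN provider and with and without TLS. The node names and the three fields are assumptions of this simplified model; DNS lookups and traffic-analysis side channels are not modelled.

```python
"""Added example: who on the path sees what, with and without a VPN provider.

Constructed model. Node names and fields are illustrative assumptions,
not measurements of any real network or provider.
"""
from dataclasses import dataclass

FIELDS = ("client_ip", "destination", "content")


@dataclass(frozen=True)
class Layer:
    """An encryption layer; hides `hides` from nodes strictly between start and end."""
    name: str
    start: str
    end: str
    hides: frozenset


def build_path(use_vpn, use_tls):
    """Return (ordered hops, encryption layers, relay node that rewrites the source IP)."""
    path = ["client", "local_network", "isp"]
    layers = []
    relay = None
    if use_vpn:
        path.append("vpn_provider")
        relay = "vpn_provider"
        # The tunnel ends AT the provider, so the provider itself is not covered by it.
        layers.append(Layer("vpn_tunnel", "client", "vpn_provider",
                            frozenset({"destination", "content"})))
    path += ["transit", "destination"]
    if use_tls:
        # TLS runs client to destination; the destination address (and usually
        # the hostname) stays visible, only the content is hidden.
        layers.append(Layer("tls", "client", "destination", frozenset({"content"})))
    return path, layers, relay


def visibility(path, layers, relay=None):
    """Map every hop after the client to the set of fields it can observe."""
    result = {}
    for i, node in enumerate(path):
        if node == "client":
            continue
        seen = set(FIELDS)
        for layer in layers:
            if path.index(layer.start) < i < path.index(layer.end):
                seen -= layer.hides
        # Hops after the relay see the relay's address instead of the client's.
        if relay is not None and i > path.index(relay):
            seen.discard("client_ip")
        result[node] = seen
    return result


def plaintext_observers(use_vpn, use_tls):
    """Intermediate hops (everything except client and destination) that can read content."""
    path, layers, relay = build_path(use_vpn, use_tls)
    vis = visibility(path, layers, relay)
    return [node for node in path[1:-1] if "content" in vis[node]]


def report(use_vpn, use_tls):
    """Render one scenario as text."""
    path, layers, relay = build_path(use_vpn, use_tls)
    lines = [f"vpn={use_vpn} tls={use_tls}"]
    for node, seen in visibility(path, layers, relay).items():
        shown = ", ".join(f for f in FIELDS if f in seen) or "-"
        lines.append(f"  {node:14} sees: {shown}")
    return "\n".join(lines)


if __name__ == "__main__":
    for vpn in (False, True):
        for tls in (False, True):
            print(report(vpn, tls))
```

In this model the VPN only changes which intermediaries can read plaintext traffic, while TLS is what removes all of them, and the VPN provider is the one hop that sees both the client IP and the destination.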

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kinds of tactics, and combined with increased adoption of CGNAT and an ever-increasing number of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a user agent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two use cases where you might want to use a VPN:

  1. You are on a known-hostile network (e.g. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scare letters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (as is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own. I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndBox.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.

The post is fine but the headline is wrong. Especially since you clearly state valid use-cases for a VPN. So, yes, there are reasons to use a VPN. (Another use-case, probably covered in 2) is access to country-restricted services like netflix, bbc, etc). You just should never rely on a VPN to guarantee your anonymity.

nv-vn commented Dec 1, 2015

You just should never rely on a VPN to guarantee your anonymity

same goes for Tor or any other privacy service. you should always take as many measures as possible to prevent yourself from being tracked if you want to guarantee anonymity.

Owner

joepie91 commented Dec 1, 2015

@DynamicShitposter420 You're welcome to contribute to the discussion in a constructive manner (whether agreeing or not), but if all you're going to do is attacking me and trolling, then you can go elsewhere.

The post is fine but the headline is wrong. Especially since you clearly state valid use-cases for a VPN.

Yes, and this is intentional. My experience is that, whenever any claim is made of a VPN being even remotely usable for some use cases, people immediately assume that that includes theirs. This way, people need to read and understand the actual content of the article (and its described limitations and valid use cases) before drawing a conclusion.

Additionally, the concerns for "VPN services" remain applicable. You should still self-host your VPN.

I disagree, if the use-case is avoiding DMCA letters and alike. It's way too complicated to set it up in a way so it is not tied to your name. The vast majority of torrenters lack the ability to set up a VPS (let alone make sure it's anonymous) and run VPN servers securely. A VPN provider is the better solution.

Owner

joepie91 commented Dec 2, 2015

If you are not capable of obtaining a VPS anonymously, you are also not capable of obtaining a VPN anonymously, so this does not make a difference. It also still does not address the privacy concerns. If you just want to torrent and use a different service as a pincushion, then what you want is a proxy, not a VPN.

How does it matter that you're not able to obtain a VPN anonymously (we are talking about IP-address I suppose)? Your point in the original is that you're never anonymous to the VPN (which is why you shouldn't trust them). However, they don't pass on data to DMCA litigation companies (unless we are talking about HMA and alike who clearly state in their ToS that they log & pass on data).

As for proxies, how are they more secure? Also, please tell me where I get a 1Gbit proxy with unlimited traffic and ideally port forwarding, I'd definitely be using that.

Ok, but if you use TOR and VPN?

johwest commented Jan 11, 2016

A better solution is pay for use from usenet and torrents, so that you're no longer afraid of trouble.
Now VPN costs money.

How does using your own VPS help? It's still easy for someone to trace the IP to your VPS and then to you.

I think the take-away here is to not fool yourself into thinking that VPN is some sort of short-cut for Tor. In other words, don't fool yourself into thinking you're anonymous, and for the love of everything good and holy, don't think that your VPN will go to jail for your activities.

However, I use VPN services all the time (for example, https://freevpn.ninja). There are times when either:

  • I am behind a restrictive firewall, such as at a public library or a church.
  • I need to get into an internal network with other clients, such as my browser.

And I don't buy the argument that your IP address is not a valuable asset to trackers and ad companies. Some website owners block Tor, because they cannot get honest GeoIP lookups out of a client when the request comes out of a Tor exit relay. In fact, the whole point of Tor is to obfuscate your source IP address, while remaining encrypted between the Tor client and the relays.

However, as mentioned, don't have any false ideas about your security or anonymity when using VPN services. Understand the tech and your risks using the tech. That applies for anything, not just VPN and Tor.

1n1r2 commented Jul 16, 2016

VPN services have been bothering me since forever. This is the first article I have found to address my concerns.

Yes: VPN builds a secure tunnel
No: It does not protect my private communication
It's a giant keylogger on the net that I have given permission to steal my keystrokes.

It merely funnels the secure keystrokes through a proxy that can log them.

I think I'm safer logging in directly to secure connections ( https: ) to a specific site.

Talk me down, please. Why should I trust any single portal ( even if they do have multiple
connection sites ) to monitor my internet traffic ? Oh sure, it might be preferable in an
insecure environment like an airport terminal or coffee shop.

I trusted my employer's VPN while I was working, but I'm retired now.

Still looking for more articles or discussion to address my paranoia.

This makes absolutely no sense.

Do not use HideMyAss, Expat Shield, Hotspot Shield because they datamine/keep logs.

Do not use ProXPN, at 300kbp for free, you are going to limit your speeds to around 31KBs/s. Not only that but they do not use an open source client and the level of security is not confirmed to be completely secure.

VPNReactor is confirmed to have logs, but you are welcome to use it. They have a 30 minute time limit, then you have to wait another 30 minutes.

Do not use TOR or Ultrasurf, Although some software take advantage of it, these tools are meant for threatened bloggers, anonymous free speech and whistleblowing, not so you can download the latest Justin Bieber album.

Personally, I prefer to run my own VPN for $10/$15 a year using a cheap 128MB VPS from either Prometeus [the best] or Ramnode. You can also use it for other such as running a very small seedbox or web seed, or a tiny bittorrent tracker. The problem with this is that if you use legitimate details, the VPN could be traced back to you, but that's the same with VPNs that use a dedicated IP address who will cut you off, but using a shared IP address could mean a couple of software conflicts.

I wish more input would come in on that nice thread..
I totally agree with https://gist.github.com/joepie91/5a9909939e6ce7d09e29#but-how-is-that-any-better-than-a-vpn-service
But then again, VPS providers such as DO or Linode do have your IP address and logs, which is enough for any warrant to fuck you up.

Rich700000000000 commented Sep 20, 2016

You're still connecting to their service from your own IP, and they can log that.

two paragraphs later:

Your IP address is a largely irrelevant metric in modern tracking systems.

Also:

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own. I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndBox.

Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

  1. So let me get this straight: VPNs aren't anonymous, so I should give my credit card to Digitalocean instead?
  2. Statistically speaking, it is more likely that a VPS provider will give you up if a cop so much as glances in their direction, whereas a reputable VPN company will at least attempt to push back.
  3. Most all VPS providers are anti-p2p, which is what most people use a vpn for.
  4. Go on, find me a VPS with unlimited bandwidth, forever. I'll be waiting.

I think your main problem is that you're mixing up threat models. If I wanted total anonymity, I'd have a laptop with the usb ports hot-glued shut in an anti-EMP bag under my bed, running Tails off of a flash drive, only connect to wifi stolen from the neighbors with a yagi antenna two meters across, use tor AND run my own tor relay so that they couldn't determine the origin of the traffic.

But I don't want to do that. I want to read FanFiction without being judged by the sysadmins at Comcast. Which is why I have a VPN.

Also, you are NOT going to stand there and tell me that EVERY VPN SERVICE IN EXISTENCE is a honeypot. That's not a safe assumption, that's stallman-meets-alexjones paranoid. Do you know how much that would cost? How complex that would be?
There have been court cases:

https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/

And all they could do was shrug their shoulders.

Also, ever heard of a Warrant Canary?

TLDR: FUD 0/10, FUD with rice 0.01/10

Con7e commented Nov 30, 2016

I agree with @Rich700000000000 .

The question here is: who can you trust more, your ISP or your VPN provider? Your ISP must not be trusted by default (especially now in the UK), hence a decent VPN provider is your best bet, the "lesser of the two evils".

gwigz commented Dec 1, 2016

What about plausible deniability, with a shared IP?

jameshadley commented Dec 30, 2016

I'm glad you're shining a light on public ignorance around VPN/proxy services but I don't agree that VPN services are useless. Most large/popular sites now use/require TLS and it is often the case that the visitor would prefer that the VPN provider were able to see the packet headers than their own ISP.

Why? Your own ISP have a lot of other information about you and, especially in the UK, are relied upon to supply the Government with personal information. It is less likely that a VPN provider would immediately divulge metadata to a government to which it does not answer - and it has less personal information about its customers than the residential/commercial ISP.

Sure, setting up your own is better in some ways. In others, it's not. For example, a commercial VPN will share IPs so it's harder to correlate packets leaving your home/office connection with packets arriving somewhere else. That said, for most people, the overwhelming feeling is expedience. When you have a full time job, a family and so on, a commercial VPN means one less thing to worry about.

Actually, I would not be surprised if several of the large, well-known, well-funded US-based VPN services are honeypots. But of course, there is plenty of choice and a bit of research can go a long way.

Never had a vpn and I've been sharing files for a long time, never had a summons from the MPAA or any other agency, never set foot in a court. Logically these snoop agencies can't monitor everyone's activity, it would cost a fortune. The cases where people have been taken to court for file sharing are few and far between in the UK where I live, I feel many of these VPN services are sold on a fear factor. UK ISPs will surrender your personal details if threatened with a court summons, proving that you were the person responsible for sharing the file is the difficult part.

tsjnachos117 commented Jan 5, 2017

I do agree with many of the points made in this article. However, I'm not so sure it's a good idea to reject VPN services altogether. Rather, it seems to me like a better solution is to use VPN services with caution.

There are advantages to using a VPN over a proxy. For one thing, since VPN providers usually have their own websites, it's usually not too hard to find a privacy policy (although, as pointed out in the article, verifying that the provider is doing what said policy says is nearly-impossible). Whenever I search for a proxy, I'm usually greeted with a webpage, which in turn is just a list of IP addresses and ports (presumably from third party servers). Tracking down each address to find anything resembling a privacy policy is far too complicated for many users. On top of which, there might not be any such policy to find, so it's really hard to know what's being logged, and what isn't.

Most VPN providers like to brag about the encryption they use. Although it can be hard to know for sure what encryption is actually being used (many providers like to say "advanced" or "military grade" without really specifying which encryption method is actually being used), that's still better than many proxies, which might not be using any encryption at all. (PS: avoid using old protocols like PPTP. PPTP is particularly bad, since it only supports a few encryption techniques, all of which have become outdated. I generally recommend OpenVPN.)

Also, since proxies don't route everything (only apps configured to use said proxies), there's no guarantee your browser's extensions (Java, Silverlight, Flash, etc.), which are often run in separate executable processes, will also be routed. If they are not routed, you can generally expect said extension to leak your IP address. On top of which, many browsers will leak the users' public IP address, even if you don't have any such addons installed. For example, Firefox is prone to WebRTC leaks, and DNS leaks. If you are using a VPN, Firefox will only leak your VPN provider's IP address, NOT your actual IP address (or, at least that's my experience on Ubuntu, when NetworkManager is set to create a virtual "tun" device).

Of course, hiding your IP address is only the first step in protecting your privacy. Hardening your browser is equally important. If you use a browser that supports a large number of addons (Mozilla Firefox, Google Chrome, Chromium, etc), you'll find plenty of privacy-enhancing addons like Privacy Badger, NoScript, HTTPS Everywhere (or as I like to call it, "HTTPS wherever possible, including pages that offer HTTPS, but for some reason refuse to use it by default". Doesn't exactly roll off the tongue, does it?), uBlock Origin, DecentralEyes (Firefox only), and a boatload of others. Setting your user agent to whatever the most popular OS is (probably Windows 7 at the time of this writing) can help you blend into the crowd. It's also a good idea to get a canvas-blocking addon to prevent canvas fingerprinting. Last but not least, make sure to wipe your browsing info regularly. This is especially true for cookies, offline/HTML storage, and LSOs (aka "Flash Cookies"), as this information could easily be used to identify you.

As a final note, I'd like to mention the fact that all the privacy protection in the world won't mean a thing if you don't use said protection wisely. The TOR project, which aims to provide privacy through encrypted proxy-like relays (which, in turn, can be hosted by anyone who's willing to donate some of their bandwidth), has a very good list of DOs and DONTs, which can easily be applied to VPNs as well. Essentially, you compromise your privacy protections by identifying yourself (typically by clicking the "login" button) to a website, especially privacy-invading sites like Google and Facebook.

How about Open Source & Decentralized VPN? What do you think - would it help solve at least part of the problem?

arkbg1 commented Jan 25, 2017

Could you recommend any proxies? I'm asking for a friend.

Trauma7 commented Feb 15, 2017

He is absolutely correct! I am speaking from experience. From being betrayed by over a dozen of them. From the highest to lowest priced and recognizable free ones. If you are being stalked or tracked, an employee in an internet service provider ( any one they find you connecting to ) can and will betray you with the name of the VPN you are using. Then they move on to the VPN to betray you, with either two types of paper if you know what i mean. Do not listen to the lies! All VPN's have the ability, can and to monitor your connection to them.

Trauma7 commented Feb 15, 2017

The last should read; can and will monitor your connection to them. Even to the point of knowing the mac address of your device when you try to log on with a ISP unbeknownst to them.

k0nsl commented Mar 3, 2017

LOL, @nukeop.

Let's not forget to mention about how VPNs beg you so hard to pay them
It's very rare to find a free VPN
Every free VPN contains MB at the end all want you to pay money.
Seriously is there other way to stay secured?

@ghost

ghost commented Apr 5, 2017

I always thought the concept of a "VPN provider" was a bit of an oxymoron. I'd argue the most commonly intended implementation of a VPN is to bridge two private (trusted) networks over an insecure network, as opposed to knowingly letting some guy MITM all your traffic.

farinspace commented May 5, 2017

Excellent read, highly recommend that anyone who stumbles upon this page, go back and wade through the comments:

see: https://gist.github.com/joepie91/5a9909939e6ce7d09e29#gistcomment-1838431
see: https://gist.github.com/joepie91/5a9909939e6ce7d09e29#gistcomment-1963364
see: https://gist.github.com/joepie91/5a9909939e6ce7d09e29#gistcomment-1959840
see: https://gist.github.com/joepie91/5a9909939e6ce7d09e29#gistcomment-1637023

Your computer communicates in many ways you likely are not even aware of, email checking in the background, twitter checking, auto Facebook heart beat, apple server heart beat, iCloud pinging, browser logged into different services, etc. etc .. connecting with a VPN at a software level or even at a router level still exposes these communications on the same "line" you think is private. You likely need an entirely new device, purpose based, not associated with your identity ... and also consider from which network you establish a connection from (e.g. your ISP).

Additionally keep in mind that timestamps and IP addresses will both likely lead to the tracking down of accounts that are associated with your VPN or VPS leading to your identity.

As @jameshadley mentioned, many of these so-called secure VPNs could very well be honeypots.

As @joepie91 mentioned if you are not able to obtain a VPN, VPS anonymously there exists enough data to trace back to your identity.

I disagree, if the use-case is avoiding DMCA letters and alike.

This has been my use-case as well. I've also found it useful to access pages otherwise restricted by country, such as streaming South Park from their official page. Not interested in security or anonymity.

I was considering a VPN service because I generally tether my pc to my phone and use my phone's unlimited data since the ISP's in my area suck so much donkey ass. I ran my unrestricted tethering data out then just used an app to tether it and prevent the bandwidth restriction from affecting me. Since the network congestion on my phone is basically non-existent my speed is pretty good compared to what I got from landline ISPs even after exceeding the monthly limit and being given lower priority. However, I'd very much like to avoid any unnecessary questions regarding my usage (lots of pc gaming). Would a VPN service help with that?

I would usually agree with you but there are many good services out there, you just need to know which one to choose from the myriad of providers, many are bad, many keep logs of what you are doing, but there a few of them that are quite reliable. Some even offer free trials for you to test their software before purchasing anything, i would advise you to look into some lists of the best vpn services in 2017 .

You all should check out Mysterium, an opensource and decentralized VPN. This definitely could solve the problem. It's equally built on a block chain technology @nukeop

blhyip518 commented May 30, 2017

I find many reviews at google search results. How much credibility do you think as they talk? such as this one.
Best VPN Services of 2017 – Top VPN in the World
https://itday.com/vpn/best-vpn-services-of-2017/

You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM)

This is now increasingly becoming a problem where ISPs are being handed the power to do whatever they like with their customers' metadata. If you're in the position of having no choice but to use an ISP that has this power and you're in doubt as to whether your usage data is being sold, monitored or you're being traffic shaped due to what the ISP believes you're doing, this strengthens the case for using a VPN.

Legislation is moving to make ISPs hostile to their own customers and for the moment use of VPNs is not criminalized, but who knows how long this will be the case.

purchase a VPS and set up your own

This statement is a "stop, wait" moment because this is subject to exactly the same argument and consideration as But my provider doesn't log! and There is no way for you to verify that. Unless you own an entire data center and own all the tin and edge devices that the VPS depends on, there's no way to know if the VPS provider is retaining network logs or not. This presents exactly the same problem you have if you use a public VPN service - how can you fully trust the VPS host provider?

This gist is biased towards positing arguments against end users using VPN services and the issues in that area. However there's a whole other scenario that this gist doesn't touch upon at all: consider a business that is co-located with two branches that are connected via VPN technology for sharing sensitive business data between the offices. The business might use a regular ISP with static IPs either end or a private WAN circuit provided via some telecoms provider.

Clearly there's no commercial VPN service in play here in this B2B scenario, the VPN servers is / are hosted within the business on private hardware, the VPN technology in use will be a flavor of exactly the same VPN technology used by all commercial VPN service providers and in this case we have true end to end tunnel encryption. In this scenario it's 100% incorrect to make a sweeping generalization statement of "do not use a VPN" because this type of setup works and can be trusted.

Where does that leave us? For personal user use where encrypted tunneled traffic leaves the VPN and exits onto the internet I agree that the implementation and use of any VPN involves a certain amount of trust. Whether you use a public commercial service or you host your own VPN server on a remote VPS makes no difference to this fact. Whatever the type of VPN, the weak link is the part you don't have full control of - the part just after where the traffic leaves the tunnel and becomes regular non-tunneled / non encrypted traffic. In other words if you must use a VPN for general internet use, choose carefully before you put your trust in any provider.

For the record, for my own personal use case I lean towards a self hosted VPN as being the best option.

Personally, I am using Express VPN for last two years and I have never experienced any kind of problem till now. The only Trusted VPN service I would like to recommend. Express VPN providing me with best promising service. It is better to go safe and go for trusted VPN service and provide strong encryption rather than to wasting money on not so good VPN Service Providers. https://www.reviewsdir.com/best-encrypted-vpn-providers/

szepeviktor commented Jun 17, 2017

I lease a $3 VPS and use PuTTY as a SOCKS proxy. Firefox is set to use it.

Benefits:

  • continuous connection - don't have to wait for TCP to build up
  • datacenter networking and DNS resolvers
  • IPv6 access
  • fixed IP address

@1n1r2 https://gist.github.com/joepie91/5a9909939e6ce7d09e29#gistcomment-1827407

Yes: VPN builds a secure tunnel
No: It does not protect my private communication
It's a giant keylogger on the net that I have given permission to steal my keystrokes.
It merely funnels the secure keystrokes through a proxy that can log them.

While this is true for proxies (HTTP[S] proxies) because they have to "break" TLS encryption by design, it's not true for VPN software that configures a routing set on your PC to route all traffic over the VPN provider's servers. This happens on another OSI level than classic proxying, so with a VPN connection your traffic to the site you're logging into (Apple ID, Microsoft Account, whatever) is still end-to-end encrypted. You can validate this by looking at the TLS certificate when you're visiting the website.

muzikman commented Jul 12, 2017

How do I avoid the automated emails after I download torrents that are being watched? That's the only reason I wanted to use a VPN. I don't want to get busted downloading torrents directly.

I have been doing a lot of research on VPNs the past month. I tried a few out for free. Tried to trick some services to see if it worked and it did. I read some interesting information from PIA about DNS Leaking, etc..... Yes, of course they will tell you what you want to hear. It's a business.

If a VPN isn't what I am looking for to download torrents safely, is there anything that will?

Also - Is it true that ISPs will throttle your bandwidth based on the source/content? If so, wouldn't a VPN prevent this?

Thanks,
Matt

f1r4s commented Aug 6, 2017

Personally, i would love to be a bot in this fucking world and be one of Fast-flux network!

I think if Fast-flux techniques lead us to be using it as our proxy we will be in safe place... !

Then
How do you trust your vps server provider?
And what's more, how about the ISP for your vps server provider?

kamilla commented Aug 21, 2017

The post is interesting and does raise many valuable points and issues, but I still agree on more with touya-akira, atoponce, Rich700000000000 and other well reasoned arguments.

I wasn't so interested in my privacy before. I always thought that I wasn't doing anything that I wouldn't mind anyone to know. And if I did do something that I wanted to keep in private, I used TOR and other countermeasures to hide my online actions. I never thought that those anti-piracy letters that were already being sent in the US could be a threat at all here in Finland. And as you can guess, I was wrong. Anti-piracy-letter-blackmailers landed in Finland about 2-3 years ago in a big way. Lawsuits began to appear and even then I thought that those charges would never hold. I was wrong again. I was stunned to see the Finnish District Court gave a verdict where the defendant was sentenced as guilty and ordered to pay enormous amounts of compensation. (800 euros / one TV episode that he was downloading (or misclicked, the sentence based on still capture and no proofs of complete downloads or even sharing 1 byte were made at all)). Just a few weeks after that I got my first blackmail-letter from Hedman & Partners (the legal battle is still ongoing).

After the incident I started to search VPN providers and found very promising one, NordVPN (this is not a commercial! make your own decisions!), that at least promised to not log anything and offered other nice features, so I decided to try that. Now it's been almost 2 years without a single blackmail-letter. My friends with no VPN have got those letters and few of them even have had to pay the amount in court decision (or they didn't want to start a big legal battle against evil blackmailing companies, in which they couldn't be sure to have won here in Finland). So yes, VPN has done a great job for me and I keep trusting them way more than I would for example my ISP, that initially was the one who gave thousands and thousands of IP addresses and personal information to blackmailing companies like Hedman Partners. Thank god it was decided now year ago, that it is illegal to hand over thousands of IPs and identified data based only on IP address logs on the wiretapping-tool (that itself did and does share way more data than any individual as they have to join to torrent swarm to get any data).

I definitely trust my VPN more than I trust my government, for example. And when it comes to VPS and other self hosted systems, why on earth would you trust them more to not give your private information than a VPN provider that allows anonymous registration and payments? And even if you could get a VPS anonymously. The glorified proxy, as you see the VPN, offers more security because of its shared IP. And at least I haven't read any story about a VPN company (at least here in Europe) that would have given its customers' personal data and connection logs (if they even exist) to government officials or blackmailing companies. There are also some legal battles concerning the logging and they have all dried out to see that there were no logs, as others have already mentioned.

Of course VPN is not a magic tool to hide you or anything. You need to know what it is and what you are doing with it. Same goes for TOR and other privacy offering services. They are next to nothing when used incorrectly. But not all VPNs are evil, even if some of the free ones are. (Who even uses a free VPN and thinks that they are not trying to exploit you? I know, money is not a guarantee to make a service better, but still)

g33klord commented Sep 8, 2017

Here by VPN you mean "third party VPN service provider". What if I have set up my own VPN servers? With projects like Algo (https://github.com/trailofbits/algo) it has become very easy to set up your own VPN server.

I don't want my ISP to see what I am browsing.

tdemin commented Sep 10, 2017

@g33klord the article mentions this as a preferred way to do things if you still have to use a VPN. So, the article has got you covered. 😉

Nice article. I assume that there's really no such thing as anonymity on the world wide web. That being said, I do use a VPN so that I stop getting those warnings from my ISP.

I disagree. Using a VPN is safe especially when you use free wi-fi in public places and can be easily hacked. Here is an article which explains how VPN works https://vpnclientapp.com/blog/what-is-vpn/

I have used OpenVPN for several years, but now I think SoftEther is the best encrypted VPN protocol; here is a post discussing it:
https://privatevpnservice.com/softether-vpn/
And setting up a VPN by yourself on a VPS is easy, but I don't want to take my time to do it :)

notjoe commented Sep 30, 2017

Hey there,

VPNs are probably even worse than your ISP assuming you're not using a trusted VPN. Think about it for a minute. Your ISP has less to gain by stealing your packetz than a rogue VPN Provider.

I completely disagree with this article because after reading this article https://www.reviewsdir.com/why-use-a-vpn/ I became a lifetime user of VPN.

I'm in China and I wouldn't be able to survive without my VPN provider!!! It fully bypasses the Great Chinese Firewall, plus I can stream US Netflix et al. A lifesaver service! http://bit.ly/bestvpnchina

nf3 commented Nov 9, 2017

I wrote an article in this same vein on what are the important criteria in choosing (or not choosing a VPN as this original gist would recommend). My article addresses many of the points that this gist touches upon.
https://www.magnumvpn.com/vpn-providers.html

And like many of the commenters, I agree and recommend that TOR plus a VPN is the current best privacy practice in order to shield yourself from 3rd party eyes.

nukeop commented Nov 11, 2017

Article sponsored by the NSA

moti-safer commented Dec 3, 2017

Just protecting your Wi-Fi connection is a good enough reason to use a VPN.
About the logs - it's in the company's interest that users will be private, secured and happy.

Klinsen commented Dec 10, 2017

For me, a VPN is an important tool. In my country there are always restrictions to sensitive content which isn't all the time sensitive. If you want freedom on the net then a VPN is for you. On the other hand, it can even protect you from hackers. Yeah, hackers: https://www.bestvpndeals.com/can-vpn-protect-from-hackers/

emilyanncr commented Dec 11, 2017

There are quite a few analytical inaccuracies in this article but my primary issue is the statement that all VPN providers log traffic. That is simply not true. Recently, IPVanish, Private Internet Access and other VPNs have suspended operations in Russia because Russian laws conflict with their no-log policy. In a case in March of last year, the FBI subpoenaed Private Internet Access for their logs and PIA refused, stating:
“Our company was subpoenaed by the FBI for user activity logs relating to this matter,” London Trust Media Executive Chairman Andrew Lee informs TorrentFreak.

“After scrutinizing the validity of the subpoena and confirming it, we restated as we always do the content of our privacy policy and then we notified the agent that we do not log any user activity. The agent confirmed his understanding of our company’s policy and position and then pursued alternative leads.

“This report makes it clear that PIA does not log user activity and we continue to stand by our commitment to our users.” (https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/)
