@joepie91
Last active April 20, 2024 21:15
Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using a VPN for its intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.

  • A Russian translation of this article can be found here, contributed by Timur Demin.
  • A Turkish translation can be found here, contributed by agyild.
  • There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (i.e. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kinds of tactics, and combined with increased adoption of CGNAT and an ever-increasing number of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a user agent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two use cases where you might want to use a VPN:

  1. You are on a known-hostile network (e.g. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scare letters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (as is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using WireGuard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.


This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.


Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

@github-account1111

Ok, but if you use TOR and VPN?

That's worse than using Tor alone.

@gabsoftware

Another valid use case is to circumvent ISP applying QOS on specific ports or services. When something works better using a VPN, that's because your ISP was throttling your bandwidth. This is my main use of a VPN.

@jonas9105

The post is fine but the headline is wrong. Especially since you clearly state valid use-cases for a VPN. So, yes, there are reasons to use a VPN. (Another use-case, probably covered in 2) is access to country-restricted services like netflix, bbc, etc). You just should never rely on a VPN to guarantee your anonymity.

That's illegal.

@drbonesaw

Protecting your anonymity / privacy is not illegal, asshole.

@jonas9105

Protecting your anonymity / privacy is not illegal, asshole.

You clearly didn't read the comment (or this post).

  1. No. A VPN does not protect your anonymity or your privacy.
  2. Yes, it is illegal to use a VPN service to exploit country restrictions on services like Netflix, Amazon Prime, etc.

Maybe next time, read and think before you comment.

Best,
Asshole

@Firsh

Firsh commented Oct 2, 2021

Good writeup! I found the best use of VPN that was to set one up in my home network (Raspberry Pi). It's always on and whenever I'm on my phone and have a chance to use 3rd party Wi-Fi, I just connect to my free at-home VPN that I know is safe. I set this up from an airport in China where their great firewall blocked the sites I wanted, but not my home IP so I could SSH in and set it up :) When I actually needed one in a specific country I fired up a VPS and put OpenVPN on it. Depending on providers, shutting down the VPS and keeping it available on standby may not cost much, so there may not be a need to delete these in case they come in handy in the future. Some services offer regional pricing depending on the country of your IP, or restrict content. Car rentals, flight tickets, purchasing-power adjusted pricing, geolocation detection for VAT purposes, region-locked streaming, you name it. The last thing you want is to send money-related traffic through a randomass VPN.

ghost commented Oct 3, 2021

Do you combine it with Threema?

@atoponce

atoponce commented Oct 3, 2021

Threema is already end-to-end encrypted, so a VPN isn't getting you much. However, it also supports a web interface backdoor.

ghost commented Oct 3, 2021

Threema is already end-to-end encrypted, so a VPN isn't getting you much. However, it also supports a web interface backdoor.

Can you explain please 🤔

@atoponce

atoponce commented Oct 3, 2021

Explain what?

ghost commented Oct 3, 2021

However, it also supports a web interface backdoor. This, of course

@atoponce

atoponce commented Oct 3, 2021

Sure. This has been discussed at length by security experts and cryptographers. Here's some reading material:

The TL;DR boils down to this: unless you fully trust the web server and all of the administrators, or unless you are fully inspecting the source code on every page refresh, you cannot guarantee that the web client has not been compromised by malicious JavaScript. And even if you are inspecting the source code on every page refresh, the person you're chatting with might not be.

The solution of course is to not rely on JavaScript cryptography, but instead use local clients, but you can't guarantee that either with your contacts.

If I were a faceless government organization, and I wanted to compromise end-to-end encrypted communications, I would be interested in services with web clients.

@fredster33

Thanks. This is really nice.

More info that I've found helpful:

ghost commented Oct 3, 2021

Thank you @atoponce & @fredster33
Most helpful.

@atoponce

atoponce commented Oct 4, 2021

New article from Joseph Cox at Vice. The general advice to use a VPN service is outdated, and many are just actively dangerous (emphasis mine):

One risk is some VPN providers use self-signed root CAs, which allow the creator to read encrypted traffic coming from a computer. White said this is done in the pursuit of malware prevention, but that "is just a different way of saying 'intercepting your (otherwise) encrypted web and mail traffic.'"

https://www.vice.com/en/article/xgxnwk/you-probably-dont-need-a-vpn

ghost commented Nov 15, 2021

In my life, I've never seen someone using VPN to protect their privacy. Afaik, it's mostly used to lift geo-restrictions to access international websites.

@Locutus64

In my life, I've never seen someone using VPN to protect their privacy. Afaik, it's mostly used to lift geo-restrictions to access international websites.

You are a flat out liar.

ghost commented Nov 15, 2021

In my life, I've never seen someone using VPN to protect their privacy. Afaik, it's mostly used to lift geo-restrictions to access international websites.

You are a flat out liar.

Excuse me? You think I enjoy lying about such a thing? No one I've come across ever knew that privacy was even a thing.
Also, HTTPS itself will encrypt the whole website data, which means we're already pretty secure with your daily internet consumption.

@devasia2112

devasia2112 commented Nov 18, 2021 via email

@Naleksuh

Lol this disaster of a post is now on r/masterhacker https://www.reddit.com/r/masterhacker/comments/pz6hde/dont_use_a_vpn_guys/

@JimboUS

JimboUS commented Dec 12, 2021

As I stated above:
"EXACTLY!
It all depends on what your threat model is and who is going to target you.
If your threat is the forum admin mentioned above, then you're 100% safe in posting your ramblings.
BUT remember: Tor, and also VPN, are pretty good as long as you're not a super government agency target.
A super government agency like the NSA/GCHQ/China MSS/etc., will find you in good time and no one will know about it.
The guys in the Suburbans dressed in black will show up at 4am in your place, put a hood over your head and take you away, and no one will know about where you'll be going.
BUT for that to occur you must represent a pretty huge threat to them!
BUT if you are that type of threat you won't be using VPNs or Tor, at least not in any set way, with any set equipment, in any set locations, and far away from any video surveillance cameras."

BUT:
There are a few VPN services, like Proton VPN, located in a privacy protected country, Switzerland, that do not log.
Using such a VPN (or two) to hide your IP identity along with an anonymous/encrypted email service like Proton Mail or tutanota will protect your identity, say in case you wish to stay untraceable if you write a politically incorrect letter to a news publication like The Guardian or the New York Times, or the Washington Post, etc., and you do not want some woke editor or IT guy there tracing your IP and then calling their friend at your IP provider and the next thing you know you are identified and you are being fried alive on Twitter or Facebook, etc.

In that case a VPN can live up to its expectations.
Absolutely avoid any VPN service servers located in any of the 5 eyes or the 9 eyes or the 14 eyes or the xx eyes, or Russia, China, etc.

Again, as I stated previously above, if you are a huge threat given enough time and resources you'll be ID'd, but for run of the mill anonymity a VPN service like that described above is fool proof.

For every day security HTTPS will suffice, as it has been stated by others above, but for anonymity a no-log VPN located in a safe jurisdiction is required.

Now, the problem is that some VPN services may be secretly run by the super government agencies like the NSA/GCHQ/China MSS/etc., and that you'll never know! BUT such VPN operations will be truly valuable assets with extremely strict security operations protocols and will be focused on really huge threats, not your politically incorrect letter to the editor!

@MeerKatDev

This guy doesn't live in Europe obviously, where we use VPNs mostly to access Netflix US and Hulu. Really, a useless post.

@Naleksuh

Yeah, we are all tired of joepie91's made up garbage. Pretty much all they have ever done is be a pain in the ass online

@eqn-group
This comment was marked as a violation of GitHub Acceptable Use Policies
@LokiFawkes

LokiFawkes commented Jan 23, 2022

@hackers-terabit There is actually a distinction in the industry between a proxy and a VPN, and consumer VPN providers are just a glorified proxy.
First, you wrote as if encrypted proxies haven't existed. There are two kinds of consumer VPNs - Encrypted proxies that rebranded using the acronym, and proxies that have always been lying to you.
They may even use VPN protocols, but ultimately, they miss one important distinction. They're not private. They are by definition public. This is a case of "we use ['military'|'enterprise'] grade ['encryption'|'protocols'|other marketing woo] therefore you're getting some kind of advantage."
This is the way Microsoft hypes up its new consumer software or services. "This used to be only for enterprise, now you can have it too! You know, cause you aren't switching to free software which has been able to do the same thing without having to buy a million CALs all these years"
In businesses, military, and at Laevateinn, VPNs are used to tunnel into a private network, either to appear as originating from that location, or to access private resources. That's the P in VPN. If you're not going into a private network, there is no P. Additionally, a lot of "VPN" services aren't even using the right protocols. They're just proxies with an encrypted connection to you. Not only that but if they're sold by an antivirus peddler, you can be certain the VPN client replaces your root cert too, decrypting your TLS traffic for their viewing pleasure.

"configuring a VPN by default eliminates an entire class of security vulnerabilities"
No, no it does not. If you use a VPN to browse the clearnet, that traffic will reach the clearnet. In addition, if you browse to a malicious site, a VPN will provide zero protection unless it's blocking the entire site somehow. But for such a purpose, why not just use a blocker? On that same note, a VPN provider might block something you're trying to access, at which point you now have to exit the VPN. And if you don't have control, there is no P in VPN. Or I guess you could say in that case, the P is for Proxy instead of Private, because you're using it wrong.
Your traffic can easily be de-anonymized, too. A simple javascript, an HTML tag, a login, or a browser fingerprint can compromise the entire tunnel. I've even deanonymized some VPN connections by simply, programmatically, asking the VPN provider. Not only was I able to get the real IP, I got the user's IDENTITY. That's less secure than just going onto the clearnet without one, and I would have had no clue who it was if they had simply dropped the VPN and connected to a coffee shop. (This was part of an experiment, not for malicious purposes. No innocent bystanders were deanonymized)
And there's another thing. Most public Wifi networks today are using a WPA key or a captive network. Sometimes both. Combine that with HTTPS and DoT, nobody knows what the hell you're doing. Especially if they're using WPA3 (with or without a password). Sure, the router will see what IP you're connecting to, but this is that Web2.0 crap where everything is centralized because people for some reason thought that centralizing the Internet to some giant corpos wouldn't bite their ass. So like a million sites can be hosted in one datacenter, meaning you NEED the domain name to determine the real destination.

Consumer VPNs - Not even once. At least, not if you're doing anything more than watching TV shows banned in your country.

@eqn-group

The thread was created in 2015, the comment section is still active.

@SilverPaladin

SilverPaladin commented Jan 23, 2022 via email

@xdung24

xdung24 commented Feb 2, 2022

I never trust any VPN service, I only use VPN of the company to WFH. When using it, I will be very cautious. If you want to do something in private, encryption is the most important. If you only want to change IP to bypass the country blocking, then a proxy is good enough. The whole point here is that a VPN is not proxy + encryption. It is just like a proxy.

@madeitjustforthis

Does this also apply to browsers like DuckDuckGo? If so what others?

I was always suspect of VPNs just not being trustworthy. The fact that they can be hacked but also the people running it can go free Willy on pretty much anything you do.

VPNs are like the FBI and the interrogation room. These MF’s watching you from all angles but nobody knows you in there just them 🤣

@LokiFawkes

Search engines, like DuckDuckGo, should also be treated like they're vulnerable, but the difference is the attack vector is smaller. A glorified proxy will see everything. At worst, if DuckDuckGo breaks its promise, it'll have a record of search terms. With good enough opsec, that's not too much of a concern, unlike if you were using a massive data collector like Google.

@LokiFawkes

@isaackielma Sounds like a proxy server list hosted on a blockchain and trying to sell itself to gullible zoomers as a "hip" alternative to Tor, paired with an Ethereum token scam.
In short, I smell Web3 all over it.

@joepie91
Author

joepie91 commented Feb 9, 2022

Yep, blockchain bullshit gets a delete.

@isaackielma

@LokiFawkes @joepie91 sorry, I'm just a gullible zoomer then. But please explain to me how they would steal your private information if all the data is encrypted and users do not have an account? Please enlighten my gullible ass, cause I clearly need some education here. Please note that I am not trying to confront you guys. I respect your opinions and would love to learn more about privacy and better solutions!

From what I read on their legal T&C (If they are lying about that they would have to be pretty ballsy to be saying all this and then not respecting your privacy...) :

A. NO-LOGS PLEDGE

We will not collect any information or store any logs about your browsing activity (including queries, data destinations, IP addresses or timestamps). We are based in a jurisdiction (Panama) which laws do not require us to retain any of such data. The only information we collect in connection to your use of the Network is the information listed in this Privacy Policy below.
Additionally, as we provide the Network by creating virtual tunnels through one or more connections to other users of the Network (i.e. the Nodes, as defined in the ToU) and by using their equipment and resources to route you to your destination, it is not technically possible for us monitor your activities in the Network. In addition to our no-logs pledge this creates an additional layer of privacy for you.
Having said this we feel that it is our obligation to inform you that the Network cannot guarantee 100% privacy. We enter into binding legal agreements with our users who run the nodes in the Network to prevent them from logging and storing the traffic which passes their nodes, but we cannot promise they will not.
If the applicable law requires us to disclose your data, we will be forced to do so; however, as we collect and store just minimal data which does not allow to identify you (see below), the impact of such disclosure on your privacy will be minimal.

B. ANONYMOUS DATA

To use the Network you need to create a public / private key pair. Your public key will be passed to us to register you with the Network. Note, that this public key will not include any of your personal data and you cannot be identified by it.
When you use the Network we may collect minimal information on how the Network is used and whether the connection was successful. However, this information is anonymous and cannot identify you and we use it to develop and maintain the Network.

@joepie91
Author

joepie91 commented Feb 9, 2022

Please read this. The bottom line is that the entire cryptocurrency industry is rife with lies and outright scams, and so anything built on top of it is automatically suspect. They don't get a good-faith assumption at all.

@LokiFawkes

@isaackielma

But please explain to me how they would steal your private information if all the data is encrypted and users do not have an account?

Nobody said that. But now that you mention it, any proxy (so-called "vpn") can be a bad actor. The connection is only encrypted from you to the server. Let's assume it works like Tor, which from what I gathered about Mysterium, it's less secure than Tor. But let's give it the benefit of the doubt.
The last node before your destination, the "exit node" if you will, will see the traffic exactly as if it were you, except if it's TLS traffic, it won't be able to read it, only pass it along. (Except attacks already exist to get around this and still become a MITM) If the data isn't encrypted or the exit node broke the encryption, it can get your data. Also, the service announcements from all nodes are on the blockchain. (Yeah, turns out having a ledger everyone has a copy of isn't very private.)
Also, assuming again that this works like Tor and isn't LESS secure, the exit node can deanonymize you.

A. NO-LOGS PLEDGE

Never, ever, EVER take these at face value. They can lie, and may even be protected by a gag order requiring them to lie. They can also be ordered at any time to start logging and will do so, not being allowed to tell you. Any node could also be logging, and if they're a malicious exit node, well... They have everything.

B. ANONYMOUS DATA

To use the Network you need to create a public / private key pair. Your public key will be passed to us to register you with the Network.

Congratulations. You just reached the "fingerprint".
A persistent key pair means you can be identified. If you are deanonymized even ONCE, you will be deanonymized EVERY TIME you use the network. This is essentially an account. In fact, many of my accounts online are key pairs.
Hell, even though there are tons of other ways to deanonymize you, one way to do so would be if an exit node were owned by a site you visited, and ESPECIALLY if you logged in. They would know the exit node you connected from, would know your public key, and they could associate your public key with your account, which may or may not be tied to your REAL NAME or other PII.

Proper opsec involves treating everything you don't control as being vulnerable or even hostile, and treating what you do control as potentially vulnerable, requiring you mitigate any vulnerability you can. Using a "VPN" for privacy, is not good opsec, whether it's your usual proxy, a supposed onion network of them, or a supposed decentralized network of them.

Also, Ethereum is ALWAYS suspect. That's just opsec 101.

@SilverPaladin

@LokiFawkes I was just going to add what you already did. As soon as I saw that a public/private key is used to connect you, I wanted to add that is pretty much a guarantee that it was YOU that surfed and no one else. If they ever got ahold of your device and saw your private key, that would hold up in court that you and only you could have done whatever you did on that network.

@lydia307

I live in Turkey and I have to use a VPN to access the outside network and international social media like FB, Twitter, and YouTube. I have been using pandavpn for a while. Wish it to be stable.

@Naleksuh

Please read this. The bottom line is that the entire cryptocurrency industry is rife with lies and outright scams, and so anything built on top of it is automatically suspect. They don't get a good-faith assumption at all.

So you defend your own gists with other of your own gists you made? Can I just make a million gists and link them all to each other?

@130rne

130rne commented Feb 22, 2022

@lydia307 Use Nord. They had a fire at one of their centers and recovered from it with no downtime. Or use Proton, their email is encrypted and they have decent speed, I'm on a free tier for basic stuff and have no complaints. Both Nord and Proton claim to be no log and Proton is extremely privacy focused as a whole. They're much better than a lot of the other ones out there. Tl;dr- don't use panda. There are better ones.

Definitely look into the 5 eyes/9 eyes/whatever. I didn't know it was a thing but for sure, a no log policy is only as good as the government that regulates the company. If they're mandated to track people, there's nothing you can do about it. I look for companies with a good track record and who have servers physically located in countries I prefer. A VPN is just a tool, know the limitations and use it appropriately.

@LokiFawkes

LokiFawkes commented Feb 24, 2022

@130rne They're also famous for lying about not logging. Proton removed their no-logs policy from their mail service because it turned out they are still beholden to a government, which has forced them to collect logs on an activist. Nord is owned by a datamining company, and NordVPN users have gotten caught. Not to say these aren't useful to bypass geofilters or a nationstate firewall, but don't take their no-logs policies at face value, let alone advertise them without at least making them pay you for it.
(Edit: Earlier the whole message wasn't showing)
Okay now that the whole message is showing for me, most of what I said above still applies, but uh... Just thought I'd add this on to acknowledge that my response was a bit redundant.

@130rne

130rne commented Feb 25, 2022

@LokiFawkes 👍 Impossible to exist in other countries without playing by their rules. Notice I said "claim to be" and "better than a lot of others" lol. Better doesn't necessarily mean good. It is what it is.

Lydia wanted something more stable and I expect Nord and Proton are a lot more stable than others. Also Surfshark from what I've seen. You can't trust anyone 100% so for me it's more about just getting the damn thing to work. Even outside of logging, there are only a few that I would use. A lot of them are a pain in the ass and have slow speeds and disconnects etc. Even Proton gave me issues on my desktop, on my phone it's been fine.

@LokiFawkes

Everybody ignore @jakylala until someone with power can delete that post. It’s an ad and a phishing scam. The link is a fake storefront and will steal your card info. Report isn’t working.

@130rne

130rne commented Mar 6, 2022

netlify.app 😂 gtfoh

@marsmonitor

@130rne They're also famous for lying about not logging. Proton removed their no-logs policy from their mail service because it turned out they are still beholden to a government, which has forced them to collect logs on an activist. Nord is owned by a datamining company, and NordVPN users have gotten caught. Not to say these aren't useful to bypass geofilters or a nationstate firewall, but don't take their no-logs policies at face value, let alone advertise them without at least making them pay you for it. (Edit: Earlier the whole message wasn't showing) Okay now that the whole message is showing for me, most of what I said above still applies, but uh... Just thought I'd add this on to acknowledge that my response was a bit redundant.

Is Tutamail a more private option?

@130rne

130rne commented Mar 9, 2022

Is Tutamail a more private option?

No clue. They're end to end encrypted? Proton mail is. What we're talking about is the originating IP, it's required for receiving any kind of data from the server. If you're only sending data out, the source IP doesn't matter. Even with VPNs the service needs to know your public IP address which means it has records of your IP and the server you connect to. Nothing can get around that. Encrypted is more private, yes, they don't see the data itself. But it's like a home mailing address, the post office needs to know where to send the mail.

@atoponce

atoponce commented Mar 24, 2022

As a counterargument to this Gist by @joepie91, Consumer Reports published a report on popular VPN service providers (PDF, 48 pages). Covers security, privacy, and other issues such as logging and transparency reports. If people are going to use VPN service providers, such as at a coffee shop or other untrusted network, understanding how to grade a VPN service provider can be important. This PDF does that. Their final recommendation for users is:

Of the 16 VPNs we analyzed, Mullvad, PIA, IVPN, and Mozilla VPN (which runs on Mullvad’s servers)—in that order—were among the highest ranked in both privacy and security. However, PIA has never had a public third-party security audit. Additionally, in our opinion, only IVPN, Mozilla VPN, and Mullvad—along with one other VPN (TunnelBear)—accurately represent their services and technology without any broad, sweeping, or potentially misleading statements.

This report was presented at ShmooCon 2022 by Yael Grauer. Accompanies the following posts by Consumer Reports:

@LokiFawkes

@atoponce If you're using a VPN because you don't trust a network you joined, maybe host your own VPN instead. People using VPN services are usually trying to hide entirely or to get around geofilters. The ones trying to prevent being snooped on in unsafe networks are better off using a self-hosted VPN, which will not only hide their traffic from the rest of the coffee shop (which was already encrypted in this day and age), but can also allow them access to network resources they have at home.
As some of your links have mentioned, there really is no need for a VPN service anymore for privacy or to prevent MITM attacks.

@atoponce

@LokiFawkes Hosting a VPN isn't a good general recommendation for most people. It works for system administrator types, if they stay on top of patching known vulnerabilities of the VPN software and the system it's running on.

@LokiFawkes

@rafaelmazzer Pretty sure this has been brought up already and the posts advertising it have already been deleted in the past. No need to bring it back up, it's a scam. Just another goofy "tor alternative" that still owns your traffic when you connect.

@atoponce

atoponce commented May 3, 2022

India is now requiring all VPN service providers operating in India to store customer logs for 5 years or more. This includes:

  • Validated customer names, physical address, email address and phone numbers.
  • The reason each customer is using the service, the dates they use it and their "ownership pattern."
  • The IP address and email address used by a customer to register for the service, along with a registration time-stamp.
  • All IP addresses issued to a customer by the VPN, and a list of IP addresses being used by its customer base generally.

https://www.cnet.com/news/privacy/india-orders-vpn-companies-to-collect-and-hand-over-user-data/

@MayMeow

MayMeow commented May 6, 2022

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

Most webpages are now using SSL. Don't you need to install a CA certificate (of the VPN provider) in Trusted certificates to approach MITM? Otherwise you will be notified (each browser will notify you) that you are getting a certificate which was signed by an untrusted CA. And you should never accept any untrusted connection (or stop using this VPN provider). In this case they can log IP addresses but they can't see what you are doing there. (very simply said)

Some countries doing that but they concerning you to install their Root certificate.

@h1z1

h1z1 commented May 10, 2022

@LokiFawkes @joepie91 sorry, I'm just a gullible zoomer then. But please explain me how they would steal your private information if all the data is encrypted and users do not have an account? Please enlighten my gullible ass, cause I clearly need some education here. Please note that I am not trying to confront you guys. I respect your opinions and would love to learn more about privacy and better solutions!

From what I read on their legal T&C (If they are lying about that they would have to be pretty ballsy to be saying all this and then not respecting your privacy...) :

It isn't technically a lie - THEY aren't (though if you read their own text you'll find they do). What their partners do or more likely, what the networks around them do are entirely different things. They somewhat acknowledge it too.

Think of it like literally living in a glass house. You have four walls, a roof, a door and likely a key with a lock. But you live in a glass house, anyone around you can see in. That is the state of most VPNs / hosting.

Think of security implementations themselves as somewhat like driving a car. You have tinted windows, may even be an armored truck. Point is there's enough information about the vehicle itself to infer who you are because the vehicle has to be registered. The company name will likely be on it. Where you were picked up, dropped off, times, etc. That is enough information to profile YOU.

The armor in the vehicle is no more at fault than the math behind encryption. Problem is how they're implemented. The armor could in fact be aluminum just as the random key bits could be predictable. Both are technically accurate.

@LokiFawkes

Dude's a troll, don't feed him. He's just here to make the rest of the privacy-minded folk look like tinfoil hats.
I'll save you the trouble of waiting for his answer that'll make frogs gay. A half-wave 2.4ghz antenna would be 6.25cm, a quarter wave 3.125cm, nanoparticles wouldn't be able to put out a 2.4ghz signal far enough to penetrate your skin no matter how beefy the amp is, let alone if the particles are there by their lonesome.

@HeyJoplin

HeyJoplin commented Jun 1, 2022

@qwikag

I like the way you challenge this post :)

Nevertheless, this post says "Don't use VPN services". Focus on the "services" thing. You can check the section "So, then... what?" and there's some info about setting up your own VPS. Setting up a VPS nowadays is easy even for non-tech users, and you can destroy it (or just power off) when you don't need it anymore, saving some money.

Regarding the "so we were all vulnerable" comment, maybe going a bit off-topic here, but: think on metadata. Metadata kills (not kidding, www.justsecurity.org/10311/michael-hayden-kill-people-based-metadata ). Tunneling our traffic won't help if we keep using the wrong OS, apps or protocols.

@LokiFawkes

@qwikag I think you mean what if joepie put this article here to do that?
Well, he wouldn't gain much from you being on the clearnet. You already have a firewall on each device and your Internet gateway. You already are using encryption for just about everything, to the point a man in the middle can't hijack your traffic. At this point, hijacking your traffic has to be done at endpoints. Now, a VPN can do that by being an endpoint for one protocol from itself to you, and an endpoint for another protocol from itself to your destination.
It can also correlate your traffic even if it's not defeating your encryption. The possibilities are endless.

Making a VPN client open source doesn't mean the VPN service doesn't have secret sauce on its end, and if they release the source code to their server software, you can't exactly trust that's actually what's running on their servers and not just a cleaned up version for show. Ultimately it's the service that matters, and you can't verify they're not doing anything nefarious, even if you could verify the machine code on both sides. You can, however, verify that they are, or to be more precise, that they're legally required to, violate your privacy. PIA is based out of the US. Intercept laws require a method to monitor traffic in a way similar to wiretapping a phone. For digital services, this includes a requirement of short term logging at all times in case a user is labeled a person of interest, and long term logging once a user IS a person of interest. But that's minimum. Usually, in order to avoid punishment for not being thorough enough, companies will log perpetually. If they don't, their section 230 could be challenged, and they could be held responsible for enabling you.

@CoopTRUE

CoopTRUE commented Jun 24, 2022

> connects to vpn so big tech can't see what I'm doing
> logs into Facebook

@LokiFawkes

@gofukrself Enjoy your report for, let's see here, harassment, spam, threats of violence, and a bad attempt at phishing.
Also unlike you, I'm a user with a real name and proper 2FA.

@danielsalama2

thanks for sharing

@LokiFawkes

Nord is not owned by Tesonet.

Pretty sure you're the only one here mentioning Tesonet until now. NordVPN is, or should I say was (My use of present tense was outdated), owned by Tefincom SA, which used to be proudly displayed on their site despite being a known datamining company and having ties to Tesonet. NordVPN, later NordSec, was co-founded by Tesonet co-founder Tom Okman. Literally all roads lead to datamining. Again, VPN services are not privacy services.
The fact you so lazily made that argument without any research shows you're just here to post hot takes and shill for scams, so further engagement has been deemed unnecessary.

@LokiFawkes

@eqn-group Better question. Why are you?

@eqn-group

eqn-group commented Jul 26, 2022 via email

@LokiFawkes

LokiFawkes commented Jul 30, 2022

@mahigill414 And that's why so many so-called VPNs use a proprietary client. Instead of installing the cert to your system, the cert's installed with the app and recognized while the app is installed and running. This is why, if I'm going to use a VPN for anything, I'm using OpenVPN. For OpenVPN, the only cert you might need is to validate the server identity. For proprietary, they can package a replacement root certificate with the program.
Also, would a mod kindly delete this? She's advertising her whore sites with all those bitly links.

@LokiFawkes

@noorkaur66 Oh great. More whore site ads.

@LokiFawkes

Seeing as we're no longer getting any constructive discourse, if it's possible to freeze this gist, I highly recommend it. It's just whore ads now.

@joepie91
Author

Seeing as we're no longer getting any constructive discourse, if it's possible to freeze this gist

Unfortunately, it's not. I already reached out to Github about this a while ago. Would've closed comments a long time ago otherwise.

@BrodyDoggo

What would be the difference between a vpn and a proxy?
You said a vpn is a "glorified proxy", I'm just curious as to what the difference is and learning more about vpns and proxies. just seems interesting to me.

@LokiFawkes

@BrodyDoggo
I can explain this.
The purpose of a VPN is to provide a tunneled connection into a private network. It's like a proxy, except you can traverse firewalls and connect to devices over any port or protocol through it. In a proper VPN, you even get your own IP address in the private network.
However, this is not how clearnet VPN services like NordVPN or ExpressVPN work. Even when they use real VPN protocols, they're just putting you into a NAT network and hiding you behind one IP address, their IP address. Essentially, the same as a proxy. They can control what ports you get to use, what protocols you get to use. Essentially, the same as a proxy. At best, with no restrictions on ports and protocols, you'd be looking at something called a SOCKS proxy.
In many actual VPN setups, you might even set your virtual network adapter that's connected to the VPN, as a SOCKS proxy to prevent direct access to the clearnet.
But these VPN services you see out there range from web proxies to SOCKS proxies, advertised as being more private than a proxy, and often come with proprietary apps that strip SSL so they can collect and sell your browsing habits.
They even advertise this SSL-stripping function as virus protection, when in reality, their VPN cannot protect you from viruses even by stripping SSL (though if they're honest they can try), but it can make them money by collecting data.
By stripping SSL, typically by replacing your root certificate so your browsing happens in an encrypted form that they can read but outsiders still can't, they not only can get your browsing habits beyond just IP addresses and DNS requests, but they can also harvest metadata AND the payload of the connection, including passwords and other personally identifying information that would have otherwise been transmitted without a man in the middle.
So really the difference between a VPN and a proxy is the P in VPN - private. If it doesn't provide a tunnel to a private network, it's not a VPN, regardless of what protocol it uses or what its name is.
VPN - Virtual connection to private resources like company servers
Also a VPN - Virtual connection to your company or home's private network, doubling as a proxy for the clearnet
Not a VPN - A tunnel to a web proxy, branded as a VPN, meant to look like you're browsing from the server you connected to rather than from where you are

If you still want to call these VPNs, the distinction would then be between Virtual Private Networks and Virtual Public Networks.
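
The comments above turn on one mechanism: a client can only read TLS traffic in the middle if the machine trusts a root certificate the client controls. The following is an added example, not code from the gist or from any commenter; it diffs a trust-store snapshot against a known-good baseline and groups observed connections by any non-baseline root that anchored them. All function names are hypothetical, and the "certificates" are constructed placeholder bytes rather than real X.509 data.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle):
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    found = set()
    for body in PEM_BLOCK.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found


def audit_trust_store(baseline_pem, current_pem):
    """Diff two trust-store snapshots taken before and after installing software.

    Any entry under "added" is a root the machine now trusts that it did not
    trust when the baseline was taken, and needs an explanation.
    """
    base, cur = fingerprints(baseline_pem), fingerprints(current_pem)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


def intercepted_hosts(observed, baseline_pem):
    """Group hosts by the non-baseline root that anchored their chain.

    observed: iterable of (hostname, fingerprint of the chain's root).
    One unknown root vouching for unrelated hosts is the signature of
    interception, because public sites do not share a private root.
    """
    base = fingerprints(baseline_pem)
    hits = {}
    for host, root_fp in observed:
        if root_fp not in base:
            hits.setdefault(root_fp, []).append(host)
    return hits


def system_roots_pem():
    """Snapshot the roots Python's default TLS context has loaded here.

    Caveat: certificates that live in a capath directory are only listed
    once a connection has caused them to be loaded, so on such systems
    snapshot the bundle file or directory directly instead.
    """
    ctx = ssl.create_default_context()
    return "".join(ssl.DER_cert_to_PEM_cert(der)
                   for der in ctx.get_ca_certs(binary_form=True))


# --- constructed sample data (placeholder bytes, not real certificates) ---
def constructed_pem(label):
    return ssl.DER_cert_to_PEM_cert(b"constructed-der:" + label)


def constructed_fp(label):
    return hashlib.sha256(b"constructed-der:" + label).hexdigest()


BASELINE_PEM = constructed_pem(b"public-root-1") + constructed_pem(b"public-root-2")
# Snapshot after installing a hypothetical client that ships its own root.
CURRENT_PEM = BASELINE_PEM + constructed_pem(b"vpn-client-root")
OBSERVED = [
    ("mail.example", constructed_fp(b"public-root-1")),
    ("bank.example", constructed_fp(b"vpn-client-root")),
    ("forum.example", constructed_fp(b"vpn-client-root")),
]

if __name__ == "__main__":
    print(audit_trust_store(BASELINE_PEM, CURRENT_PEM))
    print(intercepted_hosts(OBSERVED, BASELINE_PEM))
```

A client that bundles its own trust store inside the application will not show up in the system snapshot, which is why the per-connection check is kept as a separate function.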

@ivanjx

ivanjx commented Sep 20, 2022

not a single word about censorship

@TruncatedDinoSour

@BrodyDoggo none, VPNs are proxies

@Naleksuh

@LokiFawkes

LokiFawkes commented Oct 11, 2022

@BrodyDoggo none, VPNs are proxies

Uh, no? https://en.wikipedia.org/wiki/Virtual_private_network#Types

None of which describe the services sold as "VPNs" today by big tech.
They just took their proxy services, at MOST using protocols meant for VPNs, and slapped VPN in the product name. And that's what TruncatedDinosour was referring to. VPN services, which aren't even VPNs to begin with.

@Naleksuh

@BrodyDoggo none, VPNs are proxies

Uh, no? https://en.wikipedia.org/wiki/Virtual_private_network#Types

None of which describe the services sold as "VPNs" today by big tech. They just took their proxy services, at MOST using protocols meant for VPNs, and slapped VPN in the product name. And that's what TruncatedDinosour was referring to. VPN services, which aren't even VPNs to begin with.

Thank you for managing something factual, unlike TrunatedDinosaur who was lying. Yes, "VPN providers" are not using VPNs in the intended way. TruncatedDinosaur was implying all VPNs are inherently just a type of proxy

@TruncatedDinoSour

@BrodyDoggo none, VPNs are proxies

Uh, no? https://en.wikipedia.org/wiki/Virtual_private_network#Types

None of which describe the services sold as "VPNs" today by big tech. They just took their proxy services, at MOST using protocols meant for VPNs, and slapped VPN in the product name. And that's what TruncatedDinosour was referring to. VPN services, which aren't even VPNs to begin with.

Thank you for managing something factual, unlike TrunatedDinosaur who was lying. Yes, "VPN providers" are not using VPNs in the intended way. TruncatedDinosaur was implying all VPNs are inherently just a type of proxy

https://us.norton.com/blog/privacy/proxy-vs-vpn VPNs and proxies are still very similar

@TruncatedDinoSour

@BrodyDoggo none, VPNs are proxies

Uh, no? https://en.wikipedia.org/wiki/Virtual_private_network#Types

None of which describe the services sold as "VPNs" today by big tech. They just took their proxy services, at MOST using protocols meant for VPNs, and slapped VPN in the product name. And that's what TruncatedDinosour was referring to. VPN services, which aren't even VPNs to begin with.

anyway thx lol

@TruncatedDinoSour

@Naleksuh and you should learn how to be less angry lol

@MinionArcane

MinionArcane commented Oct 13, 2022

Don't tell us why we should not use VPN.
If you're saying VPNs offer no proper privacy, at least what it does isn't as heavy as what bigger enterprises do. Google especially is the largest snoop in the world. If Google does a lot of blocking via VPN access for users, then you can say that VPNs are doing the exact right job against them.
If it was about ads, I don't think that's quite harmful really but to block users because they need to know where you're from, what you do and where you've been and all that, you got a whole lotta questions about the motives of Google than the VPNs.
Seriously, you can't hide the fact that the purpose of VPNs is to hide your location so that your data isn't being snooped by others especially by location! Who appointed Google or any other large enterprises as the Internet police anyway?

@carepack

carepack commented Oct 13, 2022

At least you have to trust, some company, some software, some providers. With vpn you switch the trust to the vpn provider instead of the internet provider. So think about who you gonna trust and keep in mind about the country laws. If you want to bypass ip restrictions vpn is a good way for that.

@LokiFawkes

@MinionArcane The problem is this does NOT circumvent any actual tracking and snooping. This stuff happens at endpoints, using accounts, browser fingerprinting, javascript, you name it. It's in the interest of these enterprises to block VPNs when it pertains to bypassing geofilters, because some of their services are designed to let you access certain content in certain locations despite the location of your account. But for tracking, snooping, ads, and so much more, your IP address is worthless.

Back in the days of unencrypted net traffic, this was more of a concern. People had to trust proxies to encrypt their data to keep neighbors and ISPs from snooping, but then they had to trust the proxy services and the numerous stops on the way from the proxy to the destination not to snoop on them. It was a bandaid for a bigger problem.

The rush to trust a "VPN" service comes from the days when proxies were relevant, and these so-called VPNs are often JUST encrypted proxies. Most of these services also practice SSL stripping by routing your traffic through a proprietary app that replaces your SSL certificate during use, allowing them to read your traffic and collect the data for sale. They picked up this practice from antivirus programs that try to detect viruses in your network traffic by doing exactly this but on a local proxy. By doing this on their proxy server instead of a local proxy program, they get to see it for themselves instead of just letting a program on your computer scan it.

@MinionArcane

MinionArcane commented Oct 16, 2022

It's not to trust VPNs for sure. It's a tool to tunnel through blocked gateways. Not all is guaranteed however so.
Certainly corps would not accept VPN access through their domains. It's always about identifying the user with their accounts by their true location via their recorded IP ADDRESSES in their registration with them. Any other change that diverts from what was recorded and the user gets 'questioned' before acceptance. Any server connected IP tunnels recorded/registered to be false or deceptive would easily be blocked.
It's not something of an unknown that these are some of the security measures they take to ensure users connect the 'right way'. CGNAT and whatnot.... they all started from IP adds. Then they developed 'fingerprints'. Excuse me, your 'fingerprints' come from the codes used from your device programs. Your device has addresses. Though you may think it's no more important, that IS the basic identification to begin with still.
However, an experienced user will know better what, how, why, when and where to use a VPN, so it could give a less punishing deal to mole about. (I said "less".)
A little debate over the statements:
Why should one worry about traffic when they don't have a website? Not everyone has to survey their own traffic. That's an overreaction and biased look to say VPNs can't encrypt your traffic. That's only for those who want it done. That's a business want. Users will need to know what they could get before jumping in to something they're not sure what could be offered. That's their risk but is not from everyone's needs that describe here what bad VPNs give instead.
For godsakes, it's not trackers as people who want to identify you right away. They have the machine for their work. They're called programs. People only want to track you when you have information they need and then they use the programs they have. So if you have less valuables to share out in the open, do you need to worry about trackers?
Why buy or subscribe to VPN premiums when you could choose the free ones? (knowing first how you fare in terms of what valuables you have with you in your system and knowing how destructible the VPN you chose is.)

Which VPN you choose is by your own risk. How you keep monitor of the processes for personal security purposes within your system or device is on your skill and knowledge when you use VPNs. What you use the VPNs for is also up to you. If you could bear with offering your data over for perhaps sale to another party, you should at first also know how secure your system is or how well you could maintain your focus over any suspicious processes within and as well as knowing how secure your personal data is from being read by outsiders. Also, you need to know why you intend to offer them your data and what benefit you may receive by doing so. Without those precautionary know hows, of course you'd be opening yourself to fall victim in various ways.
Why should beginners find a reason to use VPNs? Because they just read stuff over the internet or through their friends and thought it was just cool to use?
No. You'll find that those who learned what a VPN is and uses it, has that reason to dwell into it further and balance the risks before taking the step to engage. If a wayward beginner were to just hop into VPNs, there'd be no safety and there'd be no proper reason for them to use it either.
Sound childish for a layman's explanation?

Now, back to WHY VPN to me.
Because there is such a tool that gives us enough freedom these days. I don't have to talk about what was from the past because the past was where I learned lessons too to eventually land into HAVE to use VPNs now.
Because we can't just keep saying we should trust some company, some providers and such with our data for a long time. If you're like of my age, you'd know how those companies were before when you surfed. They were bad. They're 'professionally' bad this time. There's no space for them to brainwash me into trusting them for one. They've paid huge fines for breaching rules on privacy policies. Yet they're still huge. I'm not one to keep up with their 'legacies' even.
Why should I keep supporting them when they start fixing up walls when I refuse to provide them my data by force? Why should i allow them to monopolize the internet by owning our data? Why should i help them eliminate their competition?
Because I weighed the risks taken and did tests over various VPNs to see how efficient and professional each were before acceptance. So you see, I took the exact but basic precautionary measures corps take against users to attain some freedom.
Because the internet hasn't much thrills as before. It has become less to communicate than viewing ads, more products on sale, more useless past documents, there's just way too much of unnecessaries, worthless points that required your verification/authentication/identification and you're told to be just gated at one location and do your stuff on your seat. That's not for me. I want to open more doors and be accepted too when i throw out no harm to another system/user.
Because the sole purpose of the Internet was for communication. Not businesses. If it was business thrown out on me, it will be another door i show them out.

@danielsalama2

danielsalama2 commented Oct 17, 2022 via email

@LokiFawkes

LokiFawkes commented Oct 18, 2022

@MinionArcane Where do I start with this?
Firstly, trackers don't need your IP. That's a myth, and was only ever true in the old days of the Internet when other methods to track you hadn't been developed. By using cookies, JavaScript, Fingerprinting, and various browser exploits, they can track you just fine without your IP, which by the way is prone to changing if you ever have an Internet outage for a moment. If you're not doing anything against browser fingerprinting, you're being tracked no matter what IP you connect from. If you're not blocking cookies, you're being tracked no matter what IP you connect from. If you login to an account, you're being tracked no matter what IP you connect from. If Javascript is enabled, you could very well be tracked no matter what IP you connect from. This is why people limit cookies, block tracking cookies, install ad and tracker blockers, and mask their browser fingerprints. Because the one thing that is useless to track you with anymore, is an IP address. Netflix knows it's you. Google knows it's you. Facefuck knows it's you.
Second, you seem to think VPN services can protect you from ads, or from those verification/authentication/identification processes. They can't. They don't even try to. At best you might connect to a proxy that has completely blocked some servers from being accessed, but that doesn't fight against trackers when the big guns are on the same servers as the content.
I could go on and go after every incoherent detail in your message, but long story short, if you think your VPN provider is playing ANY part in protecting your privacy, you're objectively and eternally wrong. It's not even a VPN.

@MinionArcane

MinionArcane commented Oct 19, 2022

@LokiFawkes
You're a joke.
Google and all the corps you mentioned already know your IP and your location when you've first registered your account with them. You verify your identity by the codes or pins sent to your email and that is all that's needed for them to keep you in their record. Whatever else they muster on you with new codes and new developments later is from what they already have on you. Those rest technology or findings that they develop to track you after is by scripts and codes to make things easier comparing your data and detecting your identity faster. I did agree on that but you thought me otherwise.
Yes, IP detection is old but that was and still is the basis.
Never have i said that VPNs can protect you from ads or protect you from your privacy. Where'd you read that from?
You assume of what i think. I have not said VPNs can protect you much. My 2nd line already said that clear of what VPN is, as you too know what it is. So where did that come from too?
You also took my context wrong about what i said on the verification and etc. I didn't say that VPNs can help you bypass that. I meant that the Internet lost its lustre when corps snoop much on users with all of that hassle of keeping you in exactly where you're from. That statement had nothing direct involving what VPN's potential is. It's a ridiculous assumption because if you read me right, I needn't have to repeat to you to read my 2nd line of my message you initially referred from. Those hassles are merely a cause why VPN is being used in a different way and that different way is certainly something i will not reveal how.
So, I'd like you to read my message line by line at your own pace again and tell me where i went incoherent, eh?

And uhh, what makes you think that sites don't track you through your IP address to date? How are you surfing about huh? Hahahaaaa.

@MinionArcane

@danielsalama2
As Jules Winnfield asks you what you didn't understand and your answer goes, "what?" .... you'll know my reply after from that same following famous line too.
You wanna say something, say it.

@jimthedj65

This is an excellent summary of proxy services passed off as VPNs. As a result of knowing some of what was posted here, I decided to build a zerotier (I chose zerotier over wireguard for its tighter security, i.e. no header exposure) VPN on my raspberry pi to view the LAN and local security cameras and TV from my home base when I travel to Eastern Europe. Cost = cost of a pi3 and some of my time. It also allows me to access my router as if I was local, anytime, anywhere. gives me about 25 Mbps throughput between eastern Europe and UK, which is perfect and uses my home IP address to boot.

I will set up a similar pi in the US with my family. I am now looking at encapsulating/routing over the blockchain but need to accelerate due to performance and high encryption tax as well as possible curve issues on secp25k1.

Thanks for the post, it's an excellent write-up on snake oil services, and this industry needs a good disruptor to shake it out.

@Berrik

Berrik commented Oct 24, 2022

I am looking to hide internet traffic from my snoopy neighbours who have nothing better to do than watch my activity on the internet. Additionally, if I am in a hotel or hostel, connecting to an open Wifi network and then using an encrypted connection to bypass the built-in payment options would be beneficial.

Any help with information of a good provider and steps in which to connect using the built in Windows 11 systems found here would be great.

All the best!

@LokiFawkes

@Berrik Your neighbors shouldn't be able to see your traffic, and if they could, they can't read it.

If your neighbors are seeing your traffic, you're probably on an open wi-fi network or they know your WPA password (WPA 1 or 2, PSK). They still shouldn't be able to read it.

With WPA-Enterprise or WPA3-SAE, they shouldn't be able to see your traffic at all. (Unless you're connecting to their router), and if they could, they can't read it if you're connecting over TLS (such as HTTPS).

Bypassing hotel paywalls is a futile effort. Any hotel that wants you to pay for wifi is going to put you in a blocked VLAN til you pay up. If you can't ping 8.8.8.8, for example, you ain't gonna connect to a proxy. If you really want to try to bypass paywalls, though, you could always try hosting your own VPN so if they don't know what they're doing you're more likely to connect than if you tried connecting to a well-known glorified proxy.

@Berrik

Berrik commented Oct 24, 2022

@LokiFawkes I am well aware of what people can and can't see via network traffic.

Your comment is not an answer, but your comment is an aggressive use of communication and I don't care much for you.

@LokiFawkes

@Berrik 1) Ask your question somewhere someone gives a shit
2) Bite my shiny metal ass. I gave you the straightest answer you'll ever get.

@Berrik

Berrik commented Oct 24, 2022

@LokiFawkes You didn't answer the fucking question, you fucking avoided the question all together and gave me your opinion. I do not give a shit about your opinion; I give a shit about the question in a github file comment section about VPNs.

People that actually do not give a shit do not even make a comment explaining that they do not give a shit, so keep telling me how less of a shit you give about a response to a question that didn't help or inform anyone and was akin to uploading a piece of propaganda in the form of a comment response (why I referred to it as aggressive).

@LokiFawkes

@Berrik Oh yes and you totally didn't expect this response in a discussion on VPN scams.

All this was intentional, dickweed.

Everything I said there was factual. It was the straightest factual answer you're going to get.

Anyone answering the last line of the question would be ignoring the premise. Anyone answering only the premise would be ignoring the question. I answered both. Now go crawl in a hole.

Wanna hide your Internet traffic from neighbors? Don't use their access point nor give them the password to yours. Want to bypass hotel wifi paywalls? You generally CAN'T. Aside from some exceptions where the paywall is more of a paysuggestion, it's impossible. And if you're just trying to mask your traffic while out in public, host your own ACTUAL VPN.

I will not entertain your decision to enter this conversation as a shill. I will not entertain your fallacies. I will not entertain your diametrically opposed "question" and premise. And nobody else here will either.

This conversation was closed long ago, but Github won't let it be frozen.

So next time you want to ask "What VPN service should I use"

Try not asking it in a gist titled "Don't Use VPN Services", you filthy troll.

@Berrik

Berrik commented Oct 24, 2022

@LokiFawkes Using a VPN to block communication interceptions from your obsessive neighbours is a completely different VPN issue to "not needing a vpn, use a proxy bro" thread...

For whatever reason, me looking for the issue in the comment resulted in your github blog being linked, suggesting a very specific use of VPN for personal use vs business use, when 99% of internet businesses make use of things and monopolise services that you should be able to do from a personal computer.

I think you work for the CCP.

@LokiFawkes

@Berrik Your discourse here is off-topic. Your question was an insult to the thread to begin with.

Want to block communication interception? You're already doing so in the best way available to you, on this site, RIGHT NOW. It's called encryption. Using TLS, you're able to verify the server you're connecting to and speak to it in a way that nobody in the middle can read.

Want to mask your traffic from other people in the network snooping? Set up your own VPN at home, connect to it from wherever the hell you are.

And if you think I work for the CCP, you don't know the difference between for and against.

If you don't like services being monopolized that you should be able to use from your personal computer, build your own like they do.

Do you think Google or Apple employees use NordVPN to connect to HQ? No. They use an internal VPN, an actual VPN, for that. Want what they have? Your router probably offers it, and if it doesn't, an old computer or a Raspberry Pi is a cheap option. IP address keeps changing? Dynamic DNS is cheap these days.

Troll somewhere else, all of your comments have been reported.

@Berrik

Berrik commented Oct 24, 2022

@LokiFawkes It's literally a question about VPNs for a specific purpose in a thread containing people who are knowledgeable about VPNs.
Meds.

@LokiFawkes

@Berrik AHEM.

Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

This isn't a place to shill a VPN service nor to ask for VPN service recommendations. Take it elsewhere.

@Berrik

Berrik commented Oct 24, 2022

Well my VPN service that is coming out of your buttcheeks is my original statements: "I looking to hide internet traffic from my snoopy neighbours" and "connect using the built in Windows 11 systems found here "

If anything, I am promoting the proper use of VPN functions instead of asking people to download and subscribe to the latest VPN bloatware/backdoor.

@LokiFawkes

@Berrik Again, wrong pasture for that bullshit. This isn't the place to shill a VPN service nor to ask for VPN service recommendations.

@birdwatcher1

This article is poorly written and directed toward the same group of people who believe the marketing BS from VPN providers. From a technical standpoint however, the point of this article is written with as much disinformation as the marketing structure it criticizes from such VPN providers. There is very little real technical information used in the article, and absolutely no evidence for the author's claim. This is not a technical article about VPN providers but more of an opinion on the issue of trust with providers.

It would have been a lot easier and less confusing to educate people on how VPNs do not help you beat tracking methods that use device ID, fingerprinting, app identifiers.

@szepeviktor

Anyone can set up a "Viktor VPN" with 1 hour of learning.
OpenSSH on the server, PuTTY "dynamic" port forward and a browser with SOCKS proxy capability.


ghost commented Nov 5, 2022

Tor, & the self hosted VPS, are the only real "virtual private networks". Everything else, are just proxies that pretend to be a vpn.

@xNeonHD

xNeonHD commented Nov 5, 2022

I'm sorry but what the actual fuck even is this comment thread?

Literally just received an email notification where the last email of this thread I got was from January 2020 from a guy who replied to me "you truly are an ignore arrogant mother fucker that has no fuckin clue what the hell he's talking about [sic]"

HUH????

I have two burning questions:

  1. Why am I just receiving emails for this now...?
  2. Why are people still commenting on this?

P.S. For anyone with the intent on replying "read the OP" followed by a useless ad hominem attack, kindly shove a giant dildo up your ass. Thank you.

P.P.S. After reading just 1% of this thread it's honestly hilarious how people are getting so worked up by this 🤣this ain't left/right politics you fuckin goofs. Reminds me of the equally hilarious "skill based matchmaking" controversy that triggers people nowadays.

@birdwatcher1

I have two burning questions:

  1. Why am I just receiving emails for this now...?

Because, you have Notifications on. You can remove them on the settings tab.

  2. Why are people still commenting on this?

Why are you still commenting on this?

@jcanfield

@xNeonHD 👍 Yup. You took the damn words right out of my mouth. Why... why did i get this notification? lol

@birdwatcher1

@xNeonHD

P.P.S. After reading just 1% of this thread it's honestly hilarious how people are getting so worked up by this 🤣this ain't left/right politics you fuckin goofs

I was just going to say the same thing. 🤣

@xNeonHD

xNeonHD commented Nov 5, 2022

Because, you have Notifications on. You can remove them on the settings tab.

Thanks captain obvious!

@birdwatcher1

Because, you have Notifications on. You can remove them on the settings tab.

Thanks captain obvious!

Happy to help. 😆

@jasperweiss

jasperweiss commented Nov 5, 2022

Hi everyone who left their email notifications on 👋

Tor, & the self hosted VPS, are the only real "virtual private networks". Everything else, are just proxies that pretend to be a vpn.

If you’re going for a semantic discussion, I’d like to argue that a real “virtual private network” is an actual “private network” (meaning traffic is invisible to anyone not part of it and IP addresses are not routable to anyone not part of it) that is created “virtually” on top of an existing real network.
E.g. by bridging your personal devices together with wireguard, tailscale or something along those lines. That way each device has an additional IP address that is only routable by your own devices and all traffic to and from said devices is opaque to the underlying real network.

VPNs (whether it be hosted by someone else, yourself or someone else still in the form of a VPS, which I’d argue defeats the entire purpose) and Tor, in the way they are commonly used, are just proxying your traffic. There’s no private network to speak of. It’s not a different network. You’re attempting to hide the origin.


ghost commented Nov 5, 2022

@jasperweiss I'm not much of an intelligent conversationer. But what you said is 100% true. Whether it's a VPN, or VPS, or any public proxy service like TOR, at the end of the day, all you want is to hide yourself from your actual IP, as well as your vpn. But where the problem arises, is the collection of your network traffic usage such as logging. We should always believe that it's impossible to achieve this because transparency from providers & a hiding user never go well together.

@ClarkFieseln

Wow, lots of energy right there. Love it!
That means you all really care about this topic. And that is great.
In the following article, a data-diode implements a kind of proxy that really protects also one of the most critical things in this area: the end node:
https://www.codeproject.com/Articles/5295970/Audio-Chat-for-Quite-Good-Privacy-AC4QGP
This in turn eliminates the need to trust providers...of course, as usual, what you do is moving the issue one hop behind...but maybe that is actually the solution (?). See Figure 3 here:
https://www.codeproject.com/Articles/5161775/Audio-Chat-for-Pretty-Good-Concealing-AC4PGC-Part
The data comes out encrypted and there is no way to know who is behind. Yes, you can still figure out the IP of the proxy, so what?...the guy can be thousands of kilometers away.
I am also not an expert, but I am also really convinced of this idea. Here are some other related articles:
https://www.codeproject.com/Articles/ClarkFieseln#Article

@jasperweiss

jasperweiss commented Nov 6, 2022

@jasperweiss I'm not much of an intelligent conversationer. But what you said is 100% true. Whether it's a VPN, or VPS, or any public proxy service like TOR, at the end of the day, all you want is to hide yourself from your actual IP, as well as your vpn. But where the problem arises, is the collection of your network traffic usage such as logging. We should always believe that it's impossible to achieve this because transparency from providers & a hiding user never go well together.

@pc00per I’ve always found the focus on logging a bit odd when talking about proxying. When we talk about encryption, we don’t want there to be a backdoor of any kind. It’s not about trusting whether they will use it unjustly, it is about the technical ability being there for them to do so. It shouldn’t exist.

As far as logging is concerned; it should be assumed that whatever can be logged is logged. It makes no sense to me to have a heightened sense of privacy purely based on the assumption that someone who has insight into something is trusted to turn a blind eye.

Even if everything going through a proxy is assumed to be recorded fully, they provide some benefits. Namely that the service that is the receiving end of your encrypted TLS connection can not see its origin. It sees the actual data, such as search queries, but not the origin. Our malevolent proxy (that records everything as well) can see the connection from you to the service, but not the contents.

Arguably, in most cases, hiding yourself as the origin in order to decouple your identity from the data, suffices. The services you connect to, from the point of view of the proxy, are usually some big name datacenter anyway. So the proxy sees you’re connecting to Google, Amazon, Cloudflare, Microsoft, OVH cloud or whatever. They learn very little from that about you. (This is assuming the use of TLS 1.3 where the SNI is properly hidden. But even if that wasn’t the case, the services you connect to most likely aren’t all that interesting by themselves)

If you wanted to hide the services to which you connect, rather than trusting on a “no logging” policy, an additional proxy should be introduced. This is what Tor does (but with 3 hops to be on the safe side).
The first node only knows that you’re connecting to another node, the other node knows someone coming through the first node is connecting to some service and none of the 2 know anything about the contents. Problem solved.

@hswopeams

hswopeams commented Nov 7, 2022

@joepie91 Regarding your advice in the "So when Should I use a VPN" section, would that allow me to get an IP from a specific country? My issue is that I am from one country but live in another. I have a small business and property in my country of origin. My mortgage lender has recently decided to block any IPs not in that country, as has the municipality my small business is registered in. Some of the national government websites of my country of origin also block based on IP. That means I can't access my mortgage information or file documents I'm legally required to file without an IP from that country. That's the main reason I occasionally use a VPN -- to get an IP from a specific country. I'm not doing anything nefarious -- just trying to do basic life things. What's the best solution for this situation?

@EdRoxter

EdRoxter commented Nov 7, 2022

@xNeonHD +1 Yup. You took the damn words right out of my mouth. Why... why did i get this notification? lol

Same here, I'm not even sure I've ever subscribed to this topi...

@nukeop

nukeop commented Nov 7, 2022

I just want to evade bans, a cheap VPN gives me a million IPs to do so.

@birdwatcher1

Just let it die, people.

Yeah, just let it die. I did, and it is liberating.

😂

@xNeonHD

xNeonHD commented Nov 23, 2022

Okay, but still not found any info about that the things were turned. Any info about leaks or cooperating with law enforcement? The main problem with all that whining, hysterical like "no-logs policy is just a bullshit" posts is they never have any proofs actually. I always see such posts in the way kind of the author just wanted attention by writing on such an exciting topic. He got it 😉

This gist became just like a some kind 4chan thread 😁

For what it's worth, you've got to at least admire the amount of chutzpah this article exudes.

@Alchemist98

I found this post because I downloaded Express VPN on my Samsung phone and it showed me a message saying "Express VPN wants to set up a VPN connection that allows it to monitor network traffic. Only accept if you trust the source." I copied and pasted the message on Google and ended up here. I already have Express VPN on my PC but not on my phone yet because the message appeared on my phone only and not my PC. So my whole concern is privacy. From what I read here, it's possible that they can see what I browse online, right? So my question is: if I'm on my PC, turn on Express VPN, then open "Oracle VM Virtual Box" and run "Whonix Gateway", will they still be able to see what I browse on the "Whonix Workstation"?

@aedicted

Since most for sure has been discussed in this endless seeming thread already, to cut it short - if you never worried about using their service on your PC, you are a bit late to start doing so now, just because you're on a different platform which is programmed to state the obvious.

Another question would be: do you trust your internet service provider? By using a VPN provider like ExpressVPN, you're effectively outsourcing that point of trust by comparison, not less and not more. When in doubt, the usual VPN providers selling off their side product of cascaded internet access probably will give out personal data less likely than the usual ISPs.

@Alchemist98

Thanks for your reply. I think I understand what you're saying. So can a VPN provider access any of my data or browsing history even if I'm browsing the internet through the TOR browser from the Whonix Workstation on the Oracle virtual machine?

@LokiFawkes

@Alchemist98 If you're going from Tor to VPN, yes, they're seeing it all. And seeing as that's usually the only direction that will work, that's probably what you mean.
Going from VPN -> Tor, you compromise the connection from you to the entry node. Going from Tor -> VPN, you compromise your exit traffic by associating it with your identity and passing it through their network which you now have to trust not to misuse that.
A few things to consider.
If it's free, it's mining your traffic.
If it requires a proprietary app, it's mining your traffic.
If it claims to protect you from malware or trackers, it's mining your traffic.
Not only that, most VPNs are owned by a few companies and even further, often whitelabel from a service called WL-VPN, in which the WL of course stands for WhiteLabel.
https://www.youtube.com/watch?v=8MHBMdTBlok
https://digital-lab-wp.consumerreports.org/wp-content/uploads/2021/12/VPN-White-Paper.pdf

Mullvad seems to be the top for privacy in the above, especially given you can connect to it using a regular OpenVPN client, but then again, ExpressVPN gets first place in a lot of those categories in that whitepaper, so take it with a grain of salt and don't trust "VPN" proxy services with anything sensitive

@DiscordGregory

This seems like "I don't trust them, you shouldn't trust them either"

@LokiFawkes

@DiscordGregory Hi, Strawman. How's Oz these days?

As we can see in this thread, we've established that "VPN" services are not a true VPN, many are just classic web proxies rebranded as "VPN", with or without encryption, and all of them lack the P in VPN. We've established reasons to doubt the safety of a given VPN, as their proprietary apps that are usually required to connect are a good sign that your computer's own encryption is being stripped, and some, like NordVPN, literally feed your traffic data into Google Analytics.

When using any tool to try to anonymize yourself, it's wise to practice some basic OpSec. Don't sign in to anything that could reveal your identity (if you need to, create a fictitious identity consisting of pseudonymous accounts meant only for your "anonymized" traffic), make sure you know the risks of the tool or service you're using, and make sure your activities on the clearnet and on your proxy are completely segregated from each other.

If you think that's too much work, don't use these services, or just use them to pirate Netflix from other countries.

@aedicted

As we can see in this thread, we've established that "VPN" services are not a true VPN, many are just classic web proxies rebranded as "VPN", with or without encryption, and all of them lack the P in VPN.

That might be true on a political level (although still debatable), but isn't correct from a technical point of view.

It is a common misconception that the "P" for "private" would refer to privacy in terms of data protection. It doesn't, it only refers to a virtualised private network address space, tunnelled through another network which can be encrypted or unencrypted.

A common example for an often unencrypted VPN type by the way is the popular MPLS for business customers.

In that way, it isn't a false claim that the usual VPN operators advertise their products as VPN which they technically are, however, what they actually promote and offer as a service is the effective proxy functionality where the VPN attribute is just a side product for an internet-internet coupling.

@LokiFawkes

LokiFawkes commented Nov 27, 2022

@aedicted The "P" is for "private" as in "private network". As in, using VPN protocols (which is rarely even the case with so-called VPN services) to make traffic appear to come from another IP on the clearnet is NOT the proper use case. It can be a consequence, and even a desired one, of one of the proper use cases (example, work-from-home jobs that handle PII typically put both private and clearnet traffic through the company's VPN, so that they hold custody of both types of traffic when you're on the clock), but these services are just false advertising, especially when a lot of them are just HTTP proxies or SOCKS proxies, with or without any encryption, and typically strip encryption to mine your traffic (cert replacement, can't believe I have to mention this again and again and AGAIN)

MPLS is a VPN in the same sense that VLAN tagging is a VPN. That is to say, it's not. It can be used in conjunction with other tools to create a VPN, but isn't a VPN in and of itself.

@aedicted

aedicted commented Nov 27, 2022

@LokiFawkes:

"MPLS is a VPN in the same sense that VLAN tagging is a VPN"

In this context of the advertised VPN-services discussed here, that probably would be the wrong comparison anyway as VLAN tagging is happening on layer 2 whereas here, the concept of a VPN is to have a (private) address space routed through another one. Since it is a very generic term, many different concepts indeed can form such a VPN, apparently including layer 2/3 techniques such as the labelling used with MPLS:

https://en.wikipedia.org/wiki/Layer_2_MPLS_VPN

Encryption for instance cannot be a requirement for a VPN as if you take one which is broadly accepted to be one and turn off the encryption, nothing changes for the concept of having a tunnel and routing a different network (space) through another one which was supposed to me point thrown in here.

Consequently, Deutsche Telekom calls their Cisco-based now encrypted MPLS variant "GetVPN" and Versatel the regular one MPLS VPN.

At the end, we might mean the same and actually agree. It is of course important to distinguish between the technical definition from the advertisement based - mostly bullshit - one presented by the usual suspects e.g. NordVPN, Cyberghost with their alleged "privacy" nonsense for the absolute laymen.

@LokiFawkes

@aedicted MPLS is not a VPN. You're conflating MPLS (which isn't a VPN, it's more akin to VLANs) with a VPN used to place you in an MPLS network, or "MPLS VPN"

@aedicted

Please elaborate on what parts enable access to the MPLS by the means of a VPN then. Also, I'd appreciate your detailed definition of a VPN then - which, I think here we agree - doesn't necessarily involve any encryption.

@LokiFawkes

@aedicted MPLS is an alternate protocol to Ethernet, and to some extent, TCP. It rests in the middle of layers 2 and 3, able to operate at both layers. MPLS is not a VPN or a conceptual network that has to be emulated by one. An MPLS VPN is typically used to bridge MPLS and Ethernet networks.

As for encryption, I do hold that a functional network tunnel must employ encryption or the idea that it's a tunnel is merely a suggestion and not a rule. This is also why I consider VLANs not to be VPNs. VLAN tagging is just a suggestion and switches that don't support it could route packets anywhere, which is how VLAN traffic leaking occurs. MPLS operates a bit similarly to VLAN tagging but also serves as an alternative layer 2 protocol to Ethernet, which is why I compared the two. It's why, despite MPLS not being a VLAN so much as just a protocol with a lot more rules than Ethernet, I still called it more akin to VLANs than a VPN.

I never really agreed with you that a VPN does not need encryption. I simply ignored your claim because it's wildly absurd. A tunnel with no encryption isn't a tunnel, and a VPN with no tunnel is a plaintext proxy.

@aedicted

"I never really agreed with you that a VPN does not need encryption. I simply ignored your claim because it's wildly absurd."

Very lovely, I guess ignorance even based on a questionable, a bit narrow view must be bliss then. Let's see.

Of course, it fundamentally all depends on the definition of the terms and whether the privacy in "VPN" refers to the encapsulated (private) network address range or the potential data protection.

As for VPNs requiring encryption, even Cisco literature, referred to here, seems to disagree:

https://en.wikipedia.org/wiki/Virtual_private_network

"Encryption is common, although not an inherent part of a VPN connection.[2]"

[2] referring to Mason, Andrew G. (2002). Cisco Secure Virtual Private Network. Cisco Press. p. 7

As for the term "tunnel", at least when used more or less synonymously for "encapsulation", the argument that tunnels without encryption wouldn't be tunnels doesn't hold either, as GRE for instance doesn't include encryption by default as otherwise, one wouldn't optionally wrap IPSec or other stuff around.

If for instance someone encapsulates something in a UDP session end-to-end to overcome NAT traversals, one could also call that a "tunnel" with maybe totally different IP endpoints on the application level, being encrypted or not. A tunnel is more a concept of encapsulation/wrapping rather than a manifestation of protection.

As stated, of course one could define the term "tunnel" or "VPN" to require encryption per se, however, the strongest technical counter-argument is that for any given encrypted, acknowledged VPN, one could turn off the encryption without any behavioural change for the endpoints. One example would be Cisco's DMVPN with the tunnel protection simply not configured:

https://community.cisco.com/t5/routing/dmvpn-without-ipsec-encryption/td-p/735716

Also, on a broader thought - taking key exchange procedures aside - there is no real conceptual difference between encrypted traffic one happens to know the key for and traffic which hasn't been encrypted in the first place.

"and a VPN with no tunnel is a plaintext proxy"

Well, a "proxy", taking the original term's meaning, is also a very generic term which can effectively include VPN connections as data is gathered "as a proxy" which is exactly the side-effect which the operators normally advertise when they sell their oh so great VPNs but a VPN still may encapsulate and connect private networks over public ones without encryption.
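
The GRE point in the comment above (encapsulation without encryption), as an added example that is not part of any comment in this thread: it wraps a constructed inner IPv4/UDP packet in a GRE header (RFC 2784) and then reads it back the way any on-path observer could, with no key involved. The addresses, ports and payload are constructed sample values, and the function names are this example's own.

```python
"""GRE encapsulation with no encryption: what an on-path observer can read."""
import socket
import struct

GRE_PROTO = 47            # IPv4 protocol number for GRE
UDP_PROTO = 17            # IPv4 protocol number for UDP
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an IPv4 payload
IPV4_FMT = "!BBHHHBBH4s4s"


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a header carrying a valid checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by the payload."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def udp_datagram(sport: int, dport: int, data: bytes) -> bytes:
    """UDP header with checksum 0 ("not computed", permitted over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IPv4 + base GRE header (no flags, version 0) + untouched inner packet."""
    gre_header = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_packet(tunnel_src, tunnel_dst, GRE_PROTO, gre_header + inner)


def parse_ipv4(packet: bytes):
    """Return (src, dst, protocol, payload) or raise ValueError."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack(
        IPV4_FMT, packet[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or not header_len <= total_len <= len(packet):
        raise ValueError("not a well-formed IPv4 packet")
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), proto, packet[header_len:total_len]


def observe(packet: bytes) -> dict:
    """Everything a passive observer between the tunnel endpoints can recover."""
    tunnel_src, tunnel_dst, proto, body = parse_ipv4(packet)
    if proto != GRE_PROTO or len(body) < 4:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", body[:4])
    if flags & 0x0007:
        raise ValueError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("inner payload is not IPv4")
    # Skip the optional 4-byte fields: checksum (C), key (K), sequence number (S).
    offset = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
    inner_src, inner_dst, inner_proto, inner_body = parse_ipv4(body[offset:])
    seen = {"tunnel_src": tunnel_src, "tunnel_dst": tunnel_dst,
            "inner_src": inner_src, "inner_dst": inner_dst,
            "inner_proto": inner_proto}
    if inner_proto == UDP_PROTO and len(inner_body) >= 8:
        sport, dport, length, _ = struct.unpack("!HHHH", inner_body[:8])
        seen.update(udp_sport=sport, udp_dport=dport, payload=inner_body[8:length])
    return seen


def build_sample() -> bytes:
    """Constructed sample: private 10.0.0.0/8 hosts tunnelled between two
    documentation-range (RFC 5737) endpoints."""
    inner = ipv4_packet("10.0.0.5", "10.0.1.9", UDP_PROTO,
                        udp_datagram(40000, 5353, b"constructed sample payload"))
    return gre_encapsulate(inner, "192.0.2.10", "198.51.100.20")


if __name__ == "__main__":
    for key, value in observe(build_sample()).items():
        print(f"{key:12} {value}")
```

The private address space is carried across the outer network exactly as a tunnel should, yet every inner field is readable in transit; confidentiality only appears once something like IPsec is wrapped around the GRE packet.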

@peterjosvai

I'm convinced, thank you. Not gonna use VPN services.


ghost commented Dec 1, 2022

I installed express VPN on my laptop because I was living in a hotel while I was working out of state. It literally screwed up my laptop network (my laptop said I didn't have a NIC) after I uninstalled the program. I had to have an IT tech remove it. He told me that basically all VPN services for the general public are snake oil and he said what had happened is the VPN had infiltrated in parts of my network and that it wasn't removed. It totally messed up my laptop network and he spent about 2 hours working on it to get it backup so where I had a network again.

@CrazycatASG

This article is just bullshit with no proof. It's the only thing what the article actually is. For now, I'll just leave it here: https://www.expressvpn.com/blog/expressvpn-statement-andrey-karlov-investigation

This article is also old as FUCK. What made you think his hot take is still relevant? No, more importantly, how did you even find this article? Do lots of websites just have a permanent link to this article or smth? I refuse to believe people just so happen to randomly stumble upon this 7 year old "article" whose last edit was in 2020. Just let it die, people.

Many, actually. I was about to reply, but then I realized that it's kind of pointless. The comments are an absolute cesspool.

@mehditlili

mehditlili commented Dec 6, 2022

I installed express VPN on my laptop because I was living in a hotel while I was working out of state. It literally screwed up my laptop network (my laptop said I didn't have a NIC) after I uninstalled the program. I had to have an IT tech remove it. He told me that basically all VPN services for the general public are snake oil and he said what had happened is the VPN had infiltrated in parts of my network and that it wasn't removed. It totally messed up my laptop network and he spent about 2 hours working on it to get it backup so where I had a network again.

Lol dude you completely got ripped off, I hope you didn't pay that guy much to fix your laptop... You'd expect people using Github to have some basic understanding of computers... but that is obviously wrong now...

@dxgldotorg

Perhaps the reason ExpressVPN messed up the user's network connection is due to a proprietary client modifying network settings to try to prevent the OS network stack from bypassing their tunnel.


ghost commented Dec 11, 2022

I don't see the point of VPNs. Like what's the difference between a VPN & a free public proxy ? VPNs are just a glorified paid proxy that pretends to be private. Caz you don't run the VPS by yourself & donno whether the service really doesn't keep logs.

You wanna bypass geo restriction ? Just use public proxies man. If you're using VPNs to hide yourself, good luck with that.

@dxgldotorg

If I need anonymity, I use Tor. Either the Tor Browser, or the Tails OS, both of which forget everything when closed.

For geo-restrictions, proxies might only be good enough for static websites, as they may not allow streaming media or other high bandwidth loads.


ghost commented Dec 12, 2022

There are a lot of proxies that can allow js too. It's just that the limitations are in bandwidth.

@LokiFawkes

@madgoat It's kinda hard to believe you when you're shilling for the lowest ranked so-called VPN for privacy and security.
Firstly, they've never had a truly independent audit. Parent companies often own auditors or pay them for a good score. Second, Nord is a literal data broker. The entirety of your VPN traffic, data collected from your device about location, bluetooth, wifi, any type of data the app can wrestle permission out of you for, any data the app can wrestle from the OS behind your back, including pictures, videos, or even your whole filesystem, is all sent through Google Analytics. At BEST, Nord isn't keeping logs on their end, which by the way, they have to keep short term logs and then keep them long term upon government request, to comply with the laws of the countries they operate in. But regardless, Nord as a company is a data broker. Their parent company, a data broker. The fact you can ONLY connect through a PROPRIETARY app and, unlike almost every other supposedly safe VPN, you ABSOLUTELY cannot connect using a standard protocol, is a sure sign that they're using key replacement to decrypt.
PIA, Express, and Ghost are an example of one company owning multiple VPN services, AND their parent company owns the review sites and auditors. Ya know, sites like VPN Mentor and WizCase - Those are owned by the parent company of Express, PIA, and Ghost. The sites that Nord owns are harder to pin down, but it's clear that Nord and Kape (Express/PIA/Ghost) own review sites and auditors.

@TruncatedDinoSour

this is the most annoying thread on github, my email is being spammed by it and every time i take a look here i lose another braincell, im in the negatives already, jesus fucking crist, get a life

@xNeonHD

xNeonHD commented Dec 24, 2022

this is the most annoying thread on github, my email is being spammed by it and every time i take a look here i lose another braincell, im in the negatives already, jesus fucking crist, get a life

Dude fucking same. And on top of that every time I click on this email thread I am always forced to read a 3 year old email from a guy who called me "an arrogant mother fucker", because that's apparently the first email I got from this thread, LMFAO!

(FYI gmail doesn't collapse the first email of a thread, a feature that is handy in many scenarios, but is now annoying as fuck only thanks to this cesspool of a thread 🤣)

@xNeonHD

xNeonHD commented Dec 24, 2022

OMFG!!!! why are you fucking ners so fucking retarted. of course they do that was the entire reason freevpn are made u fucking idiot. to male money. hey everybody the nerd figured out that companies like to make money. they wanted to make a very usful and attractive peice of software that a lot of ppl would want use then they would offer usage of the software for free in exchange they gain our permission to collect our data which they then sell to to hundreds of companies and marketing firms which is all perfectly ok and not nefarious or even immorall and if u werent so busy trying to soumd like a super smart fucking nerd fucking nerd you would have realized that vpn have a very specific and usefull purpose and that is to protect ur traffic and location ishidden from your modem u idiot cause if you didnt hide what ur doing on the internet from modem cause if you dont and you doing something less than legal totally can have and will shut ur internet off forever and because ur internet company is lickely a local bussiness and now have the evidence to prove that while u were both in the same town the intenet company saw u comitting illigLL ACTIVITIES ALONG WITH UR LOCATION AND THE DEVICE IDENTIVACTION DATA THAT THEY HAVE PROVEN WITH OUT A DOUBT THAT THAT DEVICE IS BEING USE BY YOU THEN THEY CALL THE COPS GIVE THEM THE EVIDENCE AND LOCATION AND THE COPS BEING SUMMONED IN THEI JURISDICTION BY A LOCAL TO BE GIVEN TETOMNY AND SIGNIFIGANT EVIDENCE PUT OUT A DOJ WARRANT FOR ARREST FOR UR ASS AND FORCE THERE WAY INTO UR HOUSE TACKLE YOU CYFF U AND THROW U IN JAIL WHICH IS VERY VERY VERY VERY LKELY TO HAPPEN IF U DECIDE NOT TO USE A VPN JUST BECAUSE IT COLLECTS YOUR DATA. U IGNORANT STUPID LITTLE MAN I HOPE U READ ALL OF THIS AND FEEL LITTERALY RETARTED ENOUGH FOR SPECIAL ED U FUCK EVER NERD EVER THAT HAS BEEN BEATEN DOWN FOR BEING A NERD TOTALLY DESERVS IT. @joepie91

Not sure if trolling or just batshit insane. Either way I'm making this into a copypasta and posting it to the subreddit. Thanks for the comedy dude 🤣😂🤣

@TruncatedDinoSour

this is the most annoying thread on github, my email is being spammed by it and every time i take a look here i lose another braincell, im in the negatives already, jesus fucking crist, get a life

Dude fucking same. And on top of that every time I click on this email thread I am always forced to read a 3 year old email from a guy who called me "an arrogant mother fucker", because that's apparently the first email I got from this thread, LMFAO!

(FYI gmail doesn't collapse the first email of a thread, a feature that is handy in many scenarios, but is now annoying as fuck only thanks to this cesspool of a thread rofl)

lmaoooooooo

@eqn-group

eqn-group commented Dec 25, 2022 via email

@TruncatedDinoSour

unsubscribe!

do you now think i haven't thought of that ? i don't think there's a way to unsubscribe from singular threads, unless, idk

@eqn-group

eqn-group commented Dec 25, 2022 via email

@GetAHat

GetAHat commented Dec 25, 2022

I think the best use case for consumer VPNs is accessing region-locked content\websites etc. In the case of Russia you literally can't even pay on some websites even if you have a European or American credit card and\or you are a European citizen, and you've set the region to any European one. Just because of the fact that you're connecting from a Russian IP.

To be honest, I use whatever seems to be working, but only turn the VPN on for specific use cases and turn it off immediately after I'm done. Everything else - yep, it's just stupid. You're just giving the data to some shady unregulated VPN company instead of a shady and barely regulated ISP.

@TruncatedDinoSour

look at the bottom of your email, there is an unsubscribe link


hm. is it for singular threads though ? i'm scared to get unsubscribed from all notifications

@LupusMichaelis

hm. is it for singular threads though ? i'm scared to get unsubscribed from all notifications

How do you achieve breathing? Unbelievable. I'd like to point out that there is an “unsubscribe” button at the top of this very page.

@TruncatedDinoSour

hm. is it for singular threads though ? i'm scared to get unsubscribed from all notifications

How do you achieve breathing? Unbelievable. I'd like to point out that there is an “unsubscribe” button at the top of this very page.

didn't look at the top, anyway, thank god, finally i can begin braincell recovery

@madgoat

madgoat commented Dec 27, 2022

@LokiFawkes

The fact you can ONLY connect through a PROPRIETARY app and, unlike almost every other supposedly safe VPN, you ABSOLUTELY cannot connect using a standard protocol

You might want to revise your information, or lack thereof.

  • Nord allows you to connect however you want (OpenVPN, IPSec, IKEv2, etc...), you don't need their software.

they've never had a truly independent audit. Parent companies often own auditors or pay them for a good score.

  • So you're telling me that PricewaterhouseCoopers is owned by Nord, and that they were paid off to make them pass? Man, if that exclusive information ever got out, that would be bad news for PWC.

Next time look into things before spewing falsities. Sure, you might not like certain companies, but there's no need to lie about them.

@LokiFawkes

@madgoat Assuming their instructions even WORK (last I had even touched their site, such instructions didn't even exist because the app was REQUIRED so they could pass your traffic to their GoogleAnalytics account), there's still the fact that they lie about data handling.
There's also the fact that not entirely having to use their app does not mean they don't collect data, only that the proprietary app GUARANTEES maximum data collection. Even a company that does allow connection over open protocols can be collecting data, just likely less data than when you use their proprietary app.
As mentioned, owning an auditor is not the only way to have a conflict of interest. Money can change hands behind closed doors, and the dissonance between reality and the score given makes it clear that PWC is either dumb or paid for. Pick your poison.
For privacy, data collection, and data collection disclosure, Nord is among the worst rated for a reason. It's run by, say it again, a data broker.

@aptblog

aptblog commented Jan 3, 2023

Using a virtual private network (VPN) improves the security of your social media accounts by encrypting your internet connection and masking your IP address and location. This can make it more difficult for hackers to access your sensitive information and can protect your privacy when using social media. However, you should not rely on VPNs alone for social media security; you need to be aware of many other security tips for securing your social media accounts.

@LupusMichaelis

No. Pretend VPNs do not improve security in any way. Please read the article you're commenting about that explains why they are not security tools at all, and stop puking marketing dump from those snakeoil vendors.

@LokiFawkes

@aptblog Ad bot spotted. VPN services (glorified proxies) do not improve your security. In the age of HTTPS and DoT/DoH, your attack surface is on the client end and the server end. The attack surface is nowhere in the middle. At best, a man in the middle might get the hostname of a service you're connecting to at the handshake in the beginning of a TLS connection, a connection that could last from seconds to years, and that's if a method of encrypting the SNI (ESNI, ECH, etc) is not being implemented. Since the Web2 era, in which most sites are hosted on just a few servers, IP addresses are kinda useless for spying on users.

Things you can do to protect your browsing habits at home from being discovered by a MITM such as a hacker or your ISP:

  • Use DoT or DoH. DoT is superior for security and more lightweight, but browsers typically require DoH to implement ECH, the current encrypted SNI standard. Though currently they also hide this feature behind a config flag, too.
  • Enable ECH in your flags, even if you won't be able to use it due to your DNS configuration.
  • Set up a recursive resolver in your LAN, configure it to connect to other DNS servers via DoT. This server will cache your queries for a predefined length of time known as a Time To Live (TTL), either the TTL of the DNS record or the TTL the resolver has set globally, whichever is shorter. Hard mode: Use reverse-proxy software to implement DoH with this server as the DNS server, enabling you to use ECH on your favorite browser (they really should enable this for using DoT as well)

By encrypting your DNS queries and minimizing the amount of queries that reach WAN, all people see is you connecting to servers that usually host multiple domain names. By encrypting the Server Name Indicator, even the TLS handshake between you and a site will contain no usable data. At that point, only you and the site you connect to have any idea what's going on. From there, browser extensions that block ads and analytics further protect you. You can also blackhole certain hostnames on your resolver to minimize tracking where browser extensions aren't an option (mobile, for example) though that can come with its own set of functionality penalties.

Without the hostname, if a server hosts multiple sites, nobody knows what you're actually connecting to. They might be able to guess that yl-in-f101.1e100.net is probably an edge server for google.com, but they wouldn't be certain that the site is google.com and not, for example, just a site using Google's cloud services as a CDN.

@arkbg1

arkbg1 commented Jan 3, 2023

@LokiFawkes Agreed. At least I hope. His primary argument is directly addressed by OP.

@aptblog "(VPN) improves the security of your social media accounts by encrypting your internet connection and masking your IP address and location."

vs

@joepie91 " VPNs can't magically encrypt your traffic" & "Your IP address is a largely irrelevant metric in modern tracking systems."

also,

@joepie91 "claims that have already been addressed in the article... doesn't belong here."

@aptblog

aptblog commented Jan 4, 2023

Defense in depth approach for security and VPN & Social Media Account Security.

Defense in depth is a security strategy that involves implementing multiple layers of defense at different points within a system or network. The goal of defense in depth is to make it more difficult for attackers to compromise the security of the system or network by requiring them to bypass multiple layers of defense.

Defense in depth is needed now more than ever as more employees work from home and as organizations increasingly rely on cloud-based services and social media is a weak human link in security.

Some examples of different layers of defense that might be included in a defense in depth strategy include:

  • Physical security measures, such as locks and security guards, to protect against physical attacks.
  • Network security measures, such as firewalls and intrusion detection systems, to protect against network-based attacks.
  • Application security measures, such as input validation and authentication controls, to protect against attacks targeting specific applications or services.
  • Data security measures, such as encryption and access controls, to protect against unauthorized access to sensitive data.

A virtual private network (VPN) is a network technology that creates a secure, encrypted connection between a device and a VPN server.

This can provide several benefits, including:

  • Privacy: By routing traffic through the VPN server, a VPN can hide the device's IP address and make it more difficult for third parties to track the device's online activity.
  • Security: The encrypted connection provided by a VPN can help protect against various types of cyber threats, such as man-in-the-middle attacks and data leaks.
  • Geo-blocking: Some websites and services are only available in certain countries. By connecting to a VPN server in a different country, a user can "trick" these websites into thinking they are located in the allowed country, allowing them to access restricted content.

VPN is only one component of a defense in depth strategy, and it should be used in combination with other security measures to provide the greatest level of protection.

Defense in depth for a social media account:

Choose strong and unique passwords: Use a password manager to create strong, unique passwords for your social media accounts, and enable two-factor authentication (2FA) if it is available. This will help protect against password-based attacks, such as brute-force attacks or credential stuffing.

Be cautious with links and attachments: Be cautious when clicking on links or downloading attachments from unknown sources, as these can potentially be used to deliver malware or phishing attacks.

Use privacy settings: Use the privacy settings provided by the social media platform to control who can see your posts and personal information.

Be aware of scammers and impersonators: Be aware of scammers and impersonators who may try to trick you into giving away personal information or money.

Use antivirus software: Install antivirus software on your devices and keep it up to date to help protect against malware.

Avoid sharing sensitive information: Be mindful of what personal information you share on social media, as this information could potentially be used to target you with attacks.

@LokiFawkes

LokiFawkes commented Jan 4, 2023

@aptblog The application of VPN technology in a defense-in-depth strategy involves using an actual VPN, not a "VPN" service. VPNs are used in a defense in depth strategy to connect employees to a private network, not to serve as a proxy for their WAN traffic. When it does function as a proxy, this is to keep custody of that traffic until it goes to the WAN, not to dance around the globe via an untrustworthy third party. This way, if something leaks to WAN, it leaks through the company's private network, and is either stopped by the firewall or cannot be sniffed by the employee's home ISP.

If you are using a VPN service rather than a company VPN for your defense in depth strategy, you've defeated your whole security model.

The doctrine of defense in depth is also outdated.
For example, "strong" passwords are often short but use a wide character range instead of being long. They're not memorable, they're easy for machines to bruteforce, and they're plagued by the need to write down passwords or save them in a password manager. Passphrases are king.
For another example, antivirus software as we know it is ineffective. The most effective antivirus for Windows is Defender, with many commercial offerings actually spying on you, bypassing Defender (it disables itself if you have another AV installed) and leaving doors open for malware whose developer has bribed them for whitelisting to get through. The most effective antivirus for macOS is in fact the Gatekeeper/Notarization/XProtect stack built in to macOS. As for Linux, there is no real AV offering (just about every offering you see for Linux is either a scam or a Windows AV scanning on Linux) and the method of defense is to patch out vulnerabilities and never give anyone but designated administrators administrative privileges. Just like macOS, a password is needed when escalating to admin power, and you must be in the admin wheel to escalate.

@aptblog

aptblog commented Jan 5, 2023