Don't use VPN services.

vpn.md

Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.

• A Russian translation of this article can be found here, contributed by Timur Demin.
• A Turkish translation can be found here, contributed by agyild.
• There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two usecases where you might want to use a VPN:

1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using Wireguard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.

---

This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.

---

Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

"pretty secure" I would not be so sure. please read it up https://github.com/IBM/tls-vuln-cheatsheet https://www.acunetix.com/blog/articles/tls-vulnerabilities-attacks-final-part/ (a more detailed article) SSL 1.0 to 3.0 is wrecked and must not be used anymore, though many websites still using. TLS are also vulnerable to attacks, use only TLS >=1.3 ,  any lower version are at risk. Search for "Basic TLS handshake" to understand more about this issue.

…

On 15/11/2021 17:38, Prince Cooper wrote: ***@***.**** commented on this gist. ------------------------------------------------------------------------ In my life, I've never seen someone using VPN to protect their privacy. Afaik, it's mostly used to lift geo-restrictions to access international websites. You are a flat out liar. Excuse me? You think it's something I enjoy lying such thing? No one I've came across ever knew that privacy was even a thing. Also HTTPS itself will encrypt the whole website data, means we're already pretty secure with your daily internet consumption. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <https://gist.github.com/5a9909939e6ce7d09e29#gistcomment-3963215>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADQ54F4VOVDOTV3EXLD4TLUMFAR5ANCNFSM4HILFQFA>. Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

Lol this disaster of a post is now on r/masterhacker https://www.reddit.com/r/masterhacker/comments/pz6hde/dont_use_a_vpn_guys/

As I stated above:
"EXACTLY!
It all depends on what your threat model is and who is going to target you.
If your threat is the forum admin mentioned above, then you're 100% safe in posting your ramblings.
BUT remember: Tor, and also VPN, are pretty good as long as you're not a super government agency target.
A super government agency like the NSA/GCHQ/China MSS/etc., will find you in good time and no one will know about it.
The guys in the Suburbans dressed in black will show up at 4am in your place, put a hood over your head and take you away, and no one will know about where you'll be going.
BUT for that to occur you must represent a pretty huge threat to them!
BUT if you are that type of threat you wont be using VPNs or Tor, at least not in any set way, with any set equipment, in any set locations, and far away from any video surveillance cameras."

BUT:
There are a few VPN services, like Proton VPN, located in a privacy protected country, Switzerland, that do not log.
Using such a VPN (or two) to hide your IP identity along with an anonymous/encrypted email service like Proton Mail or tutanota will protect your identity, say in case you wish to stay untraceable if you write a politically incorrect letter to news publication like The Guardian or the New York Times, or the Washington Post, etc., and you do not want some woke editor or IT guy there tracing your IP and then calling their friend at your IP provider and the next thing you know you are identified and you are being fried alive on Twitter or Facebook, etc.

In that case a VPN can live up to its expectations.
Absolutely Avoid any VPN service servers located in any of the 5 eyes or the 9 eyes or the 14 eyes or the xx eyes, or Russia, China, etc.

Again, as I stated previously above, if you are a huge threat given enough time and resources you'll be ID'd, but for run of the mill anonymity a VPN service like that described above is fool proof.

For every day security HTTPS will suffice, as it has been stated by others above, but for anonymity a no-log VPN located in a safe jurisdiction is required.

Now, the problem is that some VPN services may be secretly run by the super government agencies like the NSA/GCHQ/China MSS/etc., and that you'll never know! BUT such VPN operations will be truly valuable assets with extremely strict security operations protocols and will be focused on really huge threats, not your politically incorrect letter to the editor!

This guy doesn't live in Europe obviously, where we use VPNs mostly to access Netflix US and Hulu. Really, a useless post.

Yeah, we are all tired of joepie91's made up garbage. Pretty much all they have ever done is be a pain in the ass online

@hackers-terabit There is actually a distinction in the industry between a proxy and a VPN, and consumer VPN providers are just a glorified proxy.
First, you wrote as if encrypted proxies haven't existed. There are two kinds of consumer VPNs - Encrypted proxies that rebranded using the acronym, and proxies that have always been lying to you.
They may even use VPN protocols, but ultimately, they miss one important distinction. They're not private. They are by definition public. This is a case of "we use ['military'|'enterprise'] grade ['encryption'|'protocols'|other marketing woo] therefore you're getting some kind of advantage."
This is the way Microsoft hypes up its new consumer software or services. "This used to be only for enterprise, now you can have it too! You know, cause you aren't switching to free software which has been able to do the same thing without having to buy a million CALs all these years"
In businesses, military, and at Laevateinn, VPNs are used to tunnel into a private network, either to appear as originating from that location, or to access private resources. That's the P in VPN. If you're not going into a private network, there is no P. Additionally, a lot of "VPN" services aren't even using the right protocols. They're just proxies with an encrypted connection to you. Not only that but if they're sold by an antivirus peddler, you can be certain the VPN client replaces your root cert too, decrypting your TLS traffic for their viewing pleasure.

"configuring a VPN by default eliminates an entire class of security vulnerabilities"
No, no it does not. If you use a VPN to browse the clearnet, that traffic will reach the clearnet. In addition, if you browse to a malicious site, a VPN will provide zero protection unless it's blocking the entire site somehow. But for such a purpose, why not just use a blocker? On that same note, a VPN provider might block something you're trying to access, at which point you now have to exit the VPN. And if you don't have control, there is no P in VPN. Or I guess you could say in that case, the P is for Proxy instead of Private, because you're using it wrong.
Your traffic can easily be de-anonymized, too. A simple javascript, an HTML tag, a login, or a browser fingerprint can compromise the entire tunnel. I've even deanonymized some VPN connections by simply, programmatically, asking the VPN provider. Not only was I able to get the real IP, I got the user's IDENTITY. That's less secure than just going onto the clearnet without one, and I would have had no clue who it was if they had simply dropped the VPN and connected to a coffee shop. (This was part of an experiment, not for malicious purposes. No innocent bystanders were deanonymized)
And there's another thing. Most public Wifi networks today are using a WPA key or a captive network. Sometimes both. Combine that with HTTPS and DoT, nobody knows what the hell you're doing. Especially if they're using WPA3 (with or without a password). Sure, the router will see what IP you're connecting to, but this is that Web2.0 crap where everything is centralized because people for some reason thought that centralizing the Internet to some giant corpos wouldn't bite their ass. So like a million sites can be hosted in one datacenter, meaning you NEED the domain name to determine the real destination.

Consumer VPNs - Not even once. At least, not if you're doing anything more than watching TV shows banned in your country.

The thread was created in 2015, the comment section is still active.

It is a good thread. The opinions here reinforce my inherent distrust of VPN services as a privacy provider.

I never trust any VPN service, I only use VPN of the company to WFH. When using it, I will be very cautious. If you want to do something in private, encryption is the most important. If you only want to change IP to bypass the country blocking, then a proxy is good enough. The whole point here is the a VPN is not proxy + encryption. It is just like a proxy

Does this also apply to browsers like DuckDuckGo? If so what others?

I was always suspect of VPN’s just not being trustworthy. The fact that they can be hacked but also the people running it can go free Willy on pretty much anything you do.

VPN’s are like the FBI and the interrogation room. These MF’s watching you from all angles but nobody know you in there just them 🤣

Search engines, like DuckDuckGo, should also be treated like they're vulnerable, but the difference is the attack vector is smaller. A glorified proxy will see everything. At worst, if DuckDuckGo breaks its promise, it'll have a record of search terms. With good enough opsec, that's not too much of a concern, unlike if you were using a massive data collector like Google.

@isaackielma Sounds like a proxy server list hosted on a blockchain and trying to sell itself to gullible zoomers as a "hip" alternative to Tor, paired with an Ethereum token scam.
In short, I smell Web3 all over it.

Yep, blockchain bullshit gets a delete.

@LokiFawkes @joepie91 sorry, I'm just a gullible zoomer then. But please explain me how they would steal your private information if all the data is encrypted and users do not have an account? Please enlighten my gullible ass, cause I clearly need some education here. Please note that I am not trying to confront you guys. I respect your opinions and would love to learn more about privacy and better solutions!

From what I read on their legal T&C (If they are lying about that they would have to be pretty ballsy to be saying all this and then not respecting your privacy...) :

A. NO-LOGS PLEDGE

We will not collect any information or store any logs about your browsing activity (including queries, data destinations, IP addresses or timestamps). We are based in a jurisdiction (Panama) which laws do not require us to retain any of such data. The only information we collect in connection to your use of the Network is the information listed in this Privacy Policy below.
Additionally, as we provide the Network by creating virtual tunnels through one or more connections to other users of the Network (i.e. the Nodes, as defined in the ToU) and by using their equipment and resources to route you to your destination, it is not technically possible for us monitor your activities in the Network. In addition to our no-logs pledge this creates an additional layer of privacy for you.
Having said this we feel that it is our obligation to inform you that the Network cannot guarantee 100% privacy. We enter into binding legal agreements with our users who run the nodes in the Network to prevent them from logging and storing the traffic which passes their nodes, but we cannot promise they will not.
If the applicable law requires us to disclose your data, we will be forced to do so; however, as we collect and store just minimal data which does not allow to identify you (see below), the impact of such disclosure on your privacy will be minimal.

B. ANONYMOUS DATA

To use the Network you need to create a public / private key pair. Your public key will be passed to us to register you with the Network. Note, that this public key will not include any of your personal data and you cannot be identified by it.
When you use the Network we may collect minimal information on how the Network is used and whether the connection was successful. However, this information is anonymous and cannot identify you and we use it to develop and maintain the Network.

Please read this. The bottom line is that the entire cryptocurrency industry is rife with lies and outright scams, and so anything built on top of it is automatically suspect. They don't get a good-faith assumption at all.

@isaackielma

But please explain me how they would steal your private information if all the data is encrypted and users do not have an account?

Nobody said that. But now that you mention it, any proxy (so-called "vpn") can be a bad actor. The connection is only encrypted from you to the server. Let's assume it works like Tor, which from what I gathered about Mysterium, it's less secure than Tor. But let's give it the benefit of the doubt.
The last node before your destination, the "exit node" if you will, will see the traffic exactly as if it were you, except if it's TLS traffic, it won't be able to read it, only pass it along. (Except attacks already exist to get around this and still become a MITM) If the data isn't encrypted or the exit node broke the encryption, it can get your data. Also, the service announcements from all nodes are on the blockchain. (Yeah, turns out having a ledger everyone has a copy of isn't very private.)
Also, assuming again that this works like Tor and isn't LESS secure, the exit node can deanonymize you.

A. NO-LOGS PLEDGE

Never, ever, EVER take these at face value. They can lie, and may even be protected by a gag order requiring them to lie. They can also be ordered at any time to start logging and will do so, not being allowed to tell you. Any node could also be logging, and if they're a malicious exit node, well... They have everything.

B. ANONYMOUS DATA

To use the Network you need to create a public / private key pair. Your public key will be passed to us to register you with the Network.

Congratulations. You just reached the "fingerprint".
A persistent key pair means you can be identified. If you are deanonymized even ONCE, you will be deanonymized EVERY TIME you use the network. This is essentially an account. In fact, many of my accounts online are key pairs.
Hell, even though there are tons of other ways to deanonymize you, one way to do so would be if an exit node were owned by a site you visited, and ESPECIALLY if you logged in. They would know the exit node you connected from, would know your public key, and they could associate your public key with your account, which may or may not be tied to your REAL NAME or other PII.

Proper opsec involves treating everything you don't control as being vulnerable or even hostile, and treating what you do control as potentially vulnerable, requiring you mitigate any vulnerability you can. Using a "VPN" for privacy, is not good opsec, whether it's your usual proxy, a supposed onion network of them, or a supposed decentralized network of them.

Also, Ethereum is ALWAYS suspect. That's just opsec 101.

@LokiFawkes I was just going to add what you already did. As soon as I saw that a public/private key is used to connect you, I wanted to add that is pretty much a guarantee that it was YOU that surfed and no one else. If they ever got ahold of your device and saw your private key, that would hold up in court that you and only you could have did whatever you did on that network.

I live in Turkey and I have to use a VPN to access the outside network and international social media like FB, Twitter, and YouTube. I have been using pandavpn for a while. Wish it to be stable.

Please read this. The bottom line is that the entire cryptocurrency industry is rife with lies and outright scams, and so anything built on top of it is automatically suspect. They don't get a good-faith assumption at all.

So you defend your own gists with other of your own gists you made? Can I just make a million gists and link them all to each other?

@lydia307 Use Nord. They had a fire at one of their centers and recovered from it with no downtime. Or use Proton, their email is encrypted and they have decent speed, I'm on a free tier for basic stuff and have no complaints. Both Nord and Proton claim to be no log and Proton is extremely privacy focused as a whole. They're much better than a lot of the other ones out there. Tl;dr- don't use panda. There are better ones.

Definitely look into the 5 eyes/9 eyes/whatever. I didn't know it was a thing but for sure, a no log policy is only as good as the government that regulates the company. If they're mandated to track people, there's nothing you can do about it. I look for companies with a good track record and who have servers physically located in countries I prefer. A VPN is just a tool, know the limitations and use it appropriately.

@130rne They're also famous for lying about not logging. Proton removed their no-logs policy from their mail service because it turned out they are still beholden to a government, which has forced them to collect logs on an activist. Nord is owned by a datamining company, and NordVPN users have gotten caught. Not to say these aren't useful to bypass geofilters or a nationstate firewall, but don't take their no-logs policies at face value, let alone advertise them without at least making them pay you for it.
(Edit: Earlier the whole message wasn't showing)
Okay now that the whole message is showing for me, most of what I said above still applies, but uh... Just thought I'd add this on to acknowledge that my response was a bit redundant.

@LokiFawkes 👍 Impossible to exist in other countries without playing by their rules. Notice I said "claim to be" and "better than a lot of others" lol. Better doesn't necessarily mean good. It is what it is.

Lydia wanted something more stable and I expect Nord and Proton are a lot more stable than others. Also Surfshark from what I've seen. You can't trust anyone 100% so for me it's more about just getting the damn thing to work. Even outside of logging, there are only a few that I would use. A lot of them are a pain in the ass and have slow speeds and disconnects etc. Even Proton gave me issues on my desktop, on my phone it's been fine.

Everybody ignore @jakylala until someone with power can delete that post. It’s an ad and a phishing scam. The link is a fake storefront and will steal your card info. Report isn’t working.

netlify.app 😂 gtfoh

@130rne They're also famous for lying about not logging. Proton removed their no-logs policy from their mail service because it turned out they are still beholden to a government, which has forced them to collect logs on an activist. Nord is owned by a datamining company, and NordVPN users have gotten caught. Not to say these aren't useful to bypass geofilters or a nationstate firewall, but don't take their no-logs policies at face value, let alone advertise them without at least making them pay you for it. (Edit: Earlier the whole message wasn't showing) Okay now that the whole message is showing for me, most of what I said above still applies, but uh... Just thought I'd add this on to acknowledge that my response was a bit redundant.

Is Tutamail a more private option?

Is Tutamail a more private option?

No clue. They're end to end encrypted? Proton mail is. What we're talking about is the originating IP, it's required for receiving any kind of data from the server. If you're only sending data out, the source IP doesn't matter. Even with VPNs the service needs to know your public IP address which means it has records of your IP and the server you connect to. Nothing can get around that. Encrypted is more private, yes, they don't see the data itself. But it's like a home mailing address, the post office needs to know where to send the mail.

As a counterargument to this Gist by @joepie91, Consumer Reports published a report on popular VPN service providers (PDF, 48 pages). Covers security, privacy, and other issues such as logging and transparency reports. If people are going to use VPN service providers, such as at a coffee shop or other untrusted network, understanding how to grade a VPN service provider can be important. This PDF does that. Their final recommendation for users is:

Of the 16 VPNs we analyzed, Mullvad, PIA, IVPN, and Mozilla VPN (which runs on Mullvad’s servers)—in that order—were among the highest ranked in both privacy and security. However, PIA has never had a public third-party security audit. Additionally, in our opinion, only IVPN, Mozilla VPN, and Mullvad—along with one other VPN (TunnelBear)—accurately represent their services and technology without any broad, sweeping, or potentially misleading statements.

This report was presented at ShmooCon 2022 by Yael Grauer. Accompanies the following posts by Consumer Reports:

• https://www.consumerreports.org/vpn-services/should-you-use-a-vpn-a5562069524/
• https://www.consumerreports.org/vpn-services/vpn-testing-poor-privacy-security-hyperbolic-claims-a1103787639/
• https://www.consumerreports.org/vpn-services/mullvad-ivpn-mozilla-vpn-top-consumer-reports-vpn-testing-a9588707317/
• https://digital-lab-wp.consumerreports.org/2021/12/07/consumer-reports-digital-lab-evaluates-the-security-and-privacy-of-vpns-running-on-windows-10/

@atoponce If you're using a VPN because you don't trust a network you joined, maybe host your own VPN instead. People using VPN services are usually trying to hide entirely or to get around geofilters. The ones trying to prevent being snooped on in unsafe networks are better off using a self-hosted VPN, which will not only hide their traffic from the rest of the coffee shop (which was already encrypted in this day and age), but can also allow them access to network resources they have at home.
As some of your links have mentioned, there really is no need for a VPN service anymore for privacy or to prevent MITM attacks.

@LokiFawkes Hosting a VPN isn't a good general recommendation for most people. It works for system administrator types, if they stay on top of patching known vulnerabilities of the VPN software and the system it's running on.