Don't use VPN services.

vpn.md

Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.

• A Russian translation of this article can be found here, contributed by Timur Demin.
• A Turkish translation can be found here, contributed by agyild.
• There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two usecases where you might want to use a VPN:

1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using Wireguard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.

---

This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.

---

Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

@aptblog Ad bot spotted. VPN services (glorified proxies) do not improve your security. In the age of HTTPS and DoT/DoH, your attack surface is on the client end and the server end. The attack surface is nowhere in the middle. At best, a man in the middle might get the hostname of a service you're connecting to at the handshake in the beginning of a TLS connection, a connection that could last from seconds to years, and that's if a method of encrypting the SNI (ESNI, ECH, etc) is not being implemented. Since the Web2 era, in which most sites are hosted on just a few servers, IP addresses are kinda useless for spying on users.

Things you can do to protect your browsing habits at home from being discovered by a MITM such as a hacker or your ISP:
Use DoT or DoH. DoT is superior for security and more lightweight, but browsers typically require DoH to implement ECH, the current encrypted SNI standard. Though currently they also hide this feature behind a config flag, too.
Enable ECH in your flags, even if you won't be able to use it due to your DNS configuration.
Set up a recursive resolver in your LAN, configure it to connect to other DNS servers via DoT. This server will cache your queries for a predefined length of time known as a Time To Live (TTL), either the TTL of the DNS record or the TTL the resolver has set globally, whichever is shorter. Hard mode: Use reverse-proxy software to implement DoH with this server as the DNS server, enabling you to use ECH on your favorite browser (they really should enable this for using DoT as well)

By encrypting your DNS queries and minimizing the amount of queries that reach WAN, all people see is you connecting to servers that usually host multiple domain names. By encrypting the Server Name Indicator, even the TLS handshake between you and a site will contain no usable data. At that point, only you and the site you connect to have any idea what's going on. From there, browser extensions that block ads and analytics further protect you. You can also blackhole certain hostnames on your resolver to minimize tracking where browser extensions aren't an option (mobile, for example) though that can come with its own set of functionality penalties.

Without the hostname, if a server hosts multiple sites, nobody knows what you're actually connecting to. They might be able to guess that yl-in-f101.1e100.net is probably an edge server for google.com, but they wouldn't be certain that the site is google.com and not, for example, just a site using Google's cloud services as a CDN.

@LokiFawkes Agreed. At least I hope. His primary arguement is directly addressed by OP.

@aptblog "(VPN) improves the security of your social media accounts by encrypting your internet connection and masking your IP address and location."

vs

@joepie91 " VPNs can't magically encrypt your traffic" & "Your IP address is a largely irrelevant metric in modern tracking systems."

also,

@joepie91 "claims that have already been addressed in the article... doesn't belong here."

Defense in depth approach for security and VPN & Social Media Account Security.

Defense in depth is a security strategy that involves implementing multiple layers of defense at different points within a system or network. The goal of defense in depth is to make it more difficult for attackers to compromise the security of the system or network by requiring them to bypass multiple layers of defense.

Defense in depth is needed now more than ever as more employees work from home and as organizations increasingly rely on cloud-based services and social media is a weak human link in security.

Some examples of different layers of defense that might be included in a defense in depth strategy include:

Physical security measures, such as locks and security guards, to protect against physical attacks.
Network security measures, such as firewalls and intrusion detection systems, to protect against network-based attacks.
Application security measures, such as input validation and authentication controls, to protect against attacks targeting specific applications or services.
Data security measures, such as encryption and access controls, to protect against unauthorized access to sensitive data.

A virtual private network (VPN) is a network technology that creates a secure, encrypted connection between a device and a VPN server.

This can provide several benefits, including:

Privacy: By routing traffic through the VPN server, a VPN can hide the device's IP address and make it more difficult for third parties to track the device's online activity.
Security: The encrypted connection provided by a VPN can help protect against various types of cyber threats, such as man-in-the-middle attacks and data leaks.
Geo-blocking: Some websites and services are only available in certain countries. By connecting to a VPN server in a different country, a user can "trick" these websites into thinking they are located in the allowed country, allowing them to access restricted content.

VPN is only one component of a defense in depth strategy, and it should be used in combination with other security measures to provide the greatest level of protection.

Defense in depth for a social media account:

Choose strong and unique passwords: Use a password manager to create strong, unique passwords for your social media accounts, and enable two-factor authentication (2FA) if it is available. This will help protect against password-based attacks, such as brute-force attacks or credential stuffing.

Be cautious with links and attachments: Be cautious when clicking on links or downloading attachments from unknown sources, as these can potentially be used to deliver malware or phishing attacks.

Use privacy settings: Use the privacy settings provided by the social media platform to control who can see your posts and personal information.

Be aware of scammers and impersonators: Be aware of scammers and impersonators who may try to trick you into giving away personal information or money.

Use antivirus software: Install antivirus software on your devices and keep it up to date to help protect against malware.

Avoid sharing sensitive information: Be mindful of what personal information you share on social media, as this information could potentially be used to target you with attacks.

@aptblog The application of VPN technology in a defense-in-depth strategy involves using an actual VPN, not a "VPN" service. VPNs are used in a defense in depth strategy to connect employees to a private network, not to serve as a proxy for their WAN traffic. When it does function as a proxy, this is to keep custody of that traffic until it goes to the WAN, not to dance around the globe via an untrustworthy third party. This way, if something leaks to WAN, it leaks through the company's private network, and is either stopped by the firewall or cannot be sniffed by the employee's home ISP.

If you are using a VPN service rather than a company VPN for your defense in depth strategy, you've defeated your whole security model.

The doctrine of defense in depth is also outdated.
For example, "strong" passwords are often short but use a wide character range instead of being long. They're not memorable, they're easy for machines to bruteforce, and they're plagued by the need to write down passwords or save them in a password manager. Passphrases are king.
For another example, antivirus software as we know it is ineffective. The most effective antivirus for Windows is Defender, with many commercial offerings actually spying on you, bypassing Defender (it disables itself if you have another AV installed) and leaving doors open for malware whose developer has bribed them for whitelisting to get through. The most effective antivirus for macOS is in fact is the Gatekeeper/Notarization/XProtect stack built in to macOS. As for Linux, there is no real AV offering (just about every offering you see for Linux is either a scam or a Windows AV scanning on Linux) and the method of defense is to patch out vulnerabilities and never give anyone but designated administrators administrative privileges. Just like macOS, a password is needed when escalating to admin power, and you must be in the admin wheel to escalate.

@LokiFawkes actual VPN and VPN as service discussion is similar to choosing "Private Cloud" vs "Public Cloud".

Windows Defender a built-in antivirus software for Windows operating systems is generally effective at detecting and protecting against viruses and other malware. However keeping your OS up to date with the latest security patches and updates, enabling virtualization-based security, and using cloud storage service to store your important files and documents adds extra layer to security.

The doctrine of defense in depth is a military strategy that involves positioning defensive forces at various levels or depths in an area in order to create multiple layers of defense. While the specific tactics and technologies used in defense in depth may change over time, the fundamental principles behind this strategy remains relevant.

The doctrine of "Defense in depth" can be applied in a variety of contexts, including military, cybersecurity, and critical infrastructure protection.

Doctrine of defense in depth can also be applied to emotional security or personal security.

Here are some ideas for how to build a defense in depth for emotional security:

Identify and address sources of stress: Identify the things that cause you stress, such as work, relationships, or financial issues, and take steps to address them. This might involve seeking support from friends and family, seeking therapy, counseling, finding ways to manage your workload more effectively.

Practice self-care: Take care of yourself physically and emotionally by getting enough sleep, eating well, exercising, and engaging in activities that bring you joy.

Build a support network: Surround yourself with people who are supportive and who you can turn to for help when you're feeling overwhelmed or distressed.

Develop coping skills: Learn techniques for managing your emotions and coping with stress, such as deep breathing, meditation, or journaling.

Seek professional help if needed: If you're struggling to cope with stress or negative emotions on your own, consider seeking help from a mental health professional or a health coach.

@aptblog No, actual VPN vs VPN service is similar to choosing self hosted vs public cloud.

Audits of antivirus software showed the best to be Defender, which also happens to be the one that comes with Windows. Currently, as OS developers put their money into providing an antivirus, they've proven to be the best to turn to when protecting the OS they develop. Virtualization-based security is typically not needed unless you're downloading shit from Softonic, and even then, most malware you'll be worrying about can break the hypervisor or simply get sufficient permissions from the user for the hypervisor not to be a threat to its goal.

Cloud storage is not a form of security. You're thinking of backup, but also, it's not a form of backup either. It's not an archival service, it's a centralized sync service. Centralizing your files to Muh Cloud can actually make it easier for malware to destroy your data thoroughly enough that without a real backup you'll be unable to retrieve it.

If the doctrine of defense in depth hasn't embraced long passwords, it's outdated. End of.

Is protonvpn trustworthy? There is no way to confirm it to be trustworthy but they seem so legit :( https://protonvpn.com/blog/is-protonvpn-trustworthy/

Is protonvpn trustworthy? There is no way to confirm it to be trustworthy but they seem so legit :( https://protonvpn.com/blog/is-protonvpn-trustworthy/

I would be curious to know if OP read anything especially convincing in their lists of reasons to trust them.

I vote for my all-time favourite VPN. StreamVPN is an excellent virtual private network (VPN) service that offers its users a fast, secure, and private internet browsing experience. The service is easy to use and has a user-friendly interface that makes it easy for even those new to VPNs to navigate.

One of the standout features of StreamVPN is its ability to bypass internet censorship and geo-restrictions. With servers in multiple locations, users can easily connect to a server in a different country and access content that may be restricted in their region. This makes it an ideal VPN for users who want to stream content from other countries or access websites that may be blocked.

Another great feature of StreamVPN is its strict no-logs policy, which ensures that user activity and connection logs are not stored. This means that users can enjoy a high level of privacy and security while browsing the internet.

StreamVPN also offers fast connection speeds, which is essential for users who want to stream high-quality content or engage in online gaming. Additionally, the service offers excellent customer support and has a dedicated support team available 24/7 to assist users with any issues they may encounter.

Overall, StreamVPN is an excellent VPN service that offers its users a great mix of privacy, security, and functionality. It is a reliable and efficient VPN that is well worth considering for anyone looking for a top-quality VPN service.

I vote for my all-time favourite VPN. StreamVPN is an excellent virtual private network (VPN) service that offers its users a fast, secure, and private internet browsing experience. The service is easy to use and has a user-friendly interface that makes it easy for even those new to VPNs to navigate.

One of the standout features of StreamVPN is its ability to bypass internet censorship and geo-restrictions. With servers in multiple locations, users can easily connect to a server in a different country and access content that may be restricted in their region. This makes it an ideal VPN for users who want to stream content from other countries or access websites that may be blocked.

Another great feature of StreamVPN is its strict no-logs policy, which ensures that user activity and connection logs are not stored. This means that users can enjoy a high level of privacy and security while browsing the internet.

StreamVPN also offers fast connection speeds, which is essential for users who want to stream high-quality content or engage in online gaming. Additionally, the service offers excellent customer support and has a dedicated support team available 24/7 to assist users with any issues they may encounter.

Overall, StreamVPN is an excellent VPN service that offers its users a great mix of privacy, security, and functionality. It is a reliable and efficient VPN that is well worth considering for anyone looking for a top-quality VPN service.

Says someone that just subscribed to Github. It seems more an advert/affiliate link.

I vote for my all-time favourite VPN. StreamVPN is an excellent virtual private network (VPN) service that offers its users a fast, secure, and private internet browsing experience. The service is easy to use and has a user-friendly interface that makes it easy for even those new to VPNs to navigate.

One of the standout features of StreamVPN is its ability to bypass internet censorship and geo-restrictions. With servers in multiple locations, users can easily connect to a server in a different country and access content that may be restricted in their region. This makes it an ideal VPN for users who want to stream content from other countries or access websites that may be blocked.

Another great feature of StreamVPN is its strict no-logs policy, which ensures that user activity and connection logs are not stored. This means that users can enjoy a high level of privacy and security while browsing the internet.

StreamVPN also offers fast connection speeds, which is essential for users who want to stream high-quality content or engage in online gaming. Additionally, the service offers excellent customer support and has a dedicated support team available 24/7 to assist users with any issues they may encounter.

Overall, StreamVPN is an excellent VPN service that offers its users a great mix of privacy, security, and functionality. It is a reliable and efficient VPN that is well worth considering for anyone looking for a top-quality VPN service.

Bot detected 1000000%

So, Mullvad isn't trustworthy?

Trust Mullvad as far as you can throw it. Don't expect it to keep your network traffic a secret any more than any other service, though it does have less data-broker baggage than many others.