Don't use VPN services.

vpn.md

Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.

• A Russian translation of this article can be found here, contributed by Timur Demin.
• A Turkish translation can be found here, contributed by agyild.
• There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two usecases where you might want to use a VPN:

1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using Wireguard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.

---

This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.

---

Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

A few comments:

• I think you are being to harsh on VPN services here. I understand that we cannot know for sure if a specific VPN provider is not logging you, but I wouldn't go so far as to say that none like that exist. It's a bit of a gamble, maybe, but sometimes that's better than nothing.
• Additionally, I use a free VPN service to access geo-blocked content and to bypass network restrictions. I don't really trust it's privacy value, given that it's free, but for my purposes I'm content with that. And also, being a free tier of an otherwise paid service, it has an nice-looking and intuitive UI, much more than can be said for many open source projects.

Overall, given that VPNs provide benefits outside of privacy, and that privacy may very well be also provided, I think VPNs, even paid ones, have their place. But I don't think that this should detract from your argument that with no verifiability, VPN privacy may often be false advertising.

I use VPN (OpenVPN with Pihole), with a private/ dedicated ip address, on a private VPS server, only to hide my traffic from my ISP (ISP's have the biggest share in selling data), to hide my true location for the websites I visit, to block ads and to block sites like facebook, google from tracking me... and to log my own network activities. In this way I have found a virus on my computer sending packages of information every hour to a certain host. Legally they could find out what websites I visit, but a VPN adds another threshold for them to find out. Don´t give them (legal agencies) any reason to track you down. Doing something illegal on the internet is extremely stupid, even with a VPN.

quite a lot of comments and discussions, apparently there is no complete solution.
Except acquiring a service from some server in a corner of Eastern Europe. XD

Mullvad VPN is easily the best

Hello everyone.

These same questions that can be asked here about the cloud's open source. It is contradictory that open software works in cloud like sass (software as a service) or baas (backend as a service) etc. Because, in theory, we do not have access to any source code and the control of this server.

Some people have created the software license as AGPL for this. Although the company distributes the software to AGPL, you can never check which function is being performed. First, because we have a feeling of arrest, because you don't have the money to execute the software with your own infrastructure (hosting, physical server). And second, because we have the feeling of not knowing the future direction of the cloud product or service.

Just as we cannot trust VPNs, I don't think we should trust cloud services that uses open license as AGPL, MIT, GPLv2, GPLv3 etc. Does these concerns of mine make sense?

This approach is parroted in various MSM articles but doesn't address all the potential concerns. I trust VPN providers more than my ISP. I see no evidence that I should trust my ISP by default even if they don't MITM me. They would know every single domain I connect to on all of my devices if I didn't tunnel my traffic. Why can't I find an explanation of how my data is used/stored on their site?
https://www.privacyguides.org/en/basics/vpn-overview/#should-i-use-a-vpn

Yeah, it's a list of defeatist, often false or easily refuted bullet points written in a style of total confidence, which to some impressionable people may look like competence. Some of the bullet points are actually strawmen that nobody who uses VPNs would argue.

Why can't I find an explanation of how my data is used/stored on their site?

Can you find something like that on the site of you favourite VPN service?
Have you actually read articles that short summary on privacyguides.org is referring to?

Mullvad is the only good VPN services
Either that or tor

Mullvad is the only good VPN services Either that or tor

ivpn is pretty good too
check out https://www.ivpn.net/blog/why-you-dont-need-a-vpn

A valid reason for VPN is by NOT want to hide your VPN but make sure you connect with a trusted one, IE if you have a dynamic IP and need to go to a firewalled site, this might be a very valid point. Another valid point can be Geolocation barriers, IE many content providers block based on your countries IP. The other points are pretty valid by the way. For real privacy use Tor and make sure that you don't login with accounts that you also use on your normal connection.

"A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be."

Can I see that statistic and your dataset?

^
I'm pretty sure this is why most people need a glorified proxy service.

^ I'm pretty sure this is why most people need a glorified proxy service.

Precisely. I cannot believe the idiocy of morons on the internet with the idea that there is some way to outsmart intelligence agencies with the smartest people on the planet working together stacked against them. That there are thus conversely certain activities that "expose" one to said agencies. We need legislation to fight this battle on the same scale that this violation of user privacy operates on.

Leaked NSA documents prove that they are powerless against TOR and have been since its inception.

Dumbest article ever. Completely glosses over the utmost mission to privacy Mulvad has, or the fact that Private Internet Access is court-tested.

utmost mission to privacy

Someone can type that unironically. Fascinating.

Someone can type that unironically. Fascinating.

Someone can be this dumb unironically. Fascinating.

You can pay for Mulvad by sending in a letter with cash money. All you get back (and what they know) is an account number.

Private Internet Access has been audited too, btw : )

Anyway, I'm done here. Anyone reading this will realize how moronic this article is and just sign up for a good VPN.

Byee

OK. For those who can read unlike that chap.
PIA is a US based company. It will obey US laws by definition no matter what. Furthermore the company still uses physical drives to store user data, and those drives can be ceased by authorities.

Mullvad is better in that regard. But Sweden is a member of 14 Eyes Alliance and not a completely safe jurisdiction for a VPN provider.

@BrodyDoggo I can explain this. The purpose of a VPN is to provide a tunneled connection into a private network. It's like a proxy, except you can traverse firewalls and connect to devices over any port or protocol through it. In a proper VPN, you even get your own IP address in the private network. However, this is not how clearnet VPN services like NordVPN or ExpressVPN work. Even when they use real VPN protocols, they're just putting you into a NAT network and hiding you behind one IP address, their IP address. Essentially, the same as a proxy. They can control what ports you get to use, what protocols you get to use. Essentially, the same as a proxy. At best, with no restrictions on ports and protocols, you'd be looking at something called a SOCKS proxy. In many actual VPN setups, you might even set your virtual network adapter that's connected to the VPN, as a SOCKS proxy to prevent direct access to the clearnet. But these VPN services you see out there range from web proxies to SOCKS proxies, advertised as being more private than a proxy, and often come with proprietary apps that strip SSL so they can collect and sell your browsing habits. They even advertise this SSL-stripping function as virus protection, when in reality, their VPN cannot protect you from viruses even by stripping SSL (though if they're honest they can try), but it can make them money by collecting data. By stripping SSL, typically by replacing your root certificate so your browsing happens in an encrypted form that they can read but outsiders still can't, they not only can get your browsing habits beyond just IP addresses and DNS requests, but they can also harvest metadata AND the payload of the connection, including passwords and other personally identifying information that would have otherwise been transmitted without a man in the middle. So really the difference between a VPN and a proxy is the P in VPN - private. If it doesn't provide a tunnel to a private network, it's not a VPN, regardless of what protocol it uses or what its name is. VPN - Virtual connection to private resources like company servers Also a VPN - Virtual connection to your company or home's private network, doubling as a proxy for the clearnet Not a VPN - A tunnel to a web proxy, branded as a VPN, meant to look like you're browsing from the server you connected to rather than from where you are

If you still want to call these VPNs, the distinction would then be between Virtual Private Networks and Virtual Public Networks.

Is there any difference to them on a local perspective, like isp traffic protection and such?

Overquoting should be punishable by death.

@maoydev Between not having a proxy and having one? Not really.
Without these services, most your ISP will know is what IP you're talking to, and currently between CDN centralization and Web2 "just trust the cloud" centralization, too many services share the same IP addresses with each other for it to really matter. Aside from that, if they're clever they may catch the SNI at the start of your connection. They still can't make anything of it if you have a bunch of ongoing sessions. Once ECH catches on (and browsers start supporting ECH while using a nameserver of your own choosing), that vulnerability will be dead too. You stand to lose more privacy than you stand to gain when trusting a Virtual Public Network.

Hmmm the lone vpn simp is still at it. Almost like she gets kickbacks for each service sold.

Thinking logically, do you genuinely believe that the government would allow a means of hiding your ISP they themselves couldn't track?

Can you keep unhinged conspiracy theories out of the thread? You're not making your side look sane

Do you believe the government would allow a product they couldn't track? Yes or no? The likes of Tom Clancy and Richard Marcinko discussed communications security and spying. I would side with the experts over a shill who decries any criticism of VPNs.

I visited IP vanish for coverage. I made it through paying for the first month then I was blocked because of Cloud flare and my email

VPNs are shared, VPSes themselves (not the host) are not, so your VPS gets tied to you - not great for privacy, is it? VPNs are great for bypassing censorship in countries like China with censorship problems and you don't need to setup your own to do that, it's kinda overkill.

Dumbest article ever. Completely glosses over the utmost mission to privacy Mulvad has, or the fact that Private Internet Access is court-tested.

It doesn't touch on bypassing censorship in restrictive countries either.

so your VPS gets tied to you - not great for privacy, is it?

You get an external IP or IPs from a pool of that VPS-provider. I don't see much difference.

VPNs are great for bypassing censorship in countries like China with censorship problems...

It can be done with limited success and the result is far from great.

You get an external IP or IPs from a pool of that VPS-provider. I don't see much difference.

Sure, I can explain with difference. With a VPS, that IP is specifically tied to you for as long as you are renting that VPS. With a VPN, there is a shared pool of IPs where any individual IP can be used by multiple people at the exact same time - that's the difference. IPs are shared, not dedicated/unique.

It can be done with limited success and the result is far from great.

I guess we just disagree on this, then. VPNs are very important to these types of countries.

IPs are shared, not dedicated/unique.

Well, it's possible to choose another IP from the same pool after a while. I don't think a smaller pool compromises your identity that much but may be I'm wrong.

VPNs are very important to these types of countries.

I live in such country. The connection speed of VPN is tolerable most of the time but sometimes it slows to a crawl. And from time to time all VPN traffic, including wireguard protocol, is blocked for several hours for some reason. And there is nothing I can do on my end. Choosing another VPN provider doesn't make any difference. In these cases shadowsocks proxy with the server side on VPS works slightly better but not by much.

Well, it's possible to choose another IP from the same pool after a while. I don't think a smaller pool compromises your identity that much but may be I'm wrong.

You aren't understanding my point. Two or more people can have the same IP address at the exact same time with a traditional VPN service, whereas rolling your own VPN via a VPS means that public IP address assigned to you is only used by you and not anybody else (since you are the only one using the VPN and you are also the one responsible for hosting the VPN). That's part of why traditional VPN services claim "anonymity", because multiple people can be using the same public IP address at the exact same time, you don't know "who" is really using it. In theory, with a traditional VPN service, you could have dozens or hundreds of people using the same public IP address at the exact same time.

Well, it's possible to choose another IP from the same pool after a while. I don't think a smaller pool compromises your identity that much but may be I'm wrong.

You aren't understanding my point. Two or more people can have the same IP address at the exact same time with a traditional VPN service, whereas rolling your own VPN via a VPS means that public IP address assigned to you is only used by you and not anybody else (since you are the only one using the VPN and you are also the one responsible for hosting the VPN). That's part of why traditional VPN services claim "anonymity", because multiple people can be using the same public IP address at the exact same time, you don't know "who" is really using it. In theory, with a traditional VPN service, you could have dozens or hundreds of people using the same public IP address at the exact same time.

Most hosting providers will sell you additional IPs for your VPS at €1/mo and you can rotate your IPS all you want (and get completely new ones every month). And you can share your VPN with as many people as you like. So for the cheapest €13/mo N**dVPN plan you can get a server with like 10+ IPs, share with all your friends and even sell it if you want.

When multiple people use 1 IP, the service you are connecting to doesn't know that. So if it tracks an IP, it tracks it the same way regardless if it's from a VPS or VPN. Your VPS could as well be a VPN host used by thousands of people. That's why no service identifies users by IP. Even your home network IP will change (unless you're paying for one that doesn't). I won't even start talking about mobile data IPs.

If you want 1000% anonymity, you can't get that with anything online. If someone really really wants to know who you are, they can. "No log" VPNs have proven to have logs in the past, and if you don't control the VPN yourself to know for sure, are you willing to risk your 1000% security requirement based on trust in a corporation? And if you have a VPS, authorities can always find who you are through the VPS hosting provider. You can't get a new internet subscription without the ISP knowing who you are, so that's out of the options as well.

Furthermore, any service that really wants to, can easily block access to all VPS or VPN etc IPs. How? Every IP belongs to an ASN and all ASNs are publicly registered. Is the ASN a residential ISP? Or is it an ISP for data centres?

Don't waste money on VPN. Waste significantly less money on VPS.

Except that many VPS providers are very stingy on IP allocations and will require you to provide justification before they sell you any more IPs. Linode for instance even calls out certain reasons like multiple website domains as not valid excuses because virtual servers and SNI allow multiple sites to share an IP.

They are a lot more generous with IPv6 but of course that cannot connect without a proxy to IPv4-only endpoints.

Most hosting providers will sell you additional IPs for your VPS at €1/mo and you can rotate your IPS all you want (and get completely new ones every month). And you can share your VPN with as many people as you like. So for the cheapest €13/mo N**dVPN plan you can get a server with like 10+ IPs, share with all your friends and even sell it if you want.

Hosting providers can be pretty strict about this actually, you'd be surprised.

When multiple people use 1 IP, the service you are connecting to doesn't know that. So if it tracks an IP, it tracks it the same way regardless if it's from a VPS or VPN. Your VPS could as well be a VPN host used by thousands of people. That's why no service identifies users by IP. Even your home network IP will change (unless you're paying for one that doesn't). I won't even start talking about mobile data IPs.

Sure, that's fair, but a VPS is much less likely to be used as a VPN host than an actual VPN host itself with it's own rented/purchased dedicated hardware. A VPS is much more likely to be a 1-to-1 type of situation.

"No log" VPNs have proven to have logs in the past

Except for the ones that have, you know, literally been tested in court. Of course, that's not to say that they won't change it in the future, but still better than having it not tested at all.

Furthermore, any service that really wants to, can easily block access to all VPS or VPN etc IPs. How? Every IP belongs to an ASN and all ASNs are publicly registered. Is the ASN a residential ISP? Or is it an ISP for data centres?

Sure, but a lot of companies will avoid this because they realize there are countries with horrible censorship and don't want to punish legitimate users from those countries.

One thing I agree with you 10000% on, if you want 1000% anonymity, don't go online - it really boils down to that, it's always possible to find out who you are if someone really wants to.

Ultimately, VPNs and VPSes have different use cases and provide different functionality. I feel like people want to hate on VPNs because it's cool to do so (although I admit there are legitimate criticisms of VPNs), but they actually do have legitimate uses like easily avoiding censorship in countries with heavy censorship and they can work pretty well for this because people do use them for this.

Hosting providers can be pretty strict about this actually, you'd be surprised.

No reasonable providers are. Especially if they don't give you port 25 by default (used for SMTP and sending mail). Hosting providers would only be hurt if you use their IPs to send spam mail and get them into blocklists and unusable for other clients for mail.

Sure, that's fair, but a VPS is much less likely to be used as a VPN host than an actual VPN host itself with it's own rented/purchased dedicated hardware. A VPS is much more likely to be a 1-to-1 type of situation.

That's true, but the target service doesn't know whether you're using a VPS or not. And I'd recommend sharing your VPS-installed VPN with friends who would rather trust you than a corporation.

Except for the ones that have, you know, literally been tested in court. Of course, that's not to say that they won't change it in the future, but still better than having it not tested at all.

The only objective of VPN companies, as all other companies, is to make money, forever if possible. You can never trust a company wants what's best for you. And if you truly want security/anonymity, you don't want any trust in the equation.

I agree with what you just said, with the caveat that if you are the owner of the VPS then you become responsible for what your friends do via that VPN, rather than the responsibility falling on the VPN host company itself when using a traditional VPN service. That's one way I would think traditional VPN services would still be superior (and also ease of use since with VPN services you just download an app vs setting up your own VPN server).

...they can work pretty well for this because people do use them for this.

People use them because they have no other choice, not because of their sheer greatness.

On a side note , have tried to use Linode for a week, hated everything about them. From at least 5 fucking minutes to restart a tiny server to their retarded political activism.

On a side note , have tried to use Linode for a week, hated everything about them. From at least 5 fucking minutes to restart a tiny server to their retarded political activism.

And it's expensive. For under €4 Hetzner cloud gives you a better server with 20TB transfer. OVH currently has a promo at $1/mo for a year (but only 100 Mbps bandwidth, but I think it's unmetered). For around €5 Contabo has 4 core 6GB RAM and 32TB traffic in case you want to put something more on it. Atlantic.Net gives you a free VPS for 1 year (3 TB transfer).

This is not an endorsement for any of the companies or their services.

What political activism?

What political activism?

Probably not supporting hate/discrimination or something like that.

What political activism?

Probably not supporting hate/discrimination or something like that.

And without a passive aggressive tone that translates to...?

What political activism?

Probably not supporting hate/discrimination or something like that.

And without a passive aggressive tone that translates to...?

I do look at their TOS and it could be this clause that is grounds for termination:

be excessively violent, incite violence, threaten violence, or contains harassing content or hate speech;

Of course many hosting providers have had something similar for ages.

That doesn't mean it's desirable. IMO that clause is there just to give them grounds to ban anyone they want if there's pressure on them. "Hate speech" is meaningless and arbitrary.

They sent me several e-mails about the importance of 'hearing black voices' or with similar cheap corporate bullshit.

They sent me several e-mails about the importance of 'hearing black voices' or with similar cheap corporate bullshit.

And you decided to politicize it.

Sounds like they did.

It looks like you are this ideologically captured. Well, my condolences.
First, I don't live in US and it's not my problem Americans can't figure out why Marxism is bad for everybody. I was born and raised in USSR and it's pretty obvious to me.
Second, the only voices I care about are the ones in my head. They have some interesting ideas.

I have a feeling Godwin's about to take over any moment now.

Godwyn the Golden?

Godwin's law.

Very good post, I found it as I become more and more disappointed with my VPN service. The main reason I use VPN was so I can do locale testing for web development. My secondary reason was for cafe, airport, and hotel WiFi networks I don't trust. I am finding more and more website block my VPN which is quite frustrating as my additional incentive was to use VPN when in foreign countries, it looks like this will be less and less possible with the current IP blacklisting going on.

There's no reason not to trust wifi. All the internet uses HTTPS now. No matter who operates that wifi, they can't do anything to your traffic, and a VPN doesn't change that.

There's no reason not to trust wifi. All the internet uses HTTPS now. No matter who operates that wifi, they can't do anything to your traffic, and a VPN doesn't change that.

This is not true. There is a lot of metadata being sent unencrypted even with HTTPS with each session, that can easily provide profiling and identification means for bad actors. Cookies are often sent in plain text, which opens a way to session hijacking. Not all Internet uses HTTPS, HTTP is still in use and it is possible to intercept encrypted traffic by SSL stripping or by exploiting vulnerabilities in SSL/TLS protocol. Also, HTTPS does not protect from Cross-site Scripting (XSS). VPN protocol has it's own problems with recently discovered TunnelVision vulnerability, but Android is invulnerable to it, and that is how a lot of people use VPN. Besides, you could also use VPN to your home network where you have pi-hole and Unbound, which will cut out a lot of unwanted traffic. In my case unwanted DNS traffic makes up at least 66-75% of all, as per pi-hole blocked domains statistics. To summarize, a good VPN adds another layer of protection and security, but you still have to know what you are doing.

Cookies are sent in plaintext? Is this 2004? Vulnerabilities in SSL? XSS too for some reason?

Well, there is also another weird perk I experienced with my VPN. When I connected my VPN on the Disney cruise I got free WiFi, you just have to disconnect to use their app for Disney stuff. Typically you have to pay for WiFi usage on the Disney cruise.

Cookies are sent in plaintext? Is this 2004? Vulnerabilities in SSL? XSS too for some reason?

I have just visited nytimes website via HTTPS. Out of 12 cookies, 5 were without 'secure' flag, which means that they are being sent unencrypted, in clear text.

Vulnerabilities in all protocols are popping up all the time. SSL is not an exception. Check CVE database. CVE-2014-0160 is one of the most recent ones.

What XSS too? Are you sure that you know what are you talking about?

Yeah, I am sure. Are you? What does this have to do with VPNs?

You said that HTTPS is an alternative to VPN on any wifi. It is not. With VPN all traffic is hidden from anybody on that wifi, even not web related. With HTTPS it is not. HTTPS only works within the application layer of TCP/IP protocol and that is not the only protocol your device uses on the network. It is just a portion of traffic.

You clearly have no idea what are you talking about, so come back to discuss when you learn a bit about networks and protocols and in the meantime, delete your misleading comments before anyone else reads them.

Nice impotent rage

I can see that you are not burdened by the complexities or harsh realities of this conversation. Ignorance is bliss. Enjoy it.

I can see that you're an internet tough guy know it all

Cookies are sent in plaintext? Is this 2004? Vulnerabilities in SSL? XSS too for some reason?

Tell me you don't know what you're talking about without saying you don't know what you're talking about.

Web is shitty like that. If you're not using your corporate overlords' preordained DoH servers, you can't even get Encrypted Client Hello, due to the way browsers want to shove this shit down our throats. Let alone cookies and other metadata. XSS on the other hand, is a constant cat and mouse game. Threats get better and better at Cross Site Scripting while we try to block it. Google for example really loves to skirt around XSS protection in browsers and extensions. The only real defense against XSS is running no scripts at all, and good luck getting anything done that way on the modern web. Plus even that isn't an absolute defense.

This isn't a contest of who can copypaste the most buzzwords from wikipedia, and your little rant has nothing to do with VPNs.

This isn't a contest of who can copypaste the most buzzwords from wikipedia, and your little rant has nothing to do with VPNs.

You literally asked.

VPNs won't protect you from XSS, if you were wondering.

nukeop is a vpn shill who repeatedly got into trouble with Github for the offensive content she posted. Ignore her and she will go away.

nukeop is a vpn shill who repeatedly got into trouble with Github for the offensive content she posted. Ignore her and she will go away.

That thing's a girl? I thought it was a robot.

DNS traffic isn't encrypted either. You can see for yourself with 'ngrep port 53'. Just plain text.
But yeah, nukeop always has been like that.

I accept your concession.

Thought you said you were done. Can't believe a word you say.

DNS traffic isn't encrypted either. You can see for yourself with 'ngrep port 53'. Just plain text. But yeah, nukeop always has been like that.

However, sensitive info like passwords, credit card numbers, etc. is not passed via DNS, and one can use a DNS over HTTPS service to encrypt their queries.

Or just set up DNS over TLS in Unbound.

Some VPN services even offer their own DNS solutions in addition to tunnels.

Some VPN services even offer their own DNS solutions in addition to tunnels.

Yeah that's standard, as a proper VPN connection for any amount of privacy can't have leaks and can't get by simply tunneling a query to a public dns through their tunnel, it'd increase latency noticeably. But also, that means the data broker running your Virtual Public Network sees the queries even if you manage to encrypt your metadata.

And let's not pretend proxies run by data brokers aren't viewing that data.

And of course, between fingerprinting, SSL stripping (standard VPN grift), and cross site scripting, your attack surface just isn't lessened by a public proxy.

And of course, between fingerprinting, SSL stripping (standard VPN grift), and cross site scripting, your attack surface just isn't lessened by a public proxy.

Yet nobody ever thinks as to what is in those VPN client apps or whether they reconfigure your clients to accept MITM keys.

What "data broker"? We're not talking about public proxies here though.

What "data broker"? We're not talking about public proxies here though.

Unless you're talking about setting up a VPN back to your home network, and not a VPN service, you're talking about a public proxy marketed as a VPN, or as I like to call it, a Virtual Public Network.

We're not talking about that, that's just you confusing nomenclature. A VPN is very different from a public proxy, don't be intentionally obtuse.

We're not talking about that, that's just you confusing nomenclature. A VPN is very different from a public proxy, don't be intentionally obtuse.

A VPN or a VPN service? There's a difference.

Have fun with your sophistry

You just love shitting on yourself don't you nukeop

I have just visited nytimes website via HTTPS. Out of 12 cookies, 5 were without 'secure' flag, which means that they are being sent unencrypted, in clear text.

The secure flag only means that the cookie won't be sent unless you are using secure/https connection. If you enable HTTPS-only mode in your browser (or its policy), even not-secure-flagged cookies won't be independently sent insecurely.

If you explicitly navigated to a http:// site and accepted the prompt about connection not being secure, then the not-secure-flagged cookies would be sent in plaintext alongside everything else. A VPN wouldn't encrypt them between the VPN server and the target domain either.

Thank you for accidentally inspiring me to blog about browser policies to enforce HTTPS everywhere.

• https://aminda.eu/blog/english/2024/05/17/https-everywhere.html

The types of cookies that are sent without this flag don't matter anyway, they're usually simple user preferences.

@Mikaela
I read the blog, and thanks for clarifying about cookies. I just wanted to remind you that I responded in the context of nukeop claiming that HTTPS can be an alternative to a VPN on any WiFi network. I need to emphasize that HTTPS only encrypts web traffic, nothing else. A VPN encrypts the entire traffic between the user and the VPN server, so it does offer better security on a random WiFi network, provided the VPN server is trustworthy and configured correctly. Additionally, nothing stops anyone from using HTTPS-only over a VPN; these technologies are not mutually exclusive. Moreover, it is also possible to use a VPN inside another VPN with HTTPS-only.

@nukeop
User preferences are used for fingerprinting and tracking, so they do matter a lot.

What's your threat model and what data that isn't encrypted by HTTPS is a vulnerability for you?

Not encrypted by HTTPS: text messages, voice and video calls, VOIP, instant messaging, file sharing (torrent), metadata (timestamps, location information, device identifiers), some media streaming like Twitch, emails.

Ok, let's consider this point by point:

• Text messages: SMS protocol is not affected by VPN. SMS messages are not sent over the internet, so they don't touch wifi.
• Voice, video calls, VOIP, media streaming (Twitch): this is commonly realized by web sockets, and WSS lets you encrypt traffic with TLS as you do with HTTPS
• Instant messaging: usually realized via HTTPS
• File sharing (torrent): BitTorrent supports protocol encryption
• Metadata: there are many different kinds but those you named are parts of data sent over HTTPS
• Emails: depending on your client, will be secured by HTTPS between you and your email server, and the connection between your email server and the destination server is not affected by your VPN. GPG can be used to encrypt email

You're free to unsubscribe and stop spreading made up false claims. I will also report posts with unhinged, fabricated information about me.

SMS messages these days are sent via the internet, not GSM. I'm just not sure if it's from the BTS or the local device.

Twitch sends streams via RTMP with low security.

TeamSpeak and Discord are also unencrypted by default, using proprietary protocols.

Most torrent clients send data unencrypted and share IP addresses.

Even if clients and protocols support encryption, it does not mean it is used for all traffic.

Overall, you are relying on each application you use to correctly implement encryption and take care of your privacy and security on a random Wi-Fi network, when their priority is delivery. This creates a significant attack surface.

You're free to unsubscribe and stop spreading made up false claims. I will also report posts with unhinged, fabricated information about me.

And you're free to fuck right the hell off. If reporting worked, you wouldn't be here.

SMS messages these days are sent via the internet, not GSM. I'm just not sure if it's from the BTS or the local device.

Twitch sends streams via RTMP with low security.

TeamSpeak and Discord are also unencrypted by default, using proprietary protocols.

Most torrent clients send data unencrypted and share IP addresses.

Even if clients and protocols support encryption, it does not mean it is used for all traffic.

Overall, you are relying on each application you use to correctly implement encryption and take care of your privacy and security on a random Wi-Fi network, when their priority is delivery. This creates a significant attack surface.

Pretty sure Twitch, TeamSpeak, and Discord wrap their protocols in HTTPS.

When used in a browser, secure protocols are pretty much mandatory for the browser not to complain.

Thanks for the info. I rest my case with Twitch, TeamSpeak and Discord then.

https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/
This is funny.

That article doesn't seem to be supported by facts. One such sentence I found funny

They are run either by Chinese nationals or located in China. It means user data is likely open to Chinese authorities.

That's pure speculation, or rather, a made up accusation based on nothing. Most people are concerned with their browsing metadata being shared with the five eyes countries.

https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/
The article contains this link among many others.
But you need a basic education to read more than just 'key takeaways' obviously.

Still, a Chinese company may own several VPN brands, but there's nothing factual to suggest that they are sharing any nebulously defined "data" with any government.

Apart from the fact that TLC is literally a state-owned enterprise.
'The lady doth protest too much, methinks'.

What's that supposed to mean and what is TLC?

Exactly.

Okay, once you want to support what you're saying with arguments you can come back to the thread any time.

He meant TCL, and if you don't know what TCL is, maybe try reading the source or looking them up instead of playing incredulity.

It does not support the claim that "It means user data is likely open to Chinese authorities" which that article made. It's simply a Chinese company.

It's a red herring; not an argument against VPNs in particular, it's just a vague anti-China sentiment masquerading as reason. The same kind of handwaving can be used against pretty much any Chinese product; or any product where there are several brands owned by larger companies. Yes you need to do your homework and figure out which ones are trustworthy.

Wholly state-owned company, Batman. You don't think Nukeop could be a CCP shill do you?

VPNs, Virtual Private Networks, are useful for securing the path of a connection to a private resource.
Virtual Public Networks, or VPN services, are proxies usually owned by nationstates and databrokers. That's what you should not trust any farther than you can throw, and it's kinda hard to throw someone else's datacenter very far at all.

Okay, once you want to support what you're saying with arguments...

Everything you asked about is already in those two articles. If you can't read, it's your personal tragedy. If you don't know what a state-owned enterprise means and cannot be bothered to learn, you can try to live with it I guess. I see no other options.

There are wholly state-owned companies in every country.

As I said, this isn't even an argument against VPNs in general. You can distrust state-owned companies, but there are VPNs not owned by them. There are many provably secure ones to choose from.

Even then, they're pretending an SOE is something suspicious or odd and don't offer any additional arguments, counting on pre-established anti-Chinese sentiment because this kind of propaganda is prevalent in American media lately.

they're pretending an SOE is something suspicious or odd...

I know perfectly well how this works under totalitarian regime because I fucking live in such a country, as I've already said. This level of naivete you demonstrate here is beyond good and evil.

I prefer to base arguments on things that are objective and provable.

You prefer to flood any discussion with 'what ifs?' and 'whys?' and ignore any arguments that don't fit your narrative.

What is an article with a vague reference to the fact that some VPNs are owned by some company connected to a government of some country if not a "what if"? That's not an argument for or against any properties or characteristics of the VPN technology, it doesn't mean anything for the principles of this technology, etc.

Why we shouldn't trust companies infecting our devices with malware? I have no idea...
And the fact I found cute is that you try to discredit the whole article based on that claims about Chinese companies. But they are just a small part of the whole story about a few companies owning the majority of available VPN services.

By itself it doesn't mean anything. It's a common business practice for companies to own dozens of brands. Look at Unilever. I'd rather focus on actual objectively provable downsides.

That's a well known propagandistic tool. Nothing is objectively good or bad, nothing is certain, it's all relative, evidence are insufficient etc.

Once you find something real to get mad about, feel free to let me know. Until then...

Is it possible to add that link I posted to the article above? Because nukeop did a good job burying it under the two screens of irrelevant crap.

You're gonna have to do better than SEO content farm.

Spend the most of my life here like you?

I prefer to base arguments on things that are objective and provable.

Great. Now prove your trust in these entities is warranted beyond a shadow of a doubt. Objectively, of course. Not something subjective like "They've yet to fuck me" or uncertain like "They claim to have a no logs policy". Surely you're not taking an unprovable position.

So you just distrust everyone until proven otherwise. Ok, but that's not an argument against VPN technology.

So you just distrust everyone until proven otherwise. Ok, but that's not an argument against VPN technology.

You're still continuing that red herring, eh? Nobody's arguing against VPN technology. We're arguing against trusting VPN services, which half the time are BARELY or even NOT using VPN technology, and even when they are, are usually spying on you, using tactics like traffic logs, SSL stripping, and DNS logs.

That's also not an argument, because there are many trustworthy services that don't do any of these things.

That's also not an argument, because there are many trustworthy services that don't do any of these things.

Still awaiting definitive proof of that, since your argument is essentially that we shouldn't doubt any of them.

Jaysus, can you stop trolling?

In my experience only 3 VPN providers are OK to trust with normal daily activities: Mullvad, Proton & IVPN. Mullvad and IVPN can be paid for with cash. Mullvad does not require a registration, they only supply an account number. Proton can be used for free* in a limited fashion. Each have pros and cons, but generally I think that they are usable.

• They say that it is not free, but paid for by paying subscribers.

Any valid and based reasons why not to trust them? Not conspiracy theories, or principle VPN dissing.

Jaysus, can you two stop trolling?

In my experience only 3 VPN providers are OK to trust with normal daily activities: Mullvad, Proton & IVPN. Mullvad and IVPN can be paid for with cash. Mullvad does not require a registration, they only supply an account number. Proton can be used for free* in a limited fashion. Each have pros and cons, but generally I think that they are usable.

* They say that it is not free, but paid for by paying subscribers.

Any valid and based reasons why not to trust them? Not conspiracy theories, or principle VPN dissing.

As with anything you cannot verify, trust it as far as you can throw it. They're still a proxy, they're still capable of logging, and in the case of Mullvad and others that you can pay for in cash or monero, that only means they have less to identify you with. Proton has complied to identify a target in the past, so that's probable cause not to use Proton. Mullvad is the only one I'd touch with a 10 foot pole and I still treat it with zero trust. And that's kinda the point here. None of these services can ultimately be trusted to protect your privacy. They could fuck you at any time, and you wouldn't know til it's too late. This is why practicing proper opsec is more important than trusting a service. If you'd... Read the article, you'd know the point of this discussion.

My point in this discussion is that you should doubt anything you cannot verify. Nukeop is arguing that you shouldn't doubt what you can't verify, or at least that's what he appears to be arguing.

They're still a proxy

A VPN is not a proxy and insisting on that so far into the conversation means you are being willfully ignorant. That doesn't make your arguments any better, in fact the opposite.

Proton has complied to identify a target in the past, so that's probable cause not to use Proton.

AFAIK that was an IP and browser fingerprinting for Proton Mail (which can be accessed via TOR) in a case in 2021 and recovery email from Apple given to Proton Mail upon registration (unnecessarily) from last month. There was no ProtonVPN related cases, were they?

Of course, a proper opsec is the most important, but for daily (legal) use, with just privacy in mind, on a public WiFi for example, the three services I mentioned are the only ones I'd use.

I read the article, and there is a bunch of generalizations and consipracy theories in it. It has its merits, but it does not apply to all VPN services equally, at this point in time, in my opinion.

For critical endeavours total distrust is crucial, but for day to day activities some VPN providers may be valid.

Any business will comply with lawful orders if they want to continue operating. It's unreasonable to expect anything else, especially in clearly criminal cases. You just need to think how to limit what information you give them, and they have to think how to limit what information they store. In that case, that person has willingly saved that email, so they dug their own grave.

Any business will comply with lawful orders if they want to continue operating. It's unreasonable to expect anything else, especially in clearly criminal cases. You just need to think how to limit what information you give them, and they have to think how to limit what information they store. In that case, that person has willingly saved that email, so they dug their own grave.

So... Don't trust VPN services. Possibly only use actual VPNs for actual VPN things.
Like the article is about.

read the article, and there is a bunch of generalizations and consipracy theories in it.

What conspiracy theories? Can you give an example?

Any business will comply with lawful orders if they want to continue operating.

That's why the jurisdiction of the VPN provider is important. Yet another thing you could've learned if you had an ability to read the sources provided to you.

You're doing a huge leap, much bigger than warranted. Any business you interact with will comply with legal orders. That doesn't mean they can't be trusted at all, for any purpose. And I prefer to act on actual, real information, not on paranoid delusions thinking everyone's out to get me. If your goal is to deal drugs on the internet, etc. then yeah sure lol you better be careful who you do business with. Doesn't apply to regular VPN users though, for whom no legal orders will be issued and won't be investigated by Interpol.

That's why the jurisdiction of the VPN provider is important. Yet another thing you could've learned if you had an ability to read the sources provided to you.

You linked an SEO content farm. That's about as poor a source as it gets.

What conspiracy theories? Can you give an example?

Two examples below. Also, that "statistically speaking" phrase. Please provide statistics for this claim.

"But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.
So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you."

You're doing a huge leap, much bigger than warranted. Any business you interact with will comply with legal orders. That doesn't mean they can't be trusted at all, for any purpose. And I prefer to act on actual, real information, not on paranoid delusions thinking everyone's out to get me. If your goal is to deal drugs on the internet, etc. then yeah sure lol you better be careful who you do business with. Doesn't apply to regular VPN users though, for whom no legal orders will be issued and won't be investigated by Interpol.

Yeah cause a protestor exercising their right to protest, something that is internationally recognized these days, not just in the US, is dealing drugs.
Your average VPN service user doesn't need one at all. It doesn't help their privacy at all. They're just being shilled the service by social media ads and sponsor segments. Most of these services are owned by data brokers and nationstates, and many make outlandish promises such as virus protection, which is a huge red flag. They're not just trying to catch people doing something naughty, they're harvesting you for data and making money from that data. They sell it as a solution to hide from ISPs and data brokers only to be the data brokers themselves. They sell it as a way to protect your logins, protect your online accounts, when really you should never login to an account when using one of these services unless you're just skirting Netflix's region blocks.

You linked an SEO content farm. That's about as poor a source as it gets.

Genetic fallacy much? You can't just dismiss an article because of where it's from. If it dissatisfies you, you always have the option to search for articles elsewhere that could confirm or deny its validity. Remember, you're the one saying to trust what you can't verify. You're the one who has a bar to reach. The argument against using these VPN services is simple: You don't need it, and if you do need it, you need a real VPN, not a tunnel to redirect clearnet traffic to a third party. There are reasons not to trust them, based on jurisdiction, affiliation, and simple probable cause.

I would call it speculations. Conspiracy theory is something different. But yeah, I agree they should've provided that statistics.

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup.

When I tried to find a cheap VPS provider for my tiny server I've stumbled upon an actual fraudster from UK. And I've stopped receiving spam from him only recently after more than four years I deleted my account on one of his over9000 sites. There was no way to unsubscribe from it.
You can say it's not the same as selling a VPN service but rather similar.

You linked an SEO content farm. That's about as poor a source as it gets.

You've been leaving comments for quite a while under the article you've never read. Same goes for articles I posted links to.

Genetic fallacy much? You can't just dismiss an article because of where it's from

I can, and I just did. Those kinds of "sources" don't do you any favors. They don't bring anything interesting to the discussion, they're based on the weakest possible evidence, and they don't bother to support what they're saying with any facts either. This is because an SEO content farm article is meant to bump the website's position in Google, not to be read by humans.

I can, and I just did. Those kinds of "sources" don't do you any favors. They don't bring anything interesting to the discussion, they're based on the weakest possible evidence, and they don't bother to support what they're saying with any facts either. This is because an SEO content farm article is meant to bump the website's position in Google, not to be read by humans.

Okay so you claim that there's no evidence supporting the claim that TCL is a state-owned entity based on... The genetic fallacy of one article that mentions it.

Guess what? Every Chinese company is state-owned. It's the CCP's policy. So your argument is literally invalid here. In fact, you accepted this and pulled the "yeah but that's a good thing actually" argument, so what are you arguing against?

That is a huge oversimplification and not really accurate; it is also completely not what I said, so you're once again trying to derail the conversation with false claims.

There are many state-owned enterprises in China, just as there are in any country. it's normal for some companies in sensitive sectors like energy to be state-owned. China also has a significant number of private companies, e.g. Alibaba, Tencent, Huawei, and many others. These companies operate independently but are subject to government regulations and policies, just like in any country. Some enterprises have mixed ownership, where both the state and private entities hold stakes.

China also has a significant number of private companies, e.g. Alibaba, Tencent, Huawei, and many others. These companies operate independently but are subject to government regulations and policies, just like in any country. Some enterprises have mixed ownership, where both the state and private entities hold stakes.

Flaunting your ignorance. CCP holds a stake in every company over there. Confirmed CCP shill.

Can you back that with any sources or is it fantasy-land as always with you?

Had to unsubscribe. Spam chat bots.

Can you back that with any sources or is it fantasy-land as always with you?

Which do you want first? Huawei? https://2017-2021.state.gov/wp-content/uploads/2020/12/5G-Myth_Fact3-508.pdf
https://en.wikipedia.org/wiki/Criticism_of_Huawei

How about Alibaba? https://www.bloomberg.com/news/articles/2024-02-26/alibaba-discloses-state-ownership-in-more-than-12-business-units
https://markets.businessinsider.com/news/stocks/chinese-government-alibaba-tencent-stock-purchases-communist-party-tiktok-bytedance-2023-1
And that last link covers Tencent too. Which of course exists simply to be an arm of the CCP to begin with.

Not to mention even when the CCP doesn't "officially" or publicly have shares in a company, they have influence on all companies in China, which is exactly why international companies from outside of China segregate their Chinese operations from the rest of the company. If they didn't, companies like Google and Apple would have to give CCP influence on their entire operations or pull out of China. It's why some movies don't even make it to Chinese Disney but can still release worldwide or why the Chinese version would be censored. Even when the CCP doesn't own your company in China, the CCP owns your company in China.

No, I want information backing up that

CCP holds a stake in every company over there

It doesn't matter anyway for the sake of any argument so you are allowed to stop humiliating yourself

To hold a stake means to hold a share or otherwise exert influence on a company. This would of course be beyond the simple "regulations" like we have here in the US, but instead actual government censorship. But fun fact, any company with a CCP member as an employee (that pretty much encompasses anyone in China who doesn't want to be a slave forever, even if they end up being a slave forever regardless, so most companies fall under this) has to have an in-firm committee or branch of the CCP. That is a stake.

The CCP is buying up "golden shares" of every company in China. That is a stake.

The CCP censors all companies in China to the point of making them all propaganda outlets for the CCP. That is a stake.

Therefore,
The CCP holds a stake in every company over there.

https://www.theverge.com/2023/4/21/23692580/mullvad-vpn-raid-sweden-police
https://www.youtube.com/watch?v=hPrMtIXUh1s
Don't be a paranoid and touch some grass @LokiFawkes

Mental outlaw made a full video on mullvad vpn raid and what happened.

Have you watched this video of his: https://www.youtube.com/watch?v=GxVIa3eDdnM ?
And kids using cliche about grass spend too much time on Twitter.

To hold a stake means to hold a share or otherwise exert influence on a company. This would of course be beyond the simple "regulations" like we have here in the US, but instead actual government censorship. But fun fact, any company with a CCP member as an employee (that pretty much encompasses anyone in China who doesn't want to be a slave forever, even if they end up being a slave forever regardless, so most companies fall under this) has to have an in-firm committee or branch of the CCP. That is a stake.

The CCP is buying up "golden shares" of every company in China. That is a stake.

The CCP censors all companies in China to the point of making them all propaganda outlets for the CCP. That is a stake.

Therefore, The CCP holds a stake in every company over there.

It's a big fat lie that the government owns a stake in every company in China, there's just no distracting us from the fact that you got caught repeating lies you believed yourself. No amount of handwaving is going to change that. Just like with many other factual matters in this thread.

You really like flaunting your willful ignorance, don't you, Nukeop
I can lead you to water but I can't make you drink, and honestly, you're probably not a real horse anyway.

You were exposed and you have no facts to back that up. Just admit you were wrong and move on.

Proton has complied to identify a target in the past, so that's probable cause not to use Proton.

AFAIK that was an IP and browser fingerprinting for Proton Mail (which can be accessed via TOR) in a case in 2021 and recovery email from Apple given to Proton Mail upon registration (unnecessarily) from last month. There was no ProtonVPN related cases, were they?

Of course, a proper opsec is the most important, but for daily (legal) use, with just privacy in mind, on a public WiFi for example, the three services I mentioned are the only ones I'd use.

I read the article, and there is a bunch of generalizations and consipracy theories in it. It has its merits, but it does not apply to all VPN services equally, at this point in time, in my opinion.

For critical endeavours total distrust is crucial, but for day to day activities some VPN providers may be valid.

You’re real smart. Sincerely.