Skip to content

Instantly share code, notes, and snippets.

@joepie91
Last active June 14, 2024 06:16
Show Gist options
  • Save joepie91/5a9909939e6ce7d09e29 to your computer and use it in GitHub Desktop.
Save joepie91/5a9909939e6ce7d09e29 to your computer and use it in GitHub Desktop.
Don't use VPN services.

Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.

  • A Russian translation of this article can be found here, contributed by Timur Demin.
  • A Turkish translation can be found here, contributed by agyild.
  • There's also this article about VPN services, which is honestly better written (and has more cat pictures!) than my article.

Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that every VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's coffee, so expect them to hand you over.

But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and this was widely publicized. The reality is that most of their customers will either not care or not even be aware of it.

But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

But I want more security!

VPNs don't provide security. They are just a glorified proxy.

But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is nothing you can do about that.

When using a VPN, the only encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, the VPN provider can see and mess with all your traffic.

But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of CGNAT and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a fingerprinting profile. A VPN cannot prevent this.

So when should I use a VPN?

There are roughly two usecases where you might want to use a VPN:

  1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
  2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy specifically for that traffic - sending all of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, just don't use a VPN provider at all, even for these cases.

So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and set up your own (either using something like Streisand or manually - I recommend using Wireguard). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on LowEndTalk.

But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.


This post is licensed under the WTFPL or CC0, at your choice. You may distribute, use, modify, translate, and license it in any way.


Before you comment: Be aware that any non-constructive comments will be removed. This includes advertising for VPN providers (yes, even when you phrase the marketing claims like a question), trolling, harassment, insults towards other people, claims that have already been addressed in the article, and so on.

If your comment isn't a genuine question or a concrete counterargument supported by evidence, it probably doesn't belong here.

@Finoderi
Copy link

They sent me several e-mails about the importance of 'hearing black voices' or with similar cheap corporate bullshit.

@dxgldotorg
Copy link

They sent me several e-mails about the importance of 'hearing black voices' or with similar cheap corporate bullshit.

And you decided to politicize it.

@nukeop
Copy link

nukeop commented Mar 25, 2024

Sounds like they did.

@Finoderi
Copy link

It looks like you are this ideologically captured. Well, my condolences.
First, I don't live in US and it's not my problem Americans can't figure out why Marxism is bad for everybody. I was born and raised in USSR and it's pretty obvious to me.
Second, the only voices I care about are the ones in my head. They have some interesting ideas.

@LokiFawkes
Copy link

I have a feeling Godwin's about to take over any moment now.

@nukeop
Copy link

nukeop commented Mar 25, 2024

Godwyn the Golden?

@Finoderi
Copy link

Godwin's law.

@jheagle
Copy link

jheagle commented May 14, 2024

Very good post, I found it as I become more and more disappointed with my VPN service. The main reason I use VPN was so I can do locale testing for web development. My secondary reason was for cafe, airport, and hotel WiFi networks I don't trust. I am finding more and more website block my VPN which is quite frustrating as my additional incentive was to use VPN when in foreign countries, it looks like this will be less and less possible with the current IP blacklisting going on.

@nukeop
Copy link

nukeop commented May 14, 2024

There's no reason not to trust wifi. All the internet uses HTTPS now. No matter who operates that wifi, they can't do anything to your traffic, and a VPN doesn't change that.

@sneer69
Copy link

sneer69 commented May 14, 2024

There's no reason not to trust wifi. All the internet uses HTTPS now. No matter who operates that wifi, they can't do anything to your traffic, and a VPN doesn't change that.

This is not true. There is a lot of metadata being sent unencrypted even with HTTPS with each session, that can easily provide profiling and identification means for bad actors. Cookies are often sent in plain text, which opens a way to session hijacking. Not all Internet uses HTTPS, HTTP is still in use and it is possible to intercept encrypted traffic by SSL stripping or by exploiting vulnerabilities in SSL/TLS protocol. Also, HTTPS does not protect from Cross-site Scripting (XSS). VPN protocol has it's own problems with recently discovered TunnelVision vulnerability, but Android is invulnerable to it, and that is how a lot of people use VPN. Besides, you could also use VPN to your home network where you have pi-hole and Unbound, which will cut out a lot of unwanted traffic. In my case unwanted DNS traffic makes up at least 66-75% of all, as per pi-hole blocked domains statistics. To summarize, a good VPN adds another layer of protection and security, but you still have to know what you are doing.

@nukeop
Copy link

nukeop commented May 14, 2024

Cookies are sent in plaintext? Is this 2004? Vulnerabilities in SSL? XSS too for some reason?

@jheagle
Copy link

jheagle commented May 14, 2024

Well, there is also another weird perk I experienced with my VPN. When I connected my VPN on the Disney cruise I got free WiFi, you just have to disconnect to use their app for Disney stuff. Typically you have to pay for WiFi usage on the Disney cruise.

@sneer69
Copy link

sneer69 commented May 14, 2024

Cookies are sent in plaintext? Is this 2004? Vulnerabilities in SSL? XSS too for some reason?

I have just visited nytimes website via HTTPS. Out of 12 cookies, 5 were without 'secure' flag, which means that they are being sent unencrypted, in clear text.

Vulnerabilities in all protocols are popping up all the time. SSL is not an exception. Check CVE database. CVE-2014-0160 is one of the most recent ones.

What XSS too? Are you sure that you know what are you talking about?

@nukeop
Copy link

nukeop commented May 14, 2024

Yeah, I am sure. Are you? What does this have to do with VPNs?

@sneer69
Copy link

sneer69 commented May 14, 2024

You said that HTTPS is an alternative to VPN on any wifi. It is not. With VPN all traffic is hidden from anybody on that wifi, even not web related. With HTTPS it is not. HTTPS only works within the application layer of TCP/IP protocol and that is not the only protocol your device uses on the network. It is just a portion of traffic.

You clearly have no idea what are you talking about, so come back to discuss when you learn a bit about networks and protocols and in the meantime, delete your misleading comments before anyone else reads them.

@nukeop
Copy link

nukeop commented May 14, 2024

Nice impotent rage

@sneer69
Copy link

sneer69 commented May 14, 2024

I can see that you are not burdened by the complexities or harsh realities of this conversation. Ignorance is bliss. Enjoy it.

@nukeop
Copy link

nukeop commented May 14, 2024

I can see that you're an internet tough guy know it all

@LokiFawkes
Copy link

Cookies are sent in plaintext? Is this 2004? Vulnerabilities in SSL? XSS too for some reason?

Tell me you don't know what you're talking about without saying you don't know what you're talking about.

Web is shitty like that. If you're not using your corporate overlords' preordained DoH servers, you can't even get Encrypted Client Hello, due to the way browsers want to shove this shit down our throats. Let alone cookies and other metadata. XSS on the other hand, is a constant cat and mouse game. Threats get better and better at Cross Site Scripting while we try to block it. Google for example really loves to skirt around XSS protection in browsers and extensions. The only real defense against XSS is running no scripts at all, and good luck getting anything done that way on the modern web. Plus even that isn't an absolute defense.

@nukeop
Copy link

nukeop commented May 15, 2024

This isn't a contest of who can copypaste the most buzzwords from wikipedia, and your little rant has nothing to do with VPNs.

@LokiFawkes
Copy link

This isn't a contest of who can copypaste the most buzzwords from wikipedia, and your little rant has nothing to do with VPNs.

You literally asked.

VPNs won't protect you from XSS, if you were wondering.

@vanderplancke
Copy link

nukeop is a vpn shill who repeatedly got into trouble with Github for the offensive content she posted. Ignore her and she will go away.

@LokiFawkes
Copy link

nukeop is a vpn shill who repeatedly got into trouble with Github for the offensive content she posted. Ignore her and she will go away.

That thing's a girl? I thought it was a robot.

@Finoderi
Copy link

DNS traffic isn't encrypted either. You can see for yourself with 'ngrep port 53'. Just plain text.
But yeah, nukeop always has been like that.

@nukeop
Copy link

nukeop commented May 15, 2024

I accept your concession.

@vanderplancke
Copy link

Thought you said you were done. Can't believe a word you say.

@dxgldotorg
Copy link

DNS traffic isn't encrypted either. You can see for yourself with 'ngrep port 53'. Just plain text. But yeah, nukeop always has been like that.

However, sensitive info like passwords, credit card numbers, etc. is not passed via DNS, and one can use a DNS over HTTPS service to encrypt their queries.

@Finoderi
Copy link

Or just set up DNS over TLS in Unbound.

@nukeop
Copy link

nukeop commented May 15, 2024

Some VPN services even offer their own DNS solutions in addition to tunnels.

@LokiFawkes
Copy link

Some VPN services even offer their own DNS solutions in addition to tunnels.

Yeah that's standard, as a proper VPN connection for any amount of privacy can't have leaks and can't get by simply tunneling a query to a public dns through their tunnel, it'd increase latency noticeably. But also, that means the data broker running your Virtual Public Network sees the queries even if you manage to encrypt your metadata.

And let's not pretend proxies run by data brokers aren't viewing that data.

And of course, between fingerprinting, SSL stripping (standard VPN grift), and cross site scripting, your attack surface just isn't lessened by a public proxy.

@dxgldotorg
Copy link

And of course, between fingerprinting, SSL stripping (standard VPN grift), and cross site scripting, your attack surface just isn't lessened by a public proxy.

Yet nobody ever thinks as to what is in those VPN client apps or whether they reconfigure your clients to accept MITM keys.

@nukeop
Copy link

nukeop commented May 16, 2024

What "data broker"? We're not talking about public proxies here though.

@LokiFawkes
Copy link

What "data broker"? We're not talking about public proxies here though.

Unless you're talking about setting up a VPN back to your home network, and not a VPN service, you're talking about a public proxy marketed as a VPN, or as I like to call it, a Virtual Public Network.

@nukeop
Copy link

nukeop commented May 16, 2024

We're not talking about that, that's just you confusing nomenclature. A VPN is very different from a public proxy, don't be intentionally obtuse.

@LokiFawkes
Copy link

We're not talking about that, that's just you confusing nomenclature. A VPN is very different from a public proxy, don't be intentionally obtuse.

A VPN or a VPN service? There's a difference.

@nukeop
Copy link

nukeop commented May 16, 2024

Have fun with your sophistry

@LokiFawkes
Copy link

You just love shitting on yourself don't you nukeop

@Mikaela
Copy link

Mikaela commented May 17, 2024

I have just visited nytimes website via HTTPS. Out of 12 cookies, 5 were without 'secure' flag, which means that they are being sent unencrypted, in clear text.

The secure flag only means that the cookie won't be sent unless you are using secure/https connection. If you enable HTTPS-only mode in your browser (or its policy), even not-secure-flagged cookies won't be independently sent insecurely.

If you explicitly navigated to a http:// site and accepted the prompt about connection not being secure, then the not-secure-flagged cookies would be sent in plaintext alongside everything else. A VPN wouldn't encrypt them between the VPN server and the target domain either.

@Mikaela
Copy link

Mikaela commented May 17, 2024

Thank you for accidentally inspiring me to blog about browser policies to enforce HTTPS everywhere.

@nukeop
Copy link

nukeop commented May 17, 2024

The types of cookies that are sent without this flag don't matter anyway, they're usually simple user preferences.

@sneer69
Copy link

sneer69 commented May 17, 2024

@Mikaela
I read the blog, and thanks for clarifying about cookies. I just wanted to remind you that I responded in the context of nukeop claiming that HTTPS can be an alternative to a VPN on any WiFi network. I need to emphasize that HTTPS only encrypts web traffic, nothing else. A VPN encrypts the entire traffic between the user and the VPN server, so it does offer better security on a random WiFi network, provided the VPN server is trustworthy and configured correctly. Additionally, nothing stops anyone from using HTTPS-only over a VPN; these technologies are not mutually exclusive. Moreover, it is also possible to use a VPN inside another VPN with HTTPS-only.

@nukeop
User preferences are used for fingerprinting and tracking, so they do matter a lot.

@nukeop
Copy link

nukeop commented May 17, 2024

What's your threat model and what data that isn't encrypted by HTTPS is a vulnerability for you?

@sneer69
Copy link

sneer69 commented May 17, 2024

Not encrypted by HTTPS: text messages, voice and video calls, VOIP, instant messaging, file sharing (torrent), metadata (timestamps, location information, device identifiers), some media streaming like Twitch, emails.

@nukeop
Copy link

nukeop commented May 17, 2024

Ok, let's consider this point by point:

  • Text messages: SMS protocol is not affected by VPN. SMS messages are not sent over the internet, so they don't touch wifi.
  • Voice, video calls, VOIP, media streaming (Twitch): this is commonly realized by web sockets, and WSS lets you encrypt traffic with TLS as you do with HTTPS
  • Instant messaging: usually realized via HTTPS
  • File sharing (torrent): BitTorrent supports protocol encryption
  • Metadata: there are many different kinds but those you named are parts of data sent over HTTPS
  • Emails: depending on your client, will be secured by HTTPS between you and your email server, and the connection between your email server and the destination server is not affected by your VPN. GPG can be used to encrypt email

@nukeop
Copy link

nukeop commented May 17, 2024

You're free to unsubscribe and stop spreading made up false claims. I will also report posts with unhinged, fabricated information about me.

@sneer69
Copy link

sneer69 commented May 17, 2024

SMS messages these days are sent via the internet, not GSM. I'm just not sure if it's from the BTS or the local device.

Twitch sends streams via RTMP with low security.

TeamSpeak and Discord are also unencrypted by default, using proprietary protocols.

Most torrent clients send data unencrypted and share IP addresses.

Even if clients and protocols support encryption, it does not mean it is used for all traffic.

Overall, you are relying on each application you use to correctly implement encryption and take care of your privacy and security on a random Wi-Fi network, when their priority is delivery. This creates a significant attack surface.

@LokiFawkes
Copy link

You're free to unsubscribe and stop spreading made up false claims. I will also report posts with unhinged, fabricated information about me.

And you're free to fuck right the hell off. If reporting worked, you wouldn't be here.

@dxgldotorg
Copy link

dxgldotorg commented May 18, 2024

SMS messages these days are sent via the internet, not GSM. I'm just not sure if it's from the BTS or the local device.

Twitch sends streams via RTMP with low security.

TeamSpeak and Discord are also unencrypted by default, using proprietary protocols.

Most torrent clients send data unencrypted and share IP addresses.

Even if clients and protocols support encryption, it does not mean it is used for all traffic.

Overall, you are relying on each application you use to correctly implement encryption and take care of your privacy and security on a random Wi-Fi network, when their priority is delivery. This creates a significant attack surface.

Pretty sure Twitch, TeamSpeak, and Discord wrap their protocols in HTTPS.

When used in a browser, secure protocols are pretty much mandatory for the browser not to complain.

@sneer69
Copy link

sneer69 commented May 18, 2024

Thanks for the info. I rest my case with Twitch, TeamSpeak and Discord then.

@Finoderi
Copy link

Finoderi commented Jun 1, 2024

@nukeop
Copy link

nukeop commented Jun 1, 2024

That article doesn't seem to be supported by facts. One such sentence I found funny

They are run either by Chinese nationals or located in China. It means user data is likely open to Chinese authorities.

That's pure speculation, or rather, a made up accusation based on nothing. Most people are concerned with their browsing metadata being shared with the five eyes countries.

@Finoderi
Copy link

Finoderi commented Jun 1, 2024

https://vpnpro.com/blog/chinese-company-secretly-behind-popular-apps-seeking-dangerous-permissions/
The article contains this link among many others.
But you need a basic education to read more than just 'key takeaways' obviously.

@nukeop
Copy link

nukeop commented Jun 1, 2024

Still, a Chinese company may own several VPN brands, but there's nothing factual to suggest that they are sharing any nebulously defined "data" with any government.

@Finoderi
Copy link

Finoderi commented Jun 1, 2024

Apart from the fact that TLC is literally a state-owned enterprise.
'The lady doth protest too much, methinks'.

@nukeop
Copy link

nukeop commented Jun 1, 2024

What's that supposed to mean and what is TLC?

@Finoderi
Copy link

Finoderi commented Jun 1, 2024

Exactly.

@nukeop
Copy link

nukeop commented Jun 1, 2024

Okay, once you want to support what you're saying with arguments you can come back to the thread any time.

@LokiFawkes
Copy link

He meant TCL, and if you don't know what TCL is, maybe try reading the source or looking them up instead of playing incredulity.

@nukeop
Copy link

nukeop commented Jun 2, 2024

It does not support the claim that "It means user data is likely open to Chinese authorities" which that article made. It's simply a Chinese company.

It's a red herring; not an argument against VPNs in particular, it's just a vague anti-China sentiment masquerading as reason. The same kind of handwaving can be used against pretty much any Chinese product; or any product where there are several brands owned by larger companies. Yes you need to do your homework and figure out which ones are trustworthy.

@LokiFawkes
Copy link

LokiFawkes commented Jun 2, 2024

Wholly state-owned company, Batman. You don't think Nukeop could be a CCP shill do you?

@LokiFawkes
Copy link

VPNs, Virtual Private Networks, are useful for securing the path of a connection to a private resource.
Virtual Public Networks, or VPN services, are proxies usually owned by nationstates and databrokers. That's what you should not trust any farther than you can throw, and it's kinda hard to throw someone else's datacenter very far at all.

@Finoderi
Copy link

Finoderi commented Jun 2, 2024

Okay, once you want to support what you're saying with arguments...

Everything you asked about is already in those two articles. If you can't read, it's your personal tragedy. If you don't know what a state-owned enterprise means and cannot be bothered to learn, you can try to live with it I guess. I see no other options.

@nukeop
Copy link

nukeop commented Jun 2, 2024

There are wholly state-owned companies in every country.

@nukeop
Copy link

nukeop commented Jun 2, 2024

As I said, this isn't even an argument against VPNs in general. You can distrust state-owned companies, but there are VPNs not owned by them. There are many provably secure ones to choose from.

Even then, they're pretending an SOE is something suspicious or odd and don't offer any additional arguments, counting on pre-established anti-Chinese sentiment because this kind of propaganda is prevalent in American media lately.

@Finoderi
Copy link

Finoderi commented Jun 2, 2024

they're pretending an SOE is something suspicious or odd...

I know perfectly well how this works under totalitarian regime because I fucking live in such a country, as I've already said. This level of naivete you demonstrate here is beyond good and evil.

@nukeop
Copy link

nukeop commented Jun 2, 2024

I prefer to base arguments on things that are objective and provable.

@Finoderi
Copy link

Finoderi commented Jun 2, 2024

You prefer to flood any discussion with 'what ifs?' and 'whys?' and ignore any arguments that don't fit your narrative.

@nukeop
Copy link

nukeop commented Jun 2, 2024

What is an article with a vague reference to the fact that some VPNs are owned by some company connected to a government of some country if not a "what if"? That's not an argument for or against any properties or characteristics of the VPN technology, it doesn't mean anything for the principles of this technology, etc.

@Finoderi
Copy link

Finoderi commented Jun 2, 2024

Why we shouldn't trust companies infecting our devices with malware? I have no idea...
And the fact I found cute is that you try to discredit the whole article based on that claims about Chinese companies. But they are just a small part of the whole story about a few companies owning the majority of available VPN services.

@nukeop
Copy link

nukeop commented Jun 2, 2024

By itself it doesn't mean anything. It's a common business practice for companies to own dozens of brands. Look at Unilever. I'd rather focus on actual objectively provable downsides.

@Finoderi
Copy link

Finoderi commented Jun 2, 2024

That's a well known propagandistic tool. Nothing is objectively good or bad, nothing is certain, it's all relative, evidence are insufficient etc.

@nukeop
Copy link

nukeop commented Jun 2, 2024

Once you find something real to get mad about, feel free to let me know. Until then...

@Finoderi
Copy link

Finoderi commented Jun 2, 2024

Is it possible to add that link I posted to the article above? Because nukeop did a good job burying it under the two screens of irrelevant crap.

@nukeop
Copy link

nukeop commented Jun 2, 2024

You're gonna have to do better than SEO content farm.

@Finoderi
Copy link

Finoderi commented Jun 2, 2024

Spend the most of my life here like you?

@LokiFawkes
Copy link

I prefer to base arguments on things that are objective and provable.

Great. Now prove your trust in these entities is warranted beyond a shadow of a doubt. Objectively, of course. Not something subjective like "They've yet to fuck me" or uncertain like "They claim to have a no logs policy". Surely you're not taking an unprovable position.

@nukeop
Copy link

nukeop commented Jun 2, 2024

So you just distrust everyone until proven otherwise. Ok, but that's not an argument against VPN technology.

@LokiFawkes
Copy link

So you just distrust everyone until proven otherwise. Ok, but that's not an argument against VPN technology.

You're still continuing that red herring, eh? Nobody's arguing against VPN technology. We're arguing against trusting VPN services, which half the time are BARELY or even NOT using VPN technology, and even when they are, are usually spying on you, using tactics like traffic logs, SSL stripping, and DNS logs.

@nukeop
Copy link

nukeop commented Jun 2, 2024

That's also not an argument, because there are many trustworthy services that don't do any of these things.

@LokiFawkes
Copy link

That's also not an argument, because there are many trustworthy services that don't do any of these things.

Still awaiting definitive proof of that, since your argument is essentially that we shouldn't doubt any of them.

@sneer69
Copy link

sneer69 commented Jun 2, 2024

Jaysus, can you stop trolling?

In my experience only 3 VPN providers are OK to trust with normal daily activities: Mullvad, Proton & IVPN. Mullvad and IVPN can be paid for with cash. Mullvad does not require a registration, they only supply an account number. Proton can be used for free* in a limited fashion. Each have pros and cons, but generally I think that they are usable.

  • They say that it is not free, but paid for by paying subscribers.

Any valid and based reasons why not to trust them? Not conspiracy theories, or principle VPN dissing.

@LokiFawkes
Copy link

Jaysus, can you two stop trolling?

In my experience only 3 VPN providers are OK to trust with normal daily activities: Mullvad, Proton & IVPN. Mullvad and IVPN can be paid for with cash. Mullvad does not require a registration, they only supply an account number. Proton can be used for free* in a limited fashion. Each have pros and cons, but generally I think that they are usable.

* They say that it is not free, but paid for by paying subscribers.

Any valid and based reasons why not to trust them? Not conspiracy theories, or principle VPN dissing.

As with anything you cannot verify, trust it as far as you can throw it. They're still a proxy, they're still capable of logging, and in the case of Mullvad and others that you can pay for in cash or monero, that only means they have less to identify you with. Proton has complied to identify a target in the past, so that's probable cause not to use Proton. Mullvad is the only one I'd touch with a 10 foot pole and I still treat it with zero trust. And that's kinda the point here. None of these services can ultimately be trusted to protect your privacy. They could fuck you at any time, and you wouldn't know til it's too late. This is why practicing proper opsec is more important than trusting a service. If you'd... Read the article, you'd know the point of this discussion.

My point in this discussion is that you should doubt anything you cannot verify. Nukeop is arguing that you shouldn't doubt what you can't verify, or at least that's what he appears to be arguing.

@nukeop
Copy link

nukeop commented Jun 2, 2024

They're still a proxy

A VPN is not a proxy and insisting on that so far into the conversation means you are being willfully ignorant. That doesn't make your arguments any better, in fact the opposite.

@sneer69
Copy link

sneer69 commented Jun 2, 2024

Proton has complied to identify a target in the past, so that's probable cause not to use Proton.

AFAIK that was an IP and browser fingerprinting for Proton Mail (which can be accessed via TOR) in a case in 2021 and recovery email from Apple given to Proton Mail upon registration (unnecessarily) from last month. There was no ProtonVPN related cases, were they?

Of course, a proper opsec is the most important, but for daily (legal) use, with just privacy in mind, on a public WiFi for example, the three services I mentioned are the only ones I'd use.

I read the article, and there is a bunch of generalizations and consipracy theories in it. It has its merits, but it does not apply to all VPN services equally, at this point in time, in my opinion.

For critical endeavours total distrust is crucial, but for day to day activities some VPN providers may be valid.

@nukeop
Copy link

nukeop commented Jun 2, 2024

Any business will comply with lawful orders if they want to continue operating. It's unreasonable to expect anything else, especially in clearly criminal cases. You just need to think how to limit what information you give them, and they have to think how to limit what information they store. In that case, that person has willingly saved that email, so they dug their own grave.

@LokiFawkes
Copy link

Any business will comply with lawful orders if they want to continue operating. It's unreasonable to expect anything else, especially in clearly criminal cases. You just need to think how to limit what information you give them, and they have to think how to limit what information they store. In that case, that person has willingly saved that email, so they dug their own grave.

So... Don't trust VPN services. Possibly only use actual VPNs for actual VPN things.
Like the article is about.

@Finoderi
Copy link

Finoderi commented Jun 2, 2024

read the article, and there is a bunch of generalizations and consipracy theories in it.

What conspiracy theories? Can you give an example?

Any business will comply with lawful orders if they want to continue operating.

That's why the jurisdiction of the VPN provider is important. Yet another thing you could've learned if you had an ability to read the sources provided to you.

@nukeop
Copy link

nukeop commented Jun 2, 2024

You're doing a huge leap, much bigger than warranted. Any business you interact with will comply with legal orders. That doesn't mean they can't be trusted at all, for any purpose. And I prefer to act on actual, real information, not on paranoid delusions thinking everyone's out to get me. If your goal is to deal drugs on the internet, etc. then yeah sure lol you better be careful who you do business with. Doesn't apply to regular VPN users though, for whom no legal orders will be issued and won't be investigated by Interpol.

@nukeop
Copy link

nukeop commented Jun 2, 2024

That's why the jurisdiction of the VPN provider is important. Yet another thing you could've learned if you had an ability to read the sources provided to you.

You linked an SEO content farm. That's about as poor a source as it gets.

@sneer69
Copy link

sneer69 commented Jun 2, 2024

What conspiracy theories? Can you give an example?

Two examples below. Also, that "statistically speaking" phrase. Please provide statistics for this claim.

"But how is that any better than a VPN service?

A VPN provider specifically seeks out those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.
So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you."

@LokiFawkes
Copy link

You're doing a huge leap, much bigger than warranted. Any business you interact with will comply with legal orders. That doesn't mean they can't be trusted at all, for any purpose. And I prefer to act on actual, real information, not on paranoid delusions thinking everyone's out to get me. If your goal is to deal drugs on the internet, etc. then yeah sure lol you better be careful who you do business with. Doesn't apply to regular VPN users though, for whom no legal orders will be issued and won't be investigated by Interpol.

Yeah cause a protestor exercising their right to protest, something that is internationally recognized these days, not just in the US, is dealing drugs.
Your average VPN service user doesn't need one at all. It doesn't help their privacy at all. They're just being shilled the service by social media ads and sponsor segments. Most of these services are owned by data brokers and nationstates, and many make outlandish promises such as virus protection, which is a huge red flag. They're not just trying to catch people doing something naughty, they're harvesting you for data and making money from that data. They sell it as a solution to hide from ISPs and data brokers only to be the data brokers themselves. They sell it as a way to protect your logins, protect your online accounts, when really you should never login to an account when using one of these services unless you're just skirting Netflix's region blocks.

You linked an SEO content farm. That's about as poor a source as it gets.

Genetic fallacy much? You can't just dismiss an article because of where it's from. If it dissatisfies you, you always have the option to search for articles elsewhere that could confirm or deny its validity. Remember, you're the one saying to trust what you can't verify. You're the one who has a bar to reach. The argument against using these VPN services is simple: You don't need it, and if you do need it, you need a real VPN, not a tunnel to redirect clearnet traffic to a third party. There are reasons not to trust them, based on jurisdiction, affiliation, and simple probable cause.

@Finoderi
Copy link

Finoderi commented Jun 2, 2024

I would call it speculations. Conspiracy theory is something different. But yeah, I agree they should've provided that statistics.

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup.

When I tried to find a cheap VPS provider for my tiny server I've stumbled upon an actual fraudster from UK. And I've stopped receiving spam from him only recently after more than four years I deleted my account on one of his over9000 sites. There was no way to unsubscribe from it.
You can say it's not the same as selling a VPN service but rather similar.

@Finoderi
Copy link

Finoderi commented Jun 2, 2024

You linked an SEO content farm. That's about as poor a source as it gets.

You've been leaving comments for quite a while under the article you've never read. Same goes for articles I posted links to.

@nukeop
Copy link

nukeop commented Jun 2, 2024

Genetic fallacy much? You can't just dismiss an article because of where it's from

I can, and I just did. Those kinds of "sources" don't do you any favors. They don't bring anything interesting to the discussion, they're based on the weakest possible evidence, and they don't bother to support what they're saying with any facts either. This is because an SEO content farm article is meant to bump the website's position in Google, not to be read by humans.

@LokiFawkes
Copy link

I can, and I just did. Those kinds of "sources" don't do you any favors. They don't bring anything interesting to the discussion, they're based on the weakest possible evidence, and they don't bother to support what they're saying with any facts either. This is because an SEO content farm article is meant to bump the website's position in Google, not to be read by humans.

Okay so you claim that there's no evidence supporting the claim that TCL is a state-owned entity based on... The genetic fallacy of one article that mentions it.

Guess what? Every Chinese company is state-owned. It's the CCP's policy. So your argument is literally invalid here. In fact, you accepted this and pulled the "yeah but that's a good thing actually" argument, so what are you arguing against?

@nukeop
Copy link

nukeop commented Jun 2, 2024

That is a huge oversimplification and not really accurate; it is also completely not what I said, so you're once again trying to derail the conversation with false claims.

There are many state-owned enterprises in China, just as there are in any country. it's normal for some companies in sensitive sectors like energy to be state-owned. China also has a significant number of private companies, e.g. Alibaba, Tencent, Huawei, and many others. These companies operate independently but are subject to government regulations and policies, just like in any country. Some enterprises have mixed ownership, where both the state and private entities hold stakes.

@LokiFawkes
Copy link

China also has a significant number of private companies, e.g. Alibaba, Tencent, Huawei, and many others. These companies operate independently but are subject to government regulations and policies, just like in any country. Some enterprises have mixed ownership, where both the state and private entities hold stakes.

Flaunting your ignorance. CCP holds a stake in every company over there. Confirmed CCP shill.

@nukeop
Copy link

nukeop commented Jun 2, 2024

Can you back that with any sources or is it fantasy-land as always with you?

@sneer69
Copy link

sneer69 commented Jun 2, 2024

Had to unsubscribe. Spam chat bots.

@LokiFawkes
Copy link

Can you back that with any sources or is it fantasy-land as always with you?

Which do you want first? Huawei? https://2017-2021.state.gov/wp-content/uploads/2020/12/5G-Myth_Fact3-508.pdf
https://en.wikipedia.org/wiki/Criticism_of_Huawei

How about Alibaba? https://www.bloomberg.com/news/articles/2024-02-26/alibaba-discloses-state-ownership-in-more-than-12-business-units
https://markets.businessinsider.com/news/stocks/chinese-government-alibaba-tencent-stock-purchases-communist-party-tiktok-bytedance-2023-1
And that last link covers Tencent too. Which of course exists simply to be an arm of the CCP to begin with.

Not to mention even when the CCP doesn't "officially" or publicly have shares in a company, they have influence on all companies in China, which is exactly why international companies from outside of China segregate their Chinese operations from the rest of the company. If they didn't, companies like Google and Apple would have to give CCP influence on their entire operations or pull out of China. It's why some movies don't even make it to Chinese Disney but can still release worldwide or why the Chinese version would be censored. Even when the CCP doesn't own your company in China, the CCP owns your company in China.

@nukeop
Copy link

nukeop commented Jun 3, 2024

No, I want information backing up that

CCP holds a stake in every company over there

It doesn't matter anyway for the sake of any argument so you are allowed to stop humiliating yourself

@LokiFawkes
Copy link

To hold a stake means to hold a share or otherwise exert influence on a company. This would of course be beyond the simple "regulations" like we have here in the US, but instead actual government censorship. But fun fact, any company with a CCP member as an employee (that pretty much encompasses anyone in China who doesn't want to be a slave forever, even if they end up being a slave forever regardless, so most companies fall under this) has to have an in-firm committee or branch of the CCP. That is a stake.

The CCP is buying up "golden shares" of every company in China. That is a stake.

The CCP censors all companies in China to the point of making them all propaganda outlets for the CCP. That is a stake.

Therefore,
The CCP holds a stake in every company over there.

@MrDisguised
Copy link

MrDisguised commented Jun 13, 2024

https://www.theverge.com/2023/4/21/23692580/mullvad-vpn-raid-sweden-police
https://www.youtube.com/watch?v=hPrMtIXUh1s
Don't be a paranoid and touch some grass @LokiFawkes

Mental outlaw made a full video on mullvad vpn raid and what happened.

@Finoderi
Copy link

Have you watched this video of his: https://www.youtube.com/watch?v=GxVIa3eDdnM ?
And kids using cliche about grass spend too much time on Twitter.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment