Jump to content
ARUBA

Don't use VPN services

Recommended Posts

Posted

https://gist.github.com/joepie91/5a9909939e6ce7d09e29

 

# Don't use VPN services.

No, seriously, don't. You're probably reading this because you've asked what VPN service to use, and this is the answer.

*Note: The content in this post does not apply to using VPN for their intended purpose; that is, as a virtual private (internal) network. It only applies to using it as a glorified proxy, which is what every third-party "VPN provider" does.*

(A Russian translation of this article can be found [here](https://tdemin.github.io/posts/2017-08-13-dont-use-vpn-services_ru), contributed by Timur Demin.)

## Why not?

Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

## But my provider doesn't log!

There is no way for you to verify that, and of course this is what a malicious VPN provider would claim as well. In short: the only safe assumption is that *every* VPN provider logs.

And remember that it is in a VPN provider's best interest to log their users - it lets them deflect blame to the customer, if they ever were to get into legal trouble. The $10/month that you're paying for your VPN service doesn't even pay for the lawyer's *coffee*, so expect them to hand you over.

## But a provider would lose business if they did that!

I'll believe that when HideMyAss goes out of business. They gave up their users years ago, and [this was widely publicized](http://www.theregister.co.uk/2011/09/26/hidemyass_lulzsec_controversy/). The reality is that most of their customers will either not care or not even be aware of it.

## But I pay anonymously, using Bitcoin/PaysafeCard/Cash/drugs!

Doesn't matter. You're still connecting to their service from your own IP, and they can log that.

## But I want more security!

VPNs don't provide security. They are just a glorified proxy.

## But I want more privacy!

VPNs don't provide privacy, with a few exceptions (detailed below). They are just a proxy. If somebody wants to tap your connection, they can still do so - they just have to do so at a different point (ie. when your traffic leaves the VPN server).

## But I want more encryption!

Use SSL/TLS and HTTPS (for centralized services), or end-to-end encryption (for social or P2P applications). VPNs can't magically encrypt your traffic - it's simply not technically possible. If the endpoint expects plaintext, there is *nothing* you can do about that.

When using a VPN, the *only* encrypted part of the connection is from you to the VPN provider. From the VPN provider onwards, it is the same as it would have been without a VPN. And remember, __the VPN provider can see and mess with all your traffic.__

## But I want to confuse trackers by sharing an IP address!

Your IP address is a largely irrelevant metric in modern tracking systems. Marketers have gotten wise to these kind of tactics, and combined with increased adoption of [CGNAT](https://en.wikipedia.org/wiki/Carrier-grade_NAT) and an ever-increasing amount of devices per household, it just isn't a reliable data point anymore.

Marketers will almost always use some kind of other metric to identify and distinguish you. That can be anything from a useragent to a [fingerprinting profile](https://panopticlick.eff.org/). A VPN cannot prevent this.

## So when should I use a VPN?

There are roughly two usecases where you might want to use a VPN:

1. You are on a known-hostile network (eg. a public airport WiFi access point, or an ISP that is known to use MITM), and you want to work around that.
2. You want to hide your IP from a very specific set of non-government-sanctioned adversaries - for example, circumventing a ban in a chatroom or preventing anti-piracy scareletters.

In the second case, you'd probably just want a regular proxy *specifically* for that traffic - sending *all* of your traffic over a VPN provider (like is the default with almost every VPN client) will still result in the provider being able to snoop on and mess with your traffic.

However, in practice, __just don't use a VPN provider at all, even for these cases.__

## So, then... what?

If you absolutely need a VPN, and you understand what its limitations are, purchase a VPS and [set up your own](https://github.com/Nyr/openvpn-install). I will not recommend any specific providers (diversity is good!), but there are plenty of cheap ones to be found on [LowEndBox](http://lowendbox.com/).

## But how is that any better than a VPN service?

A VPN provider *specifically seeks out* those who are looking for privacy, and who may thus have interesting traffic. Statistically speaking, it is more likely that a VPN provider will be malicious or a honeypot, than that an arbitrary generic VPS provider will be.

## So why do VPN services exist? Surely they must serve some purpose?

Because it's easy money. You just set up OpenVPN on a few servers, and essentially start reselling bandwidth with a markup. You can make every promise in the world, because nobody can verify them. You don't even have to know what you're doing, because again, nobody can verify what you say. It is 100% snake-oil.

So yes, VPN services do serve a purpose - it's just one that benefits the provider, not you.

 

Posted (edited)
7 hours ago, SynTAX said:

Eu mai folosesc din cand in cand NordVPN si nu cred nimic din ce scrie mai sus, sorry.

Nu trebuie nimic luat ca atare, fiecare trece informatia prin filtrul lui. Mi s-a parut interesant articolul.

Pot tine loguri de conectare sau loguri de trafic sau ambele :)

 

De luat in considerare mai este si DNS leak.

Edited by ARUBA
Posted

Sunt absolut sigur ca daca veti folosi diversi provideri VPN si veti face teste generand trafic foarte mare , majoritatea va vor bana/suspenda dupa 2-4 zile. Asta nu este posibil decat daca tin loguri. Multi trimit si pe e-mail "we do not allow", "your activity...". Cum stiu ei ca utilizatorul x cu IP-ul y foloseste e-mail-ul z, daca nu tin loguri? Sa fim seriosi, asta cu no logs e doar marketing.

Cum poate un sysadmin sa investigheze o problema fara loguri?

  • Upvote 1
Posted (edited)

Pe de o parte nu imi fac iluzii, nu sunt ageamiu sa imi inchipui ca daca vor sa sa puna mana pe o balena nu ar avea arsenalul la dispozitie pentru a o face si nu ar sta ei log-urile unui VPN provider. Dimpotriva. Pe de alta parte daca esti ceva guvid (peste mic) atunci ei stau dupa astfel de chestii ca nu au incotro; nu inteleg ce sunteti atat de piscati de pizda si sariti aici in sus - intrebam specific de NordVPN, ceva exemple concrete aveti cum ca ar incalca policy-ul de no-logs?

 

Spre exemplu, caz concret al altui provider: https://www.privateinternetaccess.com/ - in Mai anul acesta au primit sub-poena si au fost chemati la procesul unui dude (Ross Colby) care a folosit serviciile lor cand a hackuit o firma, sa bage marturie si s-au dus si au spus ca nu au loguri si ca printre altele au acceptat plati cu crypto. Au stocat doar adresa de mail care era ceva disposable pentru autentificare. Si asa i-a pupat FBI-ul in putza. Pana la urma l-au ingropat familia si altii pe dude, dar nu VPN providerul. 

 

Ceva caz concret unde NordVPN au ingropat vreun user la proces? Sau vorbiti doar piscati de pizda?

Edited by QuoVadis
  • Upvote 1
Posted (edited)
18 minutes ago, QuoVadis said:

Pe de o parte nu imi fac iluzii, nu sunt ageamiu sa imi inchipui ca daca vor sa sa puna mana pe o balena nu ar avea arsenalul la dispozitie pentru a o face si nu ar sta ei log-urile unui VPN provider. Dimpotriva. Pe de alta parte daca esti ceva guvid (peste mic) atunci ei stau dupa astfel de chestii ca nu au incotro; nu inteleg ce sunteti atat de piscati de pizda si sariti aici in sus - intrebam specific de NordVPN, ceva exemple concrete aveti cum ca ar incalca policy-ul de no-logs?

 

Spre exemplu, caz concret al altui provider: https://www.privateinternetaccess.com/ - in Mai anul acesta au primit sub-poena si au fost chemati la procesul unui dude (Ross Colby) care a folosit serviciile lor cand a hackuit o firma, sa bage marturie si s-au dus si au spus ca nu au loguri si ca printre altele au acceptat plati cu crypto. Au stocat doar adresa de mail care era ceva disposable pentru autentificare. Si asa i-a pupat FBI-ul in putza. Pana la urma l-au ingropat familia si altii pe dude, dar nu VPN providerul. 

 

Ceva caz concret unde NordVPN au ingropat vreun user la proces? Sau vorbiti doar piscati de pizda?

N-am sarit in sus. Nu cunosc nimic concret despre nord.

Cred ca pe reddit poti gasi mai multe dezbateri si poate cazuri concrete.

https://www.reddit.com/r/privacytoolsIO/comments/7kuzvr/regarding_nord_vpn_i_think_they_should_be_removed/

 

https://news.ycombinator.com/item?id=17258203

https://redlotusvpn.com/nordvpn-protonvpn-data-mining-scandal/

Edited by ARUBA
Posted

VPN este pentru lucru. Exemplu: Suntem 10 baieti care lucram la diverse proiecte intr-o retea si avem acces permis doar din VPN-ul nostru pentru a spori gradul de securitate. Acasa avem adrese ip dinamice, nu puteti da allow from all pe echipamente.

 

In rest, lasati-va de rahaturi si nu aveti nevoie de VPN si altele.

Nu arunc cu namol in vreo firma care furnizeaza chestii de genul. VPN-ul a fost gandit pentru altceva, nu sa bagati voi pupacei, acolade si apostroafe in fiecare input form futut. :)))

  • Like 1
  • Upvote 4

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...