21

Do not use VPNs for privacy. gist.github.com

Submitted by lena in Privacy

Seriously, don't. People who recommend VPNs tend to do so based on a number of fallacies, the most terrible of which is that "VPN companies have to serve your interest."

Comments

You must log in or register to comment.

3

Naokotani wrote

This article would be of more use if there were a lot of better options. As it is, I think its better than nothing for the fairly minor price you pay.

6

quandyalaterreux wrote

This article would be of more use if there were a lot of better options.

The better option(s) is/are obvious: the Tor Browser.

As it is, I think its better than nothing for the fairly minor price you pay.

No, the point of the article was that VPNs are just "glorified proxies" and they're as worse as your typical ISP, if not more bad.

1

ergdj5 wrote

The better option(s) is/are obvious: the Tor Browser.

whynotboth

1

quandyalaterreux wrote

If VPNs are ineffective why do you even need it in the first place? Just use the Tor Browser.

1

ergdj5 wrote

Its useful for hiding the fact that you're using Tor from your ISP in the first place

1

quandyalaterreux wrote

Its useful for hiding the fact that you're using Tor from your ISP in the first place

Pluggable transports and bridges do exactly that, no need for a VPN (which doesn't hide the fact that you're using a VPN if it's a commercial one).

3

[deleted] wrote (edited )

7

lena wrote

The German intelligence "report" that got leaked indicating they didn't trust/"could break" Tor was the babbling of an infantile intelligence agency desperately trying to be noticed by the big boys.
If the NSA can't arbitrarily decloak Tor users (and by all accounts, Snowden's leaks suggest that), then I find it unlikely the Germans can. The NSA has better contacts, cryptographers, machines, and considerably greater resources.

1

[deleted] wrote (edited )

6

lena wrote

Why would a VPN minimize corporate surveillance? You're literally routing your traffic through an additional corporation. It doesn't anonymize you in any way.

0

[deleted] wrote (edited )

4

lena wrote

My apologies, you're correct about the anonymity thing. Still, though, how do VPNs protect you against corporate surveillance?

-1

[deleted] wrote (edited by a moderator )

3

lena wrote

A hostile network IS a valid use-case, but the vast majority of corporations outside on the internet will still be able to identify you. Facebook, for example, will likely know exactly who you are and what you're doing on the internet, VPN or no. Same with Google et al.
I apologize if it seems like I'm spreading FUD; I'm trying to get people to have a more accurate threat model. I see a lot of advice about using VPNs, and honestly, in general, it's not very helpful, mostly because it's just shifting the exit point for your traffic. They are not the silver bullet people assume. Also, in all honesty, a truly malicious ISP will likely be able to spy on you regardless of the VPN. The reason I recommend Tor is because of the layers of crypto, preventing the entry node from knowing anything about your traffic.

-5

TheNewKing wrote (edited )

I use the Tor browser a lot these days for certain information. I just hope certain individuals or groups don't hold a lot of guards and exit nodes. I think some of the arguments on that page also apply to Tor.

When I send and receive information over the regular web, I do not use a VPN for most of the reasons listed in that page.

8

49492093097198310931 wrote

I just hope certain individuals or groups don't hold a lot of guards and exit nodes.

Anyone can run relays that's why it's difficult and expensive for a single entity to have enough consensus on the Tor network to conduct such attack. Also, since the Tor Browser gives you a different circuit for each different website that means that at best they can de-anonymize a single circuit of yours, but with significantly higher consensus they may hit more of those. However, you can be sure that no single entity in a circuit controls both the guard node and the exit by running your very own relay or bridge and then connecting to it.

I think some of the arguments on that page also apply to Tor.

No they don't because of Tor's 3-hops (and in the case of normal onion services: 6-hops) design.

1

TheNewKing wrote

Anyone can run relays that's why it's difficult and expensive for a single entity to have enough consensus on the Tor network to conduct such attack.

This is a bit misleading. Anyone being able to run a relay is indeed a good thing, but it also enables bad actors to easily setup malicious nodes. The consensus you speak of is, as far as I can find, based on bandwidth. So setting up a high bandwidth node will make it easy to have enough consensus on the network. For agencies with big budgets it would be trivial to set up multiple nodes with high bandwidth. And because stable high bandwidth nodes are preferred, they see a lot of the traffic.

Good tip on running your own relay though, that would make it significantly difficult since you'd never rotate out your guard relay.

No they don't because of Tor's 3-hops (and in the case of normal onion services: 6-hops) design.

The page makes the argument that VPNs can mess with your traffic, which is definitely true for exit nodes. It is well documented that bad exit nodes have been caught and blocked by the network.

2

49492093097198310931 wrote

This is a bit misleading. Anyone being able to run a relay is indeed a good thing, but it also enables bad actors to easily setup malicious nodes.

There's simply no better alternatives.

The page makes the argument that VPNs can mess with your traffic, which is definitely true for exit nodes. It is well documented that bad exit nodes have been caught and blocked by the network.

Again here there's no alternative, with all networks you must pass through some "exit" and at that point, if there's no SSL, then you're not secure.