Slashdot Mirror
Will VPNs Protect Your Privacy? It's Complicated
From a CNET report: A VPN redirects your internet traffic, disguising where your computer, phone or other device is when it makes contact with websites. It also encrypts information you send across the internet, making it unreadable to anyone who intercepts your traffic. That includes your internet service provider. Ha! Problem solved -- right? Well, sort of. The big catch is, now the VPN has your internet traffic and browsing history, instead of your ISP. What's to stop the VPN from selling your information to the highest bidder? Of course, there are reputable VPN services out there, but it's incumbent on you the user to "do your homework," Ajay Arora, CEO of cybersecurity company Vera said. In addition to making sure the VPN will actually keep your data private, you'll want to make sure there's nothing shady in the terms and conditions. Shady how? Well, in 2015, a group of security-minded coders discovered that free VPN service Hola was selling its users' bandwidth to the paying customers of its Luminati service. That meant some random person could have been using your internet connection to do something illegal. So, shady like that. "I would recommend you do some cursory level research in terms of reputation [and] how long they've been around," Arora said, "And when you sign up, read the fine print." From a report on Wired: Christian Haschek, an Austria-based security researcher, wrote a script that analyzed 443 open proxies, which route web traffic through an alternate, often pseudo-anonymous, computer network. The script tested the proxies to see if they modified site content or allowed users to browse sites while using encryption. According to Haschek's research, just 21 percent of the tested proxies weren't "shady." Haschek found that the other 79 percent of surveyed proxy services forbid secure, HTTPS traffic.
With ISPs, you can't really choose who gives you the pipe to your home or school. You may have a telco, and a cable company, if that.
With VPNs, if one is found to be selling data, you can switch in a heartbeat.
Then, there are the privacy policies. A VPN having a privacy policy of not handing your traffic over will get in a lot more trouble if they sell that data than an ISP that has a privacy policy of "if it goes through our fiber, we can do what we please with it."
VPNs are not perfect... but they do help significantly. It is sad that things have come down to this, as it makes police work a lot harder once the bad guys "go dark", but people are tired of having their data sold, or advertising IDs added to non-encrypted traffic.
Sure, a VPN proxy could monitor my traffic as much as my ISP can. Using https they might see where I'm going, but not the contents. The thing is, I can easily switch VPNs if I don't like the service, whereas in the US, I don't have that choice so much with my ISP, short of physically moving to another location. If I'm lucky, I might live in an area with two viable choices. In my current case, I can choose between Verizon and Comcast, which is like being asked to choose between gonorrhea and syphilis.*
And now thanks to the f*ckwit Republicans in control of Congress, my ISP can now sell everything it knows about me to anyone they like, without any recourse on my part, short of using some sort of proxy. At least with VPN proxies, there's no real barrier to entry, save for bandwidth capacity, and I can choose from any number of options, that I'm going to now have to start looking at.
*Apologies to gonorrhea and syphilis for comparing them to the likes of Verizon and Comcast.
If you don't use a VPN, your data is vulnerable to your ISP. If you do use a VPN, your data is vulnerable to your VPN provider *and* to *their* ISP.
Maybe they've got a better (in terms of privacy) ISP than you do. But be aware that that is also a concern.
Pound! Bang! Bin! Bash! is this a shell script or a Batman comic?
What's to stop the VPN from selling your information to the highest bidder? The fact that my VPN of choice, Mullvad, collects no information.
You click "create account," they give you an account number, and that's the end. They don't ask for your name, address, phone number, or anything. I pay via Bitcoin, so they don't even have my credit card info.
VPN's may only protect you from your own ISP, but what about the biggest spyware organisations, such as Google/Facebook?
They all rely on browser fingerprinting more than anything else these days, and subtly transmitting information back in an encoded form, including mouse movement patterns to learn about the individual.
Cookies/HTML5 storage are so last decade, as I've seen a growing number of companies (Cyberfend / iovation / iesnare / "cformanalytics", browser.id (navigator.io), etc) provide services specialising in tracking and individually identifying users - even surprisingly across devices, somehow.
As far as I can tell, only Mozilla is attempting to reduce/fight this with their browser, especially as they recently removed the Battery status API, added disconnect.me to blacklist known trackers in v43, Font fingerprinting, etc.
Sure, you can use addons like adblockplus, noscript, decentraleyes, etc to some degree, but many times they break websites as more and more sites are utilising javascript exclusively for a website to function, including third-party scripts, such as GoogleTagManager, etc.
Just recently discovered that the popular London travel website TfL also contains a third-party tracker, without which their journey planner doesn't work, thus the website doesn't work with Firefox's disconnect.me privacy list.
ThatOnePrivacyGuy on /r/privacy manages That One Privacy Site, including a handy VPN section. Unlike the vast majority of VPN provider reviews you'll find in web searches, this one encourages community discussion and appears to be impartial. Next time I need a new VPN provider, I expect I'll be turning to that site.
I've been running an openvpn link from my home to our colo for years. I also have it set up on all my devices so I can use it while traveling. Some of our DFly devs also use it when they are traveling. Here's my cumulative wisdom on the matter:
Generally speaking it works quite well. I use a medium-numbered port but I also have a server running on port 443 because the many weird networks one runs through when traveling often block most parts, but usually leave the https port open.
* Use UDP for the transport when running openvpn over a broadband link. This provides the most consistent experience.
* Use TCP for the transport for connections from mobile devices. This provides the most consistent experience. There are several reasons for this not the least of which being that the telco infrastructure seems to devalue UDP by a lot verses other traffic. TCP is also a lot easier to run on the server-side if you potentially have many devices connecting in, because you can run one server instance.
* Configure a smaller mss, I use 1300, so the encapsulation doesn't get fragmented by the transport. This is very important.
* Configure a relatively frequent keepalive in openvpn over a WAN link (I use 1sec/10sec), but a less frequent one over mobile (I use 20sec/120sec). This is particularly important on mobile because cell tower switches can cause long disruptions. You don't want to drop the VPN link in such circumstances if you can help it. DO NOT DISABLE THE KEEPALIVE. Always have an openvpn keepalive setup, particularly over TCP, because the TCP connection backoff can prevent your sessions from recovering or cause them to take a long time to recover if one or the other direction is not actively sending data (such as with most web connections, downloads, streaming, etc).
I personally like 'OpenVPN Connect' on IOS (which I use to connect to our project colo). And of course I run openvpn on all the DragonFly boxes including my laptop.
--
Reliability of the VPN depends entirely on the path between your location and the VPN server. The packet must travel this path in addition to the path from the VPN server to the nominal destination, and even in the best of circumstances it will double the chances of something going wrong.
I've had a number outages at home where my cable link is still operational but the cable company's path to the VPN server is having problems. Also, recovery times are longer because not only does the dead network have to revive, but the openvpn setup has to reconnect and renegotiate.
--
Commercial services are going to be hit or miss. VPN'ing your broadband link might be problematic and you have no real visibility into what the commercial service is doing with your data. That said, they are probably going to be a lot better than trusting your data to the telco and wifi hot-spots you connect from when you are mobile.
Netflix and other video streaming providers will often block-out commercial VPN IPs from the service. Generally speaking, using a commercial service for high-bandwidth connections is really hit-or-miss. You are using their bandwidth as well as your own.
When using a VPN, you are bypassing any special deals your broadband provider has made with the likes of YouTube, Netflix, etc. Remember that if the cell bandwidth is supposed to be free, because it won't be over the VPN.
--
In terms of security, its a mixed bag. The VPN will secure your traffic from your immediately ISP/Telco (aka Comcast, AT&T), and that's actually very important. However, you are not anonymous and once your traffic reaches the egress point its up for grabs by any network it flows through and, in particular, the target web page or whatever might be doing its own data collection.
But the telco data collection is MUCH more valuable to third parties than target data collection, and the VPN link at least protects you from that.
The VPN will not do a whole lot for your internal network security. If someone bre