Slashdot Mirror
How Can You Decide Which VPN To Trust? (slate.com)
Slate's senior technology writer reports that his hunt for a reliable ISP "led me on a convoluted journey through accusations and counteraccusations, companies with shadowy leadership and those with conflicts of interest, and VPN ratings sites that might be even shadier than the companies they're reviewing."
Many VPNs appear to be outright scams. Others make internet browsing sluggish. Free versions bombard you with ads. It's a world so thicketed that the leading firms and experts can't agree on the basic criteria for what counts as "reputable," let alone which companies best meet that description. The CEO of one top VPN company, Silicon Valley-based AnchorFree, told me in a phone interview that he suspects one of his top rivals is secretly based in China -- which would raise a red flag for many privacy advocates because of the Chinese government's aggressive surveillance regime... [But] many VPN users consider offshore providers preferable to U.S.-based firms. AnchorFree, for its part, has been dinged by reviewers for running a free, ad-supported VPN, which some privacy experts consider a conflict of interest. (It also offers a paid VPN service.) The two companies point to dueling trust reports by outside groups, each of which appears to reflect well on the firm that's touting it, thanks to different methodologies. "It is fascinating the amount of sniping that goes on" between VPN companies, said Joseph Jerome, who has closely studied VPNs in his role as policy counsel for the Privacy and Data Project at the nonprofit Center for Democracy & Technology. "They are very quick to pull out knives and shiv each other...."
If it's so hard to assess the credibility of the industry's top names...you can imagine how difficult it might be to suss out the myriad lesser-known alternatives. A January investigation by the site Top10VPN found that more than half of the top 20 free VPN apps on the iOS and Android app stores either have Chinese ownership or are based in China. That's all the more suspicious given that China officially banned VPNs last year. The concern: If China is allowing them to continue operating, it could be because they're sharing data on their users with the Chinese government. When you use a VPN, you're trusting that VPN with the same deep level of access to your online activity that you'd normally give your ISP. In other words, now they can see what you're up to whenever you're using the internet. VPNs may be more privacy-focused than big, corporate ISPs, but they're also smaller, more opaque, and less publicly accountable.
"I just wanted internet privacy. I hadn't bargained on a knife fight..." the author writes, concluding that "Several weeks, dozens of calls, and thousands of words later, I can't say I'm much closer to a clear-cut answer... One of the only definitive takeaways, besides 'steer clear of free VPNs,' is that your choice of VPN should depend on what you're using it for.
"If you're just trying to stay safe online, it may make sense to steer toward a larger, U.S.-based company that's clear about both who owns it and how it treats your data."
If it's so hard to assess the credibility of the industry's top names...you can imagine how difficult it might be to suss out the myriad lesser-known alternatives. A January investigation by the site Top10VPN found that more than half of the top 20 free VPN apps on the iOS and Android app stores either have Chinese ownership or are based in China. That's all the more suspicious given that China officially banned VPNs last year. The concern: If China is allowing them to continue operating, it could be because they're sharing data on their users with the Chinese government. When you use a VPN, you're trusting that VPN with the same deep level of access to your online activity that you'd normally give your ISP. In other words, now they can see what you're up to whenever you're using the internet. VPNs may be more privacy-focused than big, corporate ISPs, but they're also smaller, more opaque, and less publicly accountable.
"I just wanted internet privacy. I hadn't bargained on a knife fight..." the author writes, concluding that "Several weeks, dozens of calls, and thousands of words later, I can't say I'm much closer to a clear-cut answer... One of the only definitive takeaways, besides 'steer clear of free VPNs,' is that your choice of VPN should depend on what you're using it for.
"If you're just trying to stay safe online, it may make sense to steer toward a larger, U.S.-based company that's clear about both who owns it and how it treats your data."
nt
setup, manage and monitor yourself!
;)
Just my 2 cents
... you shouldn't trust it.
... all states and their respective corporate elites fear the political awakening potential of the internet and mass communication technology. Privacy under a capitalist model is a fantasy when the state actor on behalf of the corporate elite will use the state against other businesses who enable resistance to their authority.
All states are preparing for the political awakening of the masses of the globe, they are expecting conflict. Zbigniew Brezinski former nationa security advisor of the united states:
https://www.youtube.com/watch?...
you insensitive clod!
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
You can't. You can not trust any third party VPN provider. If you need to trust it, you need to run and manage it yourself.
What a prescient game. You conduct all of your activities over a VPN to a server in a datacenter, rented anonymously and (optionally) rigged with motion sensors and a self-destruct device. The tagline of the game? "Trust is a weakness."
Others aren't worth trusting.
Regards your network engineer :)
Rob Braxman, an infosec, runs a VPN without any logs. 100% trustworthy.
There's so little objective information available to make an informed decision, and that absence is largely at the discretion of the VPN providers. Forcing people to choose randomly or base their decision on non-objective criteria serves the interests of the VPN providers. It's like voting for President these days, given how candidate campaigns are run.
I don't trust it against a state-level adversary. As long as the FBI or similar organizations aren't out to get me I'm fine. In particular, Big Media and Big Advertising won't know where I'm coming from other than it's a TOR exit node.
The only cost is it's a bit slow and you have to do your homework to keep from accidently doing something to compromise yourself.
As TFS notes, VPNs are not legal in China, so if you're using a VPN service based out of China, you are really blowing it on the conceptual level here.
If you have SSH on a server you can set up a proxy using SSH: ssh -D 8080 user@server -p 443 You can configure your browser to go to your local port 8080 using SOCKS. The remote server can be something at home, or on AWS, or on Cloudflare, etc. More info. Don't trust any proxy, build your own.
"First they came for the slanderers and i said nothing."
Can pay with bitcoin.
The freakin nerve of these people. Who the hell do they think they are? I'll take my business elsewhere that much I can gaurantee for sure as much as I can spell it.
"Free versions bombard you with ads." Opera Browser has a built in VPN without any ads whatsoever. *shrug-emoji*
You can also take a flier and trust someone who's done a bunch of the research and decided to put it up on the interwebs.
e.g. https://thatoneprivacysite.net...
It's still got a risk of being logged or intercepted, but combined with Tor you can be anonymous to everyone short of 5 Eyes.
It's run by a Japanese university as a way to provide both university funded and donated connections all over the world to circumvent censorship and surveillance. Maybe they are logging everything, but not having your cellphone id or credit card number tied to it goes a long way. Just be aware almost every IRC network has bans on the common vpn IP ranges thanks to griefers. Cloudflare and company however rarely do.
That's a single VPN endpoint in a single location. Obviously that doesn't meet the needs of people who want to be able to have "local" access in foreign countries.
https://thatoneprivacysite.net... is an attempted chart of jurisdictions, practices, etc. so reference away. I think torrentfreak or such also do a top-ten or something, every few (12?) months.
I went PIA (supposedly keeps no logs, has anonymous payment models) but for casual use, don't come to me if your drug/human trafficking gets busted. Service is mostly stable, occasionally sites are inaccessible (or just blacklisting). They got bonus points for calling out repu- er, congressmen voting on ISP tracking bills and such.
It's a sick joke that I have to pay two web-connecting services to connect to each other, but here we are.
The same people who gave us ProtonMail.
"High-speed Swiss VPN that safeguards your privacy."
https://protonvpn.com/
That isn't a VPN. It is just a proxy and it only works with stuff that supports SOCKS.
OpenSSH can make a VPN with ssh -w but it kinda sucks at it.
You are ON!! the internet.
There is more choice, and using a VPN adds a level of indirection. A VPN is not a perfect cloak, but if you know what to expect, you can still get a lot out of not showing your every server you contact on the internet your actual network location, with an IP address that only you use. You should still use end-to-end encryption whenever possible.
Isn't that obvious? The Chinese government doesn't want its citizens using a VPN, because they'd probably pick one hosted outside China and thus pierce the Great Firewall. But it's more than happy to let people from other countries pipe their traffic through Chinese VPN servers, so they can figure out who's visiting where..
Remember, with most of the web switching from http to https, most of your traffic is already encrypted. So a VPN doesn't help in that regard. What a VPN does is obfuscate you as the source/destination of that traffic, by making it appear as if the traffic is coming from the VPN server instead of your computer (acting as a proxy). But the company running the VPN obviously knows who you are, and has to know which traffic is yours in order to function properly. If the VPN provider is logging that info or handing it over to the government, that defeats the purpose of using a VPN.
Many of the 'free' ones don't just throw ads at you, but work by a reciprocal agreement -- your traffic has an exit point in a different country, and you become a random other user's exit point in return... So even if you are on the up-and-up yourself, who knows what shady shit other people are doing and which now appears to originate from your IP address.
with the new sharenoevile app you'll never have to guess if your clicking out of your bounds,, as if we don't know already?
Obviously that doesn't meet the needs of people who want to be able to have "local" access in foreign countries.
You can spin up an AWS in many different foreign countries.
"First they came for the slanderers and i said nothing."
You are right, but most of what people use a VPN service for is to act as a proxy. They don't want their country or their company to know what they are browsing to on the internet.
"First they came for the slanderers and i said nothing."
Public is not the same as Private. Most commercial "VPNs" are actually Virtual Public Networks. Rule of thumb:
- Any VPN in which a corporation or an untrusted individual is a participant node should be regarded as Public.
- Any VPN running code which you haven't compiled yourself from known-good sources should be regarded as Public.
- Any VPN using non-standard encryption or pre-generating keys for member nodes should be regarded as Public.
If you really need to trust a VPN then don't deceive yourself --- don't play Security Theater, ensure that Private really means Private. Convenience is the enemy of security, and trust is almost always inversely proportional to convenience because convenience tends to introduce untrusted elements.
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
Your own government that's much more incentive to utilize your information against you. better that your information is stolen by China who doesn't give a f*** about you personally, then by your own government who may use it to take action against you.
CyberGhost works well for me and I've found a work-around to the slower speeds reported by reviewer sites. I kill the Cyber Ghost service manually each time with Task Manager (End Process) after each use. I've discovered if I leave the background service running the connection speeds over time with each use get slower. Manually ending the service after each use has stopped this from happening. Yes, it's a slight pain in the ASCII to have to do this each time but the overall speed increase is worth it. Also, the time to reconnect is a bit longer without the background service running, but again, the problem of slower connections pretty much disappeared for me by doing this.
privateinternetaccess.com is a good vpn.
Do it
Your endpoint is AWS. You think that isn't monitored lol.
You shouldn't trust any except the one you've set up on your own and then you still need to use TOR over VPN 'cause otherwise the company which is renting you a server will know all the IP addresses you ever connect to. And then the same company still has full access to your server, so consider yourself burnt.
In short, use TOR over VPN if you want to remain incognito, or/and chain several VPN providers and hope they are not under the same jurisdiction.
The CEO of one top VPN company, Silicon Valley-based AnchorFree, told me in a phone interview that he suspects one of his top rivals is secretly based in China ...
Uh-huh.
"Look, it's totally not that they're one of my *top rivals*, but ..."
It must have been something you assimilated. . . .
Your endpoint is AWS. You think that isn't monitored lol.
There is no endpoint that is not potentially monitored. VPNs are not effective at preventing that kind of monitoring, that is why TOR was invented. (Whether TOR is successful or not is another question).
"First they came for the slanderers and i said nothing."
You're also incompetent, trust a known traitor apologist and liar, and have no idea what handshake methodology is at all secure or even which that you're currently utilizing. FTFY. And since you didn't write your own compiler, it's pointless.
VPN where you don't control both endpoints is not a VPN, by definition.
What these companies are offering are only glorified traffic tunneling services and proxies, not a true private network. Good for bypassing region restrictions on stuff like Netflix but not for anything where privacy is actually required.
The internet is not private. VPN's are pretend security.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
VPNs may be more privacy-focused than big, corporate ISPs, but they're also smaller, more opaque, and less publicly accountable.
"All governments lie." -- I. F. Stone
VPNs are more accountable than the NSA, CIA, DEA, DHS, & FBI with their "National Security Letters." And those guys are just as untrustworthy as the Chinese security agencies. The main advantage is that the Chinese agencies have far less power over US citizens than the US ones.
How you hide your IP address depends on why you're doing it. If you don't want US corporations to monitor your web traffic, then a VPN in any country that is non-compliant with US corporations & has a privacy reputation to maintain, e.g. Switzerland, is probably a safe bet. If you think you might be interesting to a government security agency from any country, a VPN won't help you at all: You'll need a whole new level of evasive tactics to hide yourself & cover your tracks.
Debate is a form of harassment. Do not question my truth.
..and it's been untrustworthy since it's been accessible by the public-at-large -- and perhaps even before that.
Your only hope is to encrypt and safeguard everything you do as much as humanly possible, and if you don't, assume whatever it is you're doing is being spied on and collected by parties unknown. Keep your own data on your own devices instead of falling for the meme known as 'The Cloud'. Don't entrust the security of your home to 'Internet of Things' devices. Sensitive communications? Either keep them off the Internet entirely or encrypt them yourself, point-to-point, no corporate intermediary. Remember that even if you have a 'landline' phone it's still going to use the Internet at some point. Your cellphone uses the Internet for voice calls.
AWS IP is specifically extra monitored, as opposed to some nameless headless VPN endpoints you might otherwise use. I would trust any solution involving AWS less than I would any other competing solution in almost any case.
A DIY VPN in not really a solution, at least, not beyond the trivial case of dialing in to your home server. If you want an encrypted connection with an exit point in country X, are you going to buy and pay for a server in country X? What about country Y? How are you going to pay for and maintain those exit points anonymously? And anyway, if only you and maybe a few friends/family are using it, traffic analysis can make the VPN encryption pretty much useless.
The point of a commercial VPN service is not only the encryption, but also the anonymity that occurs when your traffic is mixed with thousands of other users.
Enjoy life! This is not a dress rehearsal.
I don't understand why many of the same people who would say "of course Facebook/Google sell your data, you're the product" are complaining about the "privacy" of free VPNs.
You are paying exactly nothing. You should expect the same in return.
I use PIA as well, and I am pretty happy with the service. It's generally fast, it's easy to pick an end-point in whatever country you want to be in. They do get blacklisted by some organizations (example: BBC), but that's life.
The only thing I don't like is that PIA is US-based, land of secret courts and secret warrants.
But then, I'm not doing anything illegal, I just don't particularly want my ISP nosing around in my browsing, and sometimes I want to access services that are geo-blocked for no good reason (like US sites that don't understand the GDPR). For all that, PIA is good...
Enjoy life! This is not a dress rehearsal.
VPN services seem to have seen a dramatic rise in popularity lately and it has resulted in the proliferation that we see. But, I want to know, what are people using them for? I see people in the U.S. that seemingly have no clue about security using VPNs for browsing?
What's the main use case for all these VPNs?
How do you know? I hope you're not making stuff up.
"First they came for the slanderers and i said nothing."
And since you didn't write your own compiler, it's pointless.
The diverse double-compiling construction described by David A. Wheeler reduces the probability of a meaningfully compromised compiler to a negligible level, so long as at least three independent compilers for the language exist and one of them is free software.
A SOCKS proxy is NOT safe if you want to hide your traffic from the network owner.
Use tor, instead.
GENERATION 26: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
Gloss-over the country that claims its laws apply everywhere (making everyone a criminal for having sex with a 17 year-old non-American) and whinge about the country that doesn't share its massive trove of surveillance data.
IMO the only useful metric is how the VPN provider responds to a request from MPAA about a clien't's torrent activity.
My use case doesn't consider Chinese govt' monitoring important. I would be curious to hear why non-Chinese slashdot readers would consider this a threat.
IMO the major threat is MPAA.
Yes, you are right. Most people have no idea that there is more to the internet than web sites and email. You start talking TCP vs UDP to them and they have never heard of either of them.
All I know is that if I were the NSA, one of the first things I'd do is set up a company, at an arm's length to me, with an inexpensive, stable and reliable VPN service and let as many people use it as I could get... Of course, I'd make it look legit and go on about protecting your privacy and not keeping logs...
Communist China has no problem finding many VPN users in real time.
The NSA and GCHQ have no problems working back from a VPN to a user.
The FBI is getting as good too?
Do VPN products stay secure in Ireland?
Domestic spying is now "Benign Information Gathering"
As a fan of Ken Thomson's famous identification of the Trusting Trust problem, I had to read your link. I followed his blowhard, conceited and ill-informed "facts" for as long as I could. Then just to understand who this guy is and why he's so serious about convincing himself that he's solved an unsolvable problem, I had to check out his book link. Then while I was trying to understand how he could be so smart and yet so irrational about computer security....there it was at the bottom of his book page. He's a Christian, and he has links to his Christianity info page. Where he asserts that Jesus was the son of God and died for our sins on the cross and we can be saved by believing.
Read enough of his footnotes and eventually you realize his lack of ability to think rationally about life and death is the same reason he is unable to think rationally about trusting compilers. There is no original trusted compiler, LET ALONE THREE. (sigh)
So instead of tracing to one thing you own they trace to another thing you own? Personally I'd rather use a big company knowing my data will be obfuscated by a mass of other shit going through the pipe which any trace is likely to write off as "too difficult" (at least if the provider doesn't keep logs as they claim).
From the site itself: "My data simply reflects what is officially and publicly avaiable[sic] for a given service on their own official website."
No attempt is made to independently verify claims of the VPN providers. But just because someone is running a shady VPN service doesn't mean they would LIE about running a shady VPN service, right?
Then go through AWS.
"First they came for the slanderers and i said nothing."
Isn't I2P a thing?
Isn't there a way to simply piggyback on the noise? You should be able to modulate it like any other radio signal.
The FBI, among other three letter agencies, has been known to operate end points in the TOR network. TOR is a useful, but not entirely sufficient way to stay anonymous on the internet. If that's your goal, you have to use TOR, a good VPN, and a dedicated operating system such as TAILS. And you have to properly configure each of these at all times. Anonymity on the internet is hard, and requires careful stagecraft. And even if you do everything perfectly every time, it still might not be good enough.
(Score: -1, Stupid)
Or I could do something orders of magnitude easier and achieve the same result with a complete VPN rather than a SOCKS proxy.
You need to be aware that if you are using your ISPs DNS server, your ISP will still be able to see and log where you go. You must setup another dns server on your machine or possibly use a dns server that says they don't log your dns request. CloudFlare promises to not keep track of your dns lookups. Their dns is 1.1.1.1 and 1.0.0.1.
Another site that gives a good explanation on using Putty to create a tunnel through a cheap VPS ($5/mo) is at:
https://github.com/inwtx/SSH-W...
Streisand covers more methods, including Tor and Wireguard. Algo is IPSEC for normal folks. While you may not trust cloud providers father than you can throw them, at least you have arranged for the relay yourself and have some measure of deployment control.
Or I could do something orders of magnitude easier
If you're computer illiterate, I guess it is orders of magnitude easier.
"First they came for the slanderers and i said nothing."
Is no one else concerned about another bill we now have to pay to fix a manufactured problem? PS, I see several people proclaiming "set up your own". Dosent that involve having a bunch of infrastructure all over the internet to do it right? Like, isn't that the point?