hckrnws

Note that all of these companies are also under the umbrella of Tesonet, a Lithuanian VC firm also headed by Tomas Okmanas (Tom Okman in TFA). Their flagship investments are Nord Security, Hostinger, Oxylabs, Surfshark, Decodo, Mediatech, and nexos.ai - all closely related business models around proxying.

They don't seem to have Russian ties: "In 2022, CyberCare opened an office in Lviv, Ukraine. Although planning for the move started before the war, according to Dainius Vanagas, CEO of CyberCare, one of the reasons why it was followed through was a desire to help Ukraine rebuild."[0]

They also donated money to help arm Ukraine.

0: https://en.wikipedia.org/wiki/Tesonet

Don't forget ProtonVPN links to Tesonet, which they're trying hard to "debunk" (though no clue why, I have nothing against Tesonet). They only shared employees and accidentally signed apps with the same certificates, but are "totally unrelated". Their PR people are already on this thread.

If they didn't try so hard to fight it, people might care less.

"Links to" is doing a lot of work in that sentence. ProtonVPN is owned by Proton, which has no legal ownership ties with Tesonet. During Proton's expansion into Eastern Europe, Tesonet initially assisted Proton with HR, payroll, and local regulation, so for a period of time, people working for Proton were employed by Tesonet, since Proton had no local subsidiary that could hire them. These were not "shared employees", they worked exclusively for Proton.

In 2016, Proton created its own subsidiary, and these people are now employed by Proton. But for this historical reason, the ProtonVPN keystore on Android still lists Tesonet as the organization name, even though it is fully controlled by Proton.

None of this is "debunking"; these are just the facts. You can make of them what you will, but you should be honest about what actually happened when you talk about it.

> Tesonet initially assisted Proton with HR, payroll, and local regulation

Entirely normal behaviour for a competitor to provide “HR assistance”.

I've been part of a European startup that added offices in Asia and the US, and we initially always partnered with local companies to do this. It's mutually beneficial. It allowed us to grow more quickly, and it allowed them to make relatively easy money (and, in our case, to dump some of their shittier employees on us without us knowing).

In Proton's case, they already knew each other because Tesonet had previously offered to provide infrastructure during a DDoS attack against Proton.

So maybe it's a conspiracy, or maybe it's just how things go. You can make up your own mind, but you should provide the facts when you make sinister insinuations.

You know an awful lot of detail about the inner workings of two separate private companies though.

Is it really that shocking that someone on HN would have worked at as many as 2 private companies?

Nor is it shocking that a company with a PR issue would be astroturfing our forum.

The point is: we don't know.

I would assume that if they were astroturfing, they would be smart enough to use more than one account. Given that, I'm inclined to believe that you are part of an astroturfing campaign.

The summary is: if you use someone’s VPN, Tor, etc. you’re just setting yourself up. There is no privacy, and if you act like you want privacy, they’re going to pay more attention to you.

That's what they want you to think.

LOL, now I'm part of the conspiracy. This is all public knowledge.

Then you could provide sources, please?

Here you go: https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...

Here's the Handelsregisterauszug for Proton, which shows ownership: https://www.zefix.admin.ch/en/search/entity/list/firm/118926...

Proton's peering relationships: https://bgp.tools/as/62371#asinfo

I'm not sure what exactly you're looking for.

> Here's the Handelsregisterauszug for Proton, which shows ownership

It doesn‘t. It’s a joint-stock corporation and while the shareholders are registered, the register is not public.

Proton discloses shareholder information here: https://proton.me/support/who-owns-protonmail

But I guess they could be lying.

Them providing information isn't the same as publicly verifiable information.

> "Links to" is doing a lot of work in that sentence.

How? it is obvious.

> During Proton's expansion into Eastern Europe, Tesonet initially assisted Proton with HR, payroll, and local regulation, so for a period of time, people working for Proton were employed by Tesonet, since Proton had no local subsidiary that could hire them. These were not "shared employees", they worked exclusively for Proton.

So basically same people managed teams, same people paid the employes, but my "Links to" is doing heavy lifting and in the previous sentence you say "ProtonVPN is owned by Proton, which has no legal ownership ties with Tesonet."? Who is doing the heavy lifting here?

How much is Tesonet or Proton paying you to post in here?

> How much is Tesonet or Proton paying you to post in here?

Sadly, they're not paying me anything, but I would suggest that any belief system in which information contradictory to your belief reinforces your belief is inherently problematic.

So how much is Nord paying you to post here?

> so for a period of time, people working for Proton were employed by Tesonet, since Proton had no local subsidiary that could hire them. These were not "shared employees", they worked exclusively for Proton. In 2016, Proton created its own subsidiary, and these people are now employed by Proton. But for this historical reason, the ProtonVPN keystore on Android still lists Tesonet as the organization name, even though it is fully controlled by Proton.

So either:

1. Tesonet/Nord are loose with their private keys.

2. Proton isn’t being truthful.

Anyone who understands crypto and key management knows “not your keys, not your _____.”

If those staffers worked for Proton and not Nord, why did they have Nord’s key?

This level of negligence with private key management really can’t be explained away.

Proton explains this here:

https://redlib.catsarch.com/r/ProtonVPN/comments/8ww4h2/prot...

I suppose you're free not to believe them, but I'm unsure what exactly you believe is happening here and what exactly Proton is lying about. Tesonet secretly owns them and has been running a decades-long misinformation campaign to trick you into thinking they don't? To what end? It's not like Tesonet is some nefarious company we should all be afraid of. What would they gain from lying about this if it were true?

And how can they make such an obvious mistake with their certs and then not make another one for the next decade? It's just not plausible.

At some point, you've gotta use some common sense.

My comment still applies regardless of any level of “explaining” [1]:

1. Either Nord/Teso are loose with keys (horrible)

Or

2. Proton isn’t being truthful.

I don’t think it’s a conspiracy or anything that it is Tesonet/Nord. Rather, the problem is you cannot trust someone with your privacy if they can’t even manage their own keys.

[1] The explanation is poor at best and doesn’t explain why they worked so hard to try to delete all of the evidence (all of which was archived already). Additionally, nothing can explain away the lack of security with key management across these two orgs.

The people who couldn't handle their keys were at Nord. The people you trust are at Proton.

> worked so hard to try to delete all of the evidence

The cert is still there. Apparently, they didn't work nearly hard enough.

They worked pretty hard as detailed in an archived article changing names and any records they could [1], but you're right - not good enough [2].

As pointed out on this reddit post [3], Proton's appears to contradict itself a number of times.

It's a good thing trust based VPN's are obsolete. After all, trust isn't constant [4] as seen in this article showing how Proton supplied IP addresses to "authorities."

[1] https://archive.ph/wG8t8

[2] https://archive.ph/4bzBm

[3] https://www.reddit.com/r/technology/comments/8x9aik/protonvp...

[4] https://techcrunch.com/2021/09/06/protonmail-logged-ip-addre...

> Created by supposed MIT and CERN scientists

This is a hilarious way to start an ostensibly serious investigation. It's not as if you could easily figure out the answer to that.

At some point, you have to acknowledge that you're a clown.

[flagged]

>You're devoting a lot of emotional energy

You're on the Internet. How are you surprised that someone is repeatedly responding in a thread about a very obscure topic, especially when people are posting conspiracy theories?

It's interesting to have these discussions. But it is funny that people's conspiratorial thinking now makes me a part of the conspiracy merely for pointing out easily verifiable facts.

>What is your relationship to either company?

I subscribe to Proton's services, so I was originally interested in finding out what actually happened. Now I'm interested in pointing out people's flawed reasoning because I think Proton is doing something valuable, and I don't want these attacks against them to go unanswered.

Since we're now part of this thread, as the attack on Proton was orchestrated initially by a competitor and seemed to use bot accounts on Twitter, how much do they pay you to try to discredit me?

Just kidding, see above. You and I, we are the same. We do it because it is interesting.

How is thinking that a company might be doing PR work in a hacker news tread a conspiracy theory?

It isn't, it's common sense and common practice.

That's not the conspiracy theory. The conspiracy theory is painting every single commenter as part of said company/PR agency.

Did they sign things with the wrong keys?

Back when I was running PIA, they threatened me a significant amount just for pointing these facts out.

Now that I launched a verifiable VPN, they are once again sending legal threats [1].

[1] https://vp.net/l/en-US/blog/Verified-Privacy-vs-Trust

The same PIA which is now part of Kape Technologies which under its former name of Crossrider was known for malware?

https://cyberinsider.com/private-internet-access-kape-crossr...

If you cant trust VPNs sold to dodgy Israeli spyware firms who can you trust?

Freenode, never forget.

what makes your vpn verifiable? can i verify you run specific oss on your servers? secure enclave is just management's idea of implementing crypto. everyone out here knows that it is highly flawed and intel with their management engine bullshit can't be trusted at all.

You might find this helpful: https://youtu.be/sz7NAe0G1_Y?si=focPEWli8xv7NCDi

Re verifiability: the point isn’t trust us, it’s that you don’t have to.

We built it so anyone can independently confirm what’s running.

1. All server and client code is published.

2. Builds are reproducible.

3. Each node provides cryptographic attestations of its runtime and routing identity.

4. Enclaves are used for verifiable isolation.

You can peruse the code yourself to see exactly why the transparency we bring makes legacy “trust based” VPNs obsolete: https://github.com/vpdotnet/vpnetd-sgx

It looks like this boils down to 'check the magic number in the code against the magic number our server gives you. It matches!!!'

Is there some indication the user has that your server isn't simply hard coded to return the right magic number? I don't understand how this provides any assurance of anything.

The SGX certificate is signed by intel and includes a certification of the hash of the code loaded in the secure enclave ("MRENCLAVE").

When the client connects to the server, the server presents a tls certificate that includes an attestation (with OID 1.3.6.1.4.1.311.105.1) which certifies a number of things:

- the TLS certificate's own public key (to make sure the connection is secure) - The enclave hash

It is signed by Intel with a chain of custody going to intel's CA root. It's not "just a magic number" but "a magic number certified by Intel", of course it's up to you to choose to trust Intel or not, but it goes a much longer way than any other VPN.

So did you sell pia? Why won’t you sell your next venture ?

I did not sell PIA. I entered into a merger agreement to create a publicly owned privacy company. Without getting into detail, I left the company on principle receiving only 1/3rd of the value for the shares.

Btw I used to love pia, I think I’ll check your new one out!

Used to love? What changed? PIA hasn't always had the best performance but they are on the list of VPNs who were subpoenaed and had no data to give the court.

my $.02 : I tried them, but found their "we support Wireguard" a bit misleading. They only did so via their app. No way to get a stable configuration for a router (other than run a python script to get one from the app, without any guarantee how long is that config valid for).

But that has not happened since PIA was acquired by Kape. All that proves is that the previous owner was trustworthy.

But, that happened since they were acquired by Kape. All that proves is the previous owner was trustworthy.

Why?

"Without getting into detail"

[flagged]

I appreciate the engagement, but it’s become clear that this particular user has been repeatedly following my posts to respond negatively - a stalker if you will [1]. I’d prefer to keep the discussion focused on facts, not personalities.

The key point, you don’t have to trust us, and we don’t want you to. Trust code, not people. That’s the foundation of the entire effort.

As for the Freenode situation, the popular narrative has been repeatedly misrepresented. The core claims were debunked and the receipts are here: http://techrights.org/wp-content/uploads/2021/05/lee-side.pd....

To clarify a few historical points:

1. The so-called “takeover” was being organized long before my involvement, as shown by domain registration dates and internal meeting notes. I was a more convenient target than Christel, which might explain why she asked me to buy it from her.

2. False narratives were already being circulated to open source projects before any administrative changes occurred. The subsequent channel topic changes were a reaction to those actions, though I’ve acknowledged those decisions weren’t ideal in hindsight.

On broader context, much of what’s now called “funding FOSS” doesn’t reach active developers. It tends to reward organizers and promoters rather than those writing meaningful code. Supporting individual developers directly remains a better way to sustain real innovation.

Ironically, several of the ex-staff I defended for years against serious allegations (search “OldCoder” if you’re unfamiliar) went on to form Libera, attempted to seize the freenode IRC domain, and created a false narrative about events. It’s disappointing, but not surprising given the leftist politics at play.

If you want to understand the larger trends affecting open source today, I recommend Lunduke’s Journal and similar analyses. Most major FOSS projects are no longer developer run… just look at Mozilla for an example.

[1] https://news.ycombinator.com/item?id=44921771

It might help your goal of a PSA if you source your claims, so this doesn't become inflammatory.

https://en.wikipedia.org/wiki/Freenode

Too late, already flagged.

There is no mention of proton whatsoever, even more sending legal threats to your vpn, in the link though?

Ah yes, the King of Joseon Cybernation is a trustworthy source.

Proton are pretty shady. The Radware ties, the blocking of two journalists, etc. etc.

For anyone else who wondered what the radware thing was.

https://proton.me/support/protonmail-israel-radware

How much did proton pay you to post that link again?

The streisend effect. Although, personally I am interested in this topic, as everyone using these VPNs is one ToU change away from being data mined at all time.

I used to work at Tesonet (as software engineer) and I'm not familiar with corporate politics / ownerships but they're lovely people that would 100% walk out if there were some real Russian ties involved.

Lithuania is a really small country and IT has been a huge economic strategy since early 00s as a way to become economically independent specifically because of Russia and it worked out really well.

I have a good friend from Lithuania, who has told me so many amazing/wonderful/superlative things about the country he grew up in and loves very dearly, as well as its people. I can't wait to visit someday. Unfortunately, he only has Russian and American citizenship, so he can't purchase real estate there currently, but luckily most of Lithuania's restrictions have been very common-sense (applying only to people who frequently travel between Russia and Lithuania).

From what I can tell, Tesonet seems like a very patriotic group (as much as a corporation can be personified at all), and genuinely puts resources, both human and financial, towards raising up the local communities.

It's interesting to me that Tesonet has concentrated the most popular VPNs under one roof and is involved in so many companies that could be described as "dual-use" (white hat/black hat) such as residential/mobile proxies, ai-powered scraping, etc. It tells me that Tesonet has a very sharp understanding of gray-hat landscapes. It does seem like their portfolio could be leveraged as a valuable asset to any powerful interest, regardless if they are benevolent or malicious or misguided.

I mentioned Tesonet's stance towards Ukraine because Lithuania has a number of wealthy ex-soviet/Russian citizens and business-owners with differing politics, and wanted to clarify that for any readers who might wonder.

Additionally, I've always been very impressed with Estonia's digital infrastructure and Ukrainian software engineering - not just JetBrains but also other vendors that I've worked with personally. Seems like there are a lot of highly skilled people concentrated in your region.

I couldn't really get that segue from Lithuania to Estonia. Did you mean to type "Lithuania" in the last paragraph as well?

Here..

> Additionally, I've always been very impressed with Estonia's …

Before that you were talking about Lithuania exclusively.

And then:

> … Estonia's digital infrastructure and Ukrainian software engineering - not just JetBrains …

I think it was founded in CZ and is now HQed in NL. Right?

A typo? Or there's some relation between the two countries and whether JetBrains has some history with these two that is missing here?

(I am not trying to nitpick, really interested in knowing whether there's some angle/twist here, since the post itself is about hidden connections and what not).

> (I am not trying to nitpick, really interested in knowing whether there's some angle/twist here, since the post itself is about hidden connections and what not).

Honestly that shone through even from the first sentence.

I mentioned Estonia because Lithuania/Latvia/Estonia have a bit of shared identity, kind of similar to Sweden/Norway/Finland or USA/Canada.

> I think it was founded in CZ and is now HQed in NL. Right?

Yes I was just wrong. I was convinced it was Ukrainian for some reason.

I agree that the combination of those two points made my post particularly confusing.

JetBrains was russian (as in were most people initially actually worked). They were smart enough (like any business in russia not wanting to be trapped) to have registration outside of the country.

Some part of management were in CZ. Most of the technical team were in three buildings in St.Petersburg.

Wow. Didn’t know. As an Android developer I find it specially interesting. Not for any nefarious reasons, for I so far believe that JetBrains is one of those companies that has been a net positive on tech ecosystem in general (touchwood!) — be their dev tools or the Kotlin itself. I also follow these people and tools, partly out of professional needs/curiosities.

FYI Kotlin language is named after https://en.wikipedia.org/wiki/Kotlin_Island

Aha. I see that it was also called "Kotling". I guess they missed this opportunity, or maybe KotLang, in which case people would have started calling it just Kot.

Also the place seems to have quite a few rebellions under its belt.

They're neighboring small countries with similar (centuries' long) histories of tension with Russia, in its various guises. They're often considered en bloc:

https://en.wikipedia.org/wiki/Baltic_states

> most of Lithuania's restrictions have been very common-sense (applying only to people who frequently travel between Russia and Lithuania).

Common-sense like a complete ban for entering the country for red passport holders.

Lithuania is a wonderful, beautiful country and I understand the need to push the hardliner stance in the EU, but their decisions during the conflict have been strictly political, not in the slightest "common-sense".

Isn't Lithuanian passport red ? or the context here is communism ?

Turns out it's indeed red, but it's been green for a long time.

Context here is Russian Federation.

[flagged]

> Now please repeat the sentence, but use Jews, Muslims, or PoC instead of Russians.

Why? OP decided to use Russians, as they're free to do so. No need to bring your objections to personal feelings here.

[flagged]

You've just pissed off the entire eastern Europe and are still acting like you've any moral with this. It's the Russian state (and their elites) that's been an abuser to neighboring countries and they're still doing it. It has nothing to with race at all, Russians are slavic people as well. We don't really have a problem with them, beyond them supporting their government

[flagged]

> How are all Russians in Lithuania or Estonia responsible for the deeds of the Russian government? Or Russians in England?

It's not about Russian people, you assumed that. There are well known connections between any company doing business in or with Russia who are basically extorted to hand over all information about customers or financials to the government. This is no secret.

If any company is working from or with Russian ties, you can assume the government will have access to that data. Given the sensitive nature of VPN's, antivirus software, deployed software in general, its completely fair to say you don't want to work with people with ties in Russia. I'm the same. You're conflating things, and then throwing in some 'what-about-ism' for good measure. Nothing but an argument will come from this discussion so it's not welcome here. You could try your hand on Twitter.

> It's not about Russian people, you assumed that.

I assumed that because it's what has been said.

>> ... but they're lovely people that would 100% walk out if there were some real Russian ties involved.

> If any company is working from or with Russian ties, you can assume the government will have access to that data. Given the sensitive nature of VPN's, antivirus software, deployed software in general, its completely fair to say you don't want to work with people with ties in Russia.

Many major VPN companies have Israeli ties. Now, tell me, how is that better than having Russian ties? You trust Netanyahu's government more than Putin's?

> You're conflating things, and then throwing in some 'what-about-ism' for good measure.

No, I'm just exposing your hatred of Russians and your double standards.

> Nothing but an argument will come from this discussion so it's not welcome here.

Who are you to say that? You started with the racist remarks and got called out. If you don't want to discuss it anymore, you are free to stop, but I won't let your racism go unanswered.

> You could try your hand on Twitter.

Not sure about Twitter, but there are many platforms that would welcome your racism and your hatred. You would have a much better time somewhere else, so feel free to act upon your advice.

> No, I'm just exposing your hatred of Russians and your double standards

We're talking business connections here not personal friendships. Russian businesses and business people are not to be trusted as Kremlin retains full control over them and Kremlin is an enemy of Lithuania. It's basic safety and risk assestment to not integrate compromised systems and every russian system is compromised. Same applies to any other actor but guess what, no other actor is threatening invasion of Lithuania so the math adds up here, no?

Calling Tesonet a VC firm isn't really an accurate description of their history. They started as an IT services company (which they still do), then split out internal services into effectively separate companies (e.g. CyberCare was originally built to manage customer support for NordVPN).

Now they have got more money than they know what to do with so are making VC investments.

"all of these companies" are you sure? Did you check the VPN relationships diagram that is within the article? Tesonet is listed and linked.

[flagged]

Our last President was haunted by completely unverified claims of business ties with Ukraine. Someone in UKR clearly tried to buy influence via his son, but all the force of Fox News and the GOP together couldn't produce one single sticky-note worth of evidence tying it to any success.

Painting "armed invasion" as "Russian presence" is like calling "stabbing someone in an alley" a "medical procedure".

We get it; you love Mother Russia.

Russiagate was not a "fictional narrative," as a cursory amount of research will reveal.

> The Republican-led Senate Intelligence Committee investigation released their report in five volumes between July 2019 and August 2020. The committee concluded that the intelligence community assessment alleging Russian interference was "coherent and well-constructed", and that the assessment was "proper", learning from analysts that there was "no politically motivated pressure to reach specific conclusions".[11][12] The report found that the Russian government had engaged in an "extensive campaign" to sabotage the election in favor of Trump, which included assistance from some of Trump's own advisers.

After seeing the front end and the tiniest bit of backend on CrowdStrike and why they’re in Ukraine… I wouldn’t say any company with offices there makes me feel at ease. It’s not better.

We should really be moving towards a world of Multi-Party Relays rather than Single-Party VPN operators: https://www.privacyguides.org/articles/2024/11/17/where-are-...

With Multi-Party Relays you no longer have a trust a single entity not being malicious or compromised.

Disclaimer: I run obscura.net, which does exactly this with Mullvad (our partner) as the Exit Hop.

Hey Carl! This is the first I'm hearing of Obscura. After doing a deep dive into your product, it looks to be a very fascinating privacy tool. However, I'm concerned with your operating under US jurisdiction, as detailed by others here:

https://discuss.grapheneos.org/d/20059-obscura-vpn-and-mullv...

While I understand potentially not wanting to incorporate in the EU (with Chat Control on the horizon) nor Switzerland (due to their own non-EU-related privacy backslide), why still select the US, which historically other privacy tools have largely avoided? It feels like you're already shooting yourself in the foot, whereas you'd be good in the EU should Chat Control not pass. While it's great that you verifiably can't see a user's internet traffic, you're one US court order away from a forced compromising of the service for a user (or at least, giving up the connecting IP). Historically, EU court orders have been easier and more transparently fought by privacy tools.

Non sequitur, it would be great if you prioritized accepting Monero as payment, like your exit hop Mullvad. Also, how much control do we have over the features Mullvad offers (e.g. DAITA, quantum resistance, DNS filters, IPv6, integration with Mullvad Browser)?

> should Chat Control not pass

Unfortunately in the world we live in no single jurisdiction is good enough anymore, laws can always change and Chat Control can be re-proposed over and over again.

Luckily, an MPR like Obscura with hops across different jurisdictions (Obscura in US, and Mullvad in EU) give you a much better scenario than just being in one jurisdiction.

> it would be great if you prioritized accepting Monero as payment

Definitely prioritized, one of our engineers is working on it right now.

> Also, how much control do we have over the features Mullvad offers (e.g. DAITA, quantum resistance, DNS filters, IPv6, integration with Mullvad Browser)?

We're limited by the Partner API that Mullvad offers right now, but we'll be looking into many of these soon. For example, we're implementing DNS filtering as we speak!

Can you control the geography of the exit node? I really like Private Relay but it doesn't get around geo restrictions because the IP is still in the same country you are.

Yes, you can with Obscura. That limitation of Private Relay is just an arbitrary limitation made by Apple.

And so by design.

Hey,

This is is what i wrote my master thesis on. I ended up not turning it into something proper. Thank you! i love that you did this!

Its awesome! OMG good job!

Ah that's excellent! Do you have a link to the thesis?

Does obscura work in China? Doe you have a free tier option for me to test?

We've had many reports that it works. In fact, one of our users told us he took an hour video call over Obscura in China and things worked smoothly!

Unfortunately, because we don't identify users we cannot offer a free tier (since that would allow anyone to use it freely indefinitely).

However, you can always just top-up for 1 month to see how it works for you! Would love to hear your experience.

Hypothetically, could tor switch to using QUIC?

You could probably implement a pluggable transport for it?

At this point, the VPN industry is so rife with shady dealings, suspicious ownership structures, weird exits, questionable marketing/PR practices/pushes, and rumours that waters have been muddied sufficiently for every provider out there. It might have been by design as well. Who knows.

I now believe that you know your use case and use VPN only for that, and decide whether you really need to pay with parts of your kidneys for a service that claims to be the "uber privacy bulwark of the season" (until proven otherwise, as it happens), and get done with it, and make sure "anonymity and privacy" are not the expectations unless you have gone to great lengths to ensure these two, and if that's the case, you won't be in the market for "list most private VPNs providers" at a search or LLM input box.

If your needs are anonymity, a VPN is not going to solve it— in fact, relying on one might endanger you. Even for privacy, I'd be very careful in trusting a VPN (any VPN).

So if you need a VPN for streaming content from other geographies, just get the one at the best cost that does the job well in your geography, without going through the rabbit hole of cryptographic verification, reputation spiral, etc.

A VPN is always a risk. Still, there is a difference between using Mulvad or PrivateInternetAccess. The difference between risking that the service might do bad things with your data, and having high certainty that it does. And this article gives pretty good indications which category each service belongs to

You’d put private internet access in the really bad category?

Yes. Very much so. PIA was purchased by a British-Israeli corporation called Kape Inc. which has been a known bad-actor in the past and is a giant red flag when looking for VPN options. (edited away the brevity)

Not saying that this is what I do, but a VPN is useful for things that are illegal but not serious.

For example, France is spying torrent downloads of copyrighted content but they only look at the domestic consumer ISP IP addresses. They ignore all foreign IPs, so if you're using a VPN it doesn't matter if the VPN keeps all the logs they won't bother.

Of course if you're doing things that will get you personally targeted by the police, like cyber-bullying or CSAM, a VPN won't protect you.

>it doesn't matter if the VPN keeps all the logs they won't bother

For now. The surveillance apparatus must feed from time to time.

> If your needs are anonymity, a VPN is not going to solve it— in fact, relying on one might endanger you.

Why?

Yeah, agreed. Most VPNs just move the trust boundary from your ISP to another opaque network and call it privacy. There’s no way to verify what’s running, who controls it, or what happens to your data once it leaves your machine.

We solve this with vp.net, by making the service verifiable. The code can be reviewed, the builds are reproducible, and each node can prove what software it’s running and where your traffic actually goes [1].

It doesn’t turn a VPN into an anonymity tool, but it makes trust measurable instead of blind. That’s the part the industry should have fixed a long time ago.

[1] https://youtu.be/sz7NAe0G1_Y

“We're sorry but vp.net doesn't work properly without JavaScript enabled. Please enable it to continue.”

This link displays just the map, freed from it's painfully small frame.

https://kumu.io/embed/9ced55e897e74fd807be51990b26b415#vpn-c...

Anyone got this as a regular single image infographic or (better yet) a text-only bulleted outline?

There is an export button. Maybe it does what you want.

Don't use the embed link from above, use this one: https://kumu.io/Windscribe/vpn-relationships

I have to admit that discovering that ProtonVPN was actually just owned by Proton Technologies feels underwhelming.

Idk what's the official status, but it's Tesonet.

Some fake debunking in the comments of this thread that is factually almost correct: https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...

EDIT: ProtonVPN app was "accidentally" signet by Tesonet. How do you think this could happen?

It’s not Tesonet, Proton is wholly self-owned and managed. Proton VPN was briefly sharing employees with Tesonet during initial app bringup, and that partnership is long over. Naturally due to competition and the huge importance of privacy in this space, people still bring this up, but Proton VPN does not and never will sell or share your data with anyone.

Source: I am a Proton VPN employee.

So, why were the employees shared?

EDIT: I'm not saying being related to Tesonet is bad, but it is a fact that you cannot run away from.

> Proton VPN was briefly sharing employees with Tesonet during initial app bringup

I assume they needed the experience in how to run a VPN company, so that initial partnership was needed.

But why would tesonet spend resources to help a competitor to start? I'd be surprised if there wasn't at least an equity deal.

> But why would tesonet spend resources to help a competitor to start?

I thought tesonet is venture / seed fund?

Then the question becomes why would they help a company that competes with their portfolio companies. And even stronger case that they got some shares in return.

One reason is that helping contributors that you know will survive (as proton was already well known) grows the market. Basically give the competitor of piece of the cake because they will enlarge the cake for everyone.

What the hell is employee sharing?

It's when your director goes and tells you not to tell anyone but to report to another building to another team for a month or three, and help them with whatever they ask, because you have a very specific set of skills. (In this case, setting up VPN backend infra.)

Proton's response in the thread:

Hi everybody, this is Andy here. I'm one of the original researchers from CERN behind ProtonMail and ProtonVPN. There's some false info out there about ProtonVPN, and these stories were first fabricated by Private Internet Access, a competitor who has been feeling pressure from ProtonVPN lately.

The stories are false, but we have always been very open with the community, so I would like to provide some background anyways. As many of you know, Proton has many partners (Radware, F5 Networks, Equinix, Radix, Farice, LeaseWeb, Dell, Supermicro, etc). Tesonet Lithuania is indeed a partner within our long list of partners, but it's a huge stretch to claim ProtonVPN is run by Tesonet.

We first met Tesonet back in 2015 when they offered to provide us with internet infrastructure (we received many offers after the infamous 2015 DDoS attacks - we never bought infrastructure from Tesonet). During this period, Google was suppressing ProtonMail in search results, and we were financially suffering. To address this challenge, we needed to hire staff outside of Switzerland where costs are lower. This is how our Skopje, Prague, and Vilnius offices got started.

Prague happened because two of ProtonMail's early hires from CERN were Czech. Skopje and Vilnius happened because we knew local partners there (it would not have been possible to source local candidates, handle HR and payroll, understand local regulations, etc, without outside assistance). We worked with Radix (Macedonia) and Tesonet (Lithuania) to accomplish this. Tesonet in particular was selected since they are one of Lithuania's largest tech companies (and we already knew them).

While our early hires in both Vilnius and Skopje were always working fully for Proton, they were formally employed by our local partners because we did not have a local entity that could employ them. In the early days of Proton, this was not an uncommon arrangement since our team is spread across over 10 countries.

In mid-2016, Google finally halted the suppression of ProtonMail in search results and we experienced strong growth. This gave us the resources to create our own corporate entities in Macedonia and Lithuania, and we engaged Radix and Tesonet to do this. We used the same legal address and nominee directors as our local partners because we still did not have our own office yet. For contractual reasons, these moves took some time. For example, ProtonLabs Skopje, our newest entity, only moved in November 2017.

For historical reasons, some connections to our past local partners remain. Some of the IPs we use in ProtonVPN's global network might be acquired or leased from Radix (we have never, and do not currently use IPs from Tesonet - most IPs are from LeaseWeb or are our own IPs). Similarly, the ProtonVPN Android keystore mistakenly lists Tesonet as the organization name, since our Android developer was at that time formally employed through Tesonet. Due to the way the Android Play store works, this keystore can unfortunately never be changed, but it remains under our sole control.

The entities we use today in Skopje and Vilnius are both subsidiaries of our corporate entities in Switzerland. While we no longer employ team members through third parties (except for in the United States where don't do direct employment), we do continue to share expertise and work on projects together with various partners. For example, our two new Swiss datacenters are being built together with Radix in order to share some of the fixed costs.

Going forward, we will need to continue working with partners around the world as we grow (unless you're Google, you can't do everything yourself). This is not the first time one of our partnerships has been inaccurately portrayed (the other incident is so ridiculous I'm not going to mention it here). The truth however, is less interesting than the conspiracy theories might have you believe.

--------

Further comments on the smear campaign against us:

    The false allegations were originally spread by US-based VPN provider, Private Internet Access (PIA), who also happens to be a major competitor. We think it says a lot about them to be engaged in shady marketing tactics.

    ProtonVPN/ProtonMail does not, and has never used any IPs or servers from Tesonet (this can be publicly verified)

    Proton does not share any employees (or company directors) with Tesonet. This is also a verifiable fact.

    Proton has not used Tesonet for HR since 2016.

    There is little actual evidence that Tesonet does data-mining (in any case we have never used infrastructure from them).

    Proton has many suppliers (Dell, Juniper, Radware, etc). If you dig enough, you can find dirt on all of them and create a false narrative. We do business with other tech companies - this is not a secret or abnormal.

I love Proton’s stuff and use all their products — maybe I’m just being paranoid, but even though the explanation makes sense, I still wonder about those old connections. Would be nice to see more official proofs

> Due to the way the Android Play store works, this keystore can unfortunately never be changed, but it remains under our sole control.

Out of curiosity, why not release the new version as a separate app under a new package name. I realise that’s not an ideal solution since it would mean starting fresh with installs and reviews, but it could allow you to move forward without being locked into the old key.

> it would not have been possible to source local candidates, handle HR and payroll, understand local regulations, etc, without outside assistance

I have no dog in this fight, but I agree with the "smear campaign" that this is 100% bullshit. I work for a fully remote company with employees from all over the world, including Eastern Europe, and we didn't need to partner with any local company, let alone a competitor. Plus even if we need local HR assistance there are plenty of global/local HR services to choose from that focus on HR, no "employee sharing" needed.

I don't know if any other claims are false, but this kind of bullshit obvious to anyone who has been in a similar position undermines everything else they claim. Plus it was never mentioned what these "local partners" get in return, which seems to be the most interesting thing if there's no secret ownership, which is the thing they set out to debunk.

> I work for a fully remote company with employees from all over the world, including Eastern Europe, and we didn't need to partner with any local company

Because your company already has considerable experience in working remotely in another territory, of course they didn't need any help. Or potentially, they were already contracting a firm for local bureaucratic matters.

> Plus it was never mentioned what these "local partners" get in return

Money? They could sell these bureaucratic services at a markup, where they have experience with the paperwork etc. part of expanding internationally.

Additionally, another commenter said they offloaded some worse talent on them[1], so that's another possible benefit to them.

1: https://news.ycombinator.com/item?id=45500737

And to cover the astroturfing allegations in this thread: no, I don't work for or have any relationship with ProtonVPN, other than being a user.

> Because your company already has considerable experience in working remotely in another territory, of course they didn't need any help.

What are you talking about, my company was fully remote with global employees from day one. And no, our CEO/CFO haven’t founded or worked for another fully remote company before that. This is not a radical concept at all, especially not here on HN.

A company operating fully remote with global employees still has to do some bureaucratic work with the countries of their employees for payroll purposes. That's what I meant by the experience they had with this.

> The false allegations were originally spread by US-based VPN provider, Private Internet Access (PIA)

While such comments may be okay in other forums, please note that the HN guidelines forbid such:

> Please don't post insinuations about astroturfing, shilling, brigading, foreign agents, and the like. It degrades discussion and is usually mistaken. If you're worried about abuse, email hn@ycombinator.com and we'll look at the data.

thanks, this reddit thread doesn't inspire confidence in proton's story :/ at all

[dead]

Are we allowed to discuss (edit: if it's not too political?) if Kape Technologies has any connections to Israeli security services, given the nature of VPNs and given the amount of data that can be trivially collected, and:

"Being from Israel, Teddy Sagi had connections with the Israeli military intelligence sphere and was able to procure himself a real-life cyber spy [his co-founder] from the famed Unit 8200 (kinda like Israel’s version of the NSA)" [0]

?

[0] https://windscribe.com/blog/what-is-kape-technologies/

Unit 8200 is the premier software development track in the Israeli military.

Every Israeli tech company likely has multiple developers from Unit 8200 in it. Whether it's building e-commerce shops or making video games.

While 8200 definitely falls under the military intelligence wing, I don't think describing people in it as Cyber Spies is anywhere near accurate. And unless that guy was very high ranking it is a stretch to imply that's an indication that IL military intelligence is involved in the company.

That is not to say that the military isn't involved with the company - that might very well be true, just that someone being from Unit 8200 isn't an indication of it.

Makes perfect cover though? "He was only a conscript changing printer cartridges"

People who don't live in countries with mandatory conscription for all don't really understand: everyone is connected to the military but it means nothing.

Judging an Israeli citizen on their IDF ties is like judging a US citizen on the fact that they went to public school.

> everyone is connected to the military but it means nothing.

No, people who live in tiny countries with mandatory conscription don't really understand that it means that their entire country is militarized. It's not surprising that fish can't see water.

> is like judging a US citizen on the fact that they went to public school.

It's exactly like that. If public school in the US trained people to kill and spy, it would be entirely safe to assume that the US was full of killer spies. For example, if you know that US public school taught a view of world history that was distorted in particular ways, and had very little emphasis in foreign languages, it would be safe to assume that Americans have a distorted view of the world, and largely don't speak foreign languages.

I don't know, this seems basic to me.

According to google, 87% of Americans go to a state-funded school, so yes judging an American based on the fact that they could afford to be in the top 13% and go to a public school instead is legitimate. This doesn't seem to match what you're trying to say.

You’re using the British definition of “public school” here, which is a “private school” in the US. US public schools are equivalent to UK state schools, in that both are run by the state.

It doesn't matter if it's accurate or not, such judgements are made by most people every day. Someone who was professionally formed somewhere has a higher probability of ties to them later on. Being intelligence services this might be even more true.

In today's political climate where people around the world see Israel judging (and sentencing, and carrying out the punishment) every Palestinian as terrorists, I think this wide brush of judging Israelis on their ties with the IDF is probably widely accepted as "only fair". When it comes to Unit 8200 the implications are even stronger.

But I don't get the US public school system reference. You have to start with a baseline and if you see a private Ivy League school on someone's CV and a random public school on someone else's I'm sure you'll probably make the obvious assumption about which one is better, even if sometimes the obvious is wrong.

Cover to do what? Insert malicious code and hope no one else notices? Or coerce everyone in the company to look the other way?

If an intelligence agency wants to compromise a service, they have much more discreet, powerful, and deniable ways to accomplish this.

>Teddy Sagi had connections with the Israeli military intelligence sphere

Does this mean much given that israel has mandatory military service? Unlike in the US where you have to make a conscious choice (eg. patriotism or desperation) to join the CIA/NSA/military, that's not really the case in israel. "has ties to unit 8200" might as well mean "has ties to stanford/MIT/caltech" or "has ties to big tech".

If I was running an intelligence agency and was given my choice of conscripts,

I wouldn't hand my intelligence secrets to people who resented being forced to be there; or to mouthy people I thought might blab about it after the end of their service; or to people with an anti-authority streak or at risk of a Snowden-style attack of conscience about civil liberties.

I would select for people with a deep love of their country; and a sense of loyalty that would extend well beyond the end of their service. The rest I'd send elsewhere - plenty of other units need tech folks, that drone/radio/printer isn't going to fix itself.

On the other hand, if as an aspiring software engineer I was forced to do military service and had the option to do it as part of a military cybersecurity unit, I'd pick that over running around with weapons without blinking an eye.

> I wouldn't hand my intelligence secrets to people who resented being forced to be there; or to mouthy people I thought might blab about it after the end of their service; or to people with an anti-authority streak or at risk of a Snowden-style attack of conscience about civil liberties.

Well, I know people there from all groups you mentioned. Especially the "resented being forced to be there", which is very common in all parts of the army, with people counting down the days until their 2-3 years are over. It didn't feel like the unit selected against this, choosing to accept it because of the technical skills of who they accepted.

(And yes, this is a new account. I've been on Hacker News for years, this is just for privacy reasons.)

Unit 8200 is a cyberwarfare and spy unit. They were responsible for the Lebanon pager supply chain terror attack. I definitely want to know if they are involved with any tech I'm using so I can avoid it.

I don't see how that addresses my point that enlistment is mandatory in israel. You can make similar claims about other israeli military units. If anything, given the current war in Gaza whatever the other IDF branches/units are doing are probably worse than hacking a few phones.

Unit 8200 is part of the IDF and contributing to those war crimes. I as a consumer only need to consider my own risk profile, not the politics of an entity that's committing acts I consider to be terrorism.

[flagged]

> I definitely want to know if they are involved with any tech I'm using so I can avoid it

Are you going to stop using Linux because the NSA is a major code contributor?

Huawei is too, and they were founded by a guy from the PLA.

Linux is not operated by NSA and is open for inspection. Can you say the same about VPN services in question?

It would be naive to think Huawei is isn’t influenced by CCP, specially if it is found, by presumably someone from PLA intelligence unit by your suggestion.

this is not a helpful argument. this isn't about not using Israeli OSS software but services that feed data into the surveillance grid of quasi rogue state.

[flagged]

yes. they are involved in tech that you are using. they are working in apple, google, microsoft, nvidia, intel, amd, arm, qualcomm, cisco, etc that have presence in Israel and even expand it.

https://www.timesofisrael.com/nvidia-plans-to-boost-presence...

Talking about the breath of which Israel has compromised our technology is actually helping to make my point. They're operating a comprehensive surveillance network and have the ability to literally plant explosives in our consumer devices.

[flagged]

https://en.wikipedia.org/wiki/2024_Lebanon_electronic_device...

> the attack killed 42 people, including 12 civilians, and injured 4,000 civilians

[flagged]

[flagged]

A better analogy would be: would you use Nazi technology? There were roughly 8.5 million Nazis.

No, a better analogy would be Germany. You can't count the entirety of Israel on one hand and ~10% of 1940s Germany on the other.

But that's beside the point and still doesn't match what you said, as you considered any company with an Israeli employee to be compromised, essentially.

Do you consider companies with Chinese employees just as "compromised"? We've known of Chinese state surveillance for decades.

I don't see China as my adversary so that's not an issue for me. If anything they provide a much welcome alternative to both Israeli spy tech and US spy tech.

do you use israeli technology ? or medicine ?

I avoid it whenever possible, especially when we're talking about VPNs of all things. It's funny that you mention medicine because we all use Nazi technology and medical advancements too. Having zero ethical boundaries does indeed mean you can make technological progress.

did you switch to state of art chinese products in order to avoid using israeli tech ? or you just avoid things that you don't use anyway

This is exactly what I've done when possible. I have no problem with China.

> Does this mean much given that israel has mandatory military service?

Yes. Mandatory military service is still military service. It's still following government orders at an impressionable age in a culture that deliberately inculcates a mentality of following orders even when they go against your every human instinct. It still means working for an organisation that knows its job is killing people, even if you're not the one pulling the trigger yourself. And Israeli military intelligence specifically has a long history of keeping supposedly retired civilians on as sleeper agents who infiltrate supposedly neutral companies.

(Does that mean this guy specifically is definitely one of them? Of course not. But to anyone with reason to be using a VPN at all it's probably too much of a risk)

Kape was Crossrider which was linked to malware (per link)

https://cyberinsider.com/private-internet-access-kape-crossr...

Just cancelled my Cyberghost subscription for exactly this reason.

[flagged]

The second part of your comment seems like a non sequitur

I'm a pragmatist

Calling out Israeli conspiracy isn't Jew hating.

This is the whole issue. No one can question what Israel is doing for fear of anti semitimtism.

If everyone is "anti-semitic" then you allow real antisemitism to foster unabated.

> No one can question what Israel is doing

I literally said "it certainly should be allowed"

but it goes both ways. no one can question what Jew haters are doing for fear of anti-anti-semitism. If no one is a "Jew hater" then you allow real antisemitism to foster unabated.

[flagged]

[flagged]

[flagged]

I specifically put the OP in the second-chance pool (https://news.ycombinator.com/item?id=26998308), which is why it got re-upped (https://hnrankings.info/45469376/). Rather an odd way to suppress discussion, no?

The post is not about Israel but the comment is about Israel. Comments and posts about Israel are typically flagged to death very quickly.

That comment is https://news.ycombinator.com/item?id=45496427 (same subthread as this). Anyone can look and see that it's a counterexample.

Similarly: https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

We do see your comments, you know?

https://news.ycombinator.com/item?id=45476243

etc etc etc etc.

As you yourself put it there, you are happy to have moderation abuse pointed out but when I do, you just ban me.

Such a wasted potential and time to move on.

We don't ban people for criticizing moderation. It's common, though, for people to make grand claims about being banned for that reason, when in fact we banned them for breaking the site guidelines or otherwise abusing the site.

Since your account isn't banned, you must be talking about a different account. Why not link to it so readers can make up their own minds?

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

Israeli crypto ag

I liked Express VPN

[flagged]

https://hn.algolia.com/?dateRange=all&page=0&prefix=true&que...

https://news.ycombinator.com/item?id=45496427

I think VPNs are one of the clearest cases of tech/politics intersection, it's not just OT for tech but also for hacker culture.

What do you think @dang ?

If you’re worried about your VPN provider but you can trust your VPS provider, try an SSH Tunnel.

https://joeldare.com/ssh-tunnels-my-vpn-alternative-for-priv...

This is the way: SOCKS5 via SSH

You do need some minimal technical understanding and some scripting.

Pick any cloud provider that can give you a VM with SSH access.

Read up on doing this on your local device or another device on your LAN:

    ssh -NT -g -D 10001 -o UserKnownHostsFile=/dev/null -o ConnectTimeout=5 -i your_ssh_private_key your_cloud_login@any_cloud_provider_ip

Now read up on how your browser points to a SOCKS5 proxy. For Firefox, I create a separate profile. For chromium based, I use the command line.

You are now virtually located to whatever region you chose for your VM.

I mentioned some scripting. It's simple enough that I have a /bin/sh script to spin up the VM, set up the SSH SOCKS5 proxy, launch the browser, then spin the VM down when the browser exits.

> For Firefox, I create a separate profile.

Firefox supports per-container (and as such per-tab) SOCKS proxies, which I find really useful.

So useful, in fact, that I've come full circle and I am now running a userspace Wireguard to SOCKS proxy [1] in order to have that convenience for a VPN which does not have any host I could SSH to.

[1] https://github.com/whyvl/wireproxy

If you're using Tailscale you can install it on your Apple TV (if you also happen to have one of those devices).

Now you can use your home connection as a proxy through wireguard when traveling.

Tailscale is great, but by itself is the wrong tool for the task of routing traffic over some host only for a single browser tab (but to all destinations for that browser tab), as it seems to be "all or nothing" when it comes to using a remote exit node.

It's probably possible to set up a local SOCKS proxy that knows to use some Tailscale non-exit-node for egress, and to manually allow that traffic within Tailscale and on the remote node, but not out of the box as far as I can tell.

Installing a SOCKS proxy on the remote node, reachable only over Tailscale, would be an alternative, but that doesn't work on an Apple TV.

Major issue I faced in this method is the network egress costs the cloud providers charge. I had to remind myself not to accidentally land on YouTube or some other video streaming sites.

Are there any cloud providers who don’t charge for network egress?

> Major issue I faced in this method

Biggest issue regular user might find with this is that basically all the VPS host' IP ranges are known, and plenty of websites give you a different (worse) experience compared to when using residential addresses, or straight up block you.

Personally I found the hassle to great, compared to using existing VPN services.

Exact same experience here. In the 2010s I ran my own VPN exit node on a dirt cheap VPS so I could access streaming content in my country of birth. Worked great for years, but nowadays so many sites simply block non-residential IP ranges that I gave up ages ago now.

It's a shame because deploying WireGuard was a simple two command process: git checkout followed by a `docker compose up -d` for me etc on a fresh VPS instance.

Yes, but search for "VPS" instead of "Cloud". "Cloud" is a marketing buzzword used to make people pay 10x-500x more than they have to. Although VPS providers are catching on, and starting to label their VPS services as "cloud" now.

Many! OVH has unmetered plans, for example.

Has anyone benchmarked this against running e.g. Wireguard and how it is, performance wise? I'd expect Wireguard to be faster, but don't really know.

VPS tunnels have their place, but they have one major downside: Your outward-facing IP address will (most likely) be static. And because you are the only one using that VPS, it is easy to link your internet activity across different sites. If you want to use this method to protect your privacy, then you need to frequently discard your VPS and pick a new one.

I like to use dsvpn: https://github.com/jedisct1/dsvpn

Seems to have triggered the netsec community on reddit though.

This, and FoxyProxy for domain-based proxy settings is my go to when connecting to some websites (self-hosted bit bucket/confluence, etc) behind Corp intranet boundaries.

Thanks for the link. How does this work on the server side? It gets packets on 8080 and then what? The article needs to explain the server config, even if it is just how to install ssh-server.

I have tried setting up OpenVPN on my own VPS and I didn't get very far with it. I have also had to use OpenVPN in the day job and I much prefer just using ssh without some extravagant OpenVPN layer.

My experience of failing to configure a VPN of my own (primarily for testing GeoIP) led me to try a few VPNs and the amount of junk adverts and whatnot made me wonder if it was time to fdisk my computer and start over due to the virus-vibes I was getting from a VPN. This was in the days before VPN adverts on lame YouTube channels, so I presume the product has improved since then.

In theory, someone smarter than me can rent a VPS and get OpenVPN on there, or, better still, a remote desktop so that only the screen image goes over the internet from the VPS to the PC, X-Window style but better. This could be further obfuscated by using 443 and one's own special ROT13 'encryption'.

Presumably a skilled person that knows what they are doing could get it all setup in an hour, to write concise instructions that 'civilians' can work through in pretty much the same time.

If you were highly invested in porn, watching Netflix in foreign countries and with even worse stuff to hide, you would think that some investment in getting a proper VPN with your own VPS would be the way to go, but no. Cost isn't the problem if you are deeply into something worth hiding, so why do so few people roll their own VPN?

The reality is that the typical product is marketed with FUD and the goal is to turn you into a 'sleeping giant'. A 'sleeping giant' is a customer that has a standing order or other payment arrangement that is for a service that is not used, and for that to not be noticed on bank statements. Everyone wants you to be a 'sleeping giant', including some 'worthy' charities, dating websites and every software subscription service. They aren't using FUD marketing though.

The commercial VPNs have mastered the art of selling a product that deserves technical knowledge to understand to the masses, so you have got to respect the hustle.

VPS's that you can easily spin up for an hour or two tend to charge $$$$ for egress bandwidth, which makes them an unattractive option for streaming video over.

There are very simple options to selfhost a VPN nowadays. For example, Amnezia allows you to just type your server ssh credentials into their mobile app, and it will automatically set up AmneziaWG on your server and add it to the app. You can then create Amnezia or plain WireGuard config files from extra devices right from there.

That sounds like I'm putting a lot of trust in an app. Also giving it control over my server, which I guess is not a big deal if the server is a disposable VPS

It's all open source though, so you can verify the scripts it's using, which are all here

https://github.com/amnezia-vpn/amnezia-client/tree/dev/clien...

But even without that, there are solutions like wg-easy that let you spin up a WireGuard server with a single Docker container

it's very easy to setup your own VPN on your own server. I'm using AWS Lightsail because of virtually unlimited bandwidth and the locations I like, but any VPS would work well. I used to have my own scripts but I found this lately which is doing this much better than what I was doing https://github.com/angristan/wireguard-install

The only advantage of professional VPN is the ability to use obfuscation, so to bypass VPN restrictions in countries like Egypt or others.

That is brilliant, many thanks for that and the Lightsail suggestion. Now I just need a legitimate use case, which will probably be a locked down origin server with even more security than what I had before with ssh things.

I too recently tried to set up OpenVPN on a VPS and it was a huge pain in the @ss, even while following a (very long) tutorial. If I figure out an easier way to do this I'll message you in this thread

OpenVPN is just really complicated, which makes sense because of the context and history. But even me who've done plenty of OpenVPN setups through the years, found Wireguard a lot simpler and easier to both learn and use effectively. So if you haven't tried Wireguard, give it a go, the simplicity is pretty nice.

Note: Wireguard is good because it's simple. It makes point-to-point tunnels, it does that well, and that's all it does. You're on your own for the rest.

> British-Israeli security software company Kape Technologies

That doesn't sound good for privacy.

I only ever use a VPN to access region blocked content and the occasional "linux iso" torrent..I tried Mullvad first, but they just don't play the game of cat and mouse with the streaming providers and all their IPs are pretty much blocked. I have about a 95% success rate with NordVPN (except for Amazon Prime video which have some sort of wizardry and always are able to detect VPNs).

It's a shame because Mullvad has a deal with Tailscale where you can sign up for Mullvad through Tailscale and use any of their servers as a Tailscale exit node. It's super slick and nice since Tailscale has really decent apps for nearly everything (even Apple TV, etc) and I already have a decently sized Tailnet of all my devices / ssh accessible things.

I use ProtonVPN for bypassing media geoblocking, and they're fairly good, with some exceptions (BBC iPlayer works via browser but not the Apple TV app, local IPTV doesn't work on any Proton local servers).

They have an Apple TV app so I just switch it on as needed, and it's restricted to just that Apple TV. (Without having to fiddle with a separate WiFi network etc.) IKEv2, OpenVPN and Wireguard work without their apps so I don't have to install their apps on non-sandboxed platforms (Windows, macOS).

But you can connect any machine to any vpn and have it be a tailscale exit node?

Well, yes, but being able to designate a VPN node as a Tailscale exit node directly means you don't need a random server in the middle for it. (Which is beneficial if you use it as an exit node for road warrior devices)

You can, but the issue is usability..when I'm watching TV, I want to just be able to flip open an app and say "I'm in London!" and watch BBC, then the same for Canada and etc. I don't want to be fiddling with a VPN and switching routes on some separate device / switching the entire wifi network or etc.

VPNs will become illegal or backdoored, because privacy is becoming illegal.

This is not really a technology problem, it's a social and legislative one. Many of us are afraid of (other people's) privacy, so we vote for legislators that will make it illegal. The legislators stoke this fear of privacy because they want an excuse to deepen their control of discourse, and their own citizens.

So really, everybody wins!

Is there any other real world usecases for VPN nowadays other than:

1. Getting access to geolocked data

2. Torrenting "Linux ISOs"

?

In Germany (and probably in the UK too), you now have to be very careful about what you write online. There is actually a section 188 that makes insulting, defaming, or slandering people in political life a criminal offense. You can now face heavy fines for minor insults (“idiot”) or even have your home searched. A VPN can be useful here.

If anyone wants some background info on the "idiot" comment:

A Bavarian man captioned an image of Robert Habeck (the vice chancellor of Germany at the time) with "Schwachkopf Professional" - "Professional Idiot". It was styled after the Schwarzkopf ad campaign. For this, Habeck filed a criminal complaint "to stop hate crime" against the man and the man's apartment was searched by the police and a tablet confiscated. Oh, and he was arrested over it as well. [0]

(The man was also accused of posting some nazi imagery earlier in the year, but the order to search his house seems to be related only to the insult. [1])

Imagine if you could be arrested for calling your (vice) president an idiot.

[0] https://www.dw.com/en/germany-greens-habeck-presses-charges-...

[1] https://www.tagesspiegel.de/politik/falschaussage-im-fall-sc... (it's in German)

You don't treasure your freedom of speech until you lose it.

> Imagine if you could be arrested for calling your (vice) president an idiot.

You must not set foot in the USA, India, China, et cetera, then.

Imagine you say? Getting arrested might be the least of your worries in today's world if you decide to call a president (or the immediate underling) an idiot in many countries :D

What idiot signed that bullshit into law?

That law has existed since 1951 and is based on an executive order from 1931 by Hindenburg.

This is actually not uncommon in most of the world. American 1A is actually an extremely novel concept most other countries still haven't caught up on.

American 1A is as strong as it's proving to be right now and increasingly proving to be stronger and stronger by the day, since January this year!

Many other countries have protections like that, "on paper" (!!!) - but the point is in how it is used or misused, or rather completely ignored - directly or indirectly, like in the USA currently and many other countries in the world.

Novel in what sense? Are you familiar with the hisory of free speech in e.g. the UK, Sweden, and France?

The UK, where the government has literally smashed printing presses in the newspaper age when magazines were thought to be publishing embarrassing news about the Crown? Where the government's legal authority to do so is still intact? That UK?

3. Avoiding government-mandated record keeping by ISPs in a country like the UK, where all ISPs have to keep a year of your browsing history and it can be accessed warrant free by 17 different agencies(including DEFRA, the agriculture agency).

And yes, I'm aware that you're most likely trading one surveilence for another - but honestly at this point I'd much rather trust my paid VPN provider with my browsing data than my ISP and ultimately the government.

Given that most of the web has TLS and you can easily do DNS over TLS - that's very very high level metadata, where I personally just don't see much ROI vs to giving that metadata to random company with no regulations whatsoever.

Many TLS deployments still leak the hostname in plain text as part of SNI

> but honestly at this point I'd much rather trust my paid VPN provider with my browsing data than my ISP and ultimately the government.

Your ISP will need to comply with local laws and regulations, and you'll have some recourse if broken. A third-party VPN operating in an overseas jurisdiction could be doing anything with your data.

Unless it's selling the data back to my own government, I'd rather a foreign commercial VPN provider have that information rather than my own domestic ISP or my own domestic government.

My government can do parallel construction, can send teams of armed gunmen to my house, and otherwise find far more methods to persecute me than the intelligence services of Russia or China can.

Being innocent of any kind of crime does not necessarily remove one from the crosshairs of law enforcement organizations, particularly the FBI, who have an extensive, well-documented history of violating citizens' constitutional rights, conducting partisan witch hunts against political opponents, being a lawless menace to civil rights activists, anti-war activists, gay rights activists, both pro-abortion and anti-abortion activists, and is probably busy right now planning on being a menace to trans inclusivity activists.

There is no such thing as a friendly government, but I'd much rather have my data in the hands of a government 10,000 miles away than in the hands of my own government. My own government hunts, injures, stalks, harasses, socially ostracizes, and even kills my fellow citizens far more than any foreign government ever has.

> Your ISP will need to comply with local laws and regulations,

I think you've managed to exactly describe the problem with them, and yet you phrase it as a positive.

The original use for a VPN - getting access to private resources - is still very much in play.

I don't just mean being able to access some private web interface you have on a private server in your at home, I mean connecting a satellite office to the main corporate office.

But for all of these consumer marketed VPNs, I think your list has 90%+ covered...

Interesting that we use the same word to describe both technologies, but semantically and technically they are very different.

Perhaps we use the same word to describe them because initially they did use the same technologies, but they have branched out ever since? Maybe IPSec would be a common tech used. But the algorithms are not the same anymore since they serve different purposes (Personal privacy vs corporate/sysadmin security)

In the corporate world VPNs were usually a lower level abstraction security mechanism or a redundant security mechanism to either complement application layer_security, or to hot-patch modern security unto legacy LAN systems. VPN encryption is usually provided by the local router. Common algorithms are IPSec/IKev2.

In the personal privacy world, we are talking about a proxy that hides identification such as IP addresses, and pools connections to provide privacy. The actual encryption is not the main security mechanism even, as it only covers the transit between consumer to proxy, leaving (a potentially longer transit) between the proxy to the actual destination.

In terms of purpose and architecture it's closer to bitcoin tumblers, or Tor or Freenet, or money laundering placement. The fact that they call it VPNs seems to me more of a marketing scheme or political play to avoid association with all of the above, than an actual technical or academical description. If someone were to analyse these technologies, I'm sure a neutral or critical approach would avoid uncritically calling them VPNs in the same way that research is published not about Viagra, but on Sildenafil.

> Interesting that we use the same word to describe both technologies, but semantically and technically they are very different.

That's where my head was at. When i hear my colleagues talk about a VPN, i'm thinking about an IPSEC tunnel and an afternoon of swearing at ios on some outdated ASA. When I hear regular people talking about a VPN, my mind immediately goes to "oh, so you want to watch rick and morty on netflix and don't know anybody hosting a jellyfin/plex server".

When do we coin a new term? Or do we? Does "vpn" turn into a word like "truck" where it's only the context that tells you if we're talking about a 2 axle pickup truck in a home depot parking lot or something pulling a 40ft container unit?

How do authoritarian regimes differentiate business and consumer network traffic, for the purpose of inspection and decryption, censorship of specific content, or blocking of specific protocols? This also overlaps with net neutrality and dump pipes vs. content-centric metering.

Company VPN most likely goes to set IP address associated with a business. And this is most likely a rather static thing. So tracking data going there is most likely legitimate. And well on other side they can make whatever comes out from business IP a problem for business.

As you've written, the proxy services are called VPN because they used the same technology, e.g. OpenVPN.

"Crypto" in the 90s meant secret keys and message encryption, nowadays it's the term for the numerous ponzi scheme "investments"...

A ton of ISPs use deep packet inspection for various kinds of filtering (and other shenanigans). When they get it wrong it manifests to the user as certain websites or access patterns being inaccessible and the ISPs customer support agreeing that you should have access and being able to do fuck all to fix it. A VPN in the middle usually solves the issue.

Wait, I think an ISP cannot inspect the content of packets that are encrypted, say, with HTTPs. In order to inspect TLS encrypted packets you need access to the end-device, controlling the end-router is not sufficient since you would not have access to the device certificates.

If you can prove that an ISP can inspect packets, it would be major news.

You don't need fully broken encryption to gain useful information. Knowing how much data is transferred, to which servers, and when (especially with details like how various endpoints will inadvertently chunk up HTTPS requests based on the details about the content or how interactive sessions will have certain back-and-forth transmit patterns) is sufficent to generate a traffic "fingerprint" which you can correlate to other users, to automated traces crawling those same servers, and otherwise get a very good sense of what a user is up to online even above and beyond just knowing which IP is being queried.

Toss that into any sort of "anomaly detection" or other such nonsense, and it's easy to create rare edge cases at an ISP level.

It's somewhat analogous to how you can sometimes "reverse" hashes like SHA256. E.g., suppose the thing you're hashing is an IPV4 address. There are only 4 billion of those, so a pre-image attack just iterating through all of them and checking the forward direction of the hash is extremely effective. TLS makes that a little more complicated since the content itself is actually hidden, but time and space side-channels give you a lot of stochastic information. You might not be able to deduce somebody's bank password, but you can probably figure out where in the bank's login flow they are and approximately what they did once they logged in.

It may have been fixed since, but I saw a decent talk about this (defcon, IIRC) using Tinder as an example.

Using timing, amounts of data, and what was being connected to, you could recreate what someone was looking at and swiping direction. (left/right sent different amounts of data)

ip addresses are not encrypted, they are part of the header, not the body. The mailman needs to know the address.

Yes. What I'm saying is that the pattern of data entering the mailbox lets you infer more about the contents than just the sender, especially when you can pattern match against known behavior for that sender.

They may not need the contents, seeing you're connecting to a netflix IP and having a lot of data transfer may be a good reason to throttle, for example.

Are you confusing DPI with MITM or something?

DPI does not require any decryption of payload. Even cheap consumer devices can perform DPI on encrypted traffic. ISPs absolutely use DPI as a part of standard practice, and have been for decades. It is a basic network traffic management tool.

* Russia

* Kazakhstan

* China

* Belarus

* Iran

* Mayanmar

- list of countries that are known or suspected to MITM traffic, including SSL

how so they supposedly do it?

SSL certificates have a centralized hierarchy. Many browsers trust a long list of root certificate authorities from multiple countries.

https://cyberscoop.com/russia-tls-security-certificate-autho...

https://jpgamboa.com/china-ssl-authority-revoked-by-browsers...

Do some countries force the browser companies to add their root cert, despite abuse?

I imagine so. I understand that Opera GX, for example, provides a specialized version to Russian IPs that locks down the search engines that can be used.

There are always rumours. And some countries simply openly require computers sold in their country to have their root cert.

Including the US right? And I don't mean in a conspiratorial sense. Just in the sense that they wouldn't deny it because it's their home country (Say Windows certs or Google certs), and at the very least they can issue warrants, gag orders, or triple letter agency bypasses.

Now it only sounds weird when a country exherts their national sovereignity because the US doesn't need to perform any additional steps to install any of their Certs, they have hundreds of them by design.

> Including the US right? And I don't mean in a conspiratorial sense. Just in the sense that they wouldn't deny it because it's their home country (Say Windows certs or Google certs), and at the very least they can issue warrants, gag orders, or triple letter agency bypasses.

Yeah. I don't think the US explicitly requires it but they don't have to, there are more than enough US-based entities with root certificates who they could send a National Security Letter to if they ever wanted one. (Also the US FKPI root certificate is at least shipped by some vendors, although it seems to be disabled by default)

is there oss that will scour and identify iffy certs on a box?

One attempt I know of: https://en.wikipedia.org/wiki/Kazakhstan_man-in-the-middle_a... There might be others.

Accessing services from the UK without handing over your personal ID to a service that will inevitably get hacked.

This happened to discord literally a few days ago.

"Hacked" will be "left the data on a public S3 bucket until someone noticed" or similar.

Underrated comment. And why do we need to justify privacy? Justify our non-privacy!

Australian ISPs are legally required to retain metadata for two years.

That's one of the best reasons to use a VPN if you're in Australia. Give up as little as possible.

I have found, however, lots of sites block or Captcha-restrict IP addresses that are (somehow determined as) non-residential, and Netflix restricts its content as well.

Won't TOR browser block metadata collection?

Probably, yes. TOR can be problematic for other reasons, primarily that it can be significantly slower than 'clear' internet or VPN-internet.

It's all a game of who do you trust most / least versus convenience in the end.

> Getting access to geolocked data

I use VPNs when I'm trying to ferret out the scope of an outage. I have VPN servers on local ISP which moves me around different routing. I use a commercial service to move me further out and to other countries.

So you are doing a manual version of what uptime monitors do.

Sort of. I suppose the difference is that I don't need to know in advance where the fault is. ex: An upstream, 3rd party service provider appears offline.

3. Creating multiple accounts with platforms to break their ToS without getting chainbanned.

4. Perform DDoS

5. brute force passwords

6. try out leaked passwords

7. exploit vulns.

8. CSAM

9. Phish

10. Spam

11. Evade taxes with crypto

12. Sell drugs

13. Terrorism

Lots of malicious uses for VPNs, or was your question about legitimate usecases? In which case:

14. Sending emails about cryptography

15. Pornography

16. activism

17. Journalism/Whistleblowing

18. Military

Although some of the legitimate/ilegitimate categories might be subjective, which is precisely why it's a grey legal area at all.

One others seem to have missed 3. ad blocking on your phone away from home. Almost all VPNs have a block ads / known malicious traffic function. This can be done with just a DNS but often mobile carriers will block using your own DNS.

3. When you know/suspect your ISP is more shady than the VPN you're using. This applies particularly when you're doing something your government doesn't like.

VPNs don't increase privacy, they just change who has the opportunity to spy on your traffic. Sometimes, it's much better if it's some foreign random ISP instead of your local government, who can send law enforcement agents where you live.

It's probably more that a lot of people have been convinced that they need a VPN, but they don't. There are use cases, like I trust Mullvad more than I trust some random hotels WiFi. When traveling it can provide a slightly higher base layer of trust.

If you live in a country that restricts your internet access, which to be fair is most these days, a VPN can help. Most of us just don't care about those restrictions or they are more easily circumvented using a 3rd. party DNS. Also if you're in country like Iran or Russia, you really need to trust your VPN provider and strange corporate structures and staff sharing really isn't helping in that respect.

For the average person, no you don't need a VPN. You might need one for a few days or week per year, if you travel and need to access your bank or corporate infrastructure (in that case your employer most likely have their own VPN). VPNs are a niche business, but online influencers have convinced a lot of people that they need a VPN for everything, which simply isn't the case for the vast majority of us.

> I trust Mullvad more than I trust some random hotels WiFi

For what exactly? All sites are HTTPS now anyway, so the only thing you're leaking is the hostnames / IPs you visit. I don't exactly see how the whole "hotel WIFI" thing is relevant at all, except as a dishonest marketing strategy by VPN salesmen

...and the IPs you connect from, which tend to correlate with where you live, work, and so on.

You connect to hotel WIFI from home and work?

I plead the fifth.

3. Not revealing your IP/location with every outgoing web request.

Another one is getting around content filters / service-specific throttling (think college dorms and campuses, hotels, public hotspots etc).

3. Hosting websites with DDNS (though the abuse from that caused Mullvad and IVPN to drop port forwarding)

4. Though it hurts anonymity, and is relatively rare: I2P or Hyphanet, because some websites block known P2P nodes[1]. Important if your bank or work is being a jerk about it.

5. As ThatMedicIsASpy notes, ISP issues: some routers soil the bed from P2P, some ISP's throttle P2P traffic regardless of legality, etc.

[1] https://old.reddit.com/r/i2p/comments/tc3bhs/is_anybody_else...

Those two are pretty big already to be honest. I guess a third one would be avoiding eavesdropping on public wi-fis.

With TLS being everywhere, and just few clicks away from having DNS over TLS, I really don't get eavesdropping on public wifi prop value.

1. example.com is not on the HSTS preload list

2. Because you normally visit example.com using an incognito window, your browser hasn't cached the redirect to SSL, or the address bar suggestion, and you haven't bookmarked the site.

3. You key in example.com, the browser connects over http, and the evil wifi MITMs your unencrypted connection - removing the redirect to SSL and messing with the page however the evildoer wants.

Obviously a VPN provider can also do this, but you might hope they're less likely to.

"Obviously a VPN provider can also do this, but you might hope they're less likely to."

So you have identified some marginal privacy issue, and have identified that a VPN doesn't solve it, but rather that it moves the risk to a third party actor you subjectively feel is better. Well I feel that, subjectively, introducing a third party generally decreases security.

I believe that not all privacy and security considerations can or should be solved technically, but rather we have extra-technical mechanisms like law and social norms that provide some protection on the edge cases. For example, an employee cannot lookup information for personal reasons on a system they are entrusted to in a professional capacity. I'm no expert, but you probably have first laws that prohibit that, second corporate policy that prohibits that, and thirdly social pressure that prohibits that to some extent. Are they perfect? Not necessarily which is why for the most part we rely on technical encryption and security mechanisms.

But at some point these examples become so contrived and the medicine becomes the poison, so you enter into territory that is pretty standard in other industries, what's to stop a waiter from spitting into a cup? There's no spit filter in place of McDonalds, there's other mechanisms protecting us.

On a similar note, logic and debate is not the only way to convey this phenomenon, so here's some more artistic retort to privacy schizophrenia.

https://www.youtube.com/watch?v=jf9I04Oa-hU

Using a VPN means you have to trust one company instead of every wifi you connect to, and also makes that an entity that's an expert at privacy instead of working off a half-forgotten router in the back.

How is any of this "medicine becoming the poison" or "schizophrenic"?

No, you have to trust the one company, as well as everyone you were trusting before. You are still using the router, and now you are also trusting the VPN provider, as well as the nodes in between the VPN provider and your original destination.

Also, you are just switching up the "unprotected stretch" between your local wifi, and, say, Google's servers, whereas now that "unprotected stretch" lies between the VPN provider servers in Latvia or British Virgin Islands or Panama, or whatever dubious jurisdiction, and, say, Google. Sure, you added a layer of protection against the random hacker sitting in your Starbucks, but you have added many more vectors.

It becomes the poison because the solution you are introducing brings more issues. And it's schizophrenic because the issue to begin with, was minuscule (a hacker stepping into MacDonalds, breaking the network encryption and then also the application encryption.

Maybe if this were 2010 and websites still used HTTP, or you are using a local email client without TLS configured. But it's 2025, everything has HTTPs and you are using an HTTPs email client.

VPNs to protect corporate networks is sensible. Consumer VPNs are a different thing entirely and they do not provide increased security at best, decrease security at worst, and usually cater to schizoid threat models, where the threat actor is the state, rather than more realistic threat scenarios.

> No, you have to trust the one company, as well as everyone you were trusting before. You are still using the router, and now you are also trusting the VPN provider, as well as the nodes in between the VPN provider and your original destination.

As long as the VPN is up, the worst the wifi can do is cut you off. It can't alter your connections.

It's far fewer trust points.

> Also, you are just switching up the "unprotected stretch" between your local wifi, and, say, Google's servers, whereas now that "unprotected stretch" lies between the VPN provider servers in Latvia or British Virgin Islands or Panama, or whatever dubious jurisdiction, and, say, Google. Sure, you added a layer of protection against the random hacker sitting in your Starbucks, but you have added many more vectors.

When I use a VPN for protection, the server is in the US too.

And if it's for netflix I'm going to some major country, not dubious-land.

(Also I'd say datacenter and internet core routers are less likely to attack some random person's traffic, but that's not core to my argument.)

> It becomes the poison because the solution you are introducing brings more issues. And it's schizophrenic because the issue to begin with, was minuscule (a hacker stepping into MacDonalds, breaking the network encryption and then also the application encryption.

For most wifi networks, there is no encryption between users. And it's quite likely that the neglected router got hacked over the internet and is part of a botnet.

> Maybe if this were 2010 and websites still used HTTP, or you are using a local email client without TLS configured. But it's 2025, everything has HTTPs and you are using an HTTPs email client.

Until you type in a URL and HSTS isn't set.

>For most wifi networks, there is no encryption between users. And it's quite likely that the neglected router got hacked over the internet and is part of a botnet.

WPA2? Sure it can be broken, but you still would have to break HTTPS on top of that.

I don't deny that a third layer adds security in that scenario, as 3 layers is more than 2 layers. But you necessarily weaken some other stretch in a zero-sum fashion, as mentioned. I'll concede that the server can be in your own country if you so choose to. But these datacenters are not necessarily controlled by the VPN provider, and they may be highly heterogeneous, in addition there will be many routers in the VPN DC to destination stretch that can still be hacked. Although again I'll grant that endpoint routers are probably weaker targets than ISP routers.

> WPA2? Sure it can be broken, but you still would have to break HTTPS on top of that.

If you're on a WPA2 network you just have to observe a device connecting and you can crack their session key. It's very easy. Not that you need to do that, you could ARP spoof. Or the router could be hacked.

And you don't have to break HTTPS to have a good chance of attacking someone. There's enough HTTP around.

So it's easy to fall through both of those layers.

If you're on a WPA2 network you just have to observe a device connecting and you can crack their session key. It's very easy.

Is it that easy? I'm not sure if you are a genius hacker or just somewhat misinformed.

My understanding was that observing the initial connection is a requirement for the typical exploit. The attack itself is considerably more complex. Additionally WPA2 is a sort of envelope protocol, the actual encryption cipher can vary and so will the attacks.

I'm not an expert, but I looked into this stuff 7 years ago when I was broke, and I apt installed aircrack-ng from a starbucks so I could try siphoning off my neighbour's wifi, I wasn't able to. Skill Issue sure, but it wasn't as trivial as "just observing a device connecting".

I personally don't see much HTTP, I think a more reasonable attack would be hoping that the user clicks on "continue anyway" whenever a TLS error pops up.

On another note, this would relate to local attackers only right? If a router has been pwned remotely, it wouldn't matter whether the last mile is a twisted pair or air.

https://textbook.cs161.org/network/wpa.html

> In the WPA2 handshake, everything except the GTK is sent unencrypted. Recall that the PTK is derived with the two nonces, the PSK, and the MAC addresses of both the access point and the client. This means that an on-path attacker who eavesdrops on the entire handshake can learn the nonces and the MAC addresses. If the attacker is part of the WiFi network (i.e. they know the WiFi password and generated the PSK), then they know everything necessary to derive the PTK. This attacker can decrypt all messages and eavesdrop on communications, and encrypt and inject messages.

No genius hacker, no misinformation. WPA2 in the normal password mode does not protect clients from each other. It's not part of the design.

https://wiki.wireshark.org/HowToDecrypt802.11

Here's a page about how you can use wireshark to decrypt WPA2 if you capture the handshake, but you can't do it on WPA3. (Also it's not hard to force new handshakes.)

> I'm not an expert, but I looked into this stuff 7 years ago when I was broke, and I apt installed aircrack-ng from a starbucks so I could try siphoning off my neighbour's wifi, I wasn't able to. Skill Issue sure, but it wasn't as trivial as "just observing a device connecting".

Trying to get a password is a completely different thing from trying to attack someone else on the same network as you. You did not fulfill the "If you're on a WPA2 network" part of the sentence.

There was a password-finding attack called KRACK that came out in 2017 but it's fussy and there are ways to defend against it. And you can still brute force WPS sometimes but I guess their device didn't allow it.

> On another note, this would relate to local attackers only right? If a router has been pwned remotely, it wouldn't matter whether the last mile is a twisted pair or air.

Yes, "someone sharing the network" and "hacked router" are two different ways you could be attacked.

> If an attacker knows the WPA2 password, they can intercept traffic.

Oh yes, of course, this is not unlike the capacity of computers in my LAN being able to see my packets, for example if my roommate was a hacker, they would be able to intercept packets while on their way to the router.

Now an interesting thing I've seen in public networks like say Starbucks or McDonalds, they usually don't rely on WPA2 password default security mechanism. I'm not sure what mechanism they use, but they have me log through a browser first.

It's like your roommate being able to splice into your cable without touching it, which seems to me silly to allow, but basically yeah.

WPA3 uses a better calculation where listening in doesn't tell you the key.

I'm not 100% sure, but I don't think splicing the cable is necessary, you can capture broadcast packets and advertise as having a local ip address and capture the packets, whether in a LAN (a residence connected to the same router as the target.) or a WAN (Reading your neighbour's packets).

At least from a blue team perspective that's what I assume can happen. The power lines outside my home have the network cables all spliced together anyways, it's not like you'd have to make a new connection.

You connect to an access point, and your browser/OS tries to open one of http://detectportal.firefox.com/canonical.html, http://www.msftconnecttest.com/connecttest.txt, http://connectivitycheck.gstatic.com/generate_204, https://captive.apple.com/hotspot-detect.html and loads/displays whatever unencrypted web page is served.

Getting someone to open an unencrypted webpage is almost trivial. It's often one of the only web pages you can open on a device.

The problem isn't getting you to open a page, it's putting that page behind a known legitimate URL.

Will Chromium generate a "Your connection is not private" warning in this scenario, that the user has to click through to proceed? And the user would have to type example.com in the browser bar; https://example.com would also trigger a warning, correct?

VPN unifies all destination IPs to server.ip.addr.ess. IP reverse lookups tells some stories if you are to be so paranoid

Additionally, if ConsumerVPNs provide encryption, don't they provide encryption from the stretch between the consumer to the proxy? The stretch between the proxy to the destination would not have additional encryption, and there is no reason to believe that the second transit would be shorter.

TLS doesn't hide which websites (hostnames) you visit

It does if you do DNS over TLS or HTTPS, although I guess that information would still be knowable to your DNS provider if they terminate your TLS behind the scenes

Not quite. In order to make TLS certs work on a per-site basis, requests sent over HTTPS also include a virtual host indicator in cleartext that shows the hostname of the site you’re trying to connect to, so if the IP on the other end is hosting multiple domains it can find the right cert. For this reason some people feel that DNS over TLS is pretty pointless as a privacy measure.

SNI leakage is what encrypted client hello (ECH) tries to solve: https://blog.cloudflare.com/announcing-encrypted-client-hell...

It's still not perfect since you're still leaking information about the privacy set implied by the outer ClientHello, but this possibly isn't much worse than the destination IP address you're leaking anyway.

I think this is only true if SNI is disabled. Otherwise you really only get the IP of SRC and DEST.

SNI relies on the client specifying the host name in the unencrypted ClientHello message that initiates a TLS handshake. Encrypted Client Hello involves extra configuration that most websites don't implement.

Which is more likely, your barista collecting this data for nefarious purposes, or your ISP?

Or that dude in the black hoodie in the corner who always seems to be camped at whatever cafe you and your cow orkers are using as your startup "office"?

I VPN into my home network for added privacy in public wifis, and to access private services.

I work from home and use a VPN service to get a bunch of IP:s I can easily switch between.

Recently a SaaS supplier blocked my IP because I was logging in programmatically every thirty seconds to collect data on batch processing in a customer project, basically two HTTP requests to get an access key and then the data, and I was lazy so I just put those in a script and dumped the second response to a log file and put that in a scheduler. Turned out that another customer of the SaaS supplier somehow could see the traffic on my customer's SaaS instance and panicked because in their mind it was obviously the russians attacking or something, and when they brought this to the supplier they also panicked.

So to keep doing this I had to move over to checking whether the previous access key was still valid and reuse it if so, as well as moving my 'location' to another country. Apparently this is fine but logging in two times a minute is not. It also happens that I need to do research on network services and cloud environments, where having the ability to just hit a couple of terminal incantations to switch 'where' I am helps out quite a bit sometimes.

> another customer of the SaaS supplier somehow could see the traffic on my customer's SaaS instance

Is this common?

I'm not sure, but it definitely shouldn't be.

It was surprising in a way I don't hesitate to call bad, but this supplier is an enterprise style organisation so of course they've only ranted at me and don't plan to alter their infrastructure.

ISPs bad routing and peering

Protection from IP tracking, especially if your ISP doesn't do CGNAT. Of course there's a trade-off here between

a) your ISP (who knows your billing information) knowing which sites you visit, and any site you visit can correlate internet activity back to your household

b) your VPN provider knowing all the sites you visit

CGNAT won't save you in a world where everything is fingerprinted to within an inch of it's life.

But a VPN, commercial or self-hosed, also won't stop fingerprinting. It changes your apparent IP address, but the rest of the characteristics of your device and browser stay the same.

3. Watching porn without your ISP knowing you are into furry sharks wearing banana costumes

Free wifi hotspots

Nowadays most traffic is tls encrypted, but there are still metadata that can be collected.

>but there are still metadata that can be collected.

That logic is questionable given how poorly "spying on public wifi users" scales. You either need to put a bunch of eavesdropping radios in a bunch of public places or somehow convince a bunch of small businesses to use your "free wifi" solution. Even if you do have access, it's hard to monetize the data, given that nearly every device does MAC randomization (so you can't track across different SSIDs) and iOS/windows rotates mac addresses for open/public networks. OTOH setting up metadata capture on a commercial VPN service is pretty straightforward, because you control all the servers.

Doesn't pretty much every Starbucks location in the United States use a nationwide provider?

Despite the randomized Mac address, you can still fingerprint devices using all the usual tricks when they connect to the authentication and authorization page before you allow them to access the broader internet.

If the receipt had a passcode on it, you've got a link between all of your browser fingerprint, radio fingerprint and payment detail fingerprint and possibly customer loyalty provided at time of payment.

>Despite the randomized Mac address, you can still fingerprint devices using all the usual tricks when they connect to the authentication and authorization page before you allow them to access the broader internet.

Fingerprinting is overrated given that every iPhone 17 is identical to any other iPhone 17. If you leave system settings at stock, which most people do, there's very little to fingerprint.

>Doesn't pretty much every Starbucks location in the United States use a nationwide provider?

True, although mobile data is cheap and plentiful enough that I rarely bother using wifi at cafes or fast food places. The only time I use public wifi is if I'm staying long term, which basically only encompasses trains, airports, and hotels. Those are diverse enough that it's tough to build a complete profile.

>If the receipt had a passcode on it, you've got a link between all of your browser fingerprint, radio fingerprint and payment detail fingerprint and possibly customer loyalty provided at time of payment.

I don't think I ever saw a place that was that guarded about their wifi. The closest I've seen is hotels requiring your room/last name, which would allow them to identify you, but at the same time I'm not sure how much information they can glean, other than that I'm logging into gmail or airbnb. Persistent monitoring that ISPs can do is far more useful.

> Those are diverse enough that it's tough to build a complete profile.

Debatable; i promise you that somebody out there is willing to buy the info and will attempt to combine it with $otherInfo such that it becomes valuable enough for somebody else to buy. Lots of adtech/survalence-tech operates with thin margins at _massive scale_.

> I don't think I ever saw a place that was that guarded about their wifi.

It's rare; i'd run into it only a few times a year. Typically PoS systems and WiFi are not integrated. I also haven't really been paying attention since LTE is good now :).

Testing your app/website when it has different behaviour depending on locale

Real, but pretty minimal usage.

Way too many services in Mexico only work from Mexican IPs, from paying your electricity or internet bills to topping up highway toll accounts and even ordering food from a supermarket

Access sites the government has blocked in your state/country

I would put that in the "geolocked data" category

Sharing corporate info with your employees and not everyone else. You know, the "go to work" thing some people do.

Just because something is called with the same name, doesn't mean it's the same thing. Especially if the naming is done on a product by a company that wants to sell the product, and especially if the name is not a protected trademark.

Express VPN, NordVPN and Surfshark belong to another category of software than the VPNs used by companies.

Some differences are:

1- One is used by consumers, the other is used by businesses.

2- One protects communications to a client-controlled Local area network. The other protects communications with third party services.

3- One provides encryption, the other provides anonymization.

1- If we both use a hammer, and you use it for business while I use it for DIY, the tool is still the same thing.

2- The hammer doesn't care where the nail is; local carpentry or third-party furniture still require the same tool.

3- Both sides of the VPN are encrypted to each other, and anonymous to anyone else. No difference that I can see.

I don't think it's a great metaphor.

First, a hammer is a build (compile time) tool, while VPN is a runtime tech. Closer to a nail if you will.

Additionally, millions of products use hammers, while there's two product categories that use VPNs.

The product distribution of VPN products is bimodal, there's no inbetweens it's either a privacy oriented consumer VPN, or it's a security oriented corporate product.

Regarding the specific technology, there is no technical definition of what a VPN is, it's not an industry term, it's a marketing term. Similar to "Web", it's not HTTP, it's not TCP. This is in stark contrast to Internet (as in Internet Protocol).

Related technologies are IPSec, IKev2, WireGuard, but VPN is one of those trademarkless industry buzzword terms that companies are can latch onto for free and participate of a commodity market.

On an unrelated note, this is not unlike the term AI, which can somehow apply to fake images and conversational software. And coincidentally, modern AI is also bimodal, it's either text or syntethic images, the common ancestor might have been that the textual product originally was also synthetic generated text, but with agents and text as thought (in a Sappir-Whorf fashion) have since greatly diverged.

Accessing "the internet" while visiting your family in China/Russia/Iran/Thailand/...

I use a VPN for 3 main reasons:

1) I need to come out of a particular country for some systems access. If I'm travelling it's easier than having IT team change permissions.

2) I use dedicated IPs for some systems.

3) Testing websites where I want to appear local to a particular country.

Why torrentingn Linux isos?

It's the classic "legal" use for torrenting, as many Linux orgs send users to torrents for updates.

If someone also accidentally downloads a TB of movies and music on the way to the latest Mint upgrade, oops.

My vpn bypasses the paywall on the public xfinitywifi hotspots making internet essentially free because I would likely being paying for Mullvad regardless.

I mean the EU has completely given up on free speech so if you want to say anything you better be hiding who you are.

Strange that this is a blog post by windscribe which follows many of the same practices as the VPN providers they criticize here.

Were VPNs ever really providing privacy? The underlying business model is selling user data.

I'm curious to learn more about Windscribe. Do you have any more info you can share about their practices?

Can anyone give info on who owns Trust.Zone VPN? The company saves all credentials and doesn't allow the user to generate anything, such as Wireguard private keys. The service is very likely logging everything, and already admits to logging bandwidth, which is severe enough.

Wouldn't be surprised if this was a honeypot for logging Russian internet users, as it appears to cater to Eastern users.

They hide who they are. If you look at their privacy policy:

https://trust.zone/privacy

Then you'll notice that it does not tell you what entity they are or where it is incorporated.

Elsewhere they claim to be incorporated as Trusted Solutions Ltd in Mahé in the Seychelles.

https://trust.zone/tr/post/trust.zone-vpn-reviewed-by-the-to...

And this review claims they are an LLC.

https://thebestvpn.com/reviews/trust-zone/

But when I search for this name in the local registry I get no results.

https://www.registry.gov.sc/BizRegistration/WebSearchBusines...

The Seychelles kind of belong to the 'non-aligned' group of countries, and maintains decent relations with Russia, India, China and so on. They also advocate for a diminished US presence in the Indian Ocean. On the other hand, they're a member of the british Commonwealth and only got independence in 1976.

Trust.Zone sure looks fishy but I can't tell from this whether they are surveillance for the UK, traffic to hide in for russian authorities and cyber crime groups or something else entirely. I'd avoid them unless I was already into grey or directly criminal activities and already had layers of protection and indirection in place.

The analysis is spot on.

What in particular concerns me is the lack of any type of registration seemingly anywhere. I don't mind if a privacy focused VPN said they don't register at all in any country and stated the reasons as to why, but this company seems to have lied.

"The Seychelles kind of belong to the 'non-aligned' group of countries, and maintains decent relations with Russia, India, China and so on. They also advocate for a diminished US presence in the Indian Ocean. On the other hand, they're a member of the british Commonwealth and only got independence in 1976."

Seychelles is a great place to register for a privacy focused service but I agree with you that being a member state of the British commonwealth is concerning. Could you possibly recommend any place that would be better to register such as service?

"Trust.Zone sure looks fishy but I can't tell from this whether they are surveillance for the UK, traffic to hide in for russian authorities and cyber crime groups or something else entirely. I'd avoid them unless I was already into grey or directly criminal activities and already had layers of protection and indirection in place."

It gives the worst vibes possible for a supposed security service.

Trust.Zone offers a free trial which I signed up for to test with a disposable VM. This is where I learned how they keep user credentials and other major privacy issues, such as the logging I mentioned in my last comment. The support also sent a very questionable reply to a ticket where they wanted to do screen sharing and run an arbitrary script on my server to "diagnose" the issue.

So anyone else besides Airvpn and Mullvad is even worth considering?

You can setup a private VPN with Digital Ocean and a PiHole droplet. I guess it's a little bit less likely to be a honeypot. It also seems cheaper than any public VPN offering.

ProtonVPN

Isn't it entirely unsurprising that those running a highly privacy-oriented service would themselves be rather mysterious?

All it takes is an unattended machine for someone to boot another os on and grab the file

If you're going to the trouble of using a VPN, that is not a very likely scenario, and ditto for other users(!) on your machine.

Um, is it some intelligence agencies?

> ExpressVPN was founded in 2009 by Peter Burchhardt and Dan Pomerantzwe who later sold it to British-Israeli security software company Kape Technologies

Close enough.

Mullvad nuff said

They don't support port forwarding anymore though.

Ohh cool, we made that map (I'm from Windscribe). If you spot any errors, let me know.

I tried Proton but their VPN wasnt as good as NordVPNs…

But if Nord is sketchy, what is the recommended one?

You will have to be a lot more specific than "wasn't as good as", to get a response that is helpful to you. What are you looking for in a VPN provider?

I wanted to watch some football world cup highlights video from a japanese TV channel site, which didnt work with Proton, but did with Nord, so I have been with them since then.

This was during the 2022 WC though, so maybe Proton is better nowadays.

I think they got better, I'm watching geofenced Japanese content all the time with Proton.

In the past I occasionally had to select a different server from whatever it picks by default but I've always been able to watch my content.

Mullvad, Proton, IVPN and sometimes Windscribe are generally considered the most trusted

Depends on what you mean by "good".

Fast/low latency is to some extent diagrammatically opposed to high quality privacy. The fastest route is always you to source. The more hops/mixers/proxies/things you add the worse the experience gets

That's actually interesting. My yearly Proton subscription ended several months ago and I tried both NordVPN and ExpressVPN before switching back to Proton. The other two options had limited server locations and I wasn't a fan of the software/setup. There's also a weird shady vibe with how they do their advertising compared to Proton, can't quite put my finger on it though. Proton's software also seems to be more intuitive (although a bit clunky).

I’m not a big expert on the VPN tech side, but it always seemed to me that the most logical option for those that actually understand about VPN is Proton, or am I missing something here?

Im a happy Proton user myself but if someone wanted the absolute most secure and private and reputable VPN I would point them to Mullvad. The main reason I use Proton is because I use the other apps in their suite as well and I get the VPN in the package deal. The threat model is good enough for my use cases

I am also a relatively happy proton user (now, but wasn't always this way). I second this. Based off the site, it looks like Mullvad passed a real world test too, Proton has not. I haven't tried Mullvad in a couple of years, but they were always reliable and fast. The only issue I had with Mullvad was getting connected to enough peers when torrenting, especially on older torrents where the pool of users is small. Proton's port forwarding feature did noticeably help with that. I do enjoy being able to pay a discounted yearly subscription price with Proton and their user interface is nice. There are some minor problems with split-tunneling in Proton though, sometimes it doesn't work and I haven't figured out why.

Mullvad doesn't support port forwarding [1] for users that need it unlike proton vpn [2].

Although I have never needed it myself, which in that case Mullvad might be better since they require minimal registration details.

[1]: https://mullvad.net/en/blog/removing-the-support-for-forward...

[2]: https://protonvpn.com/support/port-forwarding

unless you have a specific use case where you need to run a server through your vpn this isn't as much of a problem as you think it is.

torrents for example have hole punching functionality built into uTP where reachable peers help unreachable peers connect to each other.

The companies to trust are the ones that don’t run ads. I’ve used mullvad for a decade, before that airvpn.

I was a Mullvad user but needed forwarded ports so went back to AirVPN.

No issues so far.

Company who's blog post this is ain't bad either if you're looking for a non-ecosystem VPN. Proton is trying to be Nord and create an ecosystem of products that store all your most private data, all under the umbrella of 1 company which defeats the whole point of a VPN who should have no data on you (not even an email).

PS. I'm from the company who's blog post this is.

> Proton is trying to be Nord

I feel like it's Nord who's trying to be Proton but worse, no? Nord had just the VPN until recently, unlike Proton which was already trying to build an ecosystem (although they did speed up the new product drops significantly in the past few years). And unlike Nord, at least Proton actually has proper zero-access encryption and stuff, and they seem to know what they're talking about rather than just relying on influencer marketing.

Proton used to have mail, they they launched a VPN. Then cloud storage, then password manager, then docs + calendar, then wallet, now also AI and MFA app. They're following literally in Nord's footsteps, all Nord needs to do is launch a mail service and the circle is complete.

Proton is doing influencer marketing now too btw. Parallels are uncanny. All this while claiming to fight Google/big tech, but essentially offering the same products that store the same personal data.

But it is not a US company.

At least uh they sponsor a lot of great video entertainment content

Why you probably don't need a VPN: https://stevesrantsnraves.blogspot.com/2024/09/why-you-proba...

Glad to see more zero trust confidential computing happening....but keep in mind its still vulnerable to attacks like Battering RAM which can fully breaks cutting-edge Intel SGX and AMD SEV-SNP confidential computing processor security technologies.

Battering RAM has been demonstrated to work well against Intel's "Scalable SGX" which is also known as SGX 2, and uses static encryption key to allow SGX to use more of the system's memory.

For example at VP.NET we're using SGX 1, which uses AES-CTR for memory encryption which is not susceptible to memory reply attack, and comes with a limit of 512MB of ram. It's a lot of pain working with a very small memory allocation (especially nowadays where most machines come with 128GB+). batteringram.eu calls that "Client SGX" with a checkmark on "Read", but reading the actual paper it only mentions being able to know which areas of memory were written to (see 7.1). There might be applications where memory access pattern gives detail on the underlying work performed, but this is likely coarse (encryption is likely per page) and unlikely to yield to anything useful.

This said we are also exploring other TEEs including Intel TDX, and having a wider array of options will give us the ability to instantly disable any technology for which we know security has been compromised.

Intel TDX unfortunately suffers from the exact same vulnerability as Scalable SGX. The underlying root cause is the lack of randomized encryption; using a static-adversary encryption scheme (XTS) rather than a dynamic-adversary one. The result is that plaintext-ciphertext mappings are unchanged at a fixed memory address. While the choice of scheme might initially seem puzzling, it is due to a randomized encryption scheme requiring counters for each memory block, which has a prohibitive on-chip memory cost when scaling to hundreds of GBs of memory.

How is confidential computing applied to VPNs?

A long time ago, I have difficulty removing payment card information from ExpressVPN.

Managed to contact support to remove it but they merely zeroed out (it shows 0 for the visible fields) the card details rather than truly removing payment information.

Handy that while connected via ExpressVPN, this is blocked

what server are you connected to? Switzerland works just fine for me

it was one of the UK servers

Can someone explain to me why should I use a VPN when Tor is out there?

It just seems to me odd that one would pipe their communications through a private company, that operates over a jurisdiction when said jurisdiction can compel the company in actions that may compromise my anonymity.

From my perspective, its like shifting my trust from my ISP (an entity with way more oversight) to a pvt ltd.

Isn't Tor as safe as it can get when surfing the web?

VPNs are for when you want to obfuscate your traffic from your ISP, not the government. By passing your traffic through a private company _somewhere else_ to another private entity that has some vested interest in not reselling your data, you can prevent it from being easily mapped back to you.

Also VPN is generally much faster and higher bandwidth than TOR.

From my understanding, they have different purposes. VPNs aren’t really about safety or anonymity, Tor is the way to go for those. VPNs are for if you don’t want your ISP specifically to see your traffic for some reason, or if you want your traffic to appear like it’s coming from a different geographical location with minimal latency hit.

Edit: I should say, VPNs as a technology have far more applications than this, e.g. for accessing a secure intranet, but these are just the reasons you’d theoretically want to use a VPN service like Nord/Mullvad/etc.

Tor is unbearably slow for daily general use.

because i ll get added to a "hidden list" as soon as I even attempt to download tor, let alone use it

> [VPN] shifting my trust from my ISP (an entity with way more oversight) to a pvt ltd

Who do you trust when using Tor?

If anything, Tor Browser is much safer.

vpns are marketed as hiding you from less trustworthy companies or accessing region locked content.

just use mullvad

Using a VPN for regular users is like jumping from one fire pit to another. The real way to escape censorship and privacy leaks is to increase your cognition, avoid blindly following KOLs, think independently when choosing tools

TL;DR: you shouldn't assume your data or activity is in any way anonymous when using these services. These VPNs are useful for changing your region for streaming and not much else. Otherwise, the traffic being routed through these VPNs is basically much more likely to involve "questionable" activity than ordinary traffic - and when you send your traffic through it, you are basically highlighting it as such - and all of this is well-known and of extreme interest to anyone interested in snooping on or analyzing such "questionable" activity.

Despite all the shenanigans related to their corporate structure, does someone really trust in those services in terms of real privacy?

It's hard to believe that for USD 10/month you can have a high-trust VPN so that your ISP will never know who you are, and you can surf the internet untraceable from the IP perspective.

I mean, that kind of infrastructure costs money, and the mechanics to make it happen must be very expensive, and it is hard to believe that this is very commoditized.

It sometimes sounds like someone is selling a 2-cent pizza in Zürich: If you're paying that, maybe you're not ready to know what is inside.

Just pay for and use Mullvad.

By mailing cash, if you like. They don't care if they know who you are or not. They don't ask for your email address, you just log in with a randomly-assigned account number and a password.

Just spin up a server with wireguard.

This is the way (or Tailscale). Easier to move around between datacenters to find one with an ASN/IP that isn't blocked by the apps/websites you use. If you do want a more off-the-shelf solution, Mullvad is probably the best choice. All of the consumer VPNs (including Mullvad) get blocked by various services - I get degraded/intermittent connection to Google Maps on them. GCC countries block most of the well-known VPNs as well, if you ever travel to the Arabian/Persian Gulf region. My private datacenter VPN gets blocked only very, very rarely.

That defeats the entire purpose of anonymously mingling your data with others’

or with Tailscale (and configure the server as an exit node).

WireGuard/udp commonly gets blocked on public wifi

I did until they killed port forwarding.

OOC what's your current favored provider? AirVPN? Proton?

I tried Airvpn but the MacOS client is beyond trash.

And the website just gives 2005 amateur PHP coder vibes. Not just the design. The session expiry is seems very long - I hadn't visited for a few days and I'm still logged in. I'd be surprised if it wasn't infinite.

AirVPNs main proposition isn't "we have a nice app / UX". It's "we give you the most configs / options". AFAIK they're currently one of very few that allow you to configure both port forwards and give you a stable config (keys) to run your own wireguard instance

On Mac you can just use OpenVPN/Wireguard and import one of the profiles you can generate through their website.

Not for feature parity.

And I find there's a good correlation between the quality of the apps and the overall quality of the company. No surprise that the Mullvad VPN app is excellent

For multiple reasons it's better and safer to avoid using official provider client in the first place, regardless of provider, and connect with a good wireguard/openvpn/whatever client.

Not universally true. The Mullvad client has lots of additional features to enhance privacy. Killswitch, split tunnelling (you might otherwise disconnect the VPN to use a certain app, so it can overall improve privacy), Shadowsocks, Lockdown mode etc

It's extremely high quality on MacOS in my experience. It's never crashed for example whereas Airvpn's crashes daily. It connects almost instantly. I don't think I've ever seen it give an error

Proton right now. It's okay but it causes some network issues even when it's set to split tunnel default-exclude.

Proton for me.

Yep.

And I was on Proton for 3y, until the CEO were backing Trump and Vance on Reddit and other places. Their port forwarding was also painful as well, but it worked.

Cancelled. PIA does the port forwarding nicely and stabily. No jank scripts to run every 60 seconds.

Now evidently PIA is a bunch of scum capitalists. But in reality, who isn't?

Mullvad? But they killed port forwarding for "abuse".

> the CEO were backing Trump and Vance on Reddit and other places

Something happened, but THAT didn't.

https://medium.com/@ovenplayer/does-proton-really-support-tr...

> Given Proton’s outstanding track record and reputation thus far as a free, open-source, crowdfunded organization, owned by a non-profit and based in Switzerland (a country known for its neutrality), this topic is worth a deep dive.

Either it was someone paid to write this, or if author really believes this, they are not someone I trust.

Maybe the organization is non-profit (which I do not believe is practically true), it does not explain them sharing so much with Tesonet.

The Proton CEO is not "backing Trump and Vance." He wrote something positive about a narrow policy Trump supported that's favorable to little tech over big tech. That's it. It's certainly possible that someone you detest can still occasionally support a particular policy you think is good.

Particularly when dealing with someone like Trump, who has, on occasion, backed both sides of an issue, depending on the day of the week! ;P

I do and I like them, but Cloudflare blocks their ips aggressively.

Reddit too, I wished they offered residential or dedicated and/or unlisted ips. But most of the time you just have to cycle through different ips to unblock.

At this point in the cat/mouse game, wouldn't any set of IPs used by a VPN eventually be able to be sussed out by anyone interested?

Some vpn services offer dedicated residential IP addresses, meaning you get an IP from just a regular private ISP in some other country. It's admittedly a bit shady though, and more expensive ofc but that will unblock everything

There was a bumpy ride with CF a while ago but they seem fine now (still plenty of captchas, of course)

They dont port forward unfortunately

[dead]

[dead]

[dead]

scary AF

[flagged]

NSA presumably?

Been saying it for YEARS: 95% of VPNs sell your data. It's where they make their money. It's absolutely insane the push-back I get when I say this online. I get downvoted to hell and back.

Source: I bought this data from VPN companies... Hell, you can inject ads and surveys if you want!

> 95% of VPNs sell your data

This is believable.

> It's where they make their money.

I'm much more skeptical of this. I know linus tech tips is not exactly an expert organization, but I believe the discussions they've had about almost starting a VPN and backing out for ethical reasons, and they made it clear that the core VPN product would have huge profit margins. You can always do greedy things to make more money, but for a paid VPN I'd need some solid evidence to believe that data sales are a huge line item or especially that they're the main source of money.

If you're including the swaths of free VPNs then that makes your number a lot harder to use.

> Source: I bought this data from VPN companies

I'm more interested in this part - how does that work? Do you just reach out to them directly and ask "hey, let me buy your user data"? Or is there some sort of service they offer?

I wouldn't be surprised if a lot of them have like a Crypto AG thing going on and have the capability to use paying customers as exit nodes as a way to launder consent-manufacturing bot bullshit through legitimate-looking residential and mobile connections.

Fun fact: I once interviewed for a company offering a free VPN, which was actually using other users as endpoints for the VPN. Some kind of P2P VPN if you will.

How did they make money? Easy: there were also selling a botnet! So if you used their "free VPN", you could be part of a botnet for DDOS or to create fake reviews/upvotes from thousands of "legit" IP addresses.

Yes, I've heard of bad VPN companies that sell your data. I would like to learn more about how it is done exactly.

In your later comment you said "DNS is very useful, and unencrypted. OpenDNS makes its money on this same info." Is the VPN company only openly selling DNS info or are they selling more, such as connection logs?

How did you approach the VPN provider to ask to buy this info?

> Hell, you can inject ads and surveys if you want!

So am I right in saying that the data that's encrypted by VPNS is only in transit? It then sits on a server in plain text, ready to be queried by third parties for money.

Yes, VPNs add encryption only between you and the VPN servers.

How were they able to convince anyone that that matters?

People seem to use VPNs to avoid IP based issues, like Netflix or ip bans/associations, not sure anyone would use it for actual privacy -- at best its obsfucation.

Isn't Netflix pretty good at detecting VPNs at this point?

How does that work with HTTPS being practically ubiquitous?

HTTPS spills what services you are communicating with, but not the content…

…except approximate content sizes and timing patterns.

The GP claimed they can inject ads though

They sell metadata. DNS queries, locations, apps using data, device info. Usually anonymized, but both unscrupulous and "better" providers do have access to your account and payment info.

GP claimed they can inject ads. How does that work with HTTPS?

They can't inject to the http response, but ad servers that work with the VPN or their data brokers can better identify the requester and serve better targeted ads.

I reckon that if HTTPS was sufficient to hide your online activity, then you wouldn't need a VPN to hide it in the first place.

If HTTPS were for privacy it would be called HTTPP. Security features tend to make things less Private, like how opening apps on a Mac makes it phone home for OCSP check.

what VPN companies?

And what types of data?

> 95% of VPNs sell your data. It's where they make their money. It's absolutely insane the push-back I get when I say this online.

People love to stick to what they irrationally believe in. I would give you push back as well by saying 95% is a very conservative number. I would say 98-99%

But hey, they say they don't sell my data isn't it?

And look! I am downvoted again!

How does this work? They harvest your DNS! They inject surveys into your YouTube packets. They tabulate just how much traffic goes to which specific games on Twitch. How? The provider is the endpoint, not you.

It's not the whole picture, but it's enough to sell to marketers.

This is what happens EVERY time I say this! Look again! It happened, I have 1 upvote... It's almost as if the VPN companies don't want you to believe this is true!

Story time! I have been cashed out of three startups. $600 total, across them all. It's the people in the Valley who've struck out over and over who know the truth, not the successes.

One of those startups was about tracking the games played on Twitch, and selling that info to Esports entities, marketing firms, etc. The company did not succeed because, honestly, it's not hard data to scrape yourself. BUT, we tried. And where did we get our data? VPN providers. Major VPN providers. We don't care about your personal data. We care about whether you watched a Twitch stream of GTA or Madden.

And for a time, yes, we could buy injected surveys. Packets, literally injected into your streams of data. This was expensive, iffy, and controversial, but it was on the rate cards.

DNS is very useful, and unencrypted. OpenDNS makes its money on this same info. Stop putting your heads in the sand. Ya'll have seriously lost the path.

https://embed.kumu.io/9ced55e897e74fd807be51990b26b415#map-J...

Mulvad connected to malwarebytes ups

I thought mullvad was clean

seems like malwarebytes uses mullvad for its vpn service.

Yes and they’re very transparent about it.

https://mullvad.net/en/help/partnerships-and-resellers