> Providers claim that your IP address leaks tons of private information, even your physical location, and they also claim that IP addresses are used for tracking. I call that fearmongering and deliberate misinformation.

Well heck, I guess we can tell the Tor project to shut down then.

Everybody can go home, IP addresses don't leak private information and they aren't used as a fingerprinting vector. Apple's going to be so embarrassed when they find out that their private relay service is completely useless. Egg is gonna be on their face for launching such a misguided privacy initiative.

I don't mean to be too dismissive or sarcastic, but I don't understand why people are still linking to this article. It is such a wildly dismissive, deceptive claim to say that IP addresses don't matter. We're coming out of a controversy where the OS community literally called Audacity spyware because it uploaded users' IP addresses as part of telemetry. But in your web browser, suddenly that doesn't matter? Be serious.

> Generally speaking, DNS is unencrypted, which means that everyone between you and the DNS server can read your DNS queries. There is nothing too private in there, as the query is basically a simple “Hey, can you tell me the IP for overengineer.dev?”

Ugh. The domains I visit *are* private information. Obviously they are. And on public networks, DNS sniffing isn't restricted to just an ISP, there are lots of ways you can get your DNS compromised before Comcast gets involved. And while DoH is a very good idea and it is good that it is being rolled out by default in multiple browsers, at the time this article was written it had not been widely rolled out, and in fact it still is not universally rolled out today, and even when it is rolled out to everyone we still will have a long way to go on eSNI and TLSv1.3.

So minimizing the domains you visit as if they aren't personal information, and telling people not to worry about DNS leaking because of a technology that might mitigate the problem in the future -- I feel like that is just a very irresponsible thing to write. It doesn't accurately describe the state of security for browsers today.

> With a VPN, all you end up doing is shifting the trust from one party to another. You are not gaining anything.

The entire "shifting trust" argument is probably doing more harm than good at this point. People have gone from saying "a trustless system should be preferred" to saying that all systems that involve trust are equally insecure, a gross misinterpretation of how trust works.

In the real world, 90% of my security is "moving trust". I choose who has a key to my house. I choose which payment services I'm willing to give my credit card number to. I choose which programs to install on my computer based on which authors I trust. I choose which email host to use. I choose what search engine to use.

Some people and things are more trustworthy than other people and things, and it is beneficial to make educated decisions about which entities you trust with your data.

The big problem with VPNs is not moving trust, the problem is that it is fundamentally difficult to determine whether any given VPN provider is trustworthy. Yes, the better solution here is stuff like relays, we are starting to see from companies like Apple that at least semi-trustless IP address masking is possible in some contexts. And we should move in that direction. But "shifting trust" is not the slam-dunk argument that people think it is, shifting trust is a completely normal way to increase security.

----

The author starts with some legitimate, accurate points: that many VPN companies are scuzzy, that ordinary users attribute more privacy to VPNs than they should, that VPNs are not a protection against JavaScript fingerprinting, and that many VPN companies misrepresent their products. But the author undermines those points by being extremely cavalier about privacy and security risks that we generally understand are real threats.

In doing so, the author robs themself of their credibility.

It is actually really important to talk about the harm that misinformation about VPNs can do to ordinary users, and to talk about alternatives that people can use depending on their situation and threat model. So acting like IP addresses aren't personal information, making these kinds of dismissive claims that are trivially provable as false -- it does the author no favors; it makes it harder to have conversations about real flaws in the VPN ecosystem. We know that DNS leaks matter because otherwise we wouldn't be building DoH. We know that IP addresses matter, because otherwise Tor wouldn't have onion routing. We know that public networks are not trustworthy, otherwise we wouldn't be talking about stuff like router security and regulation for ISPs.

So what's the value in acting like the problems VPNs solve aren't real? They are real. That doesn't mean VPNs don't have problems, that doesn't mean they're not deceptive, but downplaying real privacy problems is not the way to talk about that.