Personal VPN services are snake oil

The problem is that they are sold as a security&#x2F;privacy product, because they can’t mention the more illicit uses (which the author mentions under “when to use a VPN”), which are the real use cases people buy them for.<p>It’s kind of like when shops selling bongs would market them as “tobacco accessories”, but there was a wink-and-nudge understanding about how they would really be used.

&gt; When to use a personal VPN?<p>&gt; - Geofence bypass<p>&gt; - Piracy<p>&gt; - Soft network block&#x2F;censorship<p>Among all the people I know who use the kind of VPN services talked about here, these are exactly their reasons for using them. Obviously advertisements are going to shy away from these angles.

I&#x27;d add:<p>4. Making all your traffic look &quot;neutral&quot; to your ISP, in places (think corporate &#x2F; college campuses, cellular data, hotels and boarding schools, not countries) where net neutrality isn&#x27;t enforced and certain traffic (most often torrenting, video streaming and&#x2F;or gaming is deprioritized. I guess this could be classified as blocking or censorship, but deserves a separate category IMO.<p>5. Places where the networking hardware messes about with your data. I&#x27;ve seen places that would add their own iframes to unencrypted HTML content, which broke some software because their algorithms to detect what was HTML weren&#x27;t very good.

There is a fourth use case for VPNs: evading traffic shaping and censorship on public wifi hotspots. Many hotels block not just porn sites but also legitimate news pages (e.g. Torrentfreak), and most drastically throttle YouTube, Netflix and other streaming-heavy sites.<p>A fifth use case is related: evading bad peering. Deutsche Telekom was infamous for years to &quot;double dip&quot;, i.e. requiring that other (backbone&#x2F;regional) ISPs pay them for peering, and so DTAG customers that tried to access Hetzner servers were throttled as the Hetzner-Telekom link got saturated in the peak traffic times.<p>[1] <a href="https:&#x2F;&#x2F;www.golem.de&#x2F;news&#x2F;hetzner-und-netzneutralitaet-extrakosten-fuer-bessere-anbindung-an-telekom-kunden-1511-117711.html" rel="nofollow">https:&#x2F;&#x2F;www.golem.de&#x2F;news&#x2F;hetzner-und-netzneutralitaet-extra...</a>

The article appears to be written by a technical person who doesn&#x27;t understand (or want to acknowledge) how bad end-users can be at security. We&#x27;re still trying to get users to not reuse passwords on multiple sites and not click on links in SMS messages. Meanwhile, the author is suggesting you contact every website you use and ask them to add HSTS.<p>Some end-users need straight forward advice like &quot;Use a password manager&quot; or &quot;Use a non-free VPN on open WiFi connections&quot;. The rest is going to get thrown out with the bathwater.

In general I agree about it not providing security benefit, but they can reduce the exposure of eavesdropping like DNS leaking browsing patterns, and so on. Sure, you’re now leaking your DNS traffic to the VPN server, but in my opinion it’s better to leak that to somewhere external than somewhere close by (e.g. to companies or individuals directly related to your network that will use it for monitoring and monetisation)<p>https downgrade attacks and the like (html injection on http pages) can also be thwarted (unless they are done on the vpn-&gt;service path ofc),

An issue is that they&#x27;re sold as a way to stop your ISP tracking what you&#x27;re doing.<p>But why would I trust a random company with this information over an ISP, who yes aren&#x27;t always angels, but at least are somewhat accountable.

Author linked to privacytools.io.<p>&gt;even better, a browser built with privacy in mind<p>which is full of VPN ads <a href="https:&#x2F;&#x2F;www.privacytools.io&#x2F;privacy-vpn" rel="nofollow">https:&#x2F;&#x2F;www.privacytools.io&#x2F;privacy-vpn</a>. Browse <a href="https:&#x2F;&#x2F;www.privacyguides.org&#x2F;en&#x2F;vpn&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.privacyguides.org&#x2F;en&#x2F;vpn&#x2F;</a> better.

URL would be funnier if owner also owned the actual URL, but redirected everything to the extra one.<p>And it&#x27;s unregistered!<p><a href="https:&#x2F;&#x2F;www.namecheap.com&#x2F;domains&#x2F;registration&#x2F;results&#x2F;?domain=dotzoltanbalazs.com" rel="nofollow">https:&#x2F;&#x2F;www.namecheap.com&#x2F;domains&#x2F;registration&#x2F;results&#x2F;?doma...</a><p><i>Edit:</i> Per below, missed the last dot. zoltanbalazs is registered. <a href="https:&#x2F;&#x2F;www.namecheap.com&#x2F;domains&#x2F;registration&#x2F;results&#x2F;?domain=zoltanbalazs.com" rel="nofollow">https:&#x2F;&#x2F;www.namecheap.com&#x2F;domains&#x2F;registration&#x2F;results&#x2F;?doma...</a><p>Also, what would be more interesting: a financial breakdown of how an average <i>free</i> VPN provider makes money.<p>I assume ad injection + selling traffic data, but does that make enough to offset the cost?

I&#x27;ve never seen a whole lot of value in personal VPNs; it&#x27;s basically trading one network that can observe you for another. Often with unverifiable claims about not observing you.<p>But, it can be helpful to trade one network&#x27;s routes for another, in cases where direct routing between you and your desired peers is poor for whatever reason. And it&#x27;s clearly useful for circumventing geographic restrictions (as long as those imposing the restrictions dont&#x27; care to identify and restrict access through VPNs)

Plex does not work for me on my AT&amp;T fiber - some peering issue (or intentional throttling?!) that makes movies fail to playback 50% of the time as if I&#x27;m on dialup or something.<p>Got a cheap VPN to get around the issue and it works perfectly.

A lot of people have VPNs for single temporary reasons.<p>* In the Bible Belt (a.k.a. Chistianstan) and some Muslim countries it is to access porn.<p>* In Canada and Mexico is about accessing what Netflix doesn&#x27;t provide to their countries.<p>* In hybrid offices it is about the second job that they do remote and hidden.<p>They want something simple for a couple of months and then just discard it. VPNs are good for that.

The author calls it snake oil then lists legitimate reasons to use a VPN at the end

Some college campuses (like the University of Texas system) block tiktok on wifi, so people are using VPN. (They could use cellular data instead, but that is often slower than campus wifi with VPN).

In my country ISPs are legally required to store metadata for all traffic so using a VPN protects me from that

It’s true that their privacy promises are dubious…but they’re great for IP switching.<p>I run a low-volume scraper which benefits a ton from keeping the IP address fresh.<p>So I guess, in a sense, I’m grateful that enough people are paying for ~nothing to make the service pretty great.

Author is correct that TOR has better privacy than a better VPN because TOR means you are truly anonymous (assuming the network is not majority compromised).<p>However, bandwidth and latency on TOR suck, and in many cases the endpoint IPs are blacklisted to hell due to abuse. A VPN is a nice middle ground where your can put another entity between yourself and your traffic, which is valuable against most opportunist adversaries. If a TLA wants me and can get a warrant, not even TOR will save me, but a VPN keeps the ISP from selling my traffic and the media trolls from sending me grumpy letters because the neighbors keep using my wifi to watch free content.

I need a VPN to do a lot of stuff with crypto now because websites are blocking Americans. $5 a month and having to use it is annoying, but I&#x27;d have missed out on thousands of dollars of income if I wasn&#x27;t using one.

Although i agree with the overall message, there are privacy concerns with OCSP[1] which are mitigated by using a VPN. When trying to use the web privacy conscious, it might actually be beneficial to your privacy. This is a very edge case though.<p>[1] <a href="https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Online_Certificate_Status_Protocol#Privacy_concerns" rel="nofollow">https:&#x2F;&#x2F;en.wikipedia.org&#x2F;wiki&#x2F;Online_Certificate_Status_Prot...</a>

I don&#x27;t necessarily disagree that there&#x27;s a lot of people being sold a VPN that probably don&#x27;t need it, but VPNs still can be a legitimate tool. Even outside of the &quot;well known&quot; VPN uses like piracy, privacy (in a &#x27;I trust it more then my ISP&#x27; fashion), and getting around geo-fences there&#x27;s still uses for them. A couple of quick examples:<p>Getting around blocks or monitoring on networks like work WiFi. No need to tell my work I&#x27;m on Indeed, and for a little while they seemed to block my email provider (Proton) and reading my email is handy to be able to do.<p>For use as a network tool. For example, I was recently helping my brother set up a website, and with port forwarding he was able to really easily VNC into my VM I was working on it with.<p>VPNs can also be handy for the &#x27;slightly suspicious stuff&#x27; that&#x27;s not illegal. You know, things like an internet search about something you saw on TV or were just curious about that&#x27;s not illegal to research, but you&#x27;re worried it could be a suspicious search. Or maybe I want to use wget to grab an offline archive of a website, but don&#x27;t want to raise alarms and get my IP banned.

In terms of privacy, there is one aspect you can gain:<p>Privacy from your ISP and government. Even the UK now mandates ISPs collect data on user behaviour &quot;just in-case&quot; (snoopers charter), and it has been confirmed one of the big three mobile networks has implemented this, but not which. It&#x27;s bad enough trying to put up with big tech.

I run a commercial VPN service (Windscribe). Here are my thoughts on this.<p>At its core, a basic VPN is a trust shift service, nothing more. Do you trust your ISP less than an some anonymous shell company owned by Siberian forest dwellers? In many cases, the answer is no.<p>That being said, depending on where you are and if you choose the &quot;right&quot; VPN, the answer could be yes. Here are some reasons why you may want to use a good commercial VPN, which goes beyond just the ability to tunnel your traffic through a remote endpoint:<p>- You are in Russia, China, Iran or other countries with heavily censored Internet. Over 3 billion people live in such places, or nearly 50% of the world&#x27;s population.<p>- If you don&#x27;t live in such places, laws in certain US states criminalize certain behaviors. This will only get worse, even in &quot;western democracies&quot;. Using a quality VPN service is much better than barebacking the Internet.<p>- You want your traffic to be &quot;lost in the crowd&quot;, something you cannot achieve with your Digital Ocean droplet, no matter how well you configure it. Changing your IP does absolutely nothing, safe a few exceptions (piracy, or keeping an alter ego if your opsec is good)<p>- Additional features: server side DNS filtering &#x2F; blocking. Yes you can use uBlock origin, but not on mobile, and not outside the browser. Yes you can run Pi-Hole, and setup WG tunnels to your homelab. 99% of people won&#x27;t.<p>- Advanced features: Companion browser extensions that block ads, trackers, malicious domains, mess with your browser settings to reduce chances of fingerprinting. Yes you can install 5+ different extensions to do that. Most people won&#x27;t.<p>TLDR; If you&#x27;re an elite haxor, you can do everything yourself. You will spend time, and money doing so. Most people will not bother or not be able to do these things, and a quality commercial VPN service can check a lot of the boxes I mentioned above. Just avoid the ones that advertise heavily, those are marketing &#x2F; snakeoil sales companies, as the author suggested.

Wouldn’t a VPN help protect against a targeted attack? Like an attacker could push bad JavaScript or app update to the user of a particular IP address. On DNS, it’s plaintext by default, and almost always not signed via DNSSEC. Such user could slightly benefit from a VPN from a security perspective.<p>VPNs also usually do ad blocking, and some limited malware scanning.<p>On privacy, there are many situations where a private IP address may be desirable, some of which mentioned in this post. VPN hides the traffic from the ISP, but also the user from the destination. On the latter, for instance, the websites could log IPs and that information could be sold or leak in the future.

&quot;Also, as Encrypted Client Hello is about to start soon, it will be exponentially harder for eavesdroppers to figure out which sites you are trying to visit.&quot;<p>Exponentially? Can we see the data on that. Perhaps this word as used here is just a figure of speech.<p>&quot;Tor Browser uses uncountable techniques that prevent tracking your browser.&quot;<p>Tor Browser has a number of popular browser &quot;features&quot; removed&#x2F;disabled by default. As such the browser user does not need to do anything, no fiddling with poorly-documented options via about:config, user.js or whatever. IMHO, modifications like these would be useful even when not submitting requests through the Tor network. The question I have is why is there not a Firefox version that is like Tor Browser but without the Tor integration.<p>Perhaps the answer is because Mozilla is trying to perpetuate online ads, i.e., surveillance, data collection and tracking, as a &quot;business model&quot;, such as the model adopted by Google. Mozilla is wholly dependant on financial support from Google. If Google&#x27;s online ads business fails, Mozilla is out of options.<p>NB. I would never use Tor Browser. I am a text-only browser user and I prefer netcat and other TCP clients through one or more localhost-bound proxies for making HTTP requests. When I experiment with Tor, I use tor binary I compiled myself without relay module. In front of the tor SOCKS proxy, I use socat for requests to .onion sites that use HTTPS and tinyproxy for requests to .onion sites that use HTTP.^1<p>1. If anyone can explain why some .onion sites use HTTPS instead of HTTP, I would be interested to know the anwser. AFAICT, most .onion sites use HTTP.<p>Tor reminds me of the early public internet. Submitting a request like an Archie search and having to wait seconds for a response. Also the number of .onion sites is relatively small. I like the uniformity of .onion addresses and the general absence of &quot;vanity&quot; names. And the search engine for it reminds me of the web pre-Google: like AltaVista, thousands of results are accessible. That&#x27;s the way I like it. None of this collecting data from searches and trying to &quot;guess&quot; what someone is searching for (as Google does).

My use case:<p>- In Hotel, Airport. VPN can be used to bypass DNS based captive portal. - Yes true hopefully all website are encrypted with ssl, but still an attacker can easily fingerprint me through my internet usage, even though everything is ssl, there are still a lot of plain-text data flying around. So yeah, ProtonVPN, ftw.

The thing I never hear mentioned is when your home ISP (or say your favorite cafe&#x27;s) is known to use your traffic data for marketing purposes or sell it outright. I trust Mullvad farther than I trust my ISP. I could switch ISPs, but my only option is Comcast and they&#x27;re even sleazier.

Cannot use Torrent on my ISP.<p>Can use Torrent on VPN.

The article itself refutes the claim in it&#x27;s title. VPNs have legitimate use, where they are the most attractive option to complete a certain goal. The article itself is listing thse use cases.<p>But yes, VPN advertising preys on people&#x27;s unfounded fears.

I wanted to use one to watch Gardener&#x27;s World from the BBC and it doesn&#x27;t even work (I&#x27;m in France and the program is UK-only for a reason that no one really understands)<p>same goes for watching Netflix from other countries, VPN are badically useless

nobody going to point out that using a vpn for region bypass gets you blocked on Wikipedia, banned on your banking, shown captcha left and right by cloud flare... but Netflix and Disney+ all works perfectly?<p>:pondering emoji face

Everyone is pointing out that the article shoots itself in the foot by giving three very good reasons for VPNs and dismissing them. But I think there&#x27;s a fourth reason that isn&#x27;t mentioned:<p>The US doesn&#x27;t have reasonable privacy laws and I don&#x27;t trust my VPN to not sell my browsing history to anybody with two pennies to rub together.<p>Yeah, I can (and do) use DNS over HTTP, but the ISP still knows what IPs I am connecting too. It&#x27;s trivial to find out what domains are hosted there.

I use speedify to channel bond wifi and mobile when the wifi is not super reliable. It works great when walking around outside and eduroam works for 20m at a time.

There&#x27;s a fourth use-case: occasionally, gaming.<p>I play Final Fantasy XIV, an MMORPG - apparently, supposedly, the peering connection between AT&amp;T and FFXIV&#x27;s US ISP (NTT) was particularly bad. [1]<p>This manifested as pretty severe connection issues for AT&amp;T customers playing FFXIV. Except, it was a chronic issue that would only flare up when that particular connection point was stressed.<p>One of the easiest workarounds? Hop on a VPN.<p>That&#x27;s one example. Anecdotally, I have a few friends that toggle VPNs on and off when they encounter &quot;network weather&quot; in games. Personally, I&#x27;m a bit skeptical they&#x27;re truly so often mitigating problems by toggling a VPN (instead of, say, just waiting a couple minutes), but hey, they swear by it.<p>[1]: <a href="https:&#x2F;&#x2F;forum.square-enix.com&#x2F;ffxiv&#x2F;threads&#x2F;482155-Bad-lag-again-with-NTT-s-NA-server-network&#x2F;page2" rel="nofollow">https:&#x2F;&#x2F;forum.square-enix.com&#x2F;ffxiv&#x2F;threads&#x2F;482155-Bad-lag-a...</a>

Yeah, no.<p>&gt; OK, but what about my DNS and TLS records being exposed to everyone so they can follow what I am doing? In a public place, anyone can look at your display already. Or, if you are worried about your ISP selling your traffic data, there are better options for you. Use DNS over HTTPS, for example. You have to use a VPN provider you trust better than your ISP&#x2F;Wi-Fi provider. Also, as Encrypted Client Hello is about to start soon, it will be exponentially harder for eavesdroppers to figure out which sites you are trying to visit.<p>Encrypting DNS is a nice start, but the ISP can still see the IPs you&#x27;re connecting to, which is enough for a lot of sites, and Encrypted Client Hello is <i>about to start soon</i> is a lot of words to say &quot;today, your ISP can see the domain on every HTTPS connection you make&quot;. So no, distrusting my ISP is <i>absolutely</i> a compelling reason to use a VPN. (And lest you say &quot;but do they actually spy on you?&quot;, I literally got a letter from AT&amp;T informing me that they were going to start monetizing information mined from my connections.)<p>&gt; But if you care about privacy, the answer is always ToR, ToR browser or Tails, and never VPN. Except in cases where you first have to hide your ToR usage using a VPN, which is a rare exception among users. If you don’t understand why you would need that, you probably don’t need that complexity. Tor Browser uses uncountable techniques that prevent tracking your browser. And if your privacy is essential against local Wi-Fi attackers, your ISP, why is the ad industry not in scope? Adblockers are only half the solution against tracking.<p>I mean, yeah I also use uBlock, but TOR makes harsher tradeoffs than are necessarily needed (multiple hops is really safe but also really slow). I&#x27;m <i>just</i> hiding from my ISP&#x27;s prying eyes; I explicitly don&#x27;t include the NSA in my threat models and lesser methods are Good Enough™ for websites tracking me.

I view it as more moving the problem.<p>Instead of police kicking down ISP doors they kick down VPN runners doors.<p>Sorta ambivalent towards them overall. Just don’t have a big use for them

I thought many people used VPNs so that they could connect to a host in Canada or Mexico to use BitTorrent to download videos in the US.

Heartened to see that porn consumption is one of the few recommended use cases for a personal VPN

Digital Ocean droplet and Tailscale?

&quot;One massive problem with personal VPN services is that they are working to fail open. If the connection fails, your connection is not “protected” anymore. Some premium VPN providers sell “kill switch” functionality, but I am sure less than 1% of the users use this properly.&quot;<p>There&#x27;s a very, very easy way to solve this problem:<p><pre><code> vpn_command ; ip link set ens160 down </code></pre> ... or whatever ... this way, if the VPN exits you are immediately bringing your network down. Very simple and robust.<p>A &#x27;network slug&#x27;[1] is an even more robust - and network-wide - mechanism for enforcing your VPN. If you are serious about avoiding misconfiguration or opsec failures you should have a network slug as a physical choke in your PHY.<p>[1] A &quot;slug&quot; is a layer-2 bridge, with no IP address configured, that still enforces a TCP&#x2F;IP whitelist. So it does not &quot;use&quot; a hop on the network route, and you can&#x27;t see the device, but as it bridges traffic it enforces a (very simple) ruleset:<p><a href="https:&#x2F;&#x2F;john.kozubik.com&#x2F;pub&#x2F;NetworkSlug&#x2F;tip.html" rel="nofollow">https:&#x2F;&#x2F;john.kozubik.com&#x2F;pub&#x2F;NetworkSlug&#x2F;tip.html</a>

Try to travel the world and access financial or governmental institutions, then tell me about usefulness &#x2F; uselessness of VPN.

This is generally true. These VPN services are security theater as tracking has moved beyond IP address. They are likely masking other more nefarious use cases; and in many cases, deliberately and willfully aiding and abetting therein (for example forwarding BitTorrent traffic to other &quot;Non-Copyright&#x2F;DMCA Participant&quot; countries, forwarding users through faux residential IPs for &#x27;streaming&#x27;, etc.).

baby&#x27;s first regex! oh so cute, here let me feed you more periods

Another interesting point is that VPN providers have access to server-side keys and, obviously, the processes. This just makes the VPN provider the new ISP.<p>There&#x27;s no guarantee that VPN traffic isn&#x27;t being decrypted and inspected<p>&quot;just trust us, bro. look at our popsec influencer approvals, bro.&quot;

It’s not that deep. People want to download shit and watch Netflix

Fuck that is a good domain name

Argument is based on the assumption that &quot;probably only one percent of users correctly use a kill switch&quot;, and in general shows a low level of understanding of threat models and the swiss cheese security model. Author assumes to know the intentions of VPN users and asserts users are dumb, also throwing unnecessary barbs at &quot;wannabe hackers&quot;. Unprofessional article, bad advice, no differentiation between nonlogging services and services like nordvpn that bundle google analytics and tracking into their application.<p>My take? Do a threat assessment, build a threat model, know your adversary be it your own ISP selling your data or protection against hostile state entities when traveling overseas. There are many valid uses for the various types of commercial VPN and instead of an objective look at these services the author walks in with an assumption that they are all the same and never provide value to their customers, then bends over backwards to attempt to make weak arguments against a vast category of service.

VPN or not, the biggest MiTM threat to privacy on the web is Google. They may not be actively malicious and steal your bank info, or do other nefarious stuff, but they will always oppose end-end encryption. Google&#x27;s stance is to lock out the competition under the guise of &quot;protecting&quot; users, so only they can spy on user data.