Author Topic: rant about so-called VPN services  (Read 1516 times)

0 Members and 1 Guest are viewing this topic.

Offline madiresTopic starter

  • Super Contributor
  • ***
  • Posts: 7673
  • Country: de
  • A qualified hobbyist ;)
rant about so-called VPN services
« on: January 17, 2023, 04:17:50 pm »
Many video channels are promoting so-called VPN services to get some extra bucks. What annoys me is all that nonsense they claim, the services and the promoters.

What are the so-called VPN services? They are actually a NAT service, i.e. you establish an encrypted tunnel to a selectable NAT server and your actual IP address will be hidden behind the NAT server's address. Does it sound familiar? Your router at home does NAT too, just without the VPN and without the option to select the router.

What is it good for? One feature is to hide your IP address or to pretend to be somewhere else. This helps with circumventing geolocation based blocking of clients, like watching content licensed for a specific region. Or if you are a bad guy, making it harder for law enforcement to catch you. Another feature is to defeat state-sponsered filtering and blocking of internet services.

What it doesn't provide is privacy or protection against security threats. Besides web cookies there are several ways to identify users. Simply changing your IP address doesn't help in any way without applying additional measures. If you enter your credentials on a phishing web page or click on 'install me' the NAT service won't protect you either. Though, there can be benefits, like the NAT server taking a DOS attack meant for you.

Be aware that some of the so-called VPN services keep logs for law enforcement and other purposes. A few were cought saving logs despite claiming otherwise. So much for privacy. Also, restrictive content platforms are mapping the NAT servers and add them to their ACLs. And the Great Firewalls try to block them too. A game of cat and mouse.
 
The following users thanked this post: ve7xen, SL4P

Online dobsonr741

  • Frequent Contributor
  • **
  • Posts: 643
  • Country: us
Re: rant about so-called VPN services
« Reply #1 on: April 19, 2023, 02:54:46 pm »
Not happy with the big name VPN providers? Then check out doveip.com. The business model is worthy of a discussion.
 

Offline bitwelder

  • Frequent Contributor
  • **
  • Posts: 962
  • Country: fi
Re: rant about so-called VPN services
« Reply #2 on: April 20, 2023, 12:38:05 pm »
Be aware that some of the so-called VPN services keep logs for law enforcement and other purposes.
Yep. Also, it depends on how a VPN is used, but if e.g. somebody is travelling and it uses the VPN to have a 'secure' tunnel to escape the doubtful hotel wifi, in that case probably all network traffic will go though the VPN and so even without storing the logs the VPN owner has a good chance to build a list of all the services accessed by the user.
In addition, often those VPN services require to install a custom VPN client application (sometimes after luring the user with some extra security-related features), which means granting them full trust to access the device in use.
 

Online David Hess

  • Super Contributor
  • ***
  • Posts: 16510
  • Country: us
  • DavidH
Re: rant about so-called VPN services
« Reply #3 on: April 20, 2023, 04:01:46 pm »
What are the so-called VPN services? They are actually a NAT service, i.e. you establish an encrypted tunnel to a selectable NAT server and your actual IP address will be hidden behind the NAT server's address. Does it sound familiar? Your router at home does NAT too, just without the VPN and without the option to select the router.

20 years ago I used a VPN service to get a routable IP, so no NAT was involved except on my side if I wanted.  This type of service is still available at a premium price, if only because IPv4 addresses are now scarce.

A VPN service that operates through NAT has the advantage of aggregating the traffic of many users to one IP address spoiling traffic analysis.  With the service that I currently use, I can also forward ports as needed to accept incoming connections.

Of course none of this does anything to block tracking at the application layer, although some VPN services act to block this also in some respects.  They may provide a sanitized DNS service or outright block IP access to known offenders much like various browser plugins do.

As far as trustworthiness, I would sure avoid "free" VPN services and services based in nations like China and Russia, and I would be wary of any of the VPN "conglomerates":

https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-23-companies/
https://www.vpnmentor.com/blog/companies-secretly-own-dozens-vpns/
https://www.cnet.com/tech/services-and-software/3-companies-control-many-big-name-vpns-what-you-need-to-know/
https://www.computerweekly.com/news/252466203/Top-VPNs-secretly-owned-by-Chinese-firms
https://www.csoonline.com/article/3335480/china-owns-half-of-all-vpn-services.html
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: rant about so-called VPN services
« Reply #4 on: April 20, 2023, 08:36:05 pm »
Well those VPN services just get your ISP out of the way for the most part, but sure then you're in the hands of the VPN service itself, which may not be much better.
And no doubt the bigger ones have agreements with governments to get data if they need it, just like ISPs.
And yes, the ones that have proprietary apps to get connected, these are probably pumped full of telemetry.

You know that the RESTRICT act plans on sentencing up to 20 years of prison for accessing banned online services (such as TikTok) through a VPN?
How do you think they will figure it out?
 :popcorn:
 

Online golden_labels

  • Super Contributor
  • ***
  • Posts: 1170
  • Country: pl
Re: rant about so-called VPN services
« Reply #5 on: April 21, 2023, 11:28:46 am »
To start with, the obligatory explanation of how VPN works. :D

VPNs are a subject of marketing and do suffer from the same issues. In the distribution there are bullshit claims, exaggaerated or misleading statements, and truth. In various proportions, but the first part is something I rarely see. Much more often the second case: claims, that may be deceiving to the general population.

VPN removes LAN and ISP from the equation. This is nothing more than shifting the issue elsewhere. While both cases are identical from technical perspective, the privacy and security implications are not necessarily the same. In the most basic scenario you must choose between two entities: the ISP and the VPN. The VPN provider may be more trustworthy(1) than the ISP, depending on one’s situation. Putting that in the game theory perspective, we are dealing with two variables, each being a probabilistic distribution.(2) If the ISP variable is already degraded to a single, unacceptable value, choosing the unknown case is likely to be the better choice. If that wasn’t enough, local network may be malicious and VPNs do protect against this.(3) Of course the problem is, that most of the advertising audience will never use the VPN in such circumstances. This is why it is an exaggerated claims. But not strictly false.

Some other statements are so exaggerated, they are on the edge of being false (but still strictly not false). They usually appeal to unreasonable fears. Fears that are not completely wrong, but are greatly inflated. For example: falling a victim of DDoS, and retaliatory attack or being harmed in the meatspace. This does in fact happen and VPNs do provide protection against this. The catch? Not only the threat is orders of magnitude less likely than people expect it to be, not only people themselves subvert the protection, but they fail to recognize random campaigns are more likely to hit them than targeted attacks.

My primary concern are VPNs that claim to be “free”. There is no way they are honest, yet people fall into that trap. They turn victim’s computer into an open relay to proxy traffic from other “free” tier users, they force the user into paid plan by artificially handicapping the service quality, or the “free” service is a temporary offer to attract victims. To people advertising “free” VPN I have one message: the one between the index and the ring finger.


(1) For any definition of “trustworthiness” you choose. I leve it imprecise here, not making too many assumptions.
(2) Here I assume the distributions are similar. This is not necessarily the case in all real world examples. And that may be a subject of a debate, but the discussion would be about deviations from this central assumption.
(3) Pushing for HTTPS made the practice practically obsolete, but some risks remain.


« Last Edit: April 21, 2023, 11:35:29 am by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline jonpaul

  • Super Contributor
  • ***
  • Posts: 3285
  • Country: fr
Re: rant about so-called VPN services
« Reply #6 on: April 21, 2023, 01:46:47 pm »
Bonjour à tous

Very interesting and topical note

Any experience or thoughts on

NORD VPN
Proton (Swiss) VPN, security email
Cloudflare
Express VPN
SurfShark

Mille mercis pour votre réponse

HAVE AN ABSOLUTELY FANTASTIC DAY

jon
Jean-Paul  the Internet Dinosaur
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 14230
  • Country: fr
Re: rant about so-called VPN services
« Reply #7 on: April 21, 2023, 08:13:02 pm »
I guess if you want something that really works, use Tor.
Keep in mind Tor may be illegal in various ways in some countries.
Otherwise spend money on something that will screw you up the moment they are able to. ;D
And as I said, keep in mind that even using a perfectly legal VPN may throw you into the illegal territory soon enough. :popcorn:
 

Online golden_labels

  • Super Contributor
  • ***
  • Posts: 1170
  • Country: pl
Re: rant about so-called VPN services
« Reply #8 on: April 22, 2023, 09:19:08 am »
Tor is suitable for providing high anonymity. This isn’t what an average VPN user asks for. Getting more than needed wouldn’t be a problem, if Tor had no downsides. Most notably high latency and relatively low speed. Exit nodes face overblocking, making it impossible to rely on Tor for many services.

VPN hides user’s real identity from the public internet, while Tor does that and also hides it from the exit relay. So indeed Tor offers better privacy. But for most VPN audience revealing their real identity is not the threat model. Except for state agencies and companies wishing to sue a person, nobody sees much value in that kind of data.(1) The value is in ephemeral, abstract relationships between requests one makes. Tor has no safeguards against exit relays seeing these relationships: this never was among its goals.(2) In this matter it is the same as VPN. The more such relationships is collected, the higher price the person may be sold at. In that matter Tor has a slight advantage here: the user being able to request a new circuit, limiting exposure. But that is all: do not delude yourself, believing there is any technological feature in Tor that would prevent exit node from selling you the same way a VPN operator could. At this point I am not even discussing, that most users indiscriminately download and run webapps in their browsers, making any IP address masquerading for privacy purposes pointless.

If you are worried about a VPN selling you, there is an option. Get a VPS and setup your own VPN. Not everybody has skills required to do this, but for many this is a viable solution.

At this point I want to make it clear: I do not oppose using Tor in general. Quite opposite: I hope the use of Tor to be seen as a normal thing. I just don’t like advertising it in a manner, which is no less misleading than what VPN ads do.

As for using anonimization for doing illegal stuff: depends if it’s criminal or not, and if criminal charges are filed by the state. If it’s only about somebody suing your ass, it’s a matter of how much you can trust the VPN operator to not yield and how much risk you accept. Using VPN for serious crime is plain stupid. Even if the operator is not strictly obligated to reveal data, they have no incentive to cover up for you. You may assume they will happily pass your information to law enforcement, even if it’s the lowest police officer in Alaska asking an operator located in Iran.


(1) In the context of mass surveillance. There may be more value for targeted attacks, but this is again not a typical threat model in this scenario.
(2) Tor specification, §6.2: Opening streams and transferring data
« Last Edit: April 22, 2023, 09:26:46 am by golden_labels »
People imagine AI as T1000. What we got so far is glorified T9.
 

Offline onsenwombat

  • Contributor
  • Posts: 35
  • Country: hk
Re: rant about so-called VPN services
« Reply #9 on: June 25, 2023, 11:55:00 am »
Some people use it to circumvent geoblocking, however many/most major VPN providers are well known on this front.
Then there's people who might be running low on their trust / satisfaction towards their local governments, and want to do whatever they can to limit their data sniffing of your personal life.
And a lot more, many of which are already covered here.
 

Offline paulca

  • Super Contributor
  • ***
  • Posts: 3989
  • Country: gb
Re: rant about so-called VPN services
« Reply #10 on: July 04, 2023, 10:52:05 am »
Eggs * baskets = targets.

Those VPN NAT end points are a perfect place to spy, intercept and track all the unencrypted traffic leaving it. 

People go from being behind one of 30 million IP addresses in their region of the 10 million their main network provider has to .... being behind the one of a few dozen the VPN provide gives them.

Much more available targets and more of them and all in one place.  Rubs hands.

For remote access, I run my own VPN on my own kit and use always on VPN mechanics and anti-bridging.  For pretending I'm somewhere else.... I tend not to bother.  I haven't found something yet I wanted badly enough to need to hide behind a remote NAT.  However, if I did, I would just use an AWS service or maybe just a LinNode VPN router.  It's probably cheaper, especially if you take an elastic docker host which can be region migrated without downtime.

When  want to sell cocaine to children I use Tor.
"What could possibly go wrong?"
Current Open Projects:  STM32F411RE+ESP32+TFT for home IoT (NoT) projects.  Child's advent xmas countdown toy.  Digital audio routing board.
 

Offline ve7xen

  • Super Contributor
  • ***
  • Posts: 1192
  • Country: ca
    • VE7XEN Blog
Re: rant about so-called VPN services
« Reply #11 on: July 04, 2023, 06:43:30 pm »
Agreed, using this sort of VPN service is just shifting around the trust model you need to consider. This can be valuable, but you need to weigh where you are placing trust for your own situation and your own 'security model'.

For most of us in Western democracies, I'm not very convinced that a VPN provider deserves any more trust than an ISP, and if they're in a different country, whether there's any recourse against them, or even what laws apply, is pretty unclear. So I generally don't recommend bothering, unless your intent is just to avoid geoblocking and then only use it for that; there's also some value in using it on public/untrusted WiFi. Or of course if you want to engage in illicit activity, it might provide some barrier to law enforcement that they too need to cross national jurisdictions. Other than that though, I don't see how the security model improves by running all your traffic to an organization administered by a foreign company. In other words I trust these companies even less than the local ISPs in my country, and have less recourse against them. There's an argument to be made for using one while travelling, where you might not understand the local situation, as well.

That equation might change substantially if you don't trust your local government, the local ISPs are forced to engage in censorship, or you might be persecuted for your online speech. Then you may very well trust a foreign VPN company more than your local ISP.
73 de VE7XEN
He/Him
 


Share me

Digg  Facebook  SlashDot  Delicious  Technorati  Twitter  Google  Yahoo
Smf