I don’t understand the value of consumer VPNs. Can someone explain it to me?
We do pretty much everything over SSL these days. Definitely everything that matters. That provides confidentiality, so network intermediaries can’t see the data, and server authentication, so they can’t impersonate the server.
Yes, DNS is the exception: it’s not encrypted, but more and more browsers and other user agents are building in DoH and DoT, and even enabling it by default.
So, given all that, what do general purpose VPNs add? What am I missing? Are they just security theater marketing? Or do they bundle other security features like anti-malware etc, and the term “VPN” now means a bundle of miscellaneous endpoint security features, like (shudder) anti-virus used to?
One common usage is to get around IP geo-restrictions that some online services have in place.
@snarfed.org TLS provides privacy but not anonymity. VPNs, in principle, provide both.
Beyond that, though, no, it’s all just marketing. If you don’t care to hide your identity they don’t add anything useful.
@snarfed.org Well, isn’t that about hiding your true location so you can access websites which would otherwise be blocked for you at your real location? I remember that I first went after such a VPN thing when my children wanted to see football on a German TV-channel in France.
@snarfed.org honestly pretty sure it’s mostly security theater marketing.
The two features they really offer:
Changing IP geolocation… which isn’t reliable because those endpoint IP addresses get blocked by the providers you’d use it to access.
Logless anonymity… which most don’t really even do even if they advertise it, but basically just protecting from cases where your IP address could be targeted (like for instance bittorrenting)
Everything else has just been them pretending https isn’t commonplace today.
True, good point. How far we have fallen 🤷
@snarfed.org security in depth, circumventing geographical restrictions, bittorrent.
@snarfed.org Security theater. We’re long past the days of Firesheep. Their primary consumer uses are to access streaming content in a different geography and to torrent with (slightly) greater impunity. (If you’re subject to a repressive regime, you have larger problems and, in any case, typical consumer VPN service is probably blocked regardless.)
Countries, too, place restrictions on services so it can help when travelling.
That said, most of the general VPN services have identifiable IP ranges so I remain unconvinced that it’s a solution without a cat and mouse game.
I saw one concept that had end-to-end encryption so even the VPN couldn’t see the data, but not sure if it ever came to fruition
@snarfed.org Doesn’t it hide what pages you open?
Mostly just spreading FUD imo, but I personally used to use consumer VPNs to trick DPI and get around some port blocking like ssh (both are caused by gov politics)
@snarfed.org Without a VPN your ISP (and whomever asks them … ) knows the IP/domain of the other end of your communication.
With a VPN … the VPN provider knows, but not the ISP.
Some VPN providers most certainly fight requests for that data more than the ISPs – but not all. I think the general consumer is unaware of the difference between VPN providers in general.
FUD and marketing
The VPN providers all track this data themselves and sell it or hand it over to law enforcement on demand.
It’s useful for getting round georestricted content (although all the streamers are wise to it) but nothing else. The reality is that it’s all marketing hype and the VPN companies are doing the worst kinds of surveillance to capture and sell your data.
Europeans are not able to read a number of American news sites because the GDPR requirements can’t be met. I don’t know which issue they can’t handle, but also they don’t care because the ads may not be seen by the target audience.
A quick trip on VPN allows us to read these.
It’s irresponsible to spread FUD about privacy services like this. We know for a fact that Mullvad hasn’t, for one, as they were raided by Swedish police and couldn’t provide any details. Obviously there are bad actors who might collect data, so doing your research is important.
@snarfed.org 1. geoblocked content – region limited streaming services and live sports streams
2. For people who pirate stuff, additional layer of security in hopes that the service is not keeping logs
3. Punching a hole in your country’s great firewall. My country blocks a bunch of Russian websites. Not that I visited them, but they might be needed for journalists.
4. Other reasons to hide your region/country
They are very much security theater marketing. They are also enticing to people who are very distrusting of their own ISPs… Although I’m not sure if those people are aware they must put the same trust in the VPN provider. The “feature bundles” are also increasingly a thing too
All that said, a consumer VPN has been useful to me a couple of times through my life in order to spoof my geographical location (i would get them for the occasion and cancel them immediately afterwards)
Some have ad-blocking at the DNS level. Handy if you can’t change the DNS on your device/router.
Geoblocking circumventing is also moderately useful.
Other than that, it depends on who your adversary is. Are you trying to hide traffic from your partner, ISP, or the state?
@snarfed.org there are a few advantages and one big gotcha.
Pros:
– you can pretend to be in a different country to where you are to get around services that geoblock (like accessing BBC iPlayer from outside the UK)
– your VPN provider may also provide filtered DNS to “protect” you from content you don’t want yourself or your family to access (porn, malware, etc.)
– while SSL prevents eavesdroppers from seeing the detail of your traffic, they still know what addresses/sites and when you access
It’s basically become essential in the UK since the Online Safety Act came into force. Bluesky wanted me to verify my age with a credit card, for example
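The point made twice in this thread, that a network observer still sees which sites you connect to even though the content is encrypted (the ISP-sees-the-domain reply earlier, and the third “pro” in the post above), is easy to demonstrate. The following is an added example, not code from anyone in the thread: it builds a minimal, constructed TLS ClientHello and then parses it the way a passive observer on the path (ISP, hotspot, VPN provider) can, pulling out the plaintext Server Name Indication. The hostnames and the record layout below are constructed test input; the parser only walks the standard ClientHello structure. The one caveat a practitioner should know: Encrypted Client Hello (ECH), where deployed by both browser and site, hides this field, which is why it matters more than a VPN for this particular leak.

```python
import struct
from typing import Optional


def build_client_hello(hostname: Optional[str], extra_ext: bool = True) -> bytes:
    """Construct a minimal TLS ClientHello record (constructed test input, not a capture).

    Layout: record header, handshake header, legacy_version, random, session_id,
    cipher_suites, compression_methods, extensions. The server_name extension
    (type 0) carries the hostname in the clear; supported_versions (type 43)
    is added so the parser has a second extension to step over.
    """
    exts = b""
    if hostname is not None:
        name = hostname.encode("idna")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    if extra_ext:
        body = b"\x02\x03\x04"                                       # supported_versions: TLS 1.3
        exts += struct.pack("!HH", 0x002B, len(body)) + body
    body = (
        b"\x03\x03"                                 # legacy_version TLS 1.2
        + bytes(32)                                 # client random (zeros; constructed)
        + b"\x00"                                   # session_id length 0
        + b"\x00\x02\x13\x01"                       # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                               # compression methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello record, or None if absent.

    Everything read here is plaintext: the TLS handshake only becomes encrypted
    after the key exchange, so any on-path observer can do exactly this.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                   # skip handshake type + 3-byte length
    p += 2 + 32                             # legacy_version + random
    sid_len = hs[p]; p += 1 + sid_len       # session_id
    cs_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2 + cs_len   # cipher_suites
    cm_len = hs[p]; p += 1 + cm_len         # compression_methods
    if p + 2 > len(hs):
        return None                         # no extensions block at all
    ext_len = struct.unpack("!H", hs[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[p:p + 4]); p += 4
        data = hs[p:p + elen]; p += elen
        if etype != 0x0000:
            continue                        # not server_name; step over it
        q = 2                               # skip server_name_list length
        while q + 3 <= len(data):
            ntype = data[q]
            nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
            q += 3
            name = data[q:q + nlen]; q += nlen
            if ntype == 0:
                return name.decode("idna")
    return None


if __name__ == "__main__":
    # What the observer learns from one connection, despite TLS encrypting the rest.
    for host in ("example.com", "bank.example", None):
        print(host, "->", extract_sni(build_client_hello(host)))
```

Run it and the observer-side view is a hostname per connection: that, plus the destination IP and the timing, is the metadata a VPN moves from your ISP to your VPN provider. It does not remove it from the path; it changes who is on the path.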
If we are talking about the average consumer, the point is valid.
Moreover, VPN providers could even perform a man-in-the-middle and swap certificates.
The thread is about whether VPNs have a use now that browsers usually have encrypted DNS and most websites are encrypted. I pointed out something VPNs do that browsers do not: obfuscate your IP address.
“They might lie and collect data” is true about browsers as well, insofar as it’s a relevant point.
If 95% of hammers on the market shattered as soon as you used them, would you say that hammers are useless? No, you’d say “get a good hammer”.
If someone uses Chrome and syncs their history to Google, then they can use the most trusted VPN in the world and yet their browser will have betrayed them.
I should maybe say what I do when travel inhibits my use-cases: I open a tunnel into my homelab from which I present an outward internet face.
I look nearly the same regardless of my physical location: VPN blockers are unable to distinguish.
The only downside is increased latency.
@snarfed.org Website SSL only offers encrypted exchange between you and the website. Anything you do within the website is generally safe.
VPN offers encryption between you and your ISP (and in extension, your government).
Q: But doesn’t it mean you have to trust your VPN since they can see which sites you’re visiting since encryption happens at the VPN network?
A: Yes.
There is a solution to that, TOR with Exit.
TOR with Exit will hide your requests from you to your VPN.
👉 TOR > VPN > SSL website
Some also do this: TOR > VPN > TOR > SSL website. It will hide from the website if you’re using a VPN (which can help bypass anti-VPN blocks).
Of course, one could argue that using TOR is not as anonymous as people assume.
I’ve seen this setup: I2P > VPN > TOR > SSL website.
But all that is useless if we’re mixing casual with sensitive. Like using the same browser for both.
Then again, it all depends on what one wants to achieve:
– anonymity
– security
– both
And for what or from whom:
– ISP / Government
– Circumvention of blocks and National firewalls / orders
– Are you a whistleblower that needs extreme anonymity and security (you better use e2ee communication too, among others)
For example, if you’re from China, you definitely want to use a VPN (even if it is illegal) to circumvent firewall blocks and make it hard for Big Brother to monitor you.
Or, if you don’t like ISPs/governments snooping.
For example, ISPs can actually spoof your SSL connection to a website. The browser will still detect that the SSL cert is valid. ISPs have a tool to do that. I blogged about it a few years back. It’s a false assumption that it can’t be spoofed and browsers will detect it. If it’s done on the ISP level, it is possible.
Circumnavigating geographical restrictions
Accessing out-of-region streaming content is such a big usecase they actively advertise it.
@snarfed.org They are used for censorship circumvention and for privacy (to hide IP address).
Basically no value beyond (crudely, in the grand scheme of things) obfuscating your current geographical location.
I say “crudely” because while an IP says one thing, we probably betray our true location in a myriad of ways a VPN can never block.
I think it’s:
1) like people say, getting around various restrictions
2) encrypted DNS isn’t rolled out widely yet, and some sites are sometimes not HTTPS, so if it’s important to you that your ISP doesn’t see some things you’re opening… (might also be more important when traveling or on free WiFi)
And I think “your ISP isn’t recording what sites you visit” is something that might be getting more and more important for Americans right now…
It does obfuscate your location. I think IP address info still ends up in the metadata of emails but I would have to double check that.
Plus coffee shops, added protection there.
No longer part of the email metadata that I can see (I swear it was there at least back in ~2001 … I don’t think I can tell a certain story in 300 characters.)
Point still stands that VPNs are a bit of peace of mind about giving out location info less.
Hiding your IP, definitely!
I don’t see the value for coffee shops or other “untrusted networks” though, that was my point about SSL in the original thread.
This has been about 8 years now, and I’m not sure how viable SSL strip is nowadays. I found that a local bank I used had a username input on their landing page. No SSL, you would enter the username for your account, redirect to the online banking software that had SSL. Well I found out I could do…
ARP spoofing so I would get users’ traffic directed to my device for a MITM attack. I could then run SSL strip on that redirect and grab the cookie to login. This is pretty dated, most sites force SSL but with how local places are sometimes I wouldn’t be surprised if this still works somewhere.
I see a decent bit of questionable security with various sites at my day job. A lot of software that’s not the newest, but is critical to those who use it.
*disclaimer I didn’t leverage the attack beyond a proof of concept and reported it to the bank. They resolved it pretty quickly
The coffee shop argument sounds like an edge case? You would need a plaintext website, WiFi network for a commercial VPN to be worth IMO
Not that it’s impossible, but certainly rare these days
Yes! Great example, good argument for HSTS, which fortunately is already pretty widespread these days
Ooooo nice, never thought about it as a network troubleshooting tool!
Metadata collection laws in Australia. All ISPs hoard your metadata.
Meaning if the eye of sauron happens upon you they can see all the filthy websites you’ve visited. Your interests. etc.
Nobody has actually come out and said it yet: accessing pornography in a state that blocks pornography.