Gaming The VPN Fallacy

[dAVID_]

Lately (in these past years) I've seen VPN services promoted across the internet. I think a lot of people who use VPNs have been manipulated into believing that a VPN is a silver bullet for privacy. However, this couldn't be farther from the truth.

In this thread I'll be going through what I think are some of the common myths/misunderstandings/falsehoods about VPNs.

Why VPN services will not give you the privacy they advertise.

Unfortunately, your IP address isn't the only data point that companies use in order to track you. Information about your computer, like your operating system, the fonts you have installed on your system, your monitor size, your WebGL fingerprint, and other data is used to uniquely identify users.

There are ways to reduce fingerprinting. This can be achieved by using Mozilla Firefox with several add-ons and modifications, or, better yet, using Tor Browser on the safest security setting, which has very strong protection against fingerprinting.

However, one tradeoff is that this will require disabling JavaScript whenever possible, which will break a lot of sites. However, this is essential for preventing fingerprinting.

"But why would I want to use Tor Browser if I can simply use a VPN along with a hardened version of Firefox?".

Unfortunately, all VPNs have a major flaw: Trust. In order to use a VPN you must have absolute trust that your provider will not log your data, or provide to a third party, or somehow collaborate with authorities. You're putting all your trust in single point, and that's the problem!

Tor Browser directs your traffic through three different nodes. Unlike a VPN, you can be sure that the Tor Project isn't logging your data, since Tor is open source software. Additionally, in order to deanonymyze a Tor user, an adversary must compromise your first and last node (traffic correlation attack).

This is an improvement over a VPN, since there is no single point of failure.

"But Tor Browser is a lot slower compared to using a VPN with Firefox!".

Privacy often comes with tradeoffs, and Tor Browser will make your connection slower, due to the fact that it encrypts your data (only the exit node can see unencrypted data).

"Using a VPN can protect me when I'm using public WiFi".

Since anyone with a laptop and Wireshark can do packet sniffing on a public network, it might be a good idea to use a VPN in order to connect to websites. However, you must consider that a lot of sites use HTTPS, which is like regular HTTP but with encryption. You're only at risk of packet sniffing if your connection is done over plain HTTP.

But, if you also don't want an adversary to know which sites you visit, then using a VPN might be a good idea, though Tor also masks the IP address of the sites you visit.

"But I regularly torrent and my ISP will send me letters if I keep on doing it".

You might think a VPN is necessary at this point. Think again. Instead of using a VPN, you can get a seedbox. A seedbox (as the name suggests) does the torrenting for you. Once it's done, it'll keep seeding perpetually (very useful if you're on a private BT tracker) and you'll be able to download the file anonymously.

My conclusion:

• VPN services use misleading marketing in order to manipulate the public into believing that they are a simple privacy solution.

• VPN services can never be completely trusted, as it is impossible to verify their claims without resorting to some third party.

• If you really want privacy, using Windows/macOS is definitely not an option.

• If you torrent and live in a country that might get you in trouble for it, a seedbox is a good idea. If you can't access a torrent site due to blocking, you can use Tor.

 

[spectral]

I use one but for using US/CA netflix and Funimation.

 

[dAVID_]

I use one but for using US/CA netflix and Funimation.

Good point. I did miss that.

 

[The Real Jdbye]

Lately (in these past years) I've seen VPN services promoted across the internet. I think a lot of people who use VPNs have been manipulated into believing that a VPN is a silver bullet for privacy. However, this couldn't be farther from the truth.

In this thread I'll be going through what I think are some of the common myths/misunderstandings/falsehoods about VPNs.

Why VPN services will not give you the privacy they advertise.

Unfortunately, your IP address isn't the only data point that companies use in order to track you. Information about your computer, like your operating system, the fonts you have installed on your system, your monitor size, your WebGL fingerprint, and other data is used to uniquely identify users.

There are ways to reduce fingerprinting. This can be achieved by using Mozilla Firefox with several add-ons and modifications, or, better yet, using Tor Browser on the safest security setting, which has very strong protection against fingerprinting.

However, one tradeoff is that this will require disabling JavaScript whenever possible, which will break a lot of sites. However, this is essential for preventing fingerprinting.

"But why would I want to use Tor Browser if I can simply use a VPN along with a hardened version of Firefox?".

Unfortunately, all VPNs have a major flaw: Trust. In order to use a VPN you must have absolute trust that your provider will not log your data, or provide to a third party, or somehow collaborate with authorities. You're putting all your trust in single point, and that's the problem!

Tor Browser directs your traffic through three different nodes. Unlike a VPN, you can be sure that the Tor Project isn't logging your data, since Tor is open source software. Additionally, in order to deanonymyze a Tor user, an adversary must compromise your first and last node (traffic correlation attack).

This is an improvement over a VPN, since there is no single point of failure.

"But Tor Browser is a lot slower compared to using a VPN with Firefox!".

Privacy often comes with tradeoffs, and Tor Browser will make your connection slower, due to the fact that it encrypts your data (only the exit node can see unencrypted data).

"Using a VPN can protect me when I'm using public WiFi".

Since anyone with a laptop and Wireshark can do packet sniffing on a public network, it might be a good idea to use a VPN in order to connect to websites. However, you must consider that a lot of sites use HTTPS, which is like regular HTTP but with encryption. You're only at risk of packet sniffing if your connection is done over plain HTTP.

But, if you also don't want an adversary to know which sites you visit, then using a VPN might be a good idea, though Tor also masks the IP address of the sites you visit.

"But I regularly torrent and my ISP will send me letters if I keep on doing it".

You might think a VPN is necessary at this point. Think again. Instead of using a VPN, you can get a seedbox. A seedbox (as the name suggests) does the torrenting for you. Once it's done, it'll keep seeding perpetually (very useful if you're on a private BT tracker) and you'll be able to download the file anonymously.

My conclusion:

• VPN services use misleading marketing in order to manipulate the public into believing that they are a simple privacy solution.

• VPN services can never be completely trusted, as it is impossible to verify their claims without resorting to some third party.

• If you really want privacy, using Windows/macOS is definitely not an option.

• If you torrent and live in a country that might get you in trouble for it, a seedbox is a good idea. If you can't access a torrent site due to blocking, you can use Tor.

Seedboxes are way more expensive than VPNs. But yeah, I don't agree with how many YouTubers are shilling VPNs as a must have for everyone on the planet and that if you don't use one at all times everyone can see what you're doing. For a casual PC user, that might be a fine explanation, as they probably wouldn't care about the specifics of how VPNs work and when they are a good idea to use. But these are all tech channels, they should know better.
I would say that a VPN is only necessary in very specific circumstances (on a public wifi accessing sites over HTTP, or when torrenting in a country where you might get contacted by your ISP)
BTW, Tor is not slow because it encrypts your data. VPNs and HTTPS also encrypt your data with little to no impact on speed. Tor is slow because the network is ran by volunteers, and often the connections on the nodes aren't great, or they're being overloaded by the sheer number of people using Tor. I would not use it for torrenting, video streaming or much of anything really, it's simply far too slow. But it does the job if you're on a public wifi and don't want anyone snooping on your traffic.
A VPN is just fine for protecting yourself from your ISP sending you piracy warnings, or protecting yourself from snooping by 3rd parties when on public wifi. But you are right, there's no way to know for sure that they don't log any data. So you shouldn't trust them for anything illegal enough that law enforcement might want to dig deep. But for the purposes they're advertised for, they're just fine -- your ISP probably logs more data than they do, anyway.

 

[dAVID_]

Seedboxes are way more expensive than VPNs. But yeah, I don't agree with how many YouTubers are shilling VPNs as a must have for everyone on the planet and that if you don't use one at all times everyone can see what you're doing. For a casual PC user, that might be a fine explanation, as they probably wouldn't care about the specifics of how VPNs work and when they are a good idea to use. But these are all tech channels, they should know better.
I would say that a VPN is only necessary in very specific circumstances (on a public wifi accessing sites over HTTP, or when torrenting in a country where you might get contacted by your ISP)
BTW, Tor is not slow because it encrypts your data. VPNs and HTTPS also encrypt your data with little to no impact on speed. Tor is slow because the network is ran by volunteers, and often the connections on the nodes aren't great, or they're being overloaded by the sheer number of people using Tor. I would not use it for torrenting, video streaming or much of anything really, it's simply far too slow. But it does the job if you're on a public wifi and don't want anyone snooping on your traffic.
A VPN is just fine for protecting yourself from your ISP sending you piracy warnings, or protecting yourself from snooping by 3rd parties when on public wifi. But you are right, there's no way to know for sure that they don't log any data. So you shouldn't trust them for anything illegal enough that law enforcement might want to dig deep. But for the purposes they're advertised for, they're just fine -- your ISP probably logs more data than they do, anyway.

I think the slowness of Tor is a bit exaggerated. For instance, I've watched 720p on Tor with minimal issues. It's definitely trash for video streams, which require low latency.

 

[The Real Jdbye]

I think the slowness of Tor is a bit exaggerated. For instance, I've watched 720p on Tor with minimal issues. It's definitely trash for video streams, which require low latency.

It varies a lot, you may have to switch nodes multiple times before you find one that is fast enough.

 

[dAVID_]

It varies a lot, you may have to switch nodes multiple times before you find one that is fast enough.

I've switched circuits several times, and I can still view the video well. Though it might be that my entry node is very fast, since entry nodes only change every month or so.

 

[Armadillo]

I have one.

Geolocked content. Netflix did crack down, but there's plenty elsewhere that haven't cracked down yet/if at all to enjoy.
UK ISPs are block happy and block a ton of stuff. Easier to just sit on the vpn than jump onto a proxie or whatever everytime you want to go somewhere that is blocked.
UK ISPs log every connection and store for 12 months. Sure only have the word of the vpn provider, but no vpn=definitely logged by isp. Vpn=maybe, maybe not.
Wank pass. UK wanted to make you sign up to a pass for adult content. Shelved for now, but I'm sure they will dust it off whenever the next pressure group says "think of the children".

 

[The Real Jdbye]

I have one.

Geolocked content. Netflix did crack down, but there's plenty elsewhere that haven't cracked down yet/if at all to enjoy.
UK ISPs are block happy and block a ton of stuff. Easier to just sit on the vpn than jump between proxies or whatever everytime you want to go somewhere that is blocked.
UK ISPs log every connection and store for 12 months. Sure only have the word of the vpn provider, but no vpn=definitely logged by isp. Vpn=maybe, maybe not.
Wank pass. UK wanted to make you sign up to a pass for adult content. Shelved for now, but I'm sure they will dust it off whenever the next pressure group says "think of the children".

You can still get around Netflix' VPN detection with something like Unlocator.
Yeah, VPN is always gonna have better privacy than your ISP does. Which depending on what you're doing is probably enough.

 

[UltraDolphinRevolution]

I've never heard of the Tor browser. I will give it a try.
I used shadowsocks in China in order to access youtube, but it no longer works (at least the 3 servers I know, do not).

 

[dAVID_]

I've never heard of the Tor browser. I will give it a try.
I used shadowsocks in China in order to access youtube, but it no longer works (at least the 3 servers I know, do not).

In order to access Tor in China you'll need to use a bridge. Use the built in meek-azure pluggable transport. China can't block it because that would mean blocking Microsoft Azure.

 

[UltraDolphinRevolution]

In order to access Tor in China you'll need to use a bridge. Use the built in meek-azure pluggable transport. China can't block it because that would mean blocking Microsoft Azure.

I will ask a relative to send me the .exe.
Hope I can find the option you mentioned. Is it just a matter of clicking on something within the program?

 

[dAVID_]

I will ask a relative to send me the .exe.
Hope I can find the option you mentioned. Is it just a matter of clicking on something within the program?

Also, I'd recommend you download Tor directly from torproject.org, since there are fake versions of Tor that have spyware implanted.

 

[chrisrlink]

yeah but they also discourage downloading anything on tor cause it unhides you (or so they say i think it's a speed issue)i only use vpn to bypass mega's 5gb dl limit i always knew never to trust vpn's 100% thus i never torrent

 

[dAVID_]

yeah but they also discourage downloading anything on tor cause it unhides you (or so they say i think it's a speed issue)

Downloading over Tor doesn't deanonymize you per se, but opening something you downloaded might.

 

[UltraDolphinRevolution]

After installing it, I thought it wouldn't work because it always failed to connect (the green bar did not fill much).
But I recently just opened another file instead and now it works (very very slowly, but it works).

I think the browser actually tells you when you are no longer anonymous.

 

[dAVID_]

After installing it, I thought it wouldn't work because it always failed to connect (the green bar did not fill much).
But I recently just opened another file instead and now it works (very very slowly, but it works).

I think the browser actually tells you when you are no longer anonymous.

Just make sure you're using the meek-azure pluggable transport, or chinese authorities might realize.

 

[ghjfdtg]

Maybe late to the party but https over public WiFi is far from bulletproof. There is https stripping which still works with older browsers. Newer ones have mitigations against this but i would not rely on them. You are also still leaking unencrypted traffic like DNS requests but it's up to you if this is a problem. I don't think anyone needs to know what sites i'm visiting.

Tip: If you only need a VPN for stuff like public WiFi and you have a decent connection at home just setup a VPN server like wireguard and connect to it. Costs you nothing. A few routers even have VPN servers built in you can enable.

But yeah, for a lot of cases they are advertising for it's pure snake oil.

 

[dAVID_]

Maybe late to the party but https over public WiFi is far from bulletproof. There is https stripping which still works with older browsers. Newer ones have mitigations against this but i would not rely on them. You are also still leaking unencrypted traffic like DNS requests but it's up to you if this is a problem. I don't think anyone needs to know what sites i'm visiting.

Tip: If you only need a VPN for stuff like public WiFi and you have a decent connection at home just setup a VPN server like wireguard and connect to it. Costs you nothing. A few routers even have VPN servers built in you can enable.

But yeah, for a lot of cases they are advertising for it's pure snake oil.

While HTTPS stripping might be possible with a MITM attack, most web browsers will display a special icon when a site does not have HTTPS. In other words, even if this attack is a possibility, you can simply avoid it by using common sense and not sending sensitive information like passwords over plain HTTP. Of course, some old sites are still using plain HTTP, but in that case you could simply connect to them via Tor Browser.

 

[ghjfdtg]

The lock icon is often confusing for non-tech savvy. On sites like this one you will (sometimes) get warnings of mixed content (secure site but insecure content pulled in from other sources).

As said, if you just want a secure tunnel and not a different IP you can setup a VPN server at home for free.