Sat Jul 18, 2020, 01:29 PM

Why should you trust *your* VPN???

VPN services sound like a great idea. Send all your traffic (encrypted) to a VPN server and they fan out to the internet at large. So someone snooping on your traffic (e.g. your ISP) won't see anything about you but traffic to and from your VPN.

But ... now you must trust your VPN provider, since they will have all your traffic flowing through them.

And a lot of VPNs are not local to the US. Many are hosted in unfriendly waters. They are obviously high value targets for state-sponsored (and random) hacking.

This article showed up today writing about several VPN services in Hong Kong. All of them advertise "no logs kept" ... and all of them are keeping logs. And even keeping them in publicly accessible places.

https://www.theregister.com/2020/07/17/ufo_vpn_database/

... seven Hong-Kong-based VPN providers – UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all share a common entity, which provides a white-labelled VPN service. And they were all leaking data onto the internet

... records of websites visited, connection logs, people's names, subscribers' email and home addresses, plain-text passwords, Bitcoin and Paypal payment information, messages to support desks, device specifications, and account info.


Security is hard, the fear is strong, and the combination makes VPN services a ripe field for fraud.

Replies to this discussion thread
19 replies (Author, Time, Post)
Why should you trust *your* VPN??? (Original post)
CloudWatcher Jul 2020 OP
discntnt_irny_srcsm Jul 2020 #1
cayugafalls Jul 2020 #3
discntnt_irny_srcsm Jul 2020 #7
Ferrets are Cool Aug 1 #17
cayugafalls Aug 1 #18
Ferrets are Cool Aug 1 #19
CloudWatcher Jul 2020 #4
SWBTATTReg Jul 2020 #2
CloudWatcher Jul 2020 #6
cayugafalls Jul 2020 #5
CloudWatcher Jul 2020 #8
douglas9 Jul 2020 #12
CloudWatcher Jul 2020 #14
Miguelito Loveless Jul 2020 #9
CloudWatcher Jul 2020 #10
kag Jul 2020 #11
douglas9 Jul 2020 #13
CloudWatcher Jul 2020 #15
douglas9 Jul 2020 #16

Response to CloudWatcher (Original post)

Sat Jul 18, 2020, 01:50 PM

1. Using a VPN marks you as being suspicious

People worthy of suspicion are usually suspicious themselves and probably would use a VPN as a first line. Even if you find a VPN that really keeps no logs and is in a non-cooperating country, there's probably enough metadata collected which is likely precise enough to generally narrow down who you're connecting with.

I'm not sure I would trust the VPS type doings either.


Response to discntnt_irny_srcsm (Reply #1)

Sat Jul 18, 2020, 02:01 PM

3. How does a vpn mark you as being suspicious?

Hundreds of thousands, possibly hundreds of millions of VPNs are being used currently to access work networks all across the globe during the pandemic. VPNs are everywhere. Hundreds of millions of connections per hour. Distilling the nefarious usage from the good is not something that would be worthwhile, except to maybe catalog all VPN connections and then parse them individually using a supercomputer to weed out corporate from personal.

I agree VPNs aren't perfect, but they are better than a raw connection to the internet if merely for the added protection from ads and marketing data collection. Just because someone uses a VPN does not necessarily mean they are a bad actor.

To each his own. I worked in IT for 30 years and VPNs are ubiquitous and used constantly. Fear or not, they work.


Response to cayugafalls (Reply #3)

Sat Jul 18, 2020, 02:26 PM

7. I use a VPN to access an internal work network

I have since 2007. I have 2 VPNs running from my home network for LAN access from the internet. I'm not grouping the traffic by protocol or port. I'm thinking of certain entities that would group traffic by the dozens or hundreds of IPs associated with certain servers. If you don't think governments are subscribing to VPNs for that purpose, think again.

I'm suggesting that the VPNs offering public service and promising anonymity may not be able to make you anonymous enough.

I infer that the Utah Data Center has exaflop machines with enough storage to hold about 1 TB of data for every IP address on the planet. I base that on info that's 2 years old.


Response to cayugafalls (Reply #3)

Sat Aug 1, 2020, 12:31 PM

17. Can you explain to a VPN newbie why I should use one?

I wasn't even aware of them until recently. I do ALL my business on the interwebs and if it is worthwhile, I certainly don't mind another tax write off.


Response to Ferrets are Cool (Reply #17)

Sat Aug 1, 2020, 01:38 PM

18. Here is a basic guide to what a VPN is and how to use.


Response to cayugafalls (Reply #18)

Sat Aug 1, 2020, 03:43 PM

19. Thank you!


Response to discntnt_irny_srcsm (Reply #1)

Sat Jul 18, 2020, 02:04 PM

4. Virtual Private Servers

I do manage a VPS machine for my own use ... as backup for the email server that I run and as a remote "place to stand" when I'm poking at the Internet. But yeah, I wouldn't trust them more than necessary!

I can't think of a reason to trust any VPN service. There is just too much useful information flowing through them to assume that they are secure and are going to remain secure.

The end of the article has some good advice:

The Register suggests savvy readers wishing to encapsulate at least part of their traffic may want to roll their own VPNs using Trail of Bits' Algo, Google's Outline, or WireGuard, all of which are open source.

Or use a VPN provider, and build into your threat model the fact it can see everything your ISP would otherwise be able to see.


Response to CloudWatcher (Original post)

Sat Jul 18, 2020, 01:54 PM

2. A shame. When I worked for the telephone company, privacy of telephone communications whether...

delivered via land lines, or a virtual network, whatever method, were absolutely hands off for monitoring (other than the normal flow of all traffic via that pipeline to ensure that the network itself was working aok).

Listening in on communications on the links themselves was absolutely a no-no too. You would get fired (and you should be). We had it in our annual rules of business conduct we had to read and sign off on.

I truly respected the company (it was SWBT back then, now ATT) for its strict adherence to these guidelines.


Response to SWBTATTReg (Reply #2)

Sat Jul 18, 2020, 02:13 PM

6. Voice calls.

Well, any student of the NSA will tell you that they have been vacuuming up all the calls they can get their hands on for decades.

James Bamford in 1982's The Puzzle Palace (*) reported that the NSA recorded everything they could get their hands on, and legally only considered it intercepted if reviewed by a person.

But the value of recording everything is much less if it's widely known that they're doing it!


Response to CloudWatcher (Original post)

Sat Jul 18, 2020, 02:08 PM

5. There are solid VPNs out there, you have to research.

They work if you get the right one.

Hundreds of millions of VPN connections are made each hour around the globe during this pandemic in all sorts of business scenarios. There is a difference, though, in that these are point to point connections and thus more secure, but the technology is the same.

If your provider is in the right country and does not have to comply with logging requirements then you're most likely safe. Payments to most providers can be made with bitcoin or even cash in a mailed envelope. You can create an email exclusively for your vpn activities not tied to any other email and thus you have an even smaller footprint.

If you feel the need to get a vpn, do some research, learn about them and make an informed decision.


Response to cayugafalls (Reply #5)

Sat Jul 18, 2020, 02:29 PM

8. Research how?

Other than checking the hosting country, how exactly do you research a VPN? Google?

Being hosted in Hong Kong now makes you vulnerable to Chinese government snooping.

Being hosted in the US makes you vulnerable to our own government snooping.

Being hosted anywhere makes you vulnerable to the bad behavior of the people running the VPN ... either intentional or accidental (e.g. not keeping their systems secure).

Even if they're being run responsibly today, they will always be subject to the laws governing the host systems. Just look at what China is doing and what our government is trying to do.

I'm all in favor of VPN services run by corporations to get their employees safely into their internal networks. They have reasons to keep the system secure.

So of course, VPNs *can* work. But the commercial VPN services that sell to the public and are hosted in Hong Kong? Trust them?

I've been in IT on & off for 40 years. Since the Internet was still called Arpanet.


Response to CloudWatcher (Reply #8)

Sun Jul 19, 2020, 05:44 AM

12. VPN COMPARISON

Welcome to the VPN Comparison! This section is meant to be a resource to those who value their privacy, specifically those looking for information on VPNs (that isn’t disguised advertising). When I started down the path of retaking my own privacy, there was very little unbiased and reliable information with regard to VPNs.

https://thatoneprivacysite.net/#detailed-vpn-comparison


Response to douglas9 (Reply #12)

Sun Jul 19, 2020, 12:32 PM

14. Close, but no.

You'll note that all the VPN services mentioned in the article *claimed* they did not keep logs. And they all did.

It's tough to do a VPN comparison when they lie to you.


Response to CloudWatcher (Original post)

Sat Jul 18, 2020, 03:37 PM

9. You can't trust a VPN, or anyone for that matter

Two people can keep a secret as long as one of them is dead.


Response to Miguelito Loveless (Reply #9)

Sat Jul 18, 2020, 03:45 PM

10. Ouija boards ....

Yes, fortunately ouija boards have not proved to be very useful!

I've long advised people not to put anything in email that they don't want to read in a newspaper someday. The same should be said today about anything you do on the Internet.


Response to CloudWatcher (Original post)

Sat Jul 18, 2020, 05:15 PM

11. Interesting.

Thanks for the heads up.


Response to CloudWatcher (Original post)

Sun Jul 19, 2020, 08:32 AM

13. Browsing Experience Security Check (Cloudflare)

When you browse websites, there are several points where your privacy could be compromised, such as by your ISP or the coffee shop owner providing your WiFi connection. This page automatically tests whether your DNS queries and answers are encrypted, whether your DNS resolver uses DNSSEC, which version of TLS is used to connect to the page, and whether your browser supports encrypted Server Name Indication (SNI).


https://www.cloudflare.com/ssl/encrypted-sni/


Response to douglas9 (Reply #13)

Sun Jul 19, 2020, 01:52 PM

15. Nice

Interesting link, thanks! Though I hadn't heard of 'encrypted SNI' before, it appears to be a reasonable idea, if not exactly taking the internet by storm.

In particular, if your web service is being hosted on a non-shared machine, then encrypted SNI buys you no additional security, since the IP address of the service is unique enough to determine the web server's identity.

But still, it's a step in the right direction.



Response to CloudWatcher (Original post)

Sun Jul 19, 2020, 03:37 PM

16. We are not abandoning Hong Kong

On July 6, Chinese authorities forced through Article 43, a collection of new regulations that gave Hong Kong law enforcement sweeping online surveillance and censorship powers. These rules are an extension of China’s National Security Law, which cracks down on “separatism, subversion, terrorism and foreign interference.”

These laws give Hong Kong police the ability to put people in prison for sharing content online that the government considers “offensive” and foreshadow increased surveillance. There is little doubt the Chinese government will use these exceptional powers to crush Hong Kong’s pro-democracy movement and strictly curtail the freedom of expression.

In light of these developments, we have carefully considered whether ProtonVPN will continue to maintain servers in Hong Kong. After much deliberation, we have decided to keep our servers in Hong Kong, not only because we believe we can keep them secure, but also because we believe in fighting for Hong Kong.


https://protonvpn.com/blog/hong-kong-servers/
