No, but VPNs are a false illusion of privacy. When you use a VPN, you’re really just shifting your trust from your ISP to the VPN company. And governments can just force both to give them the data they have about you
It’s not that simple though. VPN providers in most cases have been externally audited not to store any logs of user activity, meaning they couldn’t comply with government requests of this nature. Generally, their entire legitimacy as companies depends on trust, meaning they have much stronger incentives to actually keep user data private than an ISP does. Of course I agree that using a VPN is no privacy silver bullet, but it’s not like they have zero privacy benefits either.
I agree, and of course it’s a matter of trust. I am trusting what the VPN says when they say…they’re physically incapable of storing logs. NordVPN & I think a couple others both claim their services literally don’t store any logs of any kind.
So the feds could come around & demand info, but they shouldn’t have anything.
It is safe to assume that somebody, somewhere, somehow could be watching you or have the capacity to monitor your web activity. If they gave a shit, if they cared enough to hone in on you. ¯\(°_o)/¯
That’s why you do your research and use a VPN domiciled in a country that won’t budge to requests coming from your country.
This is exactly right. If you really want to browse privately, use Tor.
Either you give your browsing details to the VPN provider or someone else. It’s never really private. I just have a VPN back to my home network. My ISP sees all my porn surfing and I don’t really give a fuck.
Of course, besides the people who fall for the basic “VPN are some magic security device” most people (in particular those that know what they’re getting) always looks for the same thing “which one can I actually trust”.
Even if it’s not government owned you have no idea whose keeping logs, sharing data etc.
So you can really only base your trust on whether the company has come up to any issues with the government and have refused, or has run for a number of years and provide a positive track record. With the changing of laws and how companies work, you also need to regularly check that your they stay respecting privacy and security.
For what it’s worth, a VPN company worth is if it private, security and stands up to scrutiny. The moment trust is lost, the company is meaningless. So that’s something for those that are long lasting.
I believe protonvpn is no log. I hope they make their servers ram only like mullvad eventually though, it would be a great improvement.
Is mullvad good? Are they no log?
Very. They’re probably the best out there. Fully anonymous payments, no log, ram disk servers, audited, I believe they’re open source. I think some downsides they have that I’ve heard is no port forwarding and they don’t have too many servers. However, they’re still very good nonetheless.
Mullvad is the most private a VPN company can get. They literally accept cash by mail.
Mullvad is RAM only for a few months by now, no log since forever and regularly contributes to privacy related topics.
The thing is: you can’t trust a company when they say they are no log or RAM only. But you can trust what info you give them. Mullvad only has my IPs. No info about who I am otherwise. I send them 30€ twice a year and that’s it.
BUT: they don’t allow port forwarding anymore, if you need that, so they are not perfect.
I fear false privacy because a corporation runs it. I’ve never been afraid of a government but I worry about corporate shittery all the time.
I’ve never been afraid of a government
That’s stupid. Government is the one with the guns and prisons.
What “corporate shittery” are you actually afraid of? Having your Netflix cancelled for password sharing?
Or maybe going to jail for torrenting? If that’s the kind of thing you’re afraid of, then who exactly do you think enforces that corporate shittery? It’s the DOJ that investigates your IP and analyzes your traffic and signs the warrant. It’s the cops who kick in your door, take your computer, and put you in cuffs, not Warner Brothers.
Government and capital are two sides of the same coin, but government has the monopoly on violence. You want to give all of them as little on you as possible.
I use a VPN to stop work camps I stay at from knowing what porn I watch, to stop media companies from sending me copyright infringement notifications, and to stop public wifis from having as much info on me.
Its all about threat model. If you’re concerned with government actors then you need to be more secure than just a VPN.
My countries intelligence agency is not working with media companies like that. The cops and courts would eventually enforce some order against me if it ever went to court but more likely is my ISP just ditches me as a customer if I get too many strikes.
to stop media companies from sending me copyright infringement notifications
I mean, your reasons are perfectly valid. Your boss shouldn’t be able to fire you for your porn, but he can. There is no reason any corporation should profit from data you didn’t consent to their collection, but they do. Fuck em, privacy FTW. But this one is specifically my point. Who gives a shit about copyright notices? Hell, why would your ISP disconnect you over some media company’s copyright claim? Why bother avoiding them? Just ignore it and keep torrenting and hop to new ISPs forever, right? Whatever.
It’s because those notices are backed by government force. When the time comes that you’ve violated enough corporate policies, it’s the government that enforces your compliance.
Well there are only three isps here and yes I understand what you are saying but. It never gets as far as government force it doesn’t have too. The ISP will drop me.
Also the ISP is the media company lots of the time, and its only a crime that will go to court and win if I made money distributing copyrighted material.
I don’t want my ISP to know much about what I’m doing either. They aren’t trustworthy, they often get caught illegally shaping traffic and such too.
Yeah see you’re missing the point, which is: While Government and corporate power are to be feared, your ISP is powerless without Government. You want to protect yourself from both.
The ISP will drop me.
Why? That’s losing them money. Seems stupid of them. Because the government forces them to on behalf of another company.
its only a crime
Government determines what a crime is.
that will go to court
The court is the application of government force, and the government is who will get the evidence that turns you from defendant to convict.
and win if I made money distributing copyrighted material.
Oh sweet summer child. I will never understand how that myth remains after the RIAA campaigns.
Besides, even if you win you lose. Lawyers are expensive.
Don’t condescend to me. I understand the link between government and capital and am not an american.
What are you even proposing anyways? I am against government oppression and copyright law in general. All private property is theft from the commons. But in the meantime I will use a VPN because I trust Mullvad in Sweden more than I trust my own ISPs.
If I was committing crimes that were more serious then I would not use a VPN I would use a more robust security model.
My ISP is not powerless without government. They have massive power, they control 1/3rd of all cellular and internet communications. And like I said also control large amounts of satellite TV and cable broadcasting.
Sorry, I thought we were discussing my reply to the comment about (paraphrasing) “I’ve never feared a government, but corporations scare me.” Which is why I focused on that side of things.
I don’t think I said anything that doesn’t apply to non Americans, but ok.
You do know that a corporation who stole bananas convinced the US government to go to war over just profits, right?
Fuck Milton Friedman, by the way.
Still the government you should be afraid of as well in this case, though.
Sure do. That’s literally what my post is about. (or are you addressing OP?)
*History entered the chat *
Why is “governments” the boogeyman that comes to mind? Scammers and thieves would have much more interest in your everyday consumer internet usage.
What exactly do you mean by “scammers and thieves”? The only protection you get from a VPN is privacy from your ISP. That ISP obviously operates in your country (there has to be some physical connection) and is regulated by your government. It’s easy for the government to demand data from the ISP about you (or about certain usage patterns and which users have them) without you knowing, not to mention how easy it is for the ISP itself to monetize your usage data.
A scammer or thief can’t as easily grab hold of that data. If you’re imagining a hacker gaining access to the ISP’s database or network, that’s certainly plausible but it’s just as possible with a VPN provider. I personally don’t think the big commercial VPNs are much more secure than ISPs. Maybe a little.
Haha, nice try governments
This isn’t a community for speculation or conspiracy theories
This isn’t a community for speculation or conspiracy theories
Based on your comment history it seems as if you think you are some kind of community police. You want to go around and tell others what they can post.
The voting system is used for curating content, not you!
This post has 80 upvotes. So, those people have no issue with the post topic.
Read the rules in the sidebar. This post is not violating any of them.
Keep your opinions to yourself or go create your own alternative community.
People will upvote anything to the point that communities have no identity. Unless you think lemmy is somehow different than reddit and won’t share the same fate?
Also it’s weird behavior to read through someone’s comment history
it’s weird behavior to read through someone’s comment history
No it isn’t. It’s the best way to get an idea about the person you’re talking to. If their post history is nothing but obvious trolling, no reason to engage. If they never argue in good faith, don’t argue with them. Etc.
You must have gone pretty far into my history to make that claim about me and just ignored all my other comments which are mostly positive/jokes lol
I didn’t look at your history nor did I make any claims.
It’s not weird when they are saying weird things and you want to find out about their motives.
Reading someone’s comment history when they didn’t say anything “weird” and then cherry picking a couple in a sea of others to make a claim about someone’s character is definitely weird. It’s not like my last 10 comments were the same
Not to mention that most of the time I’ve made comments like this, the post in question gets removed
All? No. But some? I’d be more surprised if I found out none were.
Slightly off-topic rant:
I hate how the ‘VPN’ term has been took over by companies selling services using VPN technology.
VPN was initially ‘Virtual Private Network’ – used to securely connect own (as belonging to an organization or person) devices over a public network. Like securely connecting bank branches. Or allowing employee connect to a company network. And VPN are still used that way. They are secure and provide the privacy needed.
Now when people say ‘VPN’ they often mean a service where they use VPN software (initially designed for the use case mentioned above) to connect to the public interned via some third-party. This is not a ‘private network’ any more. It just changes who you need to trust with you network activity. And changes how others may see you (breaking other trust).
When you cannot trust your ISP and your local authorities those ‘VPNs’ can be useful. But I have more trust to my ISP I have a contract with and my country legal system than in some exotic company in some tax haven or other country that our consumer protections or GDPR obligations won’t reach.
Back to the topic:
I do not believe that all VPN services are owned/funded by governments, but some may be. I don’t have much reason to trust them, they are doing it for money and not necessarily only the money their customers pay them. In fact I trust my government more that some random very foreign company.I cringe when I see people touting VPN services as somehow better than HTTPS.
Sure VPN helps you re-source your IP address but that doesn’t do anything to help the security of online banking.
You know MITM an https website is child’s play, right? If you’re inputting your password on a network you don’t trust you’re doomed. SSL certificates are worthless because they can be easily forged by anyone pretending to be the site as long as they’re between you and the actual site, which they need to be to MITM.
VPN and HTTPS solve different issues, and are better when used together. Most of the time you don’t need a VPN because you trust your home network and ISP, but if you’re using a public access point https does not replace a VPN.
Tell me more about SSL certificate forgery. As far as I know, for a device to trust it, it needs to be signed by a trusted CA. You’d either need to compromise a CA and create your own certificate for the website or make the target device trust a custom CA. In the case of a custom CA, the user explicitly needs to perform an action to trust it. How is this not enough on a public network?
There are several ways, most common is to MITM the address to redirect to a different but similar one, which is unlikely to get noticed since you know you typed the address correctly or you clicked from a trusted link/favourite, then that wrong address has it’s own valid SSL certificate. Another way is to use self-signed certificates, which browsers would warn people about, but apps are not likely to. Also you can MITM the CA themselves, whole you wouldn’t be able to actually pass by them you can do an exhaustion attack and essentially block all certificate exchanges, yes your site won’t have a valid certificate, but neither will any real site, so most people will just ignore the message the browser is showing them because it’s showing it for every site.
None of these methods would fool an attentive educated person, but they might fool someone in a rush. Also even if the attack doesn’t succeed in stealing information it 100% succeeds in blocking access, while I might not be as concerned about blocking my Facebook, blocking my bank might prevent me from doing important stuff, and worse people who need to get into their bank are likely to just wave security warnings out of the way without reading them, especially if they’ve been getting them for everything else and nothing had a problem.
Edit: I also forgot to mention the other ways, there are leaks from CAs constantly, which allow you to either impersonate them or sign other certificates. Sure these get patched rather quickly once found, but after you have the signed certificate from them it’s game over. Also what I was referring in the other post is self-signed certificates, most browsers show a warning about them nowadays, but again you can win by exhaustion.
You went from “MITM TLS is child’s play” to “there are some ways we can social engineer our way around it if the stars align just right” in like one post. You’re clearly not qualified here, stop with the FUD bullshit.
There are cases of malicious/incompetent CAs issuing certificates to parties who don’t own the domains. DigiNotar was the most famous one, and recently there was a Chinese CA (I forgot the name) booted from the list as well. Once they’re detected (browsers report SSL certs they see back to mothership for audit) they would be removed from trusted lists though, so chance that they’re only used for high value targets and can’t be used that often.
Lucky you to be able to trust your ISP. Mine injects ads whenever they can, even hijack DNS and redirect invalid/blocked domains to a page full of ads.
In correct law, that’d be copyright-violation committed by your ISP:
IF the website you hit didn’t authorize your ISP to create a derivative-work,
THEN your ISP adulterating it should be considered commercial-copyright-violation, and stomped by the copyright-lobby.
Notice how this has been going-on for decades, and the copyright-lobby … ignores it, to stomp-on individuals only…
Interesting evidence of “rule of ‘law’”, isn’t it?
Yes, I trust my ISP more than my VPN, but I trust my VPN more than I trust the random wi-fi in the shopping mall. Using a VPN in your house for internet access is pointless, unless you’re purposefully trying to keep your ISP out of the loop for legal reasons, e.g. Torrent, but MITM a VPN is much harder to do than an open wi-fi.
I hate how the ‘VPN’ term has been took over by companies selling services using VPN technology.
Agreed. What they’re really selling is a proxy service, I don’t know why that term isn’t used. The fact that VPN software is used to establish that proxy isn’t relevant, the end result is a proxy.
How is the term “proxy” more appropriate though? It’s also the technical name for a concept that already exists. VPNs are by definition broader in scope than proxies, they work at a lower level of the networking stack and have different capabilities even if most people don’t take full advantage of it. Anyway the point is that it’s not a more appropriate term.
AFAIK the only thing VPN providers let you do, like SurfShark, ExpressVPN, NordVPN, ProtonVPN etc., is to route all of your outgoing traffic through their servers. They don’t allow you e.g. to be in the the same fake LAN as a friend, which is what a VPN does.
Quote from Wikipedia:
A proxy server that passes unmodified requests and responses is usually called a gateway or sometimes a tunneling proxy.
That’s pretty much what those commercial “VPN” providers offer.
They don’t allow you e.g. to be in the the same fake LAN as a friend, which is what a VPN does.
That’s not what a VPN does, that’s what a VPN can do, if desired. What a VPN does is set up an encrypted tunnel between you and some remote network. That’s it. How that remote network is laid out, how the traffic (and also what kind of traffic) is routed into/through/out of that network, and what the clients are allowed to do within are entirely up to the wishes of the network’s owner. It might very well choose to isolate you from all the other clients on the network; that’s not just a possibility, it’s actually one of VPN’s most important, most useful features.
That’s pretty much what those commercial “VPN” providers offer.
Those commercial VPN providers offer you a fully encrypted tunnel that you can route all your network traffic through if you wish. It’s just that people don’t generally use it as anything more than just a proxy. Still, the connection is a textbook VPN connection, it’s there, and it’s capable of things a regular proxy is not, if you choose to make use of them.
This is the prime schizo theory about TOR, but realistically they would need to own every exit node to get you.
I have a pet theory that the CIA has ocilated between both protecting TOR and trying to compromise it depending on the leadership at the moment, because it’s a genuinely useful tool for their needs but also at the same time it undermines some of their goals if people they wouldn’t want using it start using it
I feel that if your government really wanted your secrets, they’d just send goons to your house to beat the fuck out of you.
I have a VPN to protect me from nosey bastard piracy lawyers.
100% this. OP is describing a great plot for an B-tier Hollywood movie, but reality tends to be much less thrilling. Obligatory xkcd.
Yeah and the bonus text is how I think. The CIA, NSA or whoever think you’re too boring to bother with. Even if the VPN was directly owned by the NSA, they don’t really care about whatever fetish porn you’re jerking off to. If you’re some kid still in your edgy socialist phase, they don’t care. Sorry, you’re just a basic bitch to them.
Only one I’d trust is mullvad
Yup.
You know it’s good because nowhere in the internet believes you’re not a bot.
Which means all the bad actors use em.
I like how you can pay in cash. And how you’re account info basically is a wink and a nod.
Proton seems to be pretty good too.
Besides that the claimed “Swiss privacy” is non existent - the Swiss NDB (their intelligence service) has far more rights than most other European agencies - especially against foreigners and still Swiss intelligence History is riddled with scandals - from a system of spy-filed on their own citizens in the 80ies that was on the level of the GDRs Stasi to a recent scandal (January24) that showed that basically all traffic in and out of Switzerland and most within Switzerland is monitored and that the NDB has used its enormous rights very extensively.
Additionally there is a second NSA like agency as well-so while I like Proton as a product I wouldn’t give a shit on their privacy claims.
Their support is terrible. Used it when I moved to China, after a few weeks it stopped working, their support ghosted me on three contact attempts. Never once got a reply or refund. Just silence.
Ok I might be downvoted to shit for this, but why would you move to China? Just curious 🤔
Money. China was my 9th country, I’m a career project manager. Been going all over the world to where interesting projects and of course decent budgets are. Spent 19+ years abroad so far, wouldn’t give up that lifestyle.
I’ve recently read a comment saying the great Chinese firewall somehow “learns” that you are using a VPN. So people doing quick tests “yep VPN works” but then a little later it doesn’t work anymore. No clue if that is true though.
Sort of, they are blocking protocols based on the client-server-handshake. Protocols such as OpenVPN, IKSv2 or WireGuard which have a fixed handshake signature are preemptively blocked. They work occasionally if you are connecting to a previously unknown server, it takes maybe 10-30 min until the signature is identified and the connection killed.
Other VPN providers are using proprietary (home-made) protocols or at least modified ones that are harder to catch. Again others will use obfuscation to hide the actual handshake in some additional overlay traffic. Paired with UDP, where the server doesn’t send an acknowledgment flag back (as is the case with TCP) gives them some extra reach.
So far the only VPN that has consistently worked though is Astrill, I’ve switched there from Proton after about 4 months in the country and am using it in the 5th year now.
Who is gonna listen to the RIAA and MIAA?
Comcast or the CIA?
I’ll take my chances. 🏴☠️
all it’s exaggerated but they are outside yes…
No, bc gvts are themselves owned by companies.