drewdevault.com

[mirror] blog and personal website of Drew DeVault git clone https://hacktivis.me/git/mirror/drewdevault.com.git

Your-VPN-is-a-serious-choice.md (6737B)


---
date: 2019-04-19
layout: post
title: Choosing a VPN service is a serious decision
tags: ["philosophy", "vpn"]
---

There's a disturbing trend in the past year or so of various VPN companies
advertising to the general, non-technical public. It's great that the general
public is starting to become more aware of their privacy online, but I'm not a
fan of these companies exploiting public paranoia to peddle their wares. Using
a VPN in the first place has potentially grave consequences for your privacy -
and can often be worse than not using one in the first place.

It's true that, generally speaking, when you use a VPN, the websites you visit
don't have access to your original IP address, which can be used to derive your
approximate location (often not more specific than your city or neighborhood).
But that's not true of the VPN provider themselves - who can identify you much
more precisely because you used your VPN login to access the service.
Additionally, they can promise not to siphon off your data and write it down
somewhere - tracking you, selling it to advertisers, handing it over to law
enforcement - but they *could* and you'd be none the wiser. By routing all of
your traffic through a VPN, *you route all of your traffic through a VPN*.

Another advantage offered by VPNs is that they can prevent your ISP from knowing
what you're doing online. If you don't trust your ISP but you do trust your VPN,
this makes a lot of sense. It also makes sense if you're on an unfamiliar
network, like airport WiFi. However, it's still quite important that you *do*
trust the VPN on the other end. You need to do research. What country are they
based in, and what's their diplomatic relationship with your home country? What
kind of power do the local authorities have to force them to record & disclose
your traffic? Are they backed by venture capitalists who expect infinite growth,
and will they eventually have to meet those demands by way of selling your
information to advertisers? What happens to you when their business is going
poorly? How much do you trust their security competency - are they likely to be
hacked? If you haven't answered all of these questions yourself, then you should
not use a VPN.

Even more alarming than the large advertising campaigns which have been popular
in the past few months are the push-button VPN services which are coming
pre-installed on consumer hardware and software. These bother me because they're
implemented by programmers who should understand this stuff and know better than
to write the code. Opera now has a push-button VPN pre-bundled which is free and
tells you little about the service before happily sending all of your traffic
through it. Do you trust a Chinese web browser's free VPN to behave in your
best interests? Purism also recently announced a collaboration with Private
Internet Access to ship a VPN in their upcoming Librem 5. I consider this highly
irresponsible of Purism, and actually discussed the matter at some length with
Todd Weaver (the CEO) over email. We need to stop making it easy for users to
siphon all of their data into the hands of someone they don't know.

For anyone who needs a VPN but isn't comfortable using one of these companies,
there are other choices. First, consider that any website you visit with HTTPS
support (identified by the little green lock in the address bar on your web
browser) is already encrypting all of your traffic so it cannot be read or
tampered with. This discloses your IP address to the operator of that website
and discloses that you visited that website to your ISP, but does not disclose
any data you sent to them, or any content they sent to you, to your ISP or any
eavesdroppers. If you're careful to use HTTPS (and other forms of SSL for
things like email), that can often be enough.[^1]

If that's not enough, the ironclad solution is
[Tor](https://www.torproject.org/). When you connect to a website on Tor, it (1)
hides your IP address from the website and any eavesdroppers, (2) hides who
you're talking to from your ISP, and (3) hides what you're talking about from
the ISP. In some cases (onion services), it even hides the origin of the service
you're talking to from *you*. Tor comes with its own set of limitations and
pitfalls for privacy & security, which you should [read about and
understand](https://2019.www.torproject.org/download/download.html.en#Warning)
before using it. Bad actors on the Tor network can read and tamper with your
traffic if you aren't using SSL or Onion routing.

Finally, if you have some technical know-how, you can set up your own VPN. If
you have a server somewhere (or rent one from a VPS provider), you can install a
VPN on it. I suggest [WireGuard](https://www.wireguard.com/) (easiest, Linux
only) or [OpenVPN](https://openvpn.net) (more difficult, works on everything).
Once again, this comes with its own limitations. You'll always be using a
consistent IP address that services you visit can remember to track you, and you
get a new ISP (whoever your VPS provider uses). This'll generally route you
through commercial ISPs, though, who are much less likely to do obnoxious crap
like injecting ads in webpages or redirecting your failed DNS queries to "search
results" (i.e. more ads). You'll need to vet your VPS provider and their ISP
with equal care.

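A minimal self-hosted setup of the kind described above, as an added example
that is not part of the original post: paired `wg-quick` configurations for a
VPS and one client. The tunnel range `10.8.0.0/24`, the uplink name `eth0`, the
port, the documentation address `203.0.113.10` and every `<...>` placeholder are
assumptions to replace with your own values.

```ini
# ---- Server: /etc/wireguard/wg0.conf on the VPS (illustrative values) ----
[Interface]
# Tunnel-internal address of the server; the range is an assumed private one.
Address = 10.8.0.1/24
ListenPort = 51820
# Output of `wg genkey` run on the server. It never leaves the server.
PrivateKey = <SERVER_PRIVATE_KEY>
# NAT client traffic out of the VPS uplink. "eth0" is an assumption; use the
# real uplink interface. IPv4 forwarding (net.ipv4.ip_forward=1) must be on.
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# Output of `wg pubkey` fed with the client's private key.
PublicKey = <CLIENT_PUBLIC_KEY>
# The server accepts only this tunnel address from this peer.
AllowedIPs = 10.8.0.2/32

# ---- Client: /etc/wireguard/wg0.conf on your own machine ----
[Interface]
Address = 10.8.0.2/24
PrivateKey = <CLIENT_PRIVATE_KEY>
# Resolver to use while the tunnel is up. Without this line, queries keep
# going to whatever resolver the local network handed out.
DNS = <RESOLVER_IP>

[Peer]
PublicKey = <SERVER_PUBLIC_KEY>
# Public address of the VPS: the "consistent IP address" sites will see.
Endpoint = 203.0.113.10:51820
# Full tunnel for IPv4. IPv6 is not covered by this line: either add an IPv6
# tunnel address plus ::/0 here, or disable IPv6 locally, otherwise IPv6
# traffic bypasses the tunnel.
AllowedIPs = 0.0.0.0/0
# Keeps the NAT mapping alive when the client sits behind a home router.
PersistentKeepalive = 25
```

Each side brings the interface up with `wg-quick up wg0`; `wg show` then lists
the peer and the time of its latest handshake.
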
Understand who handles your data - encrypted and unencrypted - before you share
it. No matter your approach, you should also always install an adblocker (I
strongly recommend [uBlock
Origin](https://github.com/gorhill/uBlock/#installation)), stick to
HTTPS-enabled websites, and be suspicious of and diligent about every piece of
software, every browser extension, every app you install, and every website you
visit. Most of them are trying to spy on you.

Related articles:

- [VPN - a Very Precarious Narrative - Dennis Schubert](https://schub.io/blog/2019/04/08/very-precarious-narrative.html)
- [The trustworthy of VPN review sites and how affiliate programs affects their opinion](https://www.skadligkod.se/vpn/the-trustworthy-of-vpn-review-sites-and-how-affiliate-programs-affects-their-opinion/)

[^1]: A reader points out that HTTPS can also be tampered with. If someone else administers your computer (such as your employer), they can install custom certificates that allow them to tamper with your traffic. This is also sometimes done by software you install on your system, like antivirus software (which, more often than not, is a virus itself). Additionally, anyone who can strongarm a certificate authority (state actors) may be able to issue an illegitimate certificate for the same purpose. The only communication method I know of which has no known flaws is onion routing on Tor.