I may be dumb wrt this but I really don’t get the VPN business. Why so much advertising for VPNs in particular?
Looking at why someone would want to use a VPN:
- Protection from governments or big businesses: you probably do actual research, not listen to some ad by your favorite gamer
- Protection from scummy ad tracking: Most people still do some research here albeit less carefully. But again, if you’re worried about ad tracking, wouldn’t you worry about a VPN aggressively advertising themselves?
- Access region-locked content: Any VPN works here. This could explain some of the advertising. But still, most VPNs talk a lot about security, and only a small section on region switching. I would imagine if this was the main target audience VPN advertisements would be different.
Are people so gullible that they see an ad for NordVPN, think “oh shit I need to protect my security”, and then buy NordVPN, without questioning at all if it’s worth the money, if there’s an alternative, or why NordVPN advertises on XxGamerClipz? So much that NordVPN makes money off of its ads? And if so, why don’t other companies do this that could better target dumb people?
> Access region-locked content: Any VPN works here. This could explain some of the advertising.
Actually, most of the time your VPN is just going to be blocked entirely by the service: they have a limited pool of IP addresses being shared by users, so the patterns of access of users randomly popping up on their addresses makes even automated bans pretty easy.
To really get this right requires crazy tricks like taking all of the traffic destined for a service and routing it to per-user stable addresses that you cycle much more slowly. NordVPN seems to do this with Disney+, for example. There was a great analysis of this done (but to get it you will need to use an archive site as the author mysteriously deleted it).
The result is that users trying to do this tend to have to keep using different VPN services until they find a server on one that actually works today, and probably in the process keep accumulating subscriptions to "too many" VPN services for "too long". A lot of random review sites are then just claiming to tell you which service is best able to access such content at any time (but honestly, it is a losing battle: there is no obvious way to win this in the long term).
> Actually, most of the time your VPN is just going to be blocked entirely by the service
Actually, my experience is Netflix blocks some of the time; Wikipedia blocks (edits) all of the time (which really pisses me off - I'm logged in!); and nothing else that I use blocks me.
> Actually, most of the time your VPN is just going to be blocked entirely by the service
Doesn't seem to be the case 'most of the time' for non-free VPNs or at least mine. You can definitely access YouTube videos available abroad or BBC iPlayer or whatever. I'm on VPN a 3rd of the time and it's only very occasionally I have issues. Sure, maybe it's worse with some services but not 'most of the time'.
I am doing an implied integral here over all random VPN services and servers, as the person I am replying to said that "any" VPN would work. If you have found one that seems to consistently work for the BBC--and based on their efforts against Disney+, I bet NordVPN would work?--you are now a single data point: if you search for BBC blocked VPN on Google, however, you will see that it is an extremely common issue that the BBC blacklists VPNs from accessing their service.
(FWIW, I could accept an argument that I am not "weighting" my certainly-informal statement well on actual usage figures: if NordVPN and ExpressVPN are even the only two VPNs that work well against the BBC, maybe they are alone a considerable percentage of the market. I am pushing back on the idea that "any" VPN would work, and so I am looking more at the idea of choosing a random brand, equally weighted.)
Actually, you are right. I just tried again and now only 1 of my IPs works for BBC so they are clearly getting more aggressive (or my provider hasn't been changing them as often recently).
I wonder if this will continue with Apple (and my guess is other similarly sized tech companies) offering VPN. In other words, shutting out Apple's VPN might mean losing 5-10% of your market? Probably not but it will certainly be a new situation for so many non-tech people to have easy access to a VPN and Apple likely pushing it as "good for your privacy"
Apple's VPN explicitly maps users to an IP with a [relatively] close IP address[0] (as in, for IP geolocation purposes), and does minimal actual proxying:
> In iOS 15 and macOS 12, Private Relay will apply to all web browsing in Safari, all DNS name resolution queries, and a small subset of traffic from apps.
> Specifically, this will include all insecure HTTP traffic, such as TCP port 80.
So I can see most services not needing to block iCloud Private Relay.
At some point, we're going to have more and more users behind NAT and IP address looks even worse as a device for banning someone. Them making impossible journeys and changing country every five minutes, however, provides more useful information.
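The two signals discussed in this thread (many accounts appearing on one shared exit address, and one account making an impossible journey) can be sketched as detection logic. This is an added example, not part of any comment here; the event format, thresholds, and the constructed log with documentation-range IPs and pre-resolved coordinates are all assumptions.

```python
import math
from collections import defaultdict

# Constructed sample log: (epoch_seconds, account, source_ip, lat, lon).
# lat/lon stand in for an IP-geolocation lookup (assumed, not a real API).
EVENTS = [
    (0,     "alice", "198.51.100.7", 52.52, 13.40),  # Berlin
    (300,   "alice", "203.0.113.9",  51.51, -0.13),  # London, 5 min later
    (600,   "bob",   "203.0.113.9",  51.51, -0.13),
    (900,   "carol", "203.0.113.9",  51.51, -0.13),
    (1200,  "dave",  "203.0.113.9",  51.51, -0.13),
    (0,     "erin",  "192.0.2.44",   48.14, 11.58),  # Munich
    (21600, "erin",  "192.0.2.45",   52.52, 13.40),  # Berlin, 6 h later
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_journeys(events, max_kmh=1000.0):
    """Flag accounts whose consecutive logins imply travel faster than max_kmh."""
    last = {}   # account -> (ts, ip, lat, lon) of the previous login
    hits = []
    for ts, acct, ip, lat, lon in sorted(events):
        prev = last.get(acct)
        if prev is not None and ip != prev[1]:
            hours = max(ts - prev[0], 1) / 3600.0   # avoid division by zero
            km = haversine_km(prev[2], prev[3], lat, lon)
            if km / hours > max_kmh:
                hits.append((acct, prev[1], ip, round(km)))
        last[acct] = (ts, ip, lat, lon)
    return hits


def shared_exit_ips(events, window_s=3600, min_accounts=3):
    """Flag IPs used by at least min_accounts distinct accounts within window_s."""
    seen = defaultdict(list)   # ip -> [(ts, account)]
    for ts, acct, ip, _lat, _lon in events:
        seen[ip].append((ts, acct))
    flagged = {}
    for ip, rows in seen.items():
        rows.sort()
        best = 0
        for i, (start, _acct) in enumerate(rows):
            # distinct accounts seen in the window that opens at this event
            accounts = {a for t, a in rows[i:] if t - start <= window_s}
            best = max(best, len(accounts))
        if best >= min_accounts:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    print("impossible journeys:", impossible_journeys(EVENTS))
    print("shared exit IPs:", shared_exit_ips(EVENTS))
```

The fan-in check on its own would also flag a carrier-NAT address shared by ordinary subscribers, which is why the per-account journey check is the more specific of the two.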
I live in Germany but don't speak (or read) German. Almost all internet sites completely ignore my browser's "preferred language" preference and serve me content in German because I have a German IP address.
So I use a VPN to pretend I'm in the UK, and get English language.
I actually have to turn this off to watch streaming services, because they detect it too easily. The streaming services then cheerfully serve me English UI (because my account preference is for English) but German language content. I understand why, but this is such bullshit.
If you want people to stop using VPNs, then stop assuming that their IP address has anything to do with their physical location, culture, language, bank account region, home address, telephone prefix or anything else.
I lived a bit in Sweden, and got the opposite frustration: everything was in English. Even people would see I'm not Swedish and speak to me in English. How was I supposed to learn Swedish without ever hearing any Swedish? (I did have lessons, but it takes much more time to learn with lessons only)
I'm having the same problem learning German in Berlin - everyone speaks English here and the slightest mispronunciation or "vie bitte?" and they switch to English. Which is appreciated - I'm a foreigner in their country and they're being incredibly hospitable to speak my language - but it makes practising German very difficult.
Also, a Swedish distant relative of mine told me (decades ago) "We Swedes prefer to talk to foreigners in their own language, and keep Swedish as a private language for ourselves". I've never heard that said by anyone else, but it has always stuck with me as a cool idea, and the antithesis of the English ;)
> stop assuming that their IP address has anything to do with their physical location, culture, language, bank account region, home address, telephone prefix or anything else.
The unfortunate truth is that analytics have shown that more users have their browsers configured than an IP that doesn't "match" a language that they understand. Very unfortunate, but it is basically the common case for browser defaults on the internet.
But this is circular reasoning. If every web dev ignores the browser setting and uses IP to determine language then the browser setting is irrelevant and no-one bothers setting it. So the browser setting is inaccurate for the majority of users and the web devs can cheerfully ignore it.
I have started a one-man campaign of creating support tickets for all sites that ignore my browser setting. Join me!
The simple answer is that VPN services are really pretty easy to stand up. There is an enormous menu of VPN services out there, and many of them are basically some slapped-together Ansible playbooks and machines in sketchy datacenters. Running a VPN service is actually advantageous in this regard, because you can place a lot of your infrastructure in the cheapest DC markets and it almost comes off as a feature (look at all those global PoPs!). And now more and more VPN services allow resellers, so you don't even need the Ansible playbooks... you can just sign up to resell.
It's basically the 2010s version of web hosting in that regard, an industry that absolutely proliferated with tiny companies that were ultimately just reselling larger providers or running their own infrastructure very shoddily. It was seen as easy money, and that was true to an extent until they proliferated so much that it was hard to grab many customers... which led to some very heavy-handed advertising pushes.
Consider, for example, the large number of Usenet providers that have affiliated VPN services now... they're priced so cheap it's hard to imagine them making much money off of them, but consider that they're just reselling from a larger Usenet provider that already has a lot of owned capacity and bandwidth. Since Usenet is so storage heavy they may just run the VPN endpoints right on their NNTP servers. It's basically free for them to offer!
It's a bit weird that you omit the main reason for VPNs—avoiding dumb copyright strikes from your ISP when torrenting. To be fair this is a US-only reason. Maybe you live in Bulgaria or Finland.
Finland certainly has its fair share of stories, including them taking your equipment and holding it for lengthy times. We even have our own legal firms specialising in fun letters...
VPNs, much like gas stations, are selling an almost indistinguishable product. Essentially every VPN is fast enough, and secure enough in its selection of software.
The only differences are:
* Undetectable things (they say they don't keep logs, but do they really not keep logs?)
* Price - which they don't want to compete on if they can avoid it
* Reputation - which advertising can buy you a simulacrum of
Some VPN companies have decided the way they're going to stand out in the sea of very similar looking options is by being the company whose name you recognise.
"Secure enough" depends on your threat model. Many VPNs were poorly configured in the past and were leaking information. Only a few (like IVPN) were doing a proper job and had that verified by a third-party audit.
The next big question is jurisdiction. I would never trust a VPN that is based in the US, UK or a similar country where government access is virtually a given.
I use it mainly because my ISP does traffic shaping, videos and images load painfully slow on a full duplex half gigabit fiber connection. We do have a law that makes traffic shaping illegal, but it's not enforced, so the only way around it is to use a VPN.
Funny enough my DnD group has found that we get fewer Zoom drops when we all turn on our VPNs. It is odd that in the age of video conferencing that video conferencing would be unstable due to... presumably the ISP.
I first installed a VPN after receiving a menacing letter from my ISP for torrenting. Then I moved to a country that doesn't care about torrents, but where I could be jailed for liking a wrong facebook post. Still, I don't want G$$gle & Co. to know everything about me. I travel a lot and do fear the wi-fi MITM. So I use a VPN.
> Are people so gullible that they see an ad for NordVPN, think “oh shit I need to protect my security”, and then buy NordVPN
Well not the people serious about VPNs. The ones I consistently see pop up in online discussions about what VPNs to use are Mullvad, ProtonVPN (Because of their Switzerland location), & iVPN (because they're based in a non fourteen-eyes jurisdiction, namely Gibraltar).
Of course jurisdiction doesn't matter since the point-of-presence of the particular VPN country is usually housed in some cheap colocation datacenter that could have questionable ethics and could be feeding logs to adversaries, without the VPN provider even knowing.
Then there's the whole 'we never keep logs' claim which can't be proven. So, caveat emptor folks!
> Then there's the whole 'we never keep logs' claim which can't be proven. So, caveat emptor folks!
It can be trusted with a fair degree of certainty depending on the company. For instance, we know that PIA at the very least was willing to testify under oath that they had no records to provide the US government. Could they be keeping secret logs or have changed practices since? Sure, but at some point the claim seems credible.
Now those flavor-of-the-month budget VPNs that cannot possibly be profitable unless you're the product? Different story.
Parallel construction also isn't out of the question for these VPN providers that have testified under oath. If I were the NSA I'd buy some "no logs" VPN providers that don't provide logs in court, but do have them to make catching criminals much easier.
It doesn't hurt that the "no logs under oath" assertion will no doubt engender trust with the very people you want to log.
> VPN providers that don't provide logs in court, but do have them
That doesn’t make sense. If the provider has the logs, they’ll be presented in court if the company is given a subpoena and the owners are American. No one is going to risk contempt and jail time for their customers.
The appearance of not having logs is useful for both the law enforcement and the VPN owner, so why would they subpoena the logs? The VPN could leak some details to the law and in exchange the law mostly leaves them alone. And the law would get cases where they know that spending their time will pay off: Saying "yeah, the computer repair shop found CP on the guy's computer", thinking "because we told them where to look".
They were bought by Kape Technologies which used to be called Crossrider and has a history of producing malware and the owners used to work at the Israeli version of the NSA.
They were bought by Kape Technologies, an Israeli surveillance firm whose founders have ties to Unit 8200. PIA literally couldn't put up a bigger red flag if they tried.
The issue is that yesterday they may not have kept logs, and today they might, and there's no feasible way to know for sure. Even warrant canaries can't be relied on if the type of warrant requires no notification whatsoever.
They sell fear (with some justification), and then they sell an underperforming product that supposedly addresses that concern.
It would seem that people do [think “oh shit I need to protect my security”, and then buy NordVPN, without questioning ...] or else they would have stopped all that advertising.
There's some truth to the fear they are promoting in some situations. I doubt most consumers are in those situations (ignoring people living under oppressive regimes, as presumably they aren't watching the typical consumer tech videos on Youtube). But like a lot of types of insurance, the consumers are convinced that they need the solution to the problem which they don't really have.
> i think a vast majority of it is people who want to stream content, pirate torrents, etc, without getting a strike letter from their ISP
This use case is definitely very underrated, people usually associate VPNs with higher latency but if your ISP has bad peering to certain locations, which many of them do, a good VPN can do wonders.
I've got another: I don't get a real IPv4 address from my provider, it's all carrier NAT on IPv4. On IPv6 I get a direct connection though. The carrier NAT is often slow and I can't forward IPv4 ports. Using mullvad via IPv6 and IPv6 NAT on my router I can route around the carrier and get much better IPv4 bandwidth and peering at the cost of a worse latency (though it goes from 7 to 25ms for the average game) so it's hardly an issue. That and I can pirate as much as I want with it in Germany.
> Protection from scummy ad tracking: Most people still do some research here albeit less carefully. But again, if you’re worried about ad tracking, wouldn’t you worry about a VPN aggressively advertising themselves?
Importantly, most advertising and tracking does not care what your IP address is, and so a VPN does nothing here unless you can separate your cookies / hardware profile / etc.
I always figured the main reason people used VPNs was to be able to pirate movies and music without getting those letters from their ISP and that all the other reasons were just plausible deniability points.
> why don’t other companies do this that could better target dumb people?
This is the interesting question. I think mostly it's the (correct) fear most businesspeople have of being caught taking advantage of rubes. They fear the social stigma, the impact to their business reputation, and potential litigation. It's the ones willing to take on all this additional risk that go on to rake in cash selling snake oil and magnetic holistic government-grade encryption bracelets.
Insofar as there are shitty ISPs that sell your data, yes. Most ISPs don't though. Also: I trust a VPN based in Gibraltar more than an ISP which is known to sell your data.
You sure? ISPs can, and do, this fairly readily. They wiggle on what “your data is” (“CPNI”) but browsing history via DNS queries is not uncommon (and cheap, to boot).
To play the devil's advocate, does a volunteer have more incentive to keep your data private, or a company whose very business and reputation relies on keeping it private? Is a network that can readily and easily be infiltrated by malicious parties "for free" more trustworthy, or a private network locked down to trusted machines by security engineers, audited by third parties?
Because there is enormous incentive to deanonymize Tor. In 2020, nearly 25% of the network was controlled by a malicious attacker. [1] You had, then, a 1.5% chance of complete and total deanonymization by a single party - a near-certain chance of deanonymization if you heavily used Tor. And this is without any traffic correlation antics.
Turning off the devil's advocate, most "trustworthy" VPNs are almost certainly intelligence gathering operations, claiming "no logs" in court but in reality being a tool for parallel construction. It's too valuable a position for the 3LAs of the world to not have some ownership and stake in major VPNs. Crypto AG-style.
IMHO there is no hope for modern anonymity. Interesting connections will be logged for future deanonymization with quantum computers. In the meantime, mixnets like Nym [2] might emerge to be our saving grace.
I use a VPN purely for torrents. Have a VM with a torrent downloading server. Only way that VM can route beyond the local net is through a static VPN address and the VPN interface. No VPN connection means no internet leakage.
It seems like a throwback to the naive old internet.
Being that it is 2021, it seems absurd to actually believe that some cheap service provider is providing any kind of meaningful privacy. I get the notion of being able to watch BBC or avoid baseball blackouts, but competent content providers block VPNs all of the time… consolidating will only help that effort.
This blog post by a VPN company is totally not biased and not written to promote their totally independent (for now), transparent (for now) business.
I mean they're not wrong, but it's hard to take seriously when they've got a horse in the race.
I subscribe to not one, but two VPN providers, but it's less about anonymity and more about region blocking and the fact that certain sites behave differently if you're out of the country (which, I am on a permanent basis).
This is mostly, I presume, anti-fraud measures that seem to pop up when visiting niche Australian web apps from overseas.
AWS is my favorite VPN in the few cases I have had to use one. Rent the cheapest instance in the region you want, then SSH tunnel your connection. Very simple and quick. Services never blacklist AWS IPs, in fact in many cases they have extra rules to be more permissive because their infrastructure runs on AWS.
A lot of sites freak out, either explicitly or subtly, when getting a connection from a known AWS pool. In a good case, you may get some explicit notification that they don't like your IP and suspect you are a bot. In a bad case, the site would appear subtly broken (i.e. login won't work, or some functionality would refuse to load) and nothing would suggest it's the problem until you try a non-AWS address.
Services that expect to be contacted by robots (which is mostly what runs on AWS) won't blacklist it, but sites that expect to talk to humans very much do so.
Yegor: I like the way you run windscribe and fully believe in your honesty and integrity (in fact, windscribe and mullvad are among the few private vpn providers I've ever recommended). My point wasn't that. It was rather that the primary threat remains security of the setups themselves more so than the ownership. Maybe you don't agree, but that's my view.
That's not what the article is actually saying, and they make some good points in the article about how other VPNs have conflicts of interest. But you're right that this post basically amounts to content marketing rather than a real discussion of the complicated issues at play.
Mozilla (the non-profit that makes the Firefox browser) has a VPN service and not only do I trust them more than these other private companies but I like supporting them as an organization. A VPN is the best thing for a crook or spy to run, so I expect that eventually they will be all run by them, if they aren’t already. Even SSH encrypted content can be man in the middle attacked by SSH proxying, I don’t see how your VPN couldn’t have access to your bank account or anything else you’ve logged into.
These so-called VPNs are only good to bypass Netflix’s regional filters, and shouldn’t even be called VPNs. Nobody should assume these services can be used to improve security or privacy.
As part of a software package I get 1Password, AdGuard, the AdGuard VPN and Malware Bytes, all for the same price as paying for 1Password yearly, so I got the bundle deal.
I often wonder how good AdGuard really is, anyone know about this? I’m aware they use some kind of proprietary connection scheme, but the actual VPN tunnel appears over IPSec, I think it’s the negotiation that is for some reason non standard.
Anyone know anything about this? I am only testing it out cause I get it in this package deal.
Sorry, does anyone in tech actually use a commercial VPN?
I have friends who are non technical who often ask me "what VPN provider should I use?", and my response is usually "Why are you using one?". They often say it's to protect their privacy from... someone, they don't know who. However they never know the privacy policies of their VPN company or how to protect against things like DNS leak.
It seems most people actually use them to watch a streaming service in a different country. This is just piracy with a hat on. I don't understand why they don't just pirate the media without paying anyone a monthly fee and be done with it.
To put it in different terms, if one person robs a bank then it's relatively easy to catch and prosecute that person. If 100,000 people rob a bank at the same time (for $10 each I guess) then it's pretty difficult to catch anyone involved and almost impossible to catch everyone involved.
This post finally inspired me to try out mullvad, and I wish I did sooner. It's actually really easy, and the way they set things up and writing about how they work is a breath of fresh air.
But the several times I've gone looking for a very privacy-focused (but not horrible performing) vpn, I've usually only found 1 or 2 good options. Most of the consolidation list were never the good options.
So a better question is, "Is consolidation of products you shouldn't buy trouble for you?" Probably not.
While not a VPN, it's the sales of Lastpass and Keybase that really bothered me. Those were losses for the consumer.
Small aside: a VPN which sponsors a few dozen youtube tech videos is probably not one you want.
Depends on the country. If you’re downloading 1TB through an Australia VPN, for example, or Taiwan…. The VPN company is going to throttle you or ask you to pay more. There are many other countries that fit that list.
It's unusual for commercial customers to pay for bandwidth on a per-byte-transferred basis. Instead, it's usually on a peak or percentile bandwidth basis. It's not cheap, but once you shell out for say a gbps of transit you can put a very large number of customers on that. The cost of the bandwidth ends up not being that large of a consideration.
Thanks I see. I pay $10 per month for VPN and then 60$ per month for internet so I guess their magnitude of costs is well over 1/6 lower than what I pay for internet
Apart from legal protection, I’ve found that if you are behind a crappy ISP router, bundling a bunch of Torrent connections in one VPN connection can prevent the router from becoming unstable.
It's effectively the same thing. A properly implemented "kill switch" uses the OS firewall to block everything from using your hardware NIC, except the VPN tunnel itself. The "kill switch" name comes from improperly implemented "feature" that kills processes when your tunnel drops for any reason. This is a trash implementation.
> VPN as a protocol is dying.
VPN is not a protocol, what you're referring to is probably OpenVPN, but there are multiple alternatives. It's even possible to use pure SSH as a VPN.