Exclusive: Millions of VPN users endangered by this cross-border intelligence pact

Discussion in 'privacy problems' started by BriggsAndStratton, Apr 22, 2020.

  1. BriggsAndStratton

    BriggsAndStratton, Registered Member (Joined: Aug 28, 2018; Posts: 89; Location: A Galaxy Far Far Away.)
  2. Palancar

    Palancar, Registered Member (Joined: Oct 26, 2011; Posts: 2,218)
    Seems obvious there is NO free lunch. VPNs are no different. Duh!!
     
  3. roen

    roen, Registered Member (Joined: Apr 28, 2020; Posts: 6; Location: ::1)
    Yes and no. There is no such thing as a free lunch - but it's a bit more complex when it comes to VPNs. Stating that free VPNs are inherently evil implies that paid VPNs are not. Which is not true. Too often - especially by those less savvy - VPNs are seen as a magic fix for privacy and security. They are not:
    • Running a VPN requires some hefty resources - especially when doing it properly. Having users pay for a subscription takes away part of the incentive to raise funds in different ways. While certainly feasible to cover the costs and even make money off it, there still is the possibility - for paid providers - to sell data. There still is an incentive to do so.
    • VPN providers can make all sorts of claims, which can't be verified. At least, not in every detail. Yes, there have been court cases before that might indicate that some providers adhere to their no-logging claims, but even then - it is not certain that they don't.
    • Using a VPN means that you move the trust from your ISP to the VPN provider. Which is likely located in a different jurisdiction. Some countries have sane privacy protections - using a VPN in a different country basically evades those protections.
    • You'll need to trust the competencies of the VPN provider to actually secure the traffic flowing from your computer to the VPN provider and keep it secured while being a customer.
    Aside from that, many more aspects weigh in here. Heck, your VPN provider could - theoretically - be a sting operation from three to four letter agencies, comparable with the Crypto AG sting, effectively routing your traffic straight to adversaries you want to escape in the first place.

    That being said, there are some legitimate use-cases, like circumventing location restrictions (think Netflix, BBC iPlayer, etc) or obfuscating your traffic by combining it with much more outgoing traffic. But the latter one is no certainty.

    Tl;dr: rethink whether you actually need a VPN - and if so, consider segmenting your traffic. Not routing one hundred percent to a sole party :)
     
  4. mirimir

    mirimir, Registered Member (Joined: Oct 1, 2011; Posts: 9,198)
    There's no way to really know what's up with any VPN service. Many are now having outside audits done, and open sourcing their apps and networks. And that's refreshing. But the truth is that there are ways to work around all that.

    Even so, you can distribute trust by using nested VPN chains, with each server from a different provider. So adversaries would need to compromise multiple VPN services in order to deanonymize you.

    And then you can combine that with Tor. So you don't need to fully trust the VPN chain or Tor.
     
  5. roen

    roen, Registered Member (Joined: Apr 28, 2020; Posts: 6; Location: ::1)
    Exactly. Open source clients and external audits can entail a secure/hardened client application, without backdoor. It is a first good step. But, unfortunately, we need something like configuration attestation to be really able to verify the claims. And currently, that is a real challenge that might take a considerable time to solve.

    How would a nested VPN chain work? I mean, sure, you can set up your router as a VPN client and then run a VPN from your local machine, but all that does is - yet again - move the trust. The VPN provider that is used on your router can still see your IP, whereas the VPN on your computer is both the entry and exit node. If your habits and behaviour don't change, you are still unprotected from global adversaries. Hence, segmentation of traffic does make a lot of sense.
     
  6. mirimir

    mirimir, Registered Member (Joined: Oct 1, 2011; Posts: 9,198)
    Nested VPN chains distribute trust very much like Tor relays do.
    Yes, and it also sees the server for the VPN in your computer.
    It is the exit node. But it only sees the exit IP of the VPN in the router, and not your ISP-assigned IP.

    So with two VPN services, neither one knows both your ISP-assigned IP and the stuff that you do online.
    I agree, somewhat. I'd call it compartmentalization. That is, you segment traffic in different VMs, using different connectivity paths.
     
  7. deBoetie

    deBoetie, Registered Member (Joined: Aug 7, 2013; Posts: 1,828; Location: UK)
    Distribution of trust can include competing/adversarial jurisdictions.

    In fact, you may be better off with jurisdictions that are hostile to the one you are in: they are less likely to cooperate with your own jurisdiction (as per the x-eyes stuff), and the really nice thing is that - unless you are personally part of the "empire" - they do not care about you, and what's more cannot lock you up.
     
  8. Azure Phoenix

    Azure Phoenix, Registered Member (Joined: Nov 22, 2014; Posts: 1,154)
    What's so exclusive about the article? Isn't this information that is already known?

    Besides having a percentage of what kind of VPNs different people use, there doesn't seem to be anything new or concrete.
     
  9. mirimir

    mirimir, Registered Member (Joined: Oct 1, 2011; Posts: 9,198)
    "Danger" always sells :)
     
  10. roen

    roen, Registered Member (Joined: Apr 28, 2020; Posts: 6; Location: ::1)
    Agreed, compartmentalization is a better phrasing. Qubes has a pretty good foundation for this. Naturally, the user still has to make sure not to mix up different identities in different environments. But that isn't solved with technology, but education of and willingness from the user.
     
  11. mirimir

    mirimir, Registered Member (Joined: Oct 1, 2011; Posts: 9,198)
    @roen - I use distinctive background images.
     
  12. BriggsAndStratton

    BriggsAndStratton, Registered Member (Joined: Aug 28, 2018; Posts: 89; Location: A Galaxy Far Far Away.)
    There are a lot of misconceptions about VPNs and the anonymity they provide. People need to be made aware.
     
  13. longshots

    longshots, Registered Member (Joined: Oct 20, 2017; Posts: 207; Location: Australia)
    and that's a wrap
     