Exclusive: Millions of VPN users endangered by this cross-border intelligence pact

Discussion in 'privacy problems' started by BriggsAndStratton, Apr 22, 2020.

  1. BriggsAndStratton

    BriggsAndStratton Registered Member

    Joined:
    Aug 28, 2018
    Posts:
    89
    Location:
    A Galaxy Far Far Away.
  2. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,305
    Seems obvious there is NO free lunch. VPNs are no different. Duh!!
     
  3. roen

    roen Registered Member

    Joined:
    Apr 28, 2020
    Posts:
    6
    Location:
    ::1
    Yes and no. There is no such thing as a free lunch - but its a bit more complex when it comes to VPNs. Stating that free VPNs are inherently evil implies that paid VPNs are not. Which is not true. Too often - especially by those less savvy - VPNs are seen as a magic fix for privacy and security. It is not:
    • Running a VPN requires some hefty resources - especially when doing it properly. Having users pay for a subscription takes away part of the incentive to raise funds in different ways. While certainly feasible to cover the costs and even make money off it, there still is the possibility - for paid providers - to sell data. There still is an incentive to do so.
    • VPN providers can make all sorts of claims, which can't be verified. At least, not in every detail. Yes, there have been court cases before that might indicate that some providers adhere their no-logging claims, but even then - it is not certain that they don't.
    • Using a VPN means that you move the trust from your ISP to the VPN provider. Which is likely located in a different judisdiction. Some countries have sane privacy protections - using a VPN in a different country basically evades those protections.
    • You'll need to trust the competencies of the VPN provider to actually secure the traffic flowing from your computer to the VPN provider and keep it secured while being a customer.
    Aside from that, much more aspects weigh in here. Heck, your VPN provider could - theoretically be a sting operation from three to four letter agencies, comparable with the Crypto AG sting, effectively routing your traffic straight to adversaries you want to escape in the first place.

    That being said, there are some legitimate use-cases, like circumventing location restrictions (think Netflix, BBC iPlayer, etc) or obfuscating your traffic by combining it with much more outgoing traffic. But the latter one is no certainty.

    Tl;dr: rethink whether you actually need a VPN - and if so, consider segmenting your traffic. Not routing one hundred percent to a sole party :)
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    There's no way to really know what's up with any VPN service. Many are now having outside audits done, and open sourcing their apps and networks. And that's refreshing. But the truth is that there are ways to work around all that.

    Even so, you can distribute trust by using nested VPN chains, with each server from a different provider. So adversaries would need to compromise multiple VPN services in order to deanonymize you.

    And then you can combine that with Tor. So you don't need to fully trust the VPN chain or Tor.
     
  5. roen

    roen Registered Member

    Joined:
    Apr 28, 2020
    Posts:
    6
    Location:
    ::1
    Exactly. Open source clients and external audits can entail a secure/hardened client application, without backdoor. It is a first good step. But, unfortunately, we need something like configuration attestation to be really able to verify the clains. And currently, that is a real challenge that might take a considerable time to solve.

    How would a nested VPN chain work? I mean, sure, you can setup your router as a VPN client and then run a VPN from your local machine, but all that does is - yet again - move the trust. The VPN provider that is used on your router can still see your IP, whereas the VPN on your computer is both the entry and exit node. If your habits and behaviour doesn't change, you are still unprotected from global adversaries. Hence, segmentation of traffic does make a lot of sense.
     
  6. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Nested VPN chains distribute trust very much like Tor relays do.
    Yes, and it also sees the server for the VPN in your computer.
    It is the exit node. But it only sees the exit IP of the VPN in the router, and not your ISP-assigned IP.

    So with two VPN services, neither one knows both your ISP-assigned IP
    the stuff that you do online.
    I agree, somewhat. I'd call it compartmentalization. That is, you segment traffic in different VMs, using different connectivity paths.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,828
    Location:
    UK
    Distribution of trust can include competing/adversarial jurisdictions.

    In fact, you may be better off with jurisdictions that are hostile to the one you are in: they are less likely to cooperate with your own jurisdiction (as per the x-eyes stuff), and the really nice thing is that - unless you are personally part of the "empire" - they do not care about you, and what's more cannot lock you up.
     
  8. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,260
    What's so exclusive about the article? isn't this information that is already known?

    Besides having a percentage of what kind of VPNs different people use, there doesn't seem to be anything new or concrete.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    "Danger" always sells :)
     
  10. roen

    roen Registered Member

    Joined:
    Apr 28, 2020
    Posts:
    6
    Location:
    ::1
    Agreed, compartmentalization is a better phrasing. Qubes has a pretty good foundation for this. Naturally, the user still has to make sure not to mix up different identities in different environments. But that isn't solved with technology, but education of and willingness from the user.
     
  11. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    @roen - I use distinctive background images.
     
  12. BriggsAndStratton

    BriggsAndStratton Registered Member

    Joined:
    Aug 28, 2018
    Posts:
    89
    Location:
    A Galaxy Far Far Away.
    There are a lot of misconceptions about VPNs and the anonymity they provide. People need to be made aware.
     
  13. longshots

    longshots Registered Member

    Joined:
    Oct 20, 2017
    Posts:
    266
    Location:
    Australia
    and that's a wrap
     
  14. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    766
    Location:
    usa
    I have quite a few VPN apps purchased at discount prices, mostly from discount lifetime specials. They are not perfect, they have a lot of different issues, ranging from their Interface to DNS Leaks, etc., but...
    Just some "strange" issues.
    I used to trust Ikev v.2 until recently I've noticed that Ikev 2 is LEAKING. I've informed the support teams of the appropriate VPN apps, but the problem is still there.
    Out of many VPN's, probably, only Windscribe did not leak while using Ikev2, but FastestVPN, VeePN, IVACY, VPNUnlimited, etc., were LEAKING.
    (My favorite DNS leak test is at ipleak org)
    Now, I either use Wireguard, OPENVPN, or TCP, UDP, but NEVER Ikev v.2!

    About browser extentions.
    Firefox - only IVACY did not leak my original IPS DNS servers. All other VPN extensions LEAKED.
    For some reason, I has fewer DNS leaks while using Brave or Vivaldi.

    P.S. Currently using Vivaldi with Wireguard Windows app and IVACY extention.
     
  15. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Counting on apps from VPN providers is iffy. A few that I tested, years ago, didn't leak. But most did.

    The safest bet is using stock open-source apps, plus firewall rules to prevent leaks.
     
  16. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,305
    Find the really long thread we have running in this forum website and pick one of the 5 top superstars from that list. Several of us have hit them from every angle and find them to be solid and about as trustworthy as can be without being on the inside of their systems. Some of us are even on the inside of a few providers providing support and guides for their members behind the scenes. I don't have the time or inclination to inspect or consider any others but those major approved by the sage folks here that know such things. I am not saying these are the only good VPNs only those are trusted, tested, and stand the test of time so far. You do what you want. No PM's on this please.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.