It’s Time to Stop Paying for a VPN (Published 2021)
www.nytimes.com
external-link
Many virtual private network services that were meant to protect your web browsing can no longer be trusted. Here are other ways.
shoe
link
fedilink
21Y

Highly recommend setting up Wirehole on a free tier cloud server. Here’s a link with everything you need, including Docker install:

https://github.com/IAmStoxe/wirehole

@TheAnonymouseJoker@lemmy.ml
banned
link
fedilink
0
edit-2
6M

removed by mod

This article is downright harmful.

HTTPS only ensures the data stream is private and protected, but DNS requests can still leak things like search queries or other bits of identifying info.

If you setup your own VPN in a VPS, it will not protect your privacy since the hosting provider usually can be subpoenaed for information on the owner of a particular server.

How would a DNS request leak a search query? Not much more than the domain name is sent in a DNS query. And likely the OS has the search engine in the DNS cache so each search doesn’t require a DNS query.

You make a search and then you start clicking through the websites in the results. A lot of browsers also do link prefetching, so even just the fact that you open search results will reveal info about the query because your browser might preemptively resolve DNS for result items.

And likely the OS has the search engine in the DNS cache so each search doesn’t require a DNS query.

Cache doesn’t matter, you still have to build up the cache in the first place which will make DNS calls out. The TTL for DNS cache entires is usually pretty short as well at around 5 minutes, so even if you have a cache, your computer will still make DNS calls out periodically at quite a frequent rate. My point is that HTTPS doesn’t prevent third parties from snooping on your browsing habits because it does nothing to hide your DNS queries.

Yes your original point was well made. It just wasn’t clear yet how DNS requests would leak search queries. So more precisely, multiple DNS requests with local cache misses in a short period of time can be used to infer search queries. Like if there are DNS requests for google, amazon, and a botany supplier one after another, then it could be inferred that you searched for something related to shopping and plants.

Thanks for the detailed response!

Fun fact your data isn’t safe anywhere

No, but you can at least choose who you distrust the least with a VPN.

Fly4aShyGuy
link
fedilink
21Y

And at least that entity has some stake in doing what they say they are doing. Proton VPN just to pick one as an example should care a lot about if a story were ever to surface about not being trustworthy as users would leave since that’s it’s only purpose.

My ISP on the other hand probably doesn’t care too much since my choices are A) take it, or B) leave it and go without internet (or drastically subpar services, 5G internet, satellite, etc).

Meanwhile, ISPs actively sell every single byte about you and your browsing habits that they can.

@jsdz@lemmy.ml
link
fedilink
16
edit-2
1Y

I’d believe about 50% of it. Yes, it’s true that many VPN providers are not completely trustworthy. No, that doesn’t mean that they’re all bad or that none of them are worth using.

If you have a need for one, take the time to choose carefully. Setting up your own avoids the burden of having to find a good one, but is even more work and comes with some downsides if your aim is to have any protection against people who might want to track you down through your hosting provider.

Would you say it’s a must for the average Privacy-conscious individual?

Eh, it depends. If you want maximum privacy then it’s probably a good idea. If you’re aware of the risks, have some trust in your ISP, don’t do anything that’s likely to attract unwanted attention, don’t care about making indiscriminate mass surveillance slightly more difficult, and live in a country where there isn’t too much censorship, then not really.

Would you say it’s a must for the average Privacy-conscious individual?

Vultr kicked me for grabbing the latest episodes of Debian 11 AMD_64

[…] I set up a cloud service where my VPN service would be located on Amazon’s web services, a reputable and widely trusted cloud provider. […] After about an hour, I set up a VPN that worked flawlessly. The best part? Not only is it free to use […]

Sorry, what? Last time I checked AWS VPSs were very much NOT free to use, and I’m pretty sure the lowest tier is still more expensive than your average VPN.

Also, this article seems to be arguing against its own points: “you probably don’t need a VPN, but I have one anyway”…

Greg Clarke
link
fedilink
41Y

My guess is they’re using an AWS free tier VM to host a VPN. It’s not a bad option but it can be insecure unless you know what you’re doing

Rikudou_Sage
link
fedilink
81Y

It has a free tier, for 12 months you can run one t3.micro for free. That’s more than enough for a single user VPN. Afterwards it costs like $9 a month for on-demand instances (in the EU, it’s cheaper in the US), at that point you can either switch to reserved instances (which brings the cost down to around $3 or create a new AWS account to enjoy the free tier again.

Arrrticle

I’m done with paying for a virtual private network, a service that claims to protect your privacy when you’re connected to a public Wi-Fi network at the local coffee shop, the airport or a hotel.

For more than a decade, security experts have recommended using a VPN to shield your internet traffic from bad actors who are trying to snoop on you. But just as tech gadgets become outdated over time, so does some tech advice.

The reality is that web security has improved so much in the last few years that VPN services, which charge monthly subscription fees that cost as much as Netflix, offer superfluous protection for most people concerned about privacy, some security researchers said.

Many of the most popular VPN services are now also less trustworthy than in the past because they have been bought by larger companies with shady track records. That’s a deal-breaker when it comes to using a VPN service, which intercepts our internet traffic. If you can’t trust a product that claims to protect your privacy, what good is it?

“Trusting these people is really critical,” Matthew Green, a computer scientist who studies encryption, said about VPN providers. “There’s no good way to know what they’re doing with your data, which they have huge amounts of control over.”

I learned this the hard way. For several years, I subscribed to a popular VPN service called Private Internet Access. In 2019, I saw the news that the service had been acquired by Kape Technologies, a security firm in London. Kape was previously called Crossrider, a company that was named in a research paper by the University of California and Google as being part of an ecosystem of businesses using so-called ad injection technology that could behave maliciously. I immediately canceled my subscription.

In the last five years, Kape has also bought several other popular VPN services, including CyberGhost VPN, Zenmate and, just last month, ExpressVPN in a $936 million deal. This year, Kape additionally bought a group of VPN review sites that give top ratings to the VPN services it owns.

A Kape spokeswoman said that Crossrider, which has long been shut down, was a development platform that was misused by those who distributed malware. She said Kape’s VPN review sites maintained their independent editorial standards.

“It kind of sets a concerning precedent from the consumer standpoint,” said Sven Taylor, the founder of the tech blog Restore Privacy. “As the average user goes online to look for information about the product, do they know that what they’re reading might have been written by the company that owns the end product?”

A caveat: VPNs are still great for some applications, such as in authoritarian countries where citizens use the technology to make it look as if they are using the internet in other locations. That helps give them access to web content they cannot normally see. But as a mainstream privacy tool, it’s no longer an ideal solution.

This sent me down a rabbit hole of seeking alternatives to paying for a VPN. I ended up using some web tools to create my own private network for free, which wasn’t easy. But I also learned that many casual users may not even need a VPN anymore.

Here’s what you need to know.

What Has Changed About VPNs Not long ago, many websites lacked security mechanisms to prevent bad actors from eavesdropping on what people were doing when browsing their sites, which opened doors to their data being hijacked. This helped VPN services become a must-have security product. VPN providers offered to help cloak people’s browsing information by creating an encrypted tunnel on their servers, through which all your web traffic passes.

But in the last five years, the internet has undergone immense change. Many privacy advocates and tech companies pushed for website creators to rewrite their sites to support HTTPS, a security protocol that encrypts traffic and solves most of the aforementioned problems.

You’ve probably noticed the padlock symbol on your web browser. A locked padlock indicates a site is using HTTPS; an unlocked one means it’s not and is therefore more susceptible to attack. These days, it’s rare to stumble upon a site with an unlocked padlock — 95 percent of the top 1,000 websites are now encrypted with HTTPS, according to W3Techs, a site that compiles data on web technologies.

This means that VPNs are no longer an essential tool when most people browse the web on a public Wi-Fi network, said Dan Guido, the chief executive of Trail of Bits, a cybersecurity firm.

“It’s very difficult to find cases where people were harmed by signing on to the airport, coffee shop or hotel Wi-Fi,” he said. These days, he added, the people who benefit from a VPN are those working in high-risk fields and who might be targets, like journalists who correspond with sensitive sources and business executives carrying trade secrets while traveling abroad.

Simple Alternatives So what to do? Fortunately, most of us can secure ourselves online with basic protections that, unlike VPN services, are free, Mr. Guido said.

Importantly, people should keep the software on their devices and web browsers up to date because new software updates include security protections against the latest vulnerabilities, he said.

Another crucial step is setting up online accounts with two-step verification, which requires two forms of verification of your identity before letting you log in. That safeguard can help prevent attackers from gaining access to your data if they obtain your passwords.

For those who would still prefer not to browse the web on a public Wi-Fi network, there’s an easy solution included on most smartphones. The personal hot spot, a feature for wirelessly sharing a smartphone’s cellular data connection with other devices, like your computer, can be activated in the phone’s settings. Many phone plans don’t charge extra to use this feature, though hotspotting does count against the monthly data allotment in your cellular plan.

How to Create Your Own VPN Some people (including myself) still benefit from using a VPN, and not all providers are bad.

Wirecutter, a New York Times publication that tests products, recommends a few that are still trustworthy. But if your next VPN gets bought by a larger company, you may have to vet its trustworthiness all over again. I’m tired of the whiplash, so I created my own private network service.

I turned to Algo VPN, a free tool developed by Mr. Guido that automatically builds a VPN service in the cloud, which shields my browsing activity by allowing me to create a virtual tunnel on an outside server for my internet traffic to pass through.

Following the instructions listed on the Algo VPN project website, I set up a cloud service where my VPN service would be located on Amazon’s web services, a reputable and widely trusted cloud provider. The rest of the steps involved installing some scripts on my computer and typing in commands to generate my VPN.

After about an hour, I set up a VPN that worked flawlessly. The best part? Not only is it free to use, but I no longer have to worry about trust, because the operator of the technology is me.

Lmao, people are just adopting HTTPS in the last 5 years? This article is trash.

VPNs still have some practical uses. In terms of privacy, they can help disconnect your IP from your geographic location. Without a VPN every host you connect to can approximate your location down to a few miles.

They are also useful for bypassing country filters or to appear as if you are in another country.

Finally, if it’s your own VPN server, you can use it to access devices on your LAN even when you are far away, negating the need to have a bunch of sensitive servers exposed to the internet. That is actually the original purpose of a VPN.

Perhyte
link
fedilink
21Y

Without a VPN every host you connect to can approximate your location down to a few miles.

I just tried a few geo-IP lookups of my current IP address, and they all point to a location that (as the bird flies) is almost exactly 100 miles from my actual location. This is despite the ISP I’m using being headquartered in my current city, but maybe they have some infrastructure there?

On mobile data I instead get a location 90 miles away, and if I look up the IP address of another machine I know the exact location of, the result is 60 miles off.

60-100 miles is a pretty generous definition of “a few”.

I think it depends. For my parents place, it literally points at the culdesac that their house is in. For my place, which is located in a relatively new community, it’s about 35 miles out.

You are lucky, for many people it’s a lot closer.

Granixo
link
fedilink
91Y

Well the one advantage of paying for a service is that you can sue them for contract infringement.

But the contract states that they will snoop around your data so?

Granixo
link
fedilink
11Y

They can do that to a specific degree, yes.

But they shouldn’t be able to sell it to others.

they could of course sell “AnOnYmOuS” data ( that is just identified by 1 specific id, that is just ACCIDENTALLY identifiable to you )

Granixo
link
fedilink
21Y

Well it would still be traceable to my persona then.

Correct :D You won the 1st price!

Yup, all “anonymouse” data collection is not really anonym its of course pseudo anonym because the id is not directly calling out hey its from the pc xyz and from the person test, hoooman. Its still in the backend trackable who and where he did it.

You read VPN contracts??

Granixo
link
fedilink
71Y

You don’t?

Well there’s one very important thing a VPN can help you with.

If your ISP doesn’t want you downloading… uh… Linux ISOs, yeah, Linux ISOs, then you can use them to download all the Linux ISOs you want with BitTorrent and not get in trouble with your ISP.

Damn, I hate when I receive a letter from my ISP because I downloaded a Linux distro.

Rikudou_Sage
link
fedilink
41Y

You joke, but I’m 100% sure it has happened at least once before.

@TheAnonymouseJoker@lemmy.ml
banned
link
fedilink
-5
edit-2
6M

removed by mod

I wonder if I’ll get a letter some day, for downloading Linux Mint. Though torrenting itself is perfectly legal here, the important part is the content that’s being torrented

It actually happened to me many moons ago. The Canadian ISP in question sent me an email saying that torrenting was “of disputed legality”(or something) and that someone in my house had torrented Ubuntu! I wish I still had the email but this was mid/late 2000’s.

I got a “warning” from my isp because i installed a VM on my pc.

AutoTL;DR
bot account
link
fedilink
41Y

This is the best summary I could come up with:


Kape was previously called Crossrider, a company that was named in a research paper by the University of California and Google as being part of an ecosystem of businesses using so-called ad injection technology that could behave maliciously.

Not long ago, many websites lacked security mechanisms to prevent bad actors from eavesdropping on what people were doing when browsing their sites, which opened doors to their data being hijacked.

Many privacy advocates and tech companies pushed for website creators to rewrite their sites to support HTTPS, a security protocol that encrypts traffic and solves most of the aforementioned problems.

This means that VPNs are no longer an essential tool when most people browse the web on a public Wi-Fi network, said Dan Guido, the chief executive of Trail of Bits, a cybersecurity firm.

These days, he added, the people who benefit from a VPN are those working in high-risk fields and who might be targets, like journalists who correspond with sensitive sources and business executives carrying trade secrets while traveling abroad.

The personal hot spot, a feature for wirelessly sharing a smartphone’s cellular data connection with other devices, like your computer, can be activated in the phone’s settings.


The original article contains 1,190 words, the summary contains 198 words. Saved 83%. I’m a bot and I’m open source!

Create a post

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

  • Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
  • Don’t promote proprietary software
  • Try to keep things on topic
  • If you have a question, please try searching for previous discussions, maybe it has already been answered
  • Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
  • Be nice :)

Related communities

much thanks to @gary_host_laptop for the logo design :)

  • 0 users online
  • 57 users / day
  • 383 users / week
  • 1.5K users / month
  • 5.7K users / 6 months
  • 1 subscriber
  • 3.11K Posts
  • 77.9K Comments
  • Modlog