I’m Hunter Perrin. I’m a software engineer.
I wrote an email service: https://port87.com
I write free software: https://github.com/sciactive
Shadowsocks doesn’t look anything like HTTPS traffic. It looks like a bare stream cipher over TCP connections to one host with bursts of traffic. HTTPS starts off with a TLS handshake (a client hello, a server hello, the server certificate, then a cipher negotiation and key exchange) before any ciphertext is exchanged. Shadowsocks just starts blasting a ciphertext stream. Even if you run it on port 443, it looks nothing like HTTPS.
Without any sort of cipher negotiation and key exchange, it’s obvious that it’s a stream cipher with a pre-shared key, so this would be automatically suspicious. There’s also not really any plausible deniability here. If they probe your Shadowsocks host and see it running there, that’s all the proof they need that you’re breaking their rules. With a VPN, you could at least say it’s for a project, and with SSH, you could say you’re just transferring files to your own machine.
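The distinction drawn in the comment above, as an added example that is not part of the original comment: a passive classifier for the first client payload of a TCP connection, which either parses as a TLS ClientHello record or is high-entropy data with no handshake framing. The function names, the 6.5 bits-per-byte threshold and the sample payloads are assumptions constructed for illustration.

```python
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext sits near 8, text and protocol headers well below."""
    n = len(data)
    counts = [data.count(b) for b in set(data)]
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def looks_like_client_hello(payload: bytes) -> bool:
    """True if the first bytes parse as a TLS record carrying a ClientHello."""
    if len(payload) < 9:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != 0x16 or major != 3 or minor > 4 or not 4 <= rec_len <= 16384:
        return False
    hs_len = int.from_bytes(payload[6:9], "big")
    # Simplification: assume the ClientHello is not fragmented across records.
    return payload[5] == 0x01 and hs_len + 4 <= rec_len

def classify_first_payload(payload: bytes) -> str:
    """Label the first client-to-server payload of a TCP connection."""
    if looks_like_client_hello(payload):
        return "tls-client-hello"
    if len(payload) >= 64 and shannon_entropy(payload) >= 6.5:  # assumed threshold
        return "no-handshake-high-entropy"
    return "other"

# --- Constructed samples (not captured traffic) ---
def sample_client_hello() -> bytes:
    body = (b"\x03\x03" + hashlib.sha256(b"client-random").digest()  # version, random
            + b"\x00"              # empty session id
            + b"\x00\x02\x13\x01"  # one cipher suite
            + b"\x01\x00"          # null compression
            + b"\x00\x00")         # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", 0x16, 3, 1, len(handshake)) + handshake

def sample_keystream(n: int = 256) -> bytes:
    """Deterministic stand-in for the output of a stream cipher."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

if __name__ == "__main__":
    for name, data in [("tls", sample_client_hello()), ("stream", sample_keystream()),
                       ("http", b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n")]:
        print(name, classify_first_payload(data), round(shannon_entropy(data), 2))
```

The entropy label is a triage signal only: any fully encrypted protocol without a plaintext handshake produces the same result, so it says nothing about which tool generated the traffic.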
I mean, they could have used their eyeballs, but we don’t know, because he didn’t say.
Shadowsocks would work, but I feel like bare stream ciphers over TCP are a dead giveaway that you’re bypassing content restrictions. Especially if they probe that host and see it running. But, what do I know? It’s just my job five days a week.
It very much is. I used it regularly in both high school and college. In high school it was just how I connected to other machines. One of my teachers taught me how to use it. In college we were told to use it by the professor, so at least one entire class was using it for every assignment. That’s pretty normal in any school that has programming or networking courses.
SSH is usually used for work, so it just looks like someone working. Tor is used for nefarious purposes, so it will always look suspicious. VPNs are used to bypass content restrictions, so they will always look suspicious.
They said they got in trouble for Tor, they didn’t say their machine was identified. Even if it was, yet again, there’s nothing suspicious about SSH traffic. SSH traffic looks like work (because it usually is).
And I’ll ask you again, since you avoided the question, what better way is there? What would look more innocent than SSH?
I helped out with my high school network and SSH absolutely would not have looked suspicious. I can’t say for this school, but that was a regular part of the curriculum in mine. Even if it wasn’t, what are you gonna do as a net admin? You have zero evidence that a student is doing something malicious.
I feel like you’re a script kiddy who got called out for being overly confident online, and now you’re grasping at straws. I literally gave you two outs, and you doubled down every time. There is nothing suspicious about SSH traffic, even in a high school network, let alone a college network, and if you think there is, you’re 100% brand new to the industry.
You still haven’t given any alternative that would look any less suspicious than SSH traffic, and you still haven’t given any method a net admin could use to identify your machine from the countless others that connect to an open WiFi network.
In fact, let’s test you. There’s something that old versions of Firefox will expose, even through a SOCKS proxy. What is it, and what did Firefox introduce to prevent that?
These aren’t assumptions. OP states it’s an open WiFi network in their post, and unless you name your computer after yourself, all the network admins can see is your MAC address. And what is suspicious about SSH traffic? And what better way is there? VPN traffic will look more suspicious.
What do you do for a living? I’m a software and network engineer, so this is in my realm of expertise. All the network admins will see is OP’s MAC and that they’re sending a lot of SSH traffic to a Digital Ocean IP (if they even bother to sniff their traffic). This is how I, as a network engineer, have personally bypassed content filters.
It’s an open WiFi network. They’re probably not even able to identify which device is used by which person. Even if they could, why would they be monitoring everyone’s traffic looking for users who only visit one resource? That’s an extremely unlikely scenario.
The worst they’d see is that this device is using a lot of SSH traffic. There’s nothing suspicious about that. SSH is perfectly normal.
ssh -D 8080 <yourdropletip> on Linux, use PuTTY on Windows). localhost:8080 as a SOCKS5 proxy.
Bonus points if you set up Cockpit to manage everything over the web (localhost:9090 over your proxy), that way you don’t need to learn all about sudo apt whatever.
I’m working on this for my service, https://port87.com
I’m making custom domains have two options, single user or multi user. Either way, any user can have unlimited addresses.
Single user:
These all go into the same user’s account as a label named the same as whatever comes before the @.
Multi user:
The custom domain feature isn’t ready yet, but I’m looking to launch it in the next two months. If you’d like to help me test it, I can give you free access in exchange for trying out all of the features and giving me bug reports.
I’ve been using Proton for several years now, and paying for their Mail and VPN features. Proton Mail is definitely better than Gmail, but other than the privacy features, it’s just a basic email service. Their VPN also is just a basic service. If that’s what you need, then by all means, I’ve always had a good experience with them.
That being said, I do run a competing email service called Port87 that (IMHO) has better features for organization and spam protection, so take what I say with the knowledge that I am technically their competitor (although my user base is tiny compared to them). Really, I see them more as an ally against Gmail and MS Exchange, because I’ve never experienced any sort of anti-competitive behavior from them like I have with both Google and Microsoft.
Supporting smaller players in the email space is what keeps email open, so the more people move away from Gmail and Exchange/MS 365, the better.
They asked what the most secure one is, not the most practical. When I said other people wouldn’t communicate with you, I meant because it is very difficult to set up, so I wouldn’t recommend it for anyone. But unless your client and server come from different parties, you’re putting all your trust into one other party (like with Signal), so that’s inherently less secure.
Email, probably. Kind of depends on your needs, and how willing other people are to accommodate them. The most secure messaging platform is email with a third party IMAP client using OpenPGP. That way the client and the server are run by different people, and the encryption is based on a verifiable and well known standard. But will other people use that to communicate with you? Probably not. So probably something like Signal would strike a good balance between privacy and ease of use.
^ This.
I’m a software engineer, and I’ve worked for the big tech giants. I’m familiar with how they track you. VPNs are worthless. Unless you’re trying to hide your activity from your own ISP (like if you’re pirating stuff), the VPN does next to nothing to cover your tracks. And it’s not like they’re gonna advertise their VPN by saying, “you can pirate stuff without your ISP catching you!”
If you want actual privacy, you’ve gotta use something like Tor browser or Tails. Of course, I’ve gotta wonder what you’re up to if you need that kind of privacy. Usually a privacy window is good enough.
Sorry, I don’t have the prices up on the landing site. Here’s the breakdown:
I’m working right now on custom domains. I haven’t finalized the price, but right now my plan is to do unlimited domains for $10/month, plus $4 for each additional user.
I use (and created) https://port87.com. It lets you use a different address for every account and keeps them all organized. It’s great for managing accounts. (And I have literally hundreds of accounts.)
One of the nice things is you don’t need to create a new email beforehand. You can give out an email address that starts with yourusername-, and it just works. You get a new label in your account that you can approve and it goes in with all your other labels.
You can also enable screening on a label if you wanna use it for real people, then it will screen new senders before you see their email.
Next stop: plausibly deniable end to end encryption.
I’ve been a web and network engineer for 15 years, and I run a VPN on my own production cluster, but sure man, I don’t understand VPNs.
Again, you do not understand how trackers work. Trackers don’t use your IP address. And unless Google changed it since I worked there, I can guarantee that.
Prove to me that you block etags, cookies, localStorage, and service workers. Prove to me that every request you make spoofs a new user agent string. Prove to me that when you run JS, it obfuscates your screen dimensions and hardware availability. Prove to me that it obfuscates your font list and the available vendor prefixes. Prove to me that your browser adds artificial jitter to your real time clock, cause you can be tracked through that. Hell, you can be tracked through your latency, so prove to me you add random latency to your fetch calls. Prove to me you block media queries, because you can be tracked through CSS.
You are paranoid, and you don’t even understand what to be paranoid about.
A VPN doesn’t protect you the way OP thinks it does. It just hides your IP address from the websites you visit. Of course, now instead of one website seeing that you visited it, one organization can see everything you visit.
Basically it just moves your trust from your ISP to your VPN provider. So yeah, if you don’t need that, and you don’t need to get around geo blocks, you don’t need a VPN.
So just make a snapshot, and every time you want a new IP, create a new VM from the snapshot. Or if there’s an option in your cloud provider, just request a new IP.
Whenever you connect to a VPN, you use the same IP address the whole session. You have to reconnect to a different node whenever you want a new IP.
But I feel like you’re just being contrarian here. Your objections aren’t rooted in any sort of actual concern over privacy, and I don’t think you really understand the systems you’re using. In other words, you’re just being paranoid.
If you want true privacy, use Tor.
What personal information do you think the VPN is blocking? Like, exactly. Precisely what information do you believe the VPN prevents a website from seeing about you?
I understand the difference between first and third party cookies. You said you were trying to prevent the website from tracking you. A website’s cookie for its own domain is first party. If you block that cookie, it’s harder for them to track you, and also you can’t log in.
Your IP address is not very useful for tracking you.
The major ad trackers use cookies and etags to track you. They don’t use your IP address.
You think that using a VPN is protecting you from the website you’re connecting to logging that traffic?
No. The website sees the traffic. The only thing they don’t see is your home IP address. That’s not even a useful piece of information for tracking someone. Home IP addresses are usually dynamic.
Websites track you through cookies and etags, and VPNs do not block those. If they did, you wouldn’t be able to log into any websites, and you would always be redownloading JS, CSS, and fonts you’ve already downloaded.
(Copied for convenience, since your comment is duplicated.)
JPEG XL, for sure. Great format.