Why Your VPN Is Useless

Why Your VPN Is Useless - Of The Nerds - Medium

I know that this topic has been discussed a lot, but this article goes into detail about both the advantages and disadvantages of using one.

I find it interesting that so many articles, etc. still insist that you use one, even with Tor, so this spells out in plain English what the actual pluses and minuses are.

EDIT: that being said, I would like to know if there actually are any VPN providers that people trust here; if you don’t want to use Tor for all of your browsing, what’s the next best alternative? Or is there one?

1 Like

I don’t trust any VPN providers personally, not sure about an alternative for Tor though, I basically just use it for everything.

1 Like

I use ProtonVPN, the free version, which is subsidized by the paid users, but I feel like a leech and my family sees no reason to pay for a VPN. I’m thinking of getting rid of VPNs entirely, but wouldn’t it decrease my privacy and security if I did that?

@StrikeStalker

What is your threat model here? Without a threat model, it is hard to tell if you are actually getting any security from VPNs.

Regarding privacy: What do you expect from a VPN provider? You basically change your IP address and that’s all. Without a VPN, you have to trust your ISP; with a VPN, you have to trust your VPN provider.

4 Likes

That’s the question: Who do you trust less, your ISP or a VPN?

2 Likes

I just want to avoid hackers, tracking and corporations. I feel like hiding my IP address behind a VPN could mess up their data about me, especially if I keep switching servers, but not governments, because with their resources, I’m sure they can find me, VPN or not. Anyway, I don’t plan on doing anything that gets their attention.

> I feel like hiding my IP address behind a VPN could mess up their data about me

The problem here is that you only change your IP address while the rest of your system stays the same. For example, you always have the same web browser fingerprint and there is always the same browsing behavior. See also this paper: https://mastodon.at/@infosechandbook/102055522866404883

Besides, there is no protection against “hackers” by just using a VPN.

Edit: Your ISP can still see that you are connecting to a VPN provider. So, it is easy for state actors to identify any VPN provider you use.

1 Like
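The linking problem described in the post above, as an added example that is not part of the original thread: a tracker that keys on browser attributes instead of the source address still groups visits made through different VPN servers. The request records, attribute names and values are constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed sample of requests as a tracking server might log them (not real
# data). IPs are from documentation ranges. Visitor A switches VPN servers
# between visits; visitor B connects from a single address.
BROWSER_A = {"ua": "Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0",
             "lang": "de-AT,en;q=0.7", "screen": "2560x1440", "tz": "Europe/Vienna", "fonts": 212}
BROWSER_B = {"ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0",
             "lang": "en-US,en;q=0.5", "screen": "1920x1080", "tz": "America/Chicago", "fonts": 97}
REQUESTS = [
    {**BROWSER_A, "ip": "198.51.100.7"},
    {**BROWSER_A, "ip": "203.0.113.54"},
    {**BROWSER_A, "ip": "192.0.2.19"},
    {**BROWSER_B, "ip": "192.0.2.200"},
]

# Attributes the browser reveals regardless of which network path is used.
FP_FIELDS = ("ua", "lang", "screen", "tz", "fonts")


def fingerprint(req):
    """Hash the browser attributes; the IP address is deliberately left out."""
    material = "\x1f".join(str(req[f]) for f in FP_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def link_by_fingerprint(requests):
    """Map each fingerprint to the set of source IPs it was seen from."""
    seen = defaultdict(set)
    for req in requests:
        seen[fingerprint(req)].add(req["ip"])
    return dict(seen)


def linked_across_ips(requests):
    """Fingerprints seen from more than one IP: changing IP did not unlink them."""
    return {fp: ips for fp, ips in link_by_fingerprint(requests).items()
            if len(ips) > 1}


if __name__ == "__main__":
    for fp, ips in linked_across_ips(REQUESTS).items():
        print(fp, "seen from", sorted(ips))
```

Running the same grouping over your own proxy or web server logs shows how many distinct attribute sets your browsers present, which is the figure a VPN does not change.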

After having my identity stolen, I was forced to be a lot more careful about what information I put out there, including my IP addresses. I didn’t know whether I should just use Tor for everything (which I know you can do), or if there was some other alternative.

Assuming there are a couple of common threat models (journalist, home user tired of ad surveillance, activist, endangered minority), are there obvious answers to this? I would love to see a sort of flow-chart logic that helps people make privacy-related choices. The ‘it depends’ answer is a way of making the user/individual responsible for what is a systemic problem.

(no real answer in the following again :smiley:)

Most people think that security is just about using the right technology and tools. Then, they have some security. However, this is far from reality. For security, you need to consider technology, processes/organization, and people.

Some examples:

  1. You set up a web server according to some “best practices guides” on the internet. Many guides only talk about configuration. Then, after part 17 or so, you finish and think that your web server is secure. Since your specific software wasn’t covered by the guide, you miss that there is publicly-accessible configuration on your web server that contains some secret keys.
  2. You use an instant messenger that comes with end-to-end encryption. You happily use it for months and finally lose your phone. A guy finds your phone and is able to access every message on it, because there was no protection of data at rest.
  3. You configure two-factor authentication for your e-mail account and everything looks so secure. Then, you get an urgent warning from your e-mail provider talking about some issues. You fix it by clicking the link in the e-mail; however, in reality you just got phished.
  4. You start to use a VPN and are convinced that everything is more secure now. However, your laptop gets stolen and all of your data is accessible. Or you think that nobody can track you while your VPN provider logs everything and these log files get leaked.

There are many more such examples. So, you need a basic plan for what you want to achieve by using some technology.

This is the same in the physical world. For instance, dozens of smoke detectors and fire extinguishers are useless if people don’t know what to do in case of an alarm.

1 Like

Very good points, InfoSec! I can think of a real world example of #3 - one of the email providers I use is ProtonMail, which is considered to be “privacy oriented.” However, I frequently get phishing emails that claim “your ProtonMail account needs to be verified.”

The service has clearly stated that they would never send such an email, but if the user were unfamiliar with this, they might click on the phishing email and input their password - therefore, it’s not secure! I suppose that’s an example of social engineering, isn’t it?

Also, with regard to number 1, there’s a cybersecurity researcher who goes by the name x0rz on Twitter who pointed out that several Tor hidden services weren’t configured properly, and could basically have their clearnet IPs exposed. Yet, some people have the idea that, “I’m using Tor, therefore I’m perfectly anonymous.”