How private is my VPN?(themarkup.org)
themarkup.org
How private is my VPN?
https://themarkup.org/ask-the-markup/2021/08/12/how-private-is-my-vpn
56 comments
Well, that sucks. I moved away to Mullvad about 6 months back (super happy so far). It didn’t make good sense to have one provider for email, calendar, cloud storage and VPN. We know where that road can lead…
Source for that? First I've heard of it, but admittedly not a user!
Happy Mullvad user here. The fact that they do zero advertising and provide no offers or discounts etc is the number one reason I went with them. They don’t even collect your email. You have an account number that’s all. You can even pay for that account in cash by sending that money to the company’s PO box anonymously.
That sounds excellent. Is that even legal for them to do though? Aren't there "know your customer" laws all over the world now?
Hi! Yes, it is legal. Your average corner shop has no requirements to do KYC when selling chocolate bars, and neither do we. :)
Cheers, Fredrik Strömberg, cofounder of Mullvad.
Cheers, Fredrik Strömberg, cofounder of Mullvad.
Thanks! Reading your site now. Is support for using native wireguard and OpenVPN clients considered first class alongside the Mullvad app?
And any restrictions accessing geoblocked streaming content (both from your side and providers' sides blocking Mullvad)?
Last I checked Mullvad wasn't great for sites that actively ban VPN IPs like Netflix. For that NordVPN is better since (I recall reading) they use the residential IPs of users of some other free VPN services, so these rotate too frequently for Netflix to ban. You'll still have to ask for fresh IPs from time to time though as even those get blocked.
Yeah, streaming sites was the one issue I had with Mulvad. But I don't stream that much, and am super happy with them otherwise.
As Netflix is now banning more residential IPs more aggressively, all "streaming VPNs" face problems nowadays: https://torrentfreak.com/netflix-intensifies-vpn-ban-and-tar...
Hi!
I've been looking for a new VPN provider for a while, but most i found seem to disallow tormenting. Does mullvad permit it?
I've been looking for a new VPN provider for a while, but most i found seem to disallow tormenting. Does mullvad permit it?
Tangential: If you mean torrenting (I see a typo in your comment), and if you don’t really need a VPN or can do with a basic VPN service, there are many “seedbox” providers who provide disk space, data traffic, and a set of ‘ready to install and use’ apps.
Another Mullvad user here. Generally happy, but the Windows and Android apps are somewhat buggy.
Every couple of weeks I have to reinstall the Windows app because it's failing to update, and the Android app started eating my battery recently (used 46% of a full charge yesterday after some hours of internet browsing).
In their defense their support has always been amazing when I contacted them about it, and the Android issue could be manufacturer's fault, since OnePlus is known for its shenanigans.
I'll continue with Mullvad for the foreseeable future.
Every couple of weeks I have to reinstall the Windows app because it's failing to update, and the Android app started eating my battery recently (used 46% of a full charge yesterday after some hours of internet browsing).
In their defense their support has always been amazing when I contacted them about it, and the Android issue could be manufacturer's fault, since OnePlus is known for its shenanigans.
I'll continue with Mullvad for the foreseeable future.
You could try using the official WireGuard app rather than Mullvad’s. Just generate a WireGuard config on Mullvad’s website, and you should be able to import that no problem.
The windows app works perfectly for me - I'm vpn'd 24/7 and it never crashes. I think it depends on your usage.
Can you use them with third party VPN clients?
Yes [1], the technical aspects are easily accessible. I'm avoiding third party VPN clients for simplicity and trust-minimization, but it's my plan B.
[1] https://mullvad.net/en/help/faq/#40
[1] https://mullvad.net/en/help/faq/#40
Yes
I like your criterion there. How well does it do for geofencing? NordVPN has been okay except for the BBC which seems to smart for any of that.
Nord uses "residential IP addresses". There was some discussion around its cagey ownership as well.
Thanks for this, just switched to Mullvad.
Happy Mullvad user here. Plus they offer WireGuard which is awesome.
Thats good, that has nothing to do with privacy.
The VPN concept can provide no assurance on privacy and any supposed assurance can change at any moment’s notice, whether they VPN provider is aware or not, coerced or not.
Who you want privacy from is important, but the people VPNs provide privacy against results in no differentiation between VPN providers.
The VPN concept can provide no assurance on privacy and any supposed assurance can change at any moment’s notice, whether they VPN provider is aware or not, coerced or not.
Who you want privacy from is important, but the people VPNs provide privacy against results in no differentiation between VPN providers.
I am surprised to see Tracking in Privacy Policy marked “Y” for ProtonVPN.
Why do I need to enter my email address on their app?
I just need an anonymous connection to their servers. It can be done without email (you pay and get a random ID from them).
Why do I need to enter my email address on their app?
I just need an anonymous connection to their servers. It can be done without email (you pay and get a random ID from them).
don't know the source or quality/people building it, but i did use [0] (get the detailed table and change to "all") when picking a VPN to roll with.
After i had already found OVPN i was amazed that they had the option to just anonymously mail them cash.
[0]: https://www.safetydetectives.com/best-vpns/#detailed
After i had already found OVPN i was amazed that they had the option to just anonymously mail them cash.
[0]: https://www.safetydetectives.com/best-vpns/#detailed
Mullvad and IVPN offers the same (disclaimer: I'm part of the IVPN team). SafetyDetectives is a site that is owned by a VPN conglomerate [0] with the added bonus of having a history of distributing malware [1]. I suggest not using them as a source for VPN related info due to conflict of interest.
[0] https://restoreprivacy.com/vpn-review-websites-owned-by-vpns... [1] https://www.cnet.com/tech/services-and-software/what-is-kape...
[0] https://restoreprivacy.com/vpn-review-websites-owned-by-vpns... [1] https://www.cnet.com/tech/services-and-software/what-is-kape...
had no idea there was this level of dodgyness (nor consolidation) going on in the industry :(
Unless you are peering a VPN is just another ISP and like any ISP they are in complete control of your traffic.
Imagine you are in a hotel. When you order room service your food hygiene is in the hands of the hotel chef — the In-room-dining Service Provider (ISP) if you will.
You can order takeout instead, but you’re really only delegating food hygiene to a different chef, one that’s harder to track down and with a considerably lower stake in your well-being than the one provided by your hotel manager.
I’m more into camping, personally, but even then your produce comes from somewhere else.
Imagine you are in a hotel. When you order room service your food hygiene is in the hands of the hotel chef — the In-room-dining Service Provider (ISP) if you will.
You can order takeout instead, but you’re really only delegating food hygiene to a different chef, one that’s harder to track down and with a considerably lower stake in your well-being than the one provided by your hotel manager.
I’m more into camping, personally, but even then your produce comes from somewhere else.
The point of VPNs is IMO that some people cannot choose which hotel they are staying at to use your analogy.
E.g. if you are traveling into certain countries etc.
Or you might wanna create the impression you are coming from somewhere else than you actually do for various reasons. E.g. let's say you want to consume media from a different country. Running your own VPN is practical if it is just about the tunnel, but it gets unwieldy if it is about having one in different countries or if it is about hiding your identity.
E.g. if you are traveling into certain countries etc.
Or you might wanna create the impression you are coming from somewhere else than you actually do for various reasons. E.g. let's say you want to consume media from a different country. Running your own VPN is practical if it is just about the tunnel, but it gets unwieldy if it is about having one in different countries or if it is about hiding your identity.
If you know the food in the particular hotel where you're staying is bad, then yeah, ordering takeout is helpful. But as general advice, the idea that a VPN, any VPN, is going to be inherently more secure than your ISP, any ISP, is nonsense.
Depends on how much you trust your ISP. For example, AT&T is in the top five list of ISPs around the world that do Deep Packet Inspection, so that they can throttle your NetFlix and Amazon Prime streaming TV speeds, as well as insert their own ads where they want, etc…. Who knows what else they’re doing?
Same with Spectrum. That’s the two high speed carriers that are common here in Austin. Sure, there are smaller carriers in fringe areas, but they are a small fraction of the market.
This is why I want a proper SDN. Let me treat the carrier like opaque dumb pipes, and aggregate the bandwidth across those channels, so that I am insulated from total failure if just one of them should go down, and in the expected case I can manage my own traffic shaping the way I want it to be in the house.
Same with Spectrum. That’s the two high speed carriers that are common here in Austin. Sure, there are smaller carriers in fringe areas, but they are a small fraction of the market.
This is why I want a proper SDN. Let me treat the carrier like opaque dumb pipes, and aggregate the bandwidth across those channels, so that I am insulated from total failure if just one of them should go down, and in the expected case I can manage my own traffic shaping the way I want it to be in the house.
That's true but doesn't entirely deny the value of a VPN. For example, using a VPN protects your privacy with the endpoints you connect to: Facebook or even some random forum administrators only see your VPN address and don't know where you are, whether at home, visiting your mom in another state, or staying at a hotel.
While I understand your point and I agree and think the same way, there is one small point, which should not be underrated in this: "a VPN is just another ISP" is only true as long as your ISP does NAT and you don't have a publicly available IP. That is true for some mobile networks here in Germany for example.
So a VPN (or things like TOR) provide you with one single out-point/edge/end-point that is (hopefully) shared with many many other people. With that you can hide in the crowed and it is very difficult to find you in the crowed.
On the other side it would defeat the purpose if the VPN provider limits the number of accounts on one out-point/edge/end-point to improve performance, because then it would defeat the purpose.
So a VPN (or things like TOR) provide you with one single out-point/edge/end-point that is (hopefully) shared with many many other people. With that you can hide in the crowed and it is very difficult to find you in the crowed.
On the other side it would defeat the purpose if the VPN provider limits the number of accounts on one out-point/edge/end-point to improve performance, because then it would defeat the purpose.
Each connection is NATed through the VPN though and the fact that the port number does not change makes it possible to make inferences about connections a user has made through the tunnel and inject arbitrary data into the connections.
https://www.usenix.org/system/files/sec21-tolley.pdf
https://www.usenix.org/system/files/sec21-tolley.pdf
I always assume that somewhere between a handful to many of the VPN operators are run by either clandestine government agencies or outright criminals. It’s a perfect place to intercept traffic, similar to how useful ANOM was to law enforcement when it was compromised earlier the year, it’s [1].
Edit: See also the CIA and Crypto AG [2]
1. https://www.reuters.com/world/how-an-informant-messaging-app...
2. https://www.forbes.com/sites/daveywinder/2020/02/12/cia-secr...
Edit: See also the CIA and Crypto AG [2]
1. https://www.reuters.com/world/how-an-informant-messaging-app...
2. https://www.forbes.com/sites/daveywinder/2020/02/12/cia-secr...
Most VPN service providers (barring Mullvad and my current use- iVPN) have white label services. iVPN improved its app; Mullvad's price has remained static and its a brilliant deal for 60 Euros per year.
Proton uses its "pro" pricing to subsidise the people who use its free offering, and I find the product overhyped. AdGuard VPN is appealing for its implementation. I am using it on Android in conjunction with Adguard ad-blocker and have been happy with the outcome. I can also add Next DNS to the Adguard application for DNS level filtering.
Proton uses its "pro" pricing to subsidise the people who use its free offering, and I find the product overhyped. AdGuard VPN is appealing for its implementation. I am using it on Android in conjunction with Adguard ad-blocker and have been happy with the outcome. I can also add Next DNS to the Adguard application for DNS level filtering.
Not affiliated, but I’m very happy with IVPN. Been using them for years. Very clean, zero-cruft native UI for my Mac, PC and iPhone, and they were an early adopter of Wireguard. It’s a bit pricey at $130/yr CAD but it’s one of those things that works exactly as advertised and never gets in the way or bugs me.
How is Astrill doing?
A good trusted VPN may offer some privacy.
The ISPs often openly state that they log traffic, both to comply with government regulations, also to improve their businesses. VPNs state they don’t, and they may or may not.
You choose your option!
I personally don’t trust most VPNs. Very few, however, appear to be trustworthy (at least I trust these particular ones more than my ISP).
The ISPs often openly state that they log traffic, both to comply with government regulations, also to improve their businesses. VPNs state they don’t, and they may or may not.
You choose your option!
I personally don’t trust most VPNs. Very few, however, appear to be trustworthy (at least I trust these particular ones more than my ISP).
im new here (green) but tryin!
whats the consensus re this i found posted years ago posted on github im really curious and have ?? its kinda counter intuitive for me??? https://gist.github.com/joepie91/5a9909939e6ce7d09e29
Blog posts like this are just stupid.
I mean FFS, you are basing your entire privacy beliefs on what a company tells you, but in the end you are still transiting all your internet traffic through their servers.
For starters, how many of these VPN providers actually have regular fully independent, completely open-book, open-doors, audits of 100% of their infrastructure stack. None.
What is that old saying in cyber-security ? Physical access equals game over ?
Well, it's the same for privacy.
You don't control their servers. You don't control who they use as upstream internet providers. Hence you will never know the real answer on whether or not your traffic is being snooped on and by whom unless you are controlling the experience yourself end-to-end.
I mean FFS, you are basing your entire privacy beliefs on what a company tells you, but in the end you are still transiting all your internet traffic through their servers.
For starters, how many of these VPN providers actually have regular fully independent, completely open-book, open-doors, audits of 100% of their infrastructure stack. None.
What is that old saying in cyber-security ? Physical access equals game over ?
Well, it's the same for privacy.
You don't control their servers. You don't control who they use as upstream internet providers. Hence you will never know the real answer on whether or not your traffic is being snooped on and by whom unless you are controlling the experience yourself end-to-end.
Right, the concept alone has limitations so it is weird how tribal people are about their favorite VPN provider.
Name a single VPN provider having no way of having the privacy assurance and people will argue about your proof because to them it damns that company. As opposed to acknowledging that no VPN provider can offer that assurance.
Don't name a VPN provider and people will assume their VPN provider is different, whether its a complete misunderstanding of Swiss data laws, or a gimmick about mailing cash to a PO box.
Name a single VPN provider having no way of having the privacy assurance and people will argue about your proof because to them it damns that company. As opposed to acknowledging that no VPN provider can offer that assurance.
Don't name a VPN provider and people will assume their VPN provider is different, whether its a complete misunderstanding of Swiss data laws, or a gimmick about mailing cash to a PO box.
As a researcher studying VPN security, I have tested a lot of VPN providers, and there are few that stand out as trustworthy. Mullvad is mentioned in this thread several times for a reason. When we publicly disclosed CVE-2019-14899, they had a patch within a day and included it in the release - all within a week. To the best of our knowledge, Mullvad was the only provider and WireGuard was the only protocol to take swift action to mitigate the vulnerability.
This comment is only about the trustworthiness of the provider and not of VPNs in general, which I'm still hesitant about. I'll provide a link for our paper exploring CVE-2019-14899 and attacks we've developed since then:
https://www.usenix.org/system/files/sec21-tolley.pdf
There's also a blog post, which is quicker to read and written for a general tech audience:
https://breakpointingbad.com/2020/05/25/Vintage-Protocol-Non...
This comment is only about the trustworthiness of the provider and not of VPNs in general, which I'm still hesitant about. I'll provide a link for our paper exploring CVE-2019-14899 and attacks we've developed since then:
https://www.usenix.org/system/files/sec21-tolley.pdf
There's also a blog post, which is quicker to read and written for a general tech audience:
https://breakpointingbad.com/2020/05/25/Vintage-Protocol-Non...
I've seen people here mention IVPN in the same breath as Mullvad; do you have any insight on how they compare? AFAIK Mullvad is based in Sweden, which is a Fourteen Eyes country, whereas IVPN is based in Gibraltar, which is not.
Simple privacy VPN Check:
Do you own the VPN hardware? That's the answer of is it's private / secure.
Do you own the VPN hardware? That's the answer of is it's private / secure.
If that hardware isn’t on your own personal private premises, then you can’t really be said to own it.
Even if you really did buy the hardware from somewhere else and shipped it to the co-location facility to have it put into what is supposed to be a private cage, you still don’t own the premises, and the co-location facility can choose to let in anyone they want.
Even if you really did buy the hardware from somewhere else and shipped it to the co-location facility to have it put into what is supposed to be a private cage, you still don’t own the premises, and the co-location facility can choose to let in anyone they want.
This article is pointless at best, and actively misleading at worst. Anyone skimming the content but reading the table could be forgiven for thinking it refers to in-app tracking.
Whether or not a VPN engages in activities such as tracking user actions on their marketing site in no way reflects how well (or poorly) they protect my privacy whilst using the product.
Whether or not a VPN engages in activities such as tracking user actions on their marketing site in no way reflects how well (or poorly) they protect my privacy whilst using the product.
Wow, didn't expect that from Proton... or maybe I did... one more reason to move away from them.