Thoughts on VPNs and privacy, not selling you anything
I’ve been thinking about this for a while, especially with all the VPN companies contacting me and offering pretty insane rates to get you to sign up for something (starting at 50% commission). There are significantly different security requirements for different users, of which a VPN is only one part, and I thought I’d run through some of them.
VPNs are just one part of connection security and do not ensure privacy
Every VPN is probably going to say they’re insanely secure, only log to memory for diagnostics and abuse mitigation, and that your tracks are covered. To start, we’re going to assume every VPN is the same (they’re not, but that’s not what I’m writing about).
These are the types of VPN users I think there are, and each one has different requirements:
- you want a VPN if you’re conducting business on WiFi you don’t trust
- you want a VPN if you’re watching movies overseas
- you want a VPN if you’re a movie or software pirate
- you want a VPN if you’re dealing with a large number of unknowns connecting to your access point and you’re just tired of receiving DMCA complaints
- you want a VPN if you’re trying to completely be undetected for great evil
- you want a VPN so you can discuss politics without your government coming and imprisoning you
Entry level security (get a VPN)
So let’s talk about entry level – this is if you’re watching movies, conducting non-NSA-level business on WiFi or a network you don’t manage, or watching a movie overseas. Getting any VPN and running it is probably going to take care of you.
You’ve still got some leaks here: a malicious third party could get your IP address, and any web service you’re logged into has recorded your name alongside that IP, and you can bet they’ll turn it over to the authorities in a heartbeat. But for the most part, the most anyone around you is going to get is some DNS queries you’re leaking.
Websites you visit can figure out your original IP, browser, time zone, connection type, the DNS servers you’re using, your local IP via WebRTC leaks, and a few other pieces of info. But your data is running over an encrypted stream, so meh, you’re pretty secure from the average hacker sniffing around.
There are free VPNs that accomplish this.
Pirates
If you’re a pirate, you probably want no record of your IP associated with anything. Your average home-grown pirate is probably connected to a few social media accounts, running Vuze or some torrent client, and not thinking that those social media accounts can be tied right back to the IP making the requests.
For these people you’re either going to need to dedicate a computer or virtual machine to be your piracy box, or get VPN software that lets you tunnel traffic from, say, Firefox and uTorrent, but not from Chrome, Facebook Messenger, etc. The instant one of the social media companies grabs your VPN IP, it’s stored and associated with you ferrrevvvrrr.
You’ll also want to kill IPv6, Flash, WebGL, and JavaScript, change the time zone or use a browser that doesn’t send it, and disable cookies.
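The DNS and IPv6 leaks mentioned in the entry-level section, and the "kill IPv6" advice just above, all come down to one question: with the VPN up, does every packet actually go out the tunnel interface? The script below is an added example (mine, not from the original post) that answers it offline from text you can paste in: the output of `ip -4 route` and `ip -6 route` plus the contents of `/etc/resolv.conf`. It does a longest-prefix-match lookup the way the kernel would, and flags any default route or nameserver that would egress on the physical interface instead of the tunnel. The route tables, resolver file, interface names (`tun0`, `wlan0`) and probe addresses are constructed sample values; adjust `tunnel_if` to whatever your VPN client creates.

```python
"""Offline "is my VPN really carrying all traffic?" check (added example, not part of the post)."""
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    network: ipaddress._BaseNetwork  # destination prefix
    dev: str                         # egress interface
    metric: int                      # lower wins on equal prefix length


# Constructed sample: `ip -4 route` on a host whose OpenVPN client pushed the
# classic 0.0.0.0/1 + 128.0.0.0/1 pair to override the DHCP default route.
SAMPLE_ROUTE4 = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""

# Constructed sample: `ip -6 route` on the same host. The VPN never touched
# IPv6, so the router-advertised default route still points at the WiFi card.
SAMPLE_ROUTE6 = """\
::1 dev lo proto kernel metric 256
2001:db8:1:2::/64 dev wlan0 proto ra metric 600
fe80::/64 dev wlan0 proto kernel metric 600
default via fe80::1 dev wlan0 proto ra metric 600
"""

# Constructed sample /etc/resolv.conf: the VPN's resolver plus the home router.
SAMPLE_RESOLV = """\
# Generated by NetworkManager
nameserver 10.8.0.1
nameserver 192.168.1.1
"""


def parse_routes(text: str, family: int) -> List[Route]:
    """Parse `ip route` output for one address family into Route records."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue  # blank lines and blackhole/unreachable entries
        dest = parts[0]
        if dest == "default":
            dest = "0.0.0.0/0" if family == 4 else "::/0"
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append(Route(ipaddress.ip_network(dest, strict=False),
                            parts[parts.index("dev") + 1], metric))
    return routes


def egress_interface(routes: List[Route], addr: str) -> Optional[str]:
    """Kernel-style lookup: longest matching prefix, then lowest metric."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in routes:
        if r.network.version == ip.version and ip in r.network:
            key = (r.network.prefixlen, -r.metric)
            if best is None or key > best[0]:
                best = (key, r)
    return best[1].dev if best else None


def nameservers(resolv_text: str) -> List[str]:
    """Extract nameserver addresses from resolv.conf-style text."""
    return [line.split()[1] for line in resolv_text.splitlines()
            if line.strip().startswith("nameserver")]


def audit(route4_text: str, route6_text: str, resolv_text: str, tunnel_if: str) -> dict:
    """Report where Internet-bound IPv4, IPv6 and DNS traffic would actually leave."""
    r4, r6 = parse_routes(route4_text, 4), parse_routes(route6_text, 6)
    # Probe addresses from the documentation ranges (TEST-NET-3 / 2001:db8::/32).
    v4_dev = egress_interface(r4, "203.0.113.10")
    v6_dev = egress_interface(r6, "2001:db8::10")
    leaking_dns = [ns for ns in nameservers(resolv_text)
                   if egress_interface(r4 if ipaddress.ip_address(ns).version == 4 else r6, ns)
                   != tunnel_if]
    return {
        "ipv4_egress": v4_dev,
        "ipv6_egress": v6_dev,
        "ipv4_leak": v4_dev != tunnel_if,
        # No IPv6 default route at all is fine: nothing can slide around the tunnel.
        "ipv6_leak": v6_dev not in (None, tunnel_if),
        "dns_leak": leaking_dns,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROUTE4, SAMPLE_ROUTE6, SAMPLE_RESOLV, "tun0").items():
        print(f"{key}: {value}")
```

On the sample data IPv4 is fine (the /1 routes win over the DHCP default), but IPv6 and the second resolver both egress on `wlan0`, which is exactly the "half the VPNs don’t support IPv6 and let it slide around them" case at the end of the post. A `dns_leak` hit usually means the VPN client didn’t rewrite `resolv.conf`, or a DHCP renewal put the router’s resolver back.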
Alternately, just get a VPN and hope your ISP and the MPAA aren’t watching you specifically. They’re probably not unless you’re a release group. If you’re a release group and looking at my writing, feel free to point and laugh.
A virtual machine running some version of Windows that’s firewalled and can’t talk to Microsoft may do the job for most.
Political dissidents
If you’re at risk of torture and jail time for insulting your glorious leader, there’s another hurdle you’re going to want to get over. This means getting a computer devoted to your privacy, setting up a VPN, and running Tor over the VPN as a relay.
I’m not even quite sure where one starts with this, but you’re going to need an OS and a browser designed for security just to get the software installed.
The reason for the Tor relay is so there’s always traffic: an ISP can’t then notice that you used no data except right when posts against the regime surfaced.
I’d say Tor+VPN, a Linux build for both, and a computer used only for that as the minimum starting point. You’ll need to pay for the VPN with some method that can’t be traced to you.
This computer should have nothing whatsoever personal on it. No bookmarks, no saved passwords, no cookies, no “This PC” icon that’s been renamed to “Maya’s PC”.
The browser should not be allowed to download fonts, to limit browser fingerprinting. Your time zone should be set to something other than where you are. Best if you can set everything up somewhere public and control it from another location.
If you think you can do this from your cell phone, which is running on a probably government-run network that can silently push software to your phone at any time to monitor what you’re doing, you’re not correct. Think your mobile OS is secure? It’s not. But but but no.
Your VPN provider can also be intercepted and shut down. Always posting stuff from Private Internet Access? Any guesses on how easy it is for a country to find out who’s logging on, logged on, etc?
That’s just the start. If you value your fingernails…
VPNs – good for IP address obfuscation, that’s about it
While some VPNs have ad blocking, pre-scanning, etc., in the end the only thing they’re really doing is hiding your originating IP from the website or service you’re connecting to, and preventing people around you at Starbucks from sniffing your email.
The privacy they add is mostly an illusion, but if it’ll keep your ISP from sending DMCA complaints because you downloaded Blackish a day before it came on Hulu, keep your work’s 1997 database that’s sitting on an insecure file share protected, or keep your psycho Starbucks stalker at bay, they’ve got their uses.
How good is my VPN?
As part of the deluge of VPN-related emails I’ve been given various leak tests and “OMG I can’t believe site X can see that” pages. Here’s a few; I’m not endorsing them, they most likely get your IP address and any information they can gather, but for most people, who cares?
At least a couple of those are attempting to sell you a service. At this point I’m not. You can search for your own privacy tests.
What did I get wrong or what needs improving?
Your chance to tell me. I’m not claiming I’m an expert political dissident, a privacy expert, or that my tinfoil hat is better than anyone else’s. Just that I’m seeing VPNs being sold as a one-size-fits-all solution, and they simply are not. Hell, half of the VPNs out there don’t even support IPv6 and let it slide right around them.
Chime in?