VPN: Remain Tunnelbear or Change Providers?

I read through this thread, Choosing VPN service, but didn’t really find an answer to my question.

I know on a show long ago, Katie went with one provider (can’t recall the name), and David went with TunnelBear. He liked it, but then switched to the same provider Katie used. I confess that I mostly believe Katie’s choice influenced David, but there’s a tiny piece of my brain….

My subscription to TunnelBear is expiring soon, so now seems a good idea to ask the MPU hive mind whether I should stay or go.

The one downside—if that’s what it is—that I have noticed with TB is that it can really reduce my download speeds. I’ve gone from 150Mb down to 45Mb. that seems excessive. Often it’s not quite that bad, but it’s always significant.

Thanks muchly!
Keith

What’s the purpose of using the VPN for you? Personally I rarely use one, unless I’m on sketchy wifi (hotels and coffee shops abroad where I can’t just use data). A VPN is going to affect your download speeds - as you can see this can be a significant effect. If I’m downloading a larger file I’ll wait until I’m back on secure wifi to do so if at all possible.

I believe the provider Katie and David are using is encrypt.me (formerly Cloak).

I’m the VPN heritic amongst the MPU crowd. I think that VPNs are largely unnecessary and overall probably do more harm than good. In my opinion, if you can’t to it over open WiFi then you shouldn’t be doing it over the Internet at all.

Carry on with your conversation now

Personally I believe that unless the VPN is your own, you are merely inviting another man-in-the-middle to have a look at your data.

I used TunnerBear and liked it well enough but switched to Encrypt.me because I got it with my Eero Plus subscription (along With 1Password and Malwarebytes). It does an ok job with minimal effect on speeds but I’m usually limited to 25mbps max so YMMV.

Another reason to leave TunnelBear was their purchase by Macafee. My wife hates Macafee and refuses to use their products.

I rarely use a VPN at home or over cellular. I mainly use it when on unsecured public WiFi.

Another Encrypt.me user here. I was using their cheapest level of service only for the times I didn’t trust the open WiFi I was using (e.g. Starbucks) but then upgraded to the unlimited plan as part of my Eero Plus subscription.

Exactly.

Also, TLS (formerly known as SSL) is designed to provide a secure, end-to-end connection over completely untrusted networks. If you’re using a service over the Internet that isn’t protected by TLS, then you shouldn’t be entrusting them with your data whether or not you us a VPN service.

If they’re worthy of having your data/business then a VPN is unnecessary (and potentially increases risk), whereas if you need a VPN for a service, they’re unworthy of your data/business.

(None of this applies to corporate/organization VPNs)

Grumpy security guy rant over

thanks, rosemary. i am often in cafes and other public wifis.

i will sometimes pay bills and check in on bank stuff too (though i usually do that on my phone instead).

so, @ACautionaryTale, you don’t do any banking or bill-paying online? you don’t look at utilities or shop on amazon et al?

reading rose’s, yours, and other comments below, i’m open to the thought that i’ve been brainwashed into buying a false bill of goods, but it freaks me out a bit to think of computing without some protection (beyond https, etc?)!

i’ve considered doing just that, @jec0047.

@glenthompson, thanks. i can’t stand macafee, so i’ll be moving on regardless of rolling my own or subscribing to another provider. thank you!

i should be clear that i never feel the need at home or over cellular.

hmmm….thanks, @ACautionaryTale. looks like i need to investigate this more.

I do all of my banking and a lot of shopping online, and I do none of it with any VPN at all That’s exactly what TLS (https) is designed to let you do.

Although it doesn’t sound like it, I have a slightly more paranoid outlook: I don’t trust any network between my device and the service provider that I’m dealing with (store, bank, etc), and that very much includes VPN services. The data that I exchange with (let’s say my bank) is encrypted between my device and the bank’s server (that’s simplifying things just a touch for clarity); it doesn’t matter if the person next to me at the coffee shop sniffs the traffic. It doesn’t even matter if that person has set up a fake WiFi network and effects a true man-in-the-middle attack.

I could go on at some length about this, but typing this all out on my phone is only slightly less tiresome than reading it

What may be a better solution is to get a cellular plan so you don’t need to use that Wi-fi. This way you know you can trust your connection everywhere. That and usage of https should cover all circumstances

i have a great cellular plan. with at&t. but—in silicon valley of all places!!!—i often lucky to get 1 bar with 4g vs all bars with lte, which i do get many other places. it’s infuriating!

gotta lotta rethinking to do!

OK, so…. (Apologies for being so sporadic in replying! This is important to me, but life has been a whirlwind of new job + moving + life and other distracting whatnots.)

As long as I’m connected via TLS (https), I do NOT need a VPN? I thought even using https:// was vulnerable…before the connection was made…? That unless you were to secure to start with, you were vulnerable to “a man in the middle” (?), someone who intercepted the signal and could see everything even post log in completion?

Apparently that’s wrong? I can go to a cafe and read with impunity because who cares if someone sees me reading a news site or my favorite automation blogger across the pond. Then, reading said blogger, I discover an awesome app or shortcut I simply must have, so I click on the link to the site, see “https://” in the Smart Search Field, and know that it’s safe to give them my credit card without going through a VPN first?

And, if the site does NOT have https://, then I can open the site on my phone and just go through cellular?

No need ever again for a VPN?

I confess that idea freaks me out. Possibly from years of working at IBM and other companies where before we connected, we had to sign in to a VPN. Up above, someone (ACautionaryTale) said “None of this applies to corporate/organization VPNs.” Which makes me ask “why”? If not using a VPN is so “safe,” why is it OK for corporations to use them? Shouldn’t they just forego them as unnecessary too?

I also wonder now about rolling my own VPN. I think I read we could do something like that using macOS Server, but I don’t see installing that anymore (I wanted to, but it looks like the writing is on the wall for it).

Thanks, All, for putting up with my ramblings! My subscription to TunnelBear ends in a few days, and I want to do the safe and responsible thing without throwing away money on something I don’t actually need.

I switched from TB when Mcafee bought them out. Their privacy policy gave me pause and that under US jurisdiction they could be forced to relay whatever data they have (not that I do anything to warrant that concern really) but it bugs me.

After a LOT of review, I am using NordVPN. It’s covered under Swiss jurisdiction, make it plain they don’t collect any information, and the service has excellent throughput with servers all over the place.

Even with https:// I still like the security a VPN brings. Just my 2c worth…

So I’ll try to answer a few of these questions on mobile Keep in mind that there is much of my own personal opinion mixed in here, but that’s opinion that’s born of years as a network admin, and more recently as an information security guy. My opinions are neither poorly thought out, nor infallible.

TLS (https://) is as secure as is reasonably necessary for pretty much everyone. IF you don’t click through warnings of unsafe sites then you’re more or less safe from man-in-the-middle problems, even during the initial connection.

If a site or service does not offer TLS/SSL protection, then (in my opinion) you should not access it over the Internet, VPN or not. It’s not a trustworthy service that’s being professionally run up to what are now very, very basic security standards.

About corporate VPNs: This is a very interesting topic. For the most part, they are not really necessary anymore (we’re strongly pushing people away from using ours, in favour of virtual desktops, which work well for nearly all remote access needs).

There are some use cases where (remote client rather than point to point) VPNs are still desirable, but those mostly revolve around legacy applications that cannot easily be protected via TLS, situations in which given network address ranges must be used, or when network admission control is required.

Another difference between a corporate VPN and an VPN service for individuals is that a corporate VPN protects your network traffic for the whole of its journey, whereas a VPN service like the ones that are fashionable these days only protect your traffic between your computer and their service gateway.

Also, cellular network connections are no substitute for a secure network connection.

I don’t know if that answers any of your questions, but I hope that it sheds a little light. I’m happy to expound at length on the topic, but I’m a little fearful of coming across as that crazy guy over there