VPN services wrong claims?

These last couple of weeks I have seen criticism of VPN providers, mainly that most of the companies advertise misleading services or make plainly wrong claims about what they can really offer their customers.

Here is a video from Tom Scott making the case on VPNs.

I was wondering what your opinions are about this. Were you aware of the debate (criticisms) around these types of services? Did you acquire a VPN based on some of the security claims made in adverts and sponsorships?

I’m in no way an expert on this topic, but recently I thought I should subscribe to a VPN for security reasons; however, now I see the need to do further research.

VPN is about privacy and only partly about security. And there are a lot of bad players out there and it is necessary to choose wisely.

This is a great source of information: https://restoreprivacy.com/no-logs-vpn/

1 Like

I’m a VPN critic. I don’t think that they’re all terrible, but I do think that they’re pushed and promoted in ways that don’t make it clear what the actual risks are that people face, what one can and cannot expect from a VPN service, and what the additional risks are from using a VPN service.

I’ve written at (tiresome, I’m sure) length about it in the MPU forums :slight_smile: The tl;dr of it is that I think that if it’s not safe to do without a VPN (even over open WiFi) then it’s not safe to do with a VPN either. I have no worries doing my online banking over an open WiFi network at the airport.

(I may not be an expert either, but I have managed to convince my employer to pay me to manage their information security for some number of years now. I won’t make any statements as to their wisdom in this :laughing:)

1 Like

VPN is another layer of security (privacy). Since it is so easy to implement (you just turn it on), there is no reason not to use it, especially when on public WiFi. But it is important to pick a proven service.

Marketing around VPNs is often misleading. VPN is just another tool to be used in conjunction with others. Recently, police destroyed a pedophile network in Europe that used cryptocurrency. But the police could identify them anyway. So when you do illegal stuff, a VPN or even cryptocurrency will not save you by themselves and you will likely end up in prison.

This is where we’re not likely to agree. The use of almost any service (or security control) involves some additional risk and that’s especially true when you have to install software that integrates deeply into your OS or when you form a trust relationship with the service provider. Understanding that additional risk and whether it lowers or raises your overall risk is complicated way beyond an “it’s easy and can’t hurt so you’re better off using it” kind of reasoning. This is underscored by the recent compromise of a well respected VPN service.

You couldn’t do anything with that logic. Nothing is 100%. But it’s about probability. Is it more probable that your security/privacy gets compromised by not using a service like a VPN, or that such a service (provided you choose a respected and proven service) gets compromised?

The only recent “compromise” of a known VPN service I know of is NordVPN. And that “compromise” was just an expired TLS key that was useless and couldn’t compromise any users or the service.

That’s a good question and I think that the answer is not obvious. One way to think about it is with trust relationships: If I’m doing some online banking without a VPN service, I don’t trust anything between my computer and the bank’s systems. The bank is heavily incentivized to ensure that my trust in them is warranted; they have absolutely nothing to gain by betraying that trust.

If I use a VPN service then I form a trust relationship with the VPN service provider as well as my bank. The VPN provider has some incentive to keep my trust, but not nearly as much as my bank. Furthermore gaining access to the data that I’m sending is of some potential additional value to the VPN provider but (by definition) of zero additional value to the bank, since the bank is the intended recipient. There is a (likely very small) incentive for the VPN provider to betray my trust.

By using a VPN service to do my online banking I have to deal with an additional trust relationship, something that adds complexity and therefore has the potential to lower security, and that trust relationship is not as clear as the one I have with my bank. Nothing about the use of the VPN service in this scenario increases my security at all, but I do incur (a very slightly) increased risk by doing so.

I’m not saying to not use VPN services: I do, however, think that making blanket assertions about their use one way or the other leads people to make uninformed risk decisions and also leads people to the dangerous notion that they are safer because they trust a portion (the virtual segment) of the network between their computer and the actual service they’re trying to use.

I will stand by my simple statement: If it’s not safe to do something without a VPN, then it’s not safe to do with one either.

I’ll leave it at that. Any further argument on my part would only be constructive if it were to happen over beers :slight_smile:

(Edited to add: I’m talking only about consumer VPN services and not about corporate/organization VPNs, about which none of my arguments apply)

You communicate with your bank over HTTPS and probably their app. Not much the VPN provider can do with that. Maybe if you tried to log in through a web portal and the VPN server mimicked your bank and made you accept fake certificates … but that is a big theoretical maybe. You would have to be very naive and the VPN provider would have to target you specifically (as a client of a specific bank).

I think it absolutely depends where you are whether a VPN is of value or not. I wonder if there are any statistics as to liabilities based on country? As someone who uses a coffee bar every morning to work, I restrict online stuff to email and internet browsing.

Plus how does Face ID or Touch ID stack up when it comes to banking apps? Is that information clonable by the average script kiddie? I doubt it.

1 Like

Personally I think most VPNs are snake oil, and all you are doing is moving who you are trusting with your traffic from your ISP to some other party.

I am an advocate of either rolling your own VPN using one of the cloud providers or using Tor.

With rolling your own you know the only person with access to your logs is yourself, and with Tor you know that no one part of the onion has all the information: the entry point does not know where you are going and the end point does not know who you are.

Since most web traffic is protected by SSL, a VPN is all about limiting the exposure of things that fall outside of the SSL envelope (that metadata stuff governments always like to store).

In most of the ads I have heard for VPN services around the Internet, it’s so that you can log into your bank on free wifi without worry. Since any bank worth using has been using SSL for a very long time, the only packet information that leaks out is that a device is connecting to bank x and some information about the device connecting.

Side rant: who uses free wifi anyway? At this point I get 18GB of data for $24 a month, I live in regional Australia and always have network everywhere I go. If you are worried, just don’t use it.

3 Likes

If using SSL or other data encryption the only things a VPN buys you are:

  1. Hides who you are communicating to (other than the VPN service) to anyone sniffing locally, on your side of the VPN service.
  2. Hides where you are coming from to the service you are communicating to on the other side of the VPN.
  3. Allows secure access to a private network from outside the network (such as an office network from home).

Of course it also encrypts data that might not otherwise be encrypted such as ftp, unencrypted mail, rlogin, but these are fairly rare in this day and age.

So I’d say reason 1 is of little practical use unless you frequent sites for illegal activity. Reason 2 seems to be primarily used to spoof being in other countries to access services only available in those countries. This is commonly either illegal or breaks TOS. Reason 3 is the original use of VPN, but when you do this you don’t need or want a third party VPN.

I’d love to be proven wrong.

1 Like
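As an added illustration of the point made in this and the earlier post (example code, not from the thread): with TLS the content is encrypted, but the very first packet of the connection, the ClientHello, still carries the destination hostname in cleartext in the SNI extension, so anyone sniffing the local network can see that a device is talking to bank x; a VPN tunnel wraps that whole record, so only the VPN endpoint sees it. The ClientHello below is constructed inline rather than captured, and the hostname is a placeholder.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with an SNI extension (constructed, not captured)."""
    host = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host       # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03"              # client_version TLS 1.2
            + bytes(32)              # client random (zeros here; constructed)
            + b"\x00"                # session_id length 0
            + b"\x00\x02\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"            # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def _walk(record: bytes):
    """Parse the fixed-layout fields, then scan the extensions for server_name (type 0)."""
    if record[0] != 0x16:                                           # not a TLS handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:                                               # not a ClientHello
        return None
    pos = 4 + 2 + 32                                                # handshake header, version, random
    pos += 1 + hs[pos]                                              # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]              # cipher_suites
    pos += 1 + hs[pos]                                              # compression_methods
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]         # struct.error if no extensions
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0x0000:                                         # server_name extension
            q, stop = pos + 2, pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
            while q + 3 <= stop:
                ntype, nlen = hs[q], struct.unpack("!H", hs[q + 1:q + 3])[0]
                if ntype == 0:
                    return hs[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        pos += elen
    return None

def extract_sni(record: bytes):
    """Cleartext SNI hostname from a ClientHello record, else None; this is all a
    local observer needs to learn which site an HTTPS connection is going to."""
    try:
        return _walk(record)
    except (IndexError, struct.error):                              # truncated or malformed input
        return None
```

Running `extract_sni` over the bytes of a VPN-tunnelled connection returns None at every offset, because the ClientHello is inside the tunnel's encrypted payload rather than on the wire in the clear.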

Tor is controlled by US government, so not really a secure option :wink: And it is also full of unsafe nodes.

Never use Tor.

VPN is an easy-to-use effective privacy tool that also adds a nice layer of added security. Nothing more, nothing less :slight_smile:

A VPN basically is a solution to get you “1 step beyond” your current location, if you feel it is needed.

E.g. in a coffee shop you might hesitate to get onto the unprotected local wifi to do some work. A VPN solution would help “hop” you through the local wifi to a different location (exit node).

Any solution, even a VPN solution, should always be looked at with care, and you have to make your own risk assessment.

For me:
I have encrypt.me on always when not on a trusted wifi, and I only trust 1 network (my own home network).

But, that is just for regular internet browsing work, and maybe processing email (through protonmail)
When it is more sensitive I add another VPN layer to the mix and tunnel into my home network, and continue from there.

But, it is always to get “1 step beyond”, not to provide full security or privacy protection.
This means additional security controls are needed like using a secure email provider, get a provider that has DNSSEC enabled and so on. But that is up to each individual situation, and the risks associated with that situation.

A VPN is a tool to get to a solution, not a solution in itself.

to this:

Actually Tor is 80% funded by the US State Department, the Broadcasting Board of Governors and the National Science Foundation. But funding is also received from European governments and many NGOs.

So yes, funding is received from some US government departments, but there is no indication whatsoever that any “controlling” is going on. Even better: all software is open source, and I have never seen any report of “US controlling Tor”.

My point:
If using Tor is something that can keep you safe or save your life, please keep using Tor.

4 Likes

Tor is a security scam. There were news about this for years.

Best aggregated source on this I found is: https://restoreprivacy.com/tor/

Reading the article, it seems full of conjecture and suggestion, so I don’t really know what to make of it. For me it’s a bit too “Conspiracy Theory Inc.”

It raises valid points though, but they would be equally true for a lot of other VPN options.
(but then maybe substitute US with China and you’re golden)

I think everyone has to do their own risk assessment, and as I said in my reply: there is no magical solution, it is all about defense in depth.

1 Like

Just because you’re paranoid doesn’t mean they aren’t out to get you :slight_smile:

There is just too much going on with Tor to believe it’s secure. If someone is thinking about using Tor, a good VPN is a better solution. And still, it is just a tool and not a solution for everything.

I agree a little bit with everything being said here … and I disagree a little bit with many of the things said here. I guess that means that I am neutral :smile:.

I definitely agree that you should ensure that everything that you do uses SSL/TLS. All email, all websites, etc. That’s the first step. This will ensure that your data (including usernames and passwords) is end-to-end encrypted.

It is also important to not ignore certificate warnings, especially if you are not on your own network. Man-in-the-middle attacks can still happen, especially on public networks.

VPNs are a bit harder to decide on given that most things use SSL/TLS, but I do suspect that they can reduce the possibility of a MITM attack. They increase your privacy just a little since everything is encrypted between you and the VPN service (i.e. all of your data, which should already be encrypted by SSL or TLS, as well as most of the header information). (And this includes DNS lookups, which is a nice benefit.) But it does mean (1) you need some trust in the VPN provider and (2) the VPN ends at the provider and your data goes the rest of its journey to the ultimate destination without the benefit of the VPN.

I solve problem (1) by running my own VPN at home. When I am traveling and doing something particularly sensitive like financial things I will usually start up my VPN connection. But I don’t worry about it for most other things. Not much you can do about (2) except use SSL or TLS for everything.

2 Likes