faintwhenfree,

VyprVPN. I’m late to the party, but I’ve spoken to the founder on a couple of occasions, and he seemed like a guy that really just wants to provide a no-nonsense VPN. It’s not the best or fastest service, and I don’t need a VPN for everything, but for whatever I need, it’s cheap and it’s privacy friendly.

GadgeteerZA,

Proton VPN - been working well for streaming services too for me

dmrzl,

tinc

cow,

I don’t. Your ISP can hardly see anything you do online. Almost all websites are encrypted with HTTPS, and if you are concerned about them seeing what domains you visit, you can just change your DNS server to Quad9 or something else privacy-respecting. A more valid use case for a VPN is preventing websites from tracking your IP address, downloading “Linux ISOs” or bypassing geographical blocks, and for that I used Mullvad, but I am looking for something else now that they blocked port forwarding.

Shaikan,

I don’t know if you are serious, but HTTPS does not mean anything; all major HTTPS websites are already decrypted anyway

just_browsing,

Yeah… that’s not how TLS works.

Shaikan,

I won’t go into much detail, but ISPs can act as intermediaries in HTTPS calls, and TLS would work only between you and the ISP and then between the ISP and the requested server. Software like Zscaler does similar stuff; you can look it up if you want

just_browsing,

I’m familiar. Other than key exchange for encrypted connections, the whole point of HTTPS/TLS is establishing who you’re connecting with is who they say they are and preventing man in the middle attacks just like you described.

If your traffic was being intercepted by something like Zscaler it wouldn’t be able to provide the proper signed certificate of that web address and your browser would throw a mismatch error. IT departments using such intermediaries for https traffic inspection only get around this by installing the intermediaries’ root CA on your system so it’s not flagged by your browser or whatever you’re using for TLS traffic.

The only way someone could intercept your TLS traffic and then pass it onto you without you knowing is by having that website’s private key to sign the traffic with, which is a major security breach. As soon as something like that is discovered the certificate is revoked and a new one is issued with a different private key.

So, again, that’s just not how TLS works.

en.m.wikipedia.org/…/Public_key_infrastructure
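The trust-store point made in the comment above, shown as an added example that is not part of the thread: a certificate minted by an inspection proxy's own CA is rejected by a client that trusts only public roots and accepted once the proxy's root is installed. Every name here (the two roots, `www.example.test`) is constructed, and the `openssl` command-line tool is assumed to be available.

```shell
#!/usr/bin/env bash
# Added example: all certificates and names below are constructed for the demo.
tls_inspection_demo() {
  local dir rc
  dir=$(mktemp -d) || return 1
  (
    cd "$dir" || exit 1
    # Minimal config so both roots are marked as CAs regardless of system defaults.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' 'prompt=no' \
      '[dn]' 'CN=unused' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > ca.cnf

    # Two self-signed roots: one stands in for a public CA, one for the proxy's CA.
    for ca in public proxy; do
      openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed $ca root" -keyout "$ca.key" -out "$ca.pem" \
        2>/dev/null || exit 1
    done

    # The proxy has no access to the site's private key, so it makes its own
    # key pair for the site's name and signs it with the proxy root.
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null || exit 1
    openssl x509 -req -in leaf.csr -CA proxy.pem -CAkey proxy.key -CAcreateserial \
      -days 1 -out proxy_leaf.pem 2>/dev/null || exit 1

    # Report whether the proxy-issued certificate chains to the given trust store.
    verdict() {
      if openssl verify -CAfile "$1" proxy_leaf.pem >/dev/null 2>&1; then
        echo accepted
      else
        echo rejected
      fi
    }

    # Unmanaged client: public root only. Managed client: proxy root installed too.
    cat public.pem proxy.pem > managed.pem
    echo "$(verdict public.pem) $(verdict managed.pem)"
  )
  rc=$?
  rm -rf "$dir"
  return "$rc"
}

tls_inspection_demo   # first word: unmanaged client, second word: managed client
```

Listing the roots in a machine's trust store and looking for one you did not expect is the matching check for whether inspection of this kind can go unflagged on that device.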

Mcballs1234,

Mullvad was really good until they removed port forwarding

cow,

What would you suggest now? IVPN and mullvad used to be my go-to VPN providers but now that they both removed port forwarding I really don’t know what to use.

Mcballs1234,

I’m in the same boat as you, but I heard good things about air vpn

rambos,

Yeah I moved to airvpn and had 0 problems so far. Price is about the same

hobs,

Even DNS traffic and IP address and packet metadata is extremely valuable to ISPs like Comcast and AT&T. They use it to control what you can and can’t do – for example, throttling your access to streaming video services that compete with their own streaming products or partners’ products. They spent millions to overturn Net Neutrality regulations so they can use what they know about your traffic to monetize you (steer you to their products).

just_browsing, (edited )

Yup. An ISP could potentially gain some information based on the IPs you’re hitting and the number/frequency of packets sent and received, but that would take serious logging and analysis on their part. It’s much easier to collect data through DNS requests.

penguintrinity,

@just_browsing

@cow DPI would probably be easier.

just_browsing, (edited )

Deep packet inspection by definition requires the ability to see inside the packet, which if using HTTPS wouldn’t be possible for your ISP.

They can still see the destination IP, return IP, and port number, but that’s it. It would take a ton of storage to log all of that packet data though, and it’d be difficult to come up with a way not to double count it if it’s going through multiple hops on the ISP network.

Logging DNS requests on the DNS server would be a much easier way of collecting that data if they wanted it. I know cloudflare collects aggregate DNS query data through their public DNS server, and Google likely does too.

penguintrinity,

@just_browsing I was just bullshitting. Sure, they would need a proxy of sorts and a certificate to open your packages if you use HTTPS. I suppose the only thing that can help with carrier surveillance is a good VPN or TOR. But even then, the VPN provider is a problem in and of itself.

jbloggs777,

If you torrent copyrighted material in Germany, you definitely want a VPN. Private law firms “representing copyright holders” regularly request information about consumers based on source IPs/protocol/ports from ISPs with a court’s rubber stamp, then send out demand letters for hundreds of euros, with a risk of thousands if you choose to fight it.

Sometimes they follow up if you ignore it, sometimes not. It is horribly oppressive.

tl;dr Germans who torrent from a consumer internet service should use a VPN

kikkih,

@FarLine99 Proton VPN (+ quad9 DNS-server for when not connected to Proton VPN).
This playlist, “Home network privacy” by nbtv, may be of help:
https://odysee.com/$/playlist/d4d6b600dbee7c5938fe9376e80ea12a22035217

FarLine99,

Awesome choice. Sadly, Proton is blocked in my country (Russia), but when it worked a few years ago, it was an awesome experience!

possiblylinux127,

VPNs are not what you think. They just move your traffic somewhere else. Honestly, just use HTTPS only and you’ll be fine

FarLine99,

ISP says hello, seeing which sites, videos you visit and sharing this info with government. Reputable VPN’s exist. Link to reputable resource for comparison.

possiblylinux127,

They don’t though, unless you’re not using HTTPS for some reason

Torty,

The DNS resolution, assuming you’re just using your ISP’s DNS authority servers, is still very much known to your ISP.

They can still identify my traffic, where I’m going, what I’m browsing, etc.

With a VPN that you can trust, that emphasizes user privacy, that doesn’t store PII, that doesn’t comply with local law enforcement short of being issued a warrant, all my ISP sees is I keep routing encrypted web traffic to an IP that they can identify is a machine somewhere in the Netherlands.

And besides that they know absolutely fuck all.

Without the VPN they can identify the IPs I make https requests to belong to beehaw, belong to imgur, belong to Netflix, belong to some torrenting site, etc etc.

possiblylinux127,

Or I could just use encrypted DNS. Also the VPN company also can see IPs

Carrot4016,

They don’t. They can link your IP to your identity and they might be able to collect DNS queries. Nothing more realistically.

Carrot4016,

They do hide your “real” IP address from other peers when using BitTorrent, such that angry letters from copyright holders go to the VPN instead of your ISP. The assumption is that your ISP would be more likely to snitch on you when compared to a reputable VPN.

possiblylinux127,

The VPN company is legally required to report you just as much as your ISP

Carrot4016,

That’s true, but you can hope they don’t keep logs, or hope they don’t know your identity.

Agent641,

I pay for Proton. I use it on mobile, laptop, and desktop. It’s quite seamless and unobtrusive. I like a VPN that allows me to forget I’m using a VPN

pathief,

I tried Proton for a month but I’d get A LOT of “confirm you’re not a robot” when entering a lot of websites. Was really annoying. Did you ever get around that?

GlitchyDigiBun,

That’s almost always caused by one of your nodes’ IPs being logged doing sketchy stuff. Try picking a different route.

akilou,

I often do forget I’m on the VPN and I can’t figure out why I can’t chromecast music to my speakers.

Sekrayray,

Could someone give me a TLDR on why Express is bad? Picked them up years ago and am now thinking about switching after this thread.

Streetdog,

They got bought by Kape Technologies. Which was (is?) an ad company.

I don’t trust any VPN that is on those “best VPN” lists and offers 1 month 10$ or 3 years 2$ a month plans.

So far I have used Mullvad, which was good but no port forwarding, and AirVPN which is good too and has port forwarding.

FarLine99,

Good, reputable resource for VPN comparison. Link.

throws_lemy,

None, I only use anti DPI and dnscrypt-proxy since our govt told ISPs to sniff internet connection using DPI

forvirreth,

Got Express right before they sold. Going to swap very soon! Mainly looking at proton for the swap

long_duck,

Proton doesn’t have a good privacy record for a few reasons, including this

GnuLinuxDude,

The protonmail case has little to do with how they log records of protonvpn.

long_duck,

Well they changed the IP logging policy of protonmail on a dime, so who’s to say that they won’t change their VPN’s policy? They just don’t have as good of a track record as people seem to think around here.

GnuLinuxDude,

But the point is what Swiss law is. They cannot be compelled by a court order to log data for their VPN service, but they can be compelled by a court order to log email accesses. This needs to be considered by users of Proton, and indeed it is a bad mark against them that this wasn’t clear upfront before the French activist case.

I’m not saying all this to defend Proton, really. I don’t even use their service anymore, but I did use the vpn for 3 years without incident.

Jonsk, (edited )

Of course it’s disappointing that ProtonMail did this, although I wouldn’t say that the policy was changed “on a dime”, as it said that IP logging was not “on by default”^[1]^. But while disappointing, I can imagine courts pressuring Proton to start IP logging since it’s easier rather than, say, change the entire backend to not encrypt the emails anymore. But to be fair, I would say that if your threat model might include the government somehow, you should probably not trust any service with sensitive details like your IP. But as ProtonMail does what it sets out to do (encrypt your emails + some more) and as there aren’t too many alternatives except maybe Tutanota, I think I’ll stick with it. As for the VPN, it’s open source^[2]^^[3]^^[4]^ (at least the clients, I don’t know about the server), but as I don’t know how to audit code, take that with a grain of salt. And it does semi-regular(?) audits, although the last ones seem to be from 2019(?)^[3]^ and a penetration test (or maybe it was an audit, doesn’t seem like it though) from 2021^[5]^^[6]^. But they said that they’re planning an audit in the next months^[7]^.

Sources: ^[1]^https://arstechnica.com/information-technology/2021/09/privacy-focused-protonmail-provided-a-users-ip-address-to-authorities/

^[2]^https://github.com/ProtonVPN

^[3]^https://protonvpn.com/blog/open-source/

^[4]^https://itsfoss.com/protonvpn-open-source/

^[5]^https://drive.proton.me/urls/XWPWPN079G#KSgiJSoTkysU

^[6]^https://proton.me/community/open-source

^[7]^https://www.reddit.com/r/ProtonVPN/comments/14kvy1e/comment/jsh0l7u/?utm_source=share&utm_medium=mweb3x&utm_name=mweb3xcss&utm_term=1&utm_content=share_button

Additional sources: https://proton.me/blog/security-audit-all-proton-apps

Please tell me if I got something wrong, I’d be happy to fix any issues

Edit: formatting issues and added back the start and the end that was removed

sephallen,

Long time AirVPN user here - never had any issues.

MonkderZweite,

Wireguard.

MonkderZweite,

Oh, you meant web-traffic? I guess a provider in a country with better customer laws, if your ISP is even allowed to monitor you.

gutter564,

None atm. DNS over HTTPS cos I’m poor, using Mullvad’s DNS server instead of a VPN. Makes it a bit more difficult for my ISP

ipkpjersi, (edited )

Selfhosted DigitalOcean VPS with SOCKS 5 SSH tunnelling for masking my home IP when web browsing and OVH VPS with OpenVPN server for masking my home IP for my local seedbox server. I don’t really need commercial VPNs since I only really need basic functionality to mask my IP and I don’t really need a shared service to do that.

YMMV, of course.

chemicalwonka,

Did you care about traces that you left behind and can be linked directly to you? It’s a nice setup, but if you pay for the DigitalOcean VPS with PayPal, for example, or a credit card, all your efforts to hide your real IP that is linked to you are useless. I don’t know if this is a major concern to you, of course.

ipkpjersi,

Yeah, I’m aware it’s dedicated and not shared, and there’s billing info etc. It’s just so that websites, particularly forums etc cannot have my home IP just like that. It’s an additional layer of protection.

0Xero0,

I’ve been using Proton for half a year, and I’m considering buying the Unlimited plan
