An honest VPN commercial – from somebody who actually knows what he’s talking about

Topic

New Reply

https://www.youtube.com/watch?v=WVDQEoe6ZWY Tom Scott knows whereof he speaks – and he speaks the truth, as best I know it. Thx Catalin Cimpanu
[See the full post at: An honest VPN commercial – from somebody who actually knows what he’s talking about]

15 users thanked author for this post.

RetiredGeek, Lori, Mr. Austin, DriftyDonN, Great Lake Bunyip, Fred, 280park, Noel Carboni, plodr, AJNorth, CAS, doriel, PKCano, GreatAndPowerfulTech, lurks about

Reply | Quote

Replies

Good overview of the real reason to use a VPN and the over-hyped claims made by the ads.

Reply | Quote

Enjoyable  to watch. Thanks!

GreatAndPowerfulTech

1 user thanked author for this post.

Mr. Austin

Reply | Quote

I’ve always questioned many of the claims VPN providers have been making, and now I know I was right to.  Thanks.

Regarding torrents – so long as you disable peer exchange and DHT, and enforce encrypted connections, you won’t get flagged by your ISP.   At least not on Comcast.

1 user thanked author for this post.

Mr. Austin

Reply | Quote

Thank you so much for posting this video, Woody. Hearing the truth about anything is so rare today. Tha’s why I come to your site and ghacks, even though I don’t understand much of the technical information.

Since the advent of VPN’s I must have read hundreds of articles and investigated 10’s of VPNs. (The result has been confusion.) No more; not after watching this video.

I’ve returned to using FF ESR as my default browser so when I see the “green lock” I know my information is encrypted. I also use HTTPS Everywhere, a FF add-on, and rarely go to a site without it. I admit that I use Browsec’s free VPN, also a FF add-on, for all of my browsing, except your site because you kindly told me that spammers use this VPN and I couldn’t post here if I used it. On those rare occasions that HTTPS has to be disabled to get to an http site, my lame VPN tells them I’m in Clifton, NJ. I never log into an insecure site. I don’t care if they keep a log or that FF add-on’s all request permission to know my browsing activity.

I’m doing the best I can, security-wise, and will continue to read and patch, based on your suggestions. I’m sending you another check to show my continued support and for saving me from researching and worrying about not having a “real” VPN.

2 users thanked author for this post.

Mr. Austin, woody

Reply | Quote

“https” is great but I think you need to know your client configuration, certificates, possibly OpenSSL version to know if you have vulnerabilities.  Same with a VPN service, or running a private VPN such as on your NAS.

Reply | Quote

Nice video.  I’ve had a few users asking about VPNs recently (specifically our customers trying to connect to our services from Asian-based IPs) and was trying to explain why VPNs are useful and why they’re a fad.

Hits the nail on the head for both issues.

Reply | Quote

I’ve always liked Tom Scott’s ‘no nonsense’ approach to subjects.

Reply | Quote

Me too; I hope he’s OK as he always sounds out of breath to me.

Reply | Quote

Nicely done, the video. I only use VPN to telecommute to NASA, which I enjoy doing to perform most of my work there from home and entirely in my own hours, being semi-retired these days, and using only the VPN software the government IT people has prescribed and that I do not get to choose.

Otherwise and among other serious uses of VPN, such as those discussed by Tom Scott in his YouTube video blog, and that are all very good reasons for using it to secure anonymous and untraceable Internet access: I am not, right now, planning one or more assassinations, or have plans for massive smuggling of “content”, or manage the importation and distribution of drugs for a Cartel, or assist with money-laundering operations, or actively engage in human trafficking, or am working towards the violent overthrow of some government.

But it is very nice to know, if one ever finds oneself in real need to do any of those things, that one can always count on VPN for doing it.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

This is an example of what has caused me some confusion, and maybe you can help. Please forgive any misuse of terms and correct where needed.

For longer than VPN has been a hot topic, I have known of remote connections, or end to end tunnels, or other ways to describe a dedicated link to a customer or vendor. I have lumped these concepts under a heading of private network, where there is no non-encrypted (in the clear) exposure along the way.

VPNs that are widely advertised only give that protection to their node. Whereupon they became your remote ISP so to speak. With all the same privileges and hazards that you wished to deprive your actual paid ISP. I have joked that the name Virtual Private Network is very apt. In that it is neither private nor a closed network. Virtual applies to both descriptors. And for myself, I have decided I have more trust in a paid contract (with my ISP) than a service provided for free (where I am likely the product). I remain unconvinced that the service has enough value to pay a subscription or purchase.

But I feel like I’ve only rewritten what Scott already covered with more style in that excellent video. Only in a much more clumsy way.

So I guess my real question is, does your NASA contract have you utilizing a proprietary tunnel all the way through; or simply advise you to use one of these advertised products that are only half a tunnel?

I can see how that anonymizes your end of the connection, but not how it would conceal traffic from the VPN service. I assume your payload of data transmitted is itself encrypted within the overall transmission packets. Thanks for any corrections and help in understanding better.

Reply | Quote

Transmission is encrypted, both ways. I don’t know about the details. Also, to be able to use this VPN one has to make use of a valid government-issued PIN in a keychain, to be allowed access to the government network. I imagine this security setup is no invulnerable to attacks (what is?), but even so, it should deter many from trying to break into the network that way.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

Mr. Austin

Reply | Quote

VPN is a group of protocols on how traffic should be encrypted, end-to-end.  VPN’s original purpose was to allow external users to connect into company resources securely.  In the case of NASA they probably host their own VPN service internally; they wouldn’t be using another service like NordVPN.  They probably do use a specific implementation of VPN, something provided by a  specific software or hardware vendor (eg, Dell, Cisco, HP)

Most VPNs in the world are privately run by corporations for their external users.  They are not services that resell an Internet Point of Entry.

Reply | Quote

Anonymous: “In the case of NASA...”

The way you describe it is how it’s done.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

A few years back I read here at AskWoody or at Windows Secrets that https security was broken. Has it been fixed?

Group "L" (Linux Mint)
with Windows 8.1 running in a VM

Reply | Quote

HTTPS isn’t broken, but there are potential issues. See this article for more info.
https://en.wikipedia.org/wiki/HTTPS#Limitations

cheers, Paul

3 users thanked author for this post.

Great Lake Bunyip, OscarCP, woody

Reply | Quote

Good, practical presentation. Thanks for sharing it, Woody / Catalin.

All encryption can be broken. It’s designed to be difficult but not impossible. Do you even begin to imagine your government would allow you to encrypt things they can’t decrypt with a government budget? Why do you think key lengths keep increasing only incrementally as time goes on?

Security is mostly about weighing costs and probabilities, and beyond that deciding who to trust.

What security is most certainly NOT is something that should motivate our actions (or spending!) through fear, uncertainty, and doubt. Computing companies have understood security for a long time and know how to market it to leverage their sales, and make no mistake, they DO market it – even with absolutely no practical evidence (where’s that post Woody wrote about “where are all those exploits anyway?”).

Read and learn as much as you can. You’ll find understanding is a good antidote for fear.

Now consider this: Before signing up to spend $$ each month for a service, run by who knows whom in some other part of the world, understand this: Many home routers, with a little setup, offer the ability to establish a VPN connection to your home network when you are away. I have one myself. If you’re really worried about what might be sent across your wireless link when you’re abroad, or whether someone locally might get to know you in ways you don’t want through your DNS resolutions, that home VPN connection will net you that fully encrypted tunnel… Web site names will be resolved just as if you were on a computer at your home, and not by whatever DNS server the coffee shop or airport has. Food for thought.

In my mind part of it boils down to “whom do you trust more” (in a world where it’s practically impossible to judge): When I think about this I imagine I might be able to trust a local service provider in my own country a bit more than some overseas VPN company.

-Noel

3 users thanked author for this post.

Mr. Austin, Great Lake Bunyip, Sessh

Reply | Quote

[Sessh]

The thing about VPN’s is that it’s kind of important what country the VPN is operated out of. What is known as the “Five Eyes” consist of the US, UK, Canada, Australia and New Zealand. There is an intelligence sharing agreement between these five countries, so if any of them gain access to your personal data, you can be sure they will share it with the others.

Then, there are two other international alliances (Nine Eyes: Five Eyes + Denmark, France, Holland and Norway / Fourteen Eyes: Nine Eyes + Germany, Belgium, Sweden, Spain and Italy) which also share your data. Japan, Israel, South Korea and Singapore could also be involved, but not confirmed.

Therefore, a VPN based in any of those countries is not a good idea for anyone who cares about their online privacy. Of course, there’s always risk no matter what, but the above mentioned countries are involved in global surveillance and share people’s data with each other regularly and Snowden is a big reason why we’re aware of this now. VPN’s based outside of those jurisdictions are better choices for privacy than ones that are in it.

I will certainly keep routers with built-in VPN’s in mind next time I am set to purchase a new modem.

• This reply was modified 3 years, 10 months ago by Sessh.

3 users thanked author for this post.

SueW, Alex5723, Fred

Reply | Quote

Sessh: that leaves a lot of the world out, but does not leave much to choose from. So: Portugal? Norway? Finland? The Central African Republic?

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

2 users thanked author for this post.

Mr. Austin, Sessh

Reply | Quote

A few examples of highly regarded VPN’s outside of those jurisdictions:

• CyberghostVPN (Romania)
• ProtonVPN (Switzerland)
• NordVPN (Panama)
• ExpressVPN (Virgin Islands)

You are still right, though. It does leave a lot of the world out, but it’s disturbing that so much of the world has to be excluded in order to have any hope of staying out of the 14 eyes line of sight. Quite depressing really.

 

1 user thanked author for this post.

Mr. Austin

Reply | Quote

A very good post, thanks. In philosophy it reminds me of my policy that I prefer to store my password credentials locally rather than have them mediated by some cloud company I don’t know.

Reply | Quote

Even if I accept the claims of enhanced security made by a VPN, is it not true that my internet traffic must first reach the VPN in order for the VPN to work its magic? In other words, if, for example, I use my home computer to do some online banking (which I do not do) the data and passwords that I enter into my computer first goes to my wifi router, then by dsl on a copper wire to my isp, and only then to the VPN? I don’t understand how a VPN does anything to enhance the security of my data on its trip from my computer to the VPN.

Reply | Quote

280Park: That’s a really good question. The answer being, as explained in more detail here:

https://www.namecheap.com/vpn/how-does-vpn-virtual-private-network-work/

“A VPN works by routing your device’s internet connection through your chosen private server rather than your internet service provider (ISP) so that when your data is transmitted to the internet, it comes from the VPN rather than your computer.”

So, as already discussed here earlier, it all comes down to just how trustworthy is the “chosen private server” operator that provides you with the VPN connection. And to how well-encrypted are the transmissions you send and receive through the VPN.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

Fred

Reply | Quote

OscarCP wrote:

So, as already discussed here earlier, it all comes down to just how trustworthy is the “chosen private server” operator that provides you with the VPN connection. And to how well-encrypted are the transmissions you send and receive through the VPN.

It’s nice to try the TOR-networks through the own VPN connection, or using TOR and then an extra VPNproxy in the browser…
Concidering the xEyes-international-cooperation:
Last week it became clear in the Netherlands that the intelligence services still are exchanging data with other countries in an uncontrolled manner. Data that can still be swept or checked without real legal necessity. Whatever the legal limits are, it is still being done, …… and most people don’t seem to care, after all, “they have nothing to hide …”

It seems that the time of “Permanent Record” by Edward Snowden is even more elusive.

* _ the metaverse is poisonous _ *

Reply | Quote

@280park, you do understand the basic concept correctly. The quotation offered to you makes it sound as though your traffic finds some magical path that does not go through your ISP. You correctly realize that just cannot be true, the way your system is set up. Your only link to the internet is through your ISP, it’s right there in the name. And all the bits you send and receive go through them.

What you are not shown is the secret pocket where the magician holds the doves before exposing them with a flourish. By wrapping your traffic in a packet that only goes to the VPN before it crosses your ISP’s gear, you hide the information that gives the real purpose of your requests. Just like wrapping your postal packages in brown paper and twine to protect the goods within. The only addressees you have written on the outside is your own return and the VPN. Your ISP sees all your traffic go to a single choke point, and knows nothing of what happens after that.

The VPN now handles your traffic in exactly the same manner your ISP would have. And offers no further protection from corruption further down the line from their node. You have hired a Man-in-the-Middle to handle all your traffic. But because you trust this service, you prefer to call it a VPN.

Reply | Quote

Anonymous: “you do understand the basic concept correctly. The quotation offered to you makes it sound as though your traffic finds some magical path that does not go through your ISP.

Or perhaps that is not entirely so:

https://www.quora.com/Is-it-possible-to-have-two-different-internet-providers-in-one-house

It says there that “yes, one can” have two, or even more ISPs. It just takes some more work. If that is so, then, perhaps, if one ISP is, let’s say, your original one and, until now, only ISP, could not the second, eventually, be the owner of your future “chosen private server”: the VPN provider?

I am not trying to refute anyone here. I am really interested in learning from this discussion on a topic that rarely comes up. And others here might be interested, too.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

When thinking of how ISPs work, it’s usually easier to think of them as streams feeding into a larger river, which reverses (from river to streams) on the other end.  Your ISP will run your traffic up to a certain level, after which one of the national or international carriers takes over routing data.  When you sign up for a VPN service, you’re not getting a second ISP.  Having a second ISP is like having a second stream connected to your house:  You can choose down which stream your internet traffic goes.  You can even choose which types of traffic goes down which streams, eg all standard browser traffic goes down one while your VoIP (Voice over Internet Protocol, like Skype or IP Phones) goes down the second.

A VPN travels the same stream as other traffic over your ISP.  It just changes the traffic a bit so that it’s not easy to read what is going on.  Most traffic nowadays is encrypted already.  When you send an encrypted request to https://www.youtube.com, your ISP will see that your traffic is going to YouTube.  If you’re on a VPN and go to https://www.youtube.com, your ISP sees that your traffic is going to a VPN, not that you’re using YouTube.  From the point of view of your ISP it doesn’t know what you’re doing over that VPN.  Once your traffic reaches the VPN provider, the VPN sends out your request over their own ISP.  Their ISP knows that a request was sent out to access YouTube, but since there could be thousands of people using that connection they cannot determine if it was you using YouTube.

That said, if you have a Google account that you log into while using YouTube, then you’re not hidden.  YouTube/Google now knows that you access their services from two different places; your home and a VPN service.  Even after you log out of your Google account, they could theoretically determine which requests are yours via cookies or analyzing the traffic to figure out the likelihood that it matches your usage patterns.  Also, you now have a company (the VPN provider) who also knows that you went to YouTube.  And, if they are malicious and you accept something you shouldn’t, they could know even more like what your account password is as well as which videos you were watching.  Of course that’s a worst-case scenario and I’d assume trusted VPN services would not do this.

1 user thanked author for this post.

Mr. Austin

Reply | Quote

Anonymous: “That said, if you have a Google account that you log into while using YouTube, then you’re not hidden. ”

Quite so. One reason for Google to determine who I am is that they already have my email address as my user ID and they use that to verify that my password and my address match. That should be the same with most of the online services I use. I don’t see a likely problem with Google knowing that I am using an account they keep open for me. If I wanted to anonymize my use of the Internet, it wouldn’t be for hiding my use of those plain-vanilla services I subscribe to.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

There are methods that can be used in order to make certain that all traffic to/from a VPN or another service are encrypted.  It’s a fairly complicated topic, but let’s use a single case to show how this works:

You sign up for a VPN service (let’s call it FooVPN) which requires that you download a client on your PC before you can use their service.  You download this client to your desktop and install.  This client has information baked into it that allows it to encrypt that data between it and FooVPN (Public/Private keys and certificates).  Now assuming that this client has not been compromised in some way, and does come directly from FooVPN, it is capable of recognizing and responding properly to the FooVPN services’ encryption messaging.  Other systems (like your ISP) do not understand this traffic, and instead forward this information on to FooVPN with no modification.  If they do try to modify the traffic, then either the FooVPN client or the FooVPN servers will recognize the message has been tampered with and reject it.

How secure is this tunnel?  That all depends on whether or not the encryption has been compromised in some way, or whether or not one of the end points has been compromised.  Compromising the encryption is usually hard unless the attacker knows the protocols and public/private keys in use so that they can decrypt the data, read it, and re-encrypt the data in such a way that both endpoints accept it as legitimate.  This CAN be done, but is quite hard to do.  HTTPS sites rely on a similar encryption system, however since at least one set of the keys are more publicly well known they may be more likely to be compromised.  The larger concern is whether or not the end points have been compromised.  Eg, do you have spyware installed on your desktop?  Well then your traffic may be compromised and is being sent to some other actor.  This spyware could be part of the VPN client that you just installed…

2 users thanked author for this post.

Mr. Austin, OscarCP

Reply | Quote

I wanted to open this up again.  There was also another thread on VPN’s on Ask Woody.  I use Express VPN and am on the fence whether I should renew it.  I intuively feel that Express VPN would be more reliable than my Verizon ISP.  Also Restore Privacy which I rely on for info on email providers, search engines, etc. does recommend VPN’s in general and specifically Nord VPN, Surfshack VPN and Express VPN.  My use of the VPN is for surfing the web.

Express VPN seems very ligitimate to me.  When I wanted to change my email address I could not do it automatically on the website.  They require you to repeatedly answer questions to prove your identity with one of their staff members.  That said I’m still unsure whether VPN’s are worth it or not since so many people have different opinions.

Reply | Quote

I see no benefit to using a VPN for browsing, unless you go to some very dodgy sites and want to attempt to hide your visits from the authorities.

A VPN is for secure connection to your business or for private / banking use when on public wifi.

cheers, Paul

2 users thanked author for this post.

b, BATcher

Reply | Quote

Thanks Paul.  I was under the impression that it is better for websites not to know where I am located but I am rethinking this.  I only use my home computer and perhaps I have been overly cautious?

Reply | Quote