This is the problem with using VPN services in general, you have to have complete trust in the service provider.
A man-in-the-middle attack — nowadays also called adversary-in-the-middle
Oh Jesus why
Because “adversary” is clearly gender neutral and “man” is not, so “man” isn’t able to continue it’s double meaning as being short for “mankind” which itself is short for “humankind,” for fears that it’s exclusionary.
“I can’t think of a good argument for why this is okay. No security person is ever comfortable with this
I agree, but wait till you hear what network appliances are doing and what processor manufacturers are doing…
you have to have complete trust in the service provider.
Not completley, there is 3rd party audit companies that can verify claims made by the VPN providers, like confirming no-log policy and such.
How do you trust the third parties? And even if the third parties think it is ok that doesn’t mean that they aren’t hiding something.
VPNs weren’t designed to be private.
The p stands for private. They were designed to connect someone to a remote intranet…privately.
Yes, VPNs were quite literally designed to be private
How do you trust the third parties?
How do you trust anyone? At some point you either do or don’t, because it’s just not possible to verify everything in your life.
The alternative would be not using an VPN and for me personally I trust my VPN provider a lot more than my luck of not getting chaught by chance.
Another option, if you have technical skills, is to just run your own VPN which tends to be pretty easy to setup on a VPS nowadays. You can find a VPS provider in a jurisdiction you want, and you control what gets logged.
…so, trust the hosting provider to not log…and that you won’t screw up any config or update, and make sure to use anonymous payments, and…and…etc.
The only thing that actually matters is the jurisdiction. If your hosting provider is in a place that the country you live in can’t legally force to hand the data over then you’re much better off than using a service that may be sharing data with your government.
The topic in question here is not about government abuse of data, it’s corporate abuses, but okay, let’s set that aside.
You’ve said that it’s safer to roll your own VPN using a VPS service precisely because you can’t trust any VPN providers, or auditing organizations.
But you’re now saying that you can trust a hosting provider based solely on which jurisdiction they reside in.
You’re just arbitrarily picking which companies to trust with your connection traffic, but with added complexity, and significantly reduced egress locations for your traffic, which itself dramatically impacts any privacy benefits you were looking to achieve.
First of all, nowhere did I say anything about trusting any hosting provider. The point once again was about jurisdiction of the provider. Meanwhile, there’s nothing more arbitrary about picking a hosting provider than a VPN.
There is a lot of confusion amongst plenty people here, in how they are perceiving VPNs.
It is correct that VPNs are not designed for complete anonymity, security or privacy. However, they absolutely are designed for privacy and anonymity against certain actors, ISPs and regular script kiddies being one of them.
It is also correct that VPNs are not easy to trust, but that is the case with most, NOT all VPNs. Mullvad, IVPN are solid paid options, and Windscribe, AirVPN, ProtonVPN and Cryptostorm are slightly below but good to use as free/paid options. Most other VPNs either have poor technical management, poor uptime or poor track record (affiliate ads, user data leaks) or may be shady.
I agree, it’s all about understanding what the actual value these services provide is and what the risks are. There are legitimate use cases, but it’s important to be aware that it’s not a panacea.
This is a very important video to watch for ordinary people, as far as VPNs are concerned. https://www.youtube.com/watch?v=WVDQEoe6ZWY
Here is an alternative Piped link(s):
https://www.piped.video/watch?v=WVDQEoe6ZWY
Piped is a privacy-respecting open-source alternative frontend to YouTube.
I’m open-source; check me out at GitHub.
Zuck really took that P out of VPN huh .
deleted by creator
just wait until we hear about the new Crypto AG scandal
So…Facebook wanted to be a better app for sending disappearing dick pics?
“No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works”
Apparently there was some debate among the Facebook leadership about whether getting clueless people to sign a consent form was good enough for them.
Cool.
This is the best summary I could come up with:
In 2016, Facebook launched a secret project designed to intercept and decrypt the network traffic between people using Snapchat’s app and its servers.
On Tuesday, a federal court in California released new documents discovered as part of the class action lawsuit between consumers and Meta, Facebook’s parent company.
“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them,” Meta chief executive Mark Zuckerberg wrote in an email dated June 9, 2016, which was published as part of the lawsuit.
When the network traffic is unencrypted, this type of attack allows the hackers to read the data inside, such as usernames, passwords, and other in-app activity.
This is why Facebook engineers proposed using Onavo, which when activated had the advantage of reading all of the device’s network traffic before it got encrypted and sent over the internet.
“We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.
The original article contains 687 words, the summary contains 175 words. Saved 75%. I’m a bot and I’m open source!
So (and im asking for technical clarification as a layman) Facebook didn’t put this data miner on unknowing user’s phones but did pay teenagers to install one (onavo) on their phones that worked to decrypt traffic for everyone those users interacted with… Right?
yup that’s basically it
deleted by creator
There is no way to know whom the trustworthy VPN provider shares data with. That’s just the reality. And sure you’re back to square one if you don’t use a VPN, but the point here is that people think that using a VPN is much safer than it actually is. Furthermore, another option is always to just run your own VPN that you can host in whatever jurisdiction you want.
deleted by creator
The creators of MullvadVPN or their identities are not prominently disclosed, which means you have to trust them. For all we know they could be working with Swedish law enforcement or other nations and you’d never know.
deleted by creator
It’s safe to assume they were not providing data to anyone at the time, and perhaps they are not now. Thing is that you don’t know that, and it’s a relationship fundamentally based on trust. There’s nothing wrong with trusting a company like Mullvad, but it is just trust in the end.
