As usual, when it's free....
.... you are the turkey
(seasonal variation)
Many popular free VPN apps are sketchy Chinese operations with dubious privacy policies, according to research. Metric Labs' Top10VPN conducted a rare investigation into the ownership structure and responsiveness of top VPN providers who distributed their services on iOS and through Google's Play Store. 86 per cent are deemed …
"Just like what you get with Linux."
Linux is not a service. You don't sign up for it, and you don't send your data through somebody else's server in order to use Linux.
(@MMR, voted you up, but I just had to go and at least explain the key difference, in case others don't get it.)
Is to become the VPN supplier by default.
I'm not sure what Migliano wants to do here. Has he ever run, or have good knowledge of, the circuitry involved in protecting all of the networks involved?
I do think that the eventual path of personal privacy along with stuff like VPNs will be to entrust our souls to the suppliers and governments.
Perhaps that's what they want?
The problem is, Apple and Google are victims of their own success. They never designed their approval systems to consider actually vetting apps, other than a quick code scan to ensure they don't do anything bad on the phone (which, mostly, works). None of these systems actually seems to check the background of the companies writing the apps or the web services behind the apps.
That would require time and effort and, due to the scale that has built up, it would be next to impossible to start now. You would have to implement this sort of checking when the system was introduced and scale it up with demand. But that would mean hundreds of extra employees who do nothing but background check companies applying to be app developers and auditing their backend services on a regular basis.
That would then impact their profits, so users are screwed.
VPNs gain full access to a user's browsing history.
Do these apps get permission on iOS/Android to access browsing history? Is that something available without user agreement? Or do the apps actually operate as a browser?
I ask because, in this day and age, most major websites are secured and therefore while the browser knows where you have been, the network operator and any middle men should know only the root of the site. For example my ISP knows I visited forums.theregister.co.uk but can't see that I visited this page (at least not without trying to correlate the timestamp for this submission to that displayed by the post).
If you're visiting an insecure site, assume everyone and their grandmother knows where you went and what you did while you were there.
It depends on the VPN. Anything clear-text can be snooped on or tampered with to inject ads. Any DNS look-ups for host names will be visible. Some VPNs offer a free browser that may collect your browsing history.
The VPN app could install a root certificate and MITM your SSL/TLS connections, if the websites you browse aren't mitigating that.
We've tweaked the sentence to clarify it.
C.
They don't need to act as browsers or gain any extra access rights on the phone, all traffic goes through them, so they know where the traffic is routed and what you have been looking at.
The same as ISPs and mobile operators, if you aren't using a VPN. The traffic goes through their network and they can log where you are going and what you are doing - to a greater or lesser degree; if the traffic is encrypted, they only know where you have been, if it is unencrypted they can see what you are doing.
That is why responsible VPN providers don't keep logs or delete them after a few hours, if they don't have network problems which need investigating.
but the more people who use Tor, the more accommodating they will become.
==
Err, I THINK you will find that the more people that use TOR that the whole edifice will start to crumble as stupidity arrives in spades, just because a user has found TOR is NO indication they have any idea of WTF they are actually doing, and so they will whinge and whine, and eventually it will all be as easy as it is now outside TOR ffs :o( and not in a good way
Tor is helpful, but not perfect. Despite rumors to the contrary, Tor is hacked regularly. Tor was hacked last month, October 2018. Then again, OpenVPN and IPSEC are hacked regularly as well. Use caution no matter the service. Research is required for maximum safety. Don't open yourself to surveillance through personal ignorance or laziness that could have been avoided.
Accept that, according to various sources, most Tor nodes are compromised now by government spooks.
Whether that is true or not I'm not sure.
Best solution is a Tor through VPN. I use Airvpn and they have such a feature. Not that I really use that bit much, I just know it's there. Airvpn have been good since I started using them. Very useful when on YouTube and you get "Channel 4 has blocked this video in your country". What? The UK? The very fucking country where Channel 4 is. I'd use your app but it's shit. It has a piss poor habit of playing adverts, then getting to the documentary/show and crapping out. But, magically, the adverts successfully play every fucking time, but the actual show you want to watch, doesn't.
):o( rant over.
There are many cases where hostile sites block Tor exit nodes, and shopping through one subjects you to much more extensive 2fa, but the more people who use Tor, the more accommodating they will become.
With respect, I disagree. I have as yet to see a single instance of someone originating from a Tor node actually reading or using the sites I manage. Every single one of the Tor-originated visits was about running some sort of attempt to breach the site or use hacks that may have been installed already.
Ergo, from a risk management perspective I am about to lock out people that use Tor (source: paid-for Maxmind). The stats show it will not lose any business, but it sure improves business-to-hacking attempts ratio in the logfiles.
.. free VPN be it Opera or more dubious not really to be trusted. Might be OK to access region locked content e.g. US media from UK (big regional release date differences on film / TV - silly (IMHO) as it encourages the keenest fans (who must see it ASAP) to pirate)
Don't ever do anything that involves exposing "proper" credentials with them, just use it as a region block unlock and ensure you run it in a VM in case it tries any nasties.
Finding a VPN you can trust is non trivial (there's always the set up a box in a different country and roll your own VPN for the truly paranoid)
Opera VPN does have its uses (if you want to download gigabytes of porn / cat videos, and you don't want to show your private taste to Ms May's minions, AND if you're not in a hurry. But Google search routinely shows you the middle finger, and endless (literally) captchas. But it's a useful stopgap, or just for fun, if you enjoy pissing in the tracking industry's piss-resistant circuits. For serious privacy I would pay for a VPN, though there are only a few which appear (APPEAR) FAIRLY secure (cash payments, no logs, RELATIVELY pressure-resistant legal system (yeah, unlike the UK ;)
That said, it's quite possible that those hiding behind proper VPNs are flagged as worthy particular interest so, ironically, you might be subject to more detailed scrutiny.
I suggest you research the difference between an actual VPN and a mere proxy node. They are by no means equivalent. You are NOT solving the surveillance dangers by simply exiting onto the Internet at a different IP address. Your DNS lookups remain UNencrypted. Your data transfers back and forth remain UNencrypted. That's bad.
Also, my understanding is that Opera is dropping their proxy node service.
A family member was having trouble with internet connection over wifi at home, mobile internet was fine, so I had a look.
He had the Opera security/helper app installed (whatever it is called), which amongst other things enabled a VPN (might have been a proxy, it called it a VPN, I didn't waste time investigating further) which had a terrible throughput. It _may_ have been useful against a dodgy "public" wifi point, but not being able to white-list home wifi?
Nixing that thing was the best solution.
I don't think the claims are right....
Most free VPNs are coming from China because Chinese people have that need, and some Chinese people have resources that they are willing to share with others.
If you claim that the free VPNs are sending data to China's President, I could say that U.S. based VPNs are sending data to CIA or FBI....(although they normally don't)
If a VPN service is operated in China, it DOES NOT mean it's powered by Chinese Government, because that software is used to bypass Chinese firewall, and Chinese Government does not allow such act (actually it's a crime in China to develop / use such kind of service to bypass the firewall)
It's true VPNs are useful in China, which is why there's such an interest over there.
However, that doesn't excuse crap security. If you're using a stranger's VPN, you're placing an enormous amount of trust in that provider to not screw you over. With near-zero transparency, scrutiny or oversight, free VPNs are a privacy nightmare.
Edit: Oh yeah, don't forget all VPN providers must register with the Chinese government (see below, Google, etc), which is not... great.
C.
I buy all three arguments, i.e. that having so many VPN providers in China is suspicious, that having them in China is not suspicious, because of demand/supply, and having them have crap terms of privacy is suspicious / inexcusable. However, to add to the stack, it might be that their privacy is crap, because privacy in China is crap in general, as much as other issues, such as general "customer service". Though you would think that if somebody offers you a privacy tool, the key element of the service would be actual privacy. OK, suspicious.
But then... FREE, so perhaps the reason is just to "monetize" a relatively new and growing trend of "privacy" (hey, did you hear about PRIVACY stuff yet?! Click HERE to find out!), like there's been a new trend in "cargo" cloths, courtesy of Ryanair (fuck you Ryanair, fuckyouverymuch)
And you know exactly what that means. The totalitarian Chinese government (inexplicably still considered 'socialist' or 'communist') demands ALL data on citizen behavior be available to them at ALL times. Period. Don't fool yourself otherwise. China is a full bore surveillance state. Rumors to the contrary are plain ignorance. That includes Hong Kong as well.
>The totalitarian Chinese government (inexplicably still considered 'socialist' or 'communist')
That is just like all the People's Free Democratic Republic of Wherever is neither free nor democratic, and is not much for the people either. What remains is the wherever part. Still, they like to think people fall for the name.
"For what it's worth, we recommend setting one up yourself using OpenVPN, Algo, or Outline, for example, if you know what you're doing."
This has always struck me as a bizarre recommendation for what's probably the major reason for using a VPN: making it look like you're somewhere else. After all, most people in the UK who want to look like they're connecting from the US probably don't own a house in the US they can stick a VPN server in. Or even have the means to run one out of a US-based colo or something. (Ditto Chinese people wanting to look like they're almost anywhere else, etc etc). Surely it's more practical to recommend a vaguely reputable paid provider for this case.
"After all, most people in the UK who want to look like they're connecting from the US"
Why on earth would I want to appear to be from the US? My use case is to appear to be from the UK when I am abroad so that iPlayer works and I can be confident that I am not being MitMd.
My OpenVPN relies on *my* CA trust working and if it refuses to connect then I reach for Wireshark to find out why not. If the "free" wifi is being naughty and doling out certs and intercepting TLS it soon becomes obvious.
Note that with VPN, as with TOR, countries trying to protect their individual copyrighted media (because we humans are so incredibly uncooperative between countries) go out of their way to SEEK and BLOCK exit nodes onto their country's Internet from outside their country. It is entirely common, for example, for the UK's BBC to identify active VPN or TOR exit nodes with a lot of variable traffic of a questionable nature. They then BLOCK that VPN from accessing their service. In turn, a good VPN will then establish a new exit node in that country to provide to their users. Or, TOR users within the country will volunteer their own exit nodes (at their personal peril I must note) for others outside the country to use.
I'll also note that these days the BBC require those accessing their media to have a BBC account with a listed physical UK mailing address. VPNs can't help with that wrinkle.
It's called Cat and Mouse.
"Note that with VPN, as with TOR, countries trying to protect their individual copyrighted media (because we humans are so incredibly uncooperative between countries) go out of their way to SEEK and BLOCK exit nodes onto their country's Internet from outside their country. It is entirely common, for example, for the UK's BBC to identify active VPN or TOR exit nodes with a lot of variable traffic of a questionable nature."
I tried viewing El Reg's site over Tor the other day.
Cloudflare complained and wanted me to enable JavaScript.
> I tried viewing El Reg's site over Tor the other day. Cloudflare complained and wanted me to enable JavaScript.
El Reg really does need to dispense with clodfool. It drove me away for a while, though it seems better now.
There's always something like Whonix (think that's the name) which will let you run that JS BS in a VPN that can only connect to the internet via another VPN that acts as a TOR gateway. Not necessarily absolutely perfectly secure, but more than enough to keep you safe from clodfool's harassment while you're innocently browsing El Reg.
(As if there was any innocence around here! Naivety maybe, but innocence?????)
This is peculiar, because when I went to the registration page, they wanted a ridiculous amount of personal information, starting with your address / postcode, and your age, and your full name, if I remember correctly. Of course, you can fake all / some of these, but even if the system bites, would it be legal? Probably similar to "stealing" your neighbours' tv signal ;)
Actually, this is an interesting legal poser: am I breaking the (UK) law downloading bbc content I am entitled to (supposedly), but from, er... "other sources"?
> I'll also note that these days the BBC require those accessing
> their media to have a BBC account with a listed physical UK
> mailing address. VPNs can't help with that wrinkle.
No they don't. I have no BBC account but downloaded some Iplayer programmes just yesterday.
https://github.com/get-iplayer/get_iplayer
> I'll also note that these days the BBC require those accessing their media to have a BBC account with a listed physical UK mailing address. VPNs can't help with that wrinkle.
That's not too hard to work around. Same way you can get stuff where you must have a delivery address in a certain country. Just be on good terms with someone over there :)
You can even do a VPN-swap if you can handle the hit on your data. You set up one there and give me a log in, and I set up one here and give you a log in (no, not offering sorry, my bandwidth is too limited for any more users!)
"My use case is to appear to be from the UK when I am abroad so that iPlayer works and I can be confident that I am not being MitMd."
Most people would use VPN to pretend to be someone else than the registered, named, aged and postcoded iPlayer user, whose information is shared by the beeb with all those beeb offspring and God-knows-how-many carefully selected business partners, never mind government agencies.
There are really good reasons to have a VPN that for instance exits in the US. Buying things like flight tickets get really way cheaper when they do not see one is European.
On-line shopping can be way cheaper, and indeed one's on-line habits are not logged on countless places.
Creating a personal VPN could go like this:
1. Purchase a raspberry pi as home VPN server, configure OpenVPN.
2. Rent a simple t.micro Linux system at AWS in an AWS datacenter located in Virginia.
3. Configure squid on the AWS system.
4. Configure OpenVPN on the AWS server to connect with the pi.
5. Configure AWS linux system as a proxy on the browser.
6. Fix ip-routing on the PC so that the route to the proxy (squid) server points to the pi.
There are costs, like around $ 15,- per month for the AWS server.
This could be more convenient than TOR. With Tor one's ip-address exits in random countries, services like gmail and yahoo mail really get nervous about this, and are not accessible anymore.
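
Added example, not part of the comment above: in a setup like steps 3 to 6, the squid instance on the rented server should listen only on its end of the OpenVPN tunnel, otherwise it is an open proxy on a public cloud address. The script renders such a squid.conf and audits a config for the two usual mistakes. The tunnel subnet 10.8.0.0/24, the server's tunnel address 10.8.0.2 and port 3128 are assumed values, and the weak sample is constructed.

```shell
#!/bin/sh
# Assumed values (not from the post): tunnel subnet 10.8.0.0/24,
# squid on the cloud end of the tunnel at 10.8.0.2, port 3128.

# Render a squid.conf that is reachable only through the OpenVPN tunnel.
render_squid_conf() {
    tunnel_ip=$1; tunnel_net=$2
    cat <<EOF
http_port ${tunnel_ip}:3128
acl vpn_clients src ${tunnel_net}
http_access allow vpn_clients
http_access deny all
forwarded_for delete
via off
EOF
}

# Constructed example of a config that exposes the proxy to the internet.
weak_sample() {
    printf '%s\n' '# default-style config' 'http_port 3128' 'http_access allow all'
}

# Audit a squid.conf on stdin. Prints one line per finding and
# returns 1 if there is any finding, 0 otherwise.
audit_squid_conf() {
    awk '
    BEGIN { bad = 0; deny_all = 0 }
    /^[ \t]*#/ || NF == 0 { next }
    $1 == "http_port" {
        # A bare port, 0.0.0.0 or [::] also listens on the public interface.
        if ($2 !~ /:/ || $2 ~ /^0\.0\.0\.0:/ || $2 ~ /^\[::\]:/) {
            print "open listener: " $0; bad = 1
        }
    }
    $1 == "http_access" && $2 == "allow" && $3 == "all" {
        print "allows any client: " $0; bad = 1
    }
    $1 == "http_access" && $2 == "deny" && $3 == "all" { deny_all = 1 }
    END {
        if (!deny_all) { print "missing final http_access deny all"; bad = 1 }
        exit bad
    }'
}

render_squid_conf 10.8.0.2 10.8.0.0/24 | audit_squid_conf && echo "tunnel-only config: ok"
weak_sample | audit_squid_conf || true
```

The audit only checks that a `deny all` rule is present, not its position among the `http_access` lines, so the rule order still needs a look by eye. A security-group rule that keeps the squid port closed to the internet covers the case where the config is later changed.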