Using a free VPN? Why not skip the middleman and just send your data to President Xi?

Many popular free VPN apps are sketchy Chinese operations with dubious privacy policies, according to research. Metric Labs' Top10VPN conducted a rare investigation into the ownership structure and responsiveness of top VPN providers who distributed their services on iOS and through Google's Play Store. 86 per cent are deemed …


  1. Anonymous Coward
    Coat

    As usual, when it's free....

    .... you are the turkey

    (seasonal variation)

    1. steelpillow Silver badge
      Meh

      Re: As usual, when it's free....

      Either that or support is a GitHub wiki that you are the only one to post on in the last five years.

      Or both.

    2. Anonymous Coward
      Anonymous Coward

      Re: As usual, when it's free....

      Just like what you get with Linux.

      1. MMR

        Re: As usual, when it's free....

        Just like what you get with Linux.

        This is so wrong and not true on so many levels it's not worth getting into deeper discussion.

      2. GnuTzu

        Re: As usual, when it's free... -- as in Service

        "Just like what you get with Linux."

        Linux is not a service. You don't sign up for it, and you don't send your data through somebody else's server in order to use Linux.

        (@MMR, voted you up, but I just had to go and at least explain the key difference, in case others don't get it.)

  2. elDog

    The only way for the phone/carrier vendors to "curate" the vendors

    Is to become the VPN supplier by default.

    I'm not sure what Migliano wants to do here. Has he ever run, or does he have good knowledge of, the circuitry involved in protecting all of the networks involved?

    I do think that the eventual path of personal privacy along with stuff like VPNs will be to entrust our souls to the suppliers and governments.

    Perhaps that's what they want?

    1. big_D Silver badge

      Re: The only way for the phone/carrier vendors to "curate" the vendors

      The problem is, Apple and Google are victims of their own success. They never designed their approval systems to consider actually vetting apps, other than a quick code scan to ensure they don't do anything bad on the phone (which, mostly, works). None of these systems actually seems to check the background of the companies writing the apps or the web services behind the apps.

      That would require time and effort and, due to the scale that has built up, it would be next to impossible to start now. You would have to implement this sort of checking when the system was introduced and scale it up with demand. But that would mean hundreds of extra employees who do nothing but background check companies applying to be app developers and auditing their backend services on a regular basis.

      That would then impact their profits, so users are screwed.

  3. R 11

    Browsing history?

    VPNs gain full access to a user's browsing history.

    Do these apps get permission on iOS/Android to access browsing history? Is that something available without user agreement? Or do the apps actually operate as a browser?

    I ask because, in this day and age, most major websites are secured and therefore while the browser knows where you have been, the network operator and any middlemen should know only the root of the site. For example my ISP knows I visited forums.theregister.co.uk but can't see that I visited this page (at least not without trying to correlate the timestamp for this submission to that displayed by the post).

    If you're visiting an insecure site, assume everyone and their grandmother knows where you went and what you did while you were there.

    1. diodesign (Written by Reg staff) Silver badge

      Re: Browsing history?

      It depends on the VPN. Anything clear-text can be snooped on or tampered with to inject ads. Any DNS look-ups for host names will be visible. Some VPNs offer a free browser that may collect your browsing history.

      The VPN app could install a root certificate and MITM your SSL/TLS connections, if the websites you browse aren't mitigating that.

      We've tweaked the sentence to clarify it.

      C.

      1. hmv

        Re: Browsing history?

        See also ssl.handshake.extensions_server_name (the Wireshark/Tshark variable) which shows the domain part of the URL in plain text.

    2. big_D Silver badge

      Re: Browsing history?

      They don't need to act as browsers or gain any extra access rights on the phone, all traffic goes through them, so they know where the traffic is routed and what you have been looking at.

      The same as ISPs and mobile operators, if you aren't using a VPN. The traffic goes through their network and they can log where you are going and what you are doing - to a greater or lesser degree; if the traffic is encrypted, they only know where you have been, if it is unencrypted they can see what you are doing.

      That is why responsible VPN providers don't keep logs or delete them after a few hours, if they don't have network problems which need investigating.

  4. chasil

    Just use Tor.

    There are many cases where hostile sites block Tor exit nodes, and shopping through one subjects you to much more extensive 2fa, but the more people who use Tor, the more accommodating they will become.

    1. IceC0ld

      Re: Just use Tor.

      but the more people who use Tor, the more accommodating they will become.

      ==

      Err, I THINK you will find that the more people that use TOR that the whole edifice will start to crumble as stupidity arrives in spades, just because a user has found TOR is NO indication they have any idea of WTF they are actually doing, and so they will whinge and whine, and eventually it will all be as easy as it is now outside TOR ffs :o( and not in a good way

    2. Alister

      Re: Just use Tor.

      There are many cases where hostile sites block Tor exit nodes

      That's probably because a high percentage of the traffic coming from Tor exit nodes is malicious.

    3. DerekCurrie
      Gimp

      Re: Just use Tor.

      Tor is helpful, but not perfect. Despite rumors to the contrary, Tor is hacked regularly. Tor was hacked last month, October 2018. Then again, OpenVPN and IPSEC are hacked regularly as well. Use caution no matter the service. Research is required for maximum safety. Don't open yourself to surveillance through personal ignorance or laziness that could have been avoided.

    4. steviebuk Silver badge

      Re: Just use Tor.

      Except that, according to various sources, most Tor nodes are compromised now by government spooks.

      Whether that is true or not I'm not sure.

      Best solution is a Tor through VPN. I use Airvpn and they have such a feature. Not that I really use that bit much, I just know it's there. Airvpn have been good since I started using them. Very useful when on YouTube and you get "Channel 4 has blocked this video in your country". What? The UK? The very fucking country where Channel 4 is. I'd use your app but it's shit. It has a piss poor habit of playing adverts, then getting to the documentary/show and crapping out. But, magically, the adverts successfully play every fucking time, but the actual show you want to watch, doesn't.

      ):o( rant over.

    5. Anonymous Coward
      Anonymous Coward

      Re: Just use Tor.

      There are many cases where hostile sites block Tor exit nodes, and shopping through one subjects you to much more extensive 2fa, but the more people who use Tor, the more accommodating they will become.

      With respect, I disagree. I have yet to see a single instance of someone originating from a Tor node actually reading or using the sites I manage. Every single one of the Tor-originated visits was about running some sort of attempt to breach the site or use hacks that may have been installed already.

      Ergo, from a risk management perspective I am about to lock out people that use Tor (source: paid-for Maxmind). The stats show it will not lose any business, but it sure improves business-to-hacking attempts ratio in the logfiles.

  5. Anonymous Coward
    Anonymous Coward

    Damn, now the Chinese know about my unhealthy obsession of watching S-Club 7 videos. I'll never be able to visit China now, oh the shame.

    1. Rich 11

      Given the tat that passes for pop in China, you'd probably be welcomed there like a god.

      Tat that passes for pop. That has to be the lowest of the low.

  6. petef

    The Opera browser has offered free VPN for the web for some time now.

    1. Anonymous Coward
      Anonymous Coward

      The Opera browser has offered free VPN for the web for some time now.

      And Opera Software AS was bought by Chinese interests in 2016.

      1. hellwig

        Opera's free VPN is good for changing your region of origin for region-locked websites, but yeah, don't use it for actual security.

        1. tiggity Silver badge

          .. free VPN be it Opera or more dubious not really to be trusted. Might be OK to access region locked content e.g. US media from UK (big regional release date differences on film / TV - silly (IMHO) as it encourages the keenest fans (who must see it ASAP) to pirate)

          Don't ever do anything that involves exposing "proper" credentials with them, just use it as a region block unlock and ensure you run it in a VM in case it tries any nasties.

          Finding a VPN you can trust is non trivial (there's always the set up a box in a different country and roll your own VPN for the truly paranoid)

        2. Anonymous Coward
          Anonymous Coward

          Opera VPN does have its uses (if you want to download gigabytes of porn / cat videos, and you don't want to show your private taste to Ms May's minions, AND if you're not in a hurry). But google search routinely shows you the middle finger, and endless (literally) captchas. But it's a useful stopgap, or just for fun, if you enjoy pissing in the tracking industry's piss-resistant circuits. For serious privacy I would pay for a VPN, though there are only a few which appear (APPEAR) FAIRLY secure (cash payments, no logs, RELATIVELY pressure-resistant legal system (yeah, unlike the UK ;))

          That said, it's quite possible that those hiding behind proper VPNs are flagged as worthy particular interest so, ironically, you might be subject to more detailed scrutiny.

          1. hellwig

            re: But google search routinely shows you the middle finger, and endless (literally) captchas.

            Yeah, that's what Duck Duck Go is for.

    2. DerekCurrie
      FAIL

      No, Opera does not offer a VPN. They offer a proxy node only.

      I suggest you research the difference between an actual VPN and a mere proxy node. They are by no means equivalent. You are NOT solving the surveillance dangers by simply exiting onto the Internet at a different IP address. Your DNS lookups remain UNencrypted. Your data transfers back and forth remain UNencrypted. That's bad.

      Also, my understanding is that Opera is dropping their proxy node service.

    3. Baldrickk

      Opera

      A family member was having trouble with internet connection over wifi at home, mobile internet was fine, so I had a look.

      He had the Opera security/helper app installed (whatever it is called), which amongst other things enabled a VPN (might have been a proxy, it called it a VPN, I didn't waste time investigating further) which had a terrible throughput. It _may_ have been useful against a dodgy "public" wifi point, but not being able to white-list home wifi?

      Nixing that thing was the best solution.

  7. Anonymous Coward
    Anonymous Coward

    If you are going to do something stupid, it might as well be free.

    China.. Keeping foolishness affordable.

  8. Anonymous Coward
    Anonymous Coward

    I don't think the claims are right....

    Most free VPNs are coming from China because Chinese people have that need, and some Chinese people have resources that they are willing to share with others.

    If you claim that the free VPNs are sending data to China's President, I could say that U.S. based VPNs are sending data to CIA or FBI....(although they normally don't)

    If a VPN service is operated in China, it DOES NOT mean it's powered by Chinese Government, because that software is used to bypass Chinese firewall, and Chinese Government does not allow such act (actually it's a crime in China to develop / use such kind of service to bypass the firewall)

    1. diodesign (Written by Reg staff) Silver badge

      Re: anonymous coward

      It's true VPNs are useful in China, which is why there's such an interest over there.

      However, that doesn't excuse crap security. If you're using a stranger's VPN, you're placing an enormous amount of trust in that provider to not screw you over. With near-zero transparency, scrutiny or oversight, free VPNs are a privacy nightmare.

      Edit: Oh yeah, don't forget all VPN providers must register with the Chinese government (see below, Google, etc), which is not... great.

      C.

      1. Anonymous Coward
        Anonymous Coward

        Re: anonymous coward

        I buy all three arguments, i.e. that having so many VPN providers in China is suspicious, that having them in China is not suspicious, because of demand/supply, and having them have crap terms of privacy is suspicious / inexcusable. However, to add to the stack, it might be that their privacy is crap, because privacy in China is crap in general, as much as other issues, such as general "customer service". Though you would think that if somebody offers you a privacy tool, the key element of the service would be actual privacy. OK, suspicious.

        But then... FREE, so perhaps the reason is just to "monetize" a relatively new and growing trend of "privacy" (hey, did you hear about PRIVACY stuff yet?! Click HERE to find out!), like there's been a new trend in "cargo" clothes, courtesy of Ryanair (fuck you Ryanair, fuckyouverymuch)

    2. DerekCurrie
      FAIL

      EVERY VPN within China is legally required to be APPROVED by the Chinese government

      And you know exactly what that means. The totalitarian Chinese government (inexplicably still considered 'socialist' or 'communist') demands ALL data on citizen behavior be available to them at ALL times. Period. Don't fool yourself otherwise. China is a full bore surveillance state. Rumors to the contrary are plain ignorance. That includes Hong Kong as well.

      1. sabroni Silver badge

        Re: inexplicably still considered 'socialist' or 'communist'

        It's so anyone mentioning redistribution of wealth can be easily demonised.

        1. Anonymous Coward
          Anonymous Coward

          "anyone mentioning redistribution of wealth can be easily demonised"

          Because China is redistributing wealth among its citizens?

      2. Anonymous Coward
        Facepalm

        "inexplicably still considered 'socialist' or 'communist' "

        Show me a communist government - which usually names itself "socialist" - that isn't totalitarian...

      3. Anonymous Coward
        Anonymous Coward

        Re: EVERY VPN within China is legally required to be APPROVED by the Chinese government

        >The totalitarian Chinese government (inexplicably still considered 'socialist' or 'communist')

        That is just like all the People's Free Democratic Republic of Wherever is neither free nor democratic, and is not much for the people either. What remains is the wherever part. Still, they like to think people fall for the name.

    3. This post has been deleted by its author

  9. FozzyBear
    Black Helicopters

    Well I hope they are enjoying the huge variety of porn the world offers, or would that be still blocked by the great firewall of China?

  10. AdamWill

    run your own? really?

    "For what it's worth, we recommend setting one up yourself using OpenVPN, Algo, or Outline, for example, if you know what you're doing."

    This has always struck me as a bizarre recommendation for what's probably the major reason for using a VPN: making it look like you're somewhere else. After all, most people in the UK who want to look like they're connecting from the US probably don't own a house in the US they can stick a VPN server in. Or even have the means to run one out of a US-based colo or something. (Ditto Chinese people wanting to look like they're almost anywhere else, etc etc). Surely it's more practical to recommend a vaguely reputable paid provider for this case.

    1. Anonymous Coward
      Childcatcher

      Re: run your own? really?

      "After all, most people in the UK who want to look like they're connecting from the US"

      Why on earth would I want to appear to be from the US? My use case is to appear to be from the UK when I am abroad so that iPlayer works and I can be confident that I am not being MitMd.

      My OpenVPN relies on *my* CA trust working and if it refuses to connect then I reach for Wireshark to find out why not. If the "free" wifi is being naughty and doling out certs and intercepting TLS it soon becomes obvious.

      1. Jeffrey Nonken

        Re: run your own? really?

        Not everybody's use case is the same as everybody else's use case. Some of us prefer to obscure our origin.

      2. DerekCurrie
        Meh

        Re: run your own? really?

        Note that with VPN, as with TOR, countries trying to protect their individual copyrighted media (because we humans are so incredibly uncooperative between countries) go out of their way to SEEK and BLOCK exit nodes onto their country's Internet from outside their country. It is entirely common, for example, for the UK's BBC to identify active VPN or TOR exit nodes with a lot of variable traffic of a questionable nature. They then BLOCK that VPN from accessing their service. In turn, a good VPN will then establish a new exit node in that country to provide to their users. Or, TOR users within the country will volunteer their own exit nodes (at their personal peril I must note) for others outside the country to use.

        I'll also note that these days the BBC require those accessing their media to have a BBC account with a listed physical UK mailing address. VPNs can't help with that wrinkle.

        It's called Cat and Mouse.

        1. Anonymous Coward
          Anonymous Coward

          Re: run your own? really?

          "Note that with VPN, as with TOR, countries trying to protect their individual copyrighted media (because we humans are so incredibly uncooperative between countries) go out of their way to SEEK and BLOCK exit nodes onto their country's Internet from outside their country. It is entirely common, for example, for the UK's BBC to identify active VPN or TOR exit nodes with a lot of variable traffic of a questionable nature."

          I tried viewing El Regs site over Tor the other day.

          Cloudflare complained and wanted me to enable JavaScript.

          1. Kiwi
            Linux

            Re: run your own? really?

            I tried viewing El Regs site over Tor the other day.

            Cloudflare complained and wanted me to enable JavaScript.

            El Reg really does need to dispense with clodfool. It drove me away for a while, though it seems better now.

            There's always something like Whonix (think that's the name) which will let you run that JS BS in a VPN that can only connect to the internet via another VPN that acts as a TOR gateway. Not necessarily absolutely perfectly secure, but more than enough to keep you safe from clodfool's harassment while you're innocently browsing El Reg.

            (As if there was any innocence around here! Naivety maybe, but innocence?????)

        2. FrogsAndChips Silver badge

          Re: BBC account with a listed physical UK mailing address

          Huh? Last week I had to create an account to access iPlayer on my TV, all I needed was an email address, no name or physical address was ever asked.

          1. Anonymous Coward
            Anonymous Coward

            Re: BBC account with a listed physical UK mailing address

            this is peculiar, because when I went to the registration page, they wanted a ridiculous amount of personal information, starting with your address / postcode, and your age, and your full name, if I remember correctly. Of course, you can fake all / some of these, but even if the system bites, would it be legal? Probably similar to "stealing" your neighbours' tv signal ;)

            Actually, this is an interesting legal poser: am I breaking the (UK) law downloading bbc content I am entitled to (supposedly), but from, er... "other sources"?

        3. Anonymous Coward
          Anonymous Coward

          Re: run your own? really?

          > I'll also note that these days the BBC require those accessing

          > their media to have a BBC account with a listed physical UK

          > mailing address. VPNs can't help with that wrinkle.

          No they don't. I have no BBC account but downloaded some iPlayer programmes just yesterday.

          https://github.com/get-iplayer/get_iplayer

        4. Kiwi

          Re: run your own? really?

          I'll also note that these days the BBC require those accessing their media to have a BBC account with a listed physical UK mailing address. VPNs can't help with that wrinkle.

          That's not too hard to work around. Same way you can get stuff where you must have a delivery address in a certain country. Just be on good terms with someone over there :)

          You can even do a VPN-swap if you can handle the hit on your data. You set up one there and give me a log in, and I set up one here and give you a log in (no, not offering sorry, my bandwidth is too limited for any more users!)

      3. Anonymous Coward
        Anonymous Coward

        Re: run your own? really?

        "My use case is to appear to be from the UK when I am abroad so that iPlayer works and I can be confident that I am not being MitMd."

        Most people would use VPN to pretend to be someone else than the registered, named, aged and postcoded iPlayer user, whose information is shared by the beeb with all those beeb offspring and God-knows-how-many carefully selected business partners, never mind government agencies.

        1. naive

          Re: run your own? really?

          There are really good reasons to have a VPN that for instance exits in the US. Buying things like flight tickets gets way cheaper when they do not see one is European.

          On-line shopping can be way cheaper, and indeed one's on-line habits are not logged in countless places.

          Creating a personal VPN could go like this:

          1. Purchase a raspberry pi as home VPN server, configure OpenVPN.

          2. Rent a simple t.micro Linux system at AWS in an AWS datacenter located in Virginia.

          3. Configure squid on the AWS system.

          4. Configure OpenVPN on the AWS server to connect with the pi.

          5. Configure AWS linux system as a proxy on the browser.

          6. Fix ip-routing on the PC so that the route to the proxy (squid) server points to the pi.

          There are costs, like around $15 per month for the AWS server.

          This could be more convenient than TOR. With Tor one's IP address exits in random countries; services like Gmail and Yahoo mail really get nervous about this, and are not accessible anymore.
