I’m thinking about getting Mullvad, but I’m doing a lot of research before buying and it seems to be some discussion about whether a VPN is a good option or not. Do you use one? Why? If not, in what services do you use your money (like Proton, donating to Signal, etc)?
These are the privacy resources I use —
Desktop Browsers: Firefox and Brave
Mobile Browser: Safari
Cloud Storage: ProtonDrive
Virtual Cards: Privacy.com
Email Aliasing: SimpleLogin
2FA TOTP: 2FAS
Password Manager: ProtonPass (Gonna be switching to Bitwarden soon)
Personally, I don’t use a VPN because I don’t see a need for one unless you are on a public Wi-Fi network or want to hide your web traffic from your ISP, but even then something like NextDNS can do that fine. Using an encrypted DNS resolver does the important security and privacy job of a VPN by encrypting your search traffic.
All a VPN truly provides is location spoofing and IP address spoofing. Location spoofing is good if you are trying to access content that’s geographically locked. IP address spoofing can be good to protect yourself on a public Wi-Fi network.
Ultimately, it’s up to you if you want to use a VPN. I’d recommend ProtonVPN if you want to be able to use streaming services (you will have to pay for this feature) or MullvadVPN if you want to have a more anonymized account and payment method for your VPN.
I do use Mullvad for my VPN, mainly to hide my traffic from my ISP and to keep my parents from getting a letter from my ISP because of my web traffic. I’ve found it useful, and it works as advertised.
Are you talking about the path? (e.g. searchdotbravedotcom**/search?q=wwww**), yes, but it’s not effective in hiding the website you visit, so in this case your ISP would know you’re using Brave Search. In this case a VPN would be necessary… I think.
Maybe it could be used to enforce some privacy practices from countries with better laws? Don’t know if it’s effective though, but could be a use case?
Encrypting that domain lookup through the DNS keeps the ISP from knowing what site you’re visiting, because when you interact with stuff on the site as well, you are also interacting with the DNS to get access to that data.
Not necessarily. Even if you connect to a VPN server in Switzerland, that isn’t a guarantee that your traffic is safe.
The safety is that with VPNs like Mullvad and Proton that integrate E2EE, even if a government requested your data from them, that data would be a bunch of encrypted data and maybe the IP address of the last server you were connected to.
Not exactly, I think you are mistaken / don’t have all the info here.
Encrypted DNS takes care of one common way in which your ISP can know what sites you are visiting. But there are other ways that encrypted DNS does not and cannot protect against on its own, which a VPN can.
I think it is easiest to explain if we briefly look back at the history of encryption and the web:
- Originally, neither the HTTP nor the DNS connections were encrypted. A Man-in-the-Middle like your ISP could observe both the DNS traffic and the HTTP traffic. In practical terms, that means a MitM can see what sites you visit, and observe your connection to those sites.
- Then encrypting the HTTP traffic became the norm (HTTPS / TLS) but DNS traffic was still unencrypted and visible to a MitM. In practical terms that means a MitM can no longer observe your connection to those sites, but can still see what sites you visit.
- Now we are beginning to encrypt DNS traffic as well, so now a MitM cannot see your DNS traffic or observe your connection to the sites you visit. You’d think that would make your connections private now since both the HTTP and DNS traffic are encrypted, however:
- There is a lesser known thing called SNI, it is part of the TLS handshake, and it includes the hostname or domain name in unencrypted form which a MitM could observe… So even if you’ve encrypted both the HTTP and the DNS traffic, your ISP could still see the domains you connect to. There is something being worked on by Cloudflare + Mozilla called ECH (Encrypted Client Hello) which is intended to fix this, but it is not yet implemented.
- Finally, there is of course IP address. Even if we encrypt every part of the DNS and HTTP connections, your ISP still needs to know where to route your traffic, primarily using the IP address system. While it is just a set of numbers that doesn’t immediately give away what the domain you are connected to is, in many cases, an IP address can easily be used to know what websites you visit.
So while encrypting HTTP traffic and DNS traffic does dramatically reduce the visibility your ISP has over your browsing, it certainly doesn’t prevent all forms of snooping on your browsing, and doesn’t prevent your ISP from seeing the websites you visit in many cases. A VPN does prevent your ISP from seeing any of this, including the IP addresses you visit (all the ISP can see is the connection to your VPN provider’s entry IPs).
Basically a VPN offers 3 primary benefits:
- Protects you from MitM snooping or malicious activity in a way that Encrypted DNS + HTTPS cannot.
- Hides your IP address from the websites you visit.
- Shifts your IP address to a geographical or legal jurisdiction that you prefer.
edit: here is some info on ‘encrypted client hello’
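To make the SNI point concrete, here is a small added example (not code from anyone in this thread, and not from any VPN provider). It builds a minimal, constructed TLS ClientHello record carrying a server_name extension and then parses it the way a passive on-path observer (an ISP, a café router) would, reading the hostname straight out of the unencrypted handshake. The ClientHello is deliberately stripped down (fixed random, one cipher suite, only the SNI extension); real clients send much more, but the SNI field sits in the same cleartext position. An application-data record, by contrast, yields nothing, which is the HTTPS half of the story above.

```python
import struct

def build_client_hello(hostname=None):
    """Build a minimal, constructed TLS ClientHello record.

    If hostname is given, a server_name (SNI) extension is included,
    exactly as browsers do today. This is an illustration of the wire
    layout only, not a usable handshake."""
    if hostname is None:
        extensions = b""  # no extensions block at all
    else:
        name = hostname.encode("ascii")
        # ServerName: name_type=0 (host_name), 2-byte length, name bytes
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        name_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"              # legacy_version: TLS 1.2
        + b"\x11" * 32           # client random (fixed, constructed value)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\x13\x01"    # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"            # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    # Record layer: type 0x16 (handshake), version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the hostname visible in cleartext to an on-path observer,
    or None if the record is not a ClientHello or carries no SNI.
    Every length is bounds-checked so truncated or unrelated records
    (e.g. encrypted application data, type 0x17) simply yield None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                      # skip legacy_version and random
    if len(body) < pos + 1:
        return None
    sid_len = body[pos]
    pos += 1 + sid_len                # skip session_id
    if len(body) < pos + 2:
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                 # skip cipher_suites
    if len(body) < pos + 1:
        return None
    cm_len = body[pos]
    pos += 1 + cm_len                 # skip compression_methods
    if len(body) < pos + 2:
        return None                   # no extensions present
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type == 0x0000 and len(ext) >= 5 and ext[2] == 0:
            name_len = struct.unpack("!H", ext[3:5])[0]
            if len(ext) >= 5 + name_len:
                return ext[5:5 + name_len].decode("ascii", errors="replace")
    return None


if __name__ == "__main__":
    hello = build_client_hello("search.brave.com")
    print("observer sees SNI:", extract_sni(hello))          # search.brave.com
    print("no-SNI hello:", extract_sni(build_client_hello()))  # None
    app_data = b"\x17\x03\x03\x00\x05hello"                    # opaque ciphertext record
    print("application data:", extract_sni(app_data))          # None
```

The takeaway is the asymmetry: once the handshake is done, every later record is opaque to the observer, but the one ClientHello at the start already named the site. Tools like Zeek and Suricata log this field for exactly that reason, and ECH is the proposed fix that moves the real hostname into an encrypted inner ClientHello.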
I don’t believe this is true or technically possible. These VPN providers promise not to keep logs (and audits hopefully prove that they do not). But it is not End-to-end encrypted in the way that you believe it is. Technically speaking, it can’t be. With a VPN, your connection is encrypted in transit, between you and the VPN server, but the VPN server can observe that traffic. A VPN service cannot be E2EE because the ‘other end’ of the connection is a 3rd party.
Can you elaborate more on what you mean when you say “Mullvad and Proton” “integrate E2EE”? Maybe I’m just misunderstanding what you mean, but I think you may have a false sense of security here. You absolutely must trust your VPN provider to some degree (in ways you don’t have to with truly E2EE services).
edit: I want to add that this comment and the last one should be prefaced with “to the best of my understanding” if you think I am misunderstanding anything please let me know and hopefully we can clear it up.
Gotcha. My bad for being ignorant on the particulars.
Luckily, I’ve been studying for a CCNA so I understand some of these terms lol.
I understand what you mean though.
Can’t the VPN provider E2EE encrypt any logs of traffic from their server to the ISP though? I might be completely wrong.
I don’t have perfect knowledge of how this stuff works.
I think you may be confused about the meaning of the term E2EE (End to End Encryption) because it doesn’t seem to make sense in the context you are using it here (unless I’m misunderstanding you).
E2EE isn’t a synonym for encryption in general, it refers to a specific form of encryption where the connection is encrypted between two or more endpoints and only those endpoints are capable of decryption. Or put more simply, E2EE is a form of encryption where the service provider designs their service so that even they (or anyone else with access to their servers) cannot access your data. But this is not how VPN’s work.
With respect to a VPN, the VPN (and the ISP) are men-in-the-middle. The two ends in the case of web browsing would be your browser and the server you are connecting to. What a VPN does is create an encrypted tunnel for the first half of that connection (between you and the VPN server). Because your ISP sits between you and the VPN server, they can see you have made a connection but they can’t see the contents of that connection (because of the encrypted tunnel created by the VPN). However, because it is not E2EE, the VPN does have the capability to view your traffic, and they can’t protect the second half of your connection (from their servers to the servers you requested, e.g. a website you visit). They do hide your IP address from that website, but that’s it.
I’m not sure if this is clear or not; it’s hard to explain a lot of this stuff, and my understanding is imperfect as well.
Probably the easiest example of end to end encryption to understand is an e2ee messenger like Signal. Communications go:
you <-> Signal’s servers <-> recipient
As you can see, Signal’s servers sit between you and the recipient, but because the encryption takes place only on your device and the recipient’s device, there is no threat in having Signal’s servers sit between you and the recipient, because Signal’s servers can’t decrypt the communication.
Contrast this with a VPN where the VPN tunnel’s encryption is only between you and the VPN server, not you and the other end of the connection.
Or put more simply End-to-End Encryption means you only have to trust the other end of the connection. In contrast, with a VPN you are shifting trust from a less trusted (ISP) to a theoretically more trusted (VPN) service provider. But you are not eliminating the need to trust an intermediary.
Thanks for the discussion. After reading it, I don’t see any reason to use a VPN.
I surely trust Mullvad, iVPN or ProtonVPN more than my ISP, but it seems like it’s not worth an additional $5 (~28 moneys here) every month. We don’t have problems with companies sending letters because of piracy or even content blocking (maybe excluding Telegram…), so it really doesn’t seem like a smart choice.
It’s purely up to you. I’d just look into your ISP and see if they have a track record on privacy and security that you are comfortable with.
If IP spoofing is your main concern, then any VPN is more than sufficient. Of course, if you want to avoid logging etc. then ProtonVPN (which has a pretty decent free tier), IVPN and Mullvad are the strongest options. TOR is ideally the best if you don’t trust VPN providers. Another decent option is Lokinet (the onion network used in the Session messenger). Lokinet supports UDP traffic and is faster than TOR, but it is still somewhat buggy and there are very few public exit nodes. Your best bet is to host your own exit node, but it is linked to the Oxen cryptocurrency so your choice.
That’s true. Thanks for the info. I don’t know why I didn’t think about it this way cause obviously the ISP will need to see the source and destination IP addresses of the frames coming from the VPN server regardless to make sure it reaches the destination even if the data at the application level might be encrypted.
I don’t know if it’s a common practice in other countries, but I live in the “countryside” and there’s a particular situation here. We have local companies that act like a “proxy” to the actual ISP. In other words, we contract a local company that contracts the service from a bigger ISP and then, in my case, there’s another “proxy” that is the local “vendor”, literally a person that contracts the local ISP and sells their services. Seems like a big mess, but from my experience it appears to be very common.
User <--- Local "Vendor" <--- Local ISP <--- Bigger ISP
I think it is also relevant to think about the jurisdiction of your ISP and what they can legally do with your data. For example, in the U.S., your ISP can legally sell your browsing data, so personally, I wouldn’t feel comfortable browsing the web in the U.S. without a VPN.
There’s no one right answer to this question. It depends on one’s threat model. That said, I keep ProtonVPN on because it’s none of my ISP’s business what I do online.
So I commented a few times in this thread, but I never directly addressed your question.
To answer your question(s),
- Yes, I do use a VPN, not always, and not for all my browsing, but I have paid for a VPN for ~10 years now, and it does provide value to me. I find it valuable in a few different ways:
- Prevent snooping by men-in-the-middle. Primarily (1) my ISP (they are known to collect & sell/share customers’ browsing history), and (2) untrusted or insecure Wi-Fi networks: airports, cafes, even in some cases home Wi-Fi networks that are not my own.
- Prevent websites or services from knowing my IP address. There are a number of different contexts where I feel more comfortable with a layer of semi-anonymity between me and the remote servers or services I connect to. Most of these contexts are pretty mundane; I just prefer my online interactions to have a similar level of semi-anonymity to most in-person interactions. A VPN on its own does not make you anonymous, and I for the most part don’t need it to; I just prefer having a small extra layer between me and the entire internet, and prefer not to have everything I do online connected to a single number (IP) connected to my identity. It just feels mildly creepy. And I prefer not to make the job of trackers and data miners any easier than it has to be.
- A VPN can also be useful for any type of peer to peer network where you don’t want the other party to know your IP or rough location.
- Miscellaneous other reasons. For example, I’ve used a VPN to switch my location to a country that didn’t have ads on a social network I used. I’ve used a VPN when I travel to change my location to my home country so search results and websites are in my native language, I’ve used a VPN to get around georestrictions. (edit) Also I’ve used a VPN in situations where I want to create two accounts with a service but not have them linked to one another (e.g. a personal email address with a service, and another email with the same service for activism or online shopping or something else I’d like to compartmentalize).