On Sunday, 7 August 2022 19:27:42 BST Rich Freeman wrote:
> On Sun, Aug 7, 2022 at 11:36 AM Michael <confabulate@××××××××.com> wrote:
> > The best a well configured VPN tunnel can offer is a secure connection
> > between client and VPN server, which is handy if you are out and about
> > using untrusted and insecure WiFi hotspots.
> >
> > The only other reason for using a VPN service is to present a different
> > geolocation for the purpose of overcoming country-specific website
> > restrictions.
>
> I think ONLY is a bit strong here. A VPN effectively makes it
> impossible for your ISP to know who you're talking to, and it obscures
> your IP from hosts you are connecting to.

Yes, fair point. I was thinking why would you go to such an effort just to
obscure your comms from your ISP. I'm not saying there aren't use cases
supporting this endeavor. I was thinking more about political activists
operating under oppressive regimes where state-level surveillance would be the
threat model. In this case I would think state actors wouldn't rely on ISPs
alone to share such information, although ISPs' data would be tapped into for
good measure.


> Sure, there are ways to defeat this, but most of them are only
> applicable for state-level actors, and the methods available to
> ordinary companies can only identify at best a unique browser profile,
> which only lets them correlate traffic with those they share info with
> to the degree that you use a single browser profile across those
> platforms. For non-web traffic there are generally fewer attacks
> available. Many of the attacks that are often cited like DNS-based
> attacks are not that difficult to prevent (eg by ensuring your DNS
> traffic goes out over the VPN).

Yes, careful VPN implementations would guard against DNS leaks and the like.


> If there are sites you browse using a different browser profile
> (ideally on a VM/etc), and you never use that browser profile for
> ecommerce or activity associated with your normal social media
> accounts, then it is unlikely that those sites will actually be able
> to identify you.
>
> Really the biggest pain with the VPNs is the number of websites that
> actively try to block connections from them or flood you with
> CAPTCHAs. Many more mainstream social media sites/etc also
> effectively require association with a mobile phone number, or trigger
> this behavior if they don't like your IP address. Obviously VPNs can
> be abused to attack hosts or evade bans and generally cause trouble,
> which is a frustration for those who simply don't want companies to
> know who you are.
>
> Bottom line is that just because the NSA can track your connections
> doesn't mean that every random webserver on the planet can do so. The
> few government agencies that are likely to be that well-connected are
> also very interested in keeping the extent of their capabilities
> hidden from each other, and so when they intercept your data they're
> going to guard it even more carefully than you would.

I would sincerely hope so. Can't vouch that their contractors and subcontractors
would do the same in all cases though.


> A solution doesn't need to be able to defeat the NSA to be useful.

ACK. It boils down to use cases and requirements. I suppose people who seek
to avoid state surveillance would probably use multilayered encryption and
steganography, or better stay off the Internet altogether? ;-)
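The DNS-leak point raised above (make sure DNS queries go out over the VPN) can be checked on a Linux host by resolving each configured nameserver against the routing table and seeing which interface it would leave on. The following is an added example written for this page, not code from either poster or from any VPN client; it assumes the tunnel interface is named tun0 and uses constructed resolv.conf and `ip route show` text rather than reading the live system.

```python
import ipaddress

# Constructed sample input (not captured from a real host): resolv.conf and
# `ip route show` output for a machine with a VPN tunnel on tun0 (assumed name).
RESOLV_CONF = """\
# Generated by the VPN client
nameserver 10.8.0.1
nameserver 192.168.1.1
"""
IP_ROUTE = """\
default via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.50
"""

def parse_resolvers(text):
    """Nameserver addresses listed in resolv.conf-style text."""
    return [ipaddress.ip_address(p[1]) for p in (ln.split() for ln in text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]

def parse_routes(text):
    """Parse `ip route show` lines into (network, device, metric) tuples."""
    routes = []
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        net = ipaddress.ip_network("0.0.0.0/0" if p[0] == "default" else p[0], strict=False)
        dev = p[p.index("dev") + 1] if "dev" in p else None
        metric = int(p[p.index("metric") + 1]) if "metric" in p else 0
        routes.append((net, dev, metric))
    return routes

def egress_device(addr, routes):
    """Pick the route the kernel would use: longest prefix first, then lowest metric."""
    best = None
    for net, dev, metric in routes:
        if addr in net and (best is None or (net.prefixlen, -metric) > best[0]):
            best = ((net.prefixlen, -metric), dev)
    return best[1] if best else None

def find_dns_leaks(resolv_text, route_text, vpn_dev="tun0"):
    """Resolvers whose queries would leave via an interface other than the VPN."""
    routes = parse_routes(route_text)
    return [str(r) for r in parse_resolvers(resolv_text)
            if egress_device(r, routes) != vpn_dev]

if __name__ == "__main__":
    # The LAN resolver 192.168.1.1 is reached via eth0, bypassing the tunnel.
    print(find_dns_leaks(RESOLV_CONF, IP_ROUTE))  # prints ['192.168.1.1']
```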