| 1 |
On Sunday, 7 August 2022 19:27:42 BST Rich Freeman wrote: |
| 2 |
> On Sun, Aug 7, 2022 at 11:36 AM Michael <confabulate@××××××××.com> wrote: |
| 3 |
> > The best a well configured VPN tunnel can offer is a secure connection |
| 4 |
> > between client and VPN server, which is handy if you are out and about |
| 5 |
> > using untrusted and insecure WiFi hotspots. |
| 6 |
> > |
| 7 |
> > The only other reason for using a VPN service is to present a different |
| 8 |
> > geolocation for the purpose of overcoming country-specific website |
| 9 |
> > restrictions. |
| 10 |
> |
| 11 |
> I think ONLY is a bit strong here. A VPN effectively makes it |
| 12 |
> impossible for your ISP to know who you're talking to, and it obscures |
| 13 |
> your IP from hosts you are connecting to. |
| 14 |
|
| 15 |
Yes, fair point. I was thinking why would you go to such an effort just to |
| 16 |
obscure your comms from your ISP. I'm not saying there aren't use cases |
| 17 |
supporting this endeavor. I was thinking more about political activists |
| 18 |
operating under oppressive regimes where state-level surveillance would be the |
| 19 |
threat model. In this case I would think state actors wouldn't rely on ISPs |
| 20 |
alone to share such information, although ISP's data would be tapped into for |
| 21 |
good measure. |
| 22 |
|
| 23 |
|
| 24 |
> Sure, there are ways to defeat this, but most of them are only |
| 25 |
> applicable for state-level actors, and the methods available to |
| 26 |
> ordinary companies can only identify at best a unique browser profile, |
| 27 |
> which only lets them correlate traffic with those they share info with |
| 28 |
> to the degree that you use a single browser profile across those |
| 29 |
> platforms. For non-web traffic there are generally fewer attacks |
| 30 |
> available. Many of the attacks that are often cited like DNS-based |
| 31 |
> attacks are not that difficult to prevent (eg by ensuring your DNS |
| 32 |
> traffic goes out over the VPN). |
| 33 |
|
| 34 |
Yes, careful VPN implementations would guard against DNS leaks and the like. |
| 35 |
|
| 36 |
|
| 37 |
> If there are sites you browse using a different browser profile |
| 38 |
> (ideally on a VM/etc), and you never use that browser profile for |
| 39 |
> ecommerce or activity associated with your normal social media |
| 40 |
> accounts, then it is unlikely that those sites will actually be able |
| 41 |
> to identify you. |
| 42 |
> |
| 43 |
> Really the biggest pain with the VPNs is the number of websites that |
| 44 |
> actively try to block connections from them or flood you with |
| 45 |
> CAPTCHAs. Many more mainstream social media sites/etc also |
| 46 |
> effectively require association with a mobile phone number, or trigger |
| 47 |
> this behavior if they don't like your IP address. Obviously VPNs can |
| 48 |
> be abused to attack hosts or evade bans and generally cause trouble, |
| 49 |
> which is a frustration for those who simply don't want companies to |
| 50 |
> know who you are. |
| 51 |
> |
| 52 |
> Bottom line is that just because the NSA can track your connections |
| 53 |
> doesn't mean that every random webserver on the planet can do so. The |
| 54 |
> few government agencies that are likely to be that well-connected are |
| 55 |
> also very interested in keeping the extent of their capabilities |
| 56 |
> hidden from each other, and so when they intercept your data they're |
| 57 |
> going to guard it even more carefully than you would. |
| 58 |
|
| 59 |
I would sincerely hope so. Can't vouch their contractors and subcontractors |
| 60 |
would do the same in all cases though. |
| 61 |
|
| 62 |
|
| 63 |
> A solution doesn't need to be able to defeat the NSA to be useful. |
| 64 |
|
| 65 |
ACK. It boils down to use cases and requirements. I suppose people who seek |
| 66 |
to avoid state surveillance would probably use multilayered encryption and |
| 67 |
steganography, or better stay off the Internet all together? ;-) |
Archives