Git-Mirrors/privacyguides.org
1
0
Fork 0
mirror of https://github.com/privacyguides/privacyguides.org.git synced 2024-07-31 15:42:52 +00:00
Code Issues Packages Projects Releases Wiki Activity

Revamping the VPN recommendations (#257)

Browse Source
This commit is contained in:
Tommy 2021-11-10 03:55:04 -05:00 committed by GitHub
parent fbb4ca8151
commit a86cffb0bd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
_includes/legacy/sections/vpn.html
View File

@ -48,7 +48,7 @@
<h5>{% include badge.html color="success" text="Mobile Clients" %}</h5>
<p>Mullvad has published <a href ="https://apps.apple.com/app/mullvad-vpn/id1488466513">App Store</a> and <a href="https://play.google.com/store/apps/details?id=net.mullvad.mullvadvpn">Google Play</a> clients, both supporting an easy-to use interface as opposed to requiring users to manual configure their WireGuard connections. The mobile client on Android is also available in <a href="https://f-droid.org/packages/net.mullvad.mullvadvpn">F-Droid</a>, which ensures that it is compiled with <a href="https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html">reproducible builds</a>.</p>
<h5>{% include badge.html color="info" text="Extra Functionality" %}</h5>
<p>The Mullvad VPN clients have a built-in killswitch to block internet connections outside of the VPN. They also are able to automatically start on boot. The Mullvad website is also accessible via Tor at <a href="http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion">o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion</a>.</p>
<p>Mullvad is very transparent about which nodes they <a href="https://mullvad.net/en/servers/">own or rent</a>. They use <a href="https://shadowsocks.org/en/index.html">ShadowSocks</a> in their ShadowSocks + OpenVPN configuration, making them more resistant against firewalls with <a href="https://en.wikipedia.org/wiki/Deep_packet_inspection">Deep Packet Inspection</a> trying to block VPNs. Supposedly, <a href="https://github.com/net4people/bbs/issues/22">China has to use a different method to block ShadowSocks servers</a>. Mullvad's website is also accessible via Tor at <a href="http://o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion">o54hon2e2vj6c7m3aqqu6uyece65by3vgoxxhlqlsvkmacw6a7m7kiad.onion</a>.</p>
</div>
</div>
<div class="row mb-2">
@ -77,7 +77,7 @@
<h5>{% include badge.html color="warning" text="No Port Forwarding" %}</h5>
<p>ProtonVPN does not currently support remote port forwarding, which may impact some applications. Especially Peer-to-Peer applications like Torrent clients.</p>
<h5>{% include badge.html color="info" text="Extra Functionality" %}</h5>
<p>The ProtonVPN clients have a built-in killswitch to block internet connections outside of the VPN. They also are able to automatically start on boot. ProtonVPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using <a href="https://www.torproject.org/">the official Tor Browser</a> for this purpose.</p>
<p>ProtonVPN have their own servers and datacenters in Switzerland, Iceland and Sweeden. They offer adblocking and known malware domains blocking with their DNS service. Additionally, ProtonVPN also offers "Tor" servers allowing you to easily connect to onion sites, but we still strongly recommend using <a href="https://www.torproject.org/">the official Tor Browser</a> for this purpose.</p>
</div>
</div>
<div class="row mb-2">
@ -107,7 +107,7 @@
<h5>{% include badge.html color="success" text="Mobile Clients" %}</h5>
<p>In addition to providing standard OpenVPN configuration files, IVPN has mobile clients for <a href="https://apps.apple.com/us/app/ivpn-serious-privacy-protection/id1193122683">App Store</a> and <a href="https://play.google.com/store/apps/details?id=net.ivpn.client">Google Play</a> allowing for easy connections to their servers. The mobile client on Android is also available in <a href="https://f-droid.org/en/packages/net.ivpn.client">F-Droid</a>, which ensures that it is compiled with <a href="https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html">reproducible builds</a>.</p>
<h5>{% include badge.html color="info" text="Extra Functionality" %}</h5>
<p>The IVPN clients have a built-in killswitch to block internet connections outside of the VPN. They also are able to automatically start on boot. IVPN also provides "<a href="https://www.ivpn.net/antitracker">AntiTracker</a>" functionality, which blocks advertising networks and trackers from the network level.</p>
<p>IVPN clients support two factor authentication (Mullvad and ProtonVPN clients do not). IVPN also provides "<a href="https://www.ivpn.net/antitracker">AntiTracker</a>" functionality, which blocks advertising networks and trackers from the network level.</p>
</div>
</div>
</div>

41
legacy_pages/providers/vpn.html
View File

@ -53,8 +53,9 @@ breadcrumb: "VPN"
<div class="col-md-6">
<p><strong>Minimum to Qualify:</strong></p>
<ul>
<li>OpenVPN support.</li>
<li>Support for strong protocols such as OpenVPN.</li>
<li>Killswitch built in to clients.</li>
<li>Multihop support. Multihopping is important to keep data private in case of a single node compromise.</li>
<li>If VPN clients are provided, they should be <a href="https://en.wikipedia.org/wiki/Open_source">open source</a>, like the VPN software they generally have built into them. We believe that <a href="https://en.wikipedia.org/wiki/Source_code">source code</a> availability provides greater transparency to the user about what their device is actually doing. We like to see these applications <a href="https://www.f-droid.org/en/2019/05/05/trust-privacy-and-free-software.html">available in F-Droid</a>.</li>
</ul>
</div>
@ -165,18 +166,18 @@ breadcrumb: "VPN"
</div>
<hr>
<h2 id="info" class="anchor"><a href="#info"><i class="fas fa-link anchor-icon"></i></a> Further Information and Dangers</h2>
<h2 id="info" class="anchor"><a href="#info"><i class="fas fa-link anchor-icon"></i></a> Further Information</h2>
<div class="container">
<div class="row">
<div class="col-md-6">
<h3>Should I use a VPN?</h3>
<p>The answer to this question is not a particularly helpful one: <strong>It depends.</strong> It depends on what you're expecting a VPN to do for you, who you're trying to hide your traffic from, and what applications you're using.</p>
<p><strong>In most cases, VPNs do little to protect your privacy or enhance your security</strong>, unless paired with other changes.</p>
<p><strong>Yes</strong>, unless you are already using Tor. A VPN does 2 things: shifting the risks from your Internet Service Provider to itself and hiding your IP from a third party service.</p>
<p>VPNs cannot encrypt data outside of the connection between your device and the VPN server. VPN providers can see and modify your traffic the same way your ISP could. And there is no way to verify a VPN provider's "no logging" policies in any way.</p>
<h3>What if I need encryption?</h3>
<p>In most cases, most of your traffic is already encrypted! Over 98% of the top 3000 websites offer <strong>HTTPS</strong>, meaning your non-DNS traffic is safe regardless of using a VPN. It is incredibly rare for applications that handle personal data to not support HTTPS in 2019, especially with services like Let's Encrypt offering free HTTPS certificates to any website operator.</p>
<p>Even if a site you visit doesn't support HTTPS, a VPN will not protect you, because a VPN cannot magically encrypt the traffic between the VPN's servers and the website's servers. Installing an extension like <a href="https://www.eff.org/https-everywhere">HTTPS Everywhere</a> and making sure every site you visit uses HTTPS is far more helpful than using a VPN.</p>
<p>However, they do hide your actual IP from a third party service, provided that there are no IP leaks. They help you blend in with others and mitigate IP based tracking.</p>
<h3>What about encryption?</h3>
<p>Encryption offered by VPN providers are between your devices and their servers. It guarantees that this specific link is secure. This is a step up from using unencrypted proxies where an adversary on the network can intercept the communications between your devices and said proxies and modify them. However, encryption between your apps or browsers with the service providers are not handled by this encryption.</p>
<p>In order to keep what you actually do on the websites you visit private and secure, you must use HTTPS. This will keep your passwords, session tokens, and queries safe from the VPN provider. Consider enabling "HTTPS everywhere" in your browser to mitigate downgrade attacks like <a href="https://www.blackhat.com/presentations/bh-dc-09/Marlinspike/BlackHat-DC-09-Marlinspike-Defeating-SSL.pdf">SSL Strip</a>.</p>
<h4>Should I use encrypted DNS with a VPN?</h4>
<p>Unless your VPN provider hosts the encrypted DNS servers, <strong>no</strong>. Using DOH/DOT (or any other form of encrypted DNS) with third party servers will simply add more entities to trust, and does <strong>absolutely nothing</strong> to improve your privacy/security. Your VPN provider can still see which websites you visit based on the IP addresses and other methods. Instead of just trusting your VPN provider, you are now trusting both the VPN provider and the DNS provider.</p>
<p>A common reason to recommend encrypted DNS is that it helps against DNS spoofing. However, your browser should already be checking for TLS certificates with <strong>HTTPS</strong> and warn you about it. If you are not using <strong>HTTPS</strong>, then an adversary can still just modify anything other than your DNS queries and the end result will be little different.</p>
@ -185,15 +186,19 @@ breadcrumb: "VPN"
<p>VPNs cannot provide strong anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data.</p>
</div>
<div class="col-md-6">
<h3>Shouldn't I hide my IP address?</h3>
<p>The idea that your IP address is sensitive information, or that your location is given away with all your internet traffic is <strong>fearmongering</strong> on the part of VPN providers and their marketing. Your IP address is an insignificant amount of personal data tracking companies use to identify you, because many users' IP addresses change very frequently (Dynamic IP addresses, switching networks, switching devices, etc.). Your IP address also does not give away more than the very generalized location of your Internet Service Provider. It does not give away your home address, for example, despite common perception.</p>
<h3>Should I use Tor <em>and</em> a VPN?</h3>
<p>By using a VPN with Tor, you're creating essentially a permanent entry node, often with a money trail attached. This provides 0 additional benefit to you, while increasing the attack surface of your connection dramatically. If you wish to hide your Tor usage from your ISP or your government, Tor has a built-in solution for that: Tor bridges. <a href="https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required">Read more about Tor bridges and why using a VPN is not necessary</a>.</p>
<h3>Are VPNs ever useful?</h3>
<h3>What if I need anonymity?</h3>
<p>VPNs cannot provide anonymity. Your VPN provider will still see your real IP address, and often has a money trail that can be linked directly back to you. You cannot rely on "no logging" policies to protect your data. Use <a href="https://www.torproject.org/">Tor instead</a>.</p>
<h3>What about VPN providers that provides Tor nodes?</h3>
<p>Do not use that feature. The point of using Tor is that you do not trust your VPN provider. Currently Tor only supports the <a href="https://en.wikipedia.org/wiki/Transmission_Control_Protocol">TCP</a> protocol. <a href="https://en.wikipedia.org/wiki/User_Datagram_Protocol">UDP</a> (used in WebRTC for voice and video sharing, the new http3/QUIC protocol, etc), <a href="https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol">ICMP</a> and other packets will be dropped. To compensate for this, VPN providers typically will route all non TCP packets through their VPN server (your first hop). This is the case with <a href="https://protonvpn.com/support/tor-vpn/">ProtonVPN</a>. Additionally, when using this Tor over VPN setup, you do not have control over other important Tor features such as <a href="https://www.whonix.org/wiki/Stream_Isolation">Isolated Destination Address</a> (using a different Tor circuit for every domain you visit).</p>
<p>Thus, this feature should be viewed as a convenient way to access the Tor Network, not to stay annonymous. For true anonimity, use the Tor Browser Bundle, TorSocks, or a Tor gateway.</p>
<h3>When are VPNs useful?</h3>
<p>A VPN may still be useful to you in a variety of scenarios, such as:</p>
<ol>
<li>Hiding your traffic from <strong>only</strong> your Internet Service Provider.</li>
<li>Hiding your downloads (such as torrents) from your ISP and anti-piracy organizations.</li>
<li>Hiding your IP from third party websites and services, preventing IP based tracking.</li>
</ol>
<p>For use cases like these, or if you have another compelling reason, the VPN providers we listed above are who we think are the most trustworthy. However, using a VPN provider still means you're <em>trusting</em> the provider. In pretty much any other scenario you should be using a secure<strong>-by-design</strong> tool such as Tor.</p>
</div>
@ -203,7 +208,6 @@ breadcrumb: "VPN"
<p><strong>Sources and Further Reading</strong>:
<ol>
<li><a href="https://schub.io/blog/2019/04/08/very-precarious-narrative.html">VPN - a Very Precarious Narrative</a> by Dennis Schubert</li>
<li><a href="https://gist.github.com/joepie91/5a9909939e6ce7d09e29">Don't use VPN services</a> by Sven Slootweg</li>
<li><a href="/software/networks/">The self-contained networks</a> recommended by Privacy Guides are able to replace a VPN that allows access to services on local area network</li>
<li><a href="https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-1-myth-busting-tor">Slicing Onions: Part 1 Myth-busting Tor</a> by blacklight447</li>
<li><a href="https://write.privacytools.io/my-thoughts-on-security/slicing-onions-part-2-onion-recipes-vpn-not-required">Slicing Onions: Part 2 Onion recipes; VPN not required</a> by blacklight447</li>
@ -225,7 +229,6 @@ breadcrumb: "VPN"
<li><a href="https://blog.privacytools.io/the-trouble-with-vpn-and-privacy-reviews/">The Trouble with VPN and Privacy Review Sites</a></li>
<li><a href="https://vikingvpn.com/blogs/off-topic/beware-of-vpn-marketing-and-affiliate-programs">Beware of False Reviews - VPN Marketing and Affiliate Programs</a></li>
<li><a href="https://torrentfreak.com/proxy-sh-vpn-provider-monitored-traffic-to-catch-hacker-130930/">Proxy.sh VPN Provider Sniffed Server Traffic to Catch Hacker</a></li>
<li><a href="https://www.ivpn.net/privacy">IVPN.net will collect your email and IP address after sign up</a><br />Read the <a data-bs-toggle="tooltip" data-bs-placement="top" title="The IP collected at signup is only used for a few seconds by our fraud module and then discarded, it is not stored. Storing them would significantly increase our own liability and certainly would not be in our interest. You're absolutely welcome to signup using Tor or a VPN.">Email statement</a> from IVPN.</li>
<li><a href="https://medium.com/@blackVPN/no-logs-6d65d95a3016">blackVPN announced to delete connection logs after disconnection</a></li>
<li><a href="https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa">Don't use LT2P IPSec, use other protocols.</a></li>
<li>
@ -281,18 +284,4 @@ breadcrumb: "VPN"
</div>
</div>
</div>
<div class="container">
<div class="row">
<div class="col-lg-6 col-12">
<h3>Related Videos</h3>
<a href="https://invidious.site/watch?v=WVDQEoe6ZWY" target="_blank">
<img
src="/assets/img/legacy_png/layout/this-video-is-sponsored-by-vpn.png"
class="img-fluid float-start me-3"
alt="This Video Is Sponsored By censored VPN">
</a>
</div>
</div>
</div>
</div>