On Sunday, 7 August 2022 19:27:42 BST Rich Freeman wrote:
> On Sun, Aug 7, 2022 at 11:36 AM Michael <confabul...@kintzios.com> wrote:
> > The best a well configured VPN tunnel can offer is a secure connection
> > between client and VPN server, which is handy if you are out and about
> > using untrusted and insecure WiFi hotspots.
> >
> > The only other reason for using a VPN service is to present a different
> > geolocation for the purpose of overcoming country-specific website
> > restrictions.
>
> I think ONLY is a bit strong here. A VPN effectively makes it
> impossible for your ISP to know who you're talking to, and it obscures
> your IP from hosts you are connecting to.

Yes, fair point. I was thinking why would you go to such an effort just to obscure your comms from your ISP. I'm not saying there aren't use cases supporting this endeavor. I was thinking more about political activists operating under oppressive regimes where state-level surveillance would be the threat model. In this case I would think state actors wouldn't rely on ISPs alone to share such information, although ISPs' data would be tapped into for good measure.

> Sure, there are ways to defeat this, but most of them are only
> applicable for state-level actors, and the methods available to
> ordinary companies can only identify at best a unique browser profile,
> which only lets them correlate traffic with those they share info with
> to the degree that you use a single browser profile across those
> platforms. For non-web traffic there are generally fewer attacks
> available. Many of the attacks that are often cited like DNS-based
> attacks are not that difficult to prevent (eg by ensuring your DNS
> traffic goes out over the VPN).

Yes, careful VPN implementations would guard against DNS leaks and the like.

> If there are sites you browse using a different browser profile
> (ideally on a VM/etc), and you never use that browser profile for
> ecommerce or activity associated with your normal social media
> accounts, then it is unlikely that those sites will actually be able
> to identify you.
>
> Really the biggest pain with the VPNs is the number of websites that
> actively try to block connections from them or flood you with
> CAPTCHAs. Many more mainstream social media sites/etc also
> effectively require association with a mobile phone number, or trigger
> this behavior if they don't like your IP address. Obviously VPNs can
> be abused to attack hosts or evade bans and generally cause trouble,
> which is a frustration for those who simply don't want companies to
> know who you are.
>
> Bottom line is that just because the NSA can track your connections
> doesn't mean that every random webserver on the planet can do so. The
> few government agencies that are likely to be that well-connected are
> also very interested in keeping the extent of their capabilities
> hidden from each other, and so when they intercept your data they're
> going to guard it even more carefully than you would.

I would sincerely hope so. Can't vouch their contractors and subcontractors would do the same in all cases though.

> A solution doesn't need to be able to defeat the NSA to be useful.

ACK. It boils down to use cases and requirements. I suppose people who seek to avoid state surveillance would probably use multilayered encryption and steganography, or better stay off the Internet altogether? ;-)