NBC: 'You Probably Don't Need to Rely on a VPN Anymore'

NBC News writes: VPNs, or virtual private networks, continue to be used by millions of people as a way of masking their internet activity by encrypting their location and web traffic. But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say. "Most commercial VPNs are snake oil from a security standpoint," said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. "They don't improve your security at all...."

Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock by the URL, the presence of HTTPS means that worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people's internet habits, isn't feasible. It's not clear that the threat of a hacker at your coffee shop was ever that real to begin with, but it is certainly not a major danger now, Weaver said. "Remember, someone attacking you at the coffee shop needs to be basically at the coffee shop," he said. "I don't know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS," he said in a text message.

There are still valid uses for VPNs. They're an invaluable tool for getting around certain types of censorship, though other options also exist, such as the Tor Browser, a free web browser that automatically reroutes users' traffic and is widely praised by cybersecurity experts. VPNs are also vital for businesses that need their employees to log in remotely to their internal network. And they're a popular and effective way to watch television shows and movies that are restricted to particular countries on streaming services. But like with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people.

Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers' browsing history to data brokers, or by having poor cybersecurity.
The article credits the Electronic Frontier Foundation for popularizing encryption through browser extensions and web site certificates starting in 2010. "In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites started offering HTTPS connections, and now practically all sites that Google links to do so.

"Since late 2020, major browsers such as Brave, Chrome, Firefox, Safari and Edge all built HTTPS into their programs, making Electronic Frontier Foundation's browser extension no longer necessary for most people."

VPNs are just for evading geo-restrictions

[ffkom]

Clearly, there is little benefit to be expected from commercial, centralized VPNs with regards to security - you basically exchange one carrier for another that can block/redirect/DNS-spoof you.

But these days the selling point of VPNs is mostly to access services that, for whatever bad reason, are made inaccessible from certain regions of the world. Including ordinary entertainment with country-specific licensing issues or adult entertainment.

Re:VPNs are just for evading geo-restrictions

[Spazmania]

VPN services are about anonymity not security. The "protect yourself at the coffee shop" scenario was false even before widespread encryption. You use a VPN service when you don't want anybody who knows your real identity to know what you're up to. Nothing about their protection of anonymity has changed.

VPNs for access to work and things like that are an entirely different ball game. Anyone who says they don't enhance security doesn't understand security worth a whit. Security is all about attack surface and defense in depth. If hacker has to breach the VPN before he can attempt to breach the interior resources the initial attack surface is tiny: the well hardened VPN. And that tiny attack surface is an extra layer of defense for the resources sitting behind it.

Re:

[YetAnotherDrew]

Exactly. Masks, not condoms.

Re:

[jonbryce]

Work VPN is not something you buy from the likes of NordVPN or any of the other ones, probably owned by the same parent company, that get advertised constantly.
You either buy some box to put in the server room at your office or install some software on a computer with 2 network cards, and put that in your server room. This is a completely different market, and not what this article is about.

Re:

[drinkypoo]

The "protect yourself at the coffee shop" scenario was false even before widespread encryption.

No, it was not. If you were on an unencrypted WiFi network before the rise of encrypted protocols then people could gather useful data from your communications just by sniffing. And even if you were connecting to an encrypted network, someone else could set up their own AP which spoofed the one you thought you were connecting to, and have access to your full unencrypted connection and all your packets. Before widespread encryption, a VPN absolutely would improve your security when connected to a coffeeshop

Re: VPNs are just for evading geo-restrictions

[vyvepe]

Moreover most people do not disable cookies and do not defend their browsers against fingerprinting. They are not really anonymous. VPNs increase anonymity only marginally by hiding the IP address and adding one more step when determining the identity (the need to get user identity from the VPN provider instead of directly). On the other side, VPNs increase risk by adding a middleman who has all the information on the users. My opinion is that working around geo-blocking is the only VPN feature worth paying for.

Re:

[aRTeeNLCH]

I took the anonymity bit to refer to not being able to get your name and postal address from your IP, as in file sharing something over Bittorrent. For that it works fine, as long as your VPN provider can avoid having to state it was a computer under your control that they found offering a file they claim the rights to.

Re:

[bhcompy]

The anonymity isn't to the provider. You get what you pay for, servicewise. The anonymity is to masking where (and potentially who) you are to the sites you visit in general, assuming they're not also affiliated in some way to the provider. And by anonymity, it's primary just to change your entry point into the internet. I'm in Los Angeles, not Pittsburgh, today, because my IP says I am, so serve me sporting events from Los Angeles. Now, website operators may know it's a known VPN address and may black

Re:

[Shinobi]

At least with Mullvad I can buy a prepaid number account with cash, that is not tied to any credit card, email address, phone number or anything. I can also buy a prepaid cash 4G SIM, a cheap 4G dongle, and a Raspberry Pi 4 or something, and there we go.

Re:

[omnichad]

This was also a time before casual users had ever heard of the term VPN. It has always been non-news.

Re: VPNs are just for evading geo-restrictions

[klipclop]

VPN + socks 5 proxy is a good way to mask your ip when downloading copyright materials or to try and bypass geo restrictions. I also agree that random 3rd party vpns don't provide anonymity. A lot of these companies have been caught performing verbose logging of users or VPN companies are fronts for malicious state actors. (so they can vacuum up users traffic logs)

Re:

[vyvepe]

A lot of these companies have been caught performing verbose logging of users or VPN companies are fronts for malicious state actors. (so they can vacuum up users traffic logs)

THIS! VPNs are really good only for working around geo-blocking.

Re:

[mark-t]

Evading geo restrictions qualifies as a form of circumvention of a technological barrier or protection measure that the licensed distrubutors have put on a copyrighted work, and depending on regional laws, can actually be illegal.

Fortunately for the vpn user, and contrary to the above assertion, there are enough entirely legal use cases for VPN usage that simply using a VPN usually does not provide probable cause for any investigation.

What is probably true, however, is that most of the legal use cases

Re:VPNs are just for evading geo-restrictions

[bloodhawk]

Not aware of any country evading geo restrictions is illegal (though I am sure there must be some). Hell in Australia it is not only legal but recommended by the government consumer authority (ACCC) as a means to bypass unfair restrictions.

Re:VPNs are just for evading geo-restrictions

[mark-t]

Not aware of any country evading geo restrictions is illegal

Not explicitly, no.

But geo restrictions are a technological barrier put in place by the distributors of the copyrighted content to control its distribution, and evading those restrictions would most definitely qualify as circumvention of that measure. The DMCA in the USA, for example, outlaws such circumvention, and would ordinarily implicitly render evading geo restrictions illegal. However, this isn't an actual issue because geo restrictions are typically on a nation wide level, and national laws do not govern other countries. It would only come into play if *BOTH* of the involved nations had laws resembling the DMCA in this regard. The sheer difficulty of identifying such use, however, renders it impractical to try to enforce it on anything less than corporate levels.

But that doesn't mean it's legal to to it on an individual level, it just means that the expense of identifying and verifying such individual cases far outweighs what can reasonably be gained by stopping them.

Re:

[thegarbz]

The DMCA in the USA, for example, outlaws such circumvention, and would ordinarily implicitly render evading geo restrictions illegal.

No it does not in the slightest. The circumvention outlawed is exclusively messing with a content stream that is given to you. It in no way outlaws lying about who you are so that a different content stream is provided to you.

You can't break the encryption used for geoblocking, but you are legally within your right to pretend to be somewhere else. The two are very different things, and no one has ever been DMCA'd for changing the region code on their DVD player (for example) much less for using a VPN.

Re:

[omnichad]

Correct. It's the content providers who are liable, for distributing content outside of their licensed region. This is why most of the content providers have at least rudimentary bare-minimum anti-VPN measures - but not so restrictive that it keeps paying customers from easily getting around them.

Re:

[Antique Geekmeister]

The list of such countries is available at https://en.wikipedia.org/wiki/... [wikipedia.org] It's nearly all nations of the world, many of which have signed the WIPO clauses of the Berne Convention.

what about hotel room proxies

[goombah99]

Many public wifi have some sort of dns redirects and proxies. Can I really trust https to not be vulnerable to man in the middle attacks under those conditions? Even specifying the DNS by IP address rather than trusting the wifi dhcp to provide DNS doesn't assure that 8.8.8.8 or any common DNS isn't being redirected. It seems like the way around this surely requires so pre-established shared secret. Or am I wrong? Does https really provide some zero config zero knowledge way to avoid a man in the middle

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:what about hotel room proxies

[PPH]

There are major DoH servers operated by Cloudflare and Google (you get to choose.)

This protects privacy.

Not really. It just puts my browsing habits in the hands of Cloudflare and Google. Google is all about monetizing the user. And Cloudflare isn't far behind. They might not be scraping browsing habits directly. But they are the ones that create the "Checking your browser" popup if you turn on ad blockers or block JavaScript from certain sites.

If you use a VPN, those browsing habits are harder to track. Since they no longer know who or where you are by your IP.

Re:

[i.r.id10t]

This.

Let me know when I can update my Bind9 config to provide my own DNS over HTTPS ...

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[PoopMonkey]

DoH wouldn't only be used in a coffee shop though. It'd be used at home, which would limit the number of people that it could possibly be. That plus the various ways Google fingerprints so much means google has little problem telling you apart from everyone else in the same coffee shop or hotel. So, if you're a creature of habit and visit a, then b, then c at home every day and also visit a, then b, then c at a coffee shop or hotel, they'll know exactly who you are.

Re:

[Antique Geekmeister]

The unique SSL connections for DNS over HTTPS make DNS lookups from behind a NAT uniquely identifiable. They should not be considered a security enhancement for most of us, though the lack of encryption of the traffic does permit more untargeted monitoring in a NAT based environment.

Re:

[kingbilly]

Checking your browser

Perhaps the difference won't mean much in the grand scheme of things, but Cloudflare does that because site owners configure it. The end-user isn't attempting to use Cloudflare, they probably don't even know it exists. Contrast that with Google services, where the user is intentionally accessing Google.

Again, it might not mean much, but we can't ignore the distinction. Cloudflare isn't something an end-user chooses to use. Blame the site owners who put their content behind it.

Re:

[omnichad]

Because all of the implementations are set up to be routed through the software provider, not user configurable. And most of that at the browser level, so it has to be configured per-application. It seems that Windows 11 has DoH at the OS-level, but even there it only works with a list of hard-coded preselected DoH providers. If it were really in the name of security, then the push would be going in a completely different direction.

Re:

[ELCouz]

No not really just for geo-restriction. I use my home VPN on phones to block ads (pi-hole) when on LTE. It has also the advantage of accessing files on the network,

Most people are ignorant about computer security.

[Frobnicator]

The article is painful to read. Most people have no idea about networking, what the security threats are, and what to do to mitigate them. For people who think VPN and HTTPS solve the same problems, they really don't understand it so are better off paying others to help them.

Re: Most people are ignorant about computer securi

[raymorris]

> For people who think VPN and HTTPS solve the same problems

Most VPNs *are* TLS (SSL) connections. Precisely the same as https, which simply means making a TLS connection and then using it for http.

From a SECURITY standpoint, they are precisely the same thing.

If the "problem" you're wanting to solve is getting US pricing the EU or vice versa, sure. You can use a VPN service to "hide" your geographic region from service providers who don't give a shit and allow that.

Ps - you aren't hiding squat. Netflix e

Re:

[narcc]

It's even simpler than that. It would be easier and cheaper to use the customer's billing address than their IP address for geoblocking. That they don't is very telling.

Pro tip

[raymorris]

Pro tip: When calling a professional "retarted", try to learn English well enough to make fewer screw ups than the number of words you use. When you use two words and screw it up four different ways, it doesn't have the same impact for *you* to call someone else "retarted".

Two words; four screw ups. That might be a Slashdot record.

Re:

[sabt-pestnu]

Maybe he simply thinks the GP has returned to being a sweet pastry?

Re:

[mad7777]

and... you're retarded.

Re:

[znrt]

welcome to civilization: you probably don't understand all the intricacies of making bread and cheese, which are actually pretty straightforward, so you pay someone else to provide actual bread and cheese instead of eating dry grain and sucking on a cow's tit, and here's the news: you get to consume shit quality bread and cheese which is most likely even bad for your health.

btw, private vpn never have solved any "security" problem whatsoever, specially if you really had something to worry about, they basica

Re:

[Junta]

Problem is a lot of VPN advertising takes advantage of that lack of knowledge, and so an article has to be written to that same level. VPN providers have advertising that suggest they are required to protect your banking information when you access your bank, for example.

The only valid application of these third party vpn services is masknig your geography to get different streaming services than you would normally be allowed.

VPNs are valid for corporate use, mainly because non-VPN encapsulation isn't done

Re: Most people are ignorant about computer securi

[alexgieg]

The article is painful to read.

This is the case for 99% of all articles published by journalists on any topic whatsoever. If the reader actually knows the topic a journalist is (trying to) talk about, no matter what that topic is, the feeling of cringiness and the face-palming are exactly the same.

Reading these awful technical articles is always good for reminding us that journalists aren't conspiring, or even necessarily biased, when they write this or that. They're just complete laymen trying to talk about stuff that's way, way over th

The CONTENT of connection vs. the FACT of it

[mi]

VPNs not only hide the content of your traffic, they also hide the very fact, that you're accessing a particular site from your immediate connectivity-provider.

That is important to a number of people, especially those fearing oppression by powerful entities (such as governments), which are capable of compelling the ISPs to divulge details about your traffic.

That is, they may not know your particular kinks, if you access Porhohub over HTTPS, but they will know, you visited Pornohub — and how many times. Using VPN hides that from the ISP — though, obviously, not from the VPN-provider...

Dozens of VPN companies are one guy

[raymorris]

You're trading reducing the information available to your ISP and instead providing that information to the guy who runs more than 20 different VPN brands.

He may or may not be routing all the "different" VPNs through the exact same AWS servers.

He could make your own guesses as to why he's so interested in your "private" traffic.

Re:Dozens of VPN companies are one guy

[ShanghaiBill]

You're trading reducing the information available to your ISP and instead providing that information to the guy who runs more than 20 different VPN brands.

The cops can get a warrant for my local ISP. They can't do that for a VPN located outside their jurisdiction.

Re:Dozens of VPN companies are one guy

[raymorris]

Imagine YOU were on the FBI cybersecurity task force, and because you're the rookie you have to work New Years, sitting there with nothing to do since everyone else is off. It's your job to figure out what the bad guys are doing online.

Would YOU perhaps pass the time by throwing another dozen Wordpress templates up, to advertise another dozen VPN brands in order to get all the criminals to send all their traffic to your monitoring servers? Knowing, of course, that with your VPN don't NEED a warrant for traffic that people *choose* to send you.

Yeah, so would I. If I were working for the FBI, I'd have about 300 different VPN brands by now, putting up a few more whenever I'm bored for an hour. Most of the "smart" bad guys would be using one or more of my VPNs, sending all their traffic right to me. No warrant needed when the bad guys sign up to send the info to you.

Re:

[Kernel Kurtz]

If I were working for the FBI, I'd have about 300 different VPN brands by now, putting up a few more whenever I'm bored for an hour.

And if they want to blow their cover to get me for downloading Matrix Resurrections then they will have 299. Probably not cost effective, but thanks to them I don't get nasty emails from the MPAA/RIAA anymore, so good job in any case!

Re:Dozens of VPN companies are one guy

[narcc]

Imagine YOU were on the FBI cybersecurity task force,

That sounds like the worst Choose your own adventure book ever.

Re:

[sabt-pestnu]

Naw, man. They've got other Network Investigative Techniques [zdnet.com] (aka malware). Why create a VPN when you can create a honeypot?

New to this planet?

[raymorris]

> If the FBI wanted to run a VPN, and assuming they kept the logs secured, so some state hacker couldn't snatch them

US government workers keep things secure? Secure against state-level attacks? Remember the IT folks working for the government for $50K are people who couldn't get a job in the private sector, which paays twice as much.

Re:

[MooseTick]

If the acts of 2 "rogue" FBI agents proves the whole FBI is "the worst evil in the world"; then do you agree that a few "rogue" police officers that murder unarmed suspects proves that police are evil and the group as a whole needs addressing?

Re:

[jodido]

But the local cops where the VPN is located can, and they're best friends with the FBI, or can made to act like best friends. The fact is that if the FBI/CIA/NSA /whoever wants to go after you, nothing will stop them. This is not a good thing.

Re:

[mi]

You're trading reducing the information available to your ISP and instead providing that information to the guy who runs more than 20 different VPN brands.

No, I don't. And the marketing strategies are irrelevant to the topic.

But, yes, it is a choice of whom you trust...

Re:

[mrclisdue]

I run a cheap vps on ramnode and supply my own vpn. No logs.
I trust me.

Well, you made it easier to track you

[raymorris]

I wrote the software that thousands of web sites use to track subscribers for fraud prevention. Meaning we tracked millions and millions of users. For example, if you log in from Arizona every evening around 7PM using Linux, then at 3AM somebody using Windows from Turkey claims to be, the system knows that's suspicious - it's probably not really you.

Coming from the perspective of having actually tracked millions of people for many years, let me ask you a question:

Does the IP of your VPS change every few minutes?

If not, here's the effect of what you've done. Instead of Google or Facebook or whatever having this record for you:

ID IP IncomeBracket Hobby1
9082 xyz.yy.z.w.z 12 Electronics

They instead of this record:

ID IP IncomeBracket Hobby1
9082 zyz.yy.z.zw 12 Electronics

You've changed the IP. That's all.

Well, changed the IP and probably made it more stable, ESPECIALLY if you use your VPS from your phone. Phones change IPs constantly. Routing the traffic from your phone through the VPS, you've switched from having your IP change every 60 or so to instead having a nice stable IP that lasts for months or years - far easier to track you that way.

Those of us with a reason to track appreciate that you've picked that nice stable IP, and stayed away from the messy residential ISP IPs that have so much turnover.

Re:

[mrclisdue]

Yes.

Re:

[Anonymous Coward]

Phones change IPs constantly.

IncomeBracket and Hobby1 are estimated by the behaviors of what? Even if my behavior in IP1 and IP2 was the same, I'd express different facets at different times.

But man. You are amazingly certain that the databases use the IP address as the fingerprint.

Any sane heap would make multiple UIDs based on multiple fingerprints, with confidence pooling. Your own post describes why only a dumbfuck would rely on that alone, when many other fingerprints would make your "constantly changing IP" phone trivial to track

Lots folks using Windows

[raymorris]

You are absolutely right that things like user agent can be used, and are. Along with lots of others things. Unfortunately most of them are strongly correlated. If you're using the iphone browser, you probably have the iphone fonts, you're running one of two popular iphone screen resolutions, etc. So while the list is long, it's largely a long list of ways to figure out it's an iphone. Or a Windows 10 box, with the Windows 10 fonts. That's why IP is very useful.

Re: Dozens of VPN companies are one guy

[mr.morbo]

Ignoring that your VPS is brought and paid for with real money that ties it right back to you.

Even if you paid in shitcoin your real IP connects to your VPS and is one demand letter away from finding your real identity.

There's safety in numbers on one of the few reputable VPN brands like Mullvad or Proton.

Re:

[EvilSS]

Well you don't log. Your VPS provide, however, does. Plus unless you are paying for it with crypto from a wallet address you only use for that, it's pretty easy to track back to you. So no logs really doesn't matter in your use case.

Re:

[ArmoredDragon]

There are also a lot of other great uses for them, like:

- Download torrents without having to worry about DMCA letters
- Evade IP bans so you can openly troll reddit
- Evade geoblocks so you can watch whatever you want on netflix
- Leak Hillary's emails to the public without having to worry about being disappeared

Re: The CONTENT of connection vs. the FACT of it

[Z00L00K]

However the vpn provider does know about it and then you don't know anyway if your activities are known.

Obviously

[Tailhook]

This is so blatantly obvious that one wonders how it might be lost on NBC.

It would surprise me one bit to learn that NBC is publishing this "news" on behalf of the FBI, DOJ etc. to discourage VPN use.

Re:The CONTENT of connection vs. the FACT of it

[Wycliffe]

if you access Porhohub over HTTPS, but they will know, you visited Pornohub — and how many times. Using VPN hides that from the ISP — though, obviously, not from the VPN-provider...

Most importantly, it also hides it from the remote site. This is especially important if the remote site is a honeypot or some other site a government compromises. For instance, if you post something illegal in your country on social media. If you connect from local ISP to VPN to remote site, the remote site doesn't know where you originated from. Without a VPN, the remote site knows your local IP and then the government just needs to ask your local ISP who you are. With a VPN, they first have to gain access to the VPN records if they exist before jumping to the next step. This is where TOR or the classic movie trick of multiple relays becomes useful. If you have multiple relays between you and the remote site, the records of the remote site only points to the first relay. They then need to compromise that relay which only gives information on the second relay, etc... It makes it even harder if the intermediate relays are in different jurisdictions. In order to trace something back to the origin, you have to gain access to logs on every relay in the path (or some identifying information like billing information from one of the relays) in order to connect it back to the original person.

Re:

[jwhyche]

A VPN is just another tool in the tool box. and like any other tool it has its uses. The basic thing a that a VPN does is keep you from being "low hanging fruit." If you are using it on a public wifi it keeps the evil hacker at bay and lets you circumvent stupid ass restrictions, they have on them.

If you chose to use it for copy right restricted material then by dropping your exit point in another country it makes it almost impossible for the copy right police to peg you. Not impossible but very di

Re:

[mi]

If you’re using your own internet connection at home, no one fucking cares that you’re watching porn.

In the US they don't... (And only until you run for office or otherwise make publicly embarrassing you worthwhile.)

But pornography was just an example. "Hate speech" — already illegal in many otherwise reasonable places [wikipedia.org] — is another.

You need VPN to hide what you are doing (metadata)

[firecode]

You can easily figure out what kind of activities one is up to by analysing which websites you connect to (DNS requests and IP addresses).

You need VPN to hide metadata as well as possible from your connections.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:You need VPN to hide what you are doing (metada

[narcc]

The claim that it's a hoax is not supported by the facts.

Re:

[narcc]

If such "facts" exist, then where are they? Is this one of those things where "it will be revealed in two weeks" like all of the other alleged "facts"? I see a lot of meetings with Russians and a lot of Russian money (by their own admission). Your alleged "facts" will need to account for an awful lot of smoke.

I await your excuses for why you can't present anything.

Re:

[omnichad]

The only debate is whether there is sufficient plausible deniability. I'm sure there was some effort to ensure that. There certainly wasn't any effort to counteract or call out propaganda that was not domestic in origin.

Herald LetsEncrypt

[drkshadow]

The internet being SSL-encrypted was due in one part to LetsEncrypt, and another part AES encryption becoming baked into CPUs.

Without either of those two things, it would still not be viable for the majority of sites to provide SSL.

Re: Herald LetsEncrypt

[nuckfuts]

There were free SSL certificates before Letâ(TM)s Encrypt came along.

Re:

[omnichad]

Startcom ended up being a real mess but was free and trusted for a while.

Piracy

[Powercntrl]

While I realize there are places outside the USA where geographic restrictions and censorship may come into play, here commercial VPN services are mostly used to avoid getting a copyright nastygram from your ISP when using P2P networks for pirating. For that use case, a VPN absolutely is still necessary, because the RIAA/MPAA and their lawyers absolutely have stepped up their game in sending out copyright violation notices.

Of course, I can’t see a major television network wanting to include that little bit of info in their article.

Re:

[Canberra1]

Some countries like UK, Australia, NZ and Canada have draconian user discovery laws, requiring the local ISP to cough up and soon - to co-operate. If they cant decrypt, traffic analysis tells them plenty. Using a vpn and wireguard as least means the snoops have to work harder, and have gaps and legal uncertainty going forward. Knowing their 'Capture Ratio' is declining, and collection effort costs increase gives one a warm fuzzy feeling. The observation is now email T2A is dead, and easy to track hard devic

You certainly can't trust any VPN

[Rosco P. Coltrane]

That's one thing that's been certain for years.

VPN are good enough to evade IP geolocation. Beyond that... Well you know, being tracked, sold out, monetized or having your creds lost to hackers by your ISP or by your VPN? That's the agony of choice.

Translation

[PPH]

Your use of VPNs to obfuscate your location is messing up our value to advertisers.

"In recent years"?

[93 Escort Wagon]

Maybe I'll be charitable and assume the writer meant "https by default" rather than https in general - which has been around next to forever (in internet years) [ietf.org]. But, still - I expect that most of those "millions of people" who use VPNs are not really doing it for security reasons; they're doing it to get a geofenced media.

Lord knows, anyone trusting a cheap VPN provider to provide "security" is not really thinking things through.

Re:

[danskal]

Yeah, if you're going to clarify why VPN is security snake-oil, don't add your own browser snake-oil. Https has been around since last millennium. About a thousand years in internet time.

Two things have changed.... ubiquitous SSL/TLS on web servers, and HTTPS by default in browsers: even if you deliberately choose http:/// [http] the browser will switch to https:/// [https] if it's available on the server.

It is not about only traffic encryption

[mordred99]

While one of the benefits of VPN is traffic encryption, it is also about some other things. Geolocation is a thing. If you are doing anything legally questionable, or even legal but intentional (like penetration testing a client), VPNs still make sense as it basically makes your traffic look like it is coming from some place else. It is annoying as fuck to me that I browse to a site, even with noscript and 4 other privacy add-ons, the site knows where I live based on my IP, and makes assumptions of the closest stores, and inventory when I browse for information. This is not helpful to me most of the time and if I actually want to buy something, I will sign in and you can get that info then. Even telling the browser to block all requests for access to location, doesn't stop sites from doing that.

I have a VM setup for all my "alternate" browsing that is where my VPN is installed. I do all my p2p, all my other things in that VM. I don't care as much if the home depot knows I am in my city and browsing storm doors. There are some things that I want to keep private however and those things I use that VM and VPN.

No need to whisper, police say

[AcidFnTonic]

With the recent Advent of Technology that can replace ears, the police have just announced that it's no longer worthwhile to whisper when discussing illegal activities. You should now be shouting it out loud.

VPNs are useful....for some things.

[dave314159259]

VPNs are useful in the following scenarios:

1. 1. When you need secure network-level access to a remote resource (like a work network).
2. 2. When your ISP is evil. (anywhere from monitoring specifics of traffic you'd rather not be monitored, to MITM-ing DNS queries and SSL certificates.
3. 3. When you travel and may use a coffee shop wifi network, and either the coffee shop or their network provider is evil.
4. 4. When you want to appear to be located in a different geographic region.

When using a VPN, you are basically

Re:

[Todd Knarr]

Not just whether the coffee shop or their provider is evil, but whether they've been compromised. Someone can remotely compromise the shop's router and set up a proxy with a wildcard certificate that'll MiTM all SSL traffic without ever setting foot on the same continent. If the router is vulnerable at all, a botnet has undoubtedly already compromised it.

For cases where you're worried about the VPN provider tracking or intercepting information, it's feasible to get a low-end VM and run one of the turnkey VP

Comcast

[byronivs]

It came from NBC News, that's NBC, that's Comcast, Universal. These other parties are interested in "other stuff". This has got MPAA and ISP interests all over it. And they also run a streaming service now with original content. Caution is required here to determine the intent of the reporting of this. I didn't RTFA, nor the TFS. It's all suspect to me because Comcast is involved. Keep your VPN until someone else confirms the meat of it.

Re:

[jmccue]

Yes, from the owners of COMCAST. If you use a VPN on their network, they cannot see what sites you are visiting. So they are loosing some $ because they cannot sell your info.

Re:

[gweihir]

Yes, from the owners of COMCAST. If you use a VPN on their network, they cannot see what sites you are visiting. So they are loosing some $ because they cannot sell your info.

That makes a lot of sense. Especially as they apparently are allowed to sniff your traffic. In Europe that would be a criminal act without a court order. With encrypted connections they still see where you are going most of the time.

Security leaks

[fluffernutter]

For total protection without a VPN you need to check every single service you go to in order to ensure it is encrypted, and be diligent about doing it all the time, because if you are serious about security, one unencrypted site or networking command can compromise the whole thing. If you use a VPN, you start the client and you are reasonably safe until you stop the client. Unless you aren't sure where your VPN is coming from, why wouldn't you just use that extra level of protection?

I don't give a fuck to the man-in-the-middle

[nospam007]

I don't want the man on the end to know who I am.

Uses for VPNs in 2022

[williamyf]

The NBC commentard seems to forget that the USoA is not the world.

+ The dominant ISP in these parts (and in many other countries is the same) is owned by the Govt. This ISP is known to spy on people (mostly PEPs, but you can never known when you are a target), including, but not limited to MitM attacks. A VPN is great in that situation.

  + Here, people do not have much money, and data plans here are costly and heavily capped, so they tend to try and get free WiFi, with the known risks (MitM attacks in particular). A VPN can help you a lot with that.
PS: the Govt. here runs one of the largest Free WiFi NWs, so even if you have an alternative ISP at home, when you are out and about, you are game for spying and MitM.

+ The dominant ISP here censors many sites disenting to the Govt. and the Govt. agency analogous to the FCC forces the other ISPs to censor the same sites too (I am certain this is true in many other parts). To evade that censorship, a VPN is a useful tool.

+ Also, most of the media here (by number of open RF tv channels, radio stations, as well as newspapers) is dominated by Govt. media, so, evading censorship and geting alernatives, is doubly important.

+ I guess this one is true all over the world, but ISPs thend to gather metadata about what you do online. If you are not OK with that, a VPN will mask your online habits supper well, the only thing your ISP will know about your browsing, is that you love a certain VPN.

Need more reasons to use a VPN in 2022?

Beyond pranks

[manu0601]

"Remember, someone attacking you at the coffee shop needs to be basically at the coffee shop," he said. "I don't know of them ever being used outside of pranks

An industrial spy looking for a specific target would do that too.

Re:

[gweihir]

Indeed. And that "coffee shop" may well be your home or company where the attacker got in via an insecure or wrongly configured router or the like.

"Powered by Admiral"

[SoundGuyNoise]

NBC News website pops up the Admiral bug that begs us to disable and any all ad blockers. That along with the gist of this article tells us a lot.

VPNs are definitely useful...

[jonwil]

VPNs (even the big name commercial VPNs like Surfshark, NordVPN etc that every YouTuber seems to have sponsorship from these days for whatever reason) are definitely useful, just not for the things that people think they are (or that the VPN providers claim they are).

They are useful for:
1.To get around censorship and site blocking by ISPs or other entities between you and the place you want to visit

2.To make your connection look like its comming from a specific country or network in order to access things t

Re:

[gweihir]

They are NOT useful for hiding credit card numbers, phone numbers, addresses or other private/personal information from attackers.

If the site you are visiting uses HTTPS then that's already hiding the information and the VPN is adding no extra security. If the site you are visiting isn't using HTTPS then any security the VPN may be providing will not protect that data.

Not quite accurate. First, sniffing for credit-card numbers and private information is typically done close to the client, on a compromised client or on a compromised server. For sniffing close to the client (access router, for example) a VPN from the client helps for the case that something is not encrypted. For the other two cases, it does not help, so it is not suitable as the only mechanisms. It does increase your security level for this use case though.

Also remember that your credit-card number, etc. m

so much wrong...

[Espectr0]

...in that article. browsers did not "add https". web servers kept migrating their sites to https. what some browsers did is alert the user when they were visiting http sites and in some cases, attempting to force https usage on sites when possible.

article doesn't even mention encrypted DNS, which is something that browsers DID add and can be useful for privacy reasons (although there are some concerns about the dns server now potentially invading your privacy as well

Re:

[bussdriver]

Yes, the article is embarrassingly bad but isn't NBC still owned by Comcast (ISP)? Seems like another corporate hack got into their news division; they have more competent staff that are capable of talking about basic internet technology.

Aren't ISPs still upset about VPNs preventing them from monitoring your internet usage? Comcast wasn't happy about DNS alternatives either.

Complete bullshit

[gweihir]

VPNs serve several purposes. One is evading geo-restrictions i.e. artificial trade barriers. Another is preventing traffic analysis and for that encryption of individual data-streams does not help one bit. Then there is the securing of the last mile and not all traffic is encrypted. With a VPN you get at least an entry-point to the Internet that is not under control of an attacker. Well, hopefully.

This "advice" by NBC is both incompetent and may endanger you. I am a bit disappointed to see Nick Weaver in t

as usual they miss the point of a VPN for most

[bloodhawk]

Could not give a shit about the security angle. I use a VPN to get around Geo Fencing, Torrenting, government ISP meta data collection of what sites, when and where I access them. VPN hasn't really been a security tool except in the corporate world for a while now.

VPNs are a fad

[peterww]

Vpns came into vogue for two reasons: trying to get around streaming service regional restrictions, and privacy paranoia. If you use secure websites, they really do nothing for your security or privacy. I'm hopeful that people become less privacy-obsessed now.

Re:

[bloodhawk]

bullshit, without a VPN it doesn't matter that the content is secure, ISP's governments and MIAA Mafia will be able to see exactly what sites you access and when. VPN's if anything are more essential than ever if you want privacy as secure websites don't do shit to protect you from your government or your ISP/DNS provider snooping/selling your data etc.

So much mos-information and stupidity...

[Kelxin]

VPNs serve a menagerie of purposes between punching through firewalls such as China's or a school, accessing geo locked content, testing search engine results from different geo locations, privacy, better encryption than SSL, double layer (or more) encryption, IP restricting access to specific devices over VPN, network joining over long distances to provide direct access to network resources, and in many cases, much lower ping and higher throughput for specific things. This isn't a definitive list either

Sponsered Content

[DarkRookie2]

Google paid NBC for the story.

Re:

[narcc]

Run your own VPN and this bonus attack vector magically disappears!

Won't that just make you easier to track?

Re: there are other use cases

[mr.morbo]

My use case is government mandated spying. Or the avoiding thereof.

My government (with extremely dubious legality and they seem to drop cases that challenges it) demanded that all communications be logged and provided to the government without a warrant at any time the government asks.

You can bet your bottom dollar they ask for * once a week and archive it forever.

So I use a VPN. All the criminals that run the country can see is that I use a VPN. Nothing more. Because fuck them, that's why.