FRESH

Hacker News

Home

Who Owns, Operates, and Develops Your VPN Matters

197 points by sdsantos

by fujigawa

16 subcomments

Commercial VPNs will go down as one of the greatest money-making schemes of the last decade. Outside of a few specific use cases their sales often rely on leveraging non-technical users' fear of what they don't fully understand.
I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft", or my personal favorite: "to protect my bank accounts".
Not a single person has said "I pay to route my traffic through an unknown intermediary to obscure its origin" or "I installed new root certificates to increase my security."

by aborsy

6 subcomments

Do people here trust their ISPs more than their VPN providers? That’s the question!
On the other hand, as far as privacy from the end point is concerned, users can be identified regardless of IP addresses. Visit fingerprint.com, you will get an identifier, then connect to a privacy VPN and change servers once in a while. The website will identify you, tell you are the same user visited last week from such location, and the number of times you visited.
Browsers (except Tor) send so much data that accurate identification is possible without IP address. And services could refuse to work if users don’t provide the required information, although that info could be randomized.

by dongcarl

1 subcomments

I'm surprised no one has mentioned iCloud Relay-style Multi-Party Relays yet: https://www.privacyguides.org/articles/2024/11/17/where-are-...
It greatly improves on the existing VPN trust model by separating the "who" (connecting IP, potential payment info, etc.), from the "what" (IP traffic). You no longer have a trust a single entity not being malicious or compromised.
Disclaimer: I run obscura.net, which does exactly this with Mullvad (our partner) as the Exit Hop.

by tetris11

3 subcomments

MullvadVPN seem to be pretty decent at the moment, but it looks like they're laying down a worldwide VPN infrastructure of sorts that other VPN companies can rent (similar to phone networks)
This makes me feel a little uneasy of their unstated longterm goals (corner the entire market), but I do think they are the most trustworthy out there right now

by tashian

1 subcomments

The notion of "zero trust" shouldn't just mean corporations not having to inherently trust users and networks. It should also mean users not having to inherently trust corporations.
VPN providers all run the same two or three VPN protocols, all with similar security guarantees and privacy limitations.
I've been playing with MASQUE relays over the last year. Apple's iCloud Private Relay is a MASQUE relay (two, actually). MASQUE can offer genuine privacy improvements via traffic separation, preventing any single party from correlating the traffic source and destination.
Some of the privacy concerns of VPN users can be mitigated with better technology. And relays are built into Apple operating systems today. I'm surprised that they aren't very widely deployed yet.

0 subcomment

by mikewarot

0 subcomment

I've always assumed that commercial VPN service providers were intelligence agency fronts. One only has to look back on the CIA's Swiss front company[1] selling encryption equipment for decades[2] to our supposed allies to become sufficiently cynical.
I assume similar Wikipedia entries will appear in the future about some, if not most of today's VPN providers.
[1] https://en.wikipedia.org/wiki/Crypto_AG
[2] https://en.wikipedia.org/wiki/Operation_Rubicon

by 1vuio0pswjnm7

0 subcomment

https://web.archive.org/web/20250904091545if_/https://www.op...

by vincnetas

4 subcomments

How realistic is possibility that some VPN providers use clients (computers of person who installed VPN) to just be able to crawl (or rent crawl infra) sites and make it look like regular residential traffic? (This is speculation i heard somewhere)
Like reverse VPN :) on one side makes client look like he's accessing internet from VPN exit location, and on the other end allowing for money someone to pretend that he's a residential client.

by try_the_bass

1 subcomments

My pet theory for a while now has been that all of the biggest VPNs are secretly run by the NSA or other equivalent nation-state organizations.

by 1vuio0pswjnm7

0 subcomment

Interesting how the comments heading this thread ignore the effect of VPNs on surveillance and data collection for the benefit of online advertising, i.e., the stuff that so-called "tech" companies rely on as a "business model"
Must be that these so-called "tech" companies have no problem figuring out who is the ad target behind each VPN IP address, fingerprinting them and tracking their online behaviour acrosss every computer they use
TIL VPNs actually have _no impact_ on the data collection and ad services "business model"

by can16358p

0 subcomment

I'd love to know how many people use VPNs because of "fear of being hacked" (hack covering everything non tech-savvy here).
Almost everyone I know use VPNs only to bypass restrictions, not for fear or privacy.

by arewethereyeta

2 subcomments

That's why we sell only the service [1] and point our users to the default app install (Wireguard in our case). Ever since Holla VPN and the entire Brightdata/Luminati clusterf~ VPNs are a risky business for users. Most of them are proxy nodes underneath, they rent you datacenter IPs while they sell your residential internet to third parties.
[1] https://www.anonymous-proxies.net/products/

by username135

1 subcomments

Ive been a proton supporter since email. I like theor product suite. I use a vpn for all the reasons listed here, but mostly for obfuscating my traffic (and torrenting).

by CGMthrowaway

2 subcomments

What is this list that doesnt include NordVPN and ExpressVPN?

by mlhpdx

0 subcomment

I’ve been keen to point out there is more utility in the technology underlying VPNs than the VPN functionality itself. The WireGuard handshake and transport encryption are lightweight and secure and I added support for it to my service as an option to secure data in flight. It’s getting used by developers and enterprises, not consumers.
IPSec perhaps less so since it is more complicated and open to insecure configurations (transport mode).

by Terr_

1 subcomments

I'd like to point out that a regime may find it worthwhile to compromise more kinds/sizes of VPNs than we might expect.
The evil regime doesn't need to have a popular evil VPN that everybody uses... it may be enough to operate (or hack) a smaller VPN which can unmask enough dissidents that their friend-groups can be found by other means.

by iszomer

0 subcomment

This goes back to that old meme from before: "There is no cloud, it's just someone else's computer."

by John23832

1 subcomments

I use tailscale with an exit node. I just need location control. Wireguard gives me that.

by leakycap

0 subcomment

With online development responsibilities, I don't find VPNs to be compatible with what I do all day.
That said, the few implementations I have test before seemed leaky and not as useful as they claim.

by jihadjihad

0 subcomment

I've been happy with AirVPN, curious to hear how others feel about them. Pretty reliable and seems good enough for my purposes, at least.

by farceSpherule

0 subcomment

VPN Comparison Table
https://docs.google.com/spreadsheets/d/1ijfqfLrJWLUVBfJZ_Yal...

by preaching5271

1 subcomments

95% of VPN companies are owned by Mossad

by nullc

0 subcomment

I don't know why anyone wouldn't assume that any VPN service is run by an intelligence service, potentially one hostile to you, or organized crime.
Consider-- people bring their traffic to you to monitor, and particularly people who are trying to conceal their identity or activities. They pay you for this, which means that if you get collateral benefit you can run at a small loss and undercut any legitimate players (if there are any!) or run levels of advertising that a legitimate business couldn't sustain. -- while its simultaneously one of the most cost effective surveillance plays you could imagine, since it's still primarily funded by the victims.
VPN services also have good deniability for their surveillance. Although (maybe!) your ISP can't surveil the VPNed traffic the VPN provider's ISP can as well as your counterparties ISP (and any other parties brought into the mix by things like third party content). And like any other electronic surveillance, parallel construction can be highly effective.
They can also be stood up by anyone, you can run any number of services. They don't require extremely extensive physical infrastructure, investment, large numbers of employees like running an ISP. You can even target particular actors or populations by using targeted advertising, though it's still most effective as a data hoovering operation.
Particularly for the intelligence actors they also have the benefit that issues like getting harassed by the state are among the complications of this business, but that is potentially less of an issue if you are the state.
And if there were an actually honest provider, they'd be a prime target for infiltration... all that interesting traffic in one place.

by pbronez

0 subcomment

Final results from the table on page 50:
Operates more transparently. No concerning findings identified.
• Mullvad (Mullvad)
• TunnelBear (TunnelBear)
• Lantern (Lantern)
• Psiphon (Psiphon)
• ProtonVPN (Proton VPN)
Operates more anonymously. Potentially concerning, but no definitive findings.
• HotVPN (HotVPN)
• LetsVPN (LetsVPN)
• Astrill VPN (Astrill VPN)
• CookieDevs (Cookie, Ciao Proxy Pro)
• VPN Super Inc (VPN - Super Unlimited Proxy)
• PureVPN (PureVPN)
• Potato VPN (Potato VPN)
Concerning and suspicious findings (users should avoid).
• Innovative Connecting (Turbo VPN - Secure VPN Proxy, Turbo VPN Lite - VPN Proxy, VPN Monster - Secure VPN Proxy)
• Autumn Breeze (SnapVPN, Signal Secure VPN - Robot VPN)
• Lemon Clove (SuperNet VPN, VPN Proxy Master Pro, VPN Proxy Master Lite)
• Matrix Mobile (Global VPN)
• ForeRaya Technologies (Melon VPN)
• Hong Kong Silence Technology (Super Z VPN)
• Yolo Mobile Technology (Touch VPN - Stable & Secure, VPN ProMaster - Secure your net)
• Wild Tech (3X VPN - Smooth Browsing, VPN Inf, Melon VPN - Secure Proxy VPN)

by idiotsecant

0 subcomment

I don't use a VPN for anything that would get me in the cross hairs of a nation-state. I use it to trade crypto outside my jurisdiction, make sure my ISP doesn't get torrenting complaints, obscure my traffic from wifi networks I don't trust, that sort of thing. None of these things have enough money or power behind them that peeling away the VPN is worth it, so it's good enough.

by rsynnott

0 subcomment

> Yolo Technology Limited
I mean, this seems like the company name equivalent of the yellow and black stripes on a wasp. It is a _warning_.

by toofy

0 subcomment

i’m not sure what this list is, why investigate vpn companies yet dont even look at nordvpn, pia, express, or others that are wildly popular yet still shady af with their real world origins?
i mean, those companies are so popular they’re almost normie household names. the couple i looked at from the papers list have a small fraction of downloads compared to the above.
i agree that we absolutely need a deeper dive and a lot more transparency on who owns these companies but i’m curious why they chose to avoid the elephants in the room.

by rasengan

2 subcomments

Shameless plug: VP.NET [1] runs in a trusted execution environment (enclave) so you can verify it is doing what it is supposed to do and not anything else!
[1] https://vp.net/l/en-US/blog/Don%27t-Trust-Verify

by ivape

0 subcomment

VPNs don’t really stop fingerprinting techniques, if anyone is using it for that.

by onetokeoverthe

0 subcomment

[dead]

by farceSpherule

1 subcomments

You get what you pay for...