←back to thread

Who Owns, Operates, and Develops Your VPN Matters

(www.opentech.fund)
201 points sdsantos | 6 comments | 03 Sep 25 16:51 UTC | HN request time: 0.207s | source | bottom
Show context
fujigawa ◴[03 Sep 25 17:28 UTC] No.45118394[source]
Commercial VPNs will go down as one of the greatest money-making schemes of the last decade. Outside of a few specific use cases their sales often rely on leveraging non-technical users' fear of what they don't fully understand.

I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft", or my personal favorite: "to protect my bank accounts".

Not a single person has said "I pay to route my traffic through an unknown intermediary to obscure its origin" or "I installed new root certificates to increase my security."

replies(16): >>45118443 #>>45118486 #>>45118558 #>>45118644 #>>45118672 #>>45118693 #>>45119064 #>>45119252 #>>45119261 #>>45119717 #>>45119817 #>>45119936 #>>45120136 #>>45120782 #>>45124630 #>>45126517 #
davepeck ◴[03 Sep 25 17:45 UTC] No.45118558[source]
Long ago, in the era of Firesheep and exploding prevalence of coffee-shop Wi-Fi, consumer VPN services were definitely valuable.

But that was long ago. Now, HTTPS is the norm. The only use cases for consumer VPNs today seem to be (1) "pretend I'm in a different geography so I can stream that show I wanted to see" and (2) "torrent with slightly greater impunity".

I live in Seattle and Mullvad VPN seems to have bought approximately all of the ad space on public transit over the past couple months. Their messaging is all about "freeing the internet" and fighting the power. It's deeply silly and, I worry, probably quite good at attracting new customers who have no need for (or understanding of) VPNs whatsoever.

replies(11): >>45118660 #>>45118872 #>>45119025 #>>45119060 #>>45119163 #>>45119222 #>>45119386 #>>45119763 #>>45120306 #>>45124719 #>>45126754 #
1. elondaits ◴[03 Sep 25 18:53 UTC] No.45119222[source]
What about a malicious DNS (on a public spoofed or hacked WiFi) that forwards you to a lookalike domain? Unfortunately many times public WiFi doesn’t work with Google’s or Cloudflare’s DNS servers (I think the Deutsche Bahn’s WiFi was such a case, if I remember correctly, but I know I came across a few on the last few years while traveling). I don’t think there’s anything protecting against that when you’re using a browser.

Sometimes circumstances force one to connect to a public WiFi (e.g. airports, where WiFi is always super dodgy).

replies(3): >>45119475 #>>45119687 #>>45119736 #
2. hiatus ◴[03 Sep 25 19:17 UTC] No.45119475[source]
HSTS solves this to some extent. If you've visited the domain in the past (or the site operator submitted to the HSTS preload list), a different certificate presented would be flagged by your browser.
replies(1): >>45119932 #
3. raquuk ◴[03 Sep 25 19:43 UTC] No.45119687[source]
I don't think a malicous DNS Server can redirect your request to a domain that does not result in a certificate warning when using HTTPS.

With browsers adopting DoH, a public WiFi should not be able to interfere with DNS much.

4. michaelt ◴[03 Sep 25 19:48 UTC] No.45119736[source]
Your better websites use "HSTS Preloading" to ensure users always get sent to the https version of the site - in which case even if the attacker redirected the DNS resolution, you'd just get an SSL error as the attacker wouldn't have a valid certificate.

Of course, an astonishing number of (even important, high-profile) websites don't bother with HSTS preloading ¯\_(ツ)_/¯

5. mr_mitm ◴[03 Sep 25 20:15 UTC] No.45119932[source]
Not a different certificate, but one signed by an untrusted authority. HSTS won't let you bypass it.

There used to be a Firefox addon that could warn you if the actual certificate changed, but it died with manifest addons.

replies(1): >>45120607 #
6. arielcostas ◴[03 Sep 25 21:29 UTC] No.45120607{3}[source]
It isn't too useful nowadays, is it? With most websites' certificates being from Let's Encrypt or similar CAs automated via ACME and up to 90-day certs; and this getting reduced in the future to only 47 days. Every month you'd need to accept any website's new certificate.

Also, does HSTS have something to do with the authority? AFAIK it only forces the browser to use HTTPS and never plain HTTP for that domain, but if you switch from a legit Let's Encrypt to a legit ZeroSSL cert, HSTS won't care about it; only the browser if you have a not-trusted certificate from another CA (or self-signed).