Most active commenters
  • kfreds(5)

←back to thread

Who Owns, Operates, and Develops Your VPN Matters

(www.opentech.fund)
201 points sdsantos | 16 comments | 03 Sep 25 16:51 UTC | HN request time: 0.001s | source | bottom
Show context
fujigawa ◴[03 Sep 25 17:28 UTC] No.45118394[source]
Commercial VPNs will go down as one of the greatest money-making schemes of the last decade. Outside of a few specific use cases their sales often rely on leveraging non-technical users' fear of what they don't fully understand.

I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft", or my personal favorite: "to protect my bank accounts".

Not a single person has said "I pay to route my traffic through an unknown intermediary to obscure its origin" or "I installed new root certificates to increase my security."

replies(16): >>45118443 #>>45118486 #>>45118558 #>>45118644 #>>45118672 #>>45118693 #>>45119064 #>>45119252 #>>45119261 #>>45119717 #>>45119817 #>>45119936 #>>45120136 #>>45120782 #>>45124630 #>>45126517 #
davepeck ◴[03 Sep 25 17:45 UTC] No.45118558[source]
Long ago, in the era of Firesheep and exploding prevalence of coffee-shop Wi-Fi, consumer VPN services were definitely valuable.

But that was long ago. Now, HTTPS is the norm. The only use cases for consumer VPNs today seem to be (1) "pretend I'm in a different geography so I can stream that show I wanted to see" and (2) "torrent with slightly greater impunity".

I live in Seattle and Mullvad VPN seems to have bought approximately all of the ad space on public transit over the past couple months. Their messaging is all about "freeing the internet" and fighting the power. It's deeply silly and, I worry, probably quite good at attracting new customers who have no need for (or understanding of) VPNs whatsoever.

replies(11): >>45118660 #>>45118872 #>>45119025 #>>45119060 #>>45119163 #>>45119222 #>>45119386 #>>45119763 #>>45120306 #>>45124719 #>>45126754 #
1. kfreds ◴[03 Sep 25 20:54 UTC] No.45120306[source]
The way I see it there's four use cases:

- protecting your privacy from your local ISP, WiFi, school, government etc

- protecting your privacy from some forms of online tracking

- circumventing censorship

- circumventing geographical restrictions

If you combine masking of your IP address with a web browser that protects you from various types of browser-based fingerprinting, you are more in control of your privacy online. You get to decide, to a greater extent, who you share very personal information with. That doesn't seem very silly.

(disclosure: I'm one of the deeply silly cofounders of Mullvad)

replies(5): >>45120417 #>>45120779 #>>45121058 #>>45126683 #>>45127892 #
2. dongcarl ◴[03 Sep 25 21:06 UTC] No.45120417[source]
Yup, when you're not using a VPN, even with encrypted DNS and HTTPS, you're still sending hostnames (e.g. wikileaks.org) over plaintext in TLS SNI for every HTTPS connection. I believe most firewall appliances now even prefer to use SNI for deep-packet-inspection since it's so reliable.
3. davepeck ◴[03 Sep 25 21:52 UTC] No.45120779[source]
Hi! Thanks for your deeply non-silly reply; it's nice to (virtually) meet a cofounder.

If you have time, I'd love to hear your thoughts on Mullvad's campaign here in Seattle.

For what it's worth, I suppose my perspective boils down to: the first three issues aren't issues here in town, or can be addressed in more direct ways (we have a wide choice of providers; 1st party browsers and services cover the gamut of tracking concerns; etc). Circumventing geographical restrictions is useful, but -- perhaps understandably! -- doesn't appear to be what Mullvad is advertising on the trains I ride.

replies(2): >>45123775 #>>45123905 #
4. joecool1029 ◴[03 Sep 25 22:27 UTC] No.45121058[source]
There's a niche fifth reason. Roaming between upstreams while not having open TCP connections drop. I use multiple ISP's and on mullvad I can swap which wifi/ethernet I'm on and all my connections stay up since wireguard is stateless.
replies(1): >>45123805 #
5. JdeBP ◴[04 Sep 25 05:07 UTC] No.45123775[source]
At this point I'm reminded of Tom Scott's honest VPN advertisement, contrasting how VPNs are advertised (on YouTube, at least) with the main features that they really provide.

* https://youtube.com/watch?v=WVDQEoe6ZWY

6. kfreds ◴[04 Sep 25 05:13 UTC] No.45123805[source]
Good point. That is indeed a distinct fifth reason.

Here's a sixth one: for some users it can improve latency, bandwidth and/or even cost.

latency/bandwidth: because of weird peering agreements between ISPs / ASes.

cost: there are networks where consumers pay per MB for international traffic, but not local traffic. Consumers can sometimes establish a VPN tunnel to the local data center and get an unmetered international connection, because the data center has a different agreement with the monopolistic consumer ISP.

replies(2): >>45124628 #>>45130127 #
7. kfreds ◴[04 Sep 25 05:34 UTC] No.45123905[source]
Sure!

Regarding tracking concerns, masking your IP address is a necessary but insufficient first step to improving your privacy online. ISPs typically don't allow their users to do that per-device in a UX-friendly way. Protecting against browser fingerprinting is something that Mullvad Browser does quite well, thanks to it being a fork of Tor Browser.

As for circumventing geo restrictions, you're absolutely right. We make an effort to get it to work, but ultimately privacy and censorship is much more of a priority for us. That's why we don't advertise it.

Finally, the campaign isn't just about getting more customers. We started Mullvad for political reasons, and now we have the resources to spread that message further. Governments around the world are warming up to the idea of mandatory device-side mass surveillance and backdooring E2E encryption. We're trying to build public opinion against that.

replies(1): >>45124127 #
8. roywashere ◴[04 Sep 25 06:14 UTC] No.45124127{3}[source]
I’m surely happy to not live in the UK at the moment. And Indonesia of course. If I would live in one of these countries I’d be using VPN. And maybe in the (not so distant) future this is preferable in the US too.

> We're trying to build public opinion against that.

Good on you!

But to be honest; it seems that it would be in Mullvads interest if the US starts requiring “open encryption” for internet services! Then more people would feel the need for VPNs

replies(1): >>45125118 #
9. dmurray ◴[04 Sep 25 07:37 UTC] No.45124628{3}[source]
How about a seventh: in solidarity with people who are facing censorship or oppression.

Like, if only dissidents and malcontents use a VPN (or TOR or HTTPS or E2E encrypted messaging apps) then if you want to reduce dissent, you can just round up all the VPN users and have them shot. If everyone uses VPNs for normal internet use, that becomes impractical.

replies(1): >>45126080 #
10. kfreds ◴[04 Sep 25 08:52 UTC] No.45125118{4}[source]
Actually, no. Our goal is to make mass surveillance and censorship ineffective, not maximizing profit to our shareholders. If there was a big red button we could push that accomplishes our goal and makes Mullvad obsolete in the process, we'd push it. There's an abundance of problems to solve in the world. It'd be nice if we could figure out how to get rid of some and move on to other problems.
11. robertlagrant ◴[04 Sep 25 11:30 UTC] No.45126080{4}[source]
If you're willing to shoot people, you can just make VPNs illegal and wait 30 days.
12. Y_Y ◴[04 Sep 25 12:52 UTC] No.45126683[source]
> I'm one of the deeply silly cofounders of Mullvad

Cool.

Also funny, but it would be nice if you addressed the specific objection. Here are some of the new ads: https://mullvad.net/en/blog/advertising-that-targets-everyon... . Do you think they appeal more to consumers who are seeking "it keeps me vaguely secure", or it helps me watch Venezuelan Netflix and avoid some kinds of targeted advertising personalisation?

replies(2): >>45127773 #>>45130603 #
13. const_cast ◴[04 Sep 25 14:36 UTC] No.45127773[source]
Advertisement targeting is a risk. Even just leaking your IP to various services introduces risks and being able to build profiles on your activities online introduces risk.

Usually the risk is you spend money you wouldn't have otherwise spend, but those profiles can also be used for future nefarious reasons. You're basically just relying on everyone running analytics to be good people, forever. Remember, anything on the internet is forever. And, even if they are, you're still relying on them having perfect security, forever. If a database breach happens and people now know everything data brokers and analytics services know... that's a problem.

IMO, nobody should browse the web without a reliable and trustworthy VPN, at all.

14. westmeal ◴[04 Sep 25 14:45 UTC] No.45127892[source]
Thanks for running the service guys, I appreciate it
15. latchkey ◴[04 Sep 25 17:55 UTC] No.45130127{3}[source]
> Here's a sixth one: for some users it can improve latency, bandwidth and/or even cost.

I find that using a VPN over starlink is quite a different experience than terrestrial. I can VPN through another country and the speed isn't affected nearly as much. My guess is that the route is satellite to satellite, so it is much faster.

16. kfreds ◴[04 Sep 25 18:31 UTC] No.45130603[source]
> it would be nice if you addressed the specific objection

I'm pretty sure I did. I'll happily answer yours as well.

> Do you think they appeal more to consumers who are seeking "it keeps me vaguely secure", or it helps me watch Venezuelan Netflix and avoid some kinds of targeted advertising personalisation?

Between those two options, definitely "it keeps me vaguely secure". None of the ads you link to are intended for customers that want to circumvent geographical restrictions. We don't market to that customer segment.