I have Nord, but it gives me problems, so I’ve switched mostly to Hotspot Shield, which I get through my Dashlane subscription. I’m fairly happy with it, more so than Nord.
- Use of other Wi-Fi networks that you don’t fully trust (airports, hotels, shops, etc.)
- People who live in certain US states have more of an interest in VPNs than other states
- Me hearties, use a VPN when ye sail the seven seas, me cap’n says (or so I hear)
Have used Global Protect via institutional site license in recent years, but for personal have been trying NordVPN in the last year+. In that time I have really noticed the growing number of sites that react to use of VPN clients (as in, errors or outright blocking by the site or company). Some sites respond as if you are a bot. Others are probably using that as an excuse to make you stop VPN use. Then of course there are many sites/domains that simply fail with no helpful messages or feedback making troubleshooting very difficult.
While in Canada last year, we were unable to even load basic web pages (i.e. blank page with spinning status icon that never stops) with NordVPN or Global Protect enabled. Disabling VPN instantly restored internet loading. Uncertain if this was a problem with the ISP or local WiFi hardware as we did not have access to technical resources or personnel who understood anything beyond account and password info.
I use le VPN. Very stable and effective for my use, which is mostly UK to France and the reverse, and UK to US. Good reviews.
People mention this a lot, but I question if it’s really necessary. Every potentially sensitive activity (e.g. accessing banking/investment accounts) today is going to involve an encrypted HTTPS session, which third parties won’t be able to intercept.
Someone snooping on your traffic would see what servers you’re connecting to (so they would know that you’re connecting to the bank), but they wouldn’t be able to see what you’re communicating with those servers.
I don’t think @ace is recommending anything on the list. The purpose (as it seems to me) is to generate data about what TidBITS users are using.
I think it would be wrong to omit a popular service, even if they are not trustworthy or are operated by governments or criminal syndicates. If people are using them, that’s valuable information, and we can discuss it when the results are presented.
I’d say many users of VPNs do so for security and privacy, especially if it is important to obscure both their data and their actions.
For my personal-business I use StrongVPN (encrypt.me). For my client-provided MBP, I must use Cisco VPN with a “dongle.”
I have Proton VPN, but I use it sparingly. For my personal devices, I use an always-on WireGuard VPN back to my Firewalla router, so my traffic is always coming from my house. If I had a reason for point-to-point, I’d probably use Tailscale. I do have my Firewalla using the Proton VPN for Unbound DNS over VPN, though.
For work, I’ve used Cisco AnyConnect for years and across two companies (although the previous company was moving towards Zscaler Private Access, which is an always-on VPN solution for a portion of the “zero trust” equation).
Thank you for that. I used to use a VPN precisely for accessing banks, but I stopped when I read something like you just said. But that reason keeps getting repeated, and I appreciate confirmation that protecting bank information is not a reason to use a VPN.
(Confirmation, noun. Agreeing with what I believe.)
This is true if it were not for not-fully-HTTPS sites and various attacks, such as:
- Sites that only use HTTPS for the login page. An observer of the subsequent HTTP traffic can steal the session cookie
- SSL stripping attacks that force HTTPS to HTTP, with a site that doesn’t use HSTS.
- SSL downgrade attacks that force the security down to a less secure algorithm, which can be cracked by observing enough of the traffic
If you’re in a VPN you don’t have to worry about this. Assuming, of course, that the VPN is secure!
Bonus fun fact: Encryption algorithms and key lengths that are secure today may not be secure in the future. This is why the NSA is known? believed? to hoover up Internet traffic and store it away. They may not be able to decrypt it today, but someday they will.
Good suggestions, everyone, though it will take me a bit longer to incorporate them and open the poll. As @Shamino says, the poll is to see what TidBITS readers are currently doing; I’ll address some of the other stuff in the results.
I’ve used Privado VPN for several years from both Europe and PR China. It has sometimes jumped the Great Firewall when Nord VPN couldn’t, and vice-versa. Maybe include it?
HTTPS will not prevent a spy from knowing what sites you are visiting, but it will prevent them from seeing the contents of your session.
For me, that’s fine. I really don’t care if someone knows that I have dozens of connections per day to Duck Duck Go (my preferred search engine) or the various other sites I visit (my bank, various podcasts, news outlets and comic strips).
But for someone who is under much closer scrutiny (e.g. public figures or dissidents), that metadata may be compromising.
Are there sites that still do this? I would like to think that financial institutions don’t. Firefox seems to do a good job guarding against this:
- It puts a large “Not Secure” message in the location of any HTTP site. I check the location bar for the secure-padlock icon for sites where it matters, and I double-check the certificate before making purchases from a site I don’t frequently visit.
- I used to occasionally see pop-up warnings about mixed HTTP/HTTPS pages. I don’t see those any more, but maybe the browser isn’t generating the warnings?
Most browsers these days have disabled the older insecure ciphers, forcing you to explicitly enable them. And I think the oldest of them have actually been deleted from the software.
Do you know of any major browsers that still allow these old ciphers by default?
If they want to decode my traffic 20 years from now in order to find out what I saw when checking my bank’s transaction history today, or what comic strips I’ve been reading, they’re welcome to waste their time and money on worthless data.
Cloudflare Warp Overview · Cloudflare WARP client docs
I’m not sure that we need to go through this exercise. RestorePrivacy (now CyberInsider) has done an excellent job of reviewing each VPN and pointing out its pros and cons, including which ones may be less than secure.
If your concern is having your communications intercepted by hackers (e.g. when using public networks, such as in a café), VPNs are more or less an anachronism that has been made superfluous by current technology:
Are VPN’s Worth it?
https://www.nytimes.com/2021/10/06/technology/personaltech/are-vpns-worth-it.html
The Washington Post Says There’s ‘No Real Reason’ to Use a VPN
https://www.washingtonpost.com/technology/2023/02/17/dont-use-a-vpn/
Why VPNs are a WASTE of Your Money (usually…)
Follow up:
There ARE some (rare) instances where a user might still benefit from having a VPN. A VPN is useful if you want to access content that is restricted to only a certain geographical area (e.g. if you live in China and want to view Western news sites, or you live in an area that has blacked out coverage of a sporting event, etc.). It’s useful if you are in a totalitarian country and you are concerned about your government eavesdropping on you. Finally, a VPN is useful if you are doing illegal things on the Internet (like downloading pirated videos or music) and don’t want to be traced and caught, especially by your own ISP (your ISP nominally knows what sites you visit, but not what you do there). But I doubt that many users fall in any of those categories.