From: Michael <confabulate@kintzios.com>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] About to have fiber internet and need VPN info
Date: Sun, 07 Aug 2022 20:30:43 +0100
Message-ID: <3154390.AJdgDx1Vlc@lenovo.localdomain>
In-Reply-To: <CAGfcS_kK=iuM37O4sqTfmNjHx4JViJ_LtcjYY6U57ziECKdt4A@mail.gmail.com>
On Sunday, 7 August 2022 19:27:42 BST Rich Freeman wrote:
> On Sun, Aug 7, 2022 at 11:36 AM Michael <confabulate@kintzios.com> wrote:
> > The best a well configured VPN tunnel can offer is a secure connection
> > between client and VPN server, which is handy if you are out and about
> > using untrusted and insecure WiFi hotspots.
> >
> > The only other reason for using a VPN service is to present a different
> > geolocation for the purpose of overcoming country-specific website
> > restrictions.
>
> I think ONLY is a bit strong here. A VPN effectively makes it
> impossible for your ISP to know who you're talking to, and it obscures
> your IP from hosts you are connecting to.
Yes, fair point. I was thinking why would you go to such an effort just to
obscure your comms from your ISP. I'm not saying there aren't use cases
supporting this endeavor. I was thinking more about political activists
operating under oppressive regimes where state-level surveillance would be the
threat model. In this case I would think state actors wouldn't rely on ISPs
alone to share such information, although ISPs' data would be tapped into for
good measure.
> Sure, there are ways to defeat this, but most of them are only
> applicable for state-level actors, and the methods available to
> ordinary companies can only identify at best a unique browser profile,
> which only lets them correlate traffic with those they share info with
> to the degree that you use a single browser profile across those
> platforms. For non-web traffic there are generally fewer attacks
> available. Many of the attacks that are often cited like DNS-based
> attacks are not that difficult to prevent (eg by ensuring your DNS
> traffic goes out over the VPN).
Yes, careful VPN implementations would guard against DNS leaks and the like.
> If there are sites you browse using a different browser profile
> (ideally on a VM/etc), and you never use that browser profile for
> ecommerce or activity associated with your normal social media
> accounts, then it is unlikely that those sites will actually be able
> to identify you.
>
> Really the biggest pain with the VPNs is the number of websites that
> actively try to block connections from them or flood you with
> CAPTCHAs. Many more mainstream social media sites/etc also
> effectively require association with a mobile phone number, or trigger
> this behavior if they don't like your IP address. Obviously VPNs can
> be abused to attack hosts or evade bans and generally cause trouble,
> which is a frustration for those who simply don't want companies to
> know who you are.
>
> Bottom line is that just because the NSA can track your connections
> doesn't mean that every random webserver on the planet can do so. The
> few government agencies that are likely to be that well-connected are
> also very interested in keeping the extent of their capabilities
> hidden from each other, and so when they intercept your data they're
> going to guard it even more carefully than you would.
I would sincerely hope so. Can't vouch their contractors and subcontractors
would do the same in all cases though.
> A solution doesn't need to be able to defeat the NSA to be useful.
ACK. It boils down to use cases and requirements. I suppose people who seek
to avoid state surveillance would probably use multilayered encryption and
steganography, or better stay off the Internet altogether? ;-)