[HN Gopher] Mozilla VPN
       ___________________________________________________________________
        
       Mozilla VPN
        
       Author : caution
       Score  : 624 points
       Date   : 2020-06-18 17:09 UTC (5 hours ago)
        
 (HTM) web link (blog.mozilla.org)
 (TXT) w3m dump (blog.mozilla.org)
        
       | mulmen wrote:
       | This is a hard pass from me.
       | 
       | Mozilla controls my browser. I have no interest in giving them
       | control over any other part of my online life.
       | 
       | I like how Mozilla is run and hope other organizations emulate
       | them to provide these other essential services.
        
       | e12e wrote:
       | What an odd choice from Mozilla and Mullvad to segment this based
       | on geography. Can you use it while traveling outside the US? Why
       | not simply have a wait list? Mullvad already operates globally -
       | what is the reason for the geofence? Is Mozilla not able to
       | accept payment outside the US? (maybe not able to pay taxes?)
        
       | johnklos wrote:
       | Why the hell would anyone trust mozilla.org while they work
       | tirelessly to make money?
       | 
       | Google, who are unapologetically pro-money, at least listened to
       | feedback about DoH.
        
         | kelnos wrote:
         | > _Why the hell would anyone trust mozilla.org while they work
         | tirelessly to make money?_
         | 
         | In what fantasy world do you live where hosting services and
         | building products costs zero dollars? Not sure how Mozilla
         | could operate at all without making money.
        
         | johnklos wrote:
         | Downvote without a response. Seriously - where does this
         | magical trust come from, when we've seen Mozilla do what's
         | against the interests of normal people in favor of doing what
         | they can do to make money or to push traffic towards people who
         | make money?
        
       | sequoia wrote:
       | "For example, over 70% of early Beta-testers say that the VPN
       | helps them feel empowered, safe, and independent while being
       | online."
       | 
       | What have these "feelings" got to do with anything? This is a
       | measure of successful marketing and has nothing to do with the
       | product or its efficacy.
       | 
       | Personally I use Windscribe and I really like it (I've used PIA &
       | Mullvad in the past). I use it for watching US Netflix and to
       | make it _slightly_ less easy to track me on the net (I know there
       | are many other ways). I also like the idea of not having my IP or
       | the gov't spy on me _as easily_.
        
         | abvdasker wrote:
         | I would counter that how safe people _feel_, and to what
         | extent they have an expectation of privacy online will
         | determine their behavior. The technical effectiveness of the
         | product is one thing, but how users perceive it will determine
         | whether it offers them any real benefit. These things do
         | matter.
         | 
         | Remember Foucault's panopticon: If someone merely thinks they
         | _might_ be surveilled their behavior will change in profound
         | ways. More concretely, if you think the government may be
         | spying on your browsing habits, maybe there are sites you won't
         | visit or comments you won't post or videos you won't watch.
         | It's important not only that the product works, but that people
         | _feel_ it works so that they can behave more freely on the
         | internet.
        
         | cambalache wrote:
         | It sounds like a sanitary pad ad.
        
         | nprateem wrote:
         | People buy on emotions
        
           | bredren wrote:
           | What was the 500 startup guy's phrase?
           | 
           | A product has to get you "Made, Paid or Laid"
           | 
           | Where Made was like a sense of positive promotion like a
           | made-man in the mob I think.
           | 
           | Emotion is everything. If a product doesn't make you feel
           | good you'll only buy it because you have to.
        
           | Romanulus wrote:
           | ... and sell!
        
         | dx87 wrote:
         | I think "feeling" safe is an important component of a product.
         | Of course the product has to also be effective, but if it's
         | effective and people still don't trust it, then they won't use
         | it. A good example of a similar situation is in the US military
         | where we had to do yearly chemical weapons training that
         | involved putting on a gas mask in a room filled with tear gas.
         | The gas masks were already proven to work, but one purpose of
         | the training was to make sure people trusted their equipment to
         | keep them safe, making it more likely for them to use it when
         | needed.
        
         | untog wrote:
         | This is marketing copy. Criticizing it for being marketing copy
         | is surely a little redundant. Besides, feelings matter. If the
         | majority of VPN users felt that the security provided by the
         | VPN was not worth the effort involved in using then that would
         | indicate a failed product. Ignore that at your peril.
        
         | maallooc wrote:
         | Tech became toxic years ago. Instead of facts and data,
         | feelings and diversity matter.
        
         | smichel17 wrote:
         | === edit because I feel this comment is not substantive enough
         | / engages with a strawman version of your comment ===
         | 
         | I understand you're talking about where those feelings _come
         | from_ -- ie, that the feelings are more useful information when
         | backed by the reason for them. And you do provide some of that
         | in your post (privacy, watching US Netflix). But those are
         | things that any trustworthy VPN with US-based endpoints can
         | provide, so they're not a unique selling point, which means
         | your recommendation basically boils down to unsubstantiated
         | feelings again, to which:
         | 
         | === Original comment ===
         | 
         | I don't use a VPN and have no horse in this race, but surely
         | you see the irony in:
         | 
         | > What have these "feelings" got to do with anything?
         | 
         | Followed by
         | 
         | > I use Windscribe and I really like it.
        
           | sequoia wrote:
           | "unsubstantiated feelings" heh, that's a pretty
           | ungenerous/rude way of putting it. Here's a better way: "Can
           | you explain why you like Windscribe? You say you've used
           | other providers, how is Windscribe different?" If you're not
           | clear on something it's always best to ask for clarification
           | before accusing the other party of fabrication or making
           | "unsubstantiated" claims.
           | 
           | So why do I like Windscribe? Good question! I like the ease
           | of use of windscribe clients compared to other VPN clients
           | I've used, the fact that I can add many devices, and the fact
           | that it has endpoints in lots of countries. I had trouble
           | with both the PIA & Mullvad clients & configuration on my
           | desktop and phone eventually. I don't require much, as you
           | say VPN is a commodity product, I just want it to be easy to
           | use & Windscribe is and they seem committed to adding
           | features & fixing bugs. I also have met the team, they're
           | local to me, and they seem trustworthy.
           | 
           | I'm not sure if you read TFA, but here's the context of what
           | I highlighted:
           | 
           | > We started working with a small group of you and learned a
           | lot. With the VPN in your hands, we confirmed some of our
           | initial hypotheses and identified important priorities for
           | the future. For example, over 70% of early Beta-testers say
           | that the VPN helps them feel empowered, safe, and independent
           | while being online.
           | 
           | "we confirmed some of our initial hypotheses and identified
           | important priorities for the future ... Beta-testers say that
           | the VPN helps them feel empowered, safe, and independent"
           | 
           | What type of initial hypotheses might have been confirmed by
           | learning that people "feel empowered" by using a VPN? This is
           | what I don't understand. Of course users motivated enough to
           | try a beta VPN product like using VPNs -- I'm not sure what
           | insight that adds. Can you help me connect the dots here?
           | 
           | My feelings about a VPN provider based on personal experience
           | is not beta testing that "proves" a product. Mozilla suggests
           | here that these "feelings" prove "confirm their hypothesis"
           | and put numbers next to the feelings, like 70%. I am
           | questioning the relevancy of these numbers & it strikes me as
           | pseudo-scientific to put these numbers in the intro as some
           | sort of proof that their product has value. Throwing up
           | meaningless numbers like this gives me the impression of
           | smoke and mirrors/bullshit.
        
             | smichel17 wrote:
             | > "unsubstantiated feelings" heh, that's a pretty
             | ungenerous/rude way of putting it.
             | 
             | Thank you for the feedback. It wasn't meant to be rude, but
             | I see now how it can be interpreted that way (particularly
             | with the unedited original comment below, which was
             | intended to be... not rude, but let's say, harsher than I'm
             | proud of, a few hours later). Text is hard -.-
             | 
             | Asking clarifying questions instead is a good suggestion.
             | Your answers are good, too; if I'm ever in the vpn market,
             | I'll put Windscribe on my shortlist to research more
             | thoroughly.
             | 
             | > I'm not sure if you read TFA
             | 
             | I have not and do not currently intend to. I checked in
             | with the comments because I was curious how it would be
             | received. I replied to your comment because I was
             | frustrated at what seemed to be hypocritical criticism. I
             | still think your original comment is light on
             | detail/justification, so I'm happy my reply, however rude
             | and imperfect, led to your second comment, which is the
             | type of thing I was hoping to find when I opened the thread
             | :)
        
       | haunter wrote:
       | Every single time I start researching VPN services I end up more
       | confused and with more questions than before because basically
       | every vouched service has the same amount of negative comments
       | too. Like feels like the whole sector is a honeypot (lol) of
       | shady stuff and also they're fighting against each other (or not?).
       | So I just wait until when turns out Mullvad is also one of the
       | bad guys.
        
         | miniyarov wrote:
         | Public VPN services should not be trusted blindly. Online
         | anonymity is very hard. However, you can still create your own
         | VPN server on cloud providers to at least have some privacy
         | while you are on an untrusted network.
         | 
         | Because of this reason, I created https://zudvpn.com - It is a
         | free and open-source mobile application that's used to deploy a
         | private VPN server on major Cloud Providers!
         | 
         | Github repo: https://github.com/zudvpn/ZudVPN
        
         | neilv wrote:
         | Some reasons you might get some negative vibes from looking
         | into consumer VPN services:
         | 
         | * Some consumer VPN services have been found to be doing
         | sketchy things. And you can imagine the business is attractive
         | to people intending to do sketchy things, since it's a
         | powerful/lucrative position to be in right now. (In addition to
         | the business possibly being attractive to people just wanting
         | to provide a useful and honest service for a fair price.)
         | 
         | * There seem to have long been referral kickbacks by some
         | consumer VPN services, which I assume is the cause of some of
         | the huge amounts of noise on the Web and such about them (e.g.,
         | search hits on some non-VPN topics, such as some home theatre
         | search terms, overwhelmed by SEO articles, the purpose of which
         | is to then herd the reader towards particular VPN services with
         | a kickback). Even some endorsements by organizations might
         | essentially be more about revenue than about merits.
         | 
         | * I speculate that it doesn't help if one of the main
         | historical uses of consumer VPNs has been for activity that
         | would be considered copyright-violating in the US (e.g.,
         | unauthorized trading of video files, or circumventing region
         | restrictions). Without making any moral judgments, I think it's
         | fair to say that constitutes "conscious rule-breaking" for
         | some, so I wouldn't be surprised if there's a disproportionate
         | culture of rule-breaking around the whole space.
        
         | pipermerriam wrote:
         | I use ProtonVPN. Same company as ProtonMail. Highly reputable
         | with a business model around doing privacy and encryption well.
        
           | helloooooooo wrote:
           | NordVPN shares offices in Estonia with ProtonVPN. For that
           | reason I find it sketchy.
        
             | nix23 wrote:
             | >NordVPN shares offices in Estonia with ProtonVPN
             | 
             | What really? Some proof for that? ProtonVPN and ProtonMail
             | is located in Switzerland Geneve, I don't see any open
             | positions for Estonia
             | 
             | https://careers.protonmail.com/
        
             | gzer0 wrote:
             | I would like to read more about this, do you have a source?
             | 
             | I cannot find anything reliable that suggests this! Thanks.
        
               | E5JBK7UJPT wrote:
               | https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...
        
             | rmrfstar wrote:
             | Link. Please.
        
           | jorge-d wrote:
           | IMHO ProtonVPN (and Mail) are the perfect honeypots
        
             | nix23 wrote:
             | I call that bullshit until you have a single proof for
             | that.
             | 
             | Everything is opensource, the data s are located in
             | Switzerland on their own hardware. They have open
             | communication and a yearly transparency report:
             | 
             | https://protonmail.com/blog/transparency-report/
        
             | _threads wrote:
             | How/why?
        
             | [deleted]
        
             | gzer0 wrote:
             | ProtonVPN provides the source code for their desktop and
             | mobile clients in their GitHub organization [1]. Yes open
             | source != safe; however this level of transparency is at
             | least a step in the right direction.
             | 
             | They also have regularly been audited by independent
             | organizations that are openly available for the public to
             | see their compliance [2][3][4][5][6].
             | 
             | Do you have any evidence to suggest that they are
             | honeypots?
             | 
             | [1] https://github.com/ProtonVPN
             | 
             | [2] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...
             | 
             | [3] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...
             | 
             | [4] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...
             | 
             | [5] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...
             | 
             | [6] https://protonvpn.com/blog/open-source/
        
               | 29athrowaway wrote:
               | And how do you know if what they built is exactly what's
               | in that source?
        
               | cambalache wrote:
               | Hehe, exactly, oldest trick in the trade
        
               | gzer0 wrote:
               | You seem to not have read my comment. I said open source
               | != safe or trusted.
               | 
               | You can download the entire repository, and self compile
               | yourself after you inspect the code.
        
         | Jonnax wrote:
         | Ask yourself why you want a VPN.
         | 
         | Is it to avoid your ISP collecting browsing data off you and
         | selling it?
         | 
         | Perhaps using 8.8.8.8 or 1.1.1.1 as your DNS might be good
         | enough.
         | 
         | Is it to watch geo region blocked videos?
         | 
         | Then pretty much any service will work for you. Except that
         | video streaming sites have caught on and blocked hosting
         | provider IP blocks. So that might require you to shop around.
         | 
         | Do you want the most privacy or want to get around blocking?
         | 
         | Then get a VM from a provider and configure a VPN to it.
         | Wireguard works fine.
         | 
         | Want to do something illegal?
         | 
         | Don't expect a VPN to save you.
        
           | jcul wrote:
           | Though the last option doesn't give you anonymity. It just
           | gives you privacy from your ISP. Any services you connect to
           | can tie you to the IP of your VM. Sometimes the shared IP of
           | a VPN provider might be desirable.
        
           | 29athrowaway wrote:
           | Your ISP can sniff your DNS traffic as it is just a plaintext
           | protocol.
        
           | Maximus9000 wrote:
           | > Is it to avoid your ISP collecting browsing data off you
           | and selling it? Perhaps using 8.8.8.8 or 1.1.1.1 as your DNS
           | might be good enough.
           | 
           | Wouldn't your ISP still see what IPs you are visiting? Then,
           | your ISP could just reverse DNS that IP to get the domain
           | name, right?
        
             | sriram_sun wrote:
             | This time when I changed internet service providers from
             | Cox to AT&T fiber, I was shocked to find that I could not
             | change my DNS to point to the OpenDNS servers!
        
               | ahnick wrote:
               | AT&T requires you to use their DNS? Did you try doing DoH
               | to bypass?
        
             | vocatus_gate wrote:
             | Not necessarily, many sites are hosted on the same VPS, or
             | the IP could just be one of 5000 CloudFlare servers serving
             | up the page you requested.
        
             | offmycloud wrote:
             | Maybe, but most ISPs are lazy/cheap and can't do a full-
             | take packet capture of all customers data at the same time.
             | The ones that I have seen usually have a custom or logging
             | DNS server that associates each domain request with a
             | customer account. So yes, in many cases, changing your DNS
             | server is enough to avoid the larger DNS sniffing
             | operations. You should also use an IP check query to make
             | sure that you are really using the DNS server you think,
             | and that you're not being DNATed back to your ISP's DNS
             | server.
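
The "IP check query" from the comment above, as an added example that is not part of the thread or any commenter's code: it asks the configured resolver for a name whose TXT answer is the address of the resolver that actually contacted the authoritative server, then compares that address with the networks you expect. `o-o.myaddr.l.google.com` is one such name; the expected network and the sample responses are constructed (documentation address ranges).

```python
import ipaddress
import socket
import struct

QTYPE_TXT = 16
# TXT answer for this name carries the egress IP of the resolver that asked.
WHOAMI_NAME = "o-o.myaddr.l.google.com"
# Constructed stand-in for "networks my chosen resolver answers from".
SAMPLE_EXPECTED = [ipaddress.ip_network("192.0.2.0/24")]


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    return header + encode_name(name) + struct.pack("!HH", QTYPE_TXT, 1)


def skip_name(msg, off):
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def txt_answers(msg):
    """Return every TXT string in the answer section of a DNS response."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    texts = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype != QTYPE_TXT:
            continue
        pos = 0
        while pos < len(rdata):  # RDATA is a run of length-prefixed strings
            n = rdata[pos]
            texts.append(rdata[pos + 1:pos + 1 + n].decode("ascii", "replace"))
            pos += 1 + n
    return texts


def check(msg, expected_networks):
    """Classify the resolver that really answered: expected/redirected/unknown."""
    ips = []
    for text in txt_answers(msg):
        try:
            ips.append(ipaddress.ip_address(text.strip()))
        except ValueError:
            continue  # e.g. an "edns0-client-subnet ..." companion string
    if not ips:
        return "unknown", []
    ok = all(any(ip in net for net in expected_networks) for ip in ips)
    return ("expected" if ok else "redirected"), [str(ip) for ip in ips]


def ask(server, timeout=3.0):
    """Live query. A DNAT redirect keeps the reply's source address looking
    like `server`, so only the answer content reveals who resolved it."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(WHOAMI_NAME), (server, 53))
        data, _ = s.recvfrom(4096)
    return data


def sample_response(query, strings):
    """Constructed test data: answer `query` with one TXT record per string."""
    txid = struct.unpack("!H", query[:2])[0]
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, len(strings), 0, 0) + query[12:]
    for s in strings:
        raw = s.encode("ascii")
        rdata = bytes([len(raw)]) + raw
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, 1, 60, len(rdata)) + rdata
    return msg


if __name__ == "__main__":
    q = build_query(WHOAMI_NAME)
    print(check(sample_response(q, ["192.0.2.53"]), SAMPLE_EXPECTED))
    print(check(sample_response(q, ["198.51.100.7"]), SAMPLE_EXPECTED))
```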
        
               | Skunkleton wrote:
               | DNS is super trivial to redirect. I've been on ISPs that
               | redirect _all_ DNS traffic to their servers regardless of
               | where it was sent. The best solution here is to switch to
               | DoH. Of course then your DoH provider gets to log all of
               | that sweet info instead.
        
               | Spivak wrote:
               | Not if you run your own DoH endpoint on a VPS!
        
               | Skunkleton wrote:
               | I have my own unbound running on a VPS. My network
               | intercepts all port 53 traffic, filters out ad servers,
               | and then forwards over wireguard to my VPS. I should
               | probably enable DoH as well. I'm feeling kind of lazy
               | about it though.
        
             | sigio wrote:
             | Most ISPs wouldn't care... and they shouldn't
        
           | cgb223 wrote:
           | > Is it to avoid your ISP collecting browsing data off you
           | and selling it? Perhaps using 8.8.8.8 or 1.1.1.1 as your DNS
           | might be good enough.
           | 
           | 8.8.8.8 is Google's DNS so you're really just trading being
           | tracked by an ISP to a giant advertising company...
        
             | jwilk wrote:
             | And then it's a shitty trade, because your ISP still can
             | track you without much difficulty.
        
               | kd913 wrote:
               | Not just track you, some ISPs will simply redirect all
               | UDP port 53 DNS packets to their own DNS anyway.
        
             | jefftk wrote:
             | The privacy policy for 8.8.8.8 is actually really good:
             | https://developers.google.com/speed/public-dns/privacy I
             | wish more google products were so explicit in what they log
             | and for what purposes.
             | 
             | (Disclosure: I work for Google)
        
               | johnklos wrote:
               | Not related to this thread: Do you have any way to
               | communicate with actual humans inside of Google who can
               | do anything? There are demonstrable issues with 8.8.8.8,
               | yet I cannot get anything but the occasional form
               | response from every address I've tried.
        
               | jefftk wrote:
               | If you wanted to describe what was wrong, in a way that I
               | can reproduce it, I could file a bug, yeah
        
               | deepbreath wrote:
               | Could you point what you believe to be the issues in the
               | thread?
        
           | beagle3 wrote:
           | As long as you don't use encrypted DNS (e.g. DoH) it doesn't
           | matter which DNS server you use - the ISP sees your requests
           | and the replies, and then sees you accessing the returned IP
           | within 10 seconds.
           | 
           | Also, unless it's behind Cloudflare, most nontrivial sites
           | today have a unique IP so even with DoH there's a good
           | probability any specific site will be identified.
           | 
           | If you want your ISP to stay ignorant of where you surf, you
           | MUST have a VPN.
        
           | kd913 wrote:
           | Just FYI just setting your DNS to 8.8.8.8 or 1.1.1.1 may not
           | do that much. Not only is DNS in plaintext, but some ISPs
           | simply redirect all port 53 DNS requests to their own DNS.
           | 
           | If you want privacy with your DNS, you should set up DoH using
           | dnscrypt-proxy or perhaps DNS over TLS.
           | 
           | Personally, I think a better strategy with this whole vpn
           | aspect is to just set up a vpn with pis in various countries +
           | pihole. At least that way I know what the setup is happening
           | in each location and what expectations of privacy I can
           | expect.
        
             | eli wrote:
             | T-Mobile US was definitely doing this at one point:
             | silently rerouting popular third-party DNS services back to
             | their servers
        
             | __turbobrew__ wrote:
             | Unless you are using a VPN/Wireguard/Proxy your ISP can
             | simply look at the source address on the IP packets and do
             | a reverse IP lookup to find out what site you are
             | accessing. Doesn't matter if you are using DoH, DNS over
             | TLS, DNSCRYPT, etc....
             | 
             | At a conference I was talking to one of the OpenDNS
             | engineers on the DoH project and when I asked "so how does
             | DoH help snooping if people can just look at IP headers?"
             | they conceded that it really doesn't help if someone is
             | determined to snoop.
        
               | xrisk wrote:
               | Doesn't work with a large number of sites because of
               | Cloudflare.
               | 
               | Edit: it _is_ easy to read the destination address from
               | TCP packets though.
        
               | __turbobrew__ wrote:
               | Yea, you are correct. I got it mixed up, your ISP would
               | look at the destination address of outgoing packets from
               | your home.
        
           | rakoo wrote:
           | Additional use case: you want to self host at home ? A VPN
           | will give you a public, stable IP address without having to
           | fiddle with your router and opening ports and NAT-punching
           | and friends
        
           | [deleted]
        
           | badRNG wrote:
           | >Want to do something illegal? Don't expect a VPN to save
           | you.
           | 
           | I'm not condoning piracy, but VPNs are generally a foolproof
           | way to avoid DMCA letters from your ISP. Privacy means
           | something different to every individual, everyone's threat
           | model is different. And many models can benefit from a VPN;
           | journalists, activists, and many others might find benefit
           | from using a VPN.
        
             | resfirestar wrote:
             | Yeah, I think "VPNs won't protect you from the law" is far
             | too broad a brush to paint with. There's no credible
             | evidence that these services won't prevent a court or
             | regular law enforcement from tracing an IP to a name
             | without some specific arrangement to unmask you beforehand
             | (there's a specific case where Private Internet Access
             | replied to a subpoena saying they had nothing to provide),
             | so people worried about that might benefit from a VPN, but
             | of course it does nothing for the rest of the threat model.
             | Torrents are pretty much the perfect crime in that it's a
             | simple exchange of bits between parties that have nothing
             | to do with each other, most other types of illegal activity
             | involve myriad other ways to get caught that have nothing
             | to do with a VPN. People who rely on VPNs alone to protect
             | them from getting prosecuted for things like hacking and
             | people who say VPNs are useless are wrong in exactly the
             | same way: they don't have a complete/realistic threat
             | model.
        
             | thesuitonym wrote:
             | I used to work at an ISP, and once a month I would stuff
             | envelopes with DMCA letters. I can assure you that the
             | only thing your ISP is doing with these letters is laughing
             | at whatever porn you downloaded. They're just a scare
             | tactic, and if you get one, you can almost certainly ignore
             | it.
        
               | connicpu wrote:
               | Didn't Cox recently lose a big lawsuit for not actually
               | doing anything to punish repeat DMCA offenders? I'd be
               | cautious about assuming those letters are still harmless
               | today.
        
               | CameronNemo wrote:
               | I've had a connection shut off because of three letters.
               | Spectrum.
        
               | driverdan wrote:
               | This varies between ISPs. Some will shut off your
               | connection after a certain number of DMCA letters.
        
             | Jonnax wrote:
             | Are DMCA letters still a thing?
             | 
             | It seems like Torrenting died out significantly over the
             | last 5 years.
        
               | DarkCrusader2 wrote:
               | Just go to any popular torrent site and see the number of
               | people in the swarm. A little harder for less popular
               | stuff but nowhere near dying out.
        
               | throwaway8941 wrote:
               | Maybe in the US. Definitely not in ex-USSR. I don't know
               | of any single person who's paying for anything other than
               | Steam games (and that's only because they have prices
               | adjusted to our ridiculous wages.)
        
               | cube00 wrote:
               | They're too busy working through Twitch at the moment.
        
               | ryantgtg wrote:
               | Can't wait for the "you don't need a VPN" folks to
               | acknowledge that they don't understand why lots of people
               | actually use VPNs. It's DMCA, man. DMCA.
        
               | dingaling wrote:
               | Rather ironic that people pay for VPN services to access
               | content that they won't pay for.
               | 
               | Just don't bother with Big Media content and they won't
               | need a VPN...
               | 
               | There's plenty to do in life other than torrenting the
               | latest HBO series.
        
               | Dylan16807 wrote:
               | They'll go after you for downloading something you
               | already paid for, or was free to begin with.
        
               | ryantgtg wrote:
               | Rather, it is used for accessing content that you can't
               | pay for, given that Amazon Prime, Disney+, HBO Go, and
               | I'm sure many more are (or were in the past) simply not
               | supported on linux devices.
               | 
               | And, "Plenty to do in life" is a value judgment, and
               | isn't relevant to this discussion.
        
               | TulliusCicero wrote:
               | I moved to Germany and apparently they're still very much
               | a thing here. Torrenting popular shows sans VPN is -- at
               | least according to Germans on reddit -- an easy way to
               | get sued, and forced to pay hundreds of euros.
               | 
               | Obviously, I have no interest in testing this out myself,
               | so I take their word for it.
        
               | laingc wrote:
               | I lived in Germany for years, and this is absolutely the
               | case. Don't mess with torrents in Germany without a VPN.
               | 
               | Except for those Linux ISOs, of course.
        
               | Eremotherium wrote:
               | I got C&D from Daedalic Entertainment. They demanded 1.1k
               | or something along the lines. I was on welfare at the
               | time, so a lawyer was not within my means, so I objected.
               | I'm not sure what happened next because I probably didn't
               | open the letter from the court (getting a manila envelope
               | is fucking scary in addition to the stress of already
               | being broke) but they seemed to have got a verdict
               | against me and suddenly I owed over 2k. That being said I
               | got a few letters from lawyers and replied with a legal
               | note promising not to do it again (with any clause
               | concerning automatic fines removed) and beat them by
               | simply ignoring their demands afterwards. So it's
               | entirely possible that I simply fucked myself with
               | Daedalic by not opening their first letter and replying
               | with a note. I haven't pirated in years but have gotten a
               | VPN and will start back up because the fragmentation in
               | the streaming space pisses me off too much especially
               | since there's stuff I can't legally get here.
        
               | ocdtrekkie wrote:
               | I got one about a month ago (United States, the smallest
               | of the three ISPs available in my area). My ISP had a
               | screwy way of injecting the complaint, which I almost
               | missed. I had to call them and actually request the
               | complaint be sent by mail so I could see the details,
               | which I don't understand why they didn't do in the first
               | place... They actually served it to a guest in my house,
               | who thankfully told me about it, so I could investigate.
        
               | flatiron wrote:
               | i torrent from home, i also work from home.
               | 
               | i just never wanted my job to hire some dumb IT
               | consulting firm to do some cross between IPs on a swarm
               | and IPs VPNing in as a "threat analysis" and my dumb name
               | getting dragged into an office. I know it's far fetched,
               | but $40 a year of PIA keeps my mind at ease.
        
             | jasonjayr wrote:
             | It goes w/o saying but most if not all the cloud providers
             | map IP to account, so using a VPS may get your account
             | sanctioned or revoked.
             | 
             | Definitely don't spin up these VPN/VPSs on an account you
             | don't mind losing.
        
               | xrisk wrote:
               | Have received DMCA emails from DigitalOcean for
               | torrenting on their boxes. Can confirm.
        
               | pickdenis wrote:
               | If you're going to do that kind of stuff, make sure the
               | provider is based in another country. That gives you a
               | pretty strong layer of protection against these kinds of
               | things. Of course, nothing is entirely foolproof...
        
               | FakeRemore wrote:
               | There are seedbox services that allow public torrents and
               | don't forward DMCA emails.
        
         | badRNG wrote:
         | I regularly think that claims of astroturfing are overblown,
         | but it is common in the "privacy" focused industry to FUD
         | competitors to gain market share.
         | 
         | I'm immediately reminded of some shady search engine CEO going
         | on OAN and other fringe shows posing as a security researcher
         | to spread FUD about DDG to drive traffic to his site (can't
         | find the link for it now.) That OAN video even went around the
         | security industry (among compliance and less technical folk)
         | who were persuaded DDG was now worse than Google for consumer
         | privacy.
        
         | leokennis wrote:
         | VPNs just mean you're trusting someone else than your ISP.
         | Instead of your ISP seeing you go to site.com, now your ISP
         | sees you connecting to a VPN and the VPN sees you connecting to
         | site.com.
         | 
         | For this reason I am highly suspicious of any VPN service that
         | markets itself as some "magical privacy wormhole", which is 99%
         | of VPN providers.
         | 
         | Honest ones I know of are Encrypt.me and Mullvad, who both tell
         | you they should be mainly used to secure yourself on open WiFi
         | and to circumvent geo blocks.
         | 
         | If you want a private internet connection, use TOR.
        
       | romanovcode wrote:
       | > You can only subscribe to the VPN from the United States
       | 
       | How is this a "launch"? And also, this makes it a bit fishy if
       | you ask me.
        
       | devwastaken wrote:
       | How do we know this is safe from bad actors? If it's in the U.S.
       | is it safe from discovery? For example Watchtower tried to use
       | 'copyright Infringement' to force reddit to give a username's IP
       | and account information.
       | https://m.youtube.com/playlist?list=PLkdgWccrJAy53-jeBxM3Pk_...
       | 
       | VPNs are the only way of protecting what should be protected
       | speech. You have to not keep logs or anything that allows a court
       | to find the identity of a user.
        
         | Youden wrote:
         | > How do we know this is safe from bad actors?
         | 
         | You don't. You never will. This is the case not just for
         | Mozilla but for all VPN services.
         | 
         | Until there's some kind of hardware-level attestation that
         | verifies a server is running a particular software
         | installation, that's going to remain the case.
         | 
         | > VPNs are the only way of protecting what should be protected
         | speech.
         | 
         | No, if you want safety, a VPN is not the solution. VPN
         | providers have invested a lot of marketing in trying to tell
         | you otherwise but it's simply not true.
         | 
         | All a VPN does is move what little trust you're forced to have
         | in your ISP to a different, often less-regulated ISP.
         | 
         | The solution if you want privacy and/or anonymity is a
         | technology built for that purpose, like Tor or I2P.
        
       | r3trohack3r wrote:
       | Every time someone mentions a VPN provider in my techie social
       | circles, the "A VPN doesn't protect you" crowd piles in, usually
       | with links to something like:
       | https://gist.github.com/joepie91/5a9909939e6ce7d09e29
       | 
       | I don't understand this argument, but would like to.
       | 
       | I run https://everytwoyears.org, a political non-profit focused
       | on ending the warrantless metadata collection of U.S. citizens'
       | communications. From everything I know about these programs, they
       | are _explicitly_ not collecting content of communications. These
       | programs only collect the metadata about a communication. As
       | citizens, we don't get to have a clear definition of "metadata"
       | (that is classified!) but we can assume anything that isn't the
       | message itself is at risk of being considered metadata,
       | especially if it was shared with a service provider in the normal
       | course of conducting business (i.e. routing a request).
       | 
       | For HTTP requests, I assume the body of the request would require
       | a warrant before it can be persisted on a government server. The
       | HTTP headers, if unencrypted, _might_ be considered metadata but
       | I would be surprised. The IPV4 headers are more than likely
       | metadata. DNS queries are more than likely metadata.
       | 
       | If you are trying to avoid _active_ surveillance, where your
       | government has a warrant, a VPN isn't going to help you. If you
       | are trying to avoid _active_ surveillance where your adversary
       | doesn't need/want a warrant to search you, a VPN isn't going to
       | help you. But if you are trying to avoid having your internet
       | activity ending up, de-anonymized, in a metadata database that
       | your government does bulk analysis on, a VPN does seem like it
       | would help. It seems like it would help a lot.
        
         | zaptheimpaler wrote:
         | If you assume VPNs don't keep logs forever, then a VPN is very
         | strong protection. Seems like all the anti VPN arguments are
         | predicated on the VPN keeping exhaustive logs of every request.
         | Given the volume of data and the incentives of businesses, I
         | feel like that's probably not true for many VPNs. I generally
         | believe them when they say they don't log, because it's just
         | more $$$ on storage that provide 0 value to the company unless
         | they are required by law.
        
         | closeparen wrote:
         | A VPN is just a tunnel from one point to another. You'd have to
         | establish why the remote end is more trustworthy than the local
         | end. Being located in a hostile jurisdiction may be somewhat
         | protective, but it would also seem likely that compromising
         | foreign VPN services is within the NSA's wheelhouse.
        
           | weavejester wrote:
           | Even if you trust your ISP, and it's not required to keep
           | logs due to local laws, a VPN is often a good idea anyway.
           | Geolocation from IP address can be scarily accurate - mine
           | identifies me to within a mile radius of where I live.
        
           | deepbreath wrote:
           | If nothing else, it significantly reduces the entropy of your
           | IP when websites are fingerprinting you, especially if your
           | ISP assigns you a static IP.
           | 
           | Even if you don't have a static IP, I suspect the entropy of
           | your /24 (IPv4) is also a lot smaller when over VPN.
        
             | abofh wrote:
             | Do you understand the words you're using?
        
           | wongarsu wrote:
           | Unless I set up my own VPN I'll share a VPN server and IP
           | with other people. That makes my traffic inherently more
           | anonymous once it has left the VPN server, since you can't
           | correlate traffic to a single person anymore. So even if
           | traffic in the data center is analyzed, that's better than my
           | ISP analyzing traffic.
           | 
           | Thus we only have to establish that the VPN provider is at
           | least as trustworthy as my ISP. That's a pretty low bar to
           | clear in many places. I have no doubt some VPNs are operated
           | by nefarious actors (no better way to collect high quality
           | data), but I don't think that's a concern with Mozilla.
        
             | closeparen wrote:
             | You should expect that the government can compel a VPN
             | provider to correlate traffic to subscriber information
             | exactly the same way it does with a residential ISP.
        
               | wongarsu wrote:
               | Sure, but the set of governments that can compel my ISP
               | might be different from the set of governments that can
               | compel my VPN. I don't care about all governments
               | equally, and my own government has a disproportional
               | impact on me compared to most other governments.
        
           | r3trohack3r wrote:
           | Agreed.
           | 
           | I think the key for me is that, at least under the original
           | Presidential Surveillance Program, the providers that
           | participated were not compelled to share their users'
           | metadata. They shared it willingly, regularly, and in bulk.
           | There is reference to a service provider backing out of this
           | agreement a few years later, telling the NSA they would feel
           | more comfortable sharing the data if it were compelled.
           | 
           | It's not clear if this has changed since 2013. But assuming
           | Mozilla, or Mullvad, isn't compelled to share _all of their
           | data_ it seems unlikely that they would willingly give that
           | up to a government surveillance program.
           | 
           | I think ISPs have demonstrated they aren't trustworthy. For
           | most people in the U.S., it seems, finding someone more
           | trustworthy than their ISP is literally anyone who isn't
           | admitting that they collect and share their private data. I
           | would be surprised if Mozilla doesn't clear this bar.
        
         | yurlungur wrote:
         | I'm not qualified to analyze the technical details but I have
         | some more practical grievances with VPNs. I paid for ExpressVPN
         | for 1yr on going and found it disappointing despite being
         | advertised as the expensive but good option.
         | 
         | First, geo blocking often catches it or provider has moved to
         | other means to verify address. I don't use Netflix but for
         | certain streaming sites in Japan that I use and BBC express
         | does nothing.
         | 
         | Second, it doesn't get past GFW whereas shadowsocks based
         | solution does.
         | 
         | Overall it seems the only benefits are getting better speed
         | sometimes and theoretical privacy benefits.
        
         | koheripbal wrote:
         | I think you are correct that VPNs are a sort of half-solution.
         | 
         | There are a lot of people that think anything less than 100%
         | isn't worth your time, so they suggest TOR - but TOR has all
         | sorts of annoying limitations that preclude daily usage.
         | Absolute solutions are seldom worth the 10x extra effort they
         | frequently require.
         | 
         | Another set of half-solutions can be seen here which will make
         | you more secure...
         | 
         | https://www.cloudflare.com/ssl/encrypted-sni/
         | 
         | ESNI, DoH, DNSSEC, and TLS1.3 are fairly easy to set up - and
         | worth your time.
         | 
         | Using Firefox with uBlock Origin & PrivacyBadger plus the above
         | gets me to a good enough place.
         | 
         | Illegal stuff on the other hand -> TOR.
         | 
         | The problem with doing illegal stuff with only half-protections
         | is that the authorities don't need to use the metadata to
         | _prove_ your guilt. After they raid your house they'll have
         | all the parallel construction they need to make it stick.
         | ...then again if you're just buying personal use amounts of
         | drugs - no one at the FBI cares.
        
           | r3trohack3r wrote:
           | I think you cut right to the core of where I get lost in the
           | VPN argument.
           | 
           | Tunneling (even through TOR) isn't sufficient if you have
           | someone well funded, highly skilled, and very motivated to
           | watch you. I would posit that purely technical solutions will
           | never solve human problems. Perfect, unbreakable, encryption
           | can be trivially passed with a set of cleverly placed jumper
           | cables.
           | 
           | The key, in my opinion, is trying to align technology with
           | the laws that (mostly) already successfully protect us from
           | jumper cable wielding adversaries.
           | 
           | From my understanding, the U.S. government interprets
           | "metadata" as having no societal expectation of privacy and
           | therefore they don't need a warrant to collect it. These
           | questionable metadata collection programs seem like they can
           | be effectively thwarted through half measures, like E2E
           | encryption of the metadata (use HTTPS and DNS over HTTPS),
           | obfuscation of the metadata through tunneling (use VPNs),
           | etc.
           | 
           | Some metadata I don't have a good answer for, like location
           | data when my cellphone pings the local towers. I can choose to
           | share my location data w/ the tower so it can route calls to
           | me, and submit to that possibly ending up in a government
           | database, or I can keep my phone from talking to the cell
           | tower being unable to send/receive calls. I don't see a half
           | measure...
        
           | fataliss wrote:
           | Do you have a good write up on how to get all that set up by
           | any chance? Also, does anybody have a comparison of Brave vs
           | Firefox when it comes to privacy?
        
             | julesallen wrote:
             | https://www.androidpolice.com/2020/06/07/brave-browser-
             | caugh...
             | 
             | I was using Brave until this story came out and switched
             | over to Vivaldi for the stuff that absolutely demands the
             | Blink engine.
             | 
             | Point one, if they _repeatedly_ continue to do this kind of
             | thing, what kind of stuff are they also getting away with?
             | Or what's the next big surprise around the corner?
             | 
             | The second point is I really now prefer Vivaldi as things
             | like sync work (it's been broken for a long time in Brave)
             | and there's more exposed in the prefs for techie types who
             | like to tinker with that kind of thing.
             | 
             | Firefox continues to be the every day browser and it keeps
             | getting better as time goes on (another +1 for take my
             | money for email, calendar, file storage, etc.).
        
             | r3trohack3r wrote:
             | Not complete coverage, but I set up a pihole w/ DNS over
             | HTTPS a while back and documented it here:
             | https://github.com/retrohacker/knowledge/blob/master/pi/piho...
             | 
             | This has the added benefit of being good for the whole
             | network (your whole house) including gaming systems and
             | smart TVs.
        
         | miniyarov wrote:
         | This is very totally legit that public VPN services are
         | complete trash. Online anonymity is very hard. However, you can
         | still create your own VPN server on cloud providers to at
         | least have some privacy while you are on an untrusted network.
         | 
         | Because of this reason, I created zudvpn.com - It is a free and
         | open-source mobile application that's used to deploy a private
         | VPN server on major Cloud Providers!
         | 
         | Github repo: https://github.com/zudvpn/ZudVPN
        
           | RealStickman_ wrote:
           | Why would a VPS server be any more secure than a VPN
           | provider? They have the same ability to view outgoing traffic
           | and can very easily log the source ip address.
        
             | miniyarov wrote:
             | http://zudvpn.com does not provide complete anonymity. The
             | idea is that you control your own server and you make sure
             | that nobody is logging your every move. Even though public
             | VPNs claim that they don't log, you should not blindly
             | trust them.
             | 
             | Check GH repo to see how https://ZudVPN.com generates SSH
             | key on your phone and locks the VPN server with the key
             | that is only available for you.
        
         | Spooky23 wrote:
         | I doubt it, unless you run the VPN. Governments have the same
         | ability to leverage things like trackers, etc.
         | 
         | A public VPN service is good for localized privacy. Even a
         | cheap Ubiquiti setup will be able to tell about your habits.
         | It's probably good enough to avoid the attention of a civil or
         | informal inquiry (DMCA, employer, etc).
        
           | r3trohack3r wrote:
           | > Governments have the same ability to leverage things like
           | trackers
           | 
           | It's not clear to me whether the methods trackers use to de-
           | anonymize you are considered "content" or "metadata", and
           | whether the U.S. government would need a warrant to access
           | tracker information.
           | 
           | Do you have thoughts?
        
             | Spooky23 wrote:
             | You can buy the data on the market without a warrant.
             | 
             | VPNs seem like a really obvious bypass of controls and
             | surveillance capability. I'm sure the folks at NSA, et al
             | thought of it too.
        
         | edw wrote:
         | There's a lot of gross stuff that your ISPs (which includes
         | your mobile phone provider) do to further monetize your
         | relationship with them, and having a VPN can negate that.
         | 
         | ISPs can observe your DNS lookups to their servers and assemble
         | a profile on you based on the domain names you look up, and put
         | you into a series of audiences that marketers can then use (for
         | a fee) for ad targeting.
         | 
         | ISPs can also observe your DNS lookups to Google's or anyone
         | else's public DNS servers.
         | 
         | ISPs can snoop on your unencrypted traffic, proxy it, and
         | inject headers into HTTP responses to facilitate (you guessed
         | it) the creation and sale of audience data to advertisers.
         | 
         | ISPs can transcode (and downsample) multimedia content to
         | decongest their pipes or airwaves.
         | 
         | If you are a spy or a member of a disfavored political group,
         | you should almost appreciate the scummy practices of ISPs, as
         | it drives a bunch of non-spies and people not associated with
         | disfavored political groups to adopt privacy-enhancing
         | technologies.
         | 
         | If I worked at the NSA or CIA or FSB or Mossad or wherever, I
         | would highly encourage lawmakers to enact laws to protect
         | consumer privacy in order to drastically reduce the perceived
         | need for people not in the above groups (et alia) to adopt VPNs
         | and other technologies; there would be fewer "boring" people
         | using such technologies, giving the needles a lot less haystack
         | to get lost in.
        
           | Kelamir wrote:
           | > ISPs can also observe your DNS lookups to Google's or
           | anyone else's public DNS servers.
           | 
           | edw, could you elaborate on that, please? I thought changing
           | to public DNS servers like OpenDNS provides some security
           | from ISP tracking.
        
             | stuuuuuuuuu wrote:
             | Traffic between you and the public DNS servers isn't
             | encrypted, so your ISP can still read it.
             | 
             | (I suppose this is one of the problems that DNS-over-HTTPS
             | is designed to fix.)
        
               | Kelamir wrote:
               | Thank you for the answer, stuuuuuuuuu! I'll look into it.
               | 
               | ...
               | 
               | DNS-over-HTTPS can be enabled in Firefox via Network
               | settings, turns out.
        
             | _jal wrote:
             | In addition to the lack of encryption mentioned, some ISPs
             | transparently intercept DNS requests and reply to them with
             | their own.
             | 
             | Test your own ISP: try something like
             | 
             | nslookup news.ycombinator.com 1.2.3.4
             | 
             | If you get a response, your ISP is gaslighting you.
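
Added example, not part of the thread and not any commenter's code: the two DNS points above (plaintext queries are readable on the path; an answer from an address that runs no resolver means something intercepted the query), in Python. Function names are illustrative, the reply bytes are constructed, and 192.0.2.1 (reserved for documentation by RFC 5737) is assumed as a target that never runs a DNS server; the check only means something if the queried address really has no resolver.

```python
import secrets
import socket
import struct


def build_query(name, qid):
    """Encode a recursive A-record query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(packet, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | packet[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def observed_name(packet):
    """What anyone on the path reads from a plaintext UDP/53 query."""
    return read_name(packet, 12)[0]


def parse_response(packet, qid):
    """Return rcode and A records, or None if this is not a reply to qid."""
    if len(packet) < 12:
        return None
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", packet[:12])
    if rid != qid or not flags & 0x8000:  # wrong ID, or QR bit says "query"
        return None
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = read_name(packet, offset)
        offset += 4
    addresses = []
    for _ in range(ancount):
        _, offset = read_name(packet, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(packet[offset:offset + 4]))
        offset += rdlen
    return {"rcode": flags & 0xF, "addresses": addresses}


def sample_reply(query, ip):
    """Constructed reply (test data only): one A record answering `query`."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def probe(server="192.0.2.1", name="news.ycombinator.com", port=53, timeout=2.0):
    """Query an address that should be silent and report whether anything answered.

    answered=True for an address with no resolver behind it means a device on
    the path (ISP, captive portal, corporate gateway) replied in its place.
    """
    qid = secrets.randbelow(1 << 16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (server, port))
            data, _ = sock.recvfrom(4096)
            reply = parse_response(data, qid)
        except (OSError, IndexError, struct.error, ValueError):
            return {"answered": False}  # timeout, ICMP error or malformed data
    if reply is None:
        return {"answered": False}
    return {"answered": True, **reply}


if __name__ == "__main__":
    q = build_query("news.ycombinator.com", 0x1234)
    print("on-path observer reads:", observed_name(q))
    print("constructed reply parses to:",
          parse_response(sample_reply(q, "203.0.113.7"), 0x1234))
    # Live check (needs network access): print(probe("192.0.2.1"))
```

A single lost packet also yields answered=False, so repeat the live probe a few times before concluding that nothing is intercepting.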
        
         | ccktlmazeltov wrote:
         | Most people use a VPN because it lets them have a different
         | geolocation (to watch Netflix in a different country, access
         | thepiratebay, etc.)
         | 
         | If you do use a VPN to mask your traffic, there are two
         | questions to ask yourself:
         | 
         | 1. who are you masking your traffic from?
         | 
         | 2. can you trust the VPN network more?
         | 
         | In general, you cannot trust a VPN network more, and HTTPS is
         | the solution as it provides end-to-end encryption with some
         | important caveats (web PKI)
         | 
         | Running your own VPN is not a good solution either, because who
         | owns the servers where your VPN is running?
        
         | tafl wrote:
         | Yeah I've heard this one before.
         | 
         | I use Mullvad, paid using BTC that came straight from a
         | tumbler. I don't use it for any nefarious reasons, just wanted
         | to see how such a setup would work. It was surprisingly
         | painless. I think it took 15 minutes in total from moving my
         | btc to the tumbler and having the tumbler move the btc to my
         | Mullvad account.
         | 
         | Am I 100% secure? No, they know what IP I'm connecting from. Is
         | my name attached to the VPN? No, not even close. I suppose if I
         | wanted to further improve my security I wouldn't use my own
         | home network, but public wifi's nearby.
         | 
         | But again, I didn't do it to stay "safe" or anonymous. Just
         | wanted to see how the process would actually be.
        
           | Shank wrote:
           | > I use Mullvad, paid using BTC that came straight from a
           | tumbler. I don't use it for any nefarious reasons, just
           | wanted to see how such a setup would work.
           | 
           | > But again, I didn't do it to stay "safe" or anonymous.
           | 
           | I sincerely hope that you're trying to stay safe if you're
           | admitting to money laundering on a public forum.
        
             | cyberpunk wrote:
             | Tumbling coins has nothing to do with money laundering,
             | it's just a way to anonymize them....
        
               | ryanlol wrote:
               | Tumbling coins has everything to do with money
               | laundering. Of course, the source of the funds isn't
               | necessarily illicit.
        
               | crazygringo wrote:
               | Money laundering is turning dirty money into clean, that
               | appears legitimate, taxable etc. If the source isn't
               | illicit, it isn't laundering because there's nothing to
               | clean.
               | 
               | Tumbling coins is just obscuring their origin.
               | 
               | The two don't inherently have anything to do with each
               | other.
               | 
               | Even if you tumble "dirty" coins, you've got to explain
               | to the IRS the source of income behind the new coins.
               | Tumbling, in and of itself, doesn't achieve that.
        
             | tafl wrote:
             | Like cyberpunk said. It's not money laundering, it's a way
             | of anonymising the bitcoins.
        
               | hendersoon wrote:
               | He's actually technically correct, as that is the very
               | definition of money laundering. The difference is
               | (assumedly) the money he's laundering wasn't obtained via
               | illegal means.
        
       | jchw wrote:
       | Please take notes from Mullvad and give some basic transparency
       | about the data centers and whether the servers are rented or
       | owned and etc. Stuff like that goes a long way for people who are
       | genuinely serious about privacy.
        
       | gver10 wrote:
       | > Although there are a lot of VPNs out there, we felt like you
       | deserve a VPN with the Mozilla name behind it.
        
       | ayoisaiah wrote:
       | I won't be switching to this. I've been paying EUR4.99 monthly
       | for Blokada VPN on Android. It's pretty reliable and offers ad
       | blocking as well. Also supports up to 5 devices.
        
         | nix23 wrote:
         | Nice, which shady Marketing-Firm are you working for?
         | 
         | Any points for 'Blokada' being more trustworthy than AT&T ;)
        
           | ayoisaiah wrote:
           | Just a happy user :)
           | 
           | Blokada is pretty popular for Ad blocking on Android. And
           | it's open source too: https://github.com/blokadaorg/blokada
        
             | nix23 wrote:
             | Nice...sorry for the aggressive tone, sounded like an
             | advertisement, have fun ;)
        
       | flyGuyOnTheSly wrote:
       | What is the main benefit of using a VPN?
       | 
       | I download music, movie, tv, etc files via torrent using my
       | Canadian IP address and I have never seen anything more than an
       | email from my ISP saying essentially "so and so company thinks
       | you downloaded their material, don't do that ok?".
       | 
       | Is the general public so afraid of getting the odd email that
       | paying $5/$10 month to make them disappear is a good deal for
       | them?
       | 
       | Why wouldn't people just use TOR for free? It was extremely fast
       | the last I checked.
        
         | flatiron wrote:
         | tor begs you not to use their service for torrenting. it would
         | also be a lot slower than a VPN
         | 
         | i use a VPN (to Montreal since it supports port forwarding)
         | because i work from home and i don't want my IP that VPNs to
         | work for a major company also being part of a torrent swarm.
        
       | Havoc wrote:
       | Can you select the region of exit node? Cloudflare VPN and
       | lastpass geolocking was a bad combo...
        
       | AdmiralAsshat wrote:
       | Forget the VPN--I already have a VPN provider and I have no
       | interest in changing. Offer a paid e-mail service, on the other
       | hand, and I'd sign on up Day 1.
        
         | xii22 wrote:
         | I've heard good things from HEY[1]; I've been thinking about
         | using their trial
         | 
         | [1]https://hey.com/
        
           | kilroy123 wrote:
           | Hey looks great and I trust it will be around for a while.
           | Unlike inbox from Google.
           | 
           | I would 100% sign up for hey if I didn't migrate to Fastmail
           | this year.
        
         | qchris wrote:
         | I second this wholeheartedly. I would be happy paying at least
         | the $5/mo that they're charging for the VPN to have web-based
         | access to privacy-respecting email service tied to a name I
         | tend to trust like Mozilla (hopefully with a fairly vanilla
         | domain name that doesn't get weird looks).
         | 
         | Purism's Librem One suite [0] comes the closest, but I just
         | don't have the trust in them that I'd want before pulling the
         | trigger. They have a history of making grand claims with sub-
         | par delivery, which just doesn't cut it for a service like a
         | primary email provider. They've claimed plans to add features
         | like file storage for ages now with no updates. Email is just
         | too important a part of daily life to risk it.
         | 
         | [0] https://librem.one/
        
         | numbsafari wrote:
         | This right here. And a hosted suite of productivity tools that
         | have documented, public formats that contain all of your data
         | (and not just a link to the cloud-hosted copies).
         | 
         | Amazing that GSuite's only real competitor in 2020 is
         | Office365.
        
           | dublinben wrote:
           | Would you consider Zoho a "real" competitor?
           | 
           | https://www.zoho.com/
        
           | j_koreth wrote:
           | Would a Nextcloud instance work?
        
             | cecida wrote:
             | I've checked out Nextcloud a few times, but it really needs
             | a sizeable and trustworthy brand that would host it for
             | you, allow you to point a custom domain at it, and provide
             | zero config email/calendaring out of the box.
             | 
             | I'd trust Mozilla.
        
       | [deleted]
        
       | 29athrowaway wrote:
       | If Mozilla cares about privacy then why does this exist:
       | https://developer.mozilla.org/en-US/docs/Web/API/Beacon_API
        
         | gruez wrote:
         | * you can disable it
         | 
         | * sites can already do the same thing with javascript. this
         | simply standardizes it, AND makes it easier to block (since
         | it's a different request type rather than being lumped with
         | other xhr).
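The distinction drawn in the comment above, as an added example that is not part of the thread: Firefox's WebExtension `webRequest` API reports `navigator.sendBeacon()` traffic with its own resource type, `"beacon"`, so a blocker can cancel it without any URL list, while telemetry sent as plain XHR can only be caught by host. The request objects and host names are constructed samples, and the function names are hypothetical.

```javascript
// Added example: the sample requests are constructed and shaped like the
// `details` object passed to webRequest.onBeforeRequest listeners.

// Firefox labels Beacon API requests "beacon", separate from "xmlhttprequest".
const BEACON_TYPE = "beacon";

// Policy 1: cancel by request type alone. No knowledge of URLs is needed.
function blockByType(details) {
  return { cancel: details.type === BEACON_TYPE };
}

// Policy 2: what a blocker falls back on when telemetry is sent as ordinary
// XHR: a maintained host list (hypothetical entry).
const TELEMETRY_HOSTS = new Set(["metrics.example"]);

function blockByHost(details) {
  return { cancel: TELEMETRY_HOSTS.has(new URL(details.url).hostname) };
}

// Constructed traffic: two beacons (one to a host nobody has listed yet),
// one XHR to a known collector, one legitimate application XHR.
const SAMPLE_REQUESTS = [
  { id: 1, type: "beacon", url: "https://metrics.example/collect" },
  { id: 2, type: "beacon", url: "https://cdn.unlisted.example/b" },
  { id: 3, type: "xmlhttprequest", url: "https://metrics.example/collect" },
  { id: 4, type: "xmlhttprequest", url: "https://shop.example/api/cart" },
];

function cancelledIds(policy, requests) {
  return requests.filter((r) => policy(r).cancel).map((r) => r.id);
}

// Returns which sample requests each policy would cancel.
function comparePolicies(requests = SAMPLE_REQUESTS) {
  return {
    byType: cancelledIds(blockByType, requests),
    byHost: cancelledIds(blockByHost, requests),
  };
}

// Inside a Firefox extension (manifest v2 with the "webRequest",
// "webRequestBlocking" and "<all_urls>" permissions) the type rule is one
// listener. Outside an extension `browser` is undefined and this is skipped.
if (typeof browser !== "undefined" && browser.webRequest) {
  browser.webRequest.onBeforeRequest.addListener(
    blockByType,
    { urls: ["<all_urls>"], types: [BEACON_TYPE] },
    ["blocking"]
  );
}
```

The type rule cancels both beacons, including the one to an unlisted host, and never touches the cart XHR; the XHR to the collector is only caught by the host list.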
        
       | userbinator wrote:
       | This is what they should've done _instead_ of that user-hostile
       | DoH thing (which is already itself a sort of VPN but for DNS
       | traffic only.)
        
       | RandomBacon wrote:
       | It uses Mullvad, and is the same price as Mullvad. I am assuming
       | Mozilla gets a cut. When my current Mullvad subscription expires,
       | I will switch over.
        
         | vpnwire wrote:
         | I've been speedtesting a few VPN networks, and the biggest
         | surprise has been how fast Mullvad + Wireguard are. I need to
         | try NordLynx (NordVPN's flavor of Wireguard) for more of an
         | apples-to-apples comparison, but at least on the speed metric,
         | it looks like Mozilla chose a good partner.
         | 
         | Making deeper data exploration possible is a work in progress,
         | but you can see what I have so far here: https://vpnwire.co
        
           | maxisme wrote:
           | Is Mullvad the only provider you are using with WireGuard?
        
         | notRobot wrote:
         | Indeed. Can someone explain why it's not available outside of
         | the US, though? I don't see the logic behind that.
        
         | LeoPanthera wrote:
         | It's less flexible than Mullvad. This new service is Wireguard-
         | only, and as far as I can tell, requires you to use their
         | custom app.
         | 
         | Mullvad additionally supports OpenVPN and other protocols, and
         | is client-agnostic.
        
           | e12e wrote:
           | > Wireguard-only
           | 
           | That's great - less features and options are a plus for vpn
           | services.
           | 
           | > requires you to use their custom app.
           | 
           | Sounds odd, if it's just using wireguard.
        
             | toomuchtodo wrote:
             | Might be opinionated to support a high quality user
             | experience.
             | 
             | Guard rails can be good depending on your audience.
        
       | pgt wrote:
       | If Mozilla launched Momail or Firemail, I'd pay for it before
       | paying for HEY or Fastmail.
        
       | MattGaiser wrote:
       | Isn't $4.99 pricey for a VPN? I pay about 3 for Nord.
        
         | [deleted]
        
         | solarkraft wrote:
         | Nord locks locks you into an eternal contract and has a pretty
         | bad reputation for multiple reasons.
        
           | ternaryoperator wrote:
           | >Nord locks locks you into an eternal contract
           | 
           | What do you mean? I paid NordVPN for a 2-year contract, which
           | expires in a few weeks. What does "locks locks" refer to?
        
             | solarkraft wrote:
             | Sorry, it was meant to be a single "locks". And yep, I'm
             | referring to that type of contract.
        
         | robrtsql wrote:
         | It is a bit pricey compared to the competition (lots of VPNs
         | out there that cost ~$3/month) but apparently Mullvad is the
         | VPN provider for this offering, and they cost $5 a month
         | because they are considered one of the 'best' VPNs in terms of
         | privacy (for example, they will accept cash payments:
         | https://en.wikipedia.org/wiki/Mullvad#Privacy ).
        
           | TurkishPoptart wrote:
           | Is it at all slow? I've found a lot of VPNs actually slow
           | down my connection which makes me less willing to try them.
        
         | tobsmagoats wrote:
         | Price is in line with Mullvad which they are piggybacking off
         | of. Nord has an iffy past and they advertise a lot (often
         | exaggerated claims) which is a red flag for me.
        
       | DCKing wrote:
       | Come on Mozilla, hurry up! I want to give you money for goods and
       | services (I also donate monthly [1]), but I'm not that interested
       | in a VPN (I can and do also pay Mullvad).
       | 
       | Give me that real internet stuff - email, calendar, file sync,
       | chat(?) - give me Firefox Premium. Bundle in the Lockwise
       | password manager. I'd pay good money to see a company fill the
       | void of paid, privacy first essential internet services and I
       | think Mozilla is one of the foremost existing players to pull it
       | off. They've started talking about Firefox Premium a while ago
       | now [2] and it's obviously not easy to build all of this in a
       | lean way, but I'll happily pitch in. If only to help make Firefox
       | development less dependant on Google or Yahoo.
       | 
       | [1]: https://donate.mozilla.org/
       | 
       | [2]: https://www.theverge.com/2019/6/10/18660344/firefox-
       | subscrip...
        
         | jean- wrote:
         | I'm a Fastmail and Google Suite paying customer. I would SO
         | transition to a "Firefox Suite" email+calendar service if
         | Mozilla provided one.
        
         | TheKarateKid wrote:
         | Paying for a browser in this day and age would really bring
         | Mozilla full-circle back to Netscape in the 90's.
         | 
         | Time for them to reclaim the throne.
        
         | j1elo wrote:
         | I was just about to change to something different from
         | LastPass, pretty much convinced about Bitwarden from previous
         | HN mentions, until you mentioned Lockwise :-) care to share
         | some pros and cons or comparison between these two?
        
           | zdragnar wrote:
           | There is also always https://www.passwordstore.org/ it is a
           | bit more work to get everything set up, but I now have an
           | encrypted git repo of my passwords with clients on my laptop
           | and android phone. I can't speak to ios or macos, but there is
           | a distinct lack of good windows gui client, which is the
           | biggest con.
           | 
           | The major pro for me is that I know exactly how it is
           | encrypted end to end, and have control over how and where it
           | is stored, and can move the storage as I please, all entirely
           | for free.
        
           | staplers wrote:
           | Currently using both, Bitwarden is much more robust,
           | customizable, and safe (audited by 3rd party). Lockwise is
           | great if you want a simple pw manager for browsing online but
           | Bitwarden is like a "life" manager that can store addresses,
           | credit cards, notes, passwords, etc.
        
           | calvinmorrison wrote:
           | I can offer up 1password comments. It has a good native app
           | for osx. I don't use osx. It offers a CLI tool that spits out
           | json. I wish it would just integrate with pass(1). The
           | Firefox add-on is close enough to abysmal that I use their
           | website making it inconvenient. It doesn't work with regular
           | http auth so you have to copy the fields in manually then
           | refresh.
           | 
           | Otherwise it's fine. The multiple Vaults is great to share
           | passwords among family or maybe your co-workers. It has
           | features like TOTP and supports many types of other fields.
           | 
           | 4/10 on usability 10/10 on its core feature set. Probably a
           | 9/10 on osx.
        
         | rubyfan wrote:
         | What products and services do you want from Mozilla?
        
           | VWWHFSfQ wrote:
           | > email, calendar, file sync, chat(?) - give me Firefox
           | Premium
        
         | hendersoon wrote:
         | Mozilla VPN literally _is_ rebranded Mullvad. So if you want to
         | contribute to Mozilla, should be a pretty easy switch for you.
        
         | specialist wrote:
         | If Firefox integrated with Keychain, it'd probably be my
         | default browser again. I'd happily pay.
         | 
         | Once Keychain got good enough, I transitioned to Safari 98% and
         | dropped 1Password. iCloud syncing is nice too.
         | 
         | --
         | 
         | Anecdotally, it just seems like a lot of web sites are poorly
         | tested against Safari, so I run into weird stuff. Also, Safari
         | now inevitably abends, seemingly after binging YouTube.
         | 
         | I favor Safari, mostly because of lower power consumption. I
         | have only positive things to say about Firefox. I've always
         | liked it and I've read they keep improving the power stuff. If
         | I ever do front end work again, I'll definitely go back to
         | 50/50.
         | 
         | --
         | 
         | Leaving gmail is on my to do list. I've just been too lazy to
         | follow thru. I dunno why, but if Mozilla partnered with
         | FastMail, I'd be more motivated. Probably for bragging rights,
         | virtue signaling.
        
           | rhlsthrm wrote:
           | Totally agree. I feel like I trust Safari in terms of privacy
           | as well, and it works so well in the walled garden of
           | iOS/macos. I really hope they get it up to date with the
           | latest web standards, it's a joy to use otherwise.
        
         | stiray wrote:
         | > If only to help make Firefox development less dependant on
         | Google or Yahoo.
         | 
         | Omg, my thoughts exactly! I don't want services... I don't want
         | anything except that with the donations they will break away
         | from google. That is it. And I bet a lot of us here would
         | gladly donate, I donate to EFF while mozilla could in theory
         | have more impact.
        
         | devalgo wrote:
         | Let them stay in the Niche maybe? I'd rather have a really
         | great safe browser than half a dozen half baked products from
         | the same company.
        
         | lukashrb wrote:
         | 100% this. I'm currently waiting for the ProtonMail calendar
         | and still looking for an easy file sync solution. I tried
         | syncthing today but it's really not that comfortable to use....
        
         | gnulinux wrote:
         | I want this and want to pay for this. Hoping this will be a
         | real product soon.
        
         | JoshTriplett wrote:
         | I'd pay _at least_ $10/month or $99/year for Firefox Accounts,
         | just as they stand today, because they give me at least that
         | much value. Integrate full 2FA into Lockwise, so that I have
         | 2FA that'll never die with a broken phone, and I'd pay more.
         | Add a secure calendar I can use with friends and family, and
         | I'd pay more. (I'd hesitate to say email, just because running
         | that is a can of worms I wouldn't wish on my worst enemy, but
         | I'd absolutely pay for that too.) I would love to have _all_ of
         | my major services tied into my Firefox Account, with the same
         | level of security, privacy, and trust I've come to expect.
        
         | [deleted]
        
         | bobajeff wrote:
         | I still want Mozilla to release an Android keyboard.
        
           | jtrip wrote:
           | I believe the 'AnySoftKeyboard' is a good opensource
           | alternative for Android, no?
        
           | vorticalbox wrote:
           | Me too, currently using swift key as it came preinstalled but
           | it's owned by Microsoft.
           | 
           | I use net guard to stop basically everything in my phone from
           | contacting the Internet.
        
         | test002 wrote:
         | /me wonders which Mozilla marketing person is responsible for
         | planting this comment to justify value. Firefox accounts has a
         | loooong ways to go. There's no webauthn support ( Mozilla's own
         | standard ) and no recovery process. Clear disconnect between
         | value and reality.
        
         | onyva wrote:
         | Agree. I'm currently on Proton but I'd like to see Mozilla
         | bundle the essentials, with vpn and mail as the basics.
         | 
         | Also, consider if possible affordability for students and
         | seniors, who might not be able to afford a subscription. Maybe
         | limited bandwidth for free w/o subscription? Something like
         | ProtonVPN provided.
        
         | somurzakov wrote:
         | internet scale email, calendar, password manager, OpenID auth
         | provider, VPN, browser + integrated search via DDG =
         | everybody's dream
        
           | belzebalex wrote:
           | I know upvote already exists, but I deeply want to +1 on this
           | one. If Mozilla does it, I'd be a happy customer too.
        
           | [deleted]
        
         | petejodo wrote:
         | I don't have much to add, I'm just replying in case Mozilla
         | devs see this. I want this so much as well! I don't mind the
         | VPN though. I pay for it now even though I run mostly Linux
        
           | qchris wrote:
           | I'm in exactly the same boat. Paying for the VPN to use on
           | exactly one device because everything else is Linux, and
           | would happily put more money towards it if they offered a
           | paid equivalent to GSuite that was privacy-respecting.
        
         | 91edec wrote:
         | I've wanted email so bad. Using protonmail til the day Mozilla
         | decides to go down the email route.
        
         | lub wrote:
         | > chat
         | 
         | This already exists: https://chat.mozilla.org/
         | 
         | You can use it with your Firefox account.
        
         | typon wrote:
         | Only Mozilla can make me pay for Google services like
         | Email/Calendar etc. I think I subconsciously trust the brand
         | more than most internet companies out there.
        
           | shafyy wrote:
           | And the Basecamp guys with Hey :-)
        
           | lilyball wrote:
           | How about FastMail? They have a stellar email service. They
           | also offer contacts and calendars, though I don't personally
           | use those (I use iCloud for that).
        
             | PhilippGille wrote:
             | Wasn't there a privacy problem because of the Australian
             | encryption law [1] and the company being based in
             | Australia?
             | 
             | [1] https://news.ycombinator.com/item?id=18636076
        
               | ObsoleteNerd wrote:
               | It's just as private as Gmail, which is the comparison in
               | question.
               | 
               | If you want secure, you wouldn't be using email in the
               | first place.
        
             | wpietri wrote:
             | Having recently moved my personal domains to FastMail, I'm
             | a big fan. It's solid, reliable, and reasonably priced. I
             | would have happily paid for Mozilla/Thunderbird mail
             | hosting had that been available.
        
             | neuronic wrote:
             | Yep, migrated from Gmail and very happily so :)
        
               | mderazon wrote:
               | I want to migrate from Gmail but I have my Gmail address
               | tied up to so many things. How do you make the move ?
        
               | 867-5309 wrote:
               | a bit like a physical address - forward the mail on for x
               | months and then cut off completely
        
               | dsissitka wrote:
               | That's what I did and it worked well for me for the most
               | part. I ended up keeping Gmail around for the occasional
               | service that doesn't work well with Fastmail. Off the top
               | of my head I've had issues with:
               | 
               | - Frontier
               | 
               | - Green Man Gaming
               | 
               | - Paperspace
               | 
               | - Rainway
               | 
               | - SquareTrade
        
               | wjdp wrote:
               | FastMail can pull from gmail. My account pulls from all
               | emails I use minus work and can send on those addresses
               | so. It also supports having a different signature
               | depending on which address I'm sending from.
               | 
               | See
               | https://www.fastmail.com/help/account/migratetofastmail.html
               | 
               | No connection to them, just a happy customer!
        
               | archenary wrote:
               | I did this recently. It's pretty straightforward.
               | 
               | First, do a one-time import from Gmail. Fastmail has an
               | import tool that does this over OAuth. Took me ~45
               | minutes to import ~50,000 emails.
               | 
               | Next, setup IMAP and SMTP on Fastmail for your Gmail
               | account. This way, you can continue to receive and reply
               | to emails sent to Gmail, using Fastmail as the client.
               | When replying to an email, Fastmail defaults to the right
               | sender (identity) based on whom the email is sent to
               | (abc@fastmail.com or abc@gmail.com).
               | 
               | An alternative is to setup email forwarding in Gmail, so
               | you get a copy of emails sent to your old address.
               | 
               | If you don't have a custom domain, I highly recommend
               | getting one and use that going forward. There might come
               | a day when you want to migrate off Fastmail. With a
               | custom domain, you just need to update the MX records.
        
               | benhurmarcel wrote:
               | I went through all accounts in my password manager and
               | changed it. Not so bad. It doesn't need to be done
               | quickly.
        
               | wyclif wrote:
               | I would make this Step #1 to the 5 or 6-step processes
               | outlined above. Gets most of the important migration out
               | of the way with a little work the first day.
        
               | CalRobert wrote:
               | Get your own domain, use it for all your email, and in
               | five or so years gmail will be nothing but spam,
               | basically.
        
               | ocdtrekkie wrote:
               | I set up my own domain, and forwarded emails from it to
               | my Gmail account. Over a year and a half, every time I
               | logged into something, I updated the email address to my
               | own.
               | 
               | Eventually, when I jumped to FastMail, I repointed my
               | domain name to it, and most of my new emails started
               | coming over automatically, since the email address is now
               | something I control. I monitored Gmail for a while
               | regularly to catch straggler services. (I chose not to
               | forward to avoid complacency with stuff going to Gmail
               | before reaching my FastMail account.)
        
               | dmit wrote:
               | Here are the steps I've been following:
               | 
               | 1) Sign up for Fastmail.
               | 
               | 2) Sync all mail from GMail account to Fastmail (via the
               | Fastmail web UI; you grant FM access to your GMail data
               | through OAuth - once sync is complete you can revoke this
               | access).
               | 
               | 3) Set up an auto-forward rule in GMail for all incoming
               | mail to go to your Fastmail address.
               | 
               | 4) Set up a rule in Fastmail to put all incoming mail
               | sent to your GMail address into a separate folder (or
               | labeled with a special label if you're signed up for
               | Fastmail's label beta). Any time you get email in that
               | folder, that's a task for you to either unsubscribe or
               | update the corresponding account to your new email
               | address.
               | 
               | I'm currently in month #10 of migration. Most commonly
               | used accounts were updated during the first couple of
               | weeks. But be careful that the tail of services that are
               | still configured to use your old email address tends to
               | be long, and in my experience those are some of the more
               | important emails that you don't want to miss. The ones
               | that are only sent once every couple years.
               | 
               | Also, it really helps if you've been using GMail with a
               | personal domain name (e.g. through Google Apps). In this
               | case migrating is a matter of pointing the MX DNS records
               | to Fastmail's servers. Bonus points: Fastmail allows
               | wildcard recipients, so if you prefer to have unique
               | addresses for each service you sign up for, you don't
               | even need to set up a separate xyz@example.com alias.
               | Just register with <whatever>@example.com and you'll get
               | all email delivered to that address in your inbox, _and_
               | you'll be able to specify it as the sender's address if
               | you decide to reply to some of those mails. Having a
               | separate email address for each web service also makes
               | looking up who leaked what on haveibeenpwned.com more
               | fun.
        
             | michaelbuckbee wrote:
             | Very happy Fastmail user. Not so happy that so many
             | different services don't interoperate with it. Things like
             | Calendly or many standalone Calendar apps.
             | 
             | Seems like it is Apple, Google, Outlook or nothing.
        
               | deadbunny wrote:
               | Maybe I'm missing something but doesn't Fastmail use open
               | standards? For example I access my Fastmail calendar on
               | my phone and desktop using caldav.
               | 
               | Isn't it down to the app to support those standards?
        
             | godzillabrennus wrote:
             | I've used Fastmail for years now on a work account. Its
             | best feature is that it's not Google.
             | 
             | First, no phone support. Hardly acceptable when even Google
             | has this.
             | 
             | Second, no collaboration suite like Drive/Docs.
             | 
             | Third, no addons I'm accustomed to having in my daily
             | driver email suite. Things I miss include schedule to send
             | later, default reply all, and no priority inbox.
             | 
             | I'm stuck using Google for email and maps. I hate google and
             | want to get off them entirely but Gsuite with 1Tb of disk
             | space for my single user personal domain is so powerful and
             | so cheap it's impossible for me to switch without giving up
             | too much.
             | 
             | Google maps I think has some real competition at least. I'm
             | hopeful Apple Maps gets continued improvements so it can
             | get the job done well enough I can drop Google maps this
             | year.
        
               | stilisstuk wrote:
               | I feel a bit different: Email is a standard. You are
               | talking about an app. Send later is the job of the
               | application, not the standard. Same with reply all.
               | Intelligent priority inbox is _hard_ but in principle the
               | same.
               | 
               | When you use gmail you conflate the standard with the
               | app.
        
               | afiori wrote:
               | The point of these discussions is that the standard (IMAP
               | specifically) is inadequate to a lot of modern use.
               | 
               | One good thing that Fastmail is doing is promoting a
               | REST-like IMAP alternative ( https://jmap.io/ ) that
               | makes it easier[1] to go back to the distinction
               | application/protocol.
               | 
               | [1] by this I mean that implementing an app like gmail
               | over IMAP would be a terrible idea, while JMAP would be
               | at least a bit better (it also adds browser support as it
               | allows HTTP as transport layer)
        
               | benhurmarcel wrote:
               | With Fastmail you're essentially buying the app as much
               | as the service.
               | 
               | If you want reliable email service without the nice app,
               | there are much cheaper alternatives.
        
               | r8deoh wrote:
               | Such as?
        
               | lilyball wrote:
               | I largely agree with this, except that "Send Later"
               | really does want some form of server support so it will
               | happen even if you quit the app (especially on mobile).
               | That said, there are third-party apps that do this, such
               | as Spark (though they require storing your credentials on
               | their servers).
               | 
               | Priority inbox is also something that can be done client-
               | side. FWIW FastMail does actually have internal flags for
               | "$ismailinglist" and "$isnotification" that you can
               | access via advanced search, but they don't have any
               | intelligent customization of these flags, no way to tell
               | FastMail "hey this email was categorized wrong". You can
               | write a Sieve script that adds/removes the flags yourself
               | but that only works for stuff you can detect in a sieve
               | script, i.e. no ML. Still, it's better than nothing when
               | using the web app.
        
               | gdrulia wrote:
               | I'm not sure what do you mean by saying "no phone
               | support"? Fastmail has apps for Android and iOS. I use
               | iOS one and it's quite alright.
               | 
               | Did I not understand your statement correctly? Like did
               | you mean that you cannot set it up with other mail apps
               | on the phone?
        
               | Arnavion wrote:
               | Customer support via phone call.
        
               | abofh wrote:
               | How often are you calling support? The only time I've
               | needed them was when I was locked out of the admin
               | account, and there was no way to reach a human.
        
               | Quekid5 wrote:
               | Indeed. I've been using FastMail for email (only) for a
               | couple of years at this point, and I've literally _never_
               | had to contact their support.
               | 
               | It just works.
               | 
               | (I'd actually be more worried about the AU legislation
               | about permissible snooping, but... and I can't believe
               | I'm saying this... It works well enough that I don't
               | care. Most providers have learned to not send actual
               | sensitive info by email.)
        
               | gdrulia wrote:
               | Thanks, this didn't even occur to me.
        
             | archenary wrote:
             | Happy Fastmail user here. I love it for the snappy web
             | client. It's only after I switched that I realized how slow
             | Gmail felt.
        
               | sigmonsays wrote:
               | I'd like to echo similar feedback. After I dropped gmail
               | and went to fastmail i noticed it to be MUCH faster.
               | gmail is my primary personal account. I really
               | appreciated taking control of e-mail again.
               | 
               | i'm happily paying for e-mail and tend to think putting
               | money down ensures I keep myself honest and maintain a
               | workflow. Now I only save e-mails that are important to
               | me, instead of archiving everything.
        
             | mistahchris wrote:
             | I'm also a very happy fastmail user. I don't use the
             | calendar or contacts feature either. But I use the webapp a
             | lot on mobile and it's quite good. I don't even need to
             | download the native app for my phone.
        
           | beervirus wrote:
           | Indeed. I feel about Mozilla the way I felt about Google a
           | decade or two ago.
        
         | Vysero wrote:
         | Wait... why are you encouraging them to charge for it?
        
           | kyawzazaw wrote:
           | it ensures that they have a sustainable revenue stream and
           | won't cave into selling data or shutting down
        
           | rubber_duck wrote:
           | Because running it is not free and paying for it directly is
           | the best way to align interests - you are the customer
           | instead of being the product for advertising and analytics.
        
       | kawsper wrote:
       | I wish Mozilla would also offer a DNS-over-TLS service instead of
       | just offloading it to Cloudflare or NextDNS.
        
       | dx87 wrote:
       | Can't wait for this. The PIA extension stopped working in Firefox
       | months ago, and PIA said they have no ETA for a fix.
        
         | notRobot wrote:
         | PIA was also acquired by a malware company:
         | https://news.ycombinator.com/item?id=21679682
        
       | merge wrote:
       | an alternative is also the https://librem.one/ services run by
       | Purism. VPN, Email and more. All server and client code is at
       | source.puri.sm and it's mostly only rebranded "standard tools".
        
       | solarkraft wrote:
       | It's a rebranding of Mullvad. I'm happy with Mullvad itself, and
       | while I think Firefox is the most important browser I'm not very
       | happy about Mozilla arguably destroying its brand and seemingly
       | pivoting away from maintaining it. I'd directly pay for the
       | development of FF, but not Mozilla's "btw, we now sell
       | $completely_unrelated_product_without_even_an_ethical_business_model".
       | 
       | They seem to be relatively safe from forking though, because
       | apparently the code base is too much of a mess. Yay.
        
         | orra wrote:
         | You say that, but not enough people _do_ directly pay for the
         | development of Firefox. Of course, you are welcome to donate to
         | the Mozilla Foundation.
         | 
         | Also, your complaint about an ethical business model seems
         | unfounded, especially in this instance.
        
           | wasmitnetzen wrote:
           | > you are welcome to donate to the Mozilla Foundation.
           | 
           | Which does not pay for the development of Firefox.
        
             | orra wrote:
             | The Mozilla Foundation annual financial statements include
             | its subsidiary Mozilla Corporation. And most of the
             | Foundation's expenditure is staff costs, for the Firefox
             | project.
             | 
             | If that doesn't satisfy you, note that targeted donations
             | are also a thing.
        
               | RandomBacon wrote:
               | Unless everyone does targeted donations, it's pointless.
               | It's like adding water to one end of a pool and expecting
               | the water level at only that end to rise. If only a small
               | percentage of donators earmark their donation to Project
               | A, then the less money will come out of the general fund
               | for Project A and more from the general fund will go to
               | Project B. The money you just donated didn't increase the
               | budget for Project A, instead the organization just
               | increased the budget for project B.
               | 
               | In other words, targeted donations are not a targeted
               | budget increase.
        
           | solarkraft wrote:
           | > Also, your complaint about an ethical business model seems
           | unfounded, especially in this instance.
           | 
           | I have no concern about the VPN service itself since it's
           | Mullvad which I like, but the devaluation of the branding
           | (which I consider a long term problem).
           | 
           | Look at stuff like Firefox Send and Pocket. The latter is
           | proprietary (holy shit, how is that ethical?) and the former
           | bugs you with in-page pop-ups to get an account when you try
           | to change the settings that looks either very stupid or
           | malicious (and they invested a lot of money). I thought it
           | was a bug at first.
           | 
           | They may sound like specific petty issues, but I consider
           | them symptoms of a gigantic systemic problem.
           | 
           | I am aware of Mozilla's financial struggle, but don't think
           | this is a good way to solve it, or much of a viable one at
           | all. I fear it will completely dilute the Firefox brand, lose
           | core user's trust (what they have left, anyway) and result in
           | barely any revenue. It may well result in the permanent ruin
           | of the Firefox ( _the browser_ ) project, especially since it
           | appears to be 100% dependent on Mozilla because of its high
           | entry barrier.
           | 
           | I do see the _idea_ behind the pivot I think, which is
           | banking on the rising popularity of privacy, but honestly I
           | don't think they even have much of a good reputation on that
           | front. The wide public doesn't know ("Mozilla is like Google,
           | right?") and the techies have been burned too often. Neither
           | do they explain much in their surprisingly widely deployed
           | physical ads (how much did that cost?).
        
       | champagnepapi wrote:
       | "Mullvad respects your privacy and has committed to not keep logs
       | of any kind." How sure can we be here?
        
       | kfreds wrote:
       | Every time the VPN service industry is discussed on HN there is a
       | barrage of comments that use keywords like "honeypot", "snake
       | oil", and "shady". I'm not denying that the industry has
       | problems, but in this thread I'd like to focus on how we can
       | improve it.
       | 
       | Please tell me - What makes a VPN provider trustworthy, and how
       | do you _know_?
       | 
       | Personally I believe a trustworthy provider is _characterized_ by
       | consistent actions that show transparency, honesty, and
       | conscientiousness. Nevertheless, such consistent action doesn't
       | actually prove trustworthiness.
       | 
       | A good VPN honeypot, or reseller of your network traffic, is
       | publicly indistinguishable from a trustworthy one. So what can
       | the users do? What tools, technology, process, or ecosystem do
       | they need to tell honest and dishonest apart? What do we need to
       | build?
       | 
       | We all recognize that VPN providers are in a great position of
       | power over their users. How do we tilt the scales in the users'
       | favor? What are _strong_ signals of trustworthiness?
       | 
       | Disclosure: I co-founded Mullvad.
        
         | maxisme wrote:
         | Sorry to go on a tangent (I believe it is word of mouth and
         | actions of the company like you say):
         | 
         | What is the deal with Mullvad and Firefox? Are they completely
         | using your services but with their name on it? Would you rather
         | a client directly or through Firefox (bit cheaper now in $ )?
        
       | RcouF1uZ4gsC wrote:
       | deleted
        
         | agency wrote:
         | FTA: "we are [...] committing to never track your browsing
         | activities"
         | 
         | But based on your comment it seems like you harbor a deep
         | distrust for Mozilla, in which case obviously you shouldn't use
         | their products?
        
         | notRobot wrote:
         | Yeah this comment makes no sense. That would be terrible
         | publicity for Mozilla.
         | 
         | Also, Reddit uses HTTPS (like every other mainstream website)
         | so Mozilla/Mullvad can't see what you're posting or even what
         | your username is.
        
           | Jonnax wrote:
           | Essentially their former CEO was/is against gay marriage and
           | donated to some organisation that was campaigning against it.
           | 
           | People found out, some employees weren't happy also some
           | sites put up a message when Firefox users visited.
           | 
           | OkCupid (a dating site) straight up blocked Firefox users
           | saying that they prefer users to use other browsers.
           | 
           | So as Mozilla is a company. They decided to get rid of the
           | CEO. Because he was now bad for business.
           | 
           | However for some people in the tech world. This was an
           | unforgivable sin: an attack on free speech.
        
             | opendomain wrote:
             | I think this was a setup.
             | 
             | Brendan Eich is the creator of JavaScript and was the CTO
             | of Mozilla.
             | 
             | He is intelligent and works hard on open source. However,
             | he HAD opposed same sex marriage.
             | 
             | While he was CTO of Mozilla, no one cared. When he became
             | CEO, there was a smear campaign to get rid of him.
             | 
             | I respect his contributions, but not his politics. He has
             | the freedom to say what he believes - I still use Firefox.
             | IMHO this was just an excuse to get rid of him as CEO.
        
               | kelnos wrote:
               | Yeah, I never really understood all the animosity against
               | Mozilla or Firefox around this.
               | 
               | IMO giving money toward homophobic causes is
               | reprehensible, and Eich sounds like someone I wouldn't
               | want to be friends with or work with, but he is not
               | Mozilla and Mozilla is not him.
               | 
               | > _He has the freedom to say what he believes ... IMHO
               | this was just an excuse to get [rid] of him as CEO._
               | 
               | I support the right of employees to hold their executives
               | to high standards, even (especially?) when those
               | standards aren't directly related to the work they do. It
               | was a messy situation and perhaps not handled perfectly,
               | but I don't see anything wrong with the end result being
               | his resignation. Yes, the timing was suspicious (I would
               | have been uncomfortable reporting to him "even" as a
               | CTO), but I would argue more along the lines of "took you
               | long enough" instead of "why is this suddenly an issue
               | now?"
               | 
               | > _... but not his politics_
               | 
               | I really dislike seeing things like this phrased as
               | "politics". Treating other people with respect and giving
               | them equal rights isn't politics, it's basic human
               | decency. I hope in 50 years we look back at this time
               | period and are appalled at how we treated our fellow
               | humans.
        
           | [deleted]
        
           | devwastaken wrote:
           | As long as there's no leaks over http traffic of course.
           | Advertisers are great at data exfiltration.
        
         | LeoPanthera wrote:
         | > promote legal views that Mozilla disagrees with
         | 
         | How would they know?
        
           | simias wrote:
           | The parent is transparently concern trolling so it's not
           | worth engaging with, but to answer your question it's
           | important to remember that VPN providers have access to all
           | of your traffic. Even if you use HTTPS and other encrypted
           | standards you can probably infer a lot of personal
           | information about a user by just monitoring when and where
           | they connect to.
           | 
           | It's even arguably a bit worse than an ISP because any given
           | internet connection may be shared across many users, and
           | users often move between several connections managed by
           | different entities. VPNs, on the other hand, are generally
           | personal and keep tracking you regardless of whether you use
           | your home connection, mobile data or a free WiFi connection.
        
             | LeoPanthera wrote:
             | I know this, I only asked because Mozilla, like most other
             | VPN providers, promises not to snoop on your traffic, so
             | OP's concern boils down to "but what if they're lying?",
             | and you could ask that about virtually any service.
        
       | satoshivpn wrote:
       | What good is a VPN if you have to reveal all of your personally
       | identifiable information to the vendor?
       | 
       | You're better off using Mullvad directly--it looks like they
       | don't require you to fork over personal information to use their
       | service.
       | 
       | Shameless plug: SatoshiVPN (https://satoshivpn.com) gives you
       | access to your own private and anonymous VPN server with Outline
       | pre-installed, no questions asked. Payments in Bitcoin only.
        
         | dewey wrote:
         | > What good is a VPN if you have to reveal all of your
         | personally identifiable information to the vendor?
         | 
         | Because most people's threat model doesn't include actors that
         | can force a VPN provider to give up their data. They just use
         | it because it's making it easier to not get data stolen in a
         | coffee shop and watch US Netflix.
        
           | satoshivpn wrote:
           | If you have two equally great user experiences and in one
           | case you have to share your personal information, and in
           | another you don't, which would you choose?
        
             | dewey wrote:
             | The one where the company behind has a good reputation and
             | seems trustworthy. Like Mullvad where their real address,
             | developers, history and open source projects are available
             | on the website
             | (https://mullvad.net/en/help/no-logging-data-policy/) and they
             | have been around for a while without any scandals that I'm
             | aware of.
             | 
             | If there's a new provider out with no name, company
             | address, audits or history and tells me they are not
             | sharing personal information I just have to take their word
             | for it. So it's not much better than the alternative if I
             | can't verify it.
        
         | umaar wrote:
         | Can you comment on the pricing? Am I understanding correctly
         | that 1 year of your VPN service costs $195 USD?
        
           | satoshivpn wrote:
           | That's correct. Or, $1 for 1 day. Or, 1 hour for free.
        
         | miniyarov wrote:
         | Public VPN services should not be trusted blindly. Online
         | anonymity is very hard. However, you can still create your own
         | VPN server on cloud providers to at least have some privacy
         | while you are on an untrusted network.
         | 
         | Because of this reason, I created https://zudvpn.com - It is a
         | free and open-source mobile application that's used to deploy a
         | private VPN server on major Cloud Providers!
         | 
         | Github repo: https://github.com/zudvpn/ZudVPN
        
         | r3trohack3r wrote:
         | Assuming Mozilla isn't compelled by law to share its entire
         | database of user information on a rolling basis without a
         | warrant, I suspect (in the U.S.) it would be somewhat effective
         | at shielding yourself from bulk metadata collection (government
         | mass surveillance) of your online communications by obfuscating
         | that metadata.
         | 
         | Compare this to your ISP and telecom providers. A subset of the
         | larger providers willingly handed over the communication
         | metadata of their users without warrant.
        
           | satoshivpn wrote:
           | You know what they say about assumptions.
        
             | r3trohack3r wrote:
             | We know as of 2013 this was the case. Participating in the
             | government's bulk metadata collection was voluntary. 2013
             | is a long time ago though.
        
         | asimpletune wrote:
         | Might want to make pricing easier to find.
        
           | satoshivpn wrote:
           | Acknowledged. Thank you!
        
       | miniyarov wrote:
       | Public VPN services should not be trusted blindly. Online
       | anonymity is very hard. However, you can still create your own
       | VPN server on cloud providers to at least have some privacy
       | while you are on an untrusted network.
       | 
       | Because of this reason, I created https://zudvpn.com - It is a
       | free and open-source mobile application that's used to deploy a
       | private VPN server on major Cloud Providers!
       | 
       | Github repo: https://github.com/zudvpn/ZudVPN
        
         | maxisme wrote:
         | But doing this will give you a static IP which will make you
         | even less anonymous.
        
       | badrabbit wrote:
       | So long as it will never have anything to do with Firefox. Using
       | it for work would be risky if they did that.
        
       | koolba wrote:
       | Who is the target market for this in the markets it actually
       | operates (US)?
       | 
       | The only people I know that use VPNs do so to download torrents
       | and evade DMCA notices. And in that case it only really works if
       | the VPN provider is itself located outside of US jurisdiction and
       | collects little to no information about you the user.
        
       | saltedonion wrote:
       | Given the high ethical standard of Mozilla I'm not sure how
       | popular this will be.
       | 
       | For example, a while back there was research showing Nord was
       | setting up users as proxies, thereby making it impossible for
       | Netflix to block these residential IPs.
       | 
       | I don't think Mozilla will do this.
        
         | Semaphor wrote:
         | Well, they use mullvad.net (I'm a customer), and they seem
         | pretty trustworthy while Nord was always the opposite of
         | trustworthy.
        
       | lawnchair_larry wrote:
       | As a security person, I am somewhat baffled by the popularity of
       | VPNs. I have no idea why anyone would use them for general
       | internet usage, and I suspect the majority of VPN service users
       | are misinformed about what they think they are gaining.
       | 
       | Any VPN subscribers want to fill me in? The only thing I can
       | think of is hiding the source of pirated media being shared via
       | bittorrent.
        
         | pomokhtari wrote:
         | A lot of countries block access to websites. US and EU are not
         | the whole world! VPN helps people to circumvent censorship.
         | 
         | I use a VPN daily because without it, there is no
         | Twitter/HackerNews/Reddit/Youtube/... .
        
           | lawnchair_larry wrote:
           | Totally understood for those countries, but it's still hugely
           | popular in the US. That's what I'm wondering about.
        
             | aryonoco wrote:
             | Many ISPs in the US perform DPI, sell anonymized data to
             | marketing companies, slow down YouTube/Netflix when the
             | backend pipes are congested, etc. If you want your ISP to
             | provide you with a dumb pipe and not interfere with your
             | traffic, a VPN is an easy solution.
        
         | hendersoon wrote:
         | There are four primary reasons to use a VPN.
         | 
         | 1) You live in an authoritarian country where mass surveillance
         | is a concern.
         | 
         | 2) Evading geo restrictions. Watching US Netflix while in
         | Europe, etc.
         | 
         | 3) Evading your work's firewall so they don't know you're on
         | Facebook or whatever.
         | 
         | 4) Piracy
        
         | aryonoco wrote:
         | Because my government passed a legislation that forces all ISPs
         | to collect all metadata and to store them and this information
         | is accessible to be searched by a multitude of government
         | departments without a warrant.
         | 
         | I am, in principle, against this policy. When it was proposed, I
         | tried activism and letter writing and meeting with Senate
         | staffers to try and fight it. I lost, it became law with
         | bipartisan support from both major parties here. So now I use a
         | VPN.
         | 
         | You find my usecase baffling?
        
         | dede4metal wrote:
         | I use it to stream stuff on Netflix that isn't available in my
         | country of residence.
        
         | maxisme wrote:
         | Sharing an IP address with a load of other people makes one
         | more anonymous. I know there are lots of different ways of
         | identifying someone online but it is a start. My ISP is also
         | behind a CGNAT so I am also sharing that IP with loads of other
         | people and also most ISPs don't provide static IP addresses so
         | you can't rely on that either but I guess I also trust my
         | VPN provider to handle identifying data more than my ISP as I
         | haven't even given them my name (Mullvad)
        
         | milofeynman wrote:
         | Because in the US at least, part of ISPs' business model comes
         | from deep packet inspection of customers' websites, DNS queries,
         | habits and subsequent selling (or using) that data. If you have
         | a trusted VPN you can prevent that data and privacy siphoning.
         | "trusted" VPN company is a discussion for another time...
        
       | Skunkleton wrote:
       | When you connect to a VPN you advertise the fact that you are
       | connected to a VPN to your local network, and hide your tunneled
       | traffic. The tunneled traffic emerges elsewhere, with the extra
       | encryption removed and proceeds as normal. Basically all a VPN
       | provides is a mechanism to pretend that your butt is in a
       | different seat. You hide your traffic from one network and expose
       | it on another.
       | 
       | If you are on public wifi somewhere and are concerned about
       | traffic that isn't otherwise encrypted (DNS comes to mind), or if
       | your connection is in some way restricted (govt, shitty isp,
       | etc), then a VPN can address these issues. But you have to keep
       | in mind that your new network is similarly untrustworthy.
       | 
       | You might argue that by hiding behind your VPN provider, you are
       | gaining anonymity. This might be true under the best
       | circumstances, but this can _very_ easily break down. For
       | example, the moment you load tracking_pixel.png then you are
       | de-anonymized. That is saying nothing about the shady practices of
       | the VPN providers themselves, or the governments that regulate
       | them.
       | 
       | When people connect to a VPN, especially lay-people, there is
       | this feeling that the VPN is providing security, and privacy.
       | This is largely marketing BS designed to sell more subscriptions.
       | When I connect to a VPN I might be able to obscure my activity
       | from state actors, or avoid some coffee shop's bogus DNS server.
       | What I can't do with a VPN is avoid literally every other form of
       | tracking. And of course if I connect to a VPN, then I should be
       | ok with those same bad-actors knowing I am connecting to a VPN.
       | And I should be OK with the VPN provider being able to monitor my
       | unencrypted traffic. And I should be ok aggregating all of my
       | encrypted traffic into one easy to watch place.
       | 
       | So what is a VPN providing the average consumer? If you want
       | privacy install ad block software, https everywhere, enable DoH,
       | don't log into social media sites, and clear your browser's cache
       | frequently. If you want to avoid a state actor, then your best
       | hope is probably something like Tor Browser.
        
       | pythonbase wrote:
       | And there are countries that force users to get their VPNs
       | registered.
       | 
       | https://www.pta.gov.pk/en/media-center/single-media/public-n...
        
       | ryanmarsh wrote:
       | If it's terminating at a host you don't control _it ain't
       | private_.
        
       | jrockway wrote:
       | I am surprised at how much money exists in the VPN industry.
       | Whenever I watch even a mildly-popular YouTube video, it always
       | has an advertisement for the latest VPN provider. As far as I can
       | tell, there is only one reason there is this much money in the
       | field -- to subscribe to US-based video streaming services from
       | outside the US. But they never ever say that that's the reason,
       | they always say things like "work from home securely" or "avoid
       | being tracked". But, of course, your IT department already has a
       | secure VPN for working from home, and that Facebook cookie works
       | regardless of what your IP address is. In general, the sell of
       | "you can't trust your network provider, so pay for an additional
       | network provider that doesn't keep logs and only accepts payment
       | in Bitcoins," doesn't seem particularly strong to me. Of course
       | you can't trust the network layer. Nobody trusts the network
       | layer. That is why we have TLS. (Anyone remember "wired
       | equivalent privacy" when WiFi was a cool and new thing? Turns out
       | wires don't offer much privacy.)
       | 
       | So why people are buying this service confuses me.
       | 
       | I am also confused at why people can run these services so
       | cheaply. I looked into doing it myself (I had some ideas for
       | actual value add), and the economics didn't seem that good. There
       | is a lot of software between "ifup wg0" and "collect money from
       | people that want a VPN". It seems expensive to write all that,
       | unless a "yolo" strategy of starting up openvpn and setting up a
       | couple NAT rules actually scales. (At the very least, you need to
       | be able to distribute keys to pre-built clients, and if you want
       | to make it smooth, you are looking at writing your own
       | Windows/Mac/Android/iOS clients. Then you need all the business
       | management software on top of that -- didn't get the Bitcoins so
       | delete their private key, etc.) It seems like quite a bit of work
       | that is quite expensive.
       | 
       | But these things exist left and right and have huge advertising
       | budgets. So obviously I am misunderstanding something.
        
         | imglorp wrote:
         | I think you're right, a lot of VPN usage has to do with
         | circumventing some tiered, segmented, bullshit content provider
         | restrictions such as region or schedule or device type.
         | 
         | The fact that all these people are paying for a service plus
         | VPN means the services are leaving money on the table. If they
         | would simply offer what we want, when we want, where we want
         | it, on the device we want, on a single service without a
         | hassle, many consumers would be lined up for that.
        
         | laughinghan wrote:
         | No, your premise is wrong, all major browsers have committed to
         | removing third-party cookies, or have already done so. And
         | after third-party cookies, your IP address is the next-easiest
         | way to track you across sites.
         | 
         |  _that Facebook cookie works regardless of what your IP address
         | is_
         | 
         | Firefox has been blocking third-party cookies by known
         | trackers, including Facebook, since last year [1]. Safari
         | started blocking all third-party cookies (not just known
         | trackers) in March [2], and Chrome committed in January to work
         | towards removing third-party cookies [3].
         | 
         | And of course, all major browsers have provided the option to
         | block third-party cookies since before IE6. I use this option,
         | it rarely breaks things, and it's only getting rarer--and I
         | don't use a VPN, so this would make me measurably harder to
         | track across sites.
         | 
         | [1]: https://blog.mozilla.org/blog/2019/09/03/todays-firefox-bloc...
         | [2]: https://webkit.org/blog/10218/full-third-party-cookie-blocki...
         | [3]: https://blog.chromium.org/2020/01/building-more-private-web-...
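
The two comments above disagree on whether a cookie or the IP address is what links a user across sites (jrockway: the cookie works regardless of IP; laughinghan: with third-party cookies blocked, the IP is the next-easiest identifier). The toy model below is an added example, not part of the thread; every name, address and the clustering rule is a constructed assumption.

```python
"""Toy model (constructed data): what a third-party tracker can link, with and
without a VPN, and with third-party cookies allowed or blocked."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# Documentation-range addresses (RFC 5737); every value here is made up.
HOME_IP = {"alice": "198.51.100.7", "bob": "198.51.100.8", "carol": "198.51.100.9"}
CAFE_IP = "192.0.2.33"       # alice reads the forum from a cafe network
VPN_EXIT = "203.0.113.50"    # one exit address shared by every VPN user
SITES = ("news.example", "shop.example", "forum.example")


class Hit(NamedTuple):
    user: str                # ground truth, never visible to the tracker
    site: str                # page that embedded the tracker's pixel
    src_ip: str              # address the tracker's server sees
    cookie: Optional[str]    # third-party cookie; None when the browser blocks it


def simulate(vpn: bool, third_party_cookies: bool) -> List[Hit]:
    """Three users each load the tracker's pixel on three sites."""
    hits = []
    for user in HOME_IP:
        for site in SITES:
            if vpn:
                ip = VPN_EXIT
            elif user == "alice" and site == "forum.example":
                ip = CAFE_IP             # roaming changes the visible address
            else:
                ip = HOME_IP[user]
            cookie = f"id-{user}" if third_party_cookies else None
            hits.append(Hit(user, site, ip, cookie))
    return hits


def tracker_profiles(hits: List[Hit]) -> Dict[Tuple[str, str], List[Hit]]:
    """Cluster hits as the tracker would: by cookie if one was sent, else by IP."""
    profiles = defaultdict(list)
    for h in hits:
        key = ("cookie", h.cookie) if h.cookie else ("ip", h.src_ip)
        profiles[key].append(h)
    return dict(profiles)


def exposure(hits: List[Hit], user: str) -> Tuple[int, int]:
    """Return (sites of `user` linked in the tracker's largest profile of them,
    number of other users mixed into that same profile)."""
    best_sites, best_others = set(), set()
    for members in tracker_profiles(hits).values():
        sites = {h.site for h in members if h.user == user}
        if len(sites) > len(best_sites):
            best_sites = sites
            best_others = {h.user for h in members} - {user}
    return len(best_sites), len(best_others)


def run_all(user: str = "alice") -> Dict[Tuple[bool, bool], Tuple[int, int]]:
    """Exposure of `user` for every (vpn, third_party_cookies) combination."""
    return {
        (vpn, cookies): exposure(simulate(vpn, cookies), user)
        for vpn in (False, True)
        for cookies in (True, False)
    }


if __name__ == "__main__":
    print(f"{'VPN':<6}{'3p cookies':<12}{'sites linked':<14}{'others in profile'}")
    for (vpn, cookies), (sites, others) in run_all().items():
        print(f"{str(vpn):<6}{str(cookies):<12}{sites:<14}{others}")
```

With cookies allowed, all three of alice's sites are linked with or without the VPN; with cookies blocked, the VPN is what moves her from a mostly unique IP-keyed profile into one shared with the other exit users.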
        
         | alteria wrote:
         | They must massively oversubscribe their services, far beyond
         | ISPs. The advertising probably brings in a lot of profitable
         | users who aren't pushing tons of BitTorrent traffic as well.
         | With the insanely high affiliate commission they're offering I
         | can't think of another way.
        
           | ipython wrote:
           | The conspiratorial side of me says that they have alternate
           | revenue streams as well. Why should only google get that
           | sweet cash from a steady stream of user data?
        
         | toohotatopic wrote:
         | 1Tbyte for $1-$0.5, that gives you 30Gbyte per day. At $5
         | resale, there's some room for profits.
         | 
         | If I am not mistaken, that's 10 hours of video streaming in
         | excellent quality per day.
        
           | TechBro8615 wrote:
           | The VPN providers are not paying per gb. They are paying for
           | IP transit, probably in the range of 50c / mbps. They make
           | money by oversubscribing, just like any ISP.
        
       | surround wrote:
       | > At Mozilla, we are working hard to build products to help you
       | control of your privacy and stay safe online.
       | 
       | > We know that we are on the right path to building a VPN that
       | makes your online experience safer
       | 
       | Commercial VPNs are good for censorship circumvention or location
       | spoofing. It is irresponsible to market VPNs as something which
       | "protects" you online. In reality, they do _nothing_ to improve
       | security, and very little to improve privacy.
       | 
       | You do not need a VPN.
       | 
       | https://gist.github.com/joepie91/5a9909939e6ce7d09e29
       | 
       | https://schub.io/blog/2019/04/08/very-precarious-narrative.h...
        
         | ryantgtg wrote:
         | The "Don't use VPN services" argument is weak because it
         | doesn't acknowledge one of the most common reasons for using a
         | VPN: avoiding DMCA notices.
        
           | surround wrote:
           | That's what I said. VPNs are good for "location spoofing,"
           | i.e. changing your web-facing IP address to a different
           | region. VPNs are great for this purpose.
           | 
           | The issue is, VPN companies (Mozilla included) are marketing
           | their service as one that improves your safety when it
           | doesn't.
        
             | ryantgtg wrote:
             | The value of location spoofing is to access
             | geographically-restricted content (like a netflix show that is
             | available
             | through their service in Europe but not the US), not to
             | avoid DMCA notices. VPNs are valuable for avoiding DMCA
             | because it hides from your ISP (the entity serving you the
             | notice) what you are torrenting.
        
         | crazygringo wrote:
         | Agreed -- they provide some _tiny_ specific benefits for
         | security (e.g. against Wi-Fi hacking if accessing a site over
         | HTTP, rare these days) and privacy (no geolocating), but the
         | Mozilla copy says:
         | 
         | > _feel empowered, safe, and independent while being online_
         | 
         | Huh? This is doing _nothing_ to protect me from _any_ of the
         | common attacks. It's not wiping my cookies. It's not
         | anonymizing my browser fingerprinting. It's not blocking
         | analytics or tracking. It's _certainly_ not protecting my
         | credit card details or password from being hacked from a
         | website's server.
         | 
         | Am I more "empowered"? "Safe"? "Independent"? What is this
         | nonsense marketing fluff?
         | 
         | To market this as being able to control my privacy or stay safe
         | online is just _completely_ disingenuous. Mozilla should be
         | ashamed for trying to imply such strong claims that are just
         | false.
        
         | danShumway wrote:
         | > In reality, they do nothing to improve security
         | 
         | This is a bad take. I don't have the energy/time to go too in
         | depth at the moment, but I've commented in more detail in the
         | past. The short version:
         | 
         | - HTTPS isn't perfect, sites sometimes support old encryption
         | protocols that can leak resource information. Most users aren't
         | checking packets from native apps to ensure they're being sent
         | over HTTPS, and browsers don't mark sites that are configured
         | for old SSL/TLS versions as insecure.
         | 
         | - Most people aren't currently using encrypted DNS, and even as
         | browsers like Firefox and Chrome move to turn it on by default,
         | there will still be tons of older devices and native
         | applications that lag behind.
         | 
         | - VPNs only encrypt your connection from you to the provider,
         | but the space between you and the provider is the part that's
         | most likely to be targeted by attackers. You are far more
         | likely to accidentally send a plaintext POST request to an
         | infected router than you are to be targeted by a nation-state
         | actor on the open web.
         | 
         | - VPNs aren't just for hiding what sites you visit from your
         | ISP, they're also for hiding your IP address. The linked claim
         | that IP addresses are irrelevant is just outright wrong, IP
         | addresses are extremely helpful for doxing, and sites like
         | forums don't always secure them[0]. If you know my IP address,
         | you'll be able to get surprisingly close to my real address.
         | 
         | A VPN on its own will not protect you or provide you with a
         | noticeable privacy increase. And a VPN should not be the first
         | thing you reach for if you're trying to improve your privacy.
         | But if you're already using an adblocker, if you're already
         | taking steps to mitigate tracking in Firefox, if you're already
         | disabling JavaScript on most sites, if you're already avoiding
         | native apps that break the browser sandbox or engage in
         | hardware tracking, you do eventually reach a point where your
         | IP address is a concern you will want to address.
         | 
         | Ask yourself a few questions:
         | 
         | - If IP addresses don't actually matter for tracking, then why
         | is TOR wasting so much time and energy trying to mask them?
         | 
         | - If masking an IP address doesn't provide any extra privacy,
         | why do some services like Google Captcha penalize shared IP
         | addresses?
         | 
         | - If IP addresses don't matter for tracking, why are so many
         | sites using IP bans at all?
         | 
         | The answer is that IP addresses _do_ matter, they're just not
         | the _only_ thing that matters.
         | 
         | ----
         | 
         | [0]: https://danshumway.com/blog/gamasutra-vulnerabilities/
        
         | r3trohack3r wrote:
         | I see this take a lot. Serious question: doesn't the U.S.
         | government surveillance program focus on collecting
         | communication metadata for U.S. citizens? While it isn't clear
         | what that metadata includes, we do have examples of past
         | programs that have leaked (and the legal theory used to justify
         | them) to guide us.
         | 
         | Given what we publicly know about these surveillance programs I
         | could see FISC approving bulk metadata collection for the IPv4
         | header content, insecure HTTP header content, and DNS queries.
         | 
         | Wouldn't using a VPN, DNS over HTTPS, and HTTPS everywhere
         | shield you from these bulk metadata collection programs? I run
         | https://everytwoyears.org, a political non-profit focused on
         | ending these programs, and I view VPNs as a key technical piece
         | of preventing these metadata collection programs from
         | functioning; if the security community doesn't believe they are
         | effective, I would really like to know!
         | 
         | Another way of saying this: collecting _content_ of a
         | communication requires a warrant (and our mass surveillance
         | programs respect that from what we publicly know). Most people
         | that I know aren't trying to avoid active (we have a warrant to
         | search you) monitoring with a VPN, but trying to avoid passive
         | warrantless monitoring. Obscuring communication metadata
         | through encryption and tunneling seems to be an effective way
         | of doing this.
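
Added example (not part of the thread or of any commenter's post): what a passive observer on the access network can read without decrypting anything, using the IPv4 header and plaintext DNS query fields named in the comment above. The packets, addresses and ports are constructed samples, and zero bytes stand in for tunnel ciphertext.

```python
import socket
import struct

def build_ipv4_udp(src, dst, sport, dport, payload):
    """Build a minimal IPv4+UDP packet (checksums left at 0; constructed sample)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return ip + udp

def build_dns_query(name):
    """Build a plaintext DNS A-record query for `name`."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_qname(dns):
    """Read the first question name from a DNS message (queries carry no compression)."""
    labels, i = [], 12
    while i < len(dns) and dns[i] != 0:
        n = dns[i]
        labels.append(dns[i + 1:i + 1 + n].decode("ascii", "replace"))
        i += 1 + n
    return ".".join(labels)

def observer_view(packet):
    """Return the metadata an on-path observer can read from the cleartext headers."""
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    view = {"src": socket.inet_ntoa(packet[12:16]),
            "dst": socket.inet_ntoa(packet[16:20]),
            "proto": proto, "dns_name": None}
    if proto == 17 and len(packet) >= ihl + 8:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        view["dport"] = dport
        if dport == 53:  # plaintext DNS: the queried name is readable
            view["dns_name"] = parse_qname(packet[ihl + 8:])
    return view

# Constructed sample traffic (documentation address ranges, hypothetical ports).
CLIENT, RESOLVER, VPN_ENDPOINT = "192.0.2.10", "198.51.100.53", "203.0.113.7"
plain = build_ipv4_udp(CLIENT, RESOLVER, 40000, 53, build_dns_query("example.org"))
# Inside a tunnel the whole inner packet is ciphertext; zero bytes stand in for it here.
tunneled = build_ipv4_udp(CLIENT, VPN_ENDPOINT, 40001, 51820, bytes(len(plain)))

if __name__ == "__main__":
    print("no VPN :", observer_view(plain))
    print("tunnel :", observer_view(tunneled))
```

With the tunnel up, the access-network observer sees only the client-to-endpoint flow; the queried name is visible on the VPN provider's side of the tunnel instead.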
        
           | PureParadigm wrote:
           | If I were a government trying to gather metadata about web
           | usage, the first thing I'd do is set up or acquire my own VPN
           | company (and make it look convincing, of course).
        
             | [deleted]
        
           | surround wrote:
           | This is a good question and I would like to discuss it.
           | 
           | If the government is able to passively collect metadata from
           | your ISP, couldn't they do the same thing with a VPN company?
        
             | r3trohack3r wrote:
             | The original form of the Presidential Surveillance Program
             | didn't compel service providers to share this metadata. The
             | providers willingly shared it. There is a reference to a
             | service provider backing out of the agreement several years
             | after it started stating they would feel more comfortable
             | continuing to share their data if the government compelled
             | them.
             | 
             | This may have changed since 2013.
        
         | [deleted]
        
       | cameronperot wrote:
       | A little late in the game, but they're a brand I would hold in
       | higher regard than 99% of the other providers out there. I
       | believe that a lot of people misunderstand what exactly a VPN is
       | and what scenarios it offers benefits of use in. I personally
       | host my own VPN on a lowendspirit server [1] for when I'm on an
       | untrusted WiFi network or I need to have an IP in the US (it
       | comes in handy as a US citizen living abroad). I also use a VPN
       | sometimes when I have a dev server (hosted on the server itself)
       | that I'm developing/testing on since being on the same network as
       | the server makes things easier, e.g. having a container with an
       | API bound to the VPN network so that I can access it easily and
       | without it being public facing.
       | 
       | Of course there's also the shady side of VPN use. If you're doing
       | that it might be beneficial to use the VPN within a VM with
       | strict firewall rules, i.e. only allow incoming/outgoing to/from
       | the VPN. Doing so allows you to only send the traffic you want to
       | over the VPN, thus reducing your exposure to any nefarious data
       | collection that the provider might be doing.
       | 
       | [1] https://lowendspirit.com/
        
       ___________________________________________________________________
       (page generated 2020-06-18 23:00 UTC)