[HN Gopher] Mozilla VPN
___________________________________________________________________
Mozilla VPN
Author : caution
Score : 624 points
Date : 2020-06-18 17:09 UTC (5 hours ago)
(HTM) web link (blog.mozilla.org)
(TXT) w3m dump (blog.mozilla.org)
| mulmen wrote:
| This is a hard pass from me.
|
| Mozilla controls my browser. I have no interest in giving them control over any other part of my online life.
|
| I like how Mozilla is run and hope other organizations emulate them to provide these other essential services.
| e12e wrote:
| What an odd choice from Mozilla and Mullvad to segment this based on geography. Can you use it while traveling outside the US? Why not simply have a wait list? Mullvad already operates globally - what is the reason for the geofence? Is Mozilla not able to accept payment outside the US? (maybe not able to pay taxes?)
| johnklos wrote:
| Why the hell would anyone trust mozilla.org while they work tirelessly to make money?
|
| Google, who are unapologetically pro-money, at least listened to feedback about DoH.
| kelnos wrote:
| > _Why the hell would anyone trust mozilla.org while they work tirelessly to make money?_
|
| In what fantasy world do you live where hosting services and building products costs zero dollars? Not sure how Mozilla could operate at all without making money.
| johnklos wrote:
| Downvote without a response. Seriously - where does this magical trust come from, when we've seen Mozilla do what's against the interests of normal people in favor of doing what they can do to make money or to push traffic towards people who make money?
| sequoia wrote:
| "For example, over 70% of early Beta-testers say that the VPN helps them feel empowered, safe, and independent while being online."
|
| What have these "feelings" got to do with anything? This is a measure of successful marketing and has nothing to do with the product or its efficacy.
|
| Personally I use Windscribe and I really like it (I've used PIA & Mullvad in the past). I use it for watching US Netflix and to make it _slightly_ less easy to track me on the net (I know there are many other ways). I also like the idea of not having my IP or the gov't spy on me _as easily_.
| abvdasker wrote:
| I would counter that how safe people _feel_, and to what extent they have an expectation of privacy online will determine their behavior. The technical effectiveness of the product is one thing, but how users perceive it will determine whether it offers them any real benefit. These things do matter.
|
| Remember Foucault's panopticon: If someone merely thinks they _might_ be surveilled their behavior will change in profound ways. More concretely, if you think the government may be spying on your browsing habits, maybe there are sites you won't visit or comments you won't post or videos you won't watch. It's important not only that the product works, but that people _feel_ it works so that they can behave more freely on the internet.
| cambalache wrote:
| It sounds like a sanitary pad ad.
| nprateem wrote:
| People buy on emotions
| bredren wrote:
| What was the 500 startup guy's phrase?
|
| A product has to get you "Made, Paid or Laid"
|
| Where Made was like a sense of positive promotion like a made-man in the mob I think.
|
| Emotion is everything. If a product doesn't make you feel good you'll only buy it because you have to.
| Romanulus wrote:
| ... and sell!
| dx87 wrote:
| I think "feeling" safe is an important component of a product. Of course the product has to also be effective, but if it's effective and people still don't trust it, then they won't use it. A good example of a similar situation is in the US military where we had to do yearly chemical weapons training that involved putting on a gas mask in a room filled with tear gas.
| The gas masks were already proven to work, but one purpose of the training was to make sure people trusted their equipment to keep them safe, making it more likely for them to use it when needed.
| untog wrote:
| This is marketing copy. Criticizing it for being marketing copy is surely a little redundant. Besides, feelings matter. If the majority of VPN users felt that the security provided by the VPN was not worth the effort involved in using it, then that would indicate a failed product. Ignore that at your peril.
| maallooc wrote:
| Tech became toxic years ago. Instead of facts and data, feelings and diversity matter.
| smichel17 wrote:
| === edit because I feel this comment is not substantive enough / engages with a strawman version of your comment ===
|
| I understand you're talking about where those feelings _come from_ -- ie, that the feelings are more useful information when backed by the reason for them. And you do provide some of that in your post (privacy, watching US Netflix). But those are things that any trustworthy VPN with US-based endpoints can provide, so they're not a unique selling point, which means your recommendation basically boils down to unsubstantiated feelings again, to which:
|
| === Original comment ===
|
| I don't use a VPN and have no horse in this race, but surely you see the irony in:
|
| > What have these "feelings" got to do with anything?
|
| Followed by
|
| > I use Windscribe and I really like it.
| sequoia wrote:
| "unsubstantiated feelings" heh, that's a pretty ungenerous/rude way of putting it. Here's a better way: "Can you explain why you like Windscribe? You say you've used other providers, how is Windscribe different?" If you're not clear on something it's always best to ask for clarification before accusing the other party of fabrication or making "unsubstantiated" claims.
|
| So why do I like Windscribe? Good question!
| I like the ease of use of Windscribe clients compared to other VPN clients I've used, the fact that I can add many devices, and the fact that it has endpoints in lots of countries. I had trouble with both the PIA & Mullvad clients & configuration on my desktop and phone eventually. I don't require much, as you say VPN is a commodity product, I just want it to be easy to use & Windscribe is and they seem committed to adding features & fixing bugs. I also have met the team, they're local to me, and they seem trustworthy.
|
| I'm not sure if you read TFA, but here's the context of what I highlighted:
|
| > We started working with a small group of you and learned a lot. With the VPN in your hands, we confirmed some of our initial hypotheses and identified important priorities for the future. For example, over 70% of early Beta-testers say that the VPN helps them feel empowered, safe, and independent while being online.
|
| "we confirmed some of our initial hypotheses and identified important priorities for the future ... Beta-testers say that the VPN helps them feel empowered, safe, and independent"
|
| What type of initial hypotheses might have been confirmed by learning that people "feel empowered" by using a VPN? This is what I don't understand. Of course users motivated enough to try a beta VPN product like using VPNs - I'm not sure what insight that adds. Can you help me connect the dots here?
|
| My feelings about a VPN provider based on personal experience is not beta testing that "proves" a product. Mozilla suggests here that these "feelings" prove "confirm their hypothesis" and put numbers next to the feelings, like 70%. I am questioning the relevancy of these numbers & it strikes me as pseudo-scientific to put these numbers in the intro as some sort of proof that their product has value. Throwing up meaningless numbers like this gives me the impression of smoke and mirrors/bullshit.
| smichel17 wrote:
| > "unsubstantiated feelings" heh, that's a pretty ungenerous/rude way of putting it.
|
| Thank you for the feedback. It wasn't meant to be rude, but I see now how it can be interpreted that way (particularly with the unedited original comment below, which was intended to be... not rude, but let's say, harsher than I'm proud of, a few hours later). Text is hard -.-
|
| Asking clarifying questions instead is a good suggestion. Your answers are good, too; if I'm ever in the VPN market, I'll put Windscribe on my shortlist to research more thoroughly.
|
| > I'm not sure if you read TFA
|
| I have not and do not currently intend to. I checked in with the comments because I was curious how it would be received. I replied to your comment because I was frustrated at what seemed to be hypocritical criticism. I still think your original comment is light on detail/justification, so I'm happy my reply, however rude and imperfect, led to your second comment, which is the type of thing I was hoping to find when I opened the thread :)
| haunter wrote:
| Every single time I start researching VPN services I end up more confused and with more questions than before because basically every vouched service has the same amount of negative comments too. Like feels like the whole sector is a honeypot (lol) of shady stuff and also they're fighting against each other (or not?). So I just wait until when turns out Mullvad is also one of the bad guys.
| miniyarov wrote:
| Public VPN services should not be trusted blindly. Online anonymity is very hard. However, you can still create your own VPN server on cloud providers to at least have some privacy while you are on an untrusted network.
|
| Because of this reason, I created https://zudvpn.com - It is a free and open-source mobile application that's used to deploy a private VPN server on major Cloud Providers!
|
| Github repo: https://github.com/zudvpn/ZudVPN
| neilv wrote:
| Some reasons you might get some negative vibes from looking into consumer VPN services:
|
| * Some consumer VPN services have been found to be doing sketchy things. And you can imagine the business is attractive to people intending to do sketchy things, since it's a powerful/lucrative position to be in right now. (In addition to the business possibly being attractive to people just wanting to provide a useful and honest service for a fair price.)
|
| * There seem to have long been referral kickbacks by some consumer VPN services, which I assume is the cause of some of the huge amounts of noise on the Web and such about them (e.g., search hits on some non-VPN topics, such as some home theatre search terms, overwhelmed by SEO articles, the purpose of which is to then herd the reader towards particular VPN services with a kickback). Even some endorsements by organizations might essentially be more about revenue than about merits.
|
| * I speculate that it doesn't help if one of the main historical uses of consumer VPNs has been for activity that would be considered copyright-violating in the US (e.g., unauthorized trading of video files, or circumventing region restrictions). Without making any moral judgments, I think it's fair to say that constitutes "conscious rule-breaking" for some, so I wouldn't be surprised if there's a disproportionate culture of rule-breaking around the whole space.
| pipermerriam wrote:
| I use ProtonVPN. Same company as ProtonMail. Highly reputable with a business model around doing privacy and encryption well.
| helloooooooo wrote:
| NordVPN shares offices in Estonia with ProtonVPN. For that reason I find it sketchy.
| nix23 wrote:
| >NordVPN shares offices in Estonia with ProtonVPN
|
| What really? Some proof for that?
| ProtonVPN and ProtonMail is located in Switzerland Geneve, I don't see any open positions for Estonia
|
| https://careers.protonmail.com/
| gzer0 wrote:
| I would like to read more about this, do you have a source?
|
| I cannot find anything reliable that suggests this! Thanks.
| E5JBK7UJPT wrote:
| https://www.reddit.com/r/ProtonVPN/comments/8ww4h2/protonvpn...
| rmrfstar wrote:
| Link. Please.
| jorge-d wrote:
| IMHO ProtonVPN (and Mail) are the perfect honeypots
| nix23 wrote:
| I call that bullshit until you have a single proof for that.
|
| Everything is opensource, the data s are located in Switzerland on their own hardware. They have open communication and a yearly transparency report:
|
| https://protonmail.com/blog/transparency-report/
| _threads wrote:
| How/why?
| [deleted]
| gzer0 wrote:
| ProtonVPN provides the source code for their desktop and mobile clients in their GitHub organization [1]. Yes open source != safe; however this level of transparency is at least a step in the right direction.
|
| They also have regularly been audited by independent organizations that are openly available for the public to see their compliance [2][3][4][5][6].
|
| Do you have any evidence to suggest that they are honeypots?
|
| [1] https://github.com/ProtonVPN
|
| [2] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...
|
| [3] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...
|
| [4] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...
|
| [5] https://protonvpn.com/blog/wp-content/uploads/2020/01/Proton...
|
| [6] https://protonvpn.com/blog/open-source/
| 29athrowaway wrote:
| And how do you know if what they built is exactly what's in that source?
| cambalache wrote:
| Hehe, exactly, oldest trick in the trade
| gzer0 wrote:
| You seem to not have read my comment. I said open source != safe or trusted.
|
| You can download the entire repository, and self compile yourself after you inspect the code.
| Jonnax wrote:
| Ask yourself why you want a VPN.
|
| Is it to avoid your ISP collecting browsing data off you and selling it?
|
| Perhaps using 8.8.8.8 or 1.1.1.1 as your DNS might be good enough.
|
| Is it to watch geo region blocked videos?
|
| Then pretty much any service will work for you. Except that video streaming sites have caught on and blocked hosting provider IP blocks. So that might require you to shop around.
|
| Do you want the most privacy or want to get around blocking?
|
| Then get a VM from a provider and configure a VPN to it. Wireguard works fine.
|
| Want to do something illegal?
|
| Don't expect a VPN to save you.
| jcul wrote:
| Though the last option doesn't give you anonymity. It just gives you privacy from your ISP. Any services you connect to can tie you to the IP of your VM. Sometimes the shared IP of a VPN provider might be desirable.
| 29athrowaway wrote:
| Your ISP can sniff your DNS traffic as it is just a plaintext protocol.
| Maximus9000 wrote:
| > Is it to avoid your ISP collecting browsing data off you and selling it? Perhaps using 8.8.8.8 or 1.1.1.1 as your DNS might be good enough.
|
| Wouldn't your ISP still see what IPs you are visiting? Then, your ISP could just reverse DNS that IP to get the domain name, right?
| sriram_sun wrote:
| This time when I changed internet service providers from Cox to AT&T fiber, I was shocked to find that I could not change my DNS to point to the OpenDNS servers!
| ahnick wrote:
| AT&T requires you to use their DNS? Did you try doing DoH to bypass?
| vocatus_gate wrote:
| Not necessarily, many sites are hosted on the same VPS, or the IP could just be one of 5000 CloudFlare servers serving up the page you requested.
| offmycloud wrote:
| Maybe, but most ISPs are lazy/cheap and can't do a full-take packet capture of all customers data at the same time.
| The ones that I have seen usually have a custom or logging DNS server that associates each domain request with a customer account. So yes, in many cases, changing your DNS server is enough to avoid the larger DNS sniffing operations. You should also use an IP check query to make sure that you are really using the DNS server you think, and that you're not being DNATed back to your ISP's DNS server.
| Skunkleton wrote:
| DNS is super trivial to redirect. I've been on ISPs that redirect _all_ DNS traffic to their servers regardless of where it was sent. The best solution here is to switch to DoH. Of course then your DoH provider gets to log all of that sweet info instead.
| Spivak wrote:
| Not if you run your own DoH endpoint on a VPS!
| Skunkleton wrote:
| I have my own unbound running on a VPS. My network intercepts all port 53 traffic, filters out ad servers, and then forwards over wireguard to my VPS. I should probably enable DoH as well. I'm feeling kind of lazy about it though.
| sigio wrote:
| Most ISPs wouldn't care... and they shouldn't
| cgb223 wrote:
| > Is it to avoid your ISP collecting browsing data off you and selling it? Perhaps using 8.8.8.8 or 1.1.1.1 as your DNS might be good enough.
|
| 8.8.8.8 is Google's DNS so you're really just trading being tracked by an ISP to a giant advertising company...
| jwilk wrote:
| And then it's a shitty trade, because your ISP still can track you without much difficulty.
| kd913 wrote:
| Not just track you, some ISPs will simply redirect all UDP port 53 DNS packets to their own DNS anyway.
| jefftk wrote:
| The privacy policy for 8.8.8.8 is actually really good: https://developers.google.com/speed/public-dns/privacy I wish more google products were so explicit in what they log and for what purposes.
|
| (Disclosure: I work for Google)
| johnklos wrote:
| Not related to this thread: Do you have any way to communicate with actual humans inside of Google who can do anything? There are demonstrable issues with 8.8.8.8, yet I cannot get anything but the occasional form response from every address I've tried.
| jefftk wrote:
| If you wanted to describe what was wrong, in a way that I can reproduce it, I could file a bug, yeah
| deepbreath wrote:
| Could you point what you believe to be the issues in the thread?
| beagle3 wrote:
| As long as you don't use encrypted DNS (e.g. DoH) it doesn't matter which DNS server you use - the ISP sees your requests and the replies, and then sees you accessing the returned IP within 10 seconds.
|
| Also, unless it's behind Cloudflare, most nontrivial sites today have a unique IP so even with DoH there's a good probability any specific site will be identified.
|
| If you want your ISP to stay ignorant of where you surf, you MUST have a VPN.
| kd913 wrote:
| Just FYI just setting your DNS to 8.8.8.8 or 1.1.1.1 may not do that much. Not only is DNS in plaintext, but some ISPs simply redirect all port 53 DNS requests to their own DNS.
|
| If you want privacy with your DNS, you should set up DoH using dnscrypt-proxy or perhaps DNS over TLS.
|
| Personally, I think a better strategy with this whole vpn aspect is to just set up a vpn with pis in various countries + pihole. At least that way I know what the setup is happening in each locations and what expectations of privacy I can expect.
| eli wrote:
| T-Mobile US was definitely doing this at one point: silently rerouting popular third-party DNS services back to their servers
| __turbobrew__ wrote:
| Unless you are using a VPN/Wireguard/Proxy your ISP can simply look at the source address on the IP packets and do a reverse IP lookup to find out what site you are accessing. Doesn't matter if you are using DoH, DNS over TLS, DNSCRYPT, etc....
|
| At a conference I was talking to one of the OpenDNS engineers on the DoH project and when I asked "so how does DoH help snooping if people can just look at IP headers?" they conceded that it really doesn't help if someone is determined to snoop.
| xrisk wrote:
| Doesn't work with a large number of sites because of Cloudflare.
|
| Edit: it _is_ easy to read the destination address from TCP packets though.
| __turbobrew__ wrote:
| Yea, you are correct. I got it mixed up, your ISP would look at the destination address of outgoing packets from your home.
| rakoo wrote:
| Additional use case: you want to self host at home? A VPN will give you a public, stable IP address without having to fiddle with your router and opening ports and NAT-punching and friends
| [deleted]
| badRNG wrote:
| >Want to do something illegal? Don't expect a VPN to save you.
|
| I'm not condoning piracy, but VPNs are generally a foolproof way to avoid DMCA letters from your ISP. Privacy means something different to every individual, everyone's threat model is different. And many models can benefit from a VPN; journalists, activists, and many others might find benefit from using a VPN.
| resfirestar wrote:
| Yeah, I think "VPNs won't protect you from the law" is far too broad a brush to paint with. There's no credible evidence that these services won't prevent a court or regular law enforcement from tracing an IP to a name without some specific arrangement to unmask you beforehand (there's a specific case where Private Internet Access replied to a subpoena saying they had nothing to provide), so people worried about that might benefit from a VPN, but of course it does nothing for the rest of the threat model.
| Torrents are pretty much the perfect crime in that it's a simple exchange of bits between parties that have nothing to do with each other, most other types of illegal activity involve myriad other ways to get caught that have nothing to do with a VPN. People who rely on VPNs alone to protect them from getting prosecuted for things like hacking and people who say VPNs are useless are wrong in exactly the same way: they don't have a complete/realistic threat model.
| thesuitonym wrote:
| I used to work at an ISP, and once a month I would stuff envelopes with DMCA letters. I can assure you, that the only thing your ISP is doing with these letters is laughing at whatever porn you downloaded. They're just a scare tactic, and if you get one, you can almost certainly ignore it.
| connicpu wrote:
| Didn't Cox recently lose a big lawsuit for not actually doing anything to punish repeat DMCA offenders? I'd be cautious about assuming those letters are still harmless today.
| CameronNemo wrote:
| I've had a connection shut off because of three letters. Spectrum.
| driverdan wrote:
| This varies between ISPs. Some will shut off your connection after a certain number of DMCA letters.
| Jonnax wrote:
| Are DMCA letters still a thing?
|
| It seems like Torrenting died out significantly over the last 5 years.
| DarkCrusader2 wrote:
| Just go to any popular torrent site and see the number of people in the swarm. A little harder for less popular stuff but nowhere near dying out.
| throwaway8941 wrote:
| Maybe in the US. Definitely not in ex-USSR. I don't know of any single person who's paying for anything other than Steam games (and that's only because they have prices adjusted to our ridiculous wages.)
| cube00 wrote:
| They're too busy working through Twitch at the moment.
| ryantgtg wrote:
| Can't wait for the "you don't need a VPN" folks to acknowledge that they don't understand why lots of people actually use VPNs.
| It's DMCA, man. DMCA.
| dingaling wrote:
| Rather ironic that people pay for VPN services to access content that they won't pay for.
|
| Just don't bother with Big Media content and they won't need a VPN...
|
| There's plenty to do in life other than torrenting the latest HBO series.
| Dylan16807 wrote:
| They'll go after you for downloading something you already paid for, or was free to begin with.
| ryantgtg wrote:
| Rather, it is used for accessing content that you can't pay for, given that Amazon Prime, Disney+, HBO Go, and I'm sure many more are (or were in the past) simply not supported on linux devices.
|
| And, "Plenty to do in life" is a value judgment, and isn't relevant to this discussion.
| TulliusCicero wrote:
| I moved to Germany and apparently they're still very much a thing here. Torrenting popular shows sans VPN is -- at least according to Germans on reddit -- an easy way to get sued, and forced to pay hundreds of euros.
|
| Obviously, I have no interest in testing this out myself, so I take their word for it.
| laingc wrote:
| I lived in Germany for years, and this is absolutely the case. Don't mess with torrents in Germany without a VPN.
|
| Except for those Linux ISOs, of course.
| Eremotherium wrote:
| I got C&D from Daedalic Entertainment. They demanded 1.1k or something along the lines. I was on welfare at the time, so a lawyer was not within my means, so I objected. I'm not sure what happened next because I probably didn't open the letter from the court (getting a manila envelope is fucking scary in addition to the stress of already being broke) but they seemed to have got a verdict against me and suddenly I owed over 2k. That being said I got a few letters from lawyers and replied with a legal note promising not to do it again (with any clause concerning automatic fines removed) and beat them by simply ignoring their demands afterwards.
| So it's entirely possible that I simply fucked myself with Daedalic by not opening their first letter and replying with a note. I haven't pirated in years but have gotten a VPN and will start back up because the fragmentation in the streaming space pisses me off too much especially since there's stuff I can't legally get here.
| ocdtrekkie wrote:
| I got one about a month ago (United States, the smallest of the three ISPs available in my area). My ISP had a screwy way of injecting the complaint, which I almost missed. I had to call them and actually request the complaint be sent by mail so I could see the details, which I don't understand why they didn't do in the first place... They actually served it to a guest in my house, who thankfully told me about it, so I could investigate.
| flatiron wrote:
| I torrent from home, I also work from home.
|
| I just never wanted my job to hire some dumb IT consulting firm to do some cross between IPs on a swarm and IPs VPNing in as a "threat analysis" and my dumb name getting dragged into an office. I know it's far fetched, but $40 a year of PIA keeps my mind at ease.
| jasonjayr wrote:
| It goes w/o saying but most if not all the cloud providers map IP to account, so using a VPS may get your account sanctioned or revoked.
|
| Definitely don't spin up these VPN/VPSs on an account you don't mind losing.
| xrisk wrote:
| Have received DMCA emails from DigitalOcean for torrenting on their boxes. Can confirm.
| pickdenis wrote:
| If you're going to do that kind of stuff, make sure the provider is based in another country. That gives you a pretty strong layer of protection against these kinds of things. Of course, nothing is entirely foolproof...
| FakeRemore wrote:
| There are seedbox services that allow public torrents and don't forward DMCA emails.
| badRNG wrote:
| I regularly think that claims of astroturfing are overblown, but it is common in the "privacy" focused industry to FUD competitors to gain market share.
|
| I'm immediately reminded of some shady search engine CEO going on OAN and other fringe shows posing as a security researcher to spread FUD about DDG to drive traffic to his site (can't find the link for it now.) That OAN video even went around the security industry (among compliance and less technical folk) who were persuaded DDG was now worse than Google for consumer privacy.
| leokennis wrote:
| VPNs just mean you're trusting someone else than your ISP. Instead of your ISP seeing you go to site.com, now your ISP sees you connecting to a VPN and the VPN sees you connecting to site.com.
|
| For this reason I am highly suspicious of any VPN service that markets itself as some "magical privacy wormhole", which is 99% of VPN providers.
|
| Honest ones I know of are Encrypt.me and Mullvad, who both tell you they should be mainly used to secure yourself on open WiFi and to circumvent geo blocks.
|
| If you want a private internet connection, use TOR.
| romanovcode wrote:
| > You can only subscribe to the VPN from the United States
|
| How is this a "launch"? And also, this makes it a bit fishy if you ask me.
| devwastaken wrote:
| How do we know this is safe from bad actors? If it's in the U.S. is it safe from discovery? For example Watchtower tried to use 'copyright Infringement' to force reddit to give a username's IP and account information.
| https://m.youtube.com/playlist?list=PLkdgWccrJAy53-jeBxM3Pk_...
|
| VPNs are the only way of protecting what should be protected speech. You have to not keep logs or anything that allows a court to find the identity of a user.
| Youden wrote:
| > How do we know this is safe from bad actors?
|
| You don't. You never will. This is the case not just for Mozilla but for all VPN services.
|
| Until there's some kind of hardware-level attestation that verifies a server is running a particular software installation, that's going to remain the case.
|
| > VPN's are the only way of protecting what should be protected speech.
|
| No, if you want safety, a VPN is not the solution. VPN providers have invested a lot of marketing in trying to tell you otherwise but it's simply not true.
|
| All a VPN does is move what little trust you're forced to have in your ISP to a different, often less-regulated ISP.
|
| The solution if you want privacy and/or anonymity is a technology built for that purpose, like Tor or I2P.
| r3trohack3r wrote:
| Every time someone mentions a VPN provider in my techie social circles, the "A VPN doesn't protect you" crowd piles in, usually with links to something like:
| https://gist.github.com/joepie91/5a9909939e6ce7d09e29
|
| I don't understand this argument, but would like to.
|
| I run https://everytwoyears.org, a political non-profit focused on ending the warrantless metadata collection of U.S. citizens' communications. From everything I know about these programs, they are _explicitly_ not collecting content of communications. These programs only collect the metadata about a communication. As citizens, we don't get to have a clear definition of "metadata" (that is classified!) but we can assume anything that isn't the message itself is at risk of being considered metadata, especially if it was shared with a service provider in the normal course of conducting business (i.e. routing a request).
|
| For HTTP requests, I assume the body of the request would require a warrant before it can be persisted on a government server. The HTTP headers, if unencrypted, _might_ be considered metadata but I would be surprised. The IPV4 headers are more than likely metadata. DNS queries are more than likely metadata.
|
| If you are trying to avoid _active_ surveillance, where your government has a warrant, a VPN isn't going to help you. If you are trying to avoid _active_ surveillance where your adversary doesn't need/want a warrant to search you, a VPN isn't going to help you. But if you are trying to avoid having your internet activity ending up, de-anonymized, in a metadata database that your government does bulk analysis on, a VPN does seem like it would help. It seems like it would help a lot.
| zaptheimpaler wrote:
| If you assume VPNs don't keep logs forever, then a VPN is very strong protection. Seems like all the anti VPN arguments are predicated on the VPN keeping exhaustive logs of every request. Given the volume of data and the incentives of businesses, I feel like that's probably not true for many VPNs. I generally believe them when they say they don't log, because it's just more $$$ on storage that provides 0 value to the company unless they are required by law.
| closeparen wrote:
| A VPN is just a tunnel from one point to another. You'd have to establish why the remote end is more trustworthy than the local end. Being located in a hostile jurisdiction may be somewhat protective, but it would also seem likely that compromising foreign VPN services is within the NSA's wheelhouse.
| weavejester wrote:
| Even if you trust your ISP, and it's not required to keep logs due to local laws, a VPN is often a good idea anyway. Geolocation from IP address can be scarily accurate - mine identifies me to within a mile radius of where I live.
| deepbreath wrote:
| If nothing else, it significantly reduces the entropy of your IP when websites are fingerprinting you, especially if your ISP assigns you a static IP.
|
| Even if you don't have a static IP, I suspect the entropy of your /24 (IPv4) is also a lot smaller when over VPN.
| abofh wrote:
| Do you understand the words you're using?
| wongarsu wrote: | Unless I set up my own VPN I'll share a VPN server and IP | with other people. That makes my traffic inherently more | anonymous once it has left the VPN server, since you can't | correlate traffic to a single person anymore. So even if | traffic in the data center is analyzed, that's better than my | ISP analyzing traffic. | | Thus we only have to establish that the VPN provider is at | least as trustworthy as my ISP. That's a pretty low bar to | clear in many places. I have no doubt some VPNs are operated | by nefarious actors (no better way to collect high quality | data), but I don't think that's a concern with Mozilla. | closeparen wrote: | You should expect that the government can compel a VPN | provider to correlate traffic to subscriber information | exactly the same way it does with a residential ISP. | wongarsu wrote: | Sure, but the set of governments that can compel my ISP | might be different from the set of governments that can | compel my VPN. I don't care about all governments | equally, and my own government has a disproportional | impact on me compared to most other governments. | r3trohack3r wrote: | Agreed. | | I think the key for me is that, at least under the original | Presidential Surveillance Program, the providers that | participated were not compelled to share their user's | metadata. They shared it willingly, regularly, and in bulk. | There is reference to a service provider backing out of this | agreement a few years later, telling the NSA they would feel | more comfortable sharing the data if it were compelled. | | It's not clear if this has changed since 2013. But assuming | Mozilla, or Mullvad, isn't compelled to share _all of their | data_ it seems unlikely that they would willingly give that | up to a government surveillance program. | | I think ISPs have demonstrated they aren't trustworthy. 
For | most people in the U.S., it seems, finding someone more | trustworthy than their ISP is literally anyone who isn't | admitting that they collect and share their private data. I | would be surprised if Mozilla doesn't clear this bar. | yurlungur wrote: | I'm not qualified to analyze the technical details but I have | some more practical grievances with VPNs. I paid for ExpressVPN | for 1yr ongoing and found it disappointing despite being | advertised as the expensive but good option. | | First, geo blocking often catches it or provider has moved to | other means to verify address. I don't use Netflix but for | certain streaming sites in Japan that I use and BBC express | does nothing. | | Second, it doesn't get past GFW whereas shadowsocks based | solution does. | | Overall it seems the only benefits are getting better speed | sometimes and theoretical privacy benefits. | koheripbal wrote: | I think you are correct that VPNs are a sort of half-solution. | | There are a lot of people that think anything less than 100% | isn't worth your time, so they suggest TOR - but TOR has all | sorts of annoying limitations that preclude daily usage. | Absolute solutions are seldom worth the 10x extra effort they | frequently require. | | Another set of half-solutions can be seen here which will make | you more secure... | | https://www.cloudflare.com/ssl/encrypted-sni/ | | ESNI, DoH, DNSSEC, and TLS1.3 are fairly easy to set up - and | worth your time. | | Using Firefox with uBlock Origin & PrivacyBadger plus the above | gets me to a good enough place. | | Illegal stuff on the other hand -> TOR. | | The problem with doing illegal stuff with only half-protections | is that the authorities don't need to use the metadata to | _prove_ your guilt. After they raid your house they'll have | all the parallel construction they need to make it stick. | ...then again if you're just buying personal use amounts of | drugs - no one at the FBI cares.
| r3trohack3r wrote: | I think you cut right to the core of where I get lost in the | VPN argument. | | Tunneling (even through TOR) isn't sufficient if you have | someone well funded, highly skilled, and very motivated to | watch you. I would posit that purely technical solutions will | never solve human problems. Perfect, unbreakable, encryption | can be trivially passed with a set of cleverly placed jumper | cables. | | The key, in my opinion, is trying to align technology with | the laws that (mostly) already successfully protect us from | jumper cable wielding adversaries. | | From my understanding, the U.S. government interprets | "metadata" as having no societal expectation of privacy and | therefore they don't need a warrant to collect it. These | questionable metadata collection programs seem like they can | be effectively thwarted through half measures, like E2E | encryption of the metadata (use HTTPS and DNS over HTTPS), | obfuscation of the metadata through tunneling (use VPNs), | etc. | | Some metadata I don't have a good answer for, like location | data when my cellphone pings the local towers. I can choose to | share my location data w/ the tower so it can route calls to | me, and submit to that possibly ending up in a government | database, or I can keep my phone from talking to the cell | tower being unable to send/receive calls. I don't see a half | measure... | fataliss wrote: | Do you have a good write up on how to get all that set up by | any chance? Also, does anybody have a comparison of Brave vs | Firefox when it comes to privacy? | julesallen wrote: | https://www.androidpolice.com/2020/06/07/brave-browser-caugh... | | I was using Brave until this story came out and switched | over to Vivaldi for the stuff that absolutely demands the | Blink engine. | | Point one, if they _repeatedly_ continue to do this kind of | thing, what kind of stuff are they also getting away with? | Or what's the next big surprise around the corner?
| | The second point is I really now prefer Vivaldi as things | like sync work (it's been broken for a long time in Brave) | and there's more exposed in the prefs for techie types who | like to tinker with that kind of thing. | | Firefox continues to be the every day browser and it keeps | getting better as time goes on (another +1 for take my | money for email, calendar, file storage, etc.). | r3trohack3r wrote: | Not complete coverage, but I set up a Pi-hole w/ DNS over | HTTPS a while back and documented it here: https://github.com/retrohacker/knowledge/blob/master/pi/piho... | | This has the added benefit of being good for the whole | network (your whole house) including gaming systems and | smart TVs. | miniyarov wrote: | This is very totally legit that public VPN services are | complete trash. Online anonymity is very hard. However, you can | still create your own VPN server on cloud providers to | at least have some privacy while you are on an untrusted network. | | Because of this reason, I created zudvpn.com - It is a free and | open-source mobile application that's used to deploy a private | VPN server on major Cloud Providers! | | GitHub repo: https://github.com/zudvpn/ZudVPN | RealStickman_ wrote: | Why would a VPS server be any more secure than a VPN | provider? They have the same ability to view outgoing traffic | and can very easily log the source IP address. | miniyarov wrote: | http://zudvpn.com does not provide complete anonymity. The | idea is that you control your own server and you make sure | that nobody is logging your every move. Even though public | VPNs claim that they don't log, you should not blindly | trust them. | | Check GH repo to see how https://ZudVPN.com generates SSH | key on your phone and locks the VPN server with the key | that is only available for you. | Spooky23 wrote: | I doubt it, unless you run the VPN. Governments have the same | ability to leverage things like trackers, etc.
| | A public VPN service is good for localized privacy. Even a | cheap Ubiquiti setup will be able to tell about your habits. | It's probably good enough to avoid the attention of a civil or | informal inquiry (DMCA, employer, etc). | r3trohack3r wrote: | > Governments have the same ability to leverage things like | trackers | | It's not clear to me whether the methods trackers use to de-anonymize you are considered "content" or "metadata", and | whether the U.S. government would need a warrant to access | tracker information. | | Do you have thoughts? | Spooky23 wrote: | You can buy the data on the market without a warrant. | | VPNs seem like a really obvious bypass of controls and | surveillance capability. I'm sure the folks at NSA, et al | thought of it too. | edw wrote: | There's a lot of gross stuff that your ISPs (which includes | your mobile phone provider) do to further monetize your | relationship with them, and having a VPN can negate that. | | ISPs can observe your DNS lookups to their servers and assemble | a profile on you based on the domain names you look up, and put | you into a series of audiences that marketers can then use (for | a fee) for ad targeting. | | ISPs can also observe your DNS lookups to Google's or anyone | else's public DNS servers. | | ISPs can snoop on your unencrypted traffic, proxy it, and | inject headers into HTTP responses to facilitate (you guessed | it) the creation and sale of audience data to advertisers. | | ISPs can transcode (and downsample) multimedia content to | decongest their pipes or airwaves. | | If you are a spy or a member of a disfavored political group, | you should almost appreciate the scummy practices of ISPs, as | it drives a bunch of non-spies and people not associated with | disfavored political groups to adopt privacy-enhancing | technologies.
| | If I worked at the NSA or CIA or FSB or Mossad or wherever, I | would highly encourage lawmakers to enact laws to protect | consumer privacy in order to drastically reduce the perceived | need for people not in the above groups (et alia) to adopt VPNs | and other technologies; there would be fewer "boring" people | using such technologies, giving the needles a lot less haystack | to get lost in. | Kelamir wrote: | > ISPs can also observe your DNS lookups to Google's or | anyone else's public DNS servers. | | edw, could you elaborate on that, please? I thought changing | to public DNS servers like OpenDNS provides some security | from ISP tracking. | stuuuuuuuuu wrote: | Traffic between you and the public DNS servers isn't | encrypted, so your ISP can still read it. | | (I suppose this is one of the problems that DNS-over-HTTPS | is designed to fix.) | Kelamir wrote: | Thank you for the answer, stuuuuuuuuu! I'll look into it. | | ... | | DNS-over-HTTPS can be enabled in Firefox via Network | settings, turns out. | _jal wrote: | In addition to the lack of encryption mentioned, some ISPs | transparently intercept DNS requests and reply to them with | their own. | | Test your own ISP: try something like | | nslookup news.ycombinator.com 1.2.3.4 | | If you get a response, your ISP is gaslighting you. | ccktlmazeltov wrote: | Most people use a VPN because it lets them have a different | geolocation (to watch Netflix in a different country, access | thepiratebay, etc.) | | If you do use a VPN to mask your traffic, there are two | questions to ask yourself: | | 1. who are you masking your traffic from? | | 2. can you trust the VPN network more? | | In general, you cannot trust a VPN network more, and HTTPS is | the solution as it provides end-to-end encryption with some | important caveats (web PKI) | | Running your own VPN is not a good solution either, because who | owns the servers where your VPN is running? | tafl wrote: | Yeah I've heard this one before.
| | I use Mullvad, paid using BTC that came straight from a | tumbler. I don't use it for any nefarious reasons, just wanted | to see how such a setup would work. It was surprisingly | painless. I think it took 15 minutes in total from moving my | btc to the tumbler and having the tumbler move the btc to my | Mullvad account. | | Am I 100% secure? No, they know what IP I'm connecting from. Is | my name attached to the VPN? No, not even close. I suppose if I | wanted to further improve my security I wouldn't use my own | home network, but public wifi's nearby. | | But again, I didn't do it to stay "safe" or anonymous. Just | wanted to see how the process would actually be. | Shank wrote: | > I use Mullvad, paid using BTC that came straight from a | tumbler. I don't use it for any nefarious reasons, just | wanted to see how such a setup would work. | | > But again, I didn't do it to stay "safe" or anonymous. | | I sincerely hope that you're trying to stay safe if you're | admitting to money laundering on a public forum. | cyberpunk wrote: | Tumbling coins has nothing to do with money laundering, | it's just a way to anonymize them.... | ryanlol wrote: | Tumbling coins has everything to do with money | laundering. Of course, the source of the funds isn't | necessarily illicit. | crazygringo wrote: | Money laundering is turning dirty money into clean, that | appears legitimate, taxable etc. If the source isn't | illicit, it isn't laundering because there's nothing to | clean. | | Tumbling coins is just obscuring their origin. | | The two don't inherently have anything to do with each | other. | | Even if you tumble "dirty" coins, you've got to explain | to the IRS the source of income behind the new coins. | Tumbling, in and of itself, doesn't achieve that. | tafl wrote: | Like cyberpunk said. It's not money laundering, it's a way | of anonymising the bitcoins. 
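The check _jal describes earlier in the thread (send a DNS query to an address that should not be running a resolver and see whether anything answers), written out as an added example that is not part of any comment. The function names are hypothetical, the probe address is the one from that comment, and the sample reply is constructed rather than captured.

```python
"""Probe for transparent DNS interception (added example, not from the thread)."""
import random
import socket
import struct

# Address used in the comment's nslookup test; assumed not to host a resolver.
PROBE_TARGET = "1.2.3.4"


def build_query(name, txid, qtype=1):
    """Encode a recursive DNS query for `name` in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at `off`."""
    while True:
        length = msg[off]
        if (length & 0xC0) == 0xC0:    # compression pointer, always 2 bytes
            return off + 2
        off += 1 + length
        if length == 0:                # root label terminates the name
            return off


def parse_response(msg, txid):
    """Return (rcode, [IPv4 strings]); ValueError if not a reply to `txid`."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not (flags & 0x8000):  # wrong ID or QR bit not set
        raise ValueError("not a response to our query")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4        # QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:        # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def classify(reply, txid):
    """Label one probe result: 'no-reply', 'unrelated' or 'intercepted'."""
    if reply is None:
        return "no-reply"        # nothing answered for the target address
    try:
        parse_response(reply, txid)
    except (ValueError, IndexError, struct.error):
        return "unrelated"       # stray or malformed datagram, not our answer
    # A well-formed answer to our transaction ID came back for an address
    # that is assumed to run no resolver: something on the path answered.
    return "intercepted"


def probe(name="news.ycombinator.com", target=PROBE_TARGET, timeout=3.0):
    """Send one UDP query to `target`:53 and classify what comes back."""
    txid = random.getrandbits(16)
    reply = None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (target, 53))
            reply, _ = sock.recvfrom(4096)
        except OSError:          # timeout or unreachable network
            reply = None
    return classify(reply, txid)


def sample_reply(txid):
    """Constructed reply (not captured traffic): one A record, 203.0.113.7."""
    question = build_query("news.ycombinator.com", txid)[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
              + socket.inet_aton("203.0.113.7"))
    return header + question + answer


if __name__ == "__main__":
    print(probe())
```

A result of `intercepted` only shows that something on the path answers port 53 on behalf of that address; a home router or a corporate or VPN DNS redirect produces the same result as an ISP.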
| hendersoon wrote: | He's actually technically correct, as that is the very | definition of money laundering. The difference is | (assumedly) the money he's laundering wasn't obtained via | illegal means. | jchw wrote: | Please take notes from Mullvad and give some basic transparency | about the data centers and whether the servers are rented or | owned and etc. Stuff like that goes a long way for people who are | genuinely serious about privacy. | gver10 wrote: | > Although there are a lot of VPNs out there, we felt like you | deserve a VPN with the Mozilla name behind it. | ayoisaiah wrote: | I won't be switching to this. I've been paying EUR4.99 monthly | for Blokada VPN on Android. It's pretty reliable and offers ad | blocking as well. Also supports up to 5 devices. | nix23 wrote: | Nice, which shady Marketing-Firm are you working for? | | Any points for 'Blokada' being more trustworthy than AT&T ;) | ayoisaiah wrote: | Just a happy user :) | | Blokada is pretty popular for Ad blocking on Android. And | it's open source too: https://github.com/blokadaorg/blokada | nix23 wrote: | Nice...sorry for the aggressive tone, sounded like an | advertisement, have fun ;) | flyGuyOnTheSly wrote: | What is the main benefit of using a VPN? | | I download music, movie, tv, etc files via torrent using my | Canadian IP address and I have never seen anything more than an | email from my ISP saying essentially "so and so company thinks | you downloaded their material, don't do that ok?". | | Is the general public so afraid of getting the odd email that | paying $5/$10 month to make them disappear is a good deal for | them? | | Why wouldn't people just use TOR for free? It was extremely fast | the last I checked. | flatiron wrote: | Tor begs you not to use their service for torrenting.
It would | also be a lot slower than a VPN | | I use a VPN (to Montreal since it supports port forwarding) | because I work from home and I don't want my IP that VPNs to | work for a major company also being part of a torrent swarm. | Havoc wrote: | Can you select the region of exit node? Cloudflare VPN and | lastpass geolocking was a bad combo... | AdmiralAsshat wrote: | Forget the VPN--I already have a VPN provider and I have no | interest in changing. Offer a paid e-mail service, on the other | hand, and I'd sign on up Day 1. | xii22 wrote: | I've heard good things from HEY[1]; I've been thinking about | using their trial | | [1] https://hey.com/ | kilroy123 wrote: | Hey looks great and I trust it will be around for a while. | Unlike inbox from Google. | | I would 100% sign up for hey if I didn't migrate to Fastmail | this year. | qchris wrote: | I second this wholeheartedly. I would be happy paying at least | the $5/mo that they're charging for the VPN to have web-based | access to privacy-respecting email service tied to a name I | tend to trust like Mozilla (hopefully with a fairly vanilla | domain name that doesn't get weird looks). | | Purism's Librem One suite [0] comes the closest, but I just | don't have the trust in them that I'd want before pulling the | trigger. They have a history of making grand claims with sub-par delivery, which just doesn't cut it for a service like a | primary email provider. They've claimed plans to add features | like file storage for ages now with no updates. Email is just | too important a part of daily life to risk it. | | [0] https://librem.one/ | numbsafari wrote: | This right here. And a hosted suite of productivity tools that | have documented, public formats that contain all of your data | (and not just a link to the cloud-hosted copies). | | Amazing that GSuite's only real competitor in 2020 is | Office365. | dublinben wrote: | Would you consider Zoho a "real" competitor?
| | https://www.zoho.com/ | j_koreth wrote: | Would a Nextcloud instance work? | cecida wrote: | I've checked out Nextcloud a few times, but it really needs | a sizeable and trustworthy brand that would host it for | you, allow you to point a custom domain at it, and provide | zero config email/calendaring out of the box. | | I'd trust Mozilla. | [deleted] | 29athrowaway wrote: | If Mozilla cares about privacy then why does this exist: | https://developer.mozilla.org/en-US/docs/Web/API/Beacon_API | gruez wrote: | * you can disable it | | * sites can already do the same thing with javascript. This | simply standardizes it, AND makes it easier to block (since | it's a different request type rather than being lumped with | other xhr). | userbinator wrote: | This is what they should've done _instead_ of that user-hostile | DoH thing (which is already itself a sort of VPN but for DNS | traffic only.) | RandomBacon wrote: | It uses Mullvad, and is the same price as Mullvad. I am assuming | Mozilla gets a cut. When my current Mullvad subscription expires, | I will switch over. | vpnwire wrote: | I've been speedtesting a few VPN networks, and the biggest | surprise has been how fast Mullvad + Wireguard are. I need to | try NordLynx (NordVPN's flavor of Wireguard) for more of an | apples-to-apples comparison, but at least on the speed metric, | it looks like Mozilla chose a good partner. | | Making deeper data exploration possible is a work in progress, | but you can see what I have so far here: https://vpnwire.co | maxisme wrote: | Is Mullvad the only provider you are using with WireGuard? | notRobot wrote: | Indeed. Can someone explain why it's not available outside of | the US, though? I don't see the logic behind that. | LeoPanthera wrote: | It's less flexible than Mullvad. This new service is Wireguard- | only, and as far as I can tell, requires you to use their | custom app. | | Mullvad additionally supports OpenVPN and other protocols, and | is client-agnostic.
| e12e wrote: | > Wireguard-only | | That's great - less features and options are a plus for vpn | services. | | > requires you to use their custom app. | | Sounds odd, if it's just using wireguard. | toomuchtodo wrote: | Might be opinionated to support a high quality user | experience. | | Guard rails can be good depending on your audience. | pgt wrote: | If Mozilla launched Momail or Firemail, I'd pay for it before | paying for HEY or Fastmail. | MattGaiser wrote: | Isn't $4.99 pricey for a VPN? I pay about 3 for Nord. | [deleted] | solarkraft wrote: | Nord locks locks you into an eternal contract and has a pretty | bad reputation for multiple reasons. | ternaryoperator wrote: | >Nord locks locks you into an eternal contract | | What do you mean? I paid NordVPN for a 2-year contract, which | expires in a few weeks. What does "locks locks" refer to? | solarkraft wrote: | Sorry, it was meant to be a single "locks". And yep, I'm | referring to that type of contract. | robrtsql wrote: | It is a bit pricey compared to the competition (lots of VPNs | out there that cost ~$3/month) but apparently Mullvad is the | VPN provider for this offering, and they cost $5 a month | because they are considered one of the 'best' VPNs in terms of | privacy (for example, they will accept cash payments: | https://en.wikipedia.org/wiki/Mullvad#Privacy ). | TurkishPoptart wrote: | Is it at all slow? I've found a lot of VPNs actually slow | down my connection which makes me less willing to try them. | tobsmagoats wrote: | Price is in line with Mullvad which they are piggybacking off | of. Nord has an iffy past and they advertise a lot (often | exaggerated claims) which is a red flag for me. | DCKing wrote: | Come on Mozilla, hurry up! I want to give you money for goods and | services (I also donate monthly [1]), but I'm not that interested | in a VPN (I can and do also pay Mullvad). | | Give me that real internet stuff - email, calendar, file sync, | chat(?) - give me Firefox Premium.
Bundle in the Lockwise | password manager. I'd pay good money to see a company fill the | void of paid, privacy first essential internet services and I | think Mozilla is one of the foremost existing players to pull it | off. They've started talking about Firefox Premium a while ago | now [2] and it's obviously not easy to build all of this in a | lean way, but I'll happily pitch in. If only to help make Firefox | development less dependent on Google or Yahoo. | | [1]: https://donate.mozilla.org/ | | [2]: https://www.theverge.com/2019/6/10/18660344/firefox-subscrip... | jean- wrote: | I'm a Fastmail and Google Suite paying customer. I would SO | transition to a "Firefox Suite" email+calendar service if | Mozilla provided one. | TheKarateKid wrote: | Paying for a browser in this day and age would really bring | Mozilla full-circle back to Netscape in the 90's. | | Time for them to reclaim the throne. | j1elo wrote: | I was just about to change to something different from | LastPass, pretty much convinced about Bitwarden from previous | HN mentions, until you mentioned Lockwise :-) care to share | some pros and cons or comparison between these two? | zdragnar wrote: | There is also always https://www.passwordstore.org/ it is a | bit more work to get everything set up, but I now have an | encrypted git repo of my passwords with clients on my laptop | and android phone. I can't speak to ios or macos, but there is | a distinct lack of good windows gui client, which is the | biggest con. | | The major pro for me is that I know exactly how it is | encrypted end to end, and have control over how and where it | is stored, and can move the storage as I please, all entirely | for free. | staplers wrote: | Currently using both, Bitwarden is much more robust, | customizable, and safe (audited by 3rd party).
Lockwise is | great if you want a simple pw manager for browsing online but | Bitwarden is like a "life" manager that can store addresses, | credit cards, notes, passwords, etc. | calvinmorrison wrote: | I can offer up 1password comments. It has a good native app | for osx. I don't use osx. It offers a CLI tool that spits out | json. I wish it would just integrate with pass(1). The | Firefox add-on is close enough to abysmal that I use their | website making it inconvenient. It doesn't work with regular | http auth so you have to copy the fields in manually then | refresh. | | Otherwise it's fine. The multiple Vaults is great to share | passwords among family or maybe your co-workers. It has | features like TOTP and supports many types of other fields. | | 4/10 on usability 10/10 on its core feature set. Probably a | 9/10 on osx. | rubyfan wrote: | What products and services do you want from Mozilla? | VWWHFSfQ wrote: | > email, calendar, file sync, chat(?) - give me Firefox | Premium | hendersoon wrote: | Mozilla VPN literally _is_ rebranded Mullvad. So if you want to | contribute to Mozilla, should be a pretty easy switch for you. | specialist wrote: | If Firefox integrated with Keychain, it'd probably be my | default browser again. I'd happily pay. | | Once Keychain got good enough, I transitioned to Safari 98% and | dropped 1Password. iCloud syncing is nice too. | | -- | | Anecdotally, it just seems like a lot of web sites are poorly | tested against Safari, so I run into weird stuff. Also, Safari | now inevitably abends, seemingly after binging YouTube. | | I favor Safari, mostly because of lower power consumption. I | have only positive things to say about Firefox. I've always | liked it and I've read they keep improving the power stuff. If | I ever do front end work again, I'll definitely go back to | 50/50. | | -- | | Leaving gmail is on my to do list. I've just been too lazy to | follow thru.
I dunno why, but if Mozilla partnered with | FastMail, I'd be more motivated. Probably for bragging rights, | virtue signaling. | rhlsthrm wrote: | Totally agree. I feel like I trust Safari in terms of privacy | as well, and it works so well in the walled garden of | iOS/macos. I really hope they get it up to date with the | latest web standards, it's a joy to use otherwise. | stiray wrote: | > If only to help make Firefox development less dependant on | Google or Yahoo. | | Omg, my thoughts exactly! I don't want services... I don't want | anything except that with the donations they will break away | from google. That is it. And I bet a lot of us here would | gladly donate, I donate to EFF while mozilla could in theory | have more impact. | devalgo wrote: | Let them stay in the Niche maybe? I'd rather have a really | great safe browser than half a dozen half baked products from | the same company. | lukashrb wrote: | 100% this. I'm currently waiting for the ProtonMail calendar | and still looking for an easy file sync solution. I tried | syncthing today but it's really not that comfortable to use.... | gnulinux wrote: | I want this and want to pay for this. Hoping this will be a | real product soon. | JoshTriplett wrote: | I'd pay _at least_ $10/month or $99/year for Firefox Accounts, | just as they stand today, because they give me at least that | much value. Integrate full 2FA into Lockwise, so that I have | 2FA that'll never die with a broken phone, and I'd pay more. | Add a secure calendar I can use with friends and family, and | I'd pay more. (I'd hesitate to say email, just because running | that is a can of worms I wouldn't wish on my worst enemy, but | I'd absolutely pay for that too.) I would love to have _all_ of | my major services tied into my Firefox Account, with the same | level of security, privacy, and trust I've come to expect. | [deleted] | bobajeff wrote: | I still want Mozilla to release an Android keyboard.
| jtrip wrote: | I believe the 'AnySoftKeyboard' is a good opensource | alternative for Android, no? | vorticalbox wrote: | Me too, currently using swift key as it came preinstalled but | it's owned by Microsoft. | | I use net guard to stop basically everything in my phone from | contacting the Internet. | test002 wrote: | /me wonders which Mozilla marketing person is responsible for | planting this comment to justify value. Firefox accounts has a | loooong ways to go. There's no webauthn support ( Mozilla's own | standard ) and no recovery process. Clear disconnect between | value and reality. | onyva wrote: | Agree. I'm currently on Proton but I'd like to see Mozilla | bundle the essentials, with vpn and mail as the basics. | | Also, consider if possible affordability for students and | seniors, who might not be able to afford a subscription. Maybe | limited bandwidth for free w/o subscription? Something like | ProtonVPN provided. | somurzakov wrote: | internet scale email, calendar, password manager, OpenID auth | provider, VPN, browser + integrated search via DDG = | everybody's dream | belzebalex wrote: | I know upvote already exists, but I deeply want to +1 on this | one. If Mozilla does it, I'd be a happy customer too. | [deleted] | petejodo wrote: | I don't have much to add, I'm just replying in case Mozilla | devs see this. I want this so much as well! I don't mind the | VPN though. I pay for it now even though I run mostly Linux | qchris wrote: | I'm in exactly the same boat. Paying for the VPN to use on | exactly one device because everything else is Linux, and | would happily put more money towards it if they offered a | paid equivalent to GSuite that was privacy-respecting. | 91edec wrote: | I've wanted email so bad. Using protonmail til the day Mozilla | decides to go down the email route. | lub wrote: | > chat | | This already exists: https://chat.mozilla.org/ | | You can use it with your Firefox account.
| typon wrote: | Only Mozilla can make me pay for Google services like | Email/Calendar etc. I think I subconsciously trust the brand | more than most internet companies out there. | shafyy wrote: | And the Basecamp guys with Hey :-) | lilyball wrote: | How about FastMail? They have a stellar email service. They | also offer contacts and calendars, though I don't personally | use those (I use iCloud for that). | PhilippGille wrote: | Wasn't there a privacy problem because of the Australian | encryption law [1] and the company being based in | Australia? | | [1] https://news.ycombinator.com/item?id=18636076 | ObsoleteNerd wrote: | It's just as private as Gmail, which is the comparison in | question. | | If you want secure, you wouldn't be using email in the | first place. | wpietri wrote: | Having recently moved my personal domains to FastMail, I'm | a big fan. It's solid, reliable, and reasonably priced. I | would have happily paid for Mozilla/Thunderbird mail | hosting had that been available. | neuronic wrote: | Yep, migrated from Gmail and very happily so :) | mderazon wrote: | I want to migrate from Gmail but I have my Gmail address | tied up to so many things. How do you make the move? | 867-5309 wrote: | a bit like a physical address - forward the mail on for x | months and then cut off completely | dsissitka wrote: | That's what I did and it worked well for me for the most | part. I ended up keeping Gmail around for the occasional | service that doesn't work well with Fastmail. Off the top | of my head I've had issues with: | | - Frontier | | - Green Man Gaming | | - Paperspace | | - Rainway | | - SquareTrade | wjdp wrote: | FastMail can pull from gmail. My account pulls from all | emails I use minus work and can send on those addresses | so. It also supports having a different signature | depending on which address I'm sending from. | | See https://www.fastmail.com/help/account/migratetofastmail.html | | No connection to them, just a happy customer!
| archenary wrote: | I did this recently. It's pretty straightforward. | | First, do a one-time import from Gmail. Fastmail has an | import tool that does this over OAuth. Took me ~45 | minutes to import ~50,000 emails. | | Next, setup IMAP and SMTP on Fastmail for your Gmail | account. This way, you can continue to receive and reply | to emails sent to Gmail, using Fastmail as the client. | When replying to an email, Fastmail defaults to the right | sender (identity) based on whom the email is sent to | (abc@fastmail.com or abc@gmail.com). | | An alternative is to setup email forwarding in Gmail, so | you get a copy of emails sent to your old address. | | If you don't have a custom domain, I highly recommend | getting one and use that going forward. There might come | a day when you want to migrate off Fastmail. With a | custom domain, you just need to update the MX records. | benhurmarcel wrote: | I went through all accounts in my password manager and | changed it. Not so bad. It doesn't need to be done | quickly. | wyclif wrote: | I would make this Step #1 to the 5 or 6-step processes | outlined above. Gets most of the important migration out | of the way with a little work the first day. | CalRobert wrote: | Get your own domain, use it for all your email, and in | five or so years gmail will be nothing but spam, | basically. | ocdtrekkie wrote: | I set up my own domain, and forwarded emails from it to | my Gmail account. Over a year and a half, every time I | logged into something, I updated the email address to my | own. | | Eventually, when I jumped to FastMail, I repointed my | domain name to it, and most of my new emails started | coming over automatically, since the email address is now | something I control. I monitored Gmail for a while | regularly to catch straggler services. (I chose not to | forward to avoid complacency with stuff going to Gmail | before reaching my FastMail account.) 
| dmit wrote: | Here are the steps I've been following: | | 1) Sign up for Fastmail. | | 2) Sync all mail from GMail account to Fastmail (via the | Fastmail web UI; you grant FM access to your GMail data | through OAuth - once sync is complete you can revoke this | access). | | 3) Set up an auto-forward rule in GMail for all incoming | mail to go to your Fastmail address. | | 4) Set up a rule in Fastmail to put all incoming mail | sent to your GMail address into a separate folder (or | labeled with a special label if you're signed up for | Fastmail's label beta). Any time you get email in that | folder, that's a task for you to either unsubscribe or | update the corresponding account to your new email | address. | | I'm currently in month #10 of migration. Most commonly | used accounts were updated during the first couple of | weeks. But be careful that the tail of services that are | still configured to use your old email address tends to | be long, and in my experience those are some of the more | important emails that you don't want to miss. The ones | that are only sent once every couple years. | | Also, it really helps if you've been using GMail with a | personal domain name (e.g. through Google Apps). In this | case migrating is a matter of pointing the MX DNS records | to Fastmail's servers. Bonus points: Fastmail allows | wildcard recipients, so if you prefer to have unique | addresses for each service you sign up for, you don't | even need to set up a separate xyz@example.com alias. | Just register with <whatever>@example.com and you'll get | all email delivered to that address in your inbox, _and_ | you'll be able to specify it as the sender's address if | you decide to reply to some of those mails. Having a | separate email address for each web service also makes | looking up who leaked what on haveibeenpwned.com more | fun. | michaelbuckbee wrote: | Very happy Fastmail user. Not so happy that so many | different services don't interoperate with it.
Things like | Calendly or many standalone Calendar apps. | | Seems like it is Apple, Google, Outlook or nothing. | deadbunny wrote: | Maybe I'm missing something but doesn't Fastmail use open | standards? For example I access my Fastmail calendar on | my phone and desktop using caldav. | | Isn't it down to the app to support those standards? | godzillabrennus wrote: | I've used Fastmail for years now on a work account. Its | best feature is that it's not Google. | | First, no phone support. Hardly acceptable when even Google | has this. | | Second, no collaboration suite like Drive/Docs. | | Third, no addons I'm accustomed to having in my daily | driver email suite. Things I miss include schedule to send | later, default reply all, and no priority inbox. | | I'm stuck using Google for email and maps. I hate google and | want to get off them entirely but Gsuite with 1Tb of disk | space for my single user personal domain is so powerful and | so cheap it's impossible for me to switch without giving up | too much. | | Google maps I think has some real competition at least. I'm | hopeful Apple Maps gets continued improvements so it can | get the job done well enough I can drop Google maps this | year. | stilisstuk wrote: | I feel a bit different: Email is a standard. You are | talking about an app. Send later is the job of the | application, not the standard. Same with reply all. | Intelligent priority inbox is _hard_ but in principle the | same. | | When you use gmail you conflate the standard with the | app. | afiori wrote: | The point of these discussions is that the standard (IMAP | specifically) is inadequate to a lot of modern use. | | One good thing that Fastmail is doing is promoting a | REST-like IMAP alternative ( https://jmap.io/ ) that | makes it easier[1] to go back to the distinction | application/protocol.
| | [1] by this I mean that implementing an app like gmail | over IMAP would be a terrible idea, while JMAP would be | at least a bit better (it also adds browser support as it | allows HTTP as transport layer) | benhurmarcel wrote: | With Fastmail you're essentially buying the app as much | as the service. | | If you want reliable email service without the nice app, | there are much cheaper alternatives. | r8deoh wrote: | Such as? | lilyball wrote: | I largely agree with this, except that "Send Later" | really does want some form of server support so it will | happen even if you quit the app (especially on mobile). | That said, there are third-party apps that do this, such | as Spark (though they require storing your credentials on | their servers). | | Priority inbox is also something that can be done client- | side. FWIW FastMail does actually have internal flags for | "$ismailinglist" and "$isnotification" that you can | access via advanced search, but they don't have any | intelligent customization of these flags, no way to tell | FastMail "hey this email was categorized wrong". You can | write a Sieve script that adds/removes the flags yourself | but that only works for stuff you can detect in a sieve | script, i.e. no ML. Still, it's better than nothing when | using the web app. | gdrulia wrote: | I'm not sure what do you mean by saying "no phone | support"? Fastmail has apps for Android and iOS. I use | iOS one and it's quite alright. | | Did I not understand your statement correctly? Like did | you mean that you cannot set it up with other mail apps | on the phone? | Arnavion wrote: | Customer support via phone call. | abofh wrote: | How often are you calling support? The only time I've | needed them was when I was locked out of the admin | account, and there was no way to reach a human. | Quekid5 wrote: | Indeed. I've been using FastMail for email (only) for a | couple of years at this point, and I've literally _never_ | had to contact their support.
| | It just works. | | (I'd actually be more worried about the AU legislation | about permissible snooping, but... and I can't believe | I'm saying this... It works well enough that I don't | care. Most providers have learned to not send actual | sensitive info by email.) | gdrulia wrote: | Thanks, this didn't even occur to me. | archenary wrote: | Happy Fastmail user here. I love it for the snappy web | client. It's only after I switched that I realized how slow | Gmail felt. | sigmonsays wrote: | I'd like to echo similar feedback. After I dropped gmail | and went to fastmail i noticed it to be MUCH faster. | gmail is my primary personal account. I really | appreciated taking control of e-mail again. | | i'm happily paying for e-mail and tend to think putting | money down ensures I keep myself honest and maintain a | workflow. Now I only save e-mails that are important to | me, instead of archiving everything. | mistahchris wrote: | I'm also a very happy fastmail user. I don't use the | calendar or contacts feature either. But I use the webapp a | lot on mobile and it's quite good. I don't even need to | download the native app for my phone. | beervirus wrote: | Indeed. I feel about Mozilla the way I felt about Google a | decade or two ago. | Vysero wrote: | Wait... why are you encouraging them to charge for it? | kyawzazaw wrote: | it ensures that they have a sustainable revenue stream and | won't cave into selling data or shutting down | rubber_duck wrote: | Because running it is not free and paying for it directly is | the best way to align interests - you are the customer | instead of being the product for advertising and analytics. | kawsper wrote: | I wish Mozilla would also offer a DNS-over-TLS service instead of | just offloading it to Cloudflare or NextDNS. | dx87 wrote: | Can't wait for this. The PIA extension stopped working in Firefox | months ago, and PIA said they have no ETA for a fix. 
| notRobot wrote: | PIA was also acquired by a malware company: | https://news.ycombinator.com/item?id=21679682 | merge wrote: | an alternative is also the https://librem.one/ services run by | Purism. VPN, Email and more. All server and client code is at | source.puri.sm and it's mostly only rebranded "standard tools". | solarkraft wrote: | It's a rebranding of Mullvad. I'm happy with Mullvad itself, and | while I think Firefox is the most important browser I'm not very | happy about Mozilla arguably destroying its brand and seemingly | pivoting away from maintaining it. I'd directly pay for the | development of FF, but not Mozilla's "btw, we now sell | $completely_unrelated_product_without_even_an_ethical_business_model". | | They seem to be relatively safe from forking though, because | apparently the code base is too much of a mess. Yay. | orra wrote: | You say that, but not enough people _do_ directly pay for the | development of Firefox. Of course, you are welcome to donate to | the Mozilla Foundation. | | Also, your complaint about an ethical business model seems | unfounded, especially in this instance. | wasmitnetzen wrote: | > you are welcome to donate to the Mozilla Foundation. | | Which does not pay for the development of Firefox. | orra wrote: | The Mozilla Foundation annual financial statement include | its subsidiary Mozilla Corporation. And most of the | Foundation's expenditure is staff costs, for the Firefox | project. | | If that doesn't satisfy you, note that targetted donations | are also a thing. | RandomBacon wrote: | Unless everyone does targeted donations, it's pointless. | It's like adding water to one end of a pool and expecting | the water level at only that end to rise. If only a small | percentage of donators ear mark their donation to Project | A, then the less money will come out of the general fund | for Project A and more from the general fund will go to | Project B.
The money you just donated didn't increase the | budget for Project A, instead the organization just | increased the budget for project B. | | In other words, targeted donations are not a targeted | budget increase. | solarkraft wrote: | > Also, your complaint about an ethical business model seems | unfounded, especially in this instance. | | I have no concern about the VPN service itself since it's | Mullvad which I like, but the devaluation of the branding | (which I consider a long term problem). | | Look at stuff like Firefox Send and Pocket. The latter is | proprietary (holy shit, how is that ethical?) and the former | bugs you with in-page pop-ups to get an account when you try | to change the settings that looks either very stupid or | malicious (and they invested a lot of money). I thought it | was a bug at first. | | They may sound like specific petty issues, but I consider | them symptoms of a gigantic systemic problem. | | I am aware of Mozilla's financial struggle, but don't think | this is a good way to solve it, or much of a viable one at | all. I fear it will completely dilute the Firefox brand, lose | core users' trust (what they have left, anyway) and result in | barely any revenue. It may well result in the permanent ruin | of the Firefox ( _the browser_ ) project, especially since it | appears to be 100% dependent on Mozilla because of its high | entry barrier. | | I do see the _idea_ behind the pivot I think, which is | banking on the rising popularity of privacy, but honestly I | don't think they even have much of a good reputation on that | front. The wide public doesn't know ("Mozilla is like Google, | right?") and the techies have been burned too often. Neither | do they explain much in their surprisingly widely deployed | physical ads (how much did that cost?). | champagnepapi wrote: | "Mullvad respects your privacy and has committed to not keep logs | of any kind." How sure can we be here?
| kfreds wrote: | Every time the VPN service industry is discussed on HN there is a | barrage of comments that use keywords like "honeypot", "snake | oil", and "shady". I'm not denying that the industry has | problems, but in this thread I'd like to focus on how we can | improve it. | | Please tell me - What makes a VPN provider trustworthy, and how | do you _know_? | | Personally I believe a trustworthy provider is _characterized_ by | consistent actions that show transparency, honesty, and | conscientiousness. Nevertheless, such consistent action doesn't | actually prove trustworthiness. | | A good VPN honeypot, or reseller of your network traffic, is | publicly indistinguishable from a trustworthy one. So what can | the users do? What tools, technology, process, or ecosystem do | they need to tell honest and dishonest apart? What do we need to | build? | | We all recognize that VPN providers are in a great position of | power over their users. How do we tilt the scales in the users' | favor? What are _strong_ signals of trustworthiness? | | Disclosure: I co-founded Mullvad. | maxisme wrote: | Sorry to go on a tangent (I believe it is word of mouth and | actions of the company like you say): | | What is the deal with Mullvad and Firefox? Are they completely | using your services but with their name on it? Would you rather | a client directly or through Firefox (bit cheaper now in $ )? | RcouF1uZ4gsC wrote: | deleted | agency wrote: | FTA: "we are [...] committing to never track your browsing | activities" | | But based on your comment it seems like you harbor a deep | distrust for Mozilla, in which case obviously you shouldn't use | their products? | notRobot wrote: | Yeah this comment makes no sense. That would be terrible | publicity for Mozilla. | | Also, Reddit uses HTTPS (like every other mainstream website) | so Mozilla/Mullvad can't see what you're posting or even what | your username is. 
| Jonnax wrote: | Essentially their former CEO was/is against gay marriage and | donated to some organisation that was campaigning against it. | | People found out, some employees weren't happy also some | sites put up a message when Firefox users visited. | | OkCupid (a dating site) straight up blocked Firefox users | saying that they prefer users to use other browsers. | | So as Mozilla is a company. They decided to get rid of the | CEO. Because he was now bad for business. | | However for some people in the tech world. This was an | unforgivable sin: an attack on free speech. | opendomain wrote: | I think this was a setup. | | Brendan Eich is the creator of JavaScript and was the CTO | of Mozilla. | | He is intelligent and works hard on open source. However, | he HAD opposed same sex marriage. | | While he was CTO of Mozilla, no one cared. When he became | CEO, there was a smear campaign to get rid of him. | | I respect his contributions, but not his politics. He has | the freedom to say what he believes - I still use Firefox. | IMHO this was just an excuse to get rid of him as CEO. | kelnos wrote: | Yeah, I never really understood all the animosity against | Mozilla or Firefox around this. | | IMO giving money toward homophobic causes is | reprehensible, and Eich sounds like someone I wouldn't | want to be friends with or work with, but he is not | Mozilla and Mozilla is not him. | | > _He has the freedom to say what he believes ... IMHO | this was just an excuse to get [rid] of him as CEO._ | | I support the right of employees to hold their executives | to high standards, even (especially?) when those | standards aren't directly related to the work they do. It | was a messy situation and perhaps not handled perfectly, | but I don't see anything wrong with the end result being | his resignation.
Yes, the timing was suspicious (I would | have been uncomfortable reporting to him "even" as a | CTO), but I would argue more along the lines of "took you | long enough" instead of "why is this suddenly an issue | now?" | | > _... but not his politics_ | | I really dislike seeing things like this phrased as | "politics". Treating other people with respect and giving | them equal rights isn't politics, it's basic human | decency. I hope in 50 years we look back at this time | period and are appalled at how we treated our fellow | humans. | [deleted] | devwastaken wrote: | As long as there's no leaks over http traffic of course. | Advertisers are great at data exfiltration. | LeoPanthera wrote: | > promote legal views that Mozilla disagrees with | | How would they know? | simias wrote: | The parent is transparently concern trolling so it's not | worth engaging with, but to answer your question it's | important to remember that VPN providers have access to all | of your traffic. Even if you use HTTPS and other encrypted | standards you can probably infer a lot of personal | information about a user by just monitoring when and where | they connect to. | | It's even arguably a bit worse than an ISP because any given | internet connection may be shared across many users, and | users often move between several connections managed by | different entities. VPN on the other hand are generally | personal and keeps tracking you regardless of whether you use | your home connection, mobile data or a free WiFi connection. | LeoPanthera wrote: | I know this, I only asked because Mozilla, like most other | VPN providers, promise not to snoop on your traffic, so | OP's concern boils down to "but what if they're lying?", | and you could ask that about virtually any service. | satoshivpn wrote: | What good is a VPN if you have to reveal all of your personally | identifiable information to the vendor? 
| | You're better off using Mullvad directly--it looks like they | don't require you to fork over personal information to use their | service. | | Shameless plug: SatoshiVPN (https://satoshivpn.com) gives you | access to your own private and anonymous VPN server with Outline | pre-installed, no questions asked. Payments in Bitcoin only. | dewey wrote: | > What good is a VPN if you have to reveal all of your | personally identifiable information to the vendor? | | Because most people's threat model doesn't include actors that | can force a VPN provider to give up their data. They just use | it because it's making it easier to not get data stolen in a | coffee shop and watch US Netflix. | satoshivpn wrote: | If you have two equally great user experiences and in one | case you have to share your personal information, and in | another you don't, which would you choose? | dewey wrote: | The one where the company behind has a good reputation and | seems trustworthy. Like Mullvad where their real address, | developers, history and open source projects are available | on the website (https://mullvad.net/en/help/no-logging-data-policy/) | and they have been around for a while without | any scandals that I'm aware of. | | If there's a new provider out with no name, company | address, audits or history and tells me they are not | sharing personal information I just have to take their word | for it. So it's not much better than the alternative if I | can't verify it. | umaar wrote: | Can you comment on the pricing? Am I understanding correctly | that 1 year of your VPN service costs $195 USD? | satoshivpn wrote: | That's correct. Or, $1 for 1 day. Or, 1 hour for free. | miniyarov wrote: | Public VPN services should not be trusted blindly. Online | anonymity is very hard. However, you can still create your own | VPN server on cloud providers for at least have some privacy | while you are on an untrusted network.
| | Because of this reason, I created https://zudvpn.com - It is a | free and open-source mobile application that's used to deploy a | private VPN server on major Cloud Providers! | | Github repo: https://github.com/zudvpn/ZudVPN | r3trohack3r wrote: | Assuming Mozilla isn't compelled by law to share its entire | database of user information on a rolling basis without a | warrant, I suspect (in the U.S.) it would be somewhat effective | at shielding yourself from bulk metadata collection (government | mass surveillance) of your online communications by obfuscating | that metadata. | | Compare this to your ISP and telecom providers. A subset of the | larger providers willingly handed over the communication | metadata of their users without warrant. | satoshivpn wrote: | You know what they say about assumptions. | r3trohack3r wrote: | We know as of 2013 this was the case. Participating in the | government's bulk metadata collection was voluntary. 2013 | is a long time ago though. | asimpletune wrote: | Might want to make pricing easier to find. | satoshivpn wrote: | Acknowledged. Thank you! | miniyarov wrote: | Public VPN services should not be trusted blindly. Online | anonymity is very hard. However, you can still create your own | VPN server on cloud providers for at least have some privacy | while you are on an untrusted network. | | Because of this reason, I created https://zudvpn.com - It is a | free and open-source mobile application that's used to deploy a | private VPN server on major Cloud Providers! | | Github repo: https://github.com/zudvpn/ZudVPN | maxisme wrote: | But doing this will give you a static IP which will make you | even less anonymous. | badrabbit wrote: | So long as it will never have anything to do with Firefox. Using | it for work would be risky if they did that. | koolba wrote: | Who is the target market for this in the markets it actually | operates (US)?
| | The only people I know that uses VPNs do so to download torrents | and evade DMCA notices. And in that case it only really works if | the VPN provider is itself located outside of US jurisdiction and | collects little to no information about you the user. | saltedonion wrote: | Given the high ethical standard of Mozilla I'm not sure how | popular this will be. | | For example, a while back there were research showing nord was | setting up users as proxies, thereby making it impossible for | Netflix to block these residential ips. | | I don't think Mozilla will do this. | Semaphor wrote: | Well, they use mullvad.net (I'm a customer), and they seem | pretty trustworthy while Nord was always the opposite of | trustworthy. | lawnchair_larry wrote: | As a security person, I am somewhat baffled by the popularity of | VPNs. I have no idea why anyone would use them for general | internet usage, and I suspect the majority of VPN service users | are misinformed about what they think they are gaining. | | Any VPN subscribers want to fill me in? The only thing I can | think of is hiding the source of pirated media being shared via | bittorrent. | pomokhtari wrote: | A lot of countries block access to websites. US and EU are not | the whole world! VPN helps people to circumvent censorship. | | I use a VPN daily because without it, there is no | Twitter/HackerNews/Reddit/Youtube/... . | lawnchair_larry wrote: | Totally understood for those countries, but it's still hugely | popular in the US. That's what I'm wondering about. | aryonoco wrote: | Many ISPs in the US perform DPI, sell anonymized data to | marketing companies, slowdown YouTube/Netflix when the | backend pipes are congested, etc. If you want your ISP to | provide you with a dumb pipe and not interfere with your | traffic, a VPN is an easy solution. | hendersoon wrote: | There are four primary reasons to use a VPN. | | 1) You live in an authoritarian country where mass surveillance | is a concern.
| | 2) Evading geo restrictions. Watching US Netflix while in | Europe, etc. | | 3) Evading your work's firewall so they don't know you're on | Facebook or whatever. | | 4) Piracy | aryonoco wrote: | Because my government passed a legislation that forces all ISPs | to collect all metadata and to store them and this information | is accessible to be searched by multitude of government | departments without a warrant. | | I am, in principle against this policy. When it was proposed, I | tried activism and letter writing and meeting with Senate | staffers to try and fight it. I lost, it became law with | bipartisan support from both major parties here. So now I use a | VPN. | | You find my usecase baffling? | dede4metal wrote: | I use it to stream stuff on Netflix that isn't available in my | country of residence. | maxisme wrote: | Sharing an IP address with a load of other people makes one | more anonymous. I know there are lots of different ways of | identifying someone online but it is a start. My ISP is also | behind a CGNAT so I am also sharing that IP with loads of other | people and also most ISPs don't provide static IP addresses so | you can't rely on that either but I guess I also trust my | VPN provider to handle identifying data more than my ISP as I | haven't even given them my name (Mullvad) | milofeynman wrote: | Because in the US at least, part of ISPs business model comes | from deep packet inspection of customers websites, dns queries, | habits and subsequent selling (or using) that data. If you have | a trusted VPN you can prevent that data and privacy siphoning. | "trusted" VPN company is a discussion for another time... | Skunkleton wrote: | When you connect to a VPN you advertise the fact that you are | connected to a VPN to your local network, and hide your tunneled | traffic. The tunneled traffic emerges elsewhere, with the extra | encryption removed and proceeds as normal.
Basically all a VPN | provides is a mechanism to pretend that your butt is in a | different seat. You hide your traffic from one network and expose | it on another. | | If you are on public wifi somewhere and are concerned about | traffic that isn't otherwise encrypted (DNS comes to mind), or if | your connection is in some way restricted (govt, shitty isp, | etc), then a VPN can address these issues. But you have to keep | in mind that your new network is similarly untrustworthy. | | You might argue that by hiding behind your VPN provider, you are | gaining anonymity. This might be true under the best | circumstances, but this can _very_ easily break down. For | example, the moment you load tracking_pixel.png then you are | de-anonymized. That is saying nothing about the shady practices of | the VPN providers themselves, or the governments that regulate | them. | | When people connect to a VPN, especially lay-people, there is | this feeling that the VPN is providing security, and privacy. | This is largely marketing BS designed to sell more subscriptions. | When I connect to a VPN I might be able to obscure my activity | from state actors, or avoid some coffee shop's bogus DNS server. | What I can't do with a VPN is avoid literally every other form of | tracking. And of course if I connect to a VPN, then I should be | ok with those same bad-actors knowing I am connecting to a VPN. | And I should be OK with the VPN provider being able to monitor my | unencrypted traffic. And I should be ok aggregating all of my | encrypted traffic into one easy to watch place. | | So what is a VPN providing the average consumer? If you want | privacy install ad block software, https everywhere, enable DoH, | don't log into social media sites, and clear your browser's cache | frequently. If you want to avoid a state actor, then your best | hope is probably something like Tor Browser. | pythonbase wrote: | And there are countries that force users to get their VPNs | registered.
| | https://www.pta.gov.pk/en/media-center/single-media/public-n... | ryanmarsh wrote: | If it's terminating at a host you don't control _it ain't | private_. | jrockway wrote: | I am surprised at how much money exists in the VPN industry. | Whenever I watch even a mildly-popular YouTube video, it always | has an advertisement for the latest VPN provider. As far as I can | tell, there is only one reason there is this much money in the | field -- to subscribe to US-based video streaming services from | outside the US. But they never ever say that that's the reason, | they always say things like "work from home securely" or "avoid | being tracked". But, of course, your IT department already has a | secure VPN for working from home, and that Facebook cookie works | regardless of what your IP address is. In general, the sell of | "you can't trust your network provider, so pay for an additional | network provider that doesn't keep logs and only accepts payment | in Bitcoins," doesn't seem particularly strong to me. Of course | you can't trust the network layer. Nobody trusts the network | layer. That is why we have TLS. (Anyone remember "wired | equivalent privacy" when WiFi was a cool and new thing? Turns out | wires don't offer much privacy.) | | So why people are buying this service confuses me. | | I am also confused at why people can run these services so | cheaply. I looked into doing it myself (I had some ideas for | actual value add), and the economics didn't seem that good. There | is a lot of software between "ifup wg0" and "collect money from | people that want a VPN". It seems expensive to write all that, | unless a "yolo" strategy of starting up openvpn and setting up a | couple NAT rules actually scales. (At the very least, you need to | be able to distribute keys to pre-built clients, and if you want | to make it smooth, you are looking at writing your own | Windows/Mac/Android/iOS clients. 
Then you need all the business | management software on top of that -- didn't get the Bitcoins so | delete their private key, etc.) It seems like quite a bit of work | that is quite expensive. | | But these things exist left and right and have huge advertising | budgets. So obviously I am misunderstanding something. | imglorp wrote: | I think you're right, a lot of VPN usage has to do with | circumventing some tiered, segmented, bullshit content provider | restrictions such as region or schedule or device type. | | The fact that all these people are paying for a service plus | VPN means the services are leaving money on the table. If they | would simply offer what we want, when we want, where we want | it, on the device we want, on a single service without a | hassle, many consumers would be lined up for that. | laughinghan wrote: | No, your premise is wrong, all major browsers have committed to | removing third-party cookies, or have already done so. And | after third-party cookies, your IP address is the next-easiest | way to track you across sites. | | _that Facebook cookie works regardless of what your IP address | is_ | | Firefox has been blocking third-party cookies by known | trackers, including Facebook, since last year [1]. Safari | started blocking all third-party cookies (not just known | trackers) in March [2], and Chrome committed in January to work | towards removing third-party cookies [3]. | | And of course, all major browsers have provided the option to | block third-party cookies since before IE6. I use this option, | it rarely breaks things, and it's only getting rarer--and I | don't use a VPN, so this would make me measurably harder to | track across sites. | | [1]: https://blog.mozilla.org/blog/2019/09/03/todays-firefox- | bloc... [2]: https://webkit.org/blog/10218/full-third-party- | cookie-blocki... [3]: | https://blog.chromium.org/2020/01/building-more-private-web-...
| alteria wrote: | They must massively oversubscribe their services, far beyond | ISPs. The advertising probably brings in a lot of profitable | users who aren't pushing tons of BitTorrent traffic as well. | With the insanely high affiliate commission they're offering I | can't think of another way. | ipython wrote: | The conspiratorial side of me says that they have alternate | revenue streams as well. Why should only google get that | sweet cash from a steady stream of user data? | toohotatopic wrote: | 1Tbyte for $1-$0.5, that gives you 30Gbyte per day. At $5 | resale, there's some room for profits. | | If I am not mistaken, that's 10 hours of video streaming in | excellent quality per day. | TechBro8615 wrote: | The VPN providers are not paying per gb. They are paying for | IP transit, probably in the range of 50c / mbps. They make | money by oversubscribing, just like any ISP. | surround wrote: | > At Mozilla, we are working hard to build products to help you | control of your privacy and stay safe online. | | > We know that we are on the right path to building a VPN that | makes your online experience safer | | Commercial VPNs are good for censorship circumvention or location | spoofing. It is irresponsible to market VPNs as something which | "protects" you online. In reality, they do _nothing_ to improve | security, and very little to improve privacy. | | You do not need a VPN. | | https://gist.github.com/joepie91/5a9909939e6ce7d09e29 | | https://schub.io/blog/2019/04/08/very-precarious-narrative.h... | ryantgtg wrote: | The "Don't use VPN services" argument is weak because it | doesn't acknowledge one of the most common reasons for using a | VPN: avoiding DMCA notices. | surround wrote: | That's what I said. VPNs are good for "location spoofing," | i.e. changing your web-facing IP address to a different | region. VPNs are great for this purpose. 
|
| The issue is, VPN companies (Mozilla included) are marketing their service as one that improves your safety when it doesn't.
| ryantgtg wrote:
| The value of location spoofing is to access geographically-restricted content (like a netflix show that is available through their service in Europe but not the US), not to avoid DMCA notices. VPNs are valuable for avoiding DMCA because it hides from your ISP (the entity serving you the notice) what you are torrenting.
| crazygringo wrote:
| Agreed -- they provide some _tiny_ specific benefits for security (e.g. against Wi-Fi hacking if accessing a site over HTTP, rare these days) and privacy (no geolocating), but the Mozilla copy says:
|
| > _feel empowered, safe, and independent while being online_
|
| Huh? This is doing _nothing_ to protect me from _any_ of the common attacks. It's not wiping my cookies. It's not anonymizing my browser fingerprinting. It's not blocking analytics or tracking. It's _certainly_ not protecting my credit card details or password from being hacked from a website's server.
|
| Am I more "empowered"? "Safe"? "Independent"? What is this nonsense marketing fluff?
|
| To market this as being able to control my privacy or stay safe online is just _completely_ disingenuous. Mozilla should be ashamed for trying to imply such strong claims that are just false.
| danShumway wrote:
| > In reality, they do nothing to improve security
|
| This is a bad take. I don't have the energy/time to go too in depth at the moment, but I've commented in more detail in the past. The short version:
|
| - HTTPS isn't perfect, sites sometimes support old encryption protocols that can leak resource information. Most users aren't checking packets from native apps to ensure they're being sent over HTTPS, and browsers don't mark sites that are configured for old SSL/TLS versions as insecure.
|
| - Most people aren't currently using encrypted DNS, and even as browsers like Firefox and Chrome move to turn it on by default, there will still be tons of older devices and native applications that lag behind.
|
| - VPNs only encrypt your connection from you to the provider, but the space between you and the provider is the part that's most likely to be targeted by attackers. You are far more likely to accidentally send a plaintext POST request to an infected router than you are to be targeted by a nation-state actor on the open web.
|
| - VPNs aren't just for hiding what sites you visit from your ISP, they're also for hiding your IP address. The linked claim that IP addresses are irrelevant is just outright wrong, IP addresses are extremely helpful for doxing, and sites like forums don't always secure them[0]. If you know my IP address, you'll be able to get surprisingly close to my real address.
|
| A VPN on its own will not protect you or provide you with a noticeable privacy increase. And a VPN should not be the first thing you reach for if you're trying to improve your privacy. But if you're already using an adblocker, if you're already taking steps to mitigate tracking in Firefox, if you're already disabling Javascript on most sites, if you're already avoiding native apps that break the browser sandbox or engage in hardware tracking, you do eventually reach a point where your IP address is a concern you will want to address.
|
| Ask yourself a few questions:
|
| - If IP addresses don't actually matter for tracking, then why is TOR wasting so much time and energy trying to mask them?
|
| - If masking an IP address doesn't provide any extra privacy, why do some services like Google Captcha penalize shared IP addresses?
|
| - If IP addresses don't matter for tracking, why are so many sites using IP bans at all?
|
| The answer is that IP addresses _do_ matter, they're just not the _only_ thing that matters.
|
| ----
|
| [0]: https://danshumway.com/blog/gamasutra-vulnerabilities/
| r3trohack3r wrote:
| I see this take a lot. Serious question: doesn't the U.S. government surveillance program focus on collecting communication metadata for U.S. citizens? While it isn't clear what that metadata includes, we do have examples of past programs that have leaked (and the legal theory used to justify them) to guide us.
|
| Given what we publicly know about these surveillance programs I could see FISC approving bulk metadata collection for the IPv4 header content, insecure HTTP header content, and DNS queries.
|
| Wouldn't using a VPN, DNS over HTTPS, and HTTPS everywhere shield you from these bulk metadata collection programs? I run https://everytwoyears.org, a political non-profit focused on ending these programs, and I view VPNs as a key technical piece of preventing these metadata collection programs from functioning; if the security community doesn't believe they are effective, I would really like to know!
|
| Another way of saying this: collecting _content_ of a communication requires a warrant (and our mass surveillance programs respect that from what we publicly know). Most people that I know aren't trying to avoid active (we have a warrant to search you) monitoring with a VPN, but trying to avoid passive warrantless monitoring. Obscuring communication metadata through encryption and tunneling seems to be an effective way of doing this.
| PureParadigm wrote:
| If I were a government trying to gather metadata about web usage, the first thing I'd do is set up or acquire my own VPN company (and make it look convincing, of course).
| [deleted]
| surround wrote:
| This is a good question and I would like to discuss it.
|
| If the government is able to passively collect metadata from your ISP, couldn't they do the same thing with a VPN company?
| r3trohack3r wrote:
| The original form of the Presidential Surveillance Program didn't compel service providers to share this metadata. The providers willingly shared it. There is a reference to a service provider backing out of the agreement several years after it started stating they would feel more comfortable continuing to share their data if the government compelled them.
|
| This may have changed since 2013.
| [deleted]
| cameronperot wrote:
| A little late in the game, but they're a brand I would hold in higher regard than 99% of the other providers out there. I believe that a lot of people misunderstand what exactly a VPN is and what scenarios it offers benefits of use in. I personally host my own VPN on a lowendspirit server [1] for when I'm on an untrusted WiFi network or I need to have an IP in the US (it comes in handy as a US citizen living abroad). I also use a VPN sometimes when I have a dev server (hosted on the server itself) that I'm developing/testing on since being on the same network as the server makes things easier, e.g. having a container with an API bound to the VPN network so that I can access it easily and without it being public facing.
|
| Of course there's also the shady side of VPN use. If you're doing that it might be beneficial to use the VPN within a VM with strict firewall rules, i.e. only allow incoming/outgoing to/from the VPN. Doing so allows you to only send the traffic you want to over the VPN, thus reducing your exposure to any nefarious data collection that the provider might be doing.
|
| [1] https://lowendspirit.com/
___________________________________________________________________
(page generated 2020-06-18 23:00 UTC)