-1

I've been considering a VPN tunnel, specifically PIA.

These types of companies make bold claims of complete anonymity and privacy, with no one in the world (ISPs, governments, school or corporate network monitors, no one) being able to know the contents of your web traffic.

Simply put, are there any hidden gotchas? How can such a thing exist for such a relatively low price and truly be that secure?

And of course, let's ignore the gotchas of "VPNs log your traffic" (let's assume you've chosen one that doesn't) and "the encryption could always be broken" (let's take difficult-to-execute exploits off the table).

I'm concerned about this for a variety of reasons. I don't want to be profiled by corporations; I have political and social leanings that I don't want to be uncovered both by governments and just anybody; I don't want my peer-to-peer activity throttled or inspected; etc. I just don't want my activity used against me by anybody.

I of course am doing only ethical things :)

A narrower version (tell me if I should ask a separate question): are VPNs effective at hiding activity from "localized" gateways like an ISP or a school/corporate network?

blaineh
  • Have you searched for [VPN privacy](https://security.stackexchange.com/questions/tagged/vpn+privacy) on this site? There are many similar questions. – Neil Smithline May 31 '16 at 20:09
  • Exactly what do you mean by "completely private"? Are you worried about the NSA or other nation states snooping on you? Are you asking if you can download with impunity but not worried about the NSA? Other? – Neil Smithline May 31 '16 at 20:11
  • Your 'narrow version' edit significantly changed the question and rendered both existing answers invalid. It may have made more sense to close the question and create a new one. – Neil Smithline Jun 01 '16 at 01:13

2 Answers

3

The hidden gotchas are pretty much the ones you already described in your question:

  • Trust that your VPN tunnel will not log your actions;
  • Also, that they use strong cryptography (you have to look at the specs of each tunnel provider);
  • Trust they are not using any compromised network equipment (also, research the truth behind those stories);
  • Trust that they will go to the internet after some hop count on their servers (it will not be so obvious to have an internet IP in the same country as you);
  • Trust that this Tor-like hop scramble will also be encrypted;
  • Trust that the tunnel provider has a good security policy when laying off employees.
  • Research if the last point of contact between the VPN provider and the internet will be in a country that is not a champion of Internet censorship (surveillance).

Basically, whenever you see the "complete anonymity and privacy" banner, you will have to trust them (or not).

Answering your short question: Yes, they are an effective way to hide your activity from your gateway/ISP. But you will need other tools, like a secure browser that would not allow scripts to get your real IP address. If you access a site where login is required, and this site sees that you are logged in using a well-known VPN IP, and the same site gets the information about your real IP address through scripts in your web browser, it will be easy to cross-check information about you. Being hidden also depends on what kind of activity you are doing (web browsing, mailing, SSH...).

3

These claims are ridiculous.

There are plenty of threat models that aren't covered by VPN services like this:

  • VPN server is compromised.
  • Other network infrastructure within the VPN server's network segment is compromised.
  • VPN provider receives a National Security Letter or similar warrant.
  • VPN provider's network communications are monitored upstream, and a combination of content inspection, traffic analysis, and shaping are used to identify the source.
  • Employee at the VPN provider captures traffic and uses it for their own gain (direct use or sold).
  • Employee at the VPN provider is leveraged (blackmailed, bribed, etc.) into compromising traffic.

These are in addition to the problems that you already excluded from the threat model, though I'd argue that weak configuration on the crypto is not something you should exclude, as old VPN protocols can allow for a complete compromise of the connection. This also ignores the fact that most paid-for VPN solutions still provide a random certificate that you have no easy way to validate, and chances are you'll click through any certificate error regardless.

At the end of the day, VPNs are not privacy or anonymity tools. They are sold as such by people looking to make money, despite not really providing much privacy or anonymity at all. VPNs were designed from the ground up as nothing more than a mechanism to bridge LANs over long distances. They do not have the inherent capability to provide privacy or anonymity, and any such exhibited capability is entirely incidental.

If you want privacy and anonymity, use an anonymity network such as Tor and change your browsing and communications habits to achieve those goals.

Polynomial
  • I think your generalized dismissal of VPNs misses the fact that they are useful for torrenting copyrighted material. Something that [doesn't work well over Tor](https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea). – Neil Smithline Jun 01 '16 at 00:58
  • @NeilSmithline They're only good for that because ISPs don't care about stopping you. If they wanted to perform traffic analysis and identify you, they could quite trivially. – Polynomial Jun 01 '16 at 08:32
  • @NeilSmithline I'd also argue that people aren't looking for privacy or anonymity in such a case; they're looking for a workaround to an automated network restriction which blocks them from reaching torrent sites. – Polynomial Jun 01 '16 at 08:33
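
The second answer's points about weak crypto configuration and server certificates that are never validated can be checked on the client before connecting. The following is an added example, not part of the original answers or any provider's code: it assumes an OpenVPN-style client config (the page names no protocol), and the sample configs, hostname and weak-algorithm lists are constructed for illustration.

```python
import re
# Constructed sample configs; OpenVPN client syntax is an assumption, the page names no protocol.
WEAK = """client
remote vpn.example.invalid 1194
cipher BF-CBC
auth MD5
<ca>
constructed-placeholder-not-a-real-certificate
</ca>
"""
HARDENED = """client
remote vpn.example.invalid 1194
remote-cert-tls server
verify-x509-name vpn.example.invalid name
data-ciphers AES-256-GCM:CHACHA20-POLY1305
auth SHA256
ca ca.crt
"""
WEAK_CIPHERS = {"none", "bf-cbc", "des-cbc", "des-ede3-cbc", "rc2-cbc", "cast5-cbc"}
WEAK_AUTH = {"none", "md5"}  # packet HMAC disabled or deprecated digest
IDENTITY_CHECKS = {"remote-cert-tls", "verify-x509-name", "peer-fingerprint"}

def parse_directives(text):
    """Map each directive to its argument lists, skipping comments and inline <tag> blocks."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if block:  # inside an inline <ca>...</ca> style block: skip its body
            block = None if line == f"</{block}>" else block
        elif re.fullmatch(r"<[\w-]+>", line):
            block = line[1:-1]
        elif line and not line.startswith(";"):
            name, *args = line.split()
            directives.setdefault(name.lower(), []).append(args)
    return directives

def audit(text):
    """Return findings for unchecked server identity and weak cipher/HMAC choices."""
    d, findings = parse_directives(text), []
    if IDENTITY_CHECKS.isdisjoint(d):  # no directive ties the cert to a server role or name
        findings.append("server-identity: certificate role/name not verified")
    named = [a[0] for a in d.get("cipher", []) if a]
    named += [c for a in d.get("data-ciphers", []) if a for c in a[0].split(":")]
    findings += [f"weak-cipher: {c}" for c in named if c.lower() in WEAK_CIPHERS]
    findings += [f"weak-auth: {a[0]}" for a in d.get("auth", []) if a and a[0].lower() in WEAK_AUTH]
    return findings

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(cfg))
```

A clean result only covers the client's own settings; it says nothing about logging, compromise or legal pressure at the provider, which are the threat models listed in the answers.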