Update all services criteria to work with Tor/VPN

tbh, I haven’t had any issues when using some services recommended by PG while using a VPN, but Tor users may have faced issues. I recall when Startpage was recommended on the website it used to block any proxy aggressively. So, it will be great if all services recommended don’t block any proxies.

1 Like

100% agree, this should be a criterion for all services

This is a great idea, but as a developer, I’m concerned about potential challenges, such as preventing DDoS attacks or other forms of abuse. To be honest, I’m not entirely sure how to handle these issues effectively. I suspect that many services avoid using Tor or proxies because it’s difficult to detect DDoS attacks or abuse in those environments.

OBS: I think implementing a rate limit could help manage these types of protocols and mitigate DDoS attacks. However, there’s a risk of degrading the user experience, which might only partially “avoid” DDoS issues.

1 Like

I think this is a bad idea. Any criterion that requires the service to also work with Tor is going to massively limit what PG can recommend, which will only benefit the minority of users whose threat model requires Tor.

2 Likes

PG recommends using a VPN in general, and not just for people with specific threat models.

Should I use a VPN? Yes, almost certainly. A VPN has many advantages, including: (…)

from here

So if a recommended service doesn’t work with a VPN, either by requiring endless captchas or straight up not blocking you, then that service shouldn’t really be recommended, right? Because you’ll have to turn off your VPN to use the service and then you’ll end up not using your VPN at all - against the general PG recommendation.

I’m also not sure which services - if any - are really excluded by this. I’ve had some problem using Google Search behind a VPN, but DuckDuckGo or Brave Search still work, for example. (Brave Search has a PoW “captcha” that doesn’t require any interaction.)

edit: another argument is that many people live in countries with heavy Internet censorship and simply have to use a VPN or Tor to access the wider Internet and the recommended privacy services.

4 Likes

I think this is a slippery slope.

This assumes all services will work / not work the same for all VPN providers.

What if a service works for one of the recommended VPNs but not all of them? Is PG now supposed to recommend you pay for a subscription to multiple providers?

What is the process for proving a service is not working due to the VPN? Is someone going to test to make sure every server on that VPN has the same issue with that service?

Requires WASM, which is blocked by default in Tor/Mullvad Browser at Safer and higher, as well as Vanadium, Mulch, Mull, and Cromite.

I think testing with Tor is a better way to test it. The exit nodes are public so everyone knows their IPs. If a website refuses to work with Tor then it might also block known VPNs but maybe not. On PG we could add a warning banner like “This service is known to block Tor users and might block users of some VPNs as well.”

Interesting, I didn’t know that. I think they have a “traditional captcha” too which you can request during the PoW captcha. I guess having a captcha is not really a problem as long as it’s:

  • not every single time (e.g. a new captcha for every single search query even if just minutes apart)
  • actually solvable (e.g. NOT using Google ReCaptcha because those will sometimes just tell you straight up “We’re sorry, but your computer or network may be sending automated queries. To protect our users, we can’t process your request right now.” without any way to prove that you’re a human).

I just don’t see a good argument for why a website would need to block Tor exit nodes or VPNs without any workaround like a captcha or login wall. Especially for privacy services that should be well aware that a lot of their customers are using a VPN or Tor.

1 Like

I am a bit confused.

Even by your own admission this seems like a pretty poor way to test if a VPN even meets the standard you’re advocating for.

I replied to a comment from you that was specifically about VPNs but your response seems to be more about Tor. I don’t think the two should be conflated. Requiring all services also work with Tor is a more stringent standard than VPNs. Although my conclusion about the two is the same, that is, neither should be a criterion for a service to be recommended.

I don’t necessarily have anything against doing this. I think this could be done as a benefit to people who use Tor or who use VPNs for all activities. This seems like a much better option than making compatibility with Tor or VPNs a requirement.

I guess a good way to test for VPNs would be to use one of the popular, free VPNs like the free tier of ProtonVPN or the Opera VPN. These only give you a couple of free servers so their IP addresses are probably in all the VPN blacklists.

I agree with the sentiment here, particularly the focus on threat modeling.

For example, a threat model for a service like privacy.com does not involve achieving anonymity. Rather, privacy.com protects against the threat of Public Exposure, specifically, limiting the amount of information you provide to merchants online.

Using Tor (or even a VPN) while applying for privacy.com not only doesn’t provide any privacy benefit—you are asked for PII anyway when opening an account[1] due to federal AML law—but it may be counterproductive because it can trigger any fraud detection that may block you from using the service.

There was a similar banner for the Startpage recommendation which was then removed after they added an onion service. Do note, though, that usage of Tor with Startpage or any other recommended search engine does make sense if your threat model calls for anonymity, particularly to disassociate your searches with identifiers like IP addresses.

However, as with the example I outlined with privacy.com, this is not the case for all service providers that are recommended on the site.


All in all, I’m marking this idea—which proposes a blanket criterion be applied to all services—as rejected for the reasons I stated above and the concerns raised by @Parish2555.


  1. Again, this is okay because it fits the above threat model: you are entrusting your information with privacy.com rather than a number of merchants. ↩︎

3 Likes

Counterargument - at least for a VPN: if you keep encountering issues with websites blocking the VPN, you’re more likely to turn your VPN off altogether. Because nobody will want to keep track of which websites they can use with a VPN and which ones not. And as PG says, using a VPN is recommended for pretty much anyone but never with the expectation that it makes you anonymous.

And the second argument would be for countries where a VPN is required because vast parts of the Internet are blocked otherwise. So while I kind of get why websites are wary of Tor users, there are very legitimate reasons to use a VPN and I’d say blocking VPNs is somewhat suspicious behaviour (e.g. Reddit now having a login wall for VPN users because they want to track what you’re reading).

1 Like