I’m so tired of this type of misinformation. It’s to the point now where I’m beginning to think assertions like this one are intentional glowie disinfo campaigns.
(The following arguments presuppose the use of a no-log VPN provider like Mullvad):
Your ISP can potentially know you’re using TOR without a VPN. Guess what? ISPs regularly sell data to 3rd parties and government actors. Want to wind up on some secret Palantir list? Keep feeding your ISP your info.
Anyone with a packet sniffer (like Wireshark) can potentially sniff and analyze traffic on your network. Certain MITM attacks can functionally “decrypt” https traffic, totally exposing your online activities on a granular level. A good VPN will severely mitigate this risk.
Don’t want data brokers creating invasive profiles on you that can potentially be used later by authoritarian regimes and corporate predators? Use a VPN to help mitigate fingerprinting efforts. Obviously, you’ll need more than a VPN to achieve anything approximating true anonymity, but don’t make it easy for them.
If you don’t care about being spied on by corporations (and by extension, the government), then don’t worry about it. If you do care, use a solid VPN.
Indeed, and this is troubling. Age verification will not just interfere with VPNs but also Tor and other anonymizing networks.
I agree VPNs are often falsely advertised, overhyped and blindly trusted, but I disagree they are useless most of the time. The usefulness and use cases depend on each person’s situation and goals: hiding the user’s IP address, censorship circumvention, hiding Tor usage, protecting unencrypted traffic, etc.
For VPNs and many other things, I see there is “absolute trust” (is X trustworthy?) and there is “relative trust” (is X more trustworthy than Y?). The idea of “relative trust” was already mentioned in this thread several times.
For “absolute trust,” I have no expertise in evaluating VPNs, but some criteria include how the VPN provider responds to policy and technical questions, audits, and how much personal information they collect.
For “relative trust,” some users trust their VPN provider more than their ISP or the local shady cafe’s wifi. Sometimes the relative trust is easily determined not by the VPN’s trustworthiness alone but by a high distrust of the ISP or local wifi.
You can spin up your own VPN using your own hardware (e.g. OpenWRT router) or a rented VPS. This will bypass the vast majority (perhaps all?) of VPN blocklists while still “hiding” your IP address.
Yeah, exactly. The main reason we recommend using a VPN is the diversity of choices. In most areas there is typically no free market of ISPs to choose from. If somebody has to handle your unencrypted traffic then at least some will be better off with a multitude of options.
Plus most traffic is encrypted, so in a worst case scenario of your VPN turning out to be worse than your ISP the downside isn’t too severe. I think that tips the risk calculation towards using a VPN even more for most people. If this were 15 years ago and unencrypted HTTP was everywhere it would be harder to recommend a VPN, at least for home usage (still would make sense for public/shared networks).
Additionally, sharing an IP with others is a small but non-zero benefit, which gives a slight edge to using a shared provider over self-hosting a VPN.
Definitely not true, unless you are installing a malicious Root CA certificate on your device. But that’s sort of a “man on the end” attack if you are compromising your endpoint that significantly.
There is a lot of metadata about HTTPS traffic that can be discovered by your network, like the IP you’re connecting to and the domain name if ECH isn’t used. That isn’t anywhere near “functional decryption” though. That’s the sort of thing scummy VPN providers want people to believe.