
This is always topical: Don't use VPN Services

https://gist.github.com/joepie91/5a9909939e6ce7d09e29




> Your IP address is a largely irrelevant metric in modern tracking systems.

I don't believe this for one second.

Your IP address on its own is not sufficient to identify you. That doesn't mean your IP address is not helpful in identifying you.

If you have Javascript disabled, it is a heck of a lot easier to identify you with a combination of an IP address, user agent, and OS than it is to identify you without the IP address cutting down the pool of potential visitors.

On top of that, if you're targeting me and do a geo-location of my IP address, it will get you within 5 miles of my house. That's close enough that you'll know which county I'm in, which with a few other easily-obtained pieces of information will let you pull up my voter registration, which will give you my exact street address.

Of course, you could mitigate this by setting up your own VPN on something like Linode, but unless you're regularly rotating IP addresses, you've just traded a pseudo-identifier that multiple people/devices share for a persistent identifier.

This argument comes up all the time, and I have never heard anyone explain it in a way that passes my sniff test. If you want me to stop using a VPN, you need to do a lot better than just claiming that IP addresses don't matter -- you need to show some kind of evidence to back that up.
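The point above (an IP address is not an identifier on its own, but it shrinks the pool that the other attributes have to be unique within) can be made concrete as a k-anonymity calculation. This is an added example, not code from the thread or from the linked gist; the visitor list is constructed sample data, and the /24 grouping and the attribute set (user agent, OS) are assumptions chosen to mirror the comment. The "exact IP" row is the fixed-exit personal VPN case mentioned above: a single unshared address is itself a persistent identifier.

```python
import ipaddress
import math
from collections import Counter

# Constructed sample of one site's visitors (not real traffic): (client_ip, user_agent, os)
VISITORS = [
    ("203.0.113.10",  "Firefox/115", "Linux"),
    ("203.0.113.77",  "Firefox/115", "Windows"),
    ("198.51.100.5",  "Firefox/115", "Linux"),
    ("198.51.100.9",  "Firefox/115", "Windows"),
    ("192.0.2.33",    "Chrome/120",  "Windows"),
    ("192.0.2.34",    "Chrome/120",  "Windows"),
    ("192.0.2.35",    "Chrome/120",  "Windows"),
    ("192.0.2.36",    "Chrome/120",  "macOS"),
    ("203.0.113.200", "Safari/17",   "macOS"),
    ("203.0.113.201", "Safari/17",   "macOS"),
    ("198.51.100.77", "Chrome/120",  "Linux"),
    ("198.51.100.78", "Firefox/115", "Linux"),
]


def ip_prefix(ip, bits):
    """Collapse an address to its /bits network so NAT'd or neighbouring addresses group together."""
    return str(ipaddress.ip_network(f"{ip}/{bits}", strict=False))


def fingerprint(visitor, ip_bits=None):
    """The tuple a tracker keys on. ip_bits=None ignores the address entirely (assumed attribute set)."""
    ip, ua, os_name = visitor
    key = (ua, os_name)
    return key if ip_bits is None else key + (ip_prefix(ip, ip_bits),)


def anonymity_set(visitors, target, ip_bits=None):
    """How many visitors share the target's fingerprint; k == 1 means uniquely identified."""
    counts = Counter(fingerprint(v, ip_bits) for v in visitors)
    return counts[fingerprint(target, ip_bits)]


def identifying_bits(total, k):
    """Bits of identifying information a fingerprint yields when k of `total` visitors share it."""
    return math.log2(total / k)


def report(visitors, target):
    """Anonymity set size and bits for one visitor without the IP, with a /24, and with the exact IP."""
    out = {}
    for label, bits in (("no IP", None), ("IP /24", 24), ("exact IP", 32)):
        k = anonymity_set(visitors, target, bits)
        out[label] = (k, round(identifying_bits(len(visitors), k), 2))
    return out


if __name__ == "__main__":
    # A Firefox/Linux visitor from a quiet /24 versus a Chrome/Windows visitor from a busy one.
    for v in (VISITORS[0], VISITORS[4]):
        print(v, report(VISITORS, v))
```

For the first visitor, browser and OS alone leave three candidates (2 bits); adding the /24 collapses that to one. For the Chrome/Windows visitor the /24 is shared by three identical fingerprints, so the address adds nothing until it is taken exactly, which is the situation a single-tenant VPN exit creates.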


If you have Javascript disabled, it is a heck of a lot easier to identify you because you're one of the very few who disabled Javascript.


Eh. If you're enabling JS because you think it's going to help you blend into the crowd, I am skeptical that you understand how powerful JS fingerprinting actually is, particularly around cache abuse and super-cookies.

You don't need to go all the way, but the very least I would advise turning on the resist-fingerprinting config in Firefox. At a minimum, block things like canvas/webGL. You're making yourself more identifiable by doing so, but the alternative is worse.

Now, if you're not using a VPN, and you're in a rural area, and you're on Linux/Firefox with Javascript disabled -- sure, I definitely buy that I could do some pretty decent correlation with that info. That's why VPNs (for all their flaws) still matter.


Sure, I do understand that, and yes IP hiding does matter. I'm merely pointing out that disabling Javascript (and eventually enabling some set unique to you, to un-break a broken site) is just another way to leak some bits one might want to be aware of. Faking the common fingerprinting vectors known to expose you uniquely is possibly a better way... until the new ones are found. I don't know. The leaking bits need to be carefully accounted for, and you don't know the site userbase for sure to blend into the largest cluster possible. I don't think that fingerprinting is something that can be fought by the end user efficiently, besides the very obvious things like blocking the major vectors.


That's a good point.

> Faking the common fingerprinting vectors known to expose you uniquely is possibly a better way...

I wish there was more research being done around this. I appreciate what Firefox is doing, and I assume there are good reasons for their fingerprinting strategies. They know more than me about this stuff. But... it still sets off some alarm bells in my head. It seems like it would be strictly better to spoof location/canvas/microphone data instead of only blocking it.


Yes and no.

Disabling javascript is like wearing a ski mask in a crowded mall.

It makes you much more obvious and easier to track, but harder to identify on the outset.


Are there really so few of us? It feels like there should be millions of us: https://addons.mozilla.org/en-GB/firefox/addon/noscript/


Modern "web apps" written purely in tens of MB of JavaScript complicate it a bit.


But who wants to put in the effort to develop tracking for non-JS users? In reality, most will just ignore the few users that don't want to be tracked. Even uBlock Origin should be enough for most.

However, IP is certainly used. I know of a few cases where IP is at least used as a filter. Most websites won't see that many users from one IP address.


> Your IP address on its own is not sufficient to identify you.

Wasn't there a story yesterday that the FBI tracked a guy who had logged into jihadi forums via the IP, and knocked on the door with a copy of a passport of the guy's dad?


> Because a VPN in this sense is just a glorified proxy. The VPN provider can see all your traffic, and do with it what they want - including logging.

So can my ISP, and they have been confirmed to sell customer data and work directly with the NSA.

https://en.wikipedia.org/wiki/Room_641A

https://www.theguardian.com/business/2016/oct/25/att-secretl...


Pick a cloud provider you trust. I was thinking of moving from Digital Ocean (US) to Hetzner (German) and setting my own VPN up through a normal server.


I've pondered this before, but I don't see much advantage in having my traffic which currently comes from many IP addresses as I roam about the world, many of them shared and constantly changing, all come from one IP address that is absolutely only me.

Plus browsing the web from a hosting provider is a worse web; you'll get more sites rejecting you or putting you through bad CAPTCHAs all the time, because any service you can rent a server from, all the spammers and scrapers and other bad actors can rent from too, so you're pretty likely to end up in an IP space with bad reputation.

If anyone can argue me out of this position, go nuts. I want this to work and do something useful, I just can't convince myself it does even with that bias.


This worse web is literally Google bullying you unless you tell them everything about who you are.


No, that's a different web. I live in the "google bullying" web between my combination of using Firefox + uMatrix on desktop, Brave on Android, and DuckDuckGo as my search engine. Google gets very little of my desktop info and fragmentary mobile use only. I do a few extra CAPTCHAs but it's not too bad.

The "I think you're a bad actor" web is much worse. Ask Tor users.


Sorry, I confused the two. I'm out here using Tor for my privacy (good kid; didn't do nuffin').


If you're in the US, how exactly does moving from a US host to a German host make you more secure?

At least there are a few shreds of controls remaining on US agency surveillance of US persons using US networks.

But there are absolutely zero controls on monitoring networks beyond US borders, so it's open season for non-US hosts.


>If you're in the US,

Not just US location or even US services: it's hard to be secure when we know that the US government is reading and storing everything they can.

In comparison -- the EU is not. The EU has the opposite approach and takes data privacy very seriously. This is backed up with effective legislation.


Just because the host is in the EU doesn't prevent the US from monitoring it.

EU hosts are almost certainly monitored even more by US agencies than US hosts.

GDPR doesn't fix any of this.

"Europe furious, 'shocked' by report of U.S. spying"

https://www.cnn.com/2013/06/30/world/europe/eu-nsa/index.htm...


Why are public cloud providers more trustworthy than VPN providers? Some VPN providers are sketchy but not all of them.


It's not that they're more trustworthy, it's that you have more control. They could be feeding traffic to the NSA as well, but you can encrypt it yourself. With VPN services like Nord you're relying on other people to do that for you. VPN services can often offer convenience features like country switching etc., but if security is what you're after, then cloud providers and setting up your own VPN seem like a more reliable alternative.

To the people looking to set up a simple HTTP proxy in three steps:

1. Set up a server instance whose IP you know and have configured ssh.

2. In Browser: Manual SOCKS Proxy: 127.0.0.1: your_chosen_port

3. In terminal: ssh -i ssh_key -D your_chosen_port user@ip_address
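The three steps above work as written, but they have one trap: a SOCKS proxy only carries what the browser hands it, and by default Firefox resolves hostnames locally and sends only the resulting IP through the tunnel, so every site you visit still shows up as a DNS query on the coffee-shop network. The added example below (my code, not the commenter's or OpenSSH's) builds the step-3 command, emits the Firefox `user.js` prefs for step 2 with `network.proxy.socks_remote_dns` turned on, and checks a running tunnel by speaking RFC 1928 SOCKS5 to it with a domain-typed CONNECT, which is the request shape under which the ssh server, not your laptop, resolves the name. The key path, user and `ip_address` are the placeholders from the comment; port 1080 and `example.com` as the test destination are assumptions.

```python
import shlex
import socket
import struct


def ssh_dynamic_forward_cmd(key_path, user, host, local_port):
    """ssh invocation for step 3, binding the SOCKS listener to loopback only."""
    return ["ssh", "-i", key_path, "-N",
            "-D", f"127.0.0.1:{local_port}",
            "-o", "ExitOnForwardFailure=yes",
            f"{user}@{host}"]


def firefox_socks_prefs(local_port):
    """user.js lines for step 2. socks_remote_dns is the one people forget: without it Firefox
    resolves names through the local resolver and the hostnames you visit leak to the LAN/ISP."""
    return "\n".join([
        'user_pref("network.proxy.type", 1);',
        'user_pref("network.proxy.socks", "127.0.0.1");',
        f'user_pref("network.proxy.socks_port", {local_port});',
        'user_pref("network.proxy.socks_version", 5);',
        'user_pref("network.proxy.socks_remote_dns", true);',
    ]) + "\n"


SOCKS5_GREETING = b"\x05\x01\x00"      # VER=5, one method offered: NO AUTHENTICATION REQUIRED
SOCKS5_METHOD_OK = b"\x05\x00"         # server selected method 0x00


def socks5_connect_request(hostname, port):
    """RFC 1928 CONNECT with ATYP=0x03 (domain name): the name travels to the far end unresolved."""
    name = hostname.encode("idna")
    if not 0 < len(name) <= 255:
        raise ValueError("hostname must be 1..255 bytes")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def socks5_reply_ok(reply):
    """True iff the proxy answered VER=5, REP=0x00 (succeeded)."""
    return len(reply) >= 2 and reply[0] == 0x05 and reply[1] == 0x00


def check_tunnel(local_port, hostname="example.com", port=443, timeout=5.0):
    """Open one domain-typed CONNECT through a running `ssh -D` listener (assumed port/host).
    A success reply means the ssh server resolved the name and made the outbound connection."""
    with socket.create_connection(("127.0.0.1", local_port), timeout=timeout) as s:
        s.sendall(SOCKS5_GREETING)
        if s.recv(2) != SOCKS5_METHOD_OK:
            return False
        s.sendall(socks5_connect_request(hostname, port))
        return socks5_reply_ok(s.recv(262))   # longest possible reply: 4 + 1 + 255 + 2 bytes


if __name__ == "__main__":
    import sys
    local_port = int(sys.argv[1]) if len(sys.argv) > 1 else 1080
    print(shlex.join(ssh_dynamic_forward_cmd("~/.ssh/id_ed25519", "user", "ip_address", local_port)))
    print(firefox_socks_prefs(local_port))
    if len(sys.argv) > 2 and sys.argv[2] == "check":
        print("tunnel ok" if check_tunnel(local_port) else "tunnel failed")
```

Run it with the port as the first argument to print the command and prefs; once the ssh session from step 3 is up, `python3 tunnel.py 1080 check` confirms the listener accepts domain-typed requests. The same distinction exists in curl: `--proxy socks5h://127.0.0.1:1080` resolves on the far end, `socks5://` resolves locally.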


> You are on a known-hostile network

Which is precisely the use case I use a VPN for.

I'd rather trust an at least somewhat trustworthy VPN provider with my data than a random coffee shop and clients who happen to be on the same network at the time.


I feel like that's crazy. There should be no traffic entering or leaving your machine that's not end-to-end encrypted already. Trusting some fly-by-night VPN provider because they buy a lot of YouTube ads is no substitute for proper end-to-end session level encryption.


Simply seeing what servers you connect to can reveal a lot about you. Where you work, what social media accounts you have, what apps you have installed, what you are interested in reading etc. HTTPS doesn't help you with that.


"Don't use VPN services"

then at the bottom: So then, what?

THIS TYPE OF VPN


Which is not a service, but a self-hosted open source solution.


Yeah much better, a server that the user will probably not be talented enough to secure and will forget to patch the OS, libraries or application itself. /s


Analogy: "Don't eat at restaurants if you want to control your food."

"If you for some reason cannot do that, here is a way to set up a food truck"


Analogies are imperfect, but I think the intention was more like "If for some reason you cannot do that, here is a simple meal you can make in your own kitchen."


More importantly, don't do anything private on a networked computer. As the daily breaches show, there is no such thing as computer security in 2019.


This article tries to enumerate the use cases for use of commercial VPN services, but misses out my only use case of these services: evading geoblocks. It seems fallacious to me.


It absolutely ignores government's censorship, though. I use NordVPN simply because I want to access resources that would be otherwise banned for me.


It also ignores that some VPN services have proven their no logging claims in court, multiple times.


A strongly-worded gist, but my sole use case is avoiding DMCA notices. VPN still seems like a good solution for that.


The article is slightly more nuanced... knowing when and why to use a VPN is more accurate. As mentioned near the end of that article, using known or suspected hostile networks, like public WiFi, is a good reason to use a VPN.


Avoiding a locally hostile network by connecting to another, globally hostile network solves a very limited, nuanced set of problems.

Unless you're VPNing to your home or office, these public providers are just asking for trouble. They're too cheap to run well.


Yes, you can run your own VPN... that’s a great solution.

Also, public WiFi attracts low-hanging-fruit sorts of exploits. Incentives for the VPN company, which already makes money, to actively hack and exploit your machine are significantly lower.

It’s not a privacy issue, it’s a security issue.


Exactly. Run your own. I set up and tear down VPNs all the time; it takes about 5 minutes to launch, a minute to tear down via a simple CloudFormation script.



