Realistically, these things are mainly used to pirate and break the ToS of various websites ("Netflix from other countries", "buy games at cheaper rates"). With ISPs in some countries selling their customers' browsing data to advertisers, I don't think these shady VPN companies are much worse than not using them for a shockingly large amount of people.
Mullvad seems to come out pretty clean whenever these shady VPN providers show up on the news again. Being able to use them by just transferring some crypto to the right address without even needing to enter a username or email address seems pretty good. If you ever forget your account number, you're out of a month's worth of service at most and can just generate a new account when needed. It's the only commercial VPN I put a moderate amount of trust in, even though I've never used their service.
I see these posts, and my gut feeling is that Mullvad is probably fairly trustworthy at this moment in time, but the more word of their service spreads the more likely I would assume it is that they get approached by the type of government representatives you don’t say no to.
(I.e. I assume success to be a death knell for a service like this.)
I’m not a customer, but I’ve considered it from a privacy perspective (in that I could just route general browsing through it to block a layer of data harvesting). The problem is that I don’t know what authority they have to push back if pushed by the right actor (who inevitably will knock on the door at some point).
This is why privacy is a one-way circuit breaker kind of system. Once you give your privacy away, you can never assume anything about how your data is used. No matter the entity, you simply cannot trust that they will hold your data secure and use it in your best interests. Even Apple, hell even Signal, has leaky bits and "side channels" that can, and you must assume will, be subverted.
VPN services are well off the mark in terms of privacy protection. That the ~~marketing~~ propaganda is so focused on the opposite is an abomination.
> TLDR: The old maintainer appears to have sold the extension to parties unknown, who have malicious intent to exploit the users of this extension in advertising fraud, tracking, and more. In v7.1.8 of the extension (published to the web store but NOT to GitHub), arbitrary code was executed from a remote server, which appeared to be used to commit a variety of tracking and fraud actions. After Microsoft removed it from Edge for malware, v7.1.9 was created without this code: that has been the code distributed by the web store since November, and it does not appear to load the compromised script. However, the malicious maintainer remains in control, however, and can introduce an update at any time. It further appears that, while v7.1.9 was what was listed on the store, those who had the hostile v7.1.8 installed did NOT automatically receive the malware-removing update, and continued running the hostile code until Google force-disabled the extension.
>I see these posts, and my gut feeling is that Mullvad is probably fairly trustworthy at this moment in time, but the more word of their service spreads the more likely I would assume it is that they get approached by the type of government representatives you don’t say no to.
AFAIK (IANAL etc.) for that to happen several changes to Swedish laws would be required. And the follow up question would be what those demands possibly would be? And of course Mullvad's technical ability to comply?
For some comparison, you could look at the Swedish ISP Bahnhof, which quite publicly fights against the Swedish implementation of the data retention and requests by Swedish authorities. Repeatedly getting Sweden slapped by the EG court. (Which could also be compared with how Signal responds to requests for information about their users which they don't collect.)
There are (again AFAIK, IANAL) no NSL like laws in Sweden.
I use VPN services because my ISPs routing has a strange habit of going the wrong way around the globe and making mystery detours through the US. Picking a good point in-between helps to get on less congested paths.
I had this problem trying to do online gaming on Frontier. Their routing was both atrocious and mysterious. Using a VPN to get off their network ASAP made games playable.
What makes you think a more expensive ISP will go against their interests and refuse to maximize their profits by selling access to information that they are legally allowed to share? Are there expensive "privacy"-branded ISPs I'm not aware of?
True that. IIRC Mullvad was literally the world’s largest Wireguard deployment until Cloudflare did Warp. Just because people haven’t heard of it doesn’t mean it’s small. They just don’t advertise on shitty podcasts, so it doesn’t have the same brand recognition.
Mullvad isn't small, and I'm not sure how Nord specifically compares, but its probaubly worth noting they mostly use 100TB, Tzulo, Quadranet, M247, and 31173. They use a bunch of others but not much.
Mullvad for obvious reasons is used for less... wonderful usecases. It's not uncommon for websites to block you due to abuse from that exit. ASN blocking is rather common with mullvad too though that's less avoidable.
I have less info on Nord, although I can see it has about 4x the ip's. No idea if they are more diverse network wise. Their accepted payment methods suck though.
I saw NordVPN ads in German TV. At this point I would say they invest all of their money into marketing - my reason for never ever buying their product. I haven't had any issues in terms of blocking on mullvad but my sample size is small since I don't change the servers that often.
Yeah my impression is they're all marketing and care relatively little about privacy. How you can claim to care about privacy but still require an email is beyond me.
PIA has proven in court multiple times that they don't log. Everyone in this post worrying about Kape is probably not using their vpns for anything illegal in their jurisdiction, and are just obsessed with "privacy"
Wonder whether the government of India makes any demarcation between corporate VPN or personal VPNs? Or is it just consumer VPN services that need to comply.
Everything from cloud vendors, ZScaler, Cisco AnyConnect are technically offering access to private networks with a mix of public internet &/or intranet
> Data Centres, Virtual Private Server (VPS) providers, Cloud Service
providers and Virtual Private Network Service (VPN Service) providers,
shall be required to register the following accurate information
which must be maintained by them for a period of 5 years or longer
duration as mandated by the law after any cancellation or withdrawal of
the registration as the case may be:
> a. Validated names of subscribers/customers hiring the services
> b. Period of hire including dates
> c. IPs allotted to / being used by the members
> d. Email address and IP address and time stamp used at the time of registration / on-boarding
> e. Purpose for hiring services
> f. Validated address and contact numbers
> g. Ownership pattern of the subscribers / customers hiring services
Seems to me like it would target all of them. But I just searched for "VPN", didn't read the full document yet.
I use a VPN service specifically to get around region locking. ExpressVPN has been pretty good in this regard though lately Netflix has stopped working.
When I'm in a hotel or otherwise need to use a local wifi I use the VPN client to connect back to one of my own machines, not that I care a lot if Kape can see my traffic.
The law that they’re talking about also mandates cloud and server providers to maintain IP allocation histories and validate customer identities by way of KYCs.
The actual order targets both VPS and VPN providers, here's the excerpt:
> Data Centres, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers, shall be required to register the following accurate information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be:
> a. Validated names of subscribers/customers hiring the services
> b. Period of hire including dates
> c. IPs allotted to / being used by the members
> d. Email address and IP address and time stamp used at the time of registration / on-boarding
> e. Purpose for hiring services
> f. Validated address and contact numbers
> g. Ownership pattern of the subscribers / customers hiring services
The law includes data request for owner and IP of VPSes too. So maybe no logs but the IP address and the VPS will be tied to your real identity anyway so no improvement
Do you really think you operate the VPS host box in a foreign country? And you really think a foreign government doesn't have sovereignty over their own soil?
I got some for you:
- principles, and going as far as extending freedom even if you personally already benefit from it
- civil desobedience is a thing, even though some stances are questionable.
And, I thought the debate for more needs of privacy, and given the threats have been proven to even come from governments (snowden/NSA, pegasus), was settled, visibly it isn't if even on HN such argument is given in the context of such a clear subject. The overstepping body there is the government, not the busines imo.
I'm not very clued in about this but I had a question.
I'm not sure about the privacy angle but if you spin up a node on a cloud provider, install a VPN on it, do your thing and then destroy it, wouldn't it serve just as well as any of these? Apart from the technical complexity of this, how different is it from using a commercial VPN provider?
You lose anonymity. Your cloud provider would have all your details and most certainly have a log of all IPs used by you. If someone came looking for an IP, they would trace it back to you.
Suppose a GoI website is geo-blocked such that only the citizens of India can access it.
Now that a global vpn company has removed its servers out of India, does it mean its customers (while using that vpn service) is blocked from accessing the said website?
They'll register (or purchase) IP address blocks that are marked as Indian in the various GeoIP databases, then assign those IP addresses to servers hosted outside India.
> With virtual locations, the registered IP address matches the country you have chosen to connect to, while the server is physically located in another country.
How does this work then? How can you have a Indian IP address, while the server is located in the UK?
Fake WHOIS records, you can typically populate anything there. Some geolocation providers blindly trust the values that you put in there (for example, Maxmind); others do triangulation based on trace routes and ping times to deduce if the advertised location is actually correct (ipinfo, DB-IP).
They must control ranges of "indian" IP addresses but announce BGP routes for them in Singapore and the UK. GeoIP says India, BGP takes you somewhere else. Easy peasy
not true -- your prefix location is a BGP tag which is appended based on where you're physically connected (which T1 carriers will do). Obviously you can get around it with an overlay network but you'll need some trivial PoP in India.
interesting that they're having so much success with false RIPE/ARIN entries. Proper geolocation (as in with visiblity of most T1s) would trivially identify the origin of traffic.
How does Geo-location from IP work anyway? From my knowledge it's just figuring out the ISP the IP-block is assigned to, and finding out the address of the ISP. But technically a computer anywhere in the world can have any IP? Or since I don't know anything about routing: are there routing rules that would think "This is an Indian IP, I'm going to forward this data towards India"?
Any computer can't have any IP, but the routing rules have nothing to do with physical location. Routers advertise to their neighbors the IP block(s) that they serve.
As a super high level example, your ISP's core router would advertise to other ISP's routers that it serves 10.123.x.x IPs, so any IP address in that block gets sent to that router. Then within your ISP, the router in your area would advertise that it serves 10.123.45.x, so it receives packets for IPs in that more specific block from the core router. So your IP would have to be within the 10.123.45.x block, because that's what the router serving you is assigned.
I think it goes deeper than that. Even here in the UK with its heavily centralized PoPs it's possible for geolocation tools to narrow a consumer down to a specific town (my cable connection tends to get geolocated to a big town 20 miles from me though) so I assume databases of locations of PoPs are maintained somewhere too.
There isn't a standard way to do this, and all depends on people using random "Geo IP" databases. Most of these databases are made using a variety of sources, though primarily the easiest is to see what ASN the IP address belongs to, and then you just put all those IPs as belonging to that ISPs country. This covers 90% of the domestic users. What ExpressVPN has to do is, simply convince one of these ASNs to allow announcing a IP block from them on BGP, and that will work until some GeoIP database finds out and changes the country for whatever IP block ExpressVPN got.
In some cases, traceroutes from different locations around the world can be used to roughly triangulate the location. Though you may find the datacenter to be inside of earth if the IP is actively being used for unicast :)
Cross reference with billing address? Your ISP knows where you live, and what IP you have. Do you trust them not to sell that data?
Any delivery of anything on your phone at least goes to a nearby cell tower but probably exits on your IP from your wifi, and has your address as a requirement. Seems very easy.
Uber Eats, Doordash, etc all know the address of your ip as a requirement to perform their services.
ExpressVPN does this a lot for their "European" servers. If you ping them it ends up in the UK (as far as I can tell), even for their countries like Serbia and Montenegro
> Rest assured, our users will still be able to connect to VPN servers that will give them Indian IP addresses and allow them to access the internet as if they were located in India. These “virtual” India servers will instead be physically located in Singapore and the UK.
Wondering why anyone is still using ip-based geolocation. The most popular use for VPN's is mocking your location to Steam and Netflix. Could be these players allow mock locations because it gives them revenue..
It seems pretty clear to me at least for the Netflix case.
- Content providers care because they want to sell exclusive per-region licenses.
- Netflix doesn't really care, in fact the may benefit from more content available to their users.
The end result is that Netflix will do the bare minimum to keep the content providers satisfied.
Steam is more of a concern because they have different prices per region. But IIRC they use your billing address, not your IP location which is harder to spoof.
That is also true for Netflix and they do care. Indian monthty subscription is much lower priced and starts ~2$ than U.S. that costs like $20[1]
Geolocation is largely a feature in products and in licensing because there is big purchasing power difference between rich and poor countries.
Netflix has been more tolerant in the past of region bypass than others for the same reason they didn't crackdown on password sharing but won't be in the future.
[1] The actual prices we pay might vary in both countries depending on promotion and tie ups etc, but these are list prices of which those components would be applied.
Would getting the cheaper subscription not require the user to have a valid mode of payment that can be attributed to India? I do not understand how credit cards work, but I suppose the company probably can atleast obtain the card holder's country?
They could also easily block known VPN IP ranges (they don't). Netflix generally is not (yet) user unfriendly.
There are myriad ways of buying a subscription, including gift cards, third party tie-ups etc, it won't be easy to implement a fool proof solution which works for all of them, especially without degrading user experience.
It is more likely that problem is not big enough for Netflix that it wasn't worth investing that kind of effort.
Similar to how they are handling password sharing now, it is perhaps possible they will look into this in the future as margins tighten and pressure increases as they keep loosing subscribers to competition.
Cat and mouse game seem to be nowhere near its end. And totally agree, businesses will happily play it forever.
Why geo ip? Naivety/ignorance coupled with the outdated business logic that segmenting audiences to skim customers to the max will continue to be the winning strategy. It rarely come from within IT brainstorming, those in denial or sticking to short sighted green are the business strategists also being vaguely sold that controlling can be done (and to some degree yes it can be so long as consumers bases don't in their majority adopt privacy measures and moan when being unlegitimately denied access)
On the more forgiving side, it does help easily monitor kiddy attacks altogether, if there is no market in Takjistan, why bother looking at false vs true positives coming from there, dumb scripts are dumb but can still be costly for the network management team.
> Wondering why anyone is still using ip-based geolocation
I don't think there's a reasonable alternative. If you ask users for their location they can just lie, if you use the JS geolocation API they can trivially deny or spoof it. If you base it on billing address you're locking out people who are traveling, which seems unwanted (especially for long-term travel).
So instead they end up playing a cat and mouse game to try to block VPNs.
> Not only is it our policy that we would not accept logging, but we have also specifically designed our VPN servers to not be able to log, including by running in RAM.
Do people really believe this bullshit? Empty claims of servers running "in memory" as a meaningful defense against surveillance?
Going diskless is not a complete defense (nothing is), but it still helps against certain attack vectors. Borrowing from Mullvad's blog post on the topic[1]:
- If the computer is powered off, moved or confiscated, there is no data to retrieve.
- Running the system in RAM does not prevent the possibility of logging. It does however minimise the risk of accidentally storing something that can later be retrieved.
But VPNs already promise not to log anything, so running in RAM makes about as much sense as "double encryption" (actually I think some VPNs do offer such a thing, and people are gullible enough to accept it).
Non-persistence of any data is a positive in terms of data at rest, how is that not a defense against surveillance? Regardless of the fact that it's not verifiable, assuming it were true, would it not be a good thing?
How is an anonymous, non-attributable, non-verifiable statement, from a company trying to sell you a product, worth anything? Why assume it's true when it is so contrary to even basic common sense, for anyone who has ever stood up a LAMP stack?
I don't mean to assume it's true to validate their advertising. For the sake of argument, if a server uses only a RAM disk, is that an improvement over having disks? Of course a network can still have sneaky equipment in between but that is still possible without RAM disks, so is it not beneficial to have a RAM disk?
Please note that I am not arguing in favor of their advertising or to say that it is successfully avoiding surveillance. But, do you believe that no-disk boot, assuming it actually takes place, is a positive thing, or not?
I admit I misconstrued your original comment to be a criticism of the technology rather than the fact that this VPN company advertises as such. Nonetheless I do think no-disk-boot is not useless as a technology and if you have any disagreement I would love to hear it, as someone who uses a VPN (not expressVPN) that says they use the same setup.
It depends entirely on the threat model. If three-letter agencies are the adversary, moving logging to RAM is unlikely to be a meaningful deterrent - they probably already have a root shell or direct access to the VM hypervisor. So if it doesn't protect against nation states, whom are we defending against? Another law enforcement agency raiding the server room and taking hard drives? But I thought ExpressVPN doesn't log anything, so why would that matter? Let's just be real and practical about what problem this is actually purported to solve, else we should call it theater because it's what it is.
Because it's pretty easy to set up a ready only server that runs off read only storage and that doesn't include any writable storage. The fact that it could be done doesn't really require extreme proof. They could still be lying but it's not a hard or unusual thing to do.
these claims aren't necessarily empty, but pointless because ISPs still log everything, as they're required by law pretty much everywhere. it would require a bit more digging to through, but the data is still there - even with some clever routing with on-premise equipment, there's still more than enough data to deduce which inbound connection corresponds to which outbound connection
if your threat model is three letters agencies, vpns and tor are a fig leaf
I agree a VPN won't help against a three letter agency. But it will help against an ISP, who has a legal right to sell your browsing data in the US.
This is one of the use cases for why you might want a VPN, if you trust a VPN company more than your ISP.
A VPN is just paying for putting your trust in a VPN brand rather than an ISP brand. I don't see why that's such an offensive business to so many HN users.
> I don't see why that's such an offensive business to so many HN users.
Because the assertion VPNs - apparently unlike every other ISP - do not log or monetize your data is simply laughable, especially as so many are based in third-world countries, set up by shell entities and have almost no accountability for any of their claims.
Their entire business model is premised on the fact that they don't. If they ever were found to be, their hundred million dollar businesses (expressvpn) would vanish.
When express has their servers seized in turkey, there was no usable data on them.
I know you are super paranoid, but that still doesn't make my point wrong, or using a VPN wrong. Again, if you trust a vpn more than your ISP, that's pretty legitimate in many countries.
I'm as generally skeptical as anyone, but I think you've seen that it's essentially impossible to rationally debate with someone who believes in a conspiracy to the point that evidence against it can just be dismissed as part of the conspiracy itself. It's frustrating.
I certainly wouldn't trust my life to an unaudited VPN, but I think your two main points are pretty compelling -- 1) the business model is of large VPN companies is based on trust. They have very explicit, business interest in not violating that trust. 2) in one case we know of, when seized, the servers didn't have actionable information on them.
Does that mean every VPN company is trustworthy? Of course not. Does it mean that things could change at any time? Of course.
Microsoft used to crow about this stuff a lot of with respect to O365. I remember getting a dirty look when I laughed at the rep.
Their services terminate TLS locally for most tiers of service (Even with the “Government Community Cloud”), so you need to be careful and use VPNs in any scenario where a foreign interest may be interested in what your employees are up to.
https://www.cnet.com/tech/services-and-software/what-is-kape...
https://www.reuters.com/technology/kape-technologies-buys-ex...