
> Some pour thousands of dollars into forcing influencers to say they care about security,

Tangential to this, it always irks me how they all act as if the majority of the websites their users are going to aren't HTTPS, and act like their main benefits are filling in the gaps that HTTPS actually fills in.

HTTPS isn't a cure-all by any means, but most of the scare tactics from the big VPN companies that advertise via YouTube act like anyone will rip your credit card because you happened to be on Amazon while you were at the coffee shop.

Tom Scott is the only person I've ever seen have a great video about this [0]

[0] https://www.youtube.com/watch?v=WVDQEoe6ZWY




> how they all act as if the majority of the websites their users are going to aren't HTTPS and they act like their main benefits are filling in the gaps that HTTPS actually fills in.

I hear most of them saying "Don't want your ISP spying on where you're browsing? Use a VPN." Which HTTPS does not cover.


With HTTPS, ISPs can see _where_ you are browsing, but not _what_ you are browsing. Of course them seeing the top level domain still violates certain aspects of privacy, personally I’d prefer ISPs couldn’t even see that. But it’s not like they are peering into the actual content of what you are browsing.


True, and with the rise of CDNs it's probably even harder to figure out what's happening. But it still gives them more info than is necessary, given they like keeping logs for the powers that be.


Providers, at least in Europe, are much more strongly regulated than “vpN ProVidErs” re: privacy and everything else.


Which can be a bad thing, if you want to access banned websites.


I imagine it's the reputation of the provider that's the main driver, not the regulation.


I’d agree with you about HTTPS providing most of the benefit that VPN advertising focuses on if I hadn’t seen repeated direct evidence that even most technical users will blithely click through HTTPS errors’ “accept the risk” bypass. It’s as if knowledgeable users think “sure, this could be a man in the middle attack, but it’s most likely just a benign cert problem, because certs are hard.” Sigh.


To be frank, that's also because the cause of an HTTPS certificate error ranges from "malicious hijack" to "misconfigured server setup" to "I lapsed the expiry date" to "I am using a self-signed certificate".

The degree to which these should be scary is not equivalent, yet browsers treat all of these as equivalent even though they can distinguish between them on the error page. It just results in click-through fatigue, where technical users ignore the warning because it's not worthwhile to deal with, even when they really should.

Plus a VPN won't protect you from a malicious hijack, it just prevents them from grabbing your IP address.


The reason the browser doesn't differentiate between them is because the end result is the same: the cert doesn't match the browser's trusted store. The battle has been lost on self-signed certs at this point (unless you're an enterprise, at which point bundle them with your image).

The difference between a misconfiguration and a compromise is intention, both should be treated as equally suspicious.


The problems with clicking past those errors are typically not due to network sniffing but with whatever crazy shit is on the page they are going to.

The only two valid use cases of big VPNs like these are

1. Very mild security increase over public wifi
2. Shifting your risk from the ISP spying to Mullvad or the VPN provider spying, or slightly anonymizing if Mullvad rotates IPs.

(2) is a real benefit because ISPs are pretty terrible, but it's still pretty minor in the grand scheme of most people's threat models.


3. You live in a country where your ISP is legally mandated to record all of your browsing history and make it available to the government.

4. You live in a country where certain websites are blocked because the government doesn’t agree with them, or because those websites don’t want to deal with your country.


Those countries probably block VPN services, especially the popular ones which buy all the ads.


There are some countries that block VPNs but there's also many countries that don't. For example, TPB is blocked in the UK by court order but VPNs work just fine.


Certain Russian news websites are DNS blocked in the EU. I haven't heard of anyone having serious issues using a VPN.


Yeah, I hate my ISP. I am certain they sell every bit of data they can. Ergo, I use a VPN most of the time.


I haven't experienced an HTTPS error on a legitimate site that I would input any personal information into in years.

I couldn't imagine clicking past one of those warnings to login to my bank or even amazon.


>if I hadn’t seen repeated direct evidence that even most technical users will blithely click through HTTPS errors’ “accept the risk” bypass

As far as I recall this is not possible on Chrome if you are MITM'd. If the cert presented doesn't match the cert in the HSTS cache, there is no option to bypass. If the server's cert is expired, then you do indeed see the option, but an expired certificate doesn't necessarily mean danger.


It is possible to bypass. Just more difficult.



