wintermutestwin · 3 years ago
When the topic of VPN comes up, there are often posts which criticize the use of a VPN for the use case of privacy. These posts are often absolutist in nature and fail to address specific threat models. Of course a VPN isn't going to protect your privacy from state level actors - I doubt that it is possible anyway.

Why I use a VPN:

1. I don't want many of the sites I browse to know my IP.

2. My US ISP corrupted my government to allow them to steal my data. I don't know if I can trust my VPN provider, but I know for certain that I can't trust my thieving ISP.

3. I frequently connect through untrustworthy networks when traveling. Yes, SSL helps, but going through a VPN is an added layer of abstraction.

I am not a network security expert, so criticism of these three use cases is highly welcome.

s_dev · 3 years ago
All of this can be achieved through a personal VPN rather than a commercial subscription one by ssh -D whateverPort user@ip_address and setting up a SOCKS proxy in Firefox on that same port.

>there are often posts which criticize the use of a VPN

Often they specifically critique the likes of NordVPN etc. The off-the-shelf solutions rather than personally set up VPNs. What disgusts me is that they charge fees that are multiples of what it costs to run a basic Linode or DO Droplet for a month and a virtual machine is far more useful than a commercial VPN.
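
Added example, not part of s_dev's comment: the `ssh -D` tunnel mentioned above, together with the Firefox preferences that point the browser at it and a check that DNS lookups also go through the tunnel. The port, `user@ip_address` and the prefs file path are placeholders; the function names are made up for this example.

```bash
#!/usr/bin/env bash
# Added example: helpers for the "ssh -D + Firefox SOCKS proxy" setup.
# Port, login and file paths are placeholders chosen by the caller.

# Print the ssh command for a SOCKS listener bound to loopback only.
# -N: run no remote command, -D: dynamic (SOCKS) port forwarding.
tunnel_cmd() {
  printf 'ssh -N -D 127.0.0.1:%s %s\n' "$1" "$2"
}

# Emit user.js lines that send Firefox traffic to the tunnel on port $1.
# socks_remote_dns=true makes Firefox resolve hostnames through the proxy;
# without it, lookups still go to the resolver of the local network.
socks_prefs() {
  cat <<EOF
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", $1);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.socks_remote_dns", true);
EOF
}

# Audit a prefs file ($1) against the expected port ($2).
# Prints one finding per line and returns 1 if anything is off.
audit_prefs() {
  bad=0
  grep -qF '"network.proxy.type", 1)' "$1" ||
    { echo "proxy type is not manual"; bad=1; }
  grep -qF "\"network.proxy.socks_port\", $2)" "$1" ||
    { echo "SOCKS port does not match $2"; bad=1; }
  grep -qF '"network.proxy.socks_remote_dns", true)' "$1" ||
    { echo "DNS is resolved locally (leak)"; bad=1; }
  return $bad
}
```

Running `socks_prefs 1080 >> user.js` in the Firefox profile directory and then the command printed by `tunnel_cmd 1080 user@ip_address` gives the setup described in the comment.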

TechBro8615 · 3 years ago
I agree with this completely. However, in this particular instance, I could make an argument for using – or at least subscribing to – Mozilla VPN simply as a method of supporting the organization. It's vital that Mozilla maintains a strong engineering force counteracting monopolies who push loss-leading products to capture markets like web browsing and email.

You don't have to even use it, but every dollar of revenue that Mozilla can attribute to their privacy products and services means one less dollar is needed from their hostage deal with Google.

iceburgcrm · 3 years ago
A basic droplet is $5; this is $7, plus it gives you email relay.

If you already have a droplet unused, sure, but otherwise being able to change IP in different countries adds some additional value for 2 dollars more.

Chiron1991 · 3 years ago
That's the premium you pay for not having to deal with hosting and configuration. There are plenty of people - even in the tech community - who lack the knowledge to handle this themselves.
GauntletWizard · 3 years ago
A personal VPN hides my "True IP", but it doesn't mix my traffic with thousands of others and shift that ip randomly over a few days.

That's the great, albeit unfortunate, value of retail VPNs; other people are using them and your traffic is mixed with theirs. Being a totally anonymous but unique individual is less valuable in today's marketing morass than being one of many in a VPN's IP space.

AtNightWeCode · 3 years ago
The one and only thing a VPN does is that it switches your IP to another. It has absolutely nothing to do with privacy or security. An IP-address is just a single metric among hundreds that are used on the web to track users. IPs are also typically not equal to a user. It is common that an IP is a set of users and IPs often change when it comes to consumer ISPs. VPN makes sense in TCP-scenarios like Bittorrent but for web it is pretty much useless in itself.
jasec57322 · 3 years ago
You are incorrect.

If you use any currently standard protocol such as WireGuard, OpenVPN, IPsec with Suite-B ciphers you are getting 'enhanced-privacy'* from eavesdroppers on your local network, which eliminates a lot of low-tier/easy MiTM attacks.

A two-layer/double tunnel is pretty-good for mitigating against most commercial data collection by eavesdroppers. (Though your tunnel-exit/last-VPN-hop, (varying by client-destination protocol), and the destination IPs/sites will still be able to collect data of course).

*Consider privacy a vector. Suite-B ciphers are not perfect, let alone their freely-available implementations.

autotune · 3 years ago
My primary use case for a VPN is staying relatively secure while connected to wifi in a coffee shop. Maybe I am just basic though.
badrabbit · 3 years ago
I have had this argument too many times. It is a combination of cargo-culting and a flawed understanding of basic security principles.

I use paid VPN services a lot as well as Cloudflare WARP. I understand and accept the risks the anti-VPN crowd keeps repeating. In the US, your local ISP and, like you pointed out, sites that sell and mine info about you are much higher risk of compromising your privacy or posing a security risk.

My traffic enters hostile network territory once it is delivered to my ISP router or the remote end of a VPN tunnel. Take NordVPN for example, I don't use them but it is more difficult but still possible for law enforcement or surveillance/ad companies to coerce or collude with Nord than with site owners and ISPs. TLS metadata including timestamp, SNI and other details along with my IP are known to Nord. To my ISP, they know my current location, usually social security number, birthday and whatever info their router can gather is known to them. Sites I visit without a VPN have my IP, user-agent and whatever they collect with JS. A VPN removes the IP collection by sites and traffic sniffing by ISPs that can and do sell to whoever can pay them a fee.

VPN providers pose a significantly reduced risk than ISPs and they reduce risk from sites you visit. If you research a VPN provider and pick ones that have the most to lose by working against your interest, you reduce the risk even further.

Setting up a VPS and maintaining it is a hard dealbreaker for me since I don't have the time and even if I did there is a shit-ton of more productive things I would rather do. But even if that is the case, which VPS provider should I trust more than a VPN provider? DigitalOcean or cloud providers?

You know, a few months ago I needed to set up a VPS fast, I must have tried 5+ including DO and OVH. They needed to collect my email, some of them were picky about what card I used, others like DO wanted my phone to be valid, it was crazy! Only one weird VPS provider let me but they didn't provision it after waiting a while. OVH wanted more info back and forth, eventually after a few days supposedly they let me have a VPS but I no longer needed it after wasting money at so many places. Whether for anti-abuse reasons or anti-privacy, VPS providers these days are hostile, they need too much info from you so how can you trust them with all your traffic?

Mullvad, PIA and Proton along with many others let you sign up with cash or gift cards and you can use a fake name/address. The only info they have is TLS SNI/metadata and your IP. They purposely get the least amount of identifying information from you.

I said cargo-culting because the people that oppose VPNs had some setup work for them and they think that and only that is ideal.

I see extremely talented security folk say that and similar cargo-culting on other subjects like how you shouldn't have an AV/EDR or just use only mac and Linux if you want to be secure lol.

silasb · 3 years ago
It'd be interesting if Mozilla offered an iCloud-like solution. Obviously, they wouldn't have the tight integration compared to Apple on mobile or desktop. They'd also need a really compelling use case that Apple can't offer.
leokennis · 3 years ago
If you compete with iCloud and Google you'll always be a niche player.

But I think if a brand name like Mozilla would offer a standards based "internet suite" (think: mail and notes over IMAP, file cloud over WebDAV, calendars and todo's over CalDAV, VPN over WireGuard etc. so basically your online stuff without the proprietary device-locked walled garden implementation) it could become at least a sustainable business for people who:

- Care about not being locked in

- Do not want the hassle of self hosting

- Feel less comfortable about using a non-brandname NextCloud provider

iam-TJ · 3 years ago
Internet Suite - that'd be rather like going full circle to the 1990s and Netscape Communicator Suite [0]!

[0] https://en.wikipedia.org/wiki/Netscape_Communicator

wtmt · 3 years ago
> We currently offer Mozilla VPN in Austria, Belgium, Canada, Finland, France, Germany, Ireland, Italy, Malaysia, the Netherlands, New Zealand, Singapore, Spain, Sweden, Switzerland, the UK, and the US.

This list really needs to expand a lot more, and quicker. Mozilla is “literally” leaving money on the table by not serving many other countries. The market size may not be as big, but there is the Mozilla brand name recognition among people who work in tech and there are people who’d like to support Mozilla Corporation directly.

blacksmith_tb · 3 years ago
There are other options for that too, like paying for MDN[1].

1: https://developer.mozilla.org/en-US/plus#subscribe

Kukumber · 3 years ago
> its virtual private network (VPN)

it's not theirs, it's Mullvad's

https://mullvad.net/en/help/partnerships-and-resellers/

tyingq · 3 years ago
True, though the Mozilla client is their own, and seems to be somewhat customized, like using only WireGuard.
Kukumber · 3 years ago
they can reskin what they want, the press still spreads incorrect information
deafpolygon · 3 years ago
Is that bad, or good?
Kukumber · 3 years ago
Mullvad makes sure you are totally anonymous, from the payment system to using their servers

Mozilla is a 3rd party with their own account system and payment system, that means you are traceable, you need to register with Mozilla

Mullvad doesn't have any account system, and you can pay using cash

is it good, is it bad? it's up to you to decide based on the provided information

systems · 3 years ago
for Mozilla neither, for Mullvad probably good, i think many trust the Mozilla brand more than Mullvad

Mullvad is an average VPN provider

also it's important to note that many question that VPNs provide any security at all, i think for the 7 dollars you pay, their email relay and phone masking seem like the more interesting feature and value

Hates_ · 3 years ago
What is the best way to support Mozilla/Firefox? I'm happy to sign up for this if it is the best way to contribute to the longevity of the product I use more than anything else.
probably_wrong · 3 years ago
My poorly informed understanding is that they are not interchangeable.

The Mozilla Foundation exists to support internet freedom. Firefox is a means to that end, but if they fired every Firefox developer and replaced them with a skin on top of Chrome that wouldn't be against Mozilla's goals.

Which means: if you want to support Mozilla you should sign up for this and some of that money will trickle down to Firefox. If you want to support Firefox then you should convince people to use it more.

Cyberdog · 3 years ago
Whatever the default search engine currently is, don't change it. Moz earns a kickback every time you use it.

It's probably still Google and I generally encourage people to get weaned off the Google product teat as much as possible, but that search engine integration is how Moz makes most of their money from what I understand.

aorth · 3 years ago
I've been a happy Relay customer since it was introduced. There's nothing worse than getting on an email list and having no way to get off! I'm happy to support Mozilla via Relay, and the service is useful!

For VPN, I'm already paying for Mullvad, not sure this bundling helps me. Curious to see if it takes off.

politelemon · 3 years ago
Also note that the Firefox Relay feature doesn't support custom domains, it supports custom subdomains only; it has some misleading documentation around this topic.