this post was submitted on 13 Jul 2023
Privacy

Considering my threat model is just preventing my ISP to know which websites I am visiting and to prevent my government (India) from tracking me, do I need to use a VPN?

Currently, I am using a trusted VPN provider with a permanent kill switch and am never off of the VPN. Today, I was reading IVPN's homepage and it says, "A VPN can be effective at encrypting your DNS requests so your ISP or mobile network provider cannot monitor or log the domains you visit." But as far as I know, DNS over HTTPS does encrypt the DNS requests. Right?

I regularly clean my cookies, use hardened browsers, etc. So is a VPN really necessary for me? Or shall I just shift to using Quad9's DoH or something?

Edit - I am using the router provided by the ISP and I cannot change it because I am behind CGNAT. I can use a separate device and install PfSense or OpenWRT or something on it and use that as a firewall. Any suggestions there?

top 22 comments
[–] [email protected] 43 points 1 year ago (2 children)

Without the VPN, your ISP knows you are making a DNS request, but they can't see what domain you are resolving. A moment later, they see the IP that request resolved to, when you request that site. They can see how much encrypted traffic is going back and forth. When they see that the IP address hosts a porn site, and traffic analysis shows you're starting and stopping video streams, they know you're jerking off, but can't figure out your specific fetish.

With a VPN, your ISP only ever sees the VPN's IP address. They know when you are sending and receiving traffic to/from that IP, but they don't know the original source. With traffic analysis, they can probably figure out that you're watching videos, but they probably can't distinguish between YouTube and YouPorn.

[–] [email protected] 8 points 1 year ago

With cloud/edge/CDN, though, they're basically just seeing that you're connecting to a data center, and IPs cycle very frequently, so they're not getting useful information.

[–] [email protected] 3 points 1 year ago

Right. You can easily do a reverse lookup to an IP address and see what hostname it is.

[–] [email protected] 21 points 1 year ago (1 children)

They will see the IP of the site you are visiting if you do not have the VPN. Depending on the site it could be obvious which site it is, if it has dedicated hosting for example.

[–] [email protected] 8 points 1 year ago

Also, looking at it from a different angle, a VPN hides your IP from service providers, which makes it harder for them to track you. In addition to that, a proper VPN will also protect you when connecting to an insecure network, like sketchy public Wi-Fi.

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (1 children)

Just to add a counterpoint to all the comments, my personal policy is: who do you trust more, your ISP or your VPN provider? Most VPNs say they don't track, but they can easily lie about it, and they could easily change their policy overnight. Also, since most require a client installed on your machine, they could easily install a shim and get access to your in-flight encrypted data. If this were a case where you're in a country where you know they're tracking you, absolutely use a VPN that you trust. In the US/EU I just don't see much use for a VPN unless you're trying to get access to geo-blocked content.

[–] [email protected] 1 points 1 year ago

With some VPN services you may or may not help out in a peripheral way. I've seen a bunch of random times over the last year when websites prompt me about being in Ukraine. I'm in the USA. I switch my VPN location at random after clearing my cookies/cache/site settings. It seems to help obfuscate tracking to some degree. I really want to set up an automated randomized VPN on my next router running OpenWRT.

[–] [email protected] 6 points 1 year ago

Whaaaaa?

No, a VPN is NOT just about DNS.

DNS is the starting point, but the main idea is to route your traffic through a central point without logs.

This means that from a network sniffing perspective, I know you're sending data to the VPN endpoint, but the data is encrypted (also an important point about VPNs) and I don't know where it's going at all after that.

Even if I'm sniffing the traffic going out of the VPN endpoint, because there are many people using the same point, while I can see that someone on the VPN was looking up pages on The Pirate Bay looking for the latest movie, I'm unable to match that to a person connected. It could be one of thousands of people browsing with this VPN. So I don't know that it was you looking for the latest Minions movie.

[–] [email protected] 6 points 1 year ago

TL;DR If you don't want your ISP to know the sites you visit you need some sort of proxy (which can be accomplished with a VPN).

There is lots of metadata about your requests. With a proxy your ISP can only see traffic volume. The contents are encrypted and all go to the same IP address. With just volume information it is quite difficult (but not impossible) to determine what sites you are visiting.

Without any sort of proxy the ISP can see a wide variety of additional info:

  1. Which addresses you are connecting to. Can narrow down (and frequently pinpoint) what sites you are visiting.
  2. Domain of most sites you visit (via SNI) (for sites not using encrypted SNI which is most of them).
  3. Full info about unencrypted connections (consider turning on HTTPS only mode in your browser to avoid this).
  4. DNS queries if you aren't using DoH, DoT or similar.

It sounds like you are aware but please remember that while this will be hidden from your ISP it will not be hidden from your VPN provider. You are essentially just shifting trust. Another advantage can be frequently changing your IP to make it harder for websites to track you. If you want to hide from everyone you will need a better solution such as Tor.

[–] [email protected] 6 points 1 year ago (1 children)

Most sites still send the domain name in clear text. You can see it in Wireshark or PCAPdroid. You need a VPN if you don't want your ISP to see the sites you visit.

https://blog.cloudflare.com/encrypted-client-hello/

[–] [email protected] 1 points 1 year ago

This is pretty easy to do with a network tap, but it's a bit of data to capture and search. The SNI header tells a frontend at the IP what site you want. Something like Security Onion sitting on your net is a way to see it yourself.

Email is likely just as much a risk since the host would not only know who you communicate with but the content.

[–] [email protected] 4 points 1 year ago

Only a VPN will mask the SNI from falling into the hands of the ISP. DoH will simply encrypt the contents of the DNS requests (which is nice to have but not the solution to your problem); your ISP will still know you made a DNS request and the IP your request resolved to.

[–] [email protected] 2 points 1 year ago

Encrypted DNS is better than nothing but in terms of privacy it doesn't help much.

[–] [email protected] 2 points 1 year ago (2 children)

How do you access banking apps/websites with always-on VPN and permanent kill switch?

[–] [email protected] 3 points 1 year ago (1 children)

My banking apps and netbanking work just fine regardless of which country I am connected to. UPI (unified payments interface) requires an Indian IP, though. But I can still do everything while connected to my VPN provider.

[–] [email protected] 1 points 1 year ago (1 children)

None of my banking apps work with VPN even with a spoofed Indian IP. UPI works without issue for me as well.

[–] [email protected] 1 points 11 months ago* (last edited 11 months ago) (1 children)

The good ones like Mullvad do not have a server in India. Do you recommend something as good as Mullvad for accessing UPI and streaming video apps?

[–] [email protected] 1 points 11 months ago

I haven't used Mullvad but I do use ProtonVPN. On my Android phone the ICICI banking app doesn't work even while being whitelisted. Prime Video needs to be whitelisted but functions. Didn't find an issue with Netflix. Haven't tested other platforms.

[–] [email protected] 2 points 1 year ago (1 children)

Not OP, but back when I used Surfshark it had the ability to allow bypassing the VPN only for certain programs, IPs or URLs.
I mostly used it to get less latency with online games or getting access to them in the first place, as often I'd encounter login servers that just didn't work through a VPN.

[–] [email protected] 1 points 1 year ago

Thanks! I will look into my VPN client and see if it provides this feature.

[–] [email protected] 1 points 1 year ago

What was all the hubbub years ago about proxies? Didn't they do what VPNs do today? How are they different?

[–] [email protected] 1 points 1 year ago

In your case a VPN makes more sense when you can't really control the router. I like Cloudflare's 1.1.1.1 Warp VPN; it masks my IP and speeds up my connection. If you want to torrent or do other questionable things, something like Mullvad, Proton or IVPN is a better choice.
