Recommend we stop using Spankbang and Pornhub

As a cybersecurity engineer, I would consider this paranoia.
You can use a VPN. Hell, if you know how, spin one up for yourself somewhere.

You should however research what VPN provider you want.
Proxies are literally just VPNs for HTTP traffic. Not using a VPN means your ISP will see your DNS, which you don’t want.

Stop spouting “I know tech BS”
VPNs are fine. Just pick one you trust. If you can’t trust any of them, then spin one up on your own.

Don’t leave your VPN on all the time. You shouldn’t 100% trust any VPN provider; they are like 20% right in not trusting VPNs. Turn it on when you don’t want traffic tied to your identity.

I personally use Surfshark, but only occasionally when I actually need a VPN. I’m not vouching for Surfshark; they’re not private, no VPN is. It just prevents specific people I don’t want to see it’s me doing things.


So true. I think Steve Jobs said something like “If the product is free then you are the product.”

Sadly these days it’s obsolete, since even if you pay you are often still the product. User data is valuable.

Easy solution… for everyone… we all stop masturbating and convert to nuns… church is free compared to a VPN… and easier to set up than a proxy! Let’s pray for our souls instead!..

…I choose death!

That’s exactly the point I usually make: do NOT use commercial VPNs, because you can never be sure they don’t log, so it’s safer to assume that they all log everything. As a result it’s usually safer to simply use a proxy for web traffic only and let the normal traffic be routed normally instead of letting everything go through a company that acts like a black box.

I personally use a VPN, but it’s my own servers that host it, so I know what goes through it and I know that nothing is logged. I don’t use it for the stupid reasons mentioned in advertising but for routing traffic through my home firewall and LAN/DNS/NAT to filter traffic. This is a valid use of a VPN.

You call me paranoid; I personally take it as a compliment. Being paranoid while working with networks is much better than being unaware of potential dangers; I’d rather be too careful than not enough. And I recommend everyone on the net to be paranoid, because nobody (especially companies) wants your safety and well-being when they can get easy money by doing things you won’t even notice.

In such a context as OP mentioned, a proxy does exactly what is needed to circumvent IP blocking/filtering from websites. A VPN can do that too, but it’s overkill and can lead to more safety issues, while a proxy does exactly what is needed for such a job, and it’s much safer.

Always use the right tool for the right job: you can use a hammer to open a nut, but you can also use a nutcracker, which is designed for such a job. That doesn’t mean the hammer won’t work, but you have a much higher chance of having a problem if you use the hammer than the nutcracker.

Also, about this:

Proxies are literally just VPNs for HTTP traffic. Not using a VPN means your ISP will see your DNS, which you don’t want.

Just use DNS over HTTPS.
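The lookup the two posts above are arguing about, as an added example that is not part of any post in this thread: what a DNS-over-HTTPS query actually carries. The code builds the RFC 8484 GET form of a query (the DNS message base64url-encoded, padding stripped, in the `dns=` parameter), parses a constructed resolver answer including a compressed name pointer, and so shows that the only thing on the wire to the resolver is an HTTPS request. The resolver URL `https://dns.example/dns-query`, the `build_response` helper and the address it returns are assumptions for the offline demo; no network traffic is sent.

```python
import base64
import struct

# Assumed resolver endpoint for the illustration (no request is ever sent to it).
RESOLVER = "https://dns.example/dns-query"


def encode_name(name):
    """Wire-format a hostname as length-prefixed labels followed by the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=1):
    """DNS query message: ID 0 (as RFC 8484 suggests for cache-friendliness), RD set, one question."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(query, resolver=RESOLVER):
    """RFC 8484 GET form: base64url without '=' padding in the dns= parameter."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver}?dns={b64}"


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just past it in the original stream)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # 2-byte compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), end


def parse_response(msg):
    """Return (id, rcode, [(name, type, ttl, rdata_text)]) for the answer section."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1:                                  # A
            text = ".".join(str(b) for b in rdata)
        elif rtype == 28:                               # AAAA
            text = ":".join(f"{rdata[i] << 8 | rdata[i + 1]:x}" for i in range(0, 16, 2))
        else:
            text = rdata.hex()
        answers.append((name, rtype, ttl, text))
    return qid, flags & 0xF, answers


def build_response(query, addr, ttl=300):
    """Constructed stand-in for a resolver's answer to `query`: one A record, name via pointer to offset 12."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA; rcode 0
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(x) for x in addr.split("."))
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(doh_get_url(q))
    print(parse_response(build_response(q, "93.184.216.34")))
```

The query for `www.example.com` encodes to exactly the `dns=` value given in RFC 8484 section 4.1.1, which is a handy check that the wire format is right; the resolver never learns anything from the URL that the HTTPS session does not already protect.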

I hate to tell you this, but you are not smarter than the people who design VPN protocols. Neither am I, for that matter. But I do audit them, and have very intimate knowledge of how they work.

  1. An HTTP proxy and DNS over HTTPS are not enough.
    In order to establish a TLS session to encrypt your DNS you need to pass a handshake, which means your initial request is going to be unencrypted. There is nothing preventing a MITM attack against your DNS request, and your ISP likely already does this when using 1.1.1.1, for example. The same vulnerability lies inside encrypted email when establishing Secure SMTP. Don’t use STARTTLS, because step-down attacks can force your server to talk unencrypted. Use Explicit TLS.

  2. Proxies and TLS are layer 3 protocols, meaning it’s easy for your OS to fuck up your routing tables and send everything unencrypted. Most people have no clue what they are doing. VPNs are both easier to use and serve the same purpose.

  3. I forgot to mention client-side attacks like revealing your IP by simply using an API request to api.ipify.org or another to bypass the proxy. This can be done with a myriad of protocols.

The issue with proxies is they only handle 1 protocol.
VPNs handle all of them because they operate on layer 2.

I am going to make a post about how VPNs work so I can inform everyone on how these work, they can make their own decisions. I will also include my own recommendations to satisfy everyone.
Here’s the post: https://discuss.eroscripts.com/t/should-i-use-a-vpn

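An added example, not part of any post in this thread, that makes point 3 of the post above concrete offline: an HTTP proxy only covers the clients that ask to use it, and any program that opens its own socket reaches the site directly and reveals its real source address. Two loopback HTTP servers stand in for “the proxy” and “the website”; both servers, the `/video` and `/telemetry` paths, and the recorded request lists are constructed for the demo. The stand-in proxy records what it receives instead of forwarding it, so whatever the site records can only have arrived directly.

```python
import http.server
import os
import socket
import threading
import urllib.request


class RecordingHandler(http.server.BaseHTTPRequestHandler):
    """Serves both roles: records (client address, request target) and answers 200."""

    def do_GET(self):
        # A proxy-aware client sends an absolute URI; a direct client sends a bare path.
        self.server.seen.append((self.client_address[0], self.path))
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Constructed loopback server on an ephemeral port, running in a daemon thread."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), RecordingHandler)
    srv.seen = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_via_proxy(url, proxy_port):
    """Proxy-aware client: urllib honours the configured HTTP proxy."""
    # Clear no_proxy so urllib does not exempt 127.0.0.1 on hosts that set it.
    os.environ.pop("no_proxy", None)
    os.environ.pop("NO_PROXY", None)
    handler = urllib.request.ProxyHandler({"http": f"http://127.0.0.1:{proxy_port}"})
    opener = urllib.request.build_opener(handler)
    with opener.open(url, timeout=5) as resp:
        return resp.read()


def fetch_direct(host, port, path):
    """Proxy-unaware client: any program that opens its own TCP socket ignores proxy settings."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}:{port}\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(request)
        data = b""
        while chunk := s.recv(4096):
            data += chunk
    return data.split(b"\r\n\r\n", 1)[1]


def run_demo():
    """Returns which request targets the proxy saw and which the site saw directly."""
    proxy, site = start_server(), start_server()
    proxy_port, site_port = proxy.server_address[1], site.server_address[1]
    try:
        fetch_via_proxy(f"http://127.0.0.1:{site_port}/video", proxy_port)
        fetch_direct("127.0.0.1", site_port, "/telemetry")
    finally:
        proxy.shutdown(); proxy.server_close()
        site.shutdown(); site.server_close()
    return {
        "proxy_saw": [target for _, target in proxy.seen],
        "site_saw": [target for _, target in site.seen],
    }


if __name__ == "__main__":
    print(run_demo())
```

Only the urllib request reaches the proxy (as an absolute URI, which is how an HTTP proxy is addressed); the raw-socket request lands on the site with the client’s own address, which is exactly the leak a tunnel below the application layer is meant to close.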

I’ve never said I was smarter than those who made the VPN protocol; I am saying that such a protocol is not the right tool for the task OP mentioned. You’re responding to things I’ve never said.

I never said VPNs were bad or useless; I use my own every day. I am saying that commercial VPNs are a problem, and the average user doesn’t need them.
Paid VPNs are acting as glorified proxies; lots of them even do false advertising to attract more normies into their scam.
The average user who buys a VPN each month to watch Netflix and Pornhub doesn’t need a VPN; a proxy does exactly what they want and causes far fewer security problems.

The problem I have with VPNs isn’t the protocol itself but what VPN providers do with it: they add logging and tracking, and you pay for this shit while they pretend to protect you. Yet you just claimed that I pretend to be smarter than those who made the protocol; since the beginning I haven’t criticized the protocol but VPN service providers.

You want a VPN? Make your own: rent a VPS, install OpenVPN, WireGuard or anything else, and you’ll be fine. This is a reasonable VPN usage.

Those who want to visit websites with a different IP to avoid geo restrictions should use a proxy instead of a VPN; they’ll get exactly what they want, but

You cannot trust VPN companies. You have no way to check that they’re legit and not recording your activity.

Please check this and tell me what you think: Don't use VPN services. · GitHub

I genuinely believe in debate and counter arguments, but I want to stay on topic.

Ok, it’s fine that you don’t trust commercial VPN providers. I would agree; they shouldn’t be trusted, but you’re making 2 mistakes.

  1. No threat model.
    The threat model is avoiding detection by your ISP so you can freely consume pornography.
    What threats are there to this detection?
    Deep packet inspection, traffic monitoring, DNS extrapolation, etc.
    If a commercial VPN provider mitigates these threats then it does the job.
    Does the commercial VPN provider create threats to the scope of our threat model?
    No. It solves our problem. It operates on layer 2, so there are no circumvention possibilities.
    Does it create threats outside the scope of our threat model? Yes.
    How can I avoid those threats? Turn the VPN off after I’m done.

  2. Advising to use an insufficient solution.
    Do proxies + DNS over HTTPS solve my detection threats? No.
    Deep packet inspection is still possible. Traffic monitoring is harder, but WebRTC leaks are still possible. DNS extrapolation is possible, but only if DNS over HTTPS isn’t properly configured with certificate pinning. Client-side attacks are still possible in revealing IP addresses by circumventing the HTTP protocol.
    Plus proxies have the same problem as VPNs. You need to trust your proxy.

Not exactly the same problem: the attack surface is reduced because you’re only exposing your browser traffic; your other programs will use the regular routing path, so the proxy server cannot see that. Unless you use the proxy as a system proxy, which I consider to be a mistake as big as using a commercial VPN.

No threat model.
The threat model is avoiding detection by your ISP so you can freely consume pornography.

Is this even legal in the US? In Europe this is totally illegal for ISPs to do. GDPR requires ISPs to get the explicit consent of their customers in order to log anything.

Attack surface is reduced.

This is the problem though. Your attack surface is out of 100%

100% on the VPN when using the VPN

80% on the ISP
20% on the proxy when using the proxy
The goal is to have as little or no information about your pornographic activities being detected by your ISP.

If I don’t want my ISP learning about my internet activities, I don’t want 80% of my attack surface to be my ISP.

Is this even legal in the US?

Yes.
GDPR is a European Union law that US ISPs do not need to comply with.
What makes it worse is there is no GDPR equivalent in the US.
Some countries do; Canada, for example, has PIPEDA.
The US at this time has no governing data privacy laws.


A VPN is just an additional layer of encryption. Even if your VPN is logging all your data, any data transferred over HTTPS or other encrypted protocols will remain encrypted even to them. They can at best only peel back the layer of encryption applied by the VPN protocol. Mind you, I’d trust a paid VPN over an ISP simply because the paid VPNs have a profit motive to give end users what they want. The VPN market is very competitive and users are always demanding privacy. ISPs do not have a financial incentive to protect your data though, particularly in the US, where most ISPs have a monopoly in the market in which they reside.

It’s good that you are approaching each part of the chain that transfers your data with suspicion, healthy skepticism is good. As Vlad pointed out though, VPNs are just a more complete form of protection as opposed to proxies. If you don’t trust your VPN provider you can research a better one, use a double VPN (applying a router level and then a client level one for example), or use Tor. Ultimately it’s entirely up to you how far you want to go to protect your data.

If targeted towards the EU, they must still comply. This means that if a US company offers payment options in euros, they must obey the GDPR.

And note that even if they use a tool that detects your region, converts the currency and displays the costs for this conversion, if it’s not clearly stated, it’s deemed targeting EU users.
This is why US companies are better off always displaying dollars and only in the payment step, through PayPal, having PayPal do the conversion (PayPal acts as the currency exchange here, which means PayPal has to obey the GDPR, but the other company doesn’t).

It’s highly unlikely that a US ISP will offer payment options in euros, but if they do the consequences are big.

US companies are required to comply with GDPR when they are selling services to EU customers.
US ISPs have no reason to sell services to EU customers unless they are selling server space/colocation.

Residential internet doesn’t need to comply with GDPR.

This is true, but for mobile internet (which is still an ISP) the rules quickly become a mess.

If the company is US oriented and targets US customers only, they go fully by US rules (unless the EU explicitly disallows; GDPR doesn’t protect well here and only covers the pure basics).

If the company is US oriented, but targets EU customers, but only through US-specific methods (effectively being more like ‘importing’ a service), they are still not covered by the GDPR. The EU customer explicitly gave the US permission in that case.

For true multinationals, however, the GDPR does apply even when a US person visits the EU, or an EU person visits the US (there are certain protocols the ISPs need to handle to ‘secure’ the information). The US laws on that do have some conflicts (but to the same degree the EU ones also do). But this is handled as a trade agreement.
In its basics it comes down to: if you visit the other continent, your data is stored on that continent, but if a request is made, it’s always granted unless protected as politician/journalist/lawyer.

This is why, for example, Vodafone uses different subcompanies, as those subcompanies are often based on specific continents to avoid conflicts, and therefore can be protected by them (if the US would force such a subcompany to do illegal things, that subcompany can be forcefully detached from the main one by the EU, which is damaging towards the US by losing control, as data trades are then completely blocked off).

This is correct, but this comes down to the scope we are discussing. I don’t know how many US cell carriers would want to monitor cell data traffic. The way the internet works for cell carriers is WAY different from the way you would be assigned a public IPv4 address.

In cell carrier provisioning your traffic isn’t “locked” to your cell’s ISP.
Your traffic is shared among a complex shared network that no one company owns, but multiple companies share bandwidth on based on agreements. This is why you can still use your phone long distance on a different carrier’s tower. This applies to VoIP, SIP, and your data. They are not one to one in the context of whether you want to use a VPN; in fact, because of how it works, a VPN may not help anyway, unless you pick a location outside the country. It’s possible, if you pick a US location, that your endpoint could be one of those carriers’ datacenters and defeat the purpose anyway.

TL;DR Cell traffic works differently enough that VPN use on cell phones is a different discussion altogether.

Zero rating is a thing they do care about though, so it is relevant. An example we had in Europe was free music streaming. And sure, it might often not involve the most extreme examples of data; it’s still data.

And to be able to not count music on the normal data level, some tracking is required. Tracking that the GDPR does care about.

Zero-rating is an example I actually like to use to demonstrate my point. Some time back my wife (on a paid plan, so not exactly zero rating) had a cell provider that injected ads into webpages that were not encrypted with TLS. I got her a VPN, set it to always on, and there were no more intrusions. Zero rating is not a violation of GDPR in the EU. People need to remember that GDPR makes using customer data have to follow rules. It’s not illegal if it’s in your contract.

I think we’ve gotten off track though. The primary point is using a higher layer protocol like an http proxy to avoid tracking is a bad piece of advice. If your goal is to prevent tracking access to a site, an http proxy is insufficient for a multitude of reasons.

Going down a layer fixes ALL of those reasons. Use a VPN. If you don’t know how to make one yourself, a commercial VPN will do fine. Don’t leave it on 24/7. Only use it when trying to accomplish your goal (bypassing state restrictions).

Note that zero rating has multiple methods of working:

  • IP whitelisting (always allowed EU-wide, but very limited in flexibility)
  • Deep packet inspection (often not allowed; it would require explicit permission and cannot be used in marketing anymore from that point on)
  • Phone firmware/local software. Software can use other authentication methods that are recognisable. These are often vulnerable to exploits (giving you ZR for things you shouldn’t).
  • Trusted parties. Whichever company you connect to, that company can pass information about the portion that needs to be zero rated. The ISP can then compensate again. It does not need any detailed transfers and therefore is allowed in the EU (most ISPs don’t trust this though, as it’s highly exploitable by the companies).

A VPN in some of these cases does negate the zero rating aspect with it, so it can be counterproductive here.

And yes, a zero rating ‘package’ is allowed to be sold for specific services as long as the package is kept generic enough to allow other parties to join in (for example: free music streaming must enable all music platforms to enter). The GDPR only partially covers this, but the DMA has made this very strict now.

Also, that a contract mentions certain things doesn’t always make it instantly valid. Some permissions require explicit permission. A big document with all the rules is not valid in those cases. And GDPR-specific things do require that permission. The ‘cookie wall’ is one of those things the GDPR requires even if it sometimes just doesn’t make sense when tracking is the service itself.

You seem to know what you’re talking about, except that some of this doesn’t make sense.

IP whitelisting.
By what mechanism is this enabling a zero-rated ISP?

Either way, I stated my point and this response hasn’t negated what I said.

The IP method relies on the IPs used by known content distributors like Netflix, Spotify, etc. And since the IP is always known, they can act upon that and zero rate the traffic.

But I wasn’t really saying zero rating was against the GDPR, just that a few variants are, and some conditions can create conflicts. These conditions can make certain services impossible to zero rate.

Other than that, what you said was simply just true, and I wasn’t really trying to argue against that even, just inform those who want more details and explain some nuances.