Tom Scott on common VPN sponsorship claims

British educational YouTuber Tom Scott has released a video about common claims made in VPN sponsorship segments.

Video summary:

  • You don't need a VPN to hide your password these days since SSL encryption is used almost everywhere.
  • "Military-grade encryption" is what SSL uses as well. Not a wrong claim, but misleading.
  • Your ISP can see what domain names you request, which is something you might want to hide with a VPN. But what they can't see is the whole URL.
  • VPN providers can be compromised by hackers or governments as well.
  • They are great for circumventing geo-blocking and piracy though, but you can't really advertise with that.
  • Originally, this video was sponsored by a VPN provider, but they dropped it last second.

tl;dr: VPNs are not a general necessity because of SSL

 

I'm not posting this here as an attack on LTT or anything like that, and I'm aware that many of you will already know most of this. I'm just seeing so many channels with a less tech-focused audience (and owners) doing actual scare-mongering that it makes me glad that this easy-to-understand counterpoint exists.


To me, the main advantage to a VPN should be more about overcoming geo-restrictions and less about security. I found the whole 'make your connection private' thing kind of irrelevant too. For many people using an alternate DNS would work for that purpose too.

Saw the video a minute ago, thought it was a pretty interesting... I guess 'unpopular voice' as compared to a greater part of YouTube.

"We're all in this together, might as well be friends" Tom, Toonami.

 

mini eLiXiVy: my open source 65% mechanical PCB, a build log, PCB anatomy and discussing open source licenses: https://linustechtips.com/topic/1366493-elixivy-a-65-mechanical-keyboard-build-log-pcb-anatomy-and-how-i-open-sourced-this-project/

 

mini_cardboard: a 4% keyboard build log and how keyboards work: https://linustechtips.com/topic/1328547-mini_cardboard-a-4-keyboard-build-log-and-how-keyboards-work/


It has gotten a lot better in the past few years due to Let's Encrypt, but there are still a lot of sites out there that don't use SSL.

 

The people who don't know to look if the site has a cert or not are the people who need a VPN, which are the ones being scared into getting one... so I really don't see that as a problem. Maybe not the right way to go about it, but it is still protecting them.


Just now, minibois said:

For many people using an alternate DNS would work for that purpose too.

Unless your ISP logs DNS traffic, which is usually unencrypted, yeah. But if they do that, then you might want a VPN for other reasons as well.


VPNs are not required but are still a very good idea.

 

Various attack vectors exist.

 

Firesheep

SSL Downgrade attacks

DNS resolution leakage

SSL MITM via certificates (e.g. Enterprise Fortinet/Fortiguard)

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

Desktop Build: Ryzen 7 2700X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 48GB Corsair DDR4 @ 3000MHz, RX5700 XT 8GB Sapphire Nitro+, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


I never needed a VPN in NZ. What I need is an uncensored DNS so that my pi-hole can be in control of what I determine to be undesirable. None of the sites I visit are banned, but in the weeks after the chch shootings I got to test that the Tor browser worked fine around government censorship.


4 minutes ago, Scheer said:

It has gotten a lot better in the past few years due to Let's Encrypt, but there are still a lot of sites out there that don't use SSL.

 

The people who don't know to look if the site has a cert or not are the people who need a VPN, which are the ones being scared into getting one... so I really don't see that as a problem. Maybe not the right way to go about it, but it is still protecting them.

But does a VPN even help if HTTPS isn't used? Your data is still sent over the net unencrypted, just a small encrypted jump to that VPN provider. It stops your ISP from looking at that data, but then you have to trust the VPN provider and their ISP not to look at your data.


Yeah, the security aspect of VPNs has always seemed a little ridiculous to me. The only really good reason to use one is getting around geo-restrictions these days, with HTTPS so widespread.

CPU: Core i9 12900K || CPU COOLER : Corsair H100i Pro XT || MOBO : ASUS Prime Z690 PLUS D4 || GPU: PowerColor RX 6800XT Red Dragon || RAM: 4x8GB Corsair Vengeance (3200) || SSDs: Samsung 970 Evo 250GB (Boot), Crucial P2 1TB, Crucial MX500 1TB (x2), Samsung 850 EVO 1TB || PSU: Corsair RM850 || CASE: Fractal Design Meshify C Mini || MONITOR: Acer Predator X34A (1440p 100hz), HP 27yh (1080p 60hz) || KEYBOARD: GameSir GK300 || MOUSE: Logitech G502 Hero || AUDIO: Bose QC35 II || CASE FANS : 2x Corsair ML140, 1x BeQuiet SilentWings 3 120 ||

 

LAPTOP: Dell XPS 15 7590

TABLET: iPad Pro

PHONE: Galaxy S9

She/they 


3 minutes ago, Electronics Wizardy said:

But does a VPN even help if HTTPS isn't used? Your data is still sent over the net unencrypted, just a small encrypted jump to that VPN provider. It stops your ISP from looking at that data, but then you have to trust the VPN provider and their ISP not to look at your data.

Usually, the scenario is that you don't trust the local network, not some connection between datacenters, so yes. But SSL is much better, of course.


5 minutes ago, Electronics Wizardy said:

But does a VPN even help if HTTPS isn't used? Your data is still sent over the net unencrypted, just a small encrypted jump to that VPN provider. It stops your ISP from looking at that data, but then you have to trust the VPN provider and their ISP not to look at your data.

I mean more for using public Wifi and having people packet capturing locally.

 

You are right though, it's still possible to intercept down the line.


-> Moved to General Discussion

 

This does not qualify as news.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv


1 hour ago, Electronics Wizardy said:

But does a VPN even help if HTTPS isn't used? Your data is still sent over the net unencrypted, just a small encrypted jump to that VPN provider.

I thought a VPN would mean you're sending and receiving all the data encrypted?


29 minutes ago, MichaelWd said:

I thought a VPN would mean you're sending and receiving all the data encrypted?

To and from the VPN server, yes, but that then has to send out the traffic you tunnelled to it in its original form again. The server you are communicating with doesn't know that the VPN is there.

 

It's kinda like having another router out in the Internet, after your normal one, with a safe one-to-one cable between the two.


To preface this, the post that I'm replying to makes valid points, although on the modern internet they are less applicable than they used to be.

3 hours ago, rcmaehl said:

Firesheep

Firesheep, and other stripping attacks are still a valid concern, and a VPN does help, but they are much more difficult to execute to any effect these days because they require you to visit a page over HTTP first, but almost all of the big sites where you might start browsing (Google, Facebook, Reddit, etc) use HTTPS and HSTS to protect against that. These days, I suspect (with no concrete evidence beyond HTTPS and HSTS adoption metrics) that using Firesheep wouldn't yield useful credentials very often.

 

HSTS means that there is no way to strip the encryption from linustechtips.com - if your address bar shows linustechtips.com then it is required to be encrypted and there is no option to override security errors in the UI. More and more sites, especially large or sensitive ones, are adopting HSTS.

3 hours ago, rcmaehl said:

SSL Downgrade attacks

SSL downgrade attacks can be a concern, although not many sites support SSLv3 these days anyway and modern SSL+TLS libraries include indicators to detect when a connection has been downgraded. Again it could be an issue but in practice it won't affect many sites. In particular, any site that handles payment information has to use TLSv1.2 or 1.3 now, so downgrade attacks are not a concern on that front.

3 hours ago, rcmaehl said:

DNS resolution leakage

Definitely a valid reason to use a VPN, although you don't need a VPN to achieve that (DNS over HTTPS and DNS over TLS, supported by Firefox and Android respectively, also achieve that). A VPN does also hide the IPs that you're visiting (which can be tracked back to a website relatively easily in many cases) and the SNI information (which is as leaky as DNS, although encrypted SNI is coming).

3 hours ago, rcmaehl said:

SSL MITM via certificates (e.g. Enterprise Fortinet/Fortiguard)

I would argue that if your company/school is MitMing your traffic, you should not be trying to bypass that with a VPN because it almost certainly violates their IT policy.

I personally have a subscription to PIA (which I purchased before they sponsored LTT), and when connected to public wifi for any significant browsing I will usually either use PIA or Cloudflare Warp, but realistically the security implications are negligible (and the privacy implications aren't huge).

HTTP/2 203
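What HSTS actually changes for a stripping attack, as an added example in Python (my code, not colonel_mortis's, Tom Scott's or anything from the forum): a minimal model of a browser's HSTS cache. The header parsing follows RFC 6797; the host names, max-age values and the simulated clock are constructed for the demo. It shows the two properties the post above relies on: a policy is only learned from a response that arrived over HTTPS, and once learned, every plain http:// navigation to that host (and, with includeSubDomains, to its subdomains) is rewritten to https:// before any request leaves the browser, so a stripped link on the local network never produces a plaintext request.

```python
"""Model of how a browser's HSTS cache defeats SSL stripping.

Added example, not from the thread or the video. The browser model is the
assumption: a cache of host -> (expiry, includeSubDomains) learned from
Strict-Transport-Security headers, and a navigate() step that upgrades any
http:// URL whose host is covered. All hosts and values are constructed.
"""
from urllib.parse import urlsplit, urlunsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value (RFC 6797).
    Returns (max_age, include_subdomains), or None if max-age is missing/invalid."""
    max_age = None
    include_sub = False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None or max_age < 0:
        return None
    return max_age, include_sub


class HstsCache:
    def __init__(self, now=0):
        self.now = now          # simulated clock in seconds (constructed)
        self.policies = {}      # host -> (expires_at, include_subdomains)

    def observe_response(self, url, headers):
        """Learn a policy from a response. Browsers only honour the header over
        HTTPS, so a box on the plain-HTTP path cannot inject or clear a policy.
        Returns True if the cache changed."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = headers.get("Strict-Transport-Security")
        if value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        max_age, include_sub = policy
        if max_age == 0:                       # max-age=0 withdraws the policy
            self.policies.pop(parts.hostname, None)
            return True
        self.policies[parts.hostname] = (self.now + max_age, include_sub)
        return True

    def is_covered(self, host):
        """True if host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.policies.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at <= self.now:
                continue                       # expired entries are ignored
            if i == 0 or include_sub:
                return True
        return False

    def navigate(self, url):
        """Return the URL the browser would actually request for this navigation."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_covered(parts.hostname):
            return urlunsplit(("https",) + parts[1:])
        return url


def demo():
    """One HTTPS visit teaches the policy; later stripped http:// links are upgraded."""
    cache = HstsCache(now=1000)
    cache.observe_response(
        "https://example.test/",   # constructed host and header
        {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"},
    )
    return {
        "plain_link": cache.navigate("http://example.test/login"),
        "subdomain": cache.navigate("http://forum.example.test/"),
        "unknown": cache.navigate("http://other.test/"),
    }


if __name__ == "__main__":
    for label, url in demo().items():
        print(f"{label:>10}: {url}")
```

The remaining window is the very first visit, before any policy is cached; that is what the browsers' built-in HSTS preload list exists to cover, and it is why the post's "if your address bar shows linustechtips.com then it is required to be encrypted" holds only for a browser that has already learned (or preloaded) the policy.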


Louis Rossmann also released a video today about VPN sponsorships; in it he discusses some of his concerns, including the fact that no-one can really audit these VPN providers to make sure they're doing the right thing, and NordVPN for one somewhat proved that.

 

This touches on my concerns for VPNs, I remember a few years ago a YouTuber reached out to me to ask my opinion on VPNs as they had just started sponsor segments for a provider - yet had no knowledge about what VPNs actually did. I said my main concern is that you're piping all your data through someone else's network, you have to trust that the VPN is doing the right thing and there's no way to know if they actually are.

I have a hard time trusting my ISP is doing the right thing when I pipe my data through them - and they have government watchdogs on their asses here in the UK - it's tougher for me to trust a VPN has everything covered.

 

Geo IP switching is the one and only feature that tempts me to get a VPN, that sounds like a worthwhile tool if you need it.


VPN is great for me because it hides my true IP on porn and hentai site and some shady sites run by hackers.


Just a reminder that DNS over HTTPS is a thing.

 

For my purposes, uBlock Origin, Privacy Badger, HTTPS everywhere, and DoH are plenty.  I don't do any piracy, and privacy wise tracking cookies are more of a worry than the VPN's extra encryption and probable history collection. 

Resident Mozilla Shill.   Typed on my Ortholinear JJ40 custom keyboard
               __     I am the ASCIIDino.
              / _)
     _.----._/ /      If you can see me you 
    /         /       must put me in your 
 __/ (  | (  |        signature for 24 hours.
/__.-'|_|--|_|        

I've been thinking what he says in the video ever since I started watching LTT promote VPN services. I've said it before that they just use fear tactics to get you to buy something you most likely don't actually need. I wish Linus would be more honest about the actual use cases of VPNs.


12 hours ago, kshade said:

Your ISP can see what domain names you request, which is something you might want to hide with a VPN. But what they can't see is the whole URL

I have set up my pfSense box to use encrypted DNS servers, so my ISP doesn't get even that. At worst they could look at what IP addresses I contact and try to guess, but most websites use various kinds of load-balancing services, e.g. Cloudflare, or are hosted on a shared platform, so even that won't work for most stuff.

 

Personally, for my uses, I just don't see any need for a VPN. Being able to access Netflix from other countries would be nice, but not essential, and I don't know which VPN services would work for that, anyway.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.
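Encrypting DNS, as in the pfSense setup above, removes one copy of the hostname from the ISP's view, but colonel_mortis's point earlier in the thread still applies: the TLS handshake carries the same hostname in clear in the SNI extension until encrypted SNI/ECH is in use. The following is an added Python example (mine, not from any poster, pfSense or a real monitoring product) that builds a minimal TLS ClientHello with an SNI extension and then parses it the way a passive box on the path would. The record layout follows RFC 5246 and RFC 6066; the host name, the zeroed random and the single cipher suite are constructed, and nothing is sent on the network.

```python
"""What a passive observer can read from the first packet of an HTTPS connection.

Added example, not from the thread. build_client_hello() constructs a
ClientHello (constructed field values; real clients send more), and
extract_sni() reads the server name back out of it, which is all an ISP or
hotspot needs to learn which site you are visiting even with DNS encrypted.
"""
import struct

SNI_EXTENSION_TYPE = 0x0000      # server_name, RFC 6066
HOST_NAME_TYPE = 0               # the only NameType defined


def build_client_hello(server_name=None) -> bytes:
    """Construct a TLS record holding a ClientHello; SNI only if a name is given."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerNameList entry: NameType(1) + HostName length(2) + HostName
        sni_list = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(name)) + name
        sni_ext = (struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list) + 2)
                   + struct.pack("!H", len(sni_list)) + sni_list)
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + bytes(32)                               # random (zeroed, constructed)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                             # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _parse_sni(record: bytes):
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    if len(hs) < 4 + hs_len:                          # truncated capture
        return None
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                      # skip version + random
    pos += 1 + body[pos]                              # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                              # compression_methods
    if pos + 2 > len(body):                           # no extensions block
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        list_len = struct.unpack("!H", data[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == HOST_NAME_TYPE:
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None


def extract_sni(record: bytes):
    """Return the SNI host name from a captured ClientHello record, or None.
    Malformed or truncated input yields None rather than an exception."""
    try:
        return _parse_sni(record)
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("forum.example.test")   # constructed host name
    print("observer sees SNI:", extract_sni(hello))
```

This is the same field a DNS-over-HTTPS setup leaves untouched, so on its own encrypted DNS hides the lookup but not the connection; the IP-address guessing the post describes is the fallback only once SNI is encrypted as well.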


Saying almost everyone uses SSL is a misleading claim. Disconnect on my iPhone has encrypted over 5000 unencrypted HTTP connections since August. And I'm not even that heavy a web user.

 

VPN is meaningful if you're traveling a lot and you either want your IP to always be your home country IP and to be sure open hotspots aren't doing anything to your connections.


Only VPN I use is OpenVPN from my phone to my NAS box when I am on WiFi I don't trust.

“Remember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at. 
It matters that you don't just give up.”

-Stephen Hawking


As far as VPNs go, I trust ProtonVPN the most (makers of ProtonMail). It ain't cheap though, but the free version has unlimited bandwidth, quite decent speeds and, for Europe, a server in the Netherlands, which has good privacy laws, which is nice. I would prefer Proton's home country of Switzerland, but hey, it's the free version.

 

I always had doubts about VPN providers that have 5000 servers all over the world. If you have that many, your control of them is probably pretty poor and I'd have a hard time trusting that.


9 hours ago, colonel_mortis said:
SSL MITM via certificates (e.g. Enterprise Fortinet/Fortiguard)

I would argue that if your company/school is MitMing your traffic, you should not be trying to bypass that with a VPN because it almost certainly violates their IT policy.

And if it's a certificate on the local machine then they can MITM the VPN tunnel too if they want, so the VPN doesn't really add any extra protection.

47 minutes ago, RejZoR said:

VPN is meaningful if you're traveling a lot and you either want your IP to always be your home country IP and to be sure open hotspots aren't doing anything to your connections.

That's one of the few legitimate use cases for VPNs I can think of.

But for those purposes I would recommend doing what I'm doing and just hosting a VPN at home. That way, you don't have to pay a monthly fee. Router manufacturers like Asus have made it really easy to configure.

 

Those VPN subscriptions only have 2 legitimate reasons for existing if you ask me.

1) Circumventing geo-restrictions. For example accessing US Netflix while being in Sweden, or if you are in China and want to access a blocked website.

2) If you're not tech-savvy enough to configure your own VPN at home and still want to do what RejZoR mentioned (appear to be at home while away in some other country, and making sure your connection at an open hotspot isn't tampered with).


@LAwLz

I think the main reason why people opt for VPN services is that they are not tech-savvy enough to set up their own VPN (or are just too lazy, like me :P ). But if you can, that's the best and most secure way, because only YOU can be 100% sure what the VPN server is doing. No one can 100% guarantee for any VPN service that it's not doing anything funny behind the scenes. And even if the company is not, scenarios like the recent NordVPN fiasco can happen, where a 3rd party has access to their server in an unauthorized way.
