Tom Scott on common VPN sponsorship claims

British educational YouTuber Tom Scott has released a video about common claims made in VPN sponsorship segments.

 

 

Video summary:

  • You don't need a VPN to hide your password these days since SSL encryption is used almost everywhere.
  • "Military-grade encryption" is what SSL uses as well. Not a wrong claim, but misleading.
  • Your ISP can see what domain names you request, which is something you might want to hide with a VPN. But what they can't see is the whole URL.
  • VPN providers can be compromised by hackers or governments as well.
  • They are great for circumventing geo-blocking and piracy though, but you can't really advertise with that.
  • Originally, this video was sponsored by a VPN provider, but they dropped it last second.

tl;dr: VPNs are not a general necessity because of SSL

 

I'm not posting this here as an attack on LTT or anything like that, and I'm aware that many of you will already know most of this. I'm just seeing a lot of channels with less of a tech-focused audience (and owners) do actual scare-mongering, so it makes me glad that this easy-to-understand counterpoint exists.


To me, the main advantage to a VPN should be more about overcoming geo-restrictions and less about security. I found the whole 'make your connection private' thing kind of irrelevant too. For many people using an alternate DNS would work for that purpose too.

Saw the video a minute ago, thought it was a pretty interesting... I guess 'unpopular voice' as compared to a greater part of YouTube.

"We're all in this together, might as well be friends" Tom, Toonami.

mini_cardboard: a 4% keyboard build log and how keyboards work: https://linustechtips.com/topic/1328547-mini_cardboard-a-4-keyboard-build-log-and-how-keyboards-work/

 


It has gotten a lot better in the past few years due to Let's Encrypt, but there are still a lot of sites out there that don't use SSL.

 

The people who don't know to look if the site has a cert or not are the people who need a VPN, which are the ones being scared into getting one... so I really don't see that as a problem. Maybe not the right way to go about it, but it is still protecting them.

Just now, minibois said:

For many people using an alternate DNS would work for that purpose too.

Unless your ISP logs DNS traffic, which is usually unencrypted, yeah. But if they do that, then you might want a VPN for other reasons as well.


VPNs are not required but are still a very good idea.

 

Various attack vectors exist.

 

Firesheep

SSL Downgrade attacks

DNS resolution leakage

SSL MITM via certificates (e.g. Enterprise Fortinet/Fortiguard)

PLEASE QUOTE ME IF YOU ARE REPLYING TO ME

LinusWare Dev | NotCPUCores Dev

Desktop Build: Ryzen 7 1800X @ 4.0GHz, AsRock Fatal1ty X370 Professional Gaming, 32GB Corsair DDR4 @ 3000MHz, RX480 8GB OC, Benq XL2730 1440p 144Hz FS

Retro Build: Intel Pentium III @ 500 MHz, Dell Optiplex G1 Full AT Tower, 768MB SDRAM @ 133MHz, Integrated Graphics, Generic 1024x768 60Hz Monitor


 


I never needed a VPN in NZ. What I need is an uncensored DNS so that my pi-hole can be in control of what I determine to be undesirable. None of the sites I visit are banned, but in the weeks after the chch shootings I got to test that TOR browser worked fine around government censorship.

4 minutes ago, Scheer said:

It has gotten a lot better in the past few years due to Let's Encrypt, but there are still a lot of sites out there that don't use SSL.

 

The people who don't know to look if the site has a cert or not are the people who need a VPN, which are the ones being scared into getting one... so I really don't see that as a problem. Maybe not the right way to go about it, but it is still protecting them.

But does a VPN even help if HTTPS isn't used? Your data is still sent over the net unencrypted, just a small encrypted jump to that VPN provider. It stops your ISP from looking at that data, but then you have to trust the VPN provider and their ISP not to look at your data.


Yeah, the security aspect to VPNs has always seemed a little ridiculous to me. The only really good reason to use one is getting around geo-restricting these days with HTTPS so widespread.

My PCs:

VALENTINIAN : CPU: Ryzen 7 2700X || CPU COOLER : Corsair H115i Pro || MOBO : MSi B450 Tomahawk Max || GPU: ASUS GTX 1080 Ti Strix OC || RAM: 4x8GB Corsair Vengeance (3200) || SSDs: Samsung 970 Evo 250GB, Samsung 850 Evo 1TB x2 || PSU: EVGA G2 850W w/ Cablemod Black & White Cables || CASE: NZXT H510 White || MONITOR: Acer Predator X34A (1440p 100hz), HP 27yh (1080p 60hz) || KEYBOARD: GameSir GK300 || MOUSE: Logitech G502 Hero || AUDIO: HyperX Cloud Alpha, Logitech C920 || CASE FANS : 2x Corsair ML140, 2x Corsair ML120 ||

DIOCLETIAN III (HTPC) : CPU: Ryzen 5 1600 || CPU COOLER : Cooler Master Hyper 212 Black Edition || MOBO : MSi X370 Gaming Pro Carbon || GPU: ASUS GTX 1080 Strix OC || RAM: 2x8GB G.SKILL Ripjaws V (3200) || SSDs: Crucial P1 500GB, Crucial MX500 1TB || HDD: Seagate Barracuda 2TB || PSU: Seasonic 650W w/ Black & Red Extensions || CASE: Phanteks P300 || Monitor: Samsung Q60 65" QLED (4K 60hz) || KEYBOARD: Logitech G613 || Mouse: Logitech G305 || CONTROLLER: Xbox One Controller x2 || AUDIO: Samsung Q60R Soundbar || Case Fans : 2x Cooler Master Masterfan Pro 120, Noctua NF-F12 iPPC-2000 ||

JUSTINIAN - Dell XPS 15": CPU: Core i7-9750H || GPU: GTX 1650 || RAM: 2*8GB 2666MhZ DDR4 SODIMM || SSD: 1TB M.2 PCIe || CASE: 15.6" Laptop with dBrand skin || MONITOR: 15" 1920 * 1080 IPS || KEYBOARD: Dell Keyboard || MOUSE: Logitech G305 White || AUDIO: HyperX Cloud II ||

OTHER : Dell Latitude (i7-6600U, 16GB RAM, 500GB SSD) || HP All-in-One (Unspecified Haswell i7, 8GB DDR3, Crucial MX500 500GB ||

MOBILE : Galaxy S9 (64GB + 64GB uSD) || Galaxy S7 (32GB) || FitBit Blaze || iPad 7th Generation ||

CONSOLE : Nintendo Switch (Pro Controller x3, Joy-Con Grip x1, PowerA Enhanced Controller x1) ||

3 minutes ago, Electronics Wizardy said:

But does a VPN even help if HTTPS isn't used? Your data is still sent over the net unencrypted, just a small encrypted jump to that VPN provider. It stops your ISP from looking at that data, but then you have to trust the VPN provider and their ISP not to look at your data.

Usually, the scenario is that you don't trust the local network, not some connection between datacenters, so yes. But SSL is much better, of course.

5 minutes ago, Electronics Wizardy said:

But does a VPN even help if HTTPS isn't used? Your data is still sent over the net unencrypted, just a small encrypted jump to that VPN provider. It stops your ISP from looking at that data, but then you have to trust the VPN provider and their ISP not to look at your data.

I mean more for using public Wifi and having people packet capturing locally.

 

You are right though, it's still possible to intercept down the line.


-> Moved to General Discussion

 

This does not qualify as news.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv

1 hour ago, Electronics Wizardy said:

But does a VPN even help if HTTPS isn't used? Your data is still sent over the net unencrypted, just a small encrypted jump to that VPN provider.

I thought a VPN would mean you're sending and receiving all the data encrypted?

29 minutes ago, MichaelWd said:

I thought a VPN would mean you're sending and receiving all the data encrypted?

To and from the VPN server, yes, but that then has to send out the traffic you tunnelled to it in its original form again. The server you are communicating with doesn't know that the VPN is there.

 

It's kinda like having another router out in the Internet, after your normal one, with a safe one-to-one cable between the two.


To preface this, the post that I'm replying to makes valid points, although on the modern internet they are less applicable than they used to be.

3 hours ago, rcmaehl said:

Firesheep

Firesheep, and other stripping attacks are still a valid concern, and a VPN does help, but they are much more difficult to execute to any effect these days because they require you to visit a page over HTTP first, but almost all of the big sites where you might start browsing (Google, Facebook, Reddit, etc) use HTTPS and HSTS to protect against that. These days, I suspect (with no concrete evidence beyond HTTPS and HSTS adoption metrics) that using Firesheep wouldn't yield useful credentials very often.

 

HSTS means that there is no way to strip the encryption from linustechtips.com - if your address bar shows linustechtips.com then it is required to be encrypted and there is no option to override security errors in the UI. More and more sites, especially large or sensitive ones, are adopting HSTS.

3 hours ago, rcmaehl said:

SSL Downgrade attacks

SSL downgrade attacks can be a concern, although not many sites support SSLv3 these days anyway and modern SSL+TLS libraries include indicators to detect when a connection has been downgraded. Again it could be an issue but in practice it won't affect many sites. In particular, any site that handles payment information has to use TLSv1.2 or 1.3 now, so downgrade attacks are not a concern on that front.

3 hours ago, rcmaehl said:

DNS resolution leakage

Definitely a valid reason to use a VPN, although you don't need a VPN to achieve that (DNS over HTTPS and DNS over TLS, supported by Firefox and Android respectively, also achieve that). A VPN does also hide the IPs that you're visiting (which can be tracked back to a website relatively easily in many cases) and the SNI information (which is as leaky as DNS, although encrypted SNI is coming).

3 hours ago, rcmaehl said:

SSL MITM via certificates (e.g. Enterprise Fortinet/Fortiguard)

I would argue that if your company/school is MitMing your traffic, you should not be trying to bypass that with a VPN because it almost certainly violates their IT policy.

 

 

I personally have a subscription to PIA (which I purchased before they sponsored LTT), and when connected to public wifi for any significant browsing I will usually either use PIA or Cloudflare Warp, but realistically the security implications are negligible (and the privacy implications aren't huge).

HTTP/2 203


Louis Rossmann also released a video today about VPN sponsorships. In it he discusses some of his concerns, including the fact that no-one can really audit these VPN providers to make sure they're doing the right thing, and Nord VPN for one somewhat proved that.

 

This touches on my concerns for VPNs, I remember a few years ago a YouTuber reached out to me to ask my opinion on VPNs as they had just started sponsor segments for a provider - yet had no knowledge about what VPNs actually did. I said my main concern is that you're piping all your data through someone else's network, you have to trust that the VPN is doing the right thing and there's no way to know if they actually are.

 

 

I have a hard time trusting my ISP is doing the right thing when I pipe my data through them - and they have government watchdogs on their asses here in the UK - it's tougher for me to trust a VPN has everything covered.

 

Geo IP switching is the one and only feature that tempts me to get a VPN, that sounds like a worthwhile tool if you need it.


VPN is great for me because it hides my true IP on porn and hentai sites and some shady sites run by hackers.


Just a reminder that DNS over HTTPS is a thing.

 

For my purposes, uBlock Origin, Privacy Badger, HTTPS everywhere, and DoH are plenty.  I don't do any piracy, and privacy wise tracking cookies are more of a worry than the VPN's extra encryption and probable history collection. 

Resident Mozilla Shill.   Typed on my Ortholinear JJ40 custom keyboard
               __     I am the ASCIIDino.
              / _)
     _.----._/ /      If you can see me you 
    /         /       must put me in your 
 __/ (  | (  |        signature for 24 hours.
/__.-'|_|--|_|        

 

I've been thinking what he says in the video ever since I started watching LTT promote VPN services. I've said it before that they just use fear tactics to get you to buy something you most likely don't actually need. I wish Linus would be more honest about the actual use cases of VPNs.

12 hours ago, kshade said:

Your ISP can see what domain names you request, which is something you might want to hide with a VPN. But what they can't see is the whole URL

I have set up my pfSense box to use encrypted DNS servers, so my ISP doesn't get even that. At worst they could look at what IP addresses I contact and try to guess, but most websites use various kinds of load-balancing services, like e.g. Cloudflare, or are hosted on a shared platform, so even that won't work for most stuff.

 

Personally, for my uses, I just don't see any need for a VPN. Being able to access Netflix from other countries would be nice, but not essential, and I don't know which VPN-services would work for that, anyways.

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.


Saying almost everyone uses SSL is a misleading claim. Disconnect on my iPhone has encrypted over 5000 unencrypted HTTP connections since August. And I'm not even that heavy a web user.

 

VPN is meaningful if you're traveling a lot and you either want your IP to always be your home country IP and to be sure open hotspots aren't doing anything to your connections.

AMD Ryzen 7 5800X | ASUS Strix X570-E | G.Skill 32GB 3733MHz CL16 | PALIT RTX 3080 10GB GamingPro | Samsung 850 Pro 2TB | Seagate Barracuda 8TB | Sound Blaster AE-9 MUSES


Only VPN I use is OpenVPN from my phone to my NAS box when I am on WiFi I don't trust.

“Remember to look up at the stars and not down at your feet. Try to make sense of what you see and wonder about what makes the universe exist. Be curious. And however difficult life may seem, there is always something you can do and succeed at. 
It matters that you don't just give up.”

-Stephen Hawking


As far as VPNs go, I trust ProtonVPN the most (makers of ProtonMail). It ain't cheap though, but the free version has unlimited bandwidth, quite decent speeds and, for Europe, a server in the Netherlands, which has good privacy laws, which is nice. Would prefer Proton's home country of Switzerland, but hey, it's the free version.

 

I always had doubts about VPN providers that have 5000 servers all over the world. If you have that many, your control of them is probably pretty poor and I'd have hard time trusting that.

9 hours ago, colonel_mortis said:
Quote

SSL MITM via certificates (e.g. Enterprise Fortinet/Fortiguard)

I would argue that if your company/school is MitMing your traffic, you should not be trying to bypass that with a VPN because it almost certainly violates their IT policy.

And if it's a certificate on the local machine then they can MITM the VPN tunnel too if they want, so the VPN doesn't really add any extra protection.

 

 

 

 

 

47 minutes ago, RejZoR said:

VPN is meaningful if you're traveling a lot and you either want your IP to always be your home country IP and to be sure open hotspots aren't doing anything to your connections.

That's one of the few legitimate use cases for VPNs I can think of.

But for those purposes I would recommend doing what I'm doing and just hosting a VPN at home. That way, you don't have to pay a monthly fee. Router manufacturers like Asus have made it really easy to configure.

 

Those VPN subscriptions only have 2 legitimate reasons for existing if you ask me.

1) Circumventing GEO restrictions. For example accessing US Netflix while being in Sweden, or for example if you are in China and want to access a blocked website.

2) If you're not tech-savvy enough to configure your own VPN at home and still want to do what RejZoR mentioned (appear to be at home while away in some other country, and making sure your connection at an open hotspot isn't tampered with).


@LAwLz

I think the main reason why people opt for VPN services is they are not tech savvy enough to set up their own VPN (or just too lazy like me :P ). But if you can, that's the best and most secure way, because only YOU can be 100% sure what the VPN server is doing. No one can 100% guarantee for any VPN service that it's not doing anything funny behind the scenes. And even if the company is not, scenarios like the NordVPN fiasco recently can happen where a 3rd party has access to their server in an unauthorized way.

On 10/29/2019 at 12:09 AM, poochyena said:

 

I've been thinking what he says in the video ever since I started watching LTT promote VPN services. I've said it before that they just use fear tactics to get you to buy something you most likely don't actually need. I wish Linus would be more honest about the actual use cases of VPNs.

It's to hide the fact that he's the main consumer of Dennis body pillows.

Home AI/Game Development, and Music Editing Workstation:

Bloodshed and the Fenris-Wolf:  https://pcpartpicker.com/list/Fx3sNP

 

Mobile Workstation:

Ryu Hayabusa:  https://pcpartpicker.com/list/37bVz7

 
