VPN and privacy on terb

escapefromstress

New member
Mar 15, 2012
943
0
0
Whether logging is on by default depends on the device type or application. The logging needs to go somewhere (it's almost never stored on the device), like a syslog server. And then you need to have sufficient storage on that server. If you have a busy site, you can be talking many TB or even PB a year and that requires a SAN/NAS. Thus many service providers skimp on implementation.

Both in Canada and the US there are laws as to how long and what types of data a service provider must store. But the Internet and service providers evolve so quickly that the laws can't keep up. Whereas an ISP must keep email logs and connection logs for a minimum of 6 months (made that number up, the duration has a formula), there are no specific laws for VPN services (yet).

But keep in mind, under the old Patriot Act (I forgot the new name and too lazy to Google now) certain LE agencies can go into a provider RIGHT NOW and ask for logs and/or set-up mirroring in the name of "prevention of terrorism". No formal court subpoena required. How they use that information in court is a different issue. So using VPN services will still help <-- this is partly why Fuji keeps stressing US VPNs vs off-shore VPNs. Also this is why a lot of websites (including TERB) are no longer choosing to be hosted in the US or Canada.

You will also notice a lot of web sites have gone from HTTP to HTTPS (like TERB). This means the actual content between your browser and the web server is encrypted end-to-end - so if someone is monitoring/logging/mirroring your ISP router, they will know you are surfing TERB, but will NOT know what is being transmitted.


I don't think that's the main reason LE would be monitoring. Possible scenarios:

1) Suppose a SP is found to be underage. LE could scour the sex-board sites for anyone who has reviewed the SP and press charges.

2) If an SP gets hurt or killed, LE may scour the boards for customers in the last 0-90 days as part of the investigation

3) If the site gets hacked, the hacker could post all the IP addresses and email addresses on the net. After the Ashley Madison leak, I'll bet 2/3 the wives in NA used the search engine site to look for their husbands' email or home IP address. I know several companies in Toronto I worked with did a search on their public IP address ranges.

4) If the info was made public domain, I know a lot of HR departments who search for this kind of info as part of their hiring process. It's not an easy process and in many cases the info is useless, but I'll bet $100 dollars that 10-30% of people use their work address or full name in gmail/hotmail email address on the porn sites. Dummies! Also we all have political enemies and any bad information is useful information.

Good post, thank you.
 

fuji

Banned
Jan 31, 2005
79,957
8
0
¯\_(ツ)_/¯
is.gd
You will also notice a lot of web sites have gone from HTTP to HTTPS (like TERB). This means the actual content between your browser and the web server is encrypted end-to-end - so if someone is monitoring/logging/mirroring your ISP router, they will know you are surfing TERB, but will NOT know what is being transmitted.
Yes, but cloudflare. Also although your traffic to terb is https encoded your DNS request for terb's IP is unencrypted and logged. We know DNS is long term logged since Paul Vixie used DNS logs to uncover Trump's server's communications with Russian banks.

Cloudflare terminates your https connection to terb, decrypts, re-encrypts, and forwards your connection to the actual terb webserver. Cloudflare, a US company, is therefore able to see all your traffic decrypted. Terb's owners signed the certificate that enables cloudflare to do this as part of buying cloudflare's anti DDOS solution. Cloudflare also had relatively weak security practices as demonstrated by the cloudbleed leak.

US or Canadian police, or hackers, could therefore intercept and read all terb traffic by serving cloudflare with a US warrant (or just hacking them). If I were the NSA, I would become cloudflare's biggest investor and partner.

The FBI and RCMP will figure this out too, if they haven't already.

So I would assert that you should not trust that HTTPS connection at all and instead VPN to protect yourself.
 

malata

RockStar
Jan 16, 2004
3,824
172
63
Paradise by the dashboard light.
Tor is much more secure than a vanilla VPN but be aware it's also much slower.
Using tor is noticeable. Web pages visibly take a long time to load especially if they have a lot of animations and images.
I now remember using TOR's 30 day trial offer and I was not impressed with the speed, now that you mentioned it - that's why I never continued with their service.

Fastest is probably PIA pointed to a local server. It will anonymize the IP in the terb logs but be vulnerable to a wiretap within your own jurisdiction. But it'll be so fast you won't know it's there.
I would like to get the best of both worlds - speed and privacy (as secure as VPN) if at all possible with PIA. According to your recommendation, your assessment, PIA is the way to go with speed according to Reddit VPN reviews. Can you recommend PIA providers that you've tried?


https://www.reddit.com/r/vpnreviews/comments/4ylflv/review_torguard_vs_nordvpn_vs_private_internet/


  • Vyper vpn is not suitable if you torrent. Its apps are good, easy to use and have some good features but it's expensive, keeps logs and has no linux client (it does have openvpn config files). Vypervpn was the least likely to be blocked by a website for "abuse".
  • Nordvpn scores well on thatoneprivacysite.net but a lot feels unfinished. The android app can be a pain. The desktop app has only app kill switches. There's no linux client (it does have openvpn config files). It does offer novel special servers but apart from anti ddos for gamers/streamers I would question the usefulness of these servers.
  • Torguard may not have the slickest vpn software but they do specifically cater for torrenting (tor in the name meaning torrenting). It was generally no fuss dealing with them or their app. My biggest gripe was the internet killswitch was a bit difficult to setup.
  • Pia ticks all the boxes. It's suitable for torrenting, has a good android and desktop app. It's the cheapest per month if you sign up for a year. I didn't like the lack of a digital signature on their app and there are no frills (ddos protection, anti-vpn circumvention) but it is cheap and functional.

    Cost
    NOTE deals/offers are often available especially for long term subscriptions. However I would highly recommend taking out a one month subscription first to "see how things go" before taking out any cheaper long term subscription.
    PIA
    1 month - $ 7
    6 months - $ 36 ( $6 a month )
    1 Year - $ 40 ( $3.33 a month )
    Torguard
    1 month - $ 10
    3 months - $ 20 ( $6.66 a month )
    6 months - $ 30 ( $5 a month )
    1 year - $ 60 ( $5 a month )
    Nordvpn
    1 month - $ 8
    6 months - $ 42 ( $7 a month )
    1 year - $ 69 ( $5.75 month )
    Vyper
    1 month basic - $ 10
    1 month pro - $ 15
    1 month premier- $ 20


    1 Year basic - $ 80 ( $6.66 a month )
    1 Year pro - $ 100 ( $8.33 a month )
    1 Year premier- $ 120 ( $10 a month )

Next would be using a VPN that connects to a nearby US server. Almost as fast and complicated by one additional jurisdiction.
Considering VPN as an option along with PIA, but most likely go with PIA because of its speed, unless of course we can factor in the speed as well. Looking at ExpressVPN or IPVanishVPN as providers.


So you may want to consider how much inconvenience you are willing to pay for how much privacy.
Great point, but for me - speed would be on top if I can't settle for both. Thanks for your input Fuji, you've shed some light on internet security, how much do we really need and how to go about doing it.

 

Promo

Active member
Jan 10, 2009
2,479
0
36
Yes, but cloudflare. Also although your traffic to terb is https encoded your DNS request for terb's IP is unencrypted and logged. We know DNS is long term logged since Paul Vixie used DNS logs to uncover Trump's server's communications with Russian banks.

Cloudflare terminates your https connection to terb, decrypts, re-encrypts, and forwards your connection to the actual terb webserver. Cloudflare, a US company, is therefore able to see all your traffic decrypted. Terb's owners signed the certificate that enables cloudflare to do this as part of buying cloudflare's anti DDOS solution. Cloudflare also had relatively weak security practices as demonstrated by the cloudbleed leak.
...........
So I would assert that you should not trust that HTTPS connection at all and instead VPN to protect yourself.
Everything you say is true, but VPN isn't 100% secure either. PIA will hide your true source IP address end-to-end, but not your data - in PIA data is only encrypted up to PIA's exit server. Example: when you exit the PIA server in Holland, although no-one can determine your true source IP they will be able to see your unencrypted data. If your data stream includes personal information (a name, email address, important #, etc) you can still be compromised. Yes, with HTTPS server sessions Cloudflare (or Akamai - the biggest player in content delivery) breaks the encryption chain, but HTTPS/SSL secures you everywhere else in the datapath. Therefore HTTPS should still prevent most (but not all) hacking of your datastream end-to-end, but it doesn't hide your source IP.

Combine PIA with HTTP and you have two layers of defense. <--- Geek speak in my industry uses the terms "layered defence" or "defense in depth". You use multiple technologies to provide a more comprehensive solution. More layers means better defense: i.e. a locked-down browser in a VM-based operating system protected by a software firewall and MAC address randomization. Local network protected by a hardware firewall using IPS technology. Trusted secure DNS source. VPN service that hops on and off in at least two countries. On-and-on.

The weak link by far will always be the idiot human that falls for a phishing attack or downloads spyware or simply gets social engineered and provides personal data. There's always someone smarter .......

At a certain point PC security becomes insanely cumbersome. So I typically just use PIA for 90% of my protected browsing needs and a lot of web sites have already gone HTTPS -- I feel reasonably safe assuming I don't do anything stupid. When I feel paranoid, I jump in the car and use a few open wireless sites I've discovered along with PIA and Technitium. <-- I only do this when downloading entire seasons of certain TV shows or music compilations from studios/labels that I know aggressively chase pirates (i.e. Walking Dead - I've received 2 letters a few years back, the second was really nasty and I don't want to mess with these people).

Be aware Technitium has limited usefulness in the real world. I run it on my PC when using public wifi as a last line of defence if LE finds the need to see my PC - "hey officer, that's not my PC's MAC, but here's my PC" - of course you have to delete everything first if given a chance.
 

Promo

Active member
Jan 10, 2009
2,479
0
36
Although this thread is VPN focused, I hope everyone also protects the Windows PC itself:
- Keep your OS and application patches up to date
- Keep your PC microcode (BIOS) and hardware vendor programs up to date
- Run a good antivirus program. Windows Defender is NOT a good AV program. Make sure that program scans inserted CDs, DVDs, USB keys, Emails, IM, etc. For my personal and work PC I bought Norton AV and for my family gaming PC I use paid ESET. For my screw-around PC I use free AVAST, but it's annoying lately
- Make sure you are running strong encryption on your wifi (WPA2-PSK) with a strong password. If you are somehow obligated to give your wifi password to someone, CHANGE IT as soon as they leave.
- Turn off your Windows' filesharing (default), occasionally check that the setting hasn't changed.
- Perform regular scans with SuperAntispyware and Malwarebytes
- Run ccleaner and Windows Disk Cleanup monthly
- Use a password manager and FFS, make sure you use a different password for every site you visit and make sure it's strong. I keep a copy of all my passwords on an encrypted USB key that is stashed away.
- Perform regular backups. Make sure the backups are encrypted and the backup medium (I use a portable drive) is kept far away from your PC (to prevent theft) ideally in a fireproof box. My neighbour and I store each other's back-up at our house.
- If your browser has incognito mode or equivalent - use it.
- I run "Click&Clean" on Chrome - it will delete all cookies, browsing history, temporary browser files and cache upon closing Chrome
- I run "Blank new page tab" in Chrome - when opening a new tab it opens in a blank page - no previous pages are shown
- Use a password to protect your PC, encrypt the disk if your OS supports the feature. Consider using Windows professional for its encryption if you have something to protect.
- Set your screensaver to lock your PC after 5 minutes. Yeah, it can be a hassle, but it could save your ass.
- I've created a red icon on my desktop called "LOCK" with a target of C:\Windows\System32\rundll32.exe user32.dll, LockWorkStation. Every time I get up from my seat, I select it and my PC locks. Again, bit of a hassle, but it only takes 30 seconds for someone to compromise you.
- when you finish with a website that is password protected, log-out first, then close the browser. Don't just close the browser.
- Educate yourself on how phishing attacks and human engineering techniques are used by hackers. Might help you avoid being taken advantage of on both the Internet, the phone and life.
- If you are a gearhead consider Linux or Windows VMs (VMware)

Curious as to other people's suggestions.
 

malata

RockStar
Jan 16, 2004
3,824
172
63
Paradise by the dashboard light.
Curious as to other people's suggestions.
Great technical advice Promo. IMAO, if someone really wanted to hack into your system, no matter your defenses, they will always find a way - check out the toys NSA has to do so: https://nsa.gov1.info/dni/nsa-ant-catalog/

For me, I use a separate computer/laptop for one use only, most of the time it's off line...
 

fuji

Banned
Jan 31, 2005
79,957
8
0
¯\_(ツ)_/¯
is.gd
There doesn't seem to be a perfect answer. I boiled it down to NordVPN and PIA and paid for both so I could compare them.

I'm primarily talking about mobile phone usage since I never access terb from my work laptop nor from the desktop at home I share with my wife. Only from my mobile phone.

One free option is OperaVPN by the company that makes the Opera browser, which is a fast and free proxy VPN but isn't a true VPN and is owned by a Chinese(!PRC!) company. Better than nothing and free. Just download the app. You can run chrome on top of it.

But I rejected that since I'm ok with paying the forty to sixty bucks a year better solutions cost.

I have both PIA and Nord on my phone and I'm currently using NordVPN for one reason: I tested what happens when my phone migrates from WIFI to mobile data and back. PIA takes a long time to reconnect after the network change while the NordVPN client reconnected very quickly.

However there's a risk with Nord: PIA kills your internet connection until it reconnects while Nord doesn't, so with Nord you have to check your status bar for the lock symbol before browsing. Connect just once when it's not there and you could be blown. This is the "kill switch" feature and PIA's biggest advantage over Nord. However the fast reconnect with Nord is also a big convenience. It just works. PIA is faster than Nord when measured with speedtest but the difference isn't perceptible to me when browsing.

PIA is US based but there was one case where the FBI demanded logs and PIA showed up in court and simply said they didn't have any. FBI was able to obtain proof that their suspect was a customer of PIA but not any usage data so it ended there. So their "we don't log" has been verified in a US court case, it seems legit.

Nord also does not log and it's not US based so in theory less susceptible to a US warrant.

I think both are pretty good and neither is perfect.

I will likely continue flipping between them since I've paid a year's subscription on each.
 

fuji

Banned
Jan 31, 2005
79,957
8
0
¯\_(ツ)_/¯
is.gd
I tested what happens when my phone migrates from WIFI to mobile data and back. PIA takes a long time to reconnect after the network change while the NordVPN client reconnected very quickly.
Update on this: I have confirmed PIA simply lacks this feature. When you migrate from WiFi to mobile network you must manually disconnect and reconnect. Not hard to do that but it's an inconvenience: your whole mobile data connection is blocked until you do. NORDVPN handles this efficiently.

I also found on Android you can mitigate the impact of Nord's lack of a kill switch by going to settings, connections, more connection settings, VPN, and selecting "always on VPN". That generally prevents non VPN traffic being sent out though I still confirm the VPN is working before browsing here.

With that my opinion is that Nord is better for mobile use on Android devices.

On desktops and laptops it's a different story. At least for me on my desktop it's just WiFi so the reconnect issue isn't as big a problem and PIA is faster, and has more features, including a kill switch.

Currently I'm using PIA on my home computer and Nord on my mobile device.
 

fuji

Banned
Jan 31, 2005
79,957
8
0
¯\_(ツ)_/¯
is.gd
Update on this:

NordVPN sometimes failed open in my mobile phone, meaning, lost connection and didn't restart, even though I had set it as AlwaysOn VPN, leaving my connection unprotected. The little key would disappear from my Android status bar but that's easy to miss.

Since then I have gone back to PIA on my mobile phone. It does sometimes mean I have to open the PIA app to get it to reconnect but in these cases browsing is blocked until it's secure.

I judge that to be safer.

So my vote now goes to PIA both in mobile phone and PC.
 