Is ____ VPN good? Some tips on threat modeling and critical thinking.
by happenstance - Friday June 16, 2023 at 12:23 AM
A guide on how to determine if your VPN (or really any service) is suitable for you.

Housekeeping
  • There is no such thing as truly "safe". Assume every service you use is compromised, because even if it currently isn't, odds are one day it will be.
  • You should not be relying only on a VPN to protect you. What they are capable of and the protection they provide is widely overstated; look into combined use with Tor and proxies.

Some questions to ask yourself about your VPN company:
  • Is it regularly audited? Are these audits independent and done by reputable individuals and organizations who are unaffiliated with the VPN company?
  • Is any part of it open source?
  • Does it claim to keep logs? Is this verifiable? (you can never truly know, but their audits and interactions with law enforcement can shed light on past practices at least)
  • Where are they based? What are the laws regarding privacy and logging in which they reside? Does that country (by itself and via proxy) have a track record of respecting those laws?
  • Who owns the company? Not just who runs it, but are there any shell companies or parent companies? Who owns those? What other ventures are they involved in? Follow the money, what are their financial interests in running a VPN company?
  • What is their history with law enforcement?
  • What is their TOS? How do they enforce it?
  • What protocols do they allow you to use?
  • How do they accept payment? Are the options privacy friendly? How do they store payment information? Is this included in their audits?
  • Do they require PII to register? Do they authenticate users in a privacy friendly way?
  • Who owns their servers and infrastructure? How is their server and infrastructure operated? Is this included in their audits?
  • Have they been accused of any scandals? What was the outcome?
and finally,
  • If there are any questions that are answered unfavorably, what risk is presented as a result of this? How can I mitigate this risk? Is this risk and mitigation acceptable and realistic for me?

The common thread throughout these questions is to think about:
  1. How does this service operate on both a technical and business level within their environments?
  2. How can these operations be used or abused against me?
  3. How likely is this to occur/how big of a risk is this to me?

The overarching ideas can (and should!) be applied to any service you use. There is no such thing as a "perfect" service. Everything will have vulnerabilities and red flags (and I'd be willing to argue not having any red flags is a red flag within itself). You choose what level of risk you're comfortable with, just take the time to understand what that level of risk is.

How can I determine if my VPN has these characteristics?:
  • Read the privacy policy/TOS/and audits.
  • Search for your VPN on reddit/hackernews.
  • Read articles from non-shill sources you trust.
  • Use OSINT to learn more about the business (this will largely depend on where it is based - registries.opencorporates.com is a good start. For country-specific information see https://en.wikipedia.org/wiki/List_of_of..._registers)

Your OPSEC is the last place you want to get lazy. Put in the time to understand and research the services you rely on, future you will be thankful.

Be careful.