• @[email protected]
      link
      fedilink
      18 months ago

      If it’s all encrypted & they don’t have the DNS requests, all they can see is that you sent X bytes to some IP which isn’t very helpful. Who’s to say these VPNs aren’t selling their data back to the ISPs anyhow?

      • Lemongrab
        link
        fedilink
        08 months ago

        Encryption doesn’t mean perfectly hidden. Metadata isn’t encrypted for HTTPS iirc. And the ISP knows who your sending traffic to since they are routing you there and are usually your DNS. When connected to a good and trusted VPN, all that is hidden, your DNS can’t give away your location, and the only server you contact is the VPN

        • @[email protected]
          link
          fedilink
          18 months ago

          What metadata? The headers are as encrypted as the payload. That there was a key exchange between you & a server isn’t too useful.

          “Usually” is a strong word for DNS as well since all OSs let you change it & the megacorporations like Google & Cloudflare have already compelled a lot of folks to use their DNS ta resolve faster since the ISP ones are slow (& the smarter, curious folks used that as a launching point to find other provider or self-host). Some platforms have even been shipping DNS-over-HTTPS to get around some of these issues (since the payload & headers are encrypted under TLS).

          • @[email protected]
            link
            fedilink
            English
            18 months ago

            the hostname of a website is explicitly not encrypted when using TLS. the Encrypted Client Hello extension fixes this but requires DNS over HTTPS and is still relatively new.

            • @[email protected]
              link
              fedilink
              18 months ago

              Everything after Hello is encrypted tho. The metadata is important, but takes some leaps of assumption to know what that data means—moreso than the metadata of say WhatsApp since the payload could be just about anything & from anywhere, not just a P2P text/multimedia message. And DNS over HTTPS does exist now & has support in all browsers & mobile operating systems. If it’s the hostnames you are worried about, a simple SSH SOCKS5 proxy with remote DNS could work with many older technologies. Not saying there isn’t some worry, but there are solutions now, the ISP is getting close to nothing, & for most folks subscribing to a comericial VPN is not worth giving monthly money to these actors that you probably can’t trust.

          • Lemongrab
            link
            fedilink
            08 months ago

            It doesn’t matter if they are encrypted if you can sell the data about what the user is doing (eg if your connecting to a shopping website your probably shopping their). Better to obfuscate the source by choosing an endpoint that isn’t geographically related and associated with your identity. I only would ever recommend using a VPN that is open source and well audited by a renowned 3rd party auditor(s). https://luxsci.com/blog/what-is-really-protected-by-ssl-and-tls.html

            • @[email protected]
              link
              fedilink
              18 months ago

              Sure if you need that protection, but there is a lot of fearmongering about VPNs that are misinformation to sell products most folks don’t need to be worrying about versus more pressing matters in security/privacy

          • Lemongrab
            link
            fedilink
            08 months ago

            Usually means in 99.9% of typical configurations unless you are a techy or an enterprise.

        • @[email protected]
          link
          fedilink
          18 months ago

          By who? Who is auditing the auditors? That’s not to say audits aren’t good, but when the code is proprietary, a lot of trust is required. I would prefer banking on solid, open tech which the TLS standard is. There is still use cases for VPNs, but outside like streaming piracy, you might be better served by the Tor network.

          • Lemongrab
            link
            fedilink
            0
            edit-2
            8 months ago

            Yeah, I don’t trust proprietary server backend. Also I2P is a good option that should be less slow under the traffic of thousands of users.