Everyone saying you don't need a VPN but you do

I’m a cyber security hobbyist, but I admit that I’m a newbie compared to the veterans out there. So I wanted to stop by and ask why every YouTuber these days says you don’t need a VPN. I say you do, if:

  1. You don’t want everyone and their dog to see your real IP (so basically you’re against being dox’d)
  2. Your lousy government is censorious so you can’t watch x, y, or z
  3. You want the whole of your traffic encrypted (it helps a bit more than HTTPS, right?)
  4. Your ISP believes they should get to determine what you download, and will cut off your internet if you don’t have a VPN

I’m hoping someone here can tell me if/where I’m wrong on that list. Lastly, why would the pos EU government be trying to ban them if they’re so useless? Methinks these youtubers don’t know what they’re talking about. Thanks!


As someone who is a security professional with 10 years of experience in pentesting, red teaming and security research, I can tell you that it’s not that simple. Using a VPN for security / privacy is largely a shift of trust. You are basically placing your trust in your VPN provider instead of your ISP. That’s not a reason to say everyone needs a VPN; people need to decide if they can trust their ISP or some faceless company based in another country. There may well be reasons for both positions.

Another important thing to note is VPN companies are smaller and less regulated than an ISP. This means they likely have far less security resources to dedicate to securing their own infrastructure. Also given that VPNs are often targeting people for “hiding your activities”, I can almost guarantee you that the alphabet boys (NSA, GCHQ, and every other intelligence agency) have already been in their network for years and slurping up and storing your data. It’s a very juicy target for an intelligence agency and they absolutely have the resources to hide there.

For most people in western countries, I would say it’s probably not needed, unless it’s for torrenting in a country which isn’t friendly to pirates, or doing bug bounty research where you risk looking like a hacker and having global CDNs and WAFs blocking you.

  1. I’m sorry but could someone explain how this works? I was under the impression that ISPs dynamically assign an IP address that changes regularly unless you pay to have a static one. Also, the IP address might only give you the city you’re in and not your specific home address or even which part of the city you’re in.

I thought doxing mainly came from people doing some OSINT from a combination of stuff people post on social media and from data brokers. Am I way off base in thinking an IP address doesn’t give you much if you live in a western country in a big city?

  1. This would depend on which country you’re in. If those YouTubers are in the US for example, I can’t think of any site that’s been blocked so you can’t watch the videos.

  2. If HTTPS (TLS) wasn’t secure enough, I think there would be much more discussion among security folks about finding a replacement. What about TLS do you think is insecure?

  3. Again, it depends on what country you’re in. If you’re talking about sailing the high seas, people aren’t solely on using torrents for that and they’re not using a VPN.

As for your comment on the EU government, I’d need to know the specifics of this. There’s probably a lot of nuance that is missing. Is it all VPN they’re trying to ban? Link me to a quality article if they are so I can learn more.

My 2 cents:

“You don’t want everyone and their dog to see your real IP (so basically you’re against being dox’d)”

  • Yes you have a point, but you can use the Tor Network at that point to hide who you are without utilizing a VPN.

“Your lousy government is censorious so you can’t watch x, y, or z”

  • Once again you can use the Tor network, as it’s all free and provides anonymity while online.

“You want the whole of your traffic encrypted (it helps a bit more than HTTPS, right?)”

  • Pretty much all websites use HTTPS now since HTTPS certs are free, so everything is encrypted, with the exception of your DNS resolving, but you can fix that by enabling DNS over HTTPS, then everything is encrypted.
  • However, if an ISP wanted to know where or what you are going or doing, they have the resources to investigate that easily, encrypted or not, but normally do not unless authorities are involved.

“Your ISP believes they should get to determine what you download, and will cut off your internet if you don’t have a VPN”

  • Never heard of this before, unless you’re in China.

Maybe using a VPN can get you to stream some streaming services that you would not normally get to, but not all VPN services suppress X Forward in the HTTP headers so the streaming service will know you are on a VPN and probably will refuse you.

The only reason I or my clients use VPN nowadays is to connect to the office for resources; otherwise surfing with HTTPS, DNS over HTTPS and using Tor when needed should all be sufficient. If you need more than that, may as well use Tails!

FYI most VPN services do track you and sell that information to 3rd parties, one of the worst being NordVPN and its other white label VPN companies.

The best REAL VPN service is Mullvad, research it and you will see it compared to others.

my 2 cents is

a good vpn is about £20 a year, sometimes a bit more depending if you get an offer or not…

will it help? who knows…

but if it provides 1% extra anonymity per day of using the Internet

then over a year that adds up… for £20 yes it’s worth it

it’s a ROI thing imo. if you want to be a tad more private then yes…

also, you get to watch programs from other countries

Yes, if you live in USA, you do. But if you live in a civilized country, then not really.

There are a few reasons why non-average persons would need one and a few reasons average persons would need them.

Corporate greed: IP (and geo-fencing) based ads are all the rage. We used to do ‘corporate market research’ based on cookies, but that is no longer a thing since a few countries, namely the EU and the United States state of CA (opt out consent for CA) require consent for cookies. That means that websites now need a new association for their data collection. They can’t realistically pull MAC addresses (yet). In the US IP addresses are mostly considered public domain like your physical address. Yet a lot of businesses, LLCs, and people prefer to get PO boxes so that their mail and side hustles are not linked to their home. VPNs would do the same thing virtually for youtubers, instagramers, and online streamers.

If you are being censored in a country, getting a VPN might work for a while, but my guess is that the VPNs you are able to get in country still provide logging and provide that data back up to the government in some way shape or form. A VPN for the average joe isn’t going to do much but buy time. Now, if they know what they are doing and are running their own VPNs or using the dark web in an attempt to obfuscate their actions they might have a better chance, but also increased risk.

HTTP, HTTPS, and other traffic all rely on the protocol being utilized, such as TLS 1.3. But when you say isn’t a VPN better than HTTPS? Well that depends on what you want your VPN to do. Are you looking to establish a presence in another country to browse the web? Buy off their steam store? Access your data back home or make it look like you are still working from home when traveling to Hawaii? Access a rival corporation’s SMTP server? There’s a lot of different ways to establish a VPN with different protocols. Sometimes, corporations will stack VPNs or use different ones for different objectives.

In reality, for the average citizen in the US, you’re already hiding in the masses and no one really cares about you as an individual that much. Sorry, you’re just not that interesting. If you’re behind say a “Great Firewall” that prevents you from reaching data outside of your home country, sorry, you’re probably out of luck because my guess is that they’re controlling all the VPNs, ISPs, and other enablers.

To your last point about an ISP getting to approve or disapprove your downloads and cutting off your internet, that’s… hey man, not sure what country you’re from but WTF? Usually this is because people are torrenting (read: Pirating) copyrighted material that hollywood doesn’t want shared so they send their lawyer with their letters to sue the ISP and the ISP tells you to stop. In that case, e.g. theft of IP, yeah a VPN would work but you’d want more than just a VPN.

So what about the best VPN company on the planet? Say you found the best and you used them. Wouldn’t they realize people are trying to infiltrate their system, and thus have good security against this?

I’m sorry but could someone explain how this works? I was under the impression that ISPs dynamically assign an IP address that changes regularly unless you pay to have a static one. Also, the IP address might only give you the city you’re in and not your specific home address or even which part of the city you’re in.

It is like that. There are various sites that will show your location based on your IP, and none of them are accurate.

To answer your question about 1. Being able to determine the city that someone lives in, is a huge help. Vs having to search the entire earth. You’re right, they would compile a lot of information if they’re trying to find you.

Wouldn’t your city be a big part of that? It’s going to be quite difficult to locate you if they can’t even tell what city you’re in. A good VPN should make that impossible unless they force the VPN company to give up your data. And some of them don’t even keep those records for that very reason.

Well almost regarding DNS and TLS. Even when you use DNS over HTTPS, almost all servers leak their hostname in the SNI field of the certificate.

What do you think about Private Internet Access? Or creating your own VPN?

I’m pretty sure though mate that the “plus” of watching programs from other countries (via streaming services you mean) is one already solved by most people(via good ol’ piracy) who consider using VPN for whatever reason…

It’s not £20 though. If you used your VPN for everything, all the time (granted, use varies) you would soon hit the VPNs data cap and you would have to pay for more.
I am not against VPNs. They are useful for some things but not for 100% privacy and definitely not for efficiency.

How about making your own VPN? There’s several tutorials on youtube to do this. For me it’s a matter of principle, I value privacy.

They might realise, but the best VPN company is probably tiny still. Mullvad has 24 employees, nordvpn has 72, these are tiny companies. They don’t have large security teams. In my career as a pentester, we NEVER didn’t get into the target company, and these were large tech companies, banks, insurance companies, ISPs, etc. Companies which have larger security teams than the total number of employees at the best VPNs.

They might realize if a low level hacker gains access, but a government sponsored actor? No way.

But it’s not impossible. Like I said before, using OSINT techniques couldn’t someone determine your city that way? Like checking social media posts, checking meta data off photos, etc… And since they’re gathering information anyways it’s not that much more work.

True, there is just no real 100% way to conceal yourself other than Tor and Starbucks WiFi and using a virtual image to surf or a laptop you don’t care about. :)

But what about the servers that don’t? Maybe you could use those.