
Why don't "VPNs don't protect you like they think you do."?

Quoting from an older thread [KT]: "Using a VPN to access the Internet is counterproductive. It does NOT provide you with any additional security. It routes all of your Internet traffic through a single point, the VPN provider, who then has access to all of your data traffic.


VPNs are intended to provide a secure connection from your computer or device to a private network, such as your employer or school."


----

Yes, there is your own private VPN (home or work) and then there would be the more public shared VPN services. There is an element of trust required in your VPN provider. Using a 3rd party VPN provider routes traffic through shared VPN ports. All your traffic is routed through a single point w/everyone else using that location/port/protocol. Is it bulletproof? No. Is it better than your broadband and/or cell data providers having it? To me, absolutely. VPNs also let you switch that around so you can pick different locations and ports - not something you can do w/your personal data provider.


VPNs also minimize the countless number of hidden trackers that track not just your IP but also through your apps (browsers and such.) They offer ad blockers. Virus protection. Lots of extra value beyond simply masking an IP. I don't think companies should be allowed to track, manage, sell/share your behavior outside their own domain - but they are allowed and they do.


Yes, many services actively pursue blocking VPNs (in particular by subscribing to IP blacklists) to minimize VPN usage. While true bad actors often use VPNs, bad actors also use cars yet banks still support parking - because vehicles are good for everyone, not just bad actors. Same for VPN - VPNs are good for everyone.

So yes, VPNs require futzing w/settings for certain services, knowing which locations work for certain banks and such...and while a pain, well worth the extra bit of effort.


One point to share - when using VPN on an iPhone keep in mind that the VPN protects ONE data source, not multiple...so let's say you are on your home wifi AND have your cellular data on - VPN will protect one (which I think is the wifi) and your cellular IP would be fully exposed. That is a tricky undocumented feature.


Here on the Apple Forums, VPN is a four-letter word. I would like to learn more around how VPNs do not protect us like we think they do....w/o the presumption that everyone using a VPN thinks a VPN is an easy bullet proof solution for privacy. It is a tool, not a single solution. It is a valid useful tool.

MacBook Pro (M4)

Posted on Nov 25, 2024 5:17 PM

Question marked as Top-ranking reply

Posted on Nov 25, 2024 6:10 PM

PixelRogue1 wrote:

Appreciate the link. Little useful but also quite light.

Personally, on open networks all the time, which is one of the other key drivers. It isn't bullet proof, no fence is impenetrable...it is a tool to help. If anyone thinks your data providers aren't logging, think again. So even if your VPN is logging, it isn't any worse than your data provider.

Waiting for the ability to mask MAC IDs on iOS (a benefit that exists for Android) as that is another critical component.

I think you have a basic misunderstanding of what a VPN provides. If you use, for example, secure protocols, your data is protected without a VPN. So, for example, if you use a browser with the https protocol to access a secure server, then your data is encrypted. If you use an insecure protocol like http, your data is viewable at all nodes through which the data is routed.

If you use a VPN, the VPN provider has access to all your data to do with what they wish. If you are using an insecure protocol, the VPN provider can get and sell all your data. Then the VPN provider retransmits your data insecurely to its final destination. Your VPN provider does not have special secure routes to an insecure site. So, the VPN provider does exactly what you do when you send data to a destination, except they intercept the data for their use.

The only valid use of a VPN is to provide a secure point-to-point tunnel to a workplace or other private network.

Don't be fooled by the third party VPN advertisements and false claims.
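To make the http-versus-https point above concrete, here is an added example (not code from the thread or from Apple) that shows what an on-path observer, whether that is the ISP or a VPN provider, can read from a plaintext HTTP request versus from a TLS ClientHello. The sample request and the ClientHello builder are constructed inline; the hostname still leaks through SNI (and DNS) unless something like Encrypted Client Hello or ODoH hides it, but the path, headers and body do not.

```python
"""Added example: what an on-path observer learns from HTTP vs. TLS traffic."""
import struct

def observe_http(data: bytes) -> dict:
    """Plaintext HTTP: method, path, Host header and body are all readable."""
    head = data.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    return {"host": headers.get("Host"), "path": path,
            "method": method, "body_visible": True}

def build_client_hello(sni: str) -> bytes:
    """Constructed minimal TLS 1.2-framed ClientHello carrying one SNI extension."""
    host = sni.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_data = struct.pack("!H", len(entry)) + entry             # ServerNameList
    ext = struct.pack("!HH", 0, len(sni_data)) + sni_data        # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                  # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                 # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                                        # compression: null only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def observe_tls(data: bytes) -> dict:
    """TLS: only the SNI hostname is readable; path, headers and body are encrypted."""
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                                   # record hdr, handshake hdr, version, random
    pos += 1 + data[pos]                                   # session id
    pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # cipher suites
    pos += 1 + data[pos]                                   # compression methods
    ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
    pos += 2
    sni = None
    while pos < ext_end:
        etype, elen = struct.unpack("!HH", data[pos:pos + 4])
        pos += 4
        if etype == 0:                                     # server_name: skip list len + name_type
            name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
            sni = data[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return {"host": sni, "path": None, "method": None, "body_visible": False}

def observer_view(data: bytes) -> dict:
    """Classify a captured first packet: 0x16 is a TLS handshake record, otherwise treat as HTTP."""
    return observe_tls(data) if data[:1] == b"\x16" else observe_http(data)

# Constructed samples: the same request over plain HTTP and the TLS opening for the same host.
HTTP_REQUEST = b"GET /login?user=alice HTTP/1.1\r\nHost: bank.example\r\n\r\n"
TLS_HELLO = build_client_hello("bank.example")

if __name__ == "__main__":
    print("HTTP :", observer_view(HTTP_REQUEST))
    print("TLS  :", observer_view(TLS_HELLO))
```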

9 replies

Nov 25, 2024 6:51 PM in response to PixelRogue1

I’d suggest acquiring a better understanding of TLS-based security, of iCloud+ Private Relay, and of both sorts of VPNs, and preferably that knowledge not from the endemic advertising, more advertising, and the VPN-owned VPN reviews.


I do understand that some folks want their network metadata collected by sketchy providers, and want unnecessary added overhead for a connection, that overhead contributing negligible additional benefits over the existing connection security, and all that configured in a way that is perfect for collecting personally-identified metadata, of course.


Apple has been using random Wi-Fi MAC addresses for a while, as well: Wi-Fi privacy - Apple Support

Nov 26, 2024 6:32 AM in response to PixelRogue1



PixelRogue1 wrote:
Where I agree is that some VPN providers claim the moon and the stars while other providers will outright lie. Much of what I see in these debates is often more judgement of VPN and its usage, a strong bias (at times even naive understanding of VPN) - including in the link that was shared in this thread. Then there is also a common theme expressing that those using a VPN are gullible and fall prey to misinformation and lies.


Everybody falls prey to misinformation, advertising, propaganda, and phishing, sooner or later.


And too many of the VPN providers are themselves sketchy, or have been caught in lies.


iCloud+ Private Relay is pretty slick. I don't use it, yet admire the approach. It, too, has its limitations (and I would put VPN on TOP of iCloud Private Relay if I were one to use iCloud services.)

That already happens.


There are many valid purposes and use cases for VPN that include...
• Connecting to specific networks (home networks, work, etc.) (cited by the article linked)

For connecting to a business or home network, the built-in VPN client or an add-on client works fine. Well, Cisco Secure Mobility Client (née AnyConnect) seems to crater every so often, based on reports around here.


I help with and run those VPNs routinely, and those usually get mentioned (as a different use case) in most coffee shop VPN discussions.


If you have a properly-configured VPN server, you can (unnecessarily) also use that to doubly-wrap your coffee shop connections, akin to running your own Algo VPN server, too.


• When on open WIFI networks at a coffee shop, hotel etc (cited by the article linked)


Which contributes negligible additional security over the existing TLS and Private Relay and ODoH, and adds overhead.


Gets your personally-identified metadata centralized and collected, though. Good at that.


• Additional protection and safety for journalists in countries where specific types of content are prohibited.


Yeah. If that’s your use case, I wouldn’t touch a commercial VPN with a barge pole.


There have already been espionage efforts targeting those too, and I’d expect most countries and regions will already monitor or block those.


And those VPNs can be detected and monitored (or can be blocked) in any region with pervasive access.


If you’re an investigative journalist, political dissident, or similar, get specialized help with your security, and don’t trust random internet suggestions, and don’t trust random VPN providers that may well be run by or backdoor’d by an adversary. Getting your own comms to blend in can potentially be far more important.


• Blocking ads, specific categories of content

That would best be performed using an ad-blocker, either within the browser, or possibly as a Pi-hole or similar on the local network. Multiple ad blockers do work, though keeping only one blocker enabled at a time is usually best.


• Choosing different protocols and locations based on need at the time.


Or for better security there, using an Algo VPN server for that, or using a VPN server on your home or business network, which avoids the whole metadata collection and logging issues, and allows using robust credentials and not credentials ~everybody knows.


I haven't dug too deep into the MAC IDs other than knowing services use iPhone (likely iPad) MAC IDs all the time and wish I could easily change them up - haven't gone deep yet into trying. macOS Wi-Fi MAC IDs are as heavy a use case as mobile (for me.) Thank you for the link.

It’s been automatic for years, and IIRC was enabled by default when introduced.


Each randomly-selected MAC persists on each Wi-Fi, so MAC filtering (and the problems that exist there) is feasible on a per-Wi-Fi-network basis.


It is possible to reset all per-network MAC addresses as part of resetting network settings.


If MAC address tracking is a concern, I’d likely be equally concerned about Bluetooth chatter here, and you can shut that off. And I’d also avoid using hidden SSIDs, as those turn all Wi-Fi clients into what amount to mobile advertisements. And the hidden SSID doesn’t hide the Wi-Fi network, it makes it stand out to anybody inclined to look, as the cherry atop.

Nov 26, 2024 8:02 AM in response to PixelRogue1

I think you have some basic misunderstandings about VPN.


Here's how I look at VPN. VPN is analogous to hiring an uncertified private guard about whom you know nothing to deliver your postal (paper) mail to your home. Along the way, the guard opens and reads all your mail before it is delivered. You feel that this is more secure than normal mail delivery -- it is not.


I distinguish between the above VPN and the VPN my employer requires to access the corporate network. The employer VPN is specially configured and is bullet proof, or as close as one can get. It is set up by certified companies with credentials and certifications that are also used by banks, investment houses, and the government, to ensure secure access. The people employed by these certified companies are IT Security professionals. The private guard I allude to above has no advanced degree and no credentials and probably is no more trustworthy than someone you randomly hire walking down the street.

Nov 25, 2024 5:52 PM in response to PixelRogue1

PixelRogue1 wrote:

Here on the Apple Forums, VPN is a four-letter word. I would like to learn more around how VPNs do not protect us like we think they do....w/o the presumption that everyone using a VPN thinks a VPN is an easy bullet proof solution for privacy. It is a tool, not a single solution. It is a valid useful tool.

It's even less than that. It's just an acronym. VPNs are one of the most popular forms of scam and spyware apps these days. Everyone always thinks their own chosen VPN service is safe and reliable. The stronger their feelings about that, the more likely they are to use one of the worst examples.

Nov 26, 2024 9:01 AM in response to steve626

steve626 wrote:

I think you have some basic misunderstandings about VPN.

Here's how I look at VPN. VPN is analogous to hiring an uncertified private guard about whom you know nothing to deliver your postal (paper) mail to your home. Along the way, the guard opens and reads all your mail before it is delivered. You feel that this is more secure than normal mail delivery -- it is not.

I distinguish between the above VPN and the VPN my employer requires to access the corporate network. The employer VPN is specially configured and is bullet proof, or as close as one can get. It is set up by certified companies with credentials and certifications that are also used by banks, investment houses, and the government, to ensure secure access. The people employed by these certified companies are IT Security professionals. The private guard I allude to above has no advanced degree and no credentials and probably is no more trustworthy than someone you randomly hire walking down the street.


Some of the add-on security apps are getting difficult to distinguish from actual malware with their data collection and personally-identified metadata resale habits — such as that of the recently-fined Avast — and there are allegations that some of the entities that were previously associated with malware moved into providing VPN services. The whole of the add-on security market looks shady, or poorly-implemented, or both.


And yes, a purpose-dedicated end-to-end VPN for an affiliated organization — and those end-to-end VPNs inevitably with unique credentials — is far better second-wrapping security than is a shared-credentials coffee-shop-second-tunnel VPN service.


And you’re correct that a second tunnel doesn’t do appreciably better than what the existing connection security (TLS tunnels, Private Relay, and ODoH) provides for accessing the open internet.

Nov 25, 2024 5:56 PM in response to muguy

Appreciate the link. Little useful but also quite light.


Personally, on open networks all the time, which is one of the other key drivers. It isn't bullet proof, no fence is impenetrable...it is a tool to help. If anyone thinks your data providers aren't logging, think again. So even if your VPN is logging, it isn't any worse than your data provider.


Waiting for the ability to mask MAC IDs on iOS (a benefit that exists for Android) as that is another critical component.

Nov 26, 2024 4:21 AM in response to BobTheFisherman

HTTPS secures end-to-end, yes, and this is with any data provider and VPN. Using VPN doesn't lessen encryption when both are employed.


VPN provider has access to all your data to do with what they wish, the same as your internet provider...so either way data is being used in ways the customer is likely not aware of...and is a leap of faith either way. Your data provider is legally obligated to log and manage your data. VPN providers not as much (some claim not to have any such requirements and others may say that is not true or a lie, false marketing - pot shot - comes down to your VPN provider and trust.) That said your chances are better w/a VPN provider than your local data provider (zero chance w/your local data provider at least in the United States.)


If you use an insecure protocol, your DATA PROVIDER does (not just can) get and sell all your data. Having worked for a TV data provider that bundles TV/Voice/Data, your customer data is worth more than your monthly bill each and every month (combined bill for all bundled services mind you, not just the data portion.) So here, in this case, you have a 100% guaranteed problem w/your data provider, and a maybe w/your VPN provider.


Data provider transmits your data insecurely to its final destination. I think that may be the case for some VPNs, yet is not a known fact. If you are using secure protocols, such as HTTPS as mentioned above, are you saying that flips back to HTTP after leaving the VPN provider's port? For me, HTTPS remains connected throughout, so it doesn't really matter if the VPN provider is or is not securing that last leg of the data trip - I mean it matters and yes we want that encryption...saying if the VPN is not providing that extra encryption the user is still covered.


'VPN provider intercepts the data for their use' - what use might that be? I can tell you your data provider profits from your data (and far more than metadata.) Your data provider not only harvests your data, they pair it with your name, address, viewing history, account history and sell it .... there are countless ways your information is being combined and sold. The article linked earlier in this thread was looking to discredit use of bitcoin or other less transparent forms of payment, while there is ZERO opportunity to disconnect usage from your actual account. So VPNs you might not know, but a guaranteed fail with your data provider. Your data providers are also likely (I know one does) partnering w/Meta, Google and others for further enriching and profiting from your data. So if you are accessing, say, Facebook from a secure HTTPS browser link, your data provider and Meta are working together and pair up the activity in other ways.


Never touched - when using VPN you can actually CHANGE your protocols and ports (so you can choose WireGuard, IKEv2 etc) (even if you call it a proxy, it is very helpful), have control of blocking ads, blocking specific types of activity (gambling, adult content, social media etc.) You can block ads, shift DNS, view content from other countries.


I was overseas for a few weeks this year and was able to login and pay bills while away. I can't access my local banks from foreign IPs but it was a breeze w/VPN.


---

Where I agree is that some VPN providers claim the moon and the stars while other providers will outright lie. Much of what I see in these debates is often more judgement of VPN and its usage, a strong bias (at times even naive understanding of VPN) - including in the link that was shared in this thread. Then there is also a common theme expressing that those using a VPN are gullible and fall prey to misinformation and lies.


iCloud+ Private Relay is pretty slick. I don't use it, yet admire the approach. It, too, has its limitations (and I would put VPN on TOP of iCloud Private Relay if I were one to use iCloud services.)


There are many valid purposes and use cases for VPN that include...

• Connecting to specific networks (home networks, work, etc.) (cited by the article linked)

• When on open WIFI networks at a coffee shop, hotel etc (cited by the article linked)

• Additional protection and safety for journalists in countries where specific types of content are prohibited.

• Blocking ads, specific categories of content

• Choosing different protocols and locations based on need at the time.



-----

I haven't dug too deep into the MAC IDs other than knowing services use iPhone (likely iPad) MAC IDs all the time and wish I could easily change them up - haven't gone deep yet into trying. macOS Wi-Fi MAC IDs are as heavy a use case as mobile (for me.) Thank you for the link.
