NordVPN, eh? I'll never forget there was a reddit thread on /r/vpn where a NordVPN customer complained about a billing issue or something.
NordVPN's official response was to get defensive; they proceeded to actually publicly post a screenshot which included the customer's email address. I couldn't believe it.
That tells you all you need to know about NordVPN's terrible attitude towards privacy.
A VPN is inherently not a privacy tool. It is perceived that way because of the acronym Virtual 'Private' Network but privacy is not in the design specs at all.
It's just for tunneling over untrusted networks like Starbucks Wi-Fi and spoofing your geo-location. That's it. You can't verify the no-logs claims by providers unless you're physically in their building and auditing the setup yourself.
And some, like MullvadVPN, don't even ask for common PII. No usernames, no email addresses, no passwords, no persistent billing information.
They could claw some information from certain payment providers (like if you used Stripe to top off your account) if they wanted, but you can pay your bill by putting cash in an envelope and mailing it, if you wanted to.
That's good enough for me. I am sick and tired of websites telling me what I can and cannot do based on my location. It's not the 90s anymore, I refuse to put up with geo blocking.
I'm curious as to why you're being downvoted. Technically a VPN is a private network, but what you're getting at isn't wrong either. If you don't own / control the network you have no way to verify. I'm not passing judgement on Nord one way or the other but I get what you're saying.
EDIT: At the time you were downvoted; I see it's no longer the case. Further comments about Nord and questionable behavior have also been posted in the thread.
My goal isn't to correctly judge people's character, it's to get the most value for my dollar. If you force me into evaluating your character one way or another, I'm simply going to choose to not do business with you; my dollars are better off that way.
Allegedly, they are using their customers as botnets to resell traffic from residential IPs, mostly for scraping, through their other business "Oxylabs".
I am the top comment on that post and you got the whole situation backwards and are thereby just spewing FUD with the implication in your comment :/.
The idea was never that NordVPN was reselling the network connections of NordVPN customers; it was always that they were, on their backend, originating NordVPN customers' traffic from maybe-sketchily-sourced IP addresses.
Here is a paragraph I wrote a couple years ago on the topic of how centralized VPN companies manage to bypass blocks by content providers (such as Netflix).
> One VPN company that actually seems to do "well" at this is NordVPN: they've even managed to provide access to Disney+! Someone did a deep analysis of how this worked a while back (an article which has since been deleted, weirdly, but a copy can be found on the Internet Archive). They are "linked closely with a Lithuanian data mining company called Tesonet" which also runs Oxynet, which in turn advertises itself to have "32M+ residential proxies…100% anonymous proxies from all over the globe with zero IP blocking", which the author of that analysis believes is how NordVPN is originating their traffic... and how did they get all of those IP addresses? The contention was that they seem to be stealing them, convincing random products to embed malware that attaches them to the Oxynet essentially-a-botnet.
I'm not a conspiracy theorist, but the relations of Tesonet, NordVPN and Oxylabs are creepy at best.
People make the allegation that NordVPN is routing some of Oxylabs' traffic, because that's exactly what HolaVPN and Bright Data (previously known as "Luminati") do. (See https://archive.is/aJY0F ) And Luminati Networks sued Tesonet for patent infringement on this.
Just the corporate structure of Tesonet in itself should make people stay away from any of their VPN products.
"Consenting and fully aware individuals become a part of a residential proxy network in return for a financial reward or some other benefit. When they choose to participate in our suppliers' pools, they consent that a part of their internet traffic and a small amount of the device's hardware resources will be used for a variety of business cases."
Does anyone that uses NordVPN know how explicit this is in their client/agreement? If they are even using it...
I don't opt in to anything like this (as far as I know). Looking at the preferences, I don't see something that sounds like it maps to the consent above. So ... I'm not really sure.
I've read this stuff before, from various supposedly above-board companies. If this is true, where can I sign up? I've never seen companies clearly offering this without being misleading.
Since Oxylabs allows selecting a proxy at a very granular location, it should be possible for researchers to get a bunch of these dodgy browser extensions and correlate which are forwarding Oxylabs traffic.
> You'd almost certainly see that traffic going across your network, right?
This is why their marketing campaigns are so aggressive. They completely rely on the unsophisticated masses, to whom a computer is a magical box of fairy dust that plays Netflix shows.
I fully agree that informed consent is necessary before funnelling connections for others, esp. given varying local laws around internet traffic responsibility.
However, I also think this is the only way to bypass streaming sites blocking VPNs - the whole reason for using such a service in the first place.
IMHO the shadiness is only around consent and not the means. Unfortunate, but such is reality.
Hey, Vykintas from NordVPN here. By going open source we are trying to be more open. NordVPN customers aren't used as botnets to resell traffic and you can easily check it using Wireshark as well as look through the code. As you can see majority of it is open source. If you have any questions - shoot them and I can try and answer them. Otherwise - please don't spread information without proper investigation.
First of all, I want to reiterate that I purposefully used the word "allegedly" because I have no proof. I only have a smoking gun https://archive.is/bQo0O .
Second of all, I want to explain that it is very difficult to verify any of your points.
> you can easily [...] look through the code. As you can see majority of it is open source.
The whole thing is one giant "Initial commit" of what looks like millions of lines of code. Auditing this code will take months for a single motivated person. There are little to no comments. "Just read the code" is difficult in this context. Also routing traffic through the client can be done with just 2 lines of code enabling kernel IP forwarding, and another line of code adding an nft/iptables rule to NAT traffic from NordVPN to the outside world. This is looking for a needle in a haystack if this is obfuscated.
Also your Windows and macOS clients (which are the most used by non-power-users) are not open source, at the time of writing. So these ones could still be doing what has been alleged. This would be fine, since it's most likely most of your users.
> you can easily check it using Wireshark
This is also not that easy. If, as alleged, Oxylabs resells millions of NordVPN IPs to thousands of Oxylabs customers, you only have a 1/1000 chance to be the botnet of the day. So you would need to be running Wireshark the one day out of 2½ years to see the traffic going through with Wireshark.
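The comment above notes that turning a client machine into an exit node takes little more than enabling kernel IP forwarding plus one NAT rule. The flip side is that those two settings are exactly what a user can inspect on their own Linux box without reading a million lines of client code. The following is an added example, not code from this thread or from NordVPN's repositories: a small Python checker that takes the contents of `/proc/sys/net/ipv4/ip_forward` and the text output of `nft list ruleset` as strings (so it runs offline against the constructed samples below) and reports whether the host is configured as a NAT router. The interface names `wg0`/`eth0` and the `10.8.0.0/24` range in the sample are placeholders I made up for the example.

```python
import re
from typing import List, Optional, Tuple

# Constructed samples standing in for `cat /proc/sys/net/ipv4/ip_forward` and
# `nft list ruleset` on a Linux host that NATs a tunnel (wg0) out through eth0.
# Interface names and the 10.8.0.0/24 range are placeholders, not real data.
SAMPLE_IP_FORWARD = "1\n"
SAMPLE_NFT_RULESET = """\
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        ip saddr 10.8.0.0/24 oifname "eth0" masquerade
    }
}
table inet filter {
    chain forward {
        type filter hook forward priority filter; policy drop;
        iifname "wg0" oifname "eth0" accept
        ct state established,related accept
    }
}
"""

Chain = Tuple[Optional[str], str, Optional[str], List[str]]   # (table, chain, hook, rules)


def parse_nft_chains(ruleset: str) -> List[Chain]:
    """Minimal parser for the brace layout `nft list ruleset` prints.
    It records which table/chain each rule line belongs to and the chain's hook (if it is
    a base chain); it does not try to understand every nft syntax variant."""
    chains: List[Chain] = []
    table = chain = hook = None
    rules: List[str] = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"table\s+(\S+)\s+(\S+)\s*\{", line)
        if m:
            table = f"{m.group(1)} {m.group(2)}"
            continue
        m = re.match(r"chain\s+(\S+)\s*\{", line)
        if m:
            chain, hook, rules = m.group(1), None, []
            continue
        if line == "}":
            if chain is not None:                 # closing brace of a chain
                chains.append((table, chain, hook, rules))
                chain = None
            else:                                 # closing brace of a table
                table = None
            continue
        if chain is None:
            continue
        m = re.match(r"type\s+\S+\s+hook\s+(\S+)", line)
        if m:
            hook = m.group(1)                     # base chain attached to a netfilter hook
        else:
            rules.append(line)
    return chains


def assess_forwarding(ip_forward: str, ruleset: str) -> List[str]:
    """Return human-readable findings that, taken together, describe a host acting as a NAT router."""
    findings: List[str] = []
    if ip_forward.strip() == "1":
        findings.append("net.ipv4.ip_forward=1: kernel forwards packets between interfaces")
    for table, chain, hook, rules in parse_nft_chains(ruleset):
        for rule in rules:
            if hook == "postrouting" and re.search(r"\b(masquerade|snat)\b", rule):
                findings.append(f"{table} {chain}: source NAT rule '{rule}'")
            elif hook == "forward" and rule.endswith("accept") and "iifname" in rule:
                findings.append(f"{table} {chain}: forward-accept rule '{rule}'")
    return findings


def is_nat_gateway(ip_forward: str, ruleset: str) -> bool:
    """True only when both halves are present: forwarding enabled AND a source-NAT rule installed."""
    findings = assess_forwarding(ip_forward, ruleset)
    return ip_forward.strip() == "1" and any("source NAT" in f for f in findings)


if __name__ == "__main__":
    for finding in assess_forwarding(SAMPLE_IP_FORWARD, SAMPLE_NFT_RULESET):
        print("-", finding)
    print("acts as NAT gateway:", is_nat_gateway(SAMPLE_IP_FORWARD, SAMPLE_NFT_RULESET))
```

On a live host you would feed it `open("/proc/sys/net/ipv4/ip_forward").read()` and the stdout of `nft list ruleset`; a system still using legacy iptables would need `iptables -t nat -S` instead, which this parser does not read. A positive result only means the box is set up to route and rewrite traffic for others; what that traffic is still has to be looked at on the wire.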
I hear there's a dirty secret that more and more companies are doing this to make things like Netflix that block VPNs "just work" through their services. Not sure how true this is or how widespread, though.
I ran into a situation where I left a VPN on my phone on and the Target app (US store Target) would pop up an alert "true".
I assume someone was detecting if you were using a VPN and testing and it somehow made it into production. I emailed them and never heard back.
Granted ... I get why a retailer with financial activity going on might want to know if a VPN was used to possibly apply extra scrutiny to the purchase.
Target now also has a world class incident response and forensics team set up after their big breach and being nearly every security vendor's topic du jour for years. It's entirely reasonable they do this to add to malicious detection signal, or fraud.
"Exit node" users and VPN customers don't need to be in the same set, though: It's entirely possible that the VPN operator buys residential IP forwarding volume and includes access to it as part of their product offering.
That doesn't make things much better for unwitting users sharing their internet connectivity with insufficient or no education, though...
That is an exceptionally broad statement. I think it's probable that Netflix doesn't work with large-scale VPN providers because it's broadly easy to identify the traffic source. However, using a WireGuard tunnel from my iPad back to my house, Netflix works fine.
There are many ways Netflix could detect VPN use, especially on mobile devices.
It’s not obvious at all. Netflix could be doing something as simple as checking the IPs or could be actually checking the use of VPN at a system level. Both are equally valid readings of the GP comment.
I was suspended by Disney+ for accidentally turning on my VPN to a location they didn't like...I instantly cancelled my subscription. I couldn't believe the suspension message, banned a paying user... Never again.
You don't have to, I can use my Android TV to stream torrents in a Netflix-like GUI using public torrents. My father uses it and he's not very "techy".
It even syncs progress across devices, works on all my devices (doesn't work in the Apple ecosystem).
What about a VPN that tunnels relevant traffic (i.e. usually the one to their backend API and/or DRM key/licensing server, not to their CDN) through residential connections in the same geography as the VPN relay?
I had whole home VPN configured and I couldn't access NFLX streaming content from the house. Getting Netflix traffic to bypass the VPN is incredibly difficult without hacking the client side code to have it update the bypass rules on-demand in response to the client side JSON payloads - or hook into DNS resolution and do VPN bypassing there based on a regular expression of the origin and the returned records.
The way NFLX works under the hood, from the client's perspective, is that it makes an initial request to a service hosted in AWS. That service stitches together the list-of-lists on the home page. Then you select a film to watch, it again reaches out to a service hosted in AWS to ask to stream the content. This is really straightforward to get working with whole home VPN, you just bypass the VPN for those origins (using DNS queries to get the IP blocks) and you are golden. A little cron job could keep that IP bypass list fresh and it worked well enough to get through the UI.
But then the AWS service responds with a list of streams you are licensed to watch and URLs that point to their location. Those URLs point to Netflix's OpenConnect CDN hosts. Nearly every time I went to stream, I'd pull a different origin for the content and that would route back through the VPN. The list wasn't stable, so I couldn't compile a comprehensive list of origins to route around the VPN with.
So NFLX blocks VPNs to protect their licenses, which I understand. But their architecture made it impossible for me to allow their service to bypass my VPN. So any device I wanted/needed to use NFLX on had to have a direct connection to the internet.
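The procedure the comment above describes (resolve the API origins, install bypass routes for the addresses that come back, keep the list fresh from a cron job) as an added example; this is not the commenter's script and it does not use any real Netflix hostnames. The Python below keeps a small state table of address to last-seen run, emits the `ip route` commands needed to converge on the freshly resolved set, and expires addresses that stop appearing after a few runs. Resolver output is passed in as a dict so the example runs offline; the `*.example.invalid` hostnames, the `192.0.2.0/24` addresses (RFC 5737 documentation range) and the gateway `198.51.100.1` are all constructed placeholders.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed resolver snapshots for consecutive refresh runs. Hostnames and
# addresses are placeholders, not real streaming-service data.
RUN_A = {
    "api.example.invalid": ["192.0.2.10", "192.0.2.11"],
    "cdn-1.example.invalid": ["192.0.2.50"],
}
RUN_B = {
    "api.example.invalid": ["192.0.2.10"],
    "cdn-2.example.invalid": ["192.0.2.51"],   # the CDN host changed between runs
}

GATEWAY = "198.51.100.1"   # assumed LAN gateway that reaches the internet outside the tunnel


def refresh_bypass(state: Dict[str, int], resolved: Dict[str, Iterable[str]],
                   run: int, gateway: str, keep_runs: int = 3) -> Tuple[List[str], Dict[str, int]]:
    """One cron tick of the bypass-list refresh.

    state    : address -> run number in which it was last resolved
    resolved : hostname -> addresses the resolver returned this tick
    Returns the `ip route` commands to execute and the updated state. Addresses not
    seen for `keep_runs` ticks are removed so the routing table cannot grow forever.
    """
    new_state = dict(state)
    commands: List[str] = []
    for host, addrs in resolved.items():
        for raw in addrs:
            ip = ipaddress.ip_address(raw)          # rejects garbage resolver output early
            if ip.version != 4:
                continue                            # v6 would need `ip -6 route`; left out here
            key = str(ip)
            if key not in new_state:
                commands.append(f"ip route add {key}/32 via {gateway}  # {host}")
            new_state[key] = run
    for key, last_seen in list(new_state.items()):
        if run - last_seen >= keep_runs:
            commands.append(f"ip route del {key}/32 via {gateway}")
            del new_state[key]
    return commands, new_state


def simulate(runs: Iterable[Dict[str, Iterable[str]]], gateway: str = GATEWAY) -> List[List[str]]:
    """Apply successive resolver snapshots and collect the commands each tick would emit."""
    state: Dict[str, int] = {}
    history: List[List[str]] = []
    for tick, resolved in enumerate(runs):
        commands, state = refresh_bypass(state, resolved, tick, gateway)
        history.append(commands)
    return history


if __name__ == "__main__":
    for tick, cmds in enumerate(simulate([RUN_A, RUN_B, RUN_B, RUN_B])):
        print(f"run {tick}:")
        for c in cmds:
            print("  " + c)
```

Run the simulation and the failure mode the comment hits becomes visible: the API addresses settle after the first tick, but every playback hands the client a CDN hostname the resolver only learns about on the next cron run, so the route is installed after the stream has already gone through the tunnel and the state table just churns. Split-tunneling by destination only works for origins whose addresses are stable between refreshes.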
If Netflix can see that your traffic is coming out of an AWS datacenter, then yeah they'll block it.
If Nord VPN is really bouncing your traffic out of some other residential customer's connection, that would be a lot harder to detect. And a lot more ethically questionable if the other user doesn't realize they're doing it.
But if the VPN provider really was routing other customers' traffic through your internet… you'd know it. You'd see requests and traffic that you didn't make going across your router. Since you'd be the endpoint for the other dude's VPN you could probably even see what IPs they are connecting to and get an idea about the nature of their requests.
I dunno if SSL encrypts the entire HTTP payload or not but could you even figure out the URLs being requested using a tool like Wireshark?
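On the question in the last line: TLS encrypts the whole HTTP request, so the path and query string are not visible on the wire, but the hostname usually is, because the ClientHello carries it in the Server Name Indication extension (Encrypted Client Hello hides it where both sides support it). The following is an added example, not from the original thread: a small Python parser that pulls the SNI hostname out of a raw TLS ClientHello, the same field Wireshark labels "Server Name", and a helper that summarises a list of packets by destination and hostname, which is the view a router operator gets of traffic they did not originate. The ClientHello bytes are produced locally by the constructed `build_client_hello` helper so the script runs offline; the IP addresses and `*.example.invalid` hostnames in the sample packets are placeholders.

```python
import struct
from typing import Dict, Iterable, Optional, Tuple

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal ClientHello record carrying an SNI extension (a constructed
    sample, not a real capture: the random is zeroed and one cipher suite is listed)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    other_ext = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"         # supported_versions, must be skipped
    extensions = other_ext + sni_ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"                            # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                         # one cipher suite
            + b"\x01\x00"                                                # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello record, or None if the bytes are
    not a ClientHello, are truncated, or carry no server_name extension."""
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip client_version and random
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # session_id
    if len(body) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if len(body) < pos + 1:
        return None
    pos += 1 + body[pos]                             # compression_methods
    if len(body) < pos + 2:
        return None                                  # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:                            # walk type/length/data extension triples
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            return _host_name(data)
    return None


def _host_name(ext: bytes) -> Optional[str]:
    """Walk the server_name_list and return the first host_name entry."""
    if len(ext) < 2:
        return None
    end = min(2 + struct.unpack("!H", ext[:2])[0], len(ext))
    pos = 2
    while pos + 3 <= end:
        name_type = ext[pos]
        name_len = struct.unpack("!H", ext[pos + 1:pos + 3])[0]
        pos += 3
        name = ext[pos:pos + name_len]
        pos += name_len
        if name_type == 0 and len(name) == name_len:
            try:
                return name.decode("ascii")
            except UnicodeDecodeError:
                return None
    return None


def summarize_flows(packets: Iterable[Tuple[str, str, int, bytes]]) -> Dict[Tuple[str, str, int], str]:
    """Map (src, dst, dport) -> SNI hostname for every packet that carries a ClientHello."""
    seen: Dict[Tuple[str, str, int], str] = {}
    for src, dst, dport, payload in packets:
        host = extract_sni(payload)
        if host is not None:
            seen[(src, dst, dport)] = host
    return seen


# Constructed packets: two TLS handshakes and one cleartext HTTP request (no SNI).
SAMPLE_PACKETS = [
    ("192.0.2.10", "198.51.100.7", 443, build_client_hello("video.example.invalid")),
    ("192.0.2.10", "198.51.100.9", 443, build_client_hello("api.example.invalid")),
    ("192.0.2.10", "203.0.113.5", 80, b"GET /watch?id=123 HTTP/1.1\r\nHost: plain.example.invalid\r\n\r\n"),
]

if __name__ == "__main__":
    for flow, host in summarize_flows(SAMPLE_PACKETS).items():
        print(flow, "->", host)
```

The third sample packet is the contrast: plain HTTP exposes the full request line and path to anyone on the route, whereas for the TLS flows the parser can recover only the hostname and destination. That hostname-plus-IP view is enough for a user to notice connections they never made, which is the detection the comment above is asking about.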
If such a feature exists (and I have no idea if it does) I assume they would only route traffic to known streaming services through it. Otherwise you're making random customers into exit nodes for potentially criminal traffic, which could go very badly.
Netflix works just fine through VPN - it just limits the offerings. If I disable VPN I additionally get local-to-the-country offerings, on top of the "through VPN" ones.
Netflix definitely works with NordVPN. My partner and I regularly use it to enable us to stream content which isn’t available in the UK but is elsewhere in the world.
Specifically to watch The Walking Dead if I am honest.
Netflix can be a bit sneaky - there's some content that it won't even show you if you're on VPN, even if the source and destination regions can see it; I use a VPN regularly for other streamers, but for Netflix I sometimes end up having to turn off my VPN to even find particular shows.
It fully depends on whether the IP address associated with your VPN tunnel has tripped their automated detection systems or managed to land on a public blacklist like Project Honeypot. But they do actively track and block VPN traffic.
Used NordVPN for 3 or so years and I have been sharing my Nord and Netflix account with several different people on and off over the years, none of us have ever had an issue streaming Netflix. Amazon Prime and some other streaming services, yes, but oddly not Netflix. However my current gf often will get interrupted in the middle of streaming while using ExpressVPN so she just switches over to Nord and issue solved.
I mean, it works just fine; you can watch all Netflix-owned content on NordVPN. You just can't watch any of the stuff they license for local distribution.
Maybe you're confusing NordVPN with Hola, which was used by Luminati which became or sold to Bright Data. Perhaps Oxylabs is sourcing from somewhere similar, but what evidence do you have that it's NordVPN?
I used to buy residential IPs from a competitor of Oxylabs in a previous life. Nothing illegal, just scraping data from websites using Cloudflare. (Cloudflare has some anti-scraping protection, even if you do 1 request per 15 seconds)
I asked this question, the answer from this other company was "we would close your account". But they were unable to explain clearly to me how and if they monitored this.
In the end, I think this is your responsibility, you basically voluntarily installed some malware.
It might be against your provider's terms of service, but it's hardly illegal.
If someone else is doing illegal things on your IP address then you could blame the (users of the) service to avoid liability. Still you could find yourself targeted by a lawsuit. I wonder if Oxylabs' terms protect you in this case.
Ex-employee of Golden Frog GmbH here (makers of VyprVPN). Neither Golden Frog nor VyprVPN ever sold any of its customer information in my time there. Based on my conversations with current employees, they still do not.
Not all VPN providers sell data (DNS or otherwise). Some operate for privacy-driven reasons and actively seek to be good stewards for their customers.
Mullvad does not log anything and it makes sense. You can literally pay with an envelope of cash and you will receive a single Account ID to activate your VPN. You don't even provide any personal details.
Mullvad is the best privacy-focused VPN, hands down.
> Mullvad does not log anything and it makes sense.
That might well be true, but anonymous payments are no proof, or even supporting evidence, for your claim.
It could still be very lucrative to resell data in the form of "users who access foo.com often also access bar.com" – and you can probably see why that could easily be deanonymizing.
If a provider can sell a VPN for $1/month as a loss leader and make $5/user after selling all data, what keeps a $10/month VPN from making >$15 doing the exact same thing?
My point was that they charge more for the subscription to avoid putting themselves in a situation where they feel pressure to sell user data to make up for a bad quarter of sales.
I was under the impression that VPN services were very profitable on their own, without selling data. Is this really a price thing, or is it a shady greed thing?
It’s hard to have another business model when you know nothing about the user. Please read up on how Mullvad works and then come back with a coherent argument on how they could be making money off user data.
Lots of video streaming services seem to be in the $10/mo range, and they have to deal with licensing all the shows and storing them. $3/mo seems pretty reasonable off the cuff for a VPN service.
Mullvad is the only VPN I trust (almost) completely.
Private Internet Access and ProtonVPN both have tenuous relations to shady stuff. Private Internet Access got purchased by the same company that made Cyberghost (malware), but so far nothing bad has come of it. AFAIK they're also the only VPN that has been truly court-tested.
ProtonVPN has some really weird circumstantial stuff related to TesoNet.
Any other VPN I wouldn't trust by default. Shady business sector.
I owned a small VPN provider. We never did or considered doing that. So your statement is definitely false. But I also doubt that it's even approximately correct. Even assuming the worst of most VPN providers, I'd be very, very surprised if that could be a viable business model. Your DNS data isn't even remotely valuable enough to justify user acquisition and bandwidth/servers cost.
OpenDNS built a business around this model: use our DNS servers and we sell the DNS hits to third parties looking to track traffic. I worked at a company that bought this data and resold it. Maybe the little VPN providers don't do this, but the big ones certainly do.
Shouldn't that just be ALL PROVIDERS in general? There's probably a few choice ISPs that maintain their dignity, but I wouldn't put it past Comcast, Verizon, and all the mobile providers out there.
Nord is approaching Kape Technologies, owner of ExpressVPN, Cyberghost and PIA with a potential takeover bid. If the deal goes through, no actions from competition would matter as there wouldn't be any. This new unit would be way bigger than the rest of the industry together. Even now, I doubt that NordVPN is pressured by Mullvad or Proton.
What value is a bunch of a user's DNS traffic? All you'd have is what domains they visited… not what products they view or anything like that. I imagine most of that data is "target.com" or "Reddit.com" and such. It can't be all that valuable for ad targeting…
This reminds me of the 'original' 2019 video by Tom Scott called "This Video Is Sponsored By [redacted] VPN" where he explains most of the reasons listed to use a VPN by ads are useless:
And then a few years later with "My robot double sells out (so I don't have to)" he did a follow-up listing useful reasons (geo-based content, better prices on vacation sites, etc) which was sponsored by NordVPN:
That's not selling out. If he keeps the old video up and doesn't make the claim that NordVPN does things it doesn't actually do, then he's just advertising.
There are legitimate uses for VPNs, they're just not the reasons these VPNs advertise (as the parent comment says).
That original video, however, was extremely one-sided and was by and large shared around by people who believed there was absolutely no reason to use a VPN. In the second video, he of course has to address this, and just backhandedly blames a segment of his viewers for this; but, of course, he had never bothered to provide any clarification or correction in the years since he had posted the prior video, instead deciding to enjoy the benefits of his video becoming a tool to back up misinformation right up until he had an actual incentive to move to the other side. This is the hallmark of a dishonest individual who cares much more about their bottom line than the content they post.
As far as I know, while they might be using a botnet to geo-unblock streaming sites (which is what many VPNs do, and at least somewhat shady/ethically dubious if it happens without explicit user consent of the users whose devices/networks are being used), there isn't any evidence for NordVPN users being used as a botnet.
Out of curiosity I scrubbed through his 20 latest videos and three of them had NordVPN segments. To be fair on him though, he "only" promotes it as a way to get around geo restrictions when travelling the world. Accessing UK websites for example. If I remember his original video, it was more a complaint about people promoting VPN as "more secure" against hackers and such.
I wouldn't say "a lot", but he did some. He never said he would never do VPN ads, he said he would not do it using the false advertisement talking points. For example, when speaking of geo-block bypassing, he always mentions this probably goes against the terms of service of most streaming services.
Yes he does now, though if I remember correctly he makes absolutely zero claims about privacy or security enhancements and focuses on the region-shifting capabilities (especially as a Brit who frequently travels abroad)
Hey, Vykintas from NordVPN here. Hacker News looks to be a tough crowd, so I wanted to add a few things. Today as you correctly spotted we released a Linux app as well as Libtelio and Libdrop open source - a step towards more transparency. Can see quite a few conspiracy theories there, happy to address them. While no service out there is perfect, we are aiming to create the best VPN service. Nord isn't keeping any logs, is continuously audited and since today looking to build in the open. Nord has never been a part of any kind of botnet.
Besides open sourcing - today we launched Meshnet free so you don't need a subscription to use it to connect your own devices, spin up your own VPN server etc. Hope it will be useful.
If you have doubts about Nord - I will try to answer your questions.
I canceled my sub months ago after getting completely fed up with the Linux CLI client spamming ad-like output trying to push some new feature after running any sort of command. Definitely coulda come up with a bash alias to scrub it out, but despite really liking Nord’s features otherwise, I didn’t want to play whack-a-mole with a closed source client or suffer the slowness/pain of going the OpenVPN route.
This is EXACTLY the right signal to bring myself (and presumably many other people in the same boat) back as happy customers. Sorry you’re dealing with unhinged conspiracy theories in this thread… but I think in the long run, this open sourcing will go a long way towards shoring up your customer base and keeping power users happy. Great work and TYVM!
Well, the client code certainly isn't great. Reading through it at random, I see a lot of undocumented code, functions with 20 positional arguments (who wants to bet some call sites silently swap two of them?), a file called constants.go where random strings are defined far away from where they're used, etc.
There are also random, mostly undocumented, interfaces lying around /everywhere/, in all kinds of places not connected with either the call site or the implementation. My favorite is a custom bools library called "strings".
I haven't found any obvious bugs, but the coding standards are poor. Good on them for open sourcing it, but man, did nobody stop and think "hang on, is this code gonna make us look bad?"
This is not a snarky response, but is it possible the answer is simply "who cares?"
I see NordVPN ads all over YouTube, podcasts, and TV. Those overwhelmingly non-technical customers certainly don't care about the code quality, documentation, or constants defined far from where they're used.
It seems to me this is about marketing the product to be perceived as transparent and secure, which is certainly what those customers care about.
NordVPN is a professional business making wild claims about the security properties of their product. We are not talking about bashing an amateur gamedev for their coding standards - we're talking about something that supposedly protects your privacy online. I think it's OK to expect a high standard of code review.
That's how you ship Rust with resource constraints. You get on with your work and pay down debts as you go.
The fear of what other people will think about your code can become seriously debilitating, fucking up project timelines and priorities. Good on the author(s) for sharing. Perfect is the enemy of good enough.
I thought people have moved on from using slog for structured logging and instead rely on the same as exposed by the tracing library. In the end, slog was good enough for the task at hand and that's what matters most.
> a file called constants.go where random strings are defined far away from where they're used
Wouldn't that be the purpose of such a file? One central location to adjust what some magic number is - then reference it (via eg lsp autocompletion) where used?
I know that some programmers hate getting their code reviewed. All I can say is that code reviews are, in my experience, strongly correlated with code that's cheaper to maintain and operationally less surprising.
Seeing this code certainly makes me think that the team writing it either doesn't have a culture of taking code reviews seriously, or that they don't have a lot of people who know the best practices in this language (Go). Either way, if they're not catching the easy stuff, I don't trust them to catch the subtle stuff either.
NordVPN are far too aggressive about YouTube marketing to not be sketchy imo. Open source client doesn't really help because whatever sketchy shit they're up to is probably mostly on the server side anyway.
I wonder what their total YouTube sponsor spot expenditure has been. It must be a ridiculous amount of money.
LTT had a segment about VPN on their WAN show. They ran the numbers and figured out that you can basically print money by running a VPN service without doing anything sketchy. They even had the software up and running. However they decided to pull the plug for ethical reasons because they would basically have to protect their customers doing criminal things. Piracy they reckoned was a gray area but there's a lot of worse things going on online. So it's fully possible that NordVPN just got big enough to have a massive advertising budget.
I don't think it's sketchy, it's just that the VPN business has extremely large revenues compared to costs of the service, which means A LOT of money remains for marketing. They can spend exorbitant amounts on YouTube ads and affiliate review sites.
It's a bit of a unique market in this way, people are willing to pay $5-$10 per month for something that costs $1.
Every VPN worth its salt is located in a similar country, as it's critical for a VPN to operate out of a jurisdiction that does not require log retention for a certain period of time nor cooperates with Five Eyes law enforcement.
They have a ridiculously high ad spend, ridiculously high prices, located in a tax haven, their advertising routinely makes false, exaggerated claims, they've been exposed as having logs even though they claim otherwise, and may or may not be running a botnet. Everything about this company screams money laundering scheme to me.
EDIT: I've realised my claims about logging were overblown. But I'm not so insecure as to edit it out so here's a disclaimer :)
I don't trust audits. Too many ways to trick auditors, or auditors could be corrupt. And it only proves what was the case during the audit, assuming the auditors didn't miss anything, not before or after.
I'll admit I misread another comment on this post as them definitely being exposed for logging though, my mistake. I've been unable to corroborate it. I did find that the company openly admits it cooperates with law enforcement and does log on behalf of law enforcement.
Additionally there are so many other red flags I'm not inclined to believe anything they say.
While I can agree that something about the business seems sketchy as hell, I don't see how it would be money laundering.
Do you think they're buying a bunch of YouTube sponsorships with drug money to then attract customers to an unprofitable business? Or they're buying their product themselves and then advertising to make it seem like they have a legitimate business?
For laundering, the more legitimate cash flow the better. The less actual work, also the better.
Throw money at YouTubers, they make the ads for you.
Indiscriminately approve the sponsor spots (check out IncognitoMode's sponsor spots. He practically designs his spots to be unapprovable. NordVPN will always work with him anyway. They don't seem to care).
You get lots of customers, charge them enough that a large profit margin is to be expected. Botnet users to save even more cost on getting hosts. Log user data and sell it on dark markets. That's the money you can then launder with your large clean cashflow.
At least that's the sort of set up I had in mind.
The datamining and botnetting is possibly optional. Dirty money could also be from any other criminal activity, maybe crypto scams or some other e-crime. Or just drugs/sex trafficking. Or here's a wildly speculative one: use your vpn service to aggregate CSAM and sell that on the dark web, then launder the money via your seemingly legit vpn service. Bonus: keep logs for blackmail purposes in case your Dark Web enterprise craters. Blackmail futures!
I feel like I could sit here all day listing viable ways of building a nasty, disturbingly profitable criminal enterprise under the guise of a VPN service.
(I swear I'm not a criminal I just know how to think like one).
You've described many malicious things they could do, but none of it is really money laundering. And if your goal was money laundering, I'd assume you'd want to make that business look as clean as possible, not a VPN we can all agree appears shady as hell.
What you're referring to is the YouTubers' own lack of understanding of what a VPN can and can't do. NordVPN provide some talking points but I myself have seen some YouTubers stumble through and add in some wild claims that just aren't true. That's still on Nord for not vetting and correcting them and this is also what you get when you try to shill something to your community that you have no expertise on.
The fact that NordVPN needs its own library should already be seen as a red flag. If you need a VPN at all (which you usually don't) then you should use something that works with widely used and tested protocols. That was historically IPsec or OpenVPN (both not ideal), these days WireGuard is probably a better choice.
That's all apart from the fact that most reasons advertised by companies like NordVPN why you need a VPN are bogus or outdated, and that the trustworthiness of a VPN only relies in small parts on the client they use.
(Update: skimming through the code it seems they somehow use OpenVPN. Not entirely sure if this invalidates my point, but then the question is: Why do they need their own client at all?)
They need their own client for the litany of value-adds they offer. If you just want an OpenVPN config from them they'll give you one. Would you give MS this same hassle if I told you they rolled their own VPN libraries?
Having your own client gives the user a good UX. You can't provide a seamless login, server switching experience, and whatever else they offer with a widely used open source client (without forking at least).
But you don't have to use their client. Most VPN providers (looks like Nord included) allow you to connect with any client that's compatible with one of their protocols. I use a different VPN provider with the official WireGuard client, even though they have their own company-made client.
I am not related to them, I'm just a user of it. But Mullvad.net is the only decent VPN. (They're the one Mozilla chose to provide their VPN infrastructure)
Rather, auditing is only proof that the parts the auditors looked at were secure against what the auditors knew to look for, at the moment of the audit.
Auditing might not even cover the entire codebase.
For example, this is the writeup of the DeFi Euler hack yesterday by one of the site's listed auditors, who didn't actually audit the code that caused the bug...
Same company (no matter how hard they try to hide it), so unless it has better pricing or features, if you don't trust Nord, there's no reason you should trust Proton.
Though I do trust both, as Tesonet is based from here (Lithuania) and from my experiences with people who worked there, they have full trust in them and continue to use their services years after leaving the company.
> Same company (no matter how hard they try to hide it)
Do you mean that NordVPN and ProtonVPN are the same 'spiritually' in that they're both companies selling a VPN for profit?
Or is there genuinely some business connection between them that I've missed?
In the sense that there's a huge overlap of people who created Nord that are now working on Proton. Might be under the same employer indirectly (Tesonet or whatever they're called now). Whether officially they're under a different company/jurisdiction, that's a different thing.
From Tesonet[1]:
>We also provided ProtonVPN with operational and HR support when they decided to open an office in Vilnius.
>Contrary to all the myths and rumors, operations by different services have never been related to each other. The only common resources are the centralized HR and legal teams. We have strictly relied on this philosophy from the beginning in order to avoid any possible conflict of interest.
Especially not after Kape Technology bought up review sites and VPNs and updated reviews to shill the ones they own.
Kape Technologies was formerly known as Crossrider before it was acquired by Teddy Sagi, an Israeli billionaire who has spent time in jail for insider trading. Crossrider itself never had that great a reputation, what with their primary product being a development platform through which they were frequently used by third parties to invade ad platforms to serve up malware. They are now the owners of ExpressVPN, PIA, CyberGhost, and Zenmate.
Mullvad is a great example of how all VPN companies who promote privacy should behave, if only for the signup process itself. Zero personal information required.
Take a look at Mullvad for a VPN done right. Completely anonymous usernames, randomly generated, accepts cryptocurrency or cards purchased anonymously at a physical store with cash.
One concerning issue is the Swedish jurisdiction. The nordic countries are better at privacy, but Sweden is a 14-eyes nation. But I can't say it's better or worse than NordVPN's... Panama.
As long as people still realise that regardless of whether they pay with cash in an envelope or directions to the end of a rainbow, if they connect with their own IP to mullvad’s servers and there’s some compromise of these promises (court order, etc), it’s trivial to be owned.
Or if you wanna pay by cash, just send it to them in an envelope. No need to buy a card first and then use that, when you can pay by the alternative that gives you the most privacy.
Thanks for providing additional information to readers. However, this is not entirely correct. Let me clarify:
- Community nodes are used to diversify server ownership and strengthen the privacy of connections.
- Community nodes may technically act as entry, middle and/or exit nodes.
- Community nodes will never be used for unencrypted connections, only for encrypted connections. We are thinking about a concept of trusted partners, which will also be allowed to handle unencrypted connections - but this is currently not the case.
- We publish advisories [0], which are automatically applied by all clients. This gives us the ability to quickly react to changing situations. Currently, community nodes _are_ being selected as exit nodes, but not as entry nodes.
I hope this cleared things up. I am happy to go into more detail.
Mozilla/Mullvad seem to be liked well enough. It's what I use, but I am doing it for geolocation issues and occasional scraping, so I am less concerned about logging/security.
A tonne of people here recommending Mullvad, which is great - they're great - but they don't offer the main selling point of most VPNs, so I feel this question needs qualification:
What are you looking for a VPN for? As much as the ads misrepresent the security & privacy aspects of NordVPN, &c., the vast majority of people use VPNs to watch region-restricted media. Mullvad does not support this.
So ... who's the best provider for watching region-restricted media?
NordVPN honestly seems like a very competitive option here
Perfect Privacy. VPN chaining, setting so your IP address always changes to be the one closest to the server, no logs (audited), stored in ramdisk, unlimited connections and bandwidth because they don't even know who's connecting.
Cons: it can be slow and have issues with disconnects sometimes.
I didn't know that, but it almost makes me trust their service more. While I don't share their views, I do think technologically capable extremists are probably who I'd most want behind a service that I use as a layer for anonymity and privacy from everyone including government agencies.
> The UK's Advertising Standards Agency has banned a NordVPN commercial for misleading viewers about the privacy risks of using a public Wi-Fi network without also having a VPN.
In essence: HTTPS already does what NordVPN claims you need a VPN to do. More, in fact, because HTTPS validates that the domain you're communicating with is the domain that shows up in your browser's address bar, which a VPN can't do on its own.
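The comment above leans on the fact that HTTPS binds the connection to the name in the address bar. As an added example (not code from the thread or from any VPN vendor), here is the core of that check written out: matching a hostname against a certificate's subjectAltName entries under simplified RFC 6125 rules. The certificate names are a constructed sample, and `hostname_matches_certificate` and `_dns_name_matches` are names chosen here, not a library API.

```python
import ipaddress


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname.

    Simplified RFC 6125 rules as enforced by browsers and TLS libraries:
    case-insensitive comparison; a wildcard is allowed only as the entire
    left-most label, matches exactly one label, and must leave at least two
    fixed labels ('*.example.com' matches 'www.example.com' but not
    'a.b.example.com', 'example.com', and '*.com' is rejected outright).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial-label or non-leftmost wildcards are not accepted
    if len(h_labels) != len(p_labels):
        return False  # the wildcard covers one label only
    return p_labels[1:] == h_labels[1:]


def hostname_matches_certificate(san_names, hostname: str) -> bool:
    """Return True if hostname is covered by the certificate's SAN entries.

    san_names is a list of (type, value) pairs in the shape ssl.getpeercert()
    returns: ('DNS', 'www.example.com') or ('IP Address', '203.0.113.10').
    IP literals are only ever matched against iPAddress entries, never dNSName.
    """
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san_names:
        if kind == "DNS" and ip is None and _dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry: skip rather than match
    return False


# Constructed sample SAN list (not taken from a real certificate).
SAMPLE_SAN = [("DNS", "example.com"), ("DNS", "*.example.com"), ("IP Address", "203.0.113.10")]

if __name__ == "__main__":
    for host in ["example.com", "WWW.example.com", "a.b.example.com", "evil.example.net", "203.0.113.10"]:
        print(f"{host:18} -> {hostname_matches_certificate(SAMPLE_SAN, host)}")
```

The point for the thread: a VPN tunnel moves the bytes but never performs this check, so it cannot tell you that the server answering as `example.com` really holds a certificate for that name; the TLS client does that regardless of whether a VPN is in the path.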
This is Tom Scott's 'original' 2019 video called "This Video Is Sponsored By [redacted] VPN" where he explains that most of the reasons listed by ads to use a VPN are useless.
However a few years later with "My robot double sells out (so I don't have to)" he did a follow-up listing useful reasons (geo-based content, better prices on vacation sites, etc) in which he was sponsored by NordVPN:
It's pretty silly when you see it being advertised on various high profile YouTube channels as some kind of magic protection that protects you from ID theft, password leaks, viruses etc.
Unless there’s reproducible builds I guess having the source code gives little comfort. Does the compiled application work with NordVPN services at least?
Their "articles" largely seem to be SEO/content farm pieces without any meaningful content.
For example, their article on SOCKS vs. HTTP proxies vs. VPNs is factually nonsensical (by e.g. describing HTTP proxies as "always unencrypted", or SOCKS as having higher performance due to "not rewriting packet headers"): https://nordvpn.com/blog/socks5-proxy/
Yea, same thing happens when you search for 'Console lock timeout' (how long does the login screen show on Windows 11 before it puts the monitor back to sleep, default = 1 minute, not configurable by default).
Somewhere there is a FULL article on how to do this on the website or partitionwizard...
WHY?
You see 20 websites with the same info re-hashed. And none of them mention the particular edge case that I'm running into.
I really wish Google would go back to preferring bullet points over prose.
Another example:
Search for 'squirrel bite rabies'. You only get pest control companies telling you how you can get rabies.
Except there have never been any reported cases in the USA.
I don't mind those two to be honest. They do seem to be by the creators themselves, not some third party that buys advertising time for a shady business. The content is good and the price is right. Perfectly legitimate way of diverting revenue from Google to the creators themselves and making a small step towards a video platform less run by algorithms and advertising.
(I am not a subscriber or an impacted creator, but I did try it out. Honestly you'll have seen all interesting content by the end of the week, but for that price... worth it to buy it every couple years when there is new content.)
NordVPN do logs and you will get caught if you do crimes using their services. It happened before during the Dutch KPN blackmail case and it will happen again. Everyone at BalCCon was warned about this a few years ago.
Every service does this. Either that or they're the next Pirate Bay: a service blocked under copyright law without violating copyright, they only linked to places that were happy to infringe copyright (specific torrent peers). Domains were expropriated, IP addresses blocked, ISPs coerced into replacing DNS entries... If I remember correctly, the founders also all have interesting stories about the legacy this carried for them personally when trying to do business later.
Until a VPN service gets that kind of status, you can assume they either follow local laws or haven't gotten a request for data logging for anything bad enough yet (realize that this doesn't have to be even close to murder-for-hire: being complicit in other people sharing movies between them reaches that "bad enough" bar).
I was misled by the title of this submission. The Linux NordVPN client is now open source (https://github.com/NordSecurity/nordvpn-linux), but the Android, iOS, macOS, and Windows NordVPN clients are still closed source.
I'd love to learn why they have a mix of Go and Rust. Did they initially use Go and then migrate? Do they use Go for some things and Rust for other things? Have labor market dynamics played a role (lots of Rust devs from crypto startups becoming available)?
It would be great to hear from their CTO on the rationale.
Hopefully this helps the app become more stable, on Windows it has become pretty unstable as of late. I've had background tasks fail, LAN problems, issues with it acting like it's trying to connect still when it's actually successfully connected to the VPN, and sometimes where it won't reconnect to the VPN at all without a reboot. Some of that could be problems from Windows Insider but some of the same happens on a Windows 10 box I have that is on the standard release channel.
I have never seen so much false narrative, misunderstanding, speculation and conspiracy rabbit holes in an HN post.
Wild to see so many people conjecturing about one of the most scrutinised and researched VPN providers in the world, whose source code is now available for all to see, and not a single person, here or on Reddit, has been able to flag any code of concern, and the result is just pure conspiracy with zero evidence.
So, should we, or should we not use a VPN?
If most sites nowadays are on HTTPS, is a VPN still needed for daily use?
I think the only reason now to use a VPN is to log in to a site as if from a different location, if the site blocks your region or censors some of its content.
Posted this on another thread about VPNs a few weeks ago. Reposting here since I think it applies.
I've recently been describing what a commercial VPN provides to non-technical friends and family as a type of "global virtual Internet cafe" subscription - the pros and cons of using a physical Internet cafe mostly apply. An Internet cafe isn't inherently (i.e. due to technical benefits of underlying technology) any more or less secure than connecting to your home or work wifi/network, and the Internet cafe knows who you are and what websites you're visiting, but your ISP/employer doesn't (since you're "at" the Internet cafe, not on your home/work network).
Of course, your ISP/employer does know that you're visiting the Internet cafe, and in the case of work (and some ISPs) can stop you from doing so.
If you visit a website from an Internet cafe, the website may still be able to figure out who you are, just like they can when you bounce between different networks normally. And of course, if you login to your account on a website or put your shipping address or something in when buying something, you're self identifying (unless you have throwaway accounts or forwarding addresses or whatever).
And finally, if someone really wants to figure out who you are to a high degree of confidence, they will.
I find this lands pretty well and is close enough to being technically correct without getting into the details that non-technical people would start glazing over if I got into.
Correct me if I'm wrong, but origin and destination are still visible to your ISP and any snoopers on your network. The content is encrypted, but not the origin and destination of the request. I use Mullvad because they seem to be a company with insanely good ethics and it's only $5/month. Mozilla VPN uses them under the hood I think.
Your ISP doesn't get the full URL: they can tell which website you're visiting, but not the specific content you're accessing. The amount of information that is leaked by this depends on which kind of site you're visiting. In the end, I occasionally use a VPN only if I'm connected to a public hotspot.
With a VPN your origin and destination are visible to your VPN provider. You're just moving the point where your metadata can be grabbed. I don't particularly trust my ISP, but I don't see a reason to trust any VPN provider any more.
I mean, I generally trust Mozilla + Mullvad a lot more than Spectrum. The only reason Spectrum wouldn't be selling or otherwise mishandling every bit of data about me they can is if they're too incompetent to realize they have the data. Mozilla has a good track record; they could always become compromised or make other mistakes, but Spectrum fucking sucks.
That's right, origin and destination are still visible. Even if you use encrypted DNS to hide hostname to IP lookups, your actual traffic has to be routed somehow by someone. Whether that's your ISP or a VPN provider + their ISP.
> If most sites nowadays are on HTTPS, is vpn still needed for daily use
Let's say every website is still on HTTP (not S). How does a VPN for daily use help you at all?
Your traffic traverses the Internet unencrypted anyway: either from your ISP to target server, or from the VPN's ISP to target server.
It shifts the responsibility from one party to another, but it doesn't reduce the unencrypted path. Instead of trusting your ISP, you now have to trust a shady operator that often promises not to comply with local laws when the police comes with a warrant. They often also don't have assets to seize, so little reason to be legit. And it's not like you can stop paying the ISP that you are so distrustful of. It only costs you more money.
>So, should we, or should we not use a VPN? If most sites nowadays are on HTTPS, is vpn still needed for daily use
It's good for hiding metadata like sites you access. In my country there's a recent law demanding ISP to record metadata and allowing many agencies to access it without warrant.
IP addresses? DNS queries? The latter, if you either use ISP-provided DNS servers or unencrypted DNS. You can identify the host from queries and IPs and then match it to the TLS connection.
Torrenting without a VPN gets you a nasty letter pretty quickly. Someone at my IP address downloaded a single episode of The Last of Us with the VPN turned off, and I got an email that same day. No idea who would do such a horrible thing, but I think I saw some hacker-looking guy parked on the street stealing my wifi.
I am taking a look at this. Now do Grammarly next, if we want to go by annoying Youtube ads. Someone should tell Grammarly that they are being excessive and too much advertising actually turns people off your product.
That's just your opinion. But now when anybody thinks of a website that can help them with writing documents, especially if English isn't their native language, there is exactly one website that comes to everyone's mind. In fact, I don't know of a single competitor to mind, that's pretty effective marketing if you ask me.
They're certainly not doing it out of the goodness of their heart. Or for the goodness of privacy online. Doesn't leave many good options, but you can be sure they're not losing money.
I have always wondered about these providers. Their margins must be amazing considering they can justify this amount of influencer marketing. Or is there also a big amount of VC money they are still burning through?
Usually the offers in addition have pretty good discounts from original price.
I wish I had a source, but I've heard guesses as high as 90% profit for most VPN subscriptions. Especially overloaded and bloated garbage VPNs. Most people don't know they're being throttled by the VPN if they only use it to watch Netflix.
I am 100% sure that some of these services are state sponsored. NordVPN in particular have been associated with "some" countries. You have to be a complete moron to buy a service like this for privacy. You buy it for getting away with simple crimes like piracy.