With ever more Supreme Court fuckery going on I'd like to help comrades in my local org be better secured against potential breaches.
Ideally I'd like to recommend 1-3 options that meet these needs:
- Easy to use
- Can be used on phones as well as mobile devices
- Doesn't retain any network traffic data
Any ideas on what options we have?
If you're in the US, ISPs can legally sell your data since 2017, so another purpose of VPNs is to obfuscate what sites you are visiting from your ISP.
under most cases, they only have this data via DNS. it's encrypted once the actual https request is made - only the destination ip address is available at that point. so encrypting DNS and securing that is probably more important than the protection a VPN provides. if you use a VPN without some form of DNS encryption, you're trading one ISP you don't trust for a second you shouldn't trust but inappropriately are. DNS anonymization is an extra step you can and should take to ensure you're not trusting your DNS provider, either - it works by tunneling encrypted DNS requests through shared, public relays.
what you actually need a VPN for is to mask your ip address to the website you're visiting and to mask the ip address you're visiting from your ISP. these are important considerations but it's useless if you don't first protect DNS, ensure you can't be tracked via cookies/be fingerprinted, and ensure you're only connecting to websites over https.
VPNs are an important and useful tool but they're not the first or best tool for digital hygiene. you have to tackle each layer, one at a time. start at the top and work down the hierarchy.
HTTPS includes the domain of the site you're visiting in plaintext, and your ISP will get that information about every request you make unless you're using a VPN/a proxy/Tor, DNS aside.