Aren't you just giving your info to a VPN provider instead? Like, if I wanted to gather data on potential threats as an CIA dude or whatever is probably set up and advertise VPNs cause someone using one is more likely to have something to hide so you have less to sort through. How is that better than your ISP having access to your web activity? Where I am ISPs require a warrant to disclose info. Just feels like a trick.
Fair enough. I was mostly just curious. I just try to not do anything online that I could be bothered about anyway.
Well don't use a US-based VPN if you're trying to sell state secrets to China or something lol. Use one from some 'enemy' nation so its less likely to be spied on by the US. But even that's sketchy if you're actually trying to obfuscate something, which is why Tor exists. I think Tor basically routes the data parts through multiple different VPN-like things in different countries (I think Tor was also created by the CIA).
And of course another weak link is the certificate system. If a certificate authority is compromised (aka the CIA asks to view certificate private keys or something) then I think they could pretty much man-in-the-middle anything they want using that certificate authority or its 'child' certificate authorities (maybe).
Basically, if you want "perfect" (i.e. as good as it gets, but still crackable with brute force) security, you'll need to use something like PGP with email or files and exchange public keys with the person on the other end in person (so the govt. can't pretend to be you or the other person using your/their 'public' key) or something lol, which would allow you to encrypt any type of data using the recipient's public key, and the recipient can decrypt it using their private key, and vice versa. Public-key cryptography is used in pretty much everything but I think you can get actual security only if you treat the public key itself as a secret. I'm still a newbie in terms of this stuff though.
Of course in reality it would probably be pretty difficult for the govt. to man-in-the-middle you every time you try to download some privacy software or cryptographic keys or something, but if you were specifically being targeted by the govt. they might be able sort of "wiretap" you via your wired internet or cell network and view/modify any traffic to/from your computer by using certificate private keys they've gotten hold of and other things to perform a man-in-the-middle attack and pretend to be the other endpoint in your communication, which is something that using "pre-shared keys" (ie lets create a secret code with each other and remember it) would make much more difficult/impossible.
What is this insane rant 🤣
I feel like vpns work best to obscure location/IP address info bc ideally there is no way to connect incoming encrypted data to the outgoing encrypted data. Also the feds required a warrant to get data from VPNs too and the VPN companies stake their reputations on keeping that info safe even if they have to fight in court while ISPs have no pretence of privacy. It's all about making it more difficult to connect your traffic to you because if the feds really want to find you they will.
Fwiw I have very little knowledge of networking or whatever but that's the understanding I've gotten over the years
Fair enough. What about the possibility of an agency just kinda running some VPN networks and collecting data that way? Would they really have to tell you?
I don't think its impossible and im sure they have set up smaller ones. At times there have been vpns advertising on deep web markets and carding forums specifically for crime which has to be an Op. But for the larger reputable vpn services those are multi million dollar companies with massive server farms and stuff which would be pretty tough to keep everything under wraps. It would be way easier to hack in and set up a backdoor or leak. Again online opsec serves the purpose of making you be more trouble than your worth for the feds so every extra layer helps.
Yes, it's problematic, yes, it's not a great solution, and for more dangerous stuff hacked or public access points combined with tor are the go-to. But you can still try to find some reliable VPNs for less critical stuff; I'll copy an answer I made in my thread in /c/tactics on this very question:
Your best bet is VPNs that actually were subpoenaed by law enforcement and demonstrably couldn't give them the stuff they asked, because it tends to show (not 100% but close) that they really don't keep logs. That has happened with PIA and ExpressVPN (I use the later; the first one is a bit more shrouded in secrecy, though it did get subpoenaed several times without results too), and a few others. I've also heard good things about this list though I can't vouch for it personally.
