Maybe I’m completely wrong about everything I’m going to say and in that case we can laugh about this theory I guess but here it goes…

Most people are only worried about if the VPN provider is keeping logs or not. But even if they don’t keep logs you could still be tracked by anyone who can see incoming and outgoing connections to the VPN server.

This would be easier to explain if I drew some images but I hope you understand anyway with just text. What it looks like for these adversaries is:

  1. They know your IP and who you are.
  2. They see you connect to a VPN server.
  3. They see the VPN server connecting to many different servers and they don’t know which one is you.

But when it comes to number 3, they could actually figure out which one is you.

Obviously, if you are the only person connected to the VPN server they will see that there is no one else besides you using it and then any outgoing connection from the VPN server must be you.

Suppose there are just a few users. Maybe three users are connected to the VPN server but not doing anything, just idle. Another user is spending time reading Reddit. Then you connect to the VPN server and within a minute a new outgoing connection from the VPN server starts and goes to Lemmy. Pretty good guess that is you from their perspective. And to make the guess even better, when the connection to Lemmy ends, you decide to immediately end your connection to the VPN server. I’m confident this would be enough evidence in a court and then it’s definitely enough for data harvesting and mass surveillance.

All this analysis can be done automatically with AI. Even if there are hundreds of users on a VPN server, the AI will over a larger amount of time (not just hours but days/weeks/months) collect enough data to be able to profile users and make good guesses about which domains you are visiting, even if the VPN provider doesn’t have logs.

What is the solution to avoid this type of tracking? Tor baby, tor. Leeegggoooo Whonix!
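
An added example, not part of the original post: a toy model of the correlation described above, scored over constructed per-minute activity, which also shows how the traffic noise and long-lived tunnel ideas raised in the replies widen the set of clients an observer cannot tell apart. The client names, the minute values and the choice of Jaccard overlap as the score are all assumptions made for illustration.

```python
"""Toy model of VPN ingress/egress timing correlation (all data constructed)."""

def jaccard(a, b):
    """Overlap of two sets of active minutes; 0.0 when both are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0

def rank_clients(flow_minutes, tunnel_activity):
    """Score each client's observed tunnel activity against one outgoing flow."""
    scores = {c: jaccard(m, flow_minutes) for c, m in tunnel_activity.items()}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def candidate_set(flow_minutes, tunnel_activity, margin=0.05):
    """Clients the observer cannot separate: all within `margin` of the best score."""
    ranked = rank_clients(flow_minutes, tunnel_activity)
    best = ranked[0][1]
    return {c for c, s in ranked if best - s <= margin}

def with_padding(sessions):
    """Constant-rate cover traffic: a tunnel looks active every minute it is up."""
    return {c: set(range(start, end)) for c, (start, end) in sessions.items()}

HOUR = set(range(60))
LEMMY_FLOW = set(range(21, 31))  # outgoing flow seen leaving the VPN, minutes 21-30

# Scenario from the post: three idle users, one browsing for the whole hour, and
# "you" connecting at minute 20 and dropping the tunnel as soon as the flow ends.
OBSERVED = {
    "idle1": set(), "idle2": set(), "idle3": set(),
    "reddit_user": set(HOUR),
    "you": set(range(20, 31)),
}

# Mitigation: every tunnel is padded and you stay connected for the whole hour,
# so all five clients look identical from outside.
PADDED = with_padding({c: (0, 60) for c in OBSERVED})

if __name__ == "__main__":
    print(rank_clients(LEMMY_FLOW, OBSERVED)[:2])
    print(sorted(candidate_set(LEMMY_FLOW, OBSERVED)))
    print(sorted(candidate_set(LEMMY_FLOW, PADDED)))
```

In the unpadded scenario the candidate set collapses to a single client; with padding and an hour-long session all five clients tie, so the flow cannot be attributed by timing alone.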

  • hersh@literature.cafe
    2 months ago

    Some VPNs allow multi-hopping, similar to Tor. I couldn’t give you an exhaustive list but most popular ones support this. Mullvad and Proton do, for example. There are also strategies to add noise into VPN traffic.

    This is not a silver bullet, of course. Tor has similar problems as you describe if an adversary has visibility into enough nodes. As always, this comes down to your threat model.

    On the one hand, I find the advertising of VPNs outright dishonest. On the other hand, I would trust any reputable VPN provider much more than I trust my ISP or cell carrier.

        • kevincox@lemmy.ml
          2 months ago

          Most particularly they generally pretend that nothing on the web is encrypted whereas in practice HTTPS is nearly universal at this point.

      • hersh@literature.cafe
        2 months ago

        Sure. I’m referring to the ones that run big ad campaigns, like Nord and Mullvad. They tend to overstate how a VPN can protect you, sometimes in ways that barely make sense. There is no epidemic of criminals stealing personal credit card information over insecure wi-fi, for example. The ads play into ignorance and fear.

        That said, yeah, I’d rather be on a VPN when on a public wi-fi network. But I’m not really worried about someone sniffing my encrypted HTTPS traffic (which is pretty much everything nowadays; Firefox by default won’t even load unencrypted web sites).

          • hersh@literature.cafe
            1 month ago

            They have a big IRL ad campaign in major US cities. See https://mullvad.net/en/blog/advertising-that-targets-everyone

            These ads certainly aren’t the worst, but they’re still a bit misleading. Using a VPN is not going to prevent tracking in general. Your phone apps will still send GPS data to all the same places. Web sites will still use all the same cookies. Facebook is still gonna be Facebook. 🤷

            That said, Mullvad does include domain-based ad and tracker blocking with their DNS server (which is free and available to the public, btw), and that’s also optional on the VPN, so it does help to a point.

            (Pinging @countrypunk@slrpnk.net to avoid double-replying.)

    • masterofn001@lemmy.ca
      2 months ago

      IVPN is one service that not only supports the use of Tor, but they also invest in the Tor organization and run a lot of nodes.

      Their site is also a goldmine of basic to advanced level docs on serious privacy and security (free), including detailed instructions for creating your own anon servers, VPS, etc., and how to use a VPN with Tor properly.

      They are quite serious about what they do and how they do it.

  • tetris11@lemmy.ml
    2 months ago

    Also, if you have a limited RAM smartphone and your VPN is operating in userspace, then all it takes is for one really large image to grace your smartphone screen for your OS to go into out-of-memory kill mode. What’s it going to kill? The foreground app you’re trying to use, or the background VPN app.

    In my experience, the VPN goes down before the browser does. Mounting a swap on your phone is not the worst solution against this, but the UI starts to get really unresponsive.

    • BearOfaTime@lemm.ee
      2 months ago

      Yet another argument for root. Then you can exclude the VPN app from OOM. Or even move it into /system.

      I understand why this isn’t done (moving such apps to system), since mobile uses immutable OS concept. But we still need a way to manage such apps appropriately.

      • tetris11@lemmy.ml
        2 months ago

        If you are who I think you are, we’ve probably had this discussion before. Even with an always-on VPN, if the system runs out of memory it will kill the VPN first before the browser. In a perfect world the traffic would still be routed into a dead tunnel. From what I’ve seen, once the VPN is killed, the tunnel device is gone and the default route snaps back to wlan.

        • masterofn001@lemmy.ca
          2 months ago

          I am not. And I’ve never had this discussion.

          Always on vs the additional option of blocking internet until the VPN connects.

          The second option is more system level?

          Using shizuku (rish) in termux I checked the active links with VPN on and then force stopped / killed the VPN in terminal and checked again. The VPN tunnel disappeared but the dummy kill switch tunnels remained. I could not access any network connection.

          *The routing table also maintains the dummy kill switch

          • tetris11@lemmy.ml
            2 months ago

            (oh sorry, but) I’ve heard this argument before. All I can say is that in my experience, when the system is out of memory, it kills some process (e.g. the UI) which upon restarting resets the networking

            • masterofn001@lemmy.ca
              2 months ago

              You’ll be happy to know I just force killed:

              Android system
              Google services framework
              Network
              System UI
              System WiFi Resources
              Wi-Fi
              Settings
              System connectivity resources
              Secure UI service

              The results are the same

              VPN kill switch prevents network access.

  • Em Adespoton@lemmy.ca
    2 months ago

    The main defense against VPN timing attacks is to ensure your VPN exit node isn’t somewhere that the same person would have access to as your connecting IP.

    That said, if someone runs a website or service where you have a unique login or custom token and they have access to your ISP’s connection logs… a standard VPN will once again give you away. This is why TOR exists.

    I generally argue that an exit VPN doesn’t really provide much privacy; the only real services it provides are georelocation and protection against low effort bulk filtering (eg, identifying torrenters or bulk metadata collection).

    For everything else, either encryption and third party DNS is enough, or the exit VPN isn’t enough to stop targeted surveillance.

  • rumba@lemmy.zip
    1 month ago

    It takes a lot to coordinate a timing demask. Those VPN nodes are busy. You also need to be monitoring very close to the in/e-gress which means you’re going to need ISP or data center cooperation.

    Doing this to Tor is a little more approachable, because you can run tons of exit nodes in your own data center. If you throw enough money at the problem it’s possible to greatly raise chances to keep the entire conversation in your own data center.

    The thing is none of this is trivial. And it’s probably not a good candidate for automatic. So you’re really going to have to have pissed in somebody’s wheaties sufficiently to become a target.

    If you’re doing anything that’s prison term illegal, all bets are off that a VPN will sufficiently protect you by itself.

  • bad_news@lemmy.billiam.net
    2 months ago

    I feel like ISP-level timing attacks are a similar issue with tor, like we know the Germans can deanonymize you if they’re willing to expend the effort. Not saying tor isn’t better, all VPNs regardless of protocol can be forced to send in the clear if an upstream actor breaks the traffic correctly afaik as of now.

    • x00z@lemmy.world
      2 months ago

      I think you read the news about Germany unmasking somebody who was using an older version of a Tor app. This has been proven to be mostly a user error.

      The attacks occurred on an old version of the long-retired application Ricochet that lacked new features The Tor Project has released since to mitigate against the kind of ‘timing’ analysis described in the articles. The most current versions of Ricochet-Refresh have such protections in place.

      https://blog.torproject.org/tor-is-still-safe/

  • considine@lemmy.ml
    1 month ago

    What about the fact that many large VPNs are owned by (the same) ad companies / data mining companies? Despite the technical discussion, aren’t we ultimately placing our trust in the hands of the untrustworthy?