Your Free VPN App Might Be Spying on You :: Some VPNs are actually malware in disguise. Nov 18, 2025

Condobloke

I would absolutely never trust a VPN that didn't charge me money. In fact, they should be audited and 'zero-knowledge'.

Also, this could maybe have gone into the News category, now that I think about it. But, it also fits this category just fine.
 
I would absolutely never trust a VPN that didn't charge me money.
hm, if you want my money then I can trust you?

Problem is something else, you never know whether some VPN wasn't set up by an agency or a bad actor, they can ask for payment but this doesn't change anything.
 
hm, if you want my money then I can trust you?

Problem is something else, you never know whether some VPN wasn't set up by an agency or a bad actor, they can ask for payment but this doesn't change anything.

Nah, if you're running a business where you're selling a specific service, you're less likely to screw over the people who use your software. It's not perfect, but it's a good indicator. Also, having been audited is nice. You can also look for VPNs that have open-source applications.

An example would be Windscribe. They're audited regularly, no log, zero knowledge, etc... They offer a very limited free tier meant to entice you into paying for the full service. (That's known as a 'loss leader'.) You can read their source code (if you want, but that has been audited).

There's always some risk, but I'm not one of those people who live a life of paranoia.

That combination of things means it's likely reliable and reasonably trustworthy.

Someone providing a free VPN is not somebody I'm going to trust with my data. They have every incentive to spy on me and no incentive to be honest. You can trust 'em, if you want. But, well, I'd point you to this very thread as a reason why I'd never do so.
 
if you're running a business where you're selling a specific service, you're less likely to screw over the people who use your software.
Yeah, companies whose only purpose is to profit from providing a VPN are unlikely to ruin their reputation.

But there is possibility like you said, and a user has no control over it other than not using VPN.

Tor users may be tracked if one is not careful, but if one does their research this can be prevented, so I prefer control over "it likely won't happen".
 
The term "zero-knowledge" always reminds me of one of the first 'VPN'-like public services; I found their technical concept ultra cool. It was called https://en.wikipedia.org/wiki/Zero_Knowledge_Systems.

It is peculiar that the terminology itself disappeared for over a decade, to resurface mainly with a focus on cryptocurrencies.

I think a good example of zero knowledge would be something like Proton, or even Mega.io. Everything you upload is encrypted and they don't have the ability to decrypt it. Only you hold the keys. Losing those keys means a complete loss of your data.

Tor users may be tracked if one is not careful, but if one does their research this can be prevented, so I prefer control over "it likely won't happen".

You're very, very secure if you're not an idiot. As far as we know (and this is constantly tested), so long as you're just using .onion sites, and you're not doing stuff like allowing scripts to execute on web pages, you're really secure. People get busted because they break the 'rules'. Don't give out any personal information of any kind. Do not let anything you do on Tor reflect in the real world. Keep the two completely separate. The place is full of law enforcement.

Then, there's using Tor to access the regular internet. That's extremely risky. It's even more risky when the end point, the exit nodes, are run by law enforcement agencies (and they are).

They can do something called a 'timing attack'. With cooperation from your ISP (who is going to cooperate), it's even easier. Basically, they see when packets enter the Tor network, and they see when packets exit the Tor network. Using this data means they can figure out who you are in the real world. It's not easy. It's not 'cheap'. But it's possible and has been used already.

The people who get busted on Tor always broke the cardinal rules.

I don't have much use for Tor, outside of curiosity. I like to keep abreast of the exploit market and databases put up for sale.

If you're going to use Tor to do illegal things (which I generally don't condone), make sure you don't violate the rules.

Note: Breaking unjust laws is an exception (for me). If you live in an oppressive regime and need to get the word out, by all means go ahead and break that law. Of course, that comes with some risks, but you can use 'SecureDrop' on the .onion site. That'll be reasonably secure. Of course, some agency might be able to tell that you're using Tor and that alone may be enough to be risky. At any rate, my point is that I support violating unjust laws.
 
Then, there's using Tor to access the regular internet. That's extremely risky.
Disclaimer: it's actually been some years since I used Tor. My major usage actually dates back to the widespread advent of the .onion network. It was part of Tor, but the major usage was to surf the regular web anonymously.

That said, I'm not convinced it is risky these days of TLS/https-everywhere - don't forget the traffic itself is encrypted, i.e. it leaves the exit node encrypted.

The anonymity is always WIP for the project. For example, I recall when they removed the option to choose the number of hops you can use. The reason being they noticed traffic analysis was used to identify users who use custom options (i.e. something else than the regular three hops).

The major obstacle I see is that you basically can't use a lot of the most regular web services without JavaScript and friends. This certainly is a big risk, but one that is outside Tor itself, i.e. the big infrastructure providers (like CDNs) which receive the traffic can correlate traffic exiting Tor. With that it is more the set of agencies that have access to those. If they also run exit nodes, it does not matter as much in my view; said CDN sees the same info.
 
I think a good example of zero knowledge would be something like Proton, or even Mega.io.
And Mullvad VPN
 
And Mullvad VPN
Amen.
I value reputation and runs on the board. Other VPN companies would give their eye teeth to have Mullvad's reputation (and their servers)... and that includes Nord.

Mullvad's subscription price.
 
It wouldn't surprise me, coming from wicked internet service providers, which are supposed to keep a monthly fixed rate but keep raising the bill on me. I never learned how to set up a VPN, so I never cared. But thank you for this valuable reminder.
 
Mullvad here as well. Hope you guys who are using Mullvad VPN are taking advantage of the Mullvad browser. You can use their browser app along with the VPN. I believe it only works if you use their VPN. I found sites like Reddit that block you will work if you change the location in the browser app to Japan. Just an FYI.
 
I use Proton, I think I paid $2.99/month for the 24 month subscription. I just use the VPN, no reason to pay for any of the other services.
 
That said, I'm not convinced it is risky these days of TLS/https-everywhere - don't forget the traffic itself is encrypted, i.e. it leaves the exit node encrypted.

They can still see the domain you go to, they just can't see the data you shared. It's a timing attack. They don't really need to know what you're doing so much as they want to identify you. It's more a preliminary step during an investigation and not necessarily anything more than that.

And Mullvad VPN

Yup. I've used them as well. I've also used Nord. I'm currently using Windscribe with a fairly limited account as I only need it for one specific activity. (I like to watch IMSA on YouTube, and I'm geoblocked. They're well aware that I use a VPN and do not care.)
 