privacyguides/privacytools.io
Archived
1
0
Fork 0
Code Issues 304 Pull Requests 47 Activity

vpn: encourage encrypted DNS & linkify https #1340

Merged
Mikaela merged 7 commits from vpn-warning into master 2019-09-27 11:08:43 +00:00
Conversation 9 Commits 7 Files Changed 1 +6 -2
Mikaela commented 2019-09-23 18:25:25 +00:00 (Migrated from github.com)
Copy Link

Resolves: #1314

https://deploy-preview-1340--privacytools-io.netlify.com/providers/vpn/

Resolves: #1314 https://deploy-preview-1340--privacytools-io.netlify.com/providers/vpn/
netlify[bot] commented 2019-09-23 18:26:04 +00:00 (Migrated from github.com)
Copy Link

Deploy preview for privacytools-io ready!

Built with commit cf57d26ec8

https://deploy-preview-1340--privacytools-io.netlify.com

Deploy preview for *privacytools-io* ready! Built with commit cf57d26ec8487d7c67688e8fbb592cd6c344cb1d https://deploy-preview-1340--privacytools-io.netlify.com
Mikaela (Migrated from github.com) reviewed 2019-09-23 18:27:43 +00:00
pages/providers/vpn.html
Mikaela (Migrated from github.com) commented 2019-09-23 18:27:43 +00:00

Logic flaw. Encrypted DNS comes before HTTPS.

Logic flaw. Encrypted DNS comes before HTTPS.
Mikaela commented 2019-09-23 18:43:45 +00:00 (Migrated from github.com)
Copy Link

I rubber duck debugged this in the new issue page.

🌐 Website Issue | VPN questions / encryption doesn't mention encrypted DNS and may be a bit misleading

#1207 not fixed by #1340.

What if I need encryption?

In most cases, your traffic is already encrypted! Over 98% of the top 3000 websites offer HTTPS, meaning your traffic is safe regardless of using a VPN. It is incredibly rare for applications that handle personal data to not support HTTPS in 2019, especially with services like Let's Encrypt offering free HTTPS certificates to any website operator.

Nope, your DNS traffic is announced and modifiable in plain text unless you run a local DNSSEC validating resolver (which will only help with DNSSEC-signed domains), so better advice would be to encrypt DNS.

However that doesn't prevent SNI from leaking where you are connecting to except in the rare cases of using FIrefox + DoH + Cloudflared domain.

Even if a site you visit doesn't support HTTPS, a VPN will not protect you, because a VPN cannot magically encrypt the traffic between the VPN's servers and the website's servers. Installing an extension like HTTPS Everywhere and making sure every site you visit uses HTTPS is far more helpful than using a VPN.

So maybe there is a missing question on whether I should use encrypted DNS with a VPN?

I rubber duck debugged this in the new issue page. * * * * * 🌐 Website Issue | VPN questions / encryption doesn't mention encrypted DNS and may be a bit misleading #1207 not fixed by #1340. > ## What if I need encryption? > > In most cases, your traffic is already encrypted! Over 98% of the top 3000 websites offer HTTPS, meaning your traffic is safe regardless of using a VPN. It is incredibly rare for applications that handle personal data to not support HTTPS in 2019, especially with services like Let's Encrypt offering free HTTPS certificates to any website operator. Nope, your DNS traffic is announced and modifiable in plain text unless you run a local DNSSEC validating resolver (which will only help with DNSSEC-signed domains), so better advice would be to encrypt DNS. However that doesn't prevent SNI from leaking where you are connecting to except in the rare cases of using FIrefox + DoH + Cloudflared domain. > Even if a site you visit doesn't support HTTPS, a VPN will not protect you, because a VPN cannot magically encrypt the traffic between the VPN's servers and the website's servers. Installing an extension like HTTPS Everywhere and making sure every site you visit uses HTTPS is far more helpful than using a VPN. So maybe there is a missing question on whether I should use encrypted DNS with a VPN?
Mikaela commented 2019-09-23 18:51:53 +00:00 (Migrated from github.com)
Copy Link

How about additional informationing self-contained networks to poke more holes into why someone would want a VPN? 😸

How about additional informationing self-contained networks to poke more holes into why someone would want a VPN? :smile_cat:
Mikaela (Migrated from github.com) reviewed 2019-09-23 19:45:36 +00:00
pages/providers/vpn.html
@ -12,3 +12,3 @@
<p class="card-text text-danger">If you are looking for <strong>anonymity</strong>, you should use the Tor Browser <strong>instead</strong> of a VPN.</p>
<p class="card-text text-danger">If you're looking for added <strong>security</strong>, you should always ensure you're connecting to websites using HTTPS. A VPN is not a replacement for good security practices.</p>
<p class="card-text text-danger">If you're looking for added <strong>security</strong>, you should always ensure you're connecting to websites using <a href="/providers/dns/#icanndns">encrypted DNS</a> and <a href="https://en.wikipedia.org/wiki/HTTPS">HTTPS</a>. A VPN is not a replacement for good security practices.</p>
<p class="card-text text-secondary">If you're looking for additional <strong>privacy</strong> from your ISP, on a public Wi-Fi network, or while torrenting files, a VPN may be the solution for you as long as you understand <a href="#info">the risks involved</a>.</p>
Mikaela (Migrated from github.com) commented 2019-09-23 19:43:51 +00:00

This is the main fix for #1314.

This is the main fix for #1314.
pages/providers/vpn.html
Mikaela (Migrated from github.com) commented 2019-09-23 19:44:42 +00:00

I am not entirely happy with this, but I welcome better suggestions. Otherwise I would say that it's good enough.

I am not entirely happy with this, but I welcome better suggestions. Otherwise I would say that it's good enough.
Mikaela (Migrated from github.com) commented 2019-09-23 19:45:04 +00:00

I think it's a fair warning even if maybe misplaced.

I think it's a fair warning even if maybe misplaced.
pages/providers/vpn.html
Mikaela (Migrated from github.com) commented 2019-09-23 19:44:17 +00:00

This was missing the fact that DNS was most likely unencrypted.

This was missing the fact that DNS was most likely unencrypted.
pages/providers/vpn.html
Mikaela (Migrated from github.com) commented 2019-09-23 19:45:29 +00:00

Don't forget what VPNs were originally for. And keep Tor hidden services and similar in mind :)

Don't forget what VPNs were originally for. And keep Tor hidden services and similar in mind :)
nitrohorse (Migrated from github.com) reviewed 2019-09-24 03:45:08 +00:00
pages/providers/vpn.html
nitrohorse (Migrated from github.com) commented 2019-09-24 03:33:33 +00:00

suggestion to add a semicolon after "helpful":

      <p>The answer to this question is also the not very helpful: <strong>it depends</strong>. Your VPN provider may have their own DNS servers, but if they don't, the traffic between your VPN provider and the DNS server isn't encrypted. You need to trust the <a href="/providers/dns/#icanndns">encrypted DNS provider</a> in addition to the VPN provider and unless your client and target server support <a href="https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https">encrypted SNI</a>, the VPN provider can still see which domains you are visiting.</p>
suggestion to add a semicolon after "helpful": ```suggestion <p>The answer to this question is also the not very helpful: <strong>it depends</strong>. Your VPN provider may have their own DNS servers, but if they don't, the traffic between your VPN provider and the DNS server isn't encrypted. You need to trust the <a href="/providers/dns/#icanndns">encrypted DNS provider</a> in addition to the VPN provider and unless your client and target server support <a href="https://www.eff.org/deeplinks/2018/09/esni-privacy-protecting-upgrade-https">encrypted SNI</a>, the VPN provider can still see which domains you are visiting.</p> ```
nitrohorse (Migrated from github.com) commented 2019-09-24 03:35:39 +00:00

Suggestion: I think we don't need to hyperlink in this title since we already link to that page within the body of text.

      <h4>Should I use encrypted DNS with a VPN?</h4>
Suggestion: I think we don't need to hyperlink in this title since we already link to that page within the body of text. ```suggestion <h4>Should I use encrypted DNS with a VPN?</h4> ```
nitrohorse (Migrated from github.com) commented 2019-09-24 03:42:34 +00:00

Just a suggestion, a bit more terse:

      <p>However <strong>you shouldn't use encrypted DNS with Tor</strong>. This would direct all of your DNS requests through a single circuit, and would allow the encrypted DNS provider to deanonymize you.</p>
Just a suggestion, a bit more terse: ```suggestion <p>However <strong>you shouldn't use encrypted DNS with Tor</strong>. This would direct all of your DNS requests through a single circuit, and would allow the encrypted DNS provider to deanonymize you.</p> ```
blacklight447 (Migrated from github.com) reviewed 2019-09-24 09:27:36 +00:00
blacklight447 (Migrated from github.com) left a comment

looks great!

looks great!
nitrohorse (Migrated from github.com) approved these changes 2019-09-26 17:00:47 +00:00
blacklight447 (Migrated from github.com) approved these changes 2019-09-27 11:08:08 +00:00
This repo is archived. You cannot comment on pull requests.
Reviewers
No Reviewers
nitrohorse
blacklight447
Labels
Clear labels
🔍🤖 Search Engines
approved
approved, waiting for a PR
dependencies
Pull requests that update a dependency file
duplicate
feedback wanted
high priority
I2P
The Invisible Internet Project (I2P)
iOS
low priority
OS
Operating Systems
Self-contained networks
Social media
stale
A label for stalebot if it gets added
streaming
Anything related to media streaming.
todo
Tor
Anything covering the Tor network
WIP
active work in progress, do not merge or PR (yet)!
wontfix
Issues or bugs that will not be fixed and/or do not have significant impact on the project.
XMPP
Extensible Messaging and Presence Protocol
[m]
Matrix protocol
₿ cryptocurrency
ℹ️ help wanted
↔️ file sharing
⚙️ web extensions
Browser Extension related issues
enhancement
software removal
💬 discussion
🤖 Android
🐛 bug
💢 conflicting
📝 correction
Correction of content on the website
🆘 critical
📧 email
🔒 file encryption
📁 file storage
🦊 Firefox
Firefox & forks, about:config etc.
💻 hardware
🌐 hosting
🏠 housekeeping
Anything primarily related to site cleanup.
🔐 password managers
🧰 productivity tools
🔎 research required
🌐 Social News Aggregators
🆕 software suggestion
👥 team chat
🔒 VPN
Virtual Private Network
🌐 website issue
*Technical* issues with the website.
🚫 Windows
👁️ browsers
🖊️ digital notebooks
🗄️ DNS
Domain Name System
🗨️ instant messaging (im)
🇦🇶 translations
Anything covering a translated version of the site
No Label
🔒 VPN
🗄️ DNS
Milestone
No items
No Milestone
Assignees
Clear assignees
jonah
No Assignees
1 Participants
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: privacyguides/privacytools.io#1340
No description provided.
Delete Branch "vpn-warning"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?