https://torrentfreak.com/italy-approves-piracy-shield-vpn-dns-proposal-risk-of-prison-for-isps-intact-241001/

As title. Italy has decided to pass a law that basically creates a Chinese-type firewall in the country. The question is simple: even if I’m not doing anything illegal, my VPN provider will have to know what I am doing to report it in case it’s illegal, or face jail.

So how could my traffic remain private in this scenario?

Can a VPN provider with a no-logs policy be held accountable for anything? Can it actually know what I’m doing?

  • delirious_owl@discuss.online · ↑1 · 3 hours ago

    Yes. Pay anonymously and change accounts every few months.

    If possible, share your VPN creds with others, such as installing it as a whole-house VPN for you and a neighbor. The more mixing, the better.

  • groet@feddit.org · ↑39 · 9 hours ago

    The post office knows who you are sending letters to. They have to know because they have to deliver it. They do not know the content of the letter. They also don’t know if the letter will be passed along by the receiver to a different destination.

    Your ISP knows you are sending traffic to a VPN but not where they are sending it to. The VPN knows where you are sending traffic to but not the content of that traffic. So if you browse a website that only serves pirated content, then they know you are consuming pirated media but not which media.

    If the law requires the VPN to report any and all traffic to blacklisted sites then a “no logs policy” would breach that law.

    However, to make this law work, Italy would have to ban all VPNs and HTTP proxy services outside of Italy. Italy would have to force pretty much the whole world to follow this law for it to work.

    What happens if you run a tiny server on AWS in the USA to proxy your private traffic? Unless AWS USA is watching all traffic to see if it complies with Italian law there is no way to enforce it.

  • shortwavesurfer@lemmy.zip · ↑15 ↓1 · 10 hours ago

    If it truly keeps no logs, then it cannot tell what you are doing. But otherwise, a VPN provider can indeed tell what you’re doing because you are only shifting the trust from your internet service provider to your VPN provider. I would highly recommend something like IVPN or Mullvad and only pay for it in Monero. That way, even if logs are kept, you are just a number account to them and they do not have a name for you.

    • ShortN0te@lemmy.ml · ↑7 ↓8 · 10 hours ago

      > a VPN provider can indeed tell what you’re doing

      New to me that https is broken

      • delirious_owl@discuss.online · ↑1 · 3 hours ago

        You can read more about this learning about X.509.

        It’s the PKI that’s broken, namely the root stores. Has been unreliable for many, many years. This is why packages are signed.

        • ShortN0te@lemmy.ml · ↑1 · 10 minutes ago

          > You can read more about this learning about X.509.
          >
          > It’s the PKI that’s broken, namely the root stores. Has been unreliable for many, many years. This is why packages are signed.

          So you are basically saying that root CAs are unreliable or compromised?

          The great thing is that you can decide on your own which CAs you trust. Also, please prove that those are actively malicious.

          And no. That is not the reason that packages are signed. I am guessing you mean packages like on Linux, packages contained in the installation repository. The reason is that you build another chain of trust. Why would I trust a CA which issues certificates for domains with code distribution? That’s not their job.

      • shortwavesurfer@lemmy.zip · ↑9 ↓1 · 9 hours ago

        HTTPS doesn’t stop them from knowing what you visited. It just stops them from knowing what you did while you were there. The VPN provider can still see that you visited Google, but they cannot see what you asked for Google to do for you.

        • ShortN0te@lemmy.ml · ↑7 · 9 hours ago

          Yes. Not claimed otherwise. OC claimed that they see what you are doing which is wrong.

      • slazer2au@lemmy.world · ↑8 · 9 hours ago

        Don’t have to break TLS to know what site you are accessing. The SNI of the cert does that.

        The specific URL however is protected by TLS.

        • ShortN0te@lemmy.ml · ↑9 · 9 hours ago

          They see what sites you are visiting yes but they do not see what you are doing on them. They do not see the content of the traffic. Huge difference.

            • ShortN0te@lemmy.ml · ↑2 ↓2 · 8 hours ago

              When you get judged based on what website you are visiting it is very likely that you are already the bad guy by using a vpn.

      • ExcessShiv@lemmy.dbzer0.com · ↑3 ↓1 · 10 hours ago

        That doesn’t really make a difference if no traffic history is saved. If there are no logs of traffic saved, there’s nothing that can be tied to the account.

  • ExcessShiv@lemmy.dbzer0.com · ↑13 ↓2 · 10 hours ago

    Yes, any VPN provider will see what’s in your traffic, no way around that…ever…no matter who you choose

    However, not all VPN providers will keep a record of your traffic, so it may only exist briefly in their servers as it passes through and then it’s gone. This is how companies like Mullvad operate. Even if the cops come with a warrant, there will be no evidence because nothing is saved.

    • corroded@lemmy.world · ↑4 · 9 hours ago

      Aren’t there a few VPN providers that don’t even install writable storage in their servers? I can’t remember which, but I’m sure there’s at least one that boots their machines off of read-only media and only installs hard drives in the servers used for storing login credentials.

      • ExcessShiv@lemmy.dbzer0.com · ↑1 · 8 hours ago

        Yes there are, your data still resides in their servers as it passes through them though. But like I said, as soon as it has been processed there is no log of it so it is only present briefly and not in a persistent manner.

    • ShortN0te@lemmy.ml · ↑2 ↓7 · 10 hours ago

      > Yes, any VPN provider will see what’s in your traffic, no way around that…ever…no matter who you choose

      Yes, there is a way around it, just use https.

      • ExcessShiv@lemmy.dbzer0.com · ↑3 ↓1 · 9 hours ago

        Doesn’t that just hide the specific content? They still know where the content is coming from?

        And not everything done online, especially things that can get you in trouble with authorities (like torrenting copyrighted material) can be done through https.

        • ShortN0te@lemmy.ml · ↑2 · 9 hours ago

          Basically everything online can be done encrypted. BitTorrent has had support for encryption for years. There are other challenges like hiding from DPI and the thing that you broadcast your torrent IP but the content can be securely encrypted.

  • fl42v@lemmy.ml · ↑6 · 9 hours ago

    Depends on your definition of “what”, and the server you’re talking to, and what DNS you’re using, and your VPN provider, and maybe the phase of the moon.

    So, pretty much the best-case scenario is when the site works via https, and the server supports “encrypted client hello” (ech), and your browser has ech enabled. In this case your VPN provider can see that you’ve sent something to the IP (one IP can host multiple websites with different domains).

    Https and no ech = can see IP, can see the domain.

    Http = can see everything (thankfully, quite rare now).

    Some VPN providers may as well use their own DNS, then they can see what domains you’ve talked to regardless of ech (afaik, since domain lookup should happen before client hello, since you’re basically looking up whom to “greet”)

    Some providers are Facebook with fake mustache and will shamelessly try to mitm you

  • ShortN0te@lemmy.ml · ↑5 ↓1 · 10 hours ago

    When you visit sites with https then the traffic is encrypted. They still see what sites you are visiting.