I feel that VPNs are not very effective when it comes to privacy. They can help bypass geographical restrictions for streaming services, but that isn’t as reliable now since some platforms are blocking VPN traffic. VPNs still have a valid place in corporate settings, but for individual privacy, I find them unnecessary. The only thing that might sway my opinion is proof of attacks on public, insecure WiFi networks.
Also, if it’s a free VPN, chances are you’re being exploited in some way (like having your data collected and sold). I haven’t looked into which VPNs have been caught selling data, but I have no doubt there are plenty that go unnoticed.
Regarding DNS sniffing, I don’t find it particularly concerning—who cares if someone notices an IP visiting Google, Facebook, or financial sites? Plus, DNS over HTTPS (DoH) and DNS over TLS (DoT) are reducing that risk. I’m open to learning about other serious threats that VPNs might help with, but for now, I’m not convinced they’re necessary for everyday internet privacy.
Edit: I should mention “security” instead of “privacy”, although I stand by my thoughts on privacy (unless you’re engaged in illegal activities). Many people overlook what might change my stance: evidence of attacks effective on public, unsafe WiFi for an average user who browses the web and checks their phone regularly.
Feel free to stick with my original point; it’s still true, but doesn’t address things like, “I use XYZ protocol, which runs unencrypted.” My response to those is: avoid using them in public
To /u/lazzzzlo, Your post is under review for potential removal due to Rule B violations.
To encourage valuable conversations, consider these techniques:
Engage with the strongest arguments of other commenters, not just their weakest points.
Practice steelmanning instead of strawmanning—interpret others’ statements in the most reasonable way.
Avoid shifting the goalposts. If you need to adjust your claims during an argument, acknowledge it with a delta before continuing.
Ask questions to grasp the opposing view rather than simply trying to prove them wrong.
Please review Rule B guidelines and consider whether you may have exhibited any of these behaviors. If so, strive to redirect the discussion. The goal of CMV is to understand differing viewpoints.
Firstly, the idea that it ‘might be worse’ outside of privacy doesn’t align with common sense. SSL over a non-VPN vs. SSL over a VPN has the same man-in-the-middle risk, but at least one is focused on privacy and security.
Secondly, you don’t want malicious users to know your IP address. Being consistently identifiable enables various forms of attacks. The concern isn’t about being more or less likely to be targeted; it’s about how quickly someone can act once they do target you. If someone is targeting a person and has extensive knowledge about their behavior, they are much more likely to succeed.
A VPN can complicate malicious activity to gather information about you, because over time, your online identity becomes less stable and recognizable. This is particularly true if you only have one identifiable fact about you versus multiple known patterns of behavior from attackers.
@Bex
Your perspective depends on who the potential attackers are. Commercial VPNs concentrate many concerned about privacy through a single outlet. This helps against small-scale attackers but may expose you to larger threats.
For example, if you don’t use a VPN and play a peer-to-peer game, someone on the other side might launch a DDoS attack against your visible IP address. This kind of attack won’t work if you’re using a VPN. The VPN also adds a layer of complexity for potential attackers.
However, it could expose you to everyone who can compromise the VPN itself. Because VPNs attract privacy-conscious individuals, they can be a tempting target for centralized attackers. If a service provider is compromised, you risk entering the wider net of exposure.
@Merritt
And for peer-to-peer activities, you should be cautious whether your VPN provider respects that data! Often, a VPN can hinder P2P connections since they are often designed to traverse NAT and require direct computer-to-computer connections.
@Bex
Honestly, an IP address alone is nearly insufficient for attacks. It can sometimes indicate a 250-mile area around your home, and perhaps there’s a vulnerability if you left a port open. It’s far more common to disclose details through an email address.
Sorry, u/lazzzzlo – your comment has been removed for violating Rule 4:
Award a delta if you’ve acknowledged a change in your view. Do not use deltas for any other purpose. You must provide an explanation of the change for it to be valid. Misusing deltas includes sarcastic, joke, or super-upvote deltas. More information.
Amos said: @Wilder
I genuinely wonder what ‘attacks’ people are most concerned about on ‘insecure’ WiFi?
I’ve had my eBay account stolen three consecutive times.
You may need to improve your password and check if it has appeared on haveibeenpwned. Also, ensure you’re free from client-side malware.
The compromised access isn’t likely due to public WiFi; eBay employs HSTS to ensure encrypted connections, and they’re on the HSTS Preload List. A DNS spoof would not work unless bypassing significant security warnings about invalid certificates.
@Bex
SSL over a non-VPN connection versus SSL over a VPN carries the same man-in-the-middle risk, yet one offers a focus on privacy and security. If the risks are equivalent, why should you choose to buy a VPN? All VPN providers advertise their ‘military-grade encryption’ (which is essentially the same as HTTPS) to prevent eavesdropping from hackers.
As for your IP being exposed, while it’s true you shouldn’t reveal your home address, in public spaces, particularly on insecure WiFi— which is the context of this discussion— the actual address is irrelevant. It would either be a local IP or that of the cafe you’re in. For home use, yes, you should be cautious of falling victim to malicious sites along with another bad move, needing to expose something vulnerable over WiFi. The average person may not even know how to properly secure themselves against traditional attacks.
You state that ‘so much pattern data’ is crucial for potential attackers targeting you; however, that partly implies a very dedicated person going after you specifically!
While I understand your view that a VPN can obscure your identity over time, it’s solely a hindrance against more common attacks. I suggest you research browser fingerprinting techniques. A single IP is largely ineffective in tracking; a fingerprint is far more precise.
Tanner said: @Amos
While together these factors seem less impactful, addressing each could yield significant results.
Of course, however, even when using a VPN, they can track which one you’re using. Recognizing users via a VPN address combined with their fingerprint creates a highly effective tracker.
We need to consider who you want to keep your activity hidden from.
If it’s about privacy from your local ISP or the government, VPNs can help. Fully encrypted traffic leaving your country can be essential if you’re doing something that your government might disapprove of.
@Holland
That’s true, but in that situation, a determined regime ISP will likely block VPN usage. In that case, you can rely on Tor with bridges or snowflake as a free alternative.