You know this. I know this. April knows this. People who follow you might not.
-
-
Replying to @ericlaw @aprilmpls
I know that VPN doesn't solve it either, so I don't follow your argument.
2 replies 0 retweets 0 likes -
After much (needed & excellent!) work, only now are 80% of Android apps encrypting: https://security.googleblog.com/2019/12/an-update-on-android-tls-adoption.html … Hard for an educated layperson *who doesn't know the TLS state of their app stack* to conclude that VPN provides zero additional assurance on a *local* untrusted network.
1 reply 0 retweets 0 likes -
I assume you know the problem with this, a *local* untrusted network is no more secure than a *remote* untrusted network. You've just shuffled some packets around, collected $4.99 and improved nothing.
2 replies 0 retweets 4 likes -
I mean, the idea here is that the VPN is a remote *trusted* network, and one with an absolute ton of egress traffic. (and to be clear, I don't use them, but I also don't think they are valueless)
2 replies 0 retweets 4 likes -
That is an unusual use of the term "trusted network". If it's trusted, then why bother with https at all, we can just tunnel everything to them and call the problem solved. TLS is only necessary over untrusted networks, right?
1 reply 0 retweets 1 like -
Let's not hyperbolize; I've been working for years to move everything to HTTPS/TLS. It is the most important thing we can do to protect traffic, and I never claimed that it wasn't. But TLS will never obscure the destination or quantity of your traffic, or its traffic patterns.
1 reply 1 retweet 7 likes -
Concur 100%. But an apparent conflict emerges when collection is shifted from one org to another, for money. And like the Firefox DoH move, it centralizes visibility - and exploitability and profit motive - for the data. There's no Let's Encrypt of VPNs (unless you count Tor).
1 reply 0 retweets 0 likes -
There is no free-as-in-beer VPN like Let's Encrypt is for certificates, but there are lots of good ways for people to roll their own for free. One great option is Algo VPN, which should work on just about any cloud provider (or home network) in the world. :)
1 reply 0 retweets 1 like -
Agreed, but it's beyond most people's capability. Perhaps close tothe same order of magnitude as the people who can truly judge the threat model.
1 reply 0 retweets 0 likes
There's a difference between those two things, this is just proxying your traffic through a bandwidth reseller. It's dangerous to conflate these, one is just cynically shuffling bits from one untrusted network to another to extract revenue, the other actually has value. 
-
-
Replying to @taviso @TychoTithonus and
Different to the extent Mozilla has extracted privacy guarantees via business contracts with the bandwidth providers. Secure proxy: https://www.cloudflare.com/mozilla/firefox-private-network-privacy-notice/ … VPN:https://mullvad.net/en/help/no-logging-data-policy/ …
2 replies 0 retweets 2 likes -
Replying to @dveditz @TychoTithonus and
That doesn't make sense. You're transferring packets from one untrusted network to another. I guarantee the privacy to myself on my endpoint, so what did I gain by transferring my packets to another endpoint with a weaker guarantee?
1 reply 0 retweets 1 like - 6 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.