With the significant caveat that the VPN industry is, unfortunately, something of a lemon market at present.
It’s not pretty (PDF); and, while I’m sure somewhat different moles have popped up since that report was assembled, it isn’t clear that the overall trajectory is positive (though Facebook’s pet VPN caught a ban, which is certainly a plus).
It’s a real pity. You can’t, obviously, remove the element of risk in adding a man in the middle (though finding one more trustworthy than your ISP, especially mobile, is a lower bar); but, despite there being a number of VPN protocol options, “VPN” has become almost synonymous with ‘quite possibly dodgy app/service bundle’.
I’m not sure if this was cemented during a period when OS-provided support was mostly trash; or because getting the user to configure it is a customer support headache; but it’s not a plus.
Agreed. I wouldn’t advise just installing the first VPN one comes across. There are only a few I trust. The past year I’ve been using VyprVPN by Golden Frog both because they’re up front about what they will and won’t log and how long they retain it, they’re based in Switzerland which has relatively strong privacy laws, and they’re active in lobbying against authoritarian spying.
I’m definitely in favor of the tool; just not the state of the market.
The other issue (seems to arise particularly with Tor) is arrangements that just beg you to use the mechanism in a deeply counterproductive way:
The cute little rPi Tor hotspots, say. A fun project; and they do work; but the trick with Tor is that its design provides reasonably strong protection against traffic analysis by intermediate parties; but cannot (and doesn’t claim to) protect you from analysis of exit traffic by whoever is running the Tor endpoint; which makes it an abjectly terrible idea to allow traffic that contains useful plaintext or leaks identity or origin IP information to pass.
Unfortunately that’s a long list of common software; so a system for naively tunneling everything that a given device feels like chatting about when it finds an AP is very, very likely to go badly. The actually-safe configuration is rather more limiting and pesky to set up; but on the plus side it isn’t automatically self-defeating.
Well, Tor was originally developed to allow parties with a certain level of mutual trust, specifically the US intel community, to communicate sub-rosa. It wasn’t ever really intended to allow unilateral anonymity.