What's the intended audience for this? As a tech-savvy person, reading his commentary on TunnelBear completely discredited his site in my eyes. He talks about things that are completely irrelevant and are incredibly silly to even remotely care about from a VPN provider.
Despite his listed criteria at the top, the star ratings and rank order seem to be based on how the provider made him feel, and has nothing to do with actually how secure and privacy-protecting the provider is. (To be fair, though, without inside knowledge, it's hard to evaluate how up-and-up they are.) Based on his own metrics, PIA should be listed as #1, not #8; it's the only one that hits all nine of his "Important" list.
I'm completely baffled as to why this list was constructed as it is.
On a side note:
"First, I'm upset at Private Internet Access because I had to modify this site's CSS just for their needlessly long name."
TunnelBear - 5 stars, because "it's just so much fun to use."
I hate being a cynical ass (I really do) but this guy has no business at all running this website.
I'll not preach the long form of my usual VPN rant (briefly: they introduce another man-in-the-middle - who is probably anonymous to you, one who is very likely not subject to and utterly unaware of data protection laws, which makes you less safe rather than more).
People will read this site, think he knows what he's talking about, and get themselves into a lot of bother because of the bad advice this dude is giving out. He really needs to read up on what he's advocating here, as he clearly has no knowledge of the critical security factors behind these services.
You might think to yourself:
"Easy on, maybe he's writing for folks that don't care about security and just want US Netflix unblocked in their country."
And you would be right if not for the bottom of the page saying this:
"If you've found this site useful, please share it with a friend who you think would benefit from safer, private browsing."
So yeah, actively encouraging the spread of this terrible security advice is probably worth calling out.
The following VPNs were not reviewed due to their website experience being poorly designed. This can mean heavy use of stock photos, utter disregard for detail, difficult navigation, excessive and hard to follow text, non-defaulting to HTTPS, and overall poor usability.
At least he understands what's important in a VPN. Kudos for excluding services that use stock photos in their website design.
Of course there is no causal relation between website quality and VPN quality. But there is definitely a statistical relationship. Setting up a secure and fast VPN is very complex and it's hard to see why somebody would then neglect the entry point to that service. Actually I'd assume that this negligence would be likely when the VPN is actually only supposed to serve as a malicious MITM. Hence I accept this as a valid heuristic.
There are so many bad websites for good projects. Case in point: the OpenBSD and OpenSSH websites look like ugly colored plain HTML from the 90s but they are still killer projects.
You may be right but I think his own website is poorly designed too: he says that "Private Internet Access" is too long because it forced him to modify his CSS, and as a "forum" (link at the bottom of the page) he uses GitHub's issue tracker.
> The one thing I didn't like was that P2P/torrenting is blocked. They claim that to enable torrenting, they would have had to enable logging.
Wait, if Tunnelbear are throttling P2P connections, where is the red flag?
Regarding NordVPN: I’ve used them a few years ago and their service was terrible. Disconnects upon disconnects, servers not working for days — I gave up eventually.
Never tested any other VPN he reviewed, however, I've written a guide[1] on how to pick a VPN provider without throwing numbers and reviews around, if anyone wants to give it a read.
PIA has a surprisingly broad reach, financially and in some cases structurally supporting Freenode, Snoonet, Fight For the Future, EFF, Software Freedom Conservancy and many more.
It's actually unnerving how many of the same projects and groups they support, in some cases being the main benefactor.
Unnerving is definitely the wrong word. If you want to be negative about it, this is just really good advertising to a tech savvy audience. I honestly just switched my VPN subscription over to PIA after reading this list...
What is unnerving about it exactly? It seems to me that's exactly the type of thing you'd want from a company who focuses on privacy. It gives the appearance that they actually, truly care about privacy and aren't just in it for the money (and I have no idea if that's actually true or not).
AirVPN similarly supports many projects including Tor, OONI, OpenNIC etc., but this "tech-savvy" guy conveniently chooses not to review it and many others including TorGuard, due to issues in site navigation.
The intended audience is whoever will click the affiliate links.
Garbage like this is why I wish there was no affiliate business on the internet. You can never assume good faith if someone tries to earn money from you.
But none of the links are affiliate links? I mean, I agree that this is far from the best, most comprehensive VPN review site, but you can't just make things up like this.
Regardless of how you feel about _why_ PIA sponsor the organisations they do, it is surprising to see someone claiming they "perhaps put [their money] to better use" given their record of supporting foss and digital/online rights [1].
Additionally, the characterization of PIA as being extremely focused on the tech-illiterate isn't really the case either, I feel; they have lots of docs about how to use OpenVPN [2].
Thirdly, while there's no online free trial, at DEFCON and other events they do liberally hand out free trial cards.
The above points, as well as reading the commentary, lead me to believe that the author hasn't spent much time at all using or understanding the various product offerings, and the written review and star score seem to clash with the high feature-based score listed above. I can't speak at all for the other providers, but I don't feel like PIA at least has been well researched.
There was one VPN provider he just rated 1 star and refused to use because the home page didn't feel modern enough. At that point I mentally rated the article 1 star and refused to take its contents seriously.
PIA actually scores as one of the highest on the objective measures. The star count is just a subjective impression and experience with getting it set up. They connect over HTTP on startup instead of HTTPS (which is unacceptable for a privacy company). They then ping almost a hundred servers on startup (no other app does this, at least not to this extent).
Hi mobitar. Thanks for the highest score in regard to the objective measures. Regarding the subjective impression and experience, I'd like to let you know what's going on. If you feel that this changes your impression, it would be great to update accordingly!
The HTTP connection upon startup is for the region data request which is signed and verified upon receipt. It's tamper proof, but you can read it. It's something that anyone with the client can read, and the client is free to download.
Arguably, it's more secure to entrust the communication from PIA to the client software itself than to blindly entrust it to HTTPS which has provably been compromised due to bad actors in the past.
We're in #privateinternetaccess on irc.freenode.net to discuss anytime as well!
Thanks for everything mobitar and for taking the time to produce this report.
Sorry mobitar, I forgot to address the pings. This is to find the best (closest by network latency) path to you. We're really focused on providing the best possible experience, and that experience is simply providing what we do best, in the most unobtrusive way possible.
And to that extent, when it comes to your privacy and fighting for your internet civil liberties, we'll be second to none.
I've seen PIA being very active and friendly, along with supporting FOSS which I love, so I say good work.
That said, a question: is there a way for a power user to control this startup ping mechanism in favor of using a single server they have selected as the best? The only reason I see to not do this would be if your IP ranges are volatile time-wise for some reason. Or perhaps I'm missing another factor?
If you're using the app, I know you can choose a server instead of "Auto". Not sure if it does the pings.
You can bypass the app. I've identified some servers that work well and are close to me and just use a separate app with the profiles/configuration I need. (You can use the built-in VPN on your OS or use the OpenVPN app directly, for example, if you want.)
Hi Andrew! I've used PIA for a few years now. I'm very happy with it.
There's just one thing that's kind of a deal breaker. I recently switched to Mac and the Mac PIA Client is quite far behind the Windows, Android and iOS versions.
I'll list all my issues together here:
Major issues
- slow to start
- slow to connect (often tries forever). This is my biggest issue. On other platforms (or connecting directly with the built in Mac vpn function) it takes like 2-3 seconds. With the Mac client it takes many times longer. There's also no feedback about what stage the connection is in, unlike on every other OS.
- doesn't reconnect if network changes, so internet just stops working
Minor issues
- can't see pings for servers
- not as sexy as Windows client
I switched to using the built in Mac VPN feature to connect which is much faster, but occasionally stops working altogether for 20-30 minutes. So right now I don't have a good reliable VPN solution.
Can you please fix the mac client so that when I wake up my macbook after couple days of sleep I don't have HUNDREDS of "disconnected" messages from PIA to dismiss? I understand it connects and then disconnects every time the computer wakes up briefly during sleep, but the onslaught of notifications is.....A lot.
Considering your claim to be interested in producing a quality analysis of the various services and clients, and in other reviews you took pains to point out that connections were made to Google Analytics servers, I found it pretty disappointing that you didn't explain what the servers that PIA were pinging actually are.
Are they, as I suspect (as a PIA user), pinging their own servers worldwide, to find the fastest options available? Are they pinging third parties?
Your review basically says "pings are bad m'kay" without demonstrating any understanding of what the client is doing.
Furthermore, your questioning of the use of port 80 makes me wonder about your own security knowledge. You really don't understand why a commercial VPN product designed to be used by portable devices in unexpected environments might commence a connection on port 80?
These 'objections' you have make me sceptical of your attention to detail in general.
Their app has all of their various points of presence pre-populated. If you use your favorite OpenVPN program to connect you would need to get a couple dozen configs imported.
It also tries to find the fastest connection for you, which is useful when traveling.
I have happily used PIA for years on Ubuntu and macOS and Android, but I never, ever use their clients. Just download the ovpn files[1] and set them up with the native support built into your OS (or use something like Viscosity for more functionality). On an unrelated note, I'm happy to know that my (reasonable) annual subscription allows them to support FOSS projects, they should really publicize that more!
I don't know, the criticism in the list is certainly irrelevant, but as far as I can see PIA is a US company and I believe it is kind of absurd to nowadays trust any US or UK company about privacy-related matters. The UK has become one of the worst countries in the world regarding privacy due to the Investigatory Powers Act, but the US also doesn't have a good reputation in this regard.
A simple Google search also reveals various user complaints that PIA apparently uses a Ruby (!) script to constantly write an extensive local log of all web activities, and the option is switched on by default. That's not inspiring my confidence. Their pricing is great, though.
The problem I have with VPNs in general is that quite a sizable number of them look as if they had been set up by dubious entities solely to collect data on their customers. Especially the ones with competitive pricing.
I would rather trust some of the more expensive ones from e.g. Sweden.
"Failure to comply with the present Terms of Service constitutes a material breach of the Agreement, and may result in one or more of these following actions:
...
Disclosure of such information to law enforcement authorities as deemed reasonably necessary.[1]
Which is so strange because in the technical category they're one of the best. Shopping for a VPN provider 2 years ago I almost passed them right by due to how the site looks. So glad I dug a little deeper and eventually chose them, because the service 'just works' and 2 years later I don't have a single complaint.
> A pretty boring company. Extremely transactional. You get in and get out. It delivers its experience the way a utility company would. Sometimes, that may be a good thing. But in this case, since I have choice, I'd rather give my money to a company who would appreciate it a little more — perhaps put it to better use.
PIA might be very "transactional" but I like them and I've never had any issues with their service. I'm surprised it didn't get a better rating. I don't need a flashy VPN, a utility is exactly what I'm looking for.
Given that he rates Vypr above PIA, when Vypr have had clear incidents of doing enough logging to identify which user has done something [1][2], and PIA do no logging [3], I'm not particularly inclined to trust this analysis on the basis of which app is more "fun" to use.
Disclaimer: I used to use Vypr; when I found out about the logging, I switched to PIA, which I use with Tunnelblick anyway instead of their app. Furthermore, I can only really go by what they say, as I don't have inside access to their systems.
Since the entries on the site are ordered top-to-bottom based entirely on his subjective rating, ignoring the objective criteria, the list absolutely rates Vypr higher, in both a figurative and literal sense, and in a way that implies that his 5-star ratings are far more important than the objective criteria.
The fact of a connection being established in port 80 is to do with how TCP/IP works. You aren't even claiming to understand what protocol is in use on port 80, not to mention whether the data is in the clear, what it is for, etc. This isn't analysis, it's... something far short of analysis that I can't think of a kind name for.
It's worse than that. Back when I used PIA a few years ago, they would pass your username and password around in the query string, completely plain-text. That was their session mechanism. I sent them an email explaining the problem and got a refund. Their security mistakes, and the fact that they are based in the US, disqualify them for me. I really wish people would recommend someone else.
I would be interested to know more about this; why they were doing it at the time and if it's still being done.
The use of port 80 is not really important; I'm not sure if the article's author is using "port 80" as shorthand for "unencrypted" but that's sloppy writing if so; you can certainly establish encrypted connections over port 80, of course. I used to do SSH on port 80 all the time to get around stupid firewalls...
That, in and of itself, is not an issue. Your browsers, for example, download Certificate Revocation Lists over plain-text HTTP as well -- but they are digitally signed.
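The pattern described in the two comments above, PIA's region list and browser CRLs both being fetched over plain HTTP and checked against a signature on arrival, comes down to one rule: the client pins the provider's public key and refuses any payload that does not verify under it, so the transport only has to deliver bytes. The Go program below is an added example written for this thread; it is not PIA's code, and its choices (Ed25519, a JSON envelope with a detached signature, a serial number in the signed payload, the example.net hostnames) are assumptions, since the page does not describe PIA's actual key type or wire format. It runs the exchange three times: the genuine list, a copy that an on-path attacker has rewritten, and a replay of an older genuine copy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Region is one entry in the server list the client fetches at startup.
type Region struct {
	Name string `json:"name"`
	Host string `json:"host"`
}

// RegionList is the signed payload. Serial lets the client reject a replayed
// older list, which would otherwise carry a perfectly valid signature.
type RegionList struct {
	Serial  uint64   `json:"serial"`
	Regions []Region `json:"regions"`
}

// Envelope is the assumed wire format: raw payload bytes plus a detached
// Ed25519 signature over exactly those bytes. Nothing here is encrypted;
// anyone on the path can read the list, as the PIA reply above says.
type Envelope struct {
	Payload   []byte `json:"payload"`
	Signature []byte `json:"signature"`
}

// publish is the provider side: serialize and sign with the long-term key.
func publish(priv ed25519.PrivateKey, list RegionList) ([]byte, error) {
	payload, err := json.Marshal(list)
	if err != nil {
		return nil, err
	}
	return json.Marshal(Envelope{Payload: payload, Signature: ed25519.Sign(priv, payload)})
}

// verify is the client side. pinned ships inside the client, so the channel
// (HTTP on port 80, captive portal, hostile Wi-Fi) is untrusted by design.
// minSerial is the serial of the last accepted list; anything not strictly
// newer is treated as a replay.
func verify(pinned ed25519.PublicKey, wire []byte, minSerial uint64) (*RegionList, error) {
	var env Envelope
	if err := json.Unmarshal(wire, &env); err != nil {
		return nil, fmt.Errorf("malformed envelope: %w", err)
	}
	// Verify before parsing: the payload parser only ever sees signed bytes.
	if len(env.Signature) != ed25519.SignatureSize || !ed25519.Verify(pinned, env.Payload, env.Signature) {
		return nil, errors.New("bad signature: list altered or not from the provider")
	}
	var list RegionList
	if err := json.Unmarshal(env.Payload, &list); err != nil {
		return nil, fmt.Errorf("malformed payload: %w", err)
	}
	if list.Serial <= minSerial {
		return nil, fmt.Errorf("stale list: serial %d is not newer than %d", list.Serial, minSerial)
	}
	return &list, nil
}

// tamperHost simulates an on-path attacker who can read the plaintext payload
// and swaps one hostname, but cannot re-sign without the private key.
func tamperHost(wire []byte, oldHost, newHost string) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(wire, &env); err != nil {
		return nil, err
	}
	env.Payload = []byte(strings.Replace(string(env.Payload), oldHost, newHost, 1))
	return json.Marshal(env)
}

// Scenario runs the exchange with a fresh key pair standing in for the provider's
// pinned key and reports which of the three deliveries the client accepts.
func Scenario() (genuineOK, tamperedOK, replayOK bool, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	list := RegionList{Serial: 42, Regions: []Region{ // constructed sample data
		{Name: "us-east", Host: "us-east.example.net"},
		{Name: "eu-west", Host: "eu-west.example.net"},
	}}
	wire, err := publish(priv, list)
	if err != nil {
		return
	}
	_, e1 := verify(pub, wire, 41)
	genuineOK = e1 == nil

	forged, err := tamperHost(wire, "us-east.example.net", "attacker.example.org")
	if err != nil {
		return
	}
	_, e2 := verify(pub, forged, 41)
	tamperedOK = e2 == nil

	// The genuine bytes again, but the client has already seen serial 42.
	_, e3 := verify(pub, wire, 42)
	replayOK = e3 == nil
	return
}

func main() {
	g, t, r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v tampered=%v replay=%v\n", g, t, r)
}
```

What the signature buys is integrity and origin; what it does not buy is confidentiality (the fact that a client is a VPN user fetching a region list is visible to the network), freshness (hence the serial; an expiry timestamp would do as well), or any defence against the network simply dropping the request. It also moves the root of trust onto the client's own distribution and update channel, which is the same position the PIA reply above takes.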
Lol this site is a joke, how much is TunnelBear paying him for the top spot? They're the only VPN provider I see consistently spending money on marketing and sponsoring YouTube videos. 'Fun to use'..what? I don't care if my VPN is 'fun', I want it to protect my privacy.
He mentions that 2 of the VPNs are 'uninspired'. Sorry, I didn't realize that tunneling traffic to protect privacy was an art project and not a technical one.
FWIW I've used PIA for 2 years now with no issues. A TON of torrenting has gone through them and they don't care in the least. In addition when their Russian servers were seized I received an email immediately letting me know their current situation and about their key changes due to the event. Plus they no longer do business in that location due to it. Pretty top notch company in my eyes even if their site does look 15 years old.
I agree. I have been using PIA for years and though it is not always blazing fast, it does the job and is very easy to use on both OS X and iOS. I found it really strange that PIA was the only one that hit all 9 of the highly desirable criteria but was "very transactional". I felt the same way about the "fun to use" thing.
I was wondering this as well. Very low quality; seems like more shill advertising. I've been using Windscribe for years and I've only experienced a disconnect once EVER. It's also dead simple to setup and use; basically it's a one click install, then one click to connect (maybe 2 or 3 if you want to switch to a different location), but this is part of his review for Windscribe, "Ultimately, couldn't get a proper connection working."
> Lol this site is a joke, how much is TunnelBear paying him for the top spot?
Sadly, this is the case for a lot of media/recommendations/etc now. Maybe it has always been this way, but it's much more noticeable now.
The fan driven recommendations/sites are a thing of the past as everyone is trying to monetize and make money off their articles.
Even worse, with the move by corporate America/government agencies/political groups into the social media space, even comments/submissions have to be viewed with some degree of skepticism.
It seems like every other article/submission/comment/etc are selling something and the internet/social media/etc is no longer a community but a marketplace.
To steal (and paraphrase) what is basically the perfect summary of this from @SwiftOnSecurity:
Commercial VPNs: for when you want all the security of Ukrainian coffee-house wifi from the comfort of your own home.
Taylor Swift isn't wrong about this. Use something like Algo to run your own VPN if you have to. If you must use a commercial VPN to get to Netflix or whatever, do it from inside a virtual machine that you use for nothing but that.
You have the security of the datacenter provider instead when you use something like Algo. That datacenter provider is going to have logging, probably wouldn't take pseudonymous payment methods like BTC directly, does not have legal insurance, will shut you down if you get enough file sharing complaints and probably wouldn't do things like having RAM-only VPN servers w/ read-only boot media.
Nothing prevents the datacenter provider from doing the bad crap that commercial VPN providers can do. There are ones out there that let you use standard clients as well, so the bad client software part is kind of moot. The only advantage you get is control and responsibility over the vpn server.
> Nothing prevents the datacenter provider from doing the bad crap that commercial VPN providers can do.
Money prevents it. Of course a datacenter could toggle logging for a particular server, but logging everything is very expensive. Most of their clients aren't running VPN servers or file sharing software so it's easier for them to just kick you out on DMCA arrival or when something shady is going on rather than keep your bandwidth.
On the other side, any commercial VPN service is always waiting for problems with law enforcement to come. And unlike a datacenter, a huge part of their customer base will be doing something shady so they can't just stop providing service in every such case.
> Money prevents it. Of course datacenter could toggle logging for particular server, but logging everything is very expensive.
They'll absolutely log a particular server if a law enforcement agency requires that they do so, and they'll bill the agency for it, so money isn't a factor.
Wouldn't it still be prohibitively expensive for a commercial VPN service to log all traffic at all times? The traffic going through should be proportional to their scale, just like a generic VPS company. Why does logging get more expensive just because a server is general-use rather than solely a VPN server?
It could easily still be prohibitively expensive, but I'm totally sure that the percentage of DMCA and law enforcement incidents per customer will be way higher for a commercial VPN service. Especially if this VPN service's marketing is targeted at selling "anonymity", "no logs" and acceptance of cryptocurrencies.
At least they can for sure turn on full logging for anyone who paid with bitcoin (even if it's through Coinbase).
> Use something like Algo to run your own VPN if you have to.
This might be good advice for tech-savvy people, but too hard for most folks.
Also, Algo is targeted at only security/privacy, and not censorship resistant. The last time I checked, it didn't offer any protocols that work well behind GFW.
Also, where are you going to run your VPN? Assuming you don't have your own hosting infrastructure (or domestic broadband connection in another country), then you're renting a server from someone else. Perhaps your assumption is that a random VPS provider is more trustworthy than a random VPN provider?
> If you must use a commercial VPN to get to Netflix or whatever,
> do it from inside a virtual machine that you use for nothing but that.
Again, good advice for tech-savvy people, but not practical for most folks, particularly for the times when they're on mobile devices.
I don't disagree with your overall sentiment (I don't use commercial VPN providers for the same reasons), but for many folks these serve a useful purpose, and there are no practical alternatives.
I use a commercial VPN primarily so that my IP is shared across hundreds of other users (as opposed to using it so that my data is safe being transmitted through coffeehouse WiFi), and thus would make it at least marginally more difficult for someone to track me.
That observation matches my experience, at least for cheap offers. I bought a one-year subscription to ivacy.com (a Hong Kong-based provider ~ Chinese government controlled) at a ridiculously low sale price and it turned out that they impose a maximum password length of 8 characters limited to a small ASCII set. It's like buying a cheap Casio watch imitation with a "waterproof" sticker on it - not really waterproof...
Something that can work well on a limited scale is if you have access to ssh into company/edu servers around the world - then you can use sshuttle and your traffic looks like it's coming from a company/university campus.
Have friends that went back to their homes for summer. They're logging in to their universities via the school VPN to watch Game of Thrones and other things...
This guy has been reviewing VPN services for a while and has put together an incredibly comprehensive table as well as a selection of more detailed reviews, selected from the list at random so as to remain impartial. Recommended.
PS: Since this is HN, I just want to say that if you can, you should run your own VPN. Use Algo, full stop -- it's put together by some of the best in the business. If you do decide to go with a third party provider, hopefully the six criteria I suggest in my post are helpful.
So much wrong about this blog post - first, written by the creator of a VPN company, someone obviously biased, with a stake in the industry:
Many of the items you claim are not addressed by TOPS absolutely are. Questionable/sketchy product marketing & SEO, ethical business practices, etc are all covered in the detailed comparison's Ethics section. Other items you claim he SHOULD look at go against his methodology and are impossible to independently verify - such as technical architecture and sustainability.
The main purpose of jurisdiction is to see which countries are more likely to illegally spy on its citizens and which have a track record of being an "enemy of the internet". You claim a VPN located in the US (like the one you made and have a stake in) are subject to government agencies such as the FTC, but many if not most of these companies are regularly allowed to flout FTC rules on native advertising and bad SEO and such which is why the industry is largely in the misinformation mess that it is - and we all know about Five Eyes and why that matters - any laws claiming to protect its citizens are kind of negated by programs such as PRISM, XKeyScore, and every other one we've learned about from Snowden.
You claim you get suspicious of TOPS's reliability because the data is wrong on Cloak - "TOPS claims that Cloak's native apps leak IPv6 and DNS traffic." The detailed comparison actually shows whether the service officially tunnels or actively blocks IPv6 and runs its own first party DNS server. This is worded plainly in the header and further explained in the glossary. Lastly, if these are actually not the case for yours or any service, all he requires is a link to the official site where the data can be validated. I'm wondering if the point of the article was a lead up to the end in an attempt to turn people away from TOPS so your joke of a service (which surprise surprise, didn't score so well on the chart) isn't seen for what it is.
Thank you for creating a new and anonymous HN account just to deliver your important message.
Alas, it is confused in many particulars. Normally I wouldn't feel the need to reply to posts such as yours, but today the oppressive heat wave seems to have lifted from Seattle and I happen to have a delicious coffee beverage in hand.
So I'll bite:
> First, written by the creator of a VPN company
Guilty as charged. That I co-founded a VPN company is disclosed quite clearly, both here on HN and on my blog. Let there be no confusion. :-)
> someone obviously biased
It's hard to judge another person's biases from afar. I generally refrain from accusing others of bias when I don't know.
But I definitely understand how you might reach the wrong conclusion here. If it helps, I will reiterate that I am no longer with my old company (I sold it quite some time ago); I no longer have skin in the VPN game.
---
Before I dive into your specific points, I want to make a meta-point that seems to have been missed both by you and by other people who responded to my post:
TOPS is, in the right hands, a valuable resource. The person who built TOPS appears to have extremely good intentions and has done an amazing amount of useful work.
The problem isn't TOPS in isolation. The problem is when TOPS gets in the hands of the typical unsavvy potential purchaser of VPN services. It is my belief that the right axes on which to judge VPN services are fundamentally resistant to objective measure. In my experience, unsavvy customers armed only with objective information are likely to go astray.
Okay, on to the specifics:
> Questionable/sketchy product marketing & SEO, ethical business practices, etc are all covered in the detailed comparisons Ethics
Let's take a look at the current ethics columns. Today, they break down more-or-less into two buckets.
The first bucket has to do with affiliate marketing and effectively asks three questions of both the VPN provider and its affiliates: is SPAM avoided, is the copy ethical and is disclosure followed properly? Alas, the gradations of unethical behavior run pretty deep in the VPN affiliate world (ask me over beer sometime), and go far beyond copy and disclosure. TOPS is providing useful information here, but capturing the fullness of affiliate behavior would probably require an armada of columns.
The second bucket is for "good faith" behavior and has exactly three columns, including "contradictory logging policies" (do they say 'no logging' but it looks sketchy?), "claims 100% effectiveness" (nobody can!), and "incentivizes social media spam". These are interesting in a shallow sort of way... alas, it's hard to go particularly deep while remaining objective.
Which brings us to the crux of the matter:
> Other items you claim he SHOULD look at go against his methodology and are impossible to independently verify
Yes and, again, this is the point of my post!
I believe that some of the most important attributes of a VPN provider to consider are precisely the ones that cannot be objectively measured. In other words, trust signals are potentially far more important than many of the objective columns on TOPS. Perhaps I argue this unsuccessfully, but there you have it.
At the end of my post, I suggest six trust signals to look for. These are things that, realistically, cannot be captured objectively. These are also things that I recommend to all potential VPN customers. A handful of VPN providers (including the one I co-founded and providers like TunnelBear and VyprVPN) fit the bill.
> The main purpose of jurisdiction is to see which countries are more likely to illegally spy on its citizens and which have a track record of being an "enemy of the internet"
Yup, the US is bad... which has little to do with whether a VPN provider based in the US is fundamentally trustworthy.
There's a bunch of muddled discussion in your paragraph that follows, so I'll just say this: if one of the "bad" countries wants to get at your VPN traffic, do you really think it matters where your VPN provider is located? If the NSA wants your data, they'll probably find a way to get it.
I will provide one specific ding against US-based VPN providers that you didn't mention: they're subject to National Security Letters. NSLs typically come with a gag order, so providers must both comply and cannot say they have done so. That's quite bad; there's a lot of political momentum in the US right now to change this.
> The detailed comparison actually shows whether the service officially tunnels or actively blocks IPv6
This column on TOPS is a bit confusing and in my opinion needs to be fixed, since it's effectively using a binary to handle tripartite state. The three possible states seem to be: IPv6 is blocked, IPv6 is supported, and IPv6 isn't blocked and actually leaks. I suppose the right thing to do is to have two separate columns.
I elided this detail in my post, I think reasonably so. But it's a good point to make for people looking at TOPS.
> runs its own first party DNS server
Which the service I co-founded does, despite TOPS's claim to the contrary. A minor data inaccuracy; given the complexity of maintaining TOPS, I don't count this against them. I say as much in my blog post.
---
> I'm wondering if the point of the article was a lead up to the end in an attempt to turn people away from TOPS so your joke of a service
Y'know, it really annoys me when thirsty randos show up on the Internet to cast aspersions. But I'll resist the temptation to go further and just have another nice sip of coffee instead. :-)
I don't see how having more information can be harmful. There's even a simplified red/yellow/green table if you don't want the details.
TOPS is one of the extraordinarily few impartial guides to VPN providers. We would be far worse off without it.
Running your own VPN is fine if your goal is to protect yourself from a malicious LAN, but useless if you're trying to hide your identity. The IP of whatever provider you choose can reveal your identity just as easily as your home IP.
> I don't see how having more information can be harmful.
It can be harmful in the hands of less savvy potential VPN customers, when it leads them entirely to the wrong conclusions. (You're unlikely to fit in this category.)
Looks to me like you're primarily advertising Cloaks, owned by a US-based company. There are tons of reasons why privacy-minded users would want to avoid a company under US jurisdiction, but you mention none of them.
There might indeed be reasons to avoid US jurisdiction -- that's true, but it's not relevant to the point I attempt to make, which is that labeling the US "bad" by default and without qualification is silly, and is one (of several) ways TOPS might lead less savvy potential customers astray.
As an aside, I'm skeptical that there are "tons" of actually good reasons to avoid US jurisdiction. I don't doubt that good reasons exist. It's just that I've seen plenty of bad ones! :-)
And to clarify: no, advertising Cloak is absolutely not my goal. If you're interested, I'm always happy to recommend trustworthy VPN services that aren't Cloak. I mention Cloak in that post because in my (biased!) opinion it's a good exemplar of the six criteria I look for. That's no accident, since I co-founded Cloak and built it in part to satisfy those criteria. That I'm Cloak's co-founder is pretty clearly disclosed both here on HN and on my personal blog. I should mention, for completeness, that I'm no longer affiliated with Cloak.
Nah, I don't buy your reply but totally understand your perspective. My assessment and general advice stands as is: for most people (including US citizens) it makes a lot of sense to avoid any US or UK based VPN providers. I'd personally also avoid a company operating under French jurisdiction.
The problem I've found with running my own vpn is that I could not find affordable vps with anywhere near as affordable bandwidth and speed. The main vps providers all cap your download/upload. ovpn is what I settled on and am quite happy.
Yes, this is definitely an issue - I should really put an asterisk on my “roll your own” proclamations. Better VPN providers offer numerous POPs and generally good network perf that can be hard to replicate on one’s own. (That said, these are necessary but not sufficient conditions for a given VPN provider to be “better”.)
"The following VPNs were not reviewed due to their website experience being poorly designed. This can mean heavy use of stock photos, utter disregard for detail, difficult navigation, excessive and hard to follow text, non-defaulting to HTTPS, and overall poor usability. "
And apparently that applies to AirVPN? Lol, this guy lost all credibility, this is just another "honest and totally not paid for online review", that's why TunnelBear is right there at the top (you see their commercials everywhere) and he even says it's his favorite VPN.
Mullvad is the best. If you are comparing VPNs and don't mention Mullvad, you have not done your research. Or, ya know, you're writing a paid review and need to intentionally leave out better VPNs :)
Sounds like a perfect provider. Prices are clearly stated on the site. You get what you pay for. They have some guides for people that might need more help setting it up.
...¿? I don't really need fun. Just want something that's boring, quick and works.
This comment is a nice example of how the "I'm a rational person and only features matter"-mindset actually works against its stated goal.
With any VPN provider, there are certain crucial features where you have to trust them, "no logging" being the most prominent.
Since you're unable to get to the actual truth (until it's too late), you're left with trying to get a sense of the provider's character: are they supporting open source projects in the privacy space? Do they advocate for causes you believe in (by, for example, participating in the net neutrality blackout)? Do they take pride in their work ("show source" may be helpful here)? Do they have humour?
None of these are definitive. But in my experience, it's actually pretty hard for people who aren't members of a certain community to emulate it convincingly.
I agree with your basic premise, and I definitely use some kind of fuzzy gut feel metric when doing my own evaluations. That said, if someone is claiming to do an unbiased review, we need more than gut feel.
If your goal is no logging and one of your metrics is "Do they have humor?", you're in deep trouble.
I wish that people would stop citing White's page without explanation. His stuff about using known secret keys is all about IPsec. People using VPN services mostly use OpenVPN.
When I'm providing security advice to a general audience, I can't expect people to reliably follow detailed instructions. "Oh, use VyperVPN, except you have to use OpenVPN, except on iOS where you're forced to use IPsec, and <detailed description of crypto settings follows>."
I can tell them one thing: use Cloak. And I know that, no matter how they do so, they won't be less safe than they would have been without it.
Well, there's your problem, starting with "Oh, use VyperVPN". IVPN, for example, has leak-free apps for Windows, OS X and iOS. And they are working on Android.
As someone living in China, a VPN provider that doesn't provide direct download links to their Android client is completely useless. The only way for me to install an app from Google Play store is to flash a custom ROM and install the Google Play Store, install another VPN (?!!) to access the Play Store, and then download the app in question.
Furthermore, the fact that Apple has just pulled VPN apps from its App Store and the unfortunate fact that you can't sideload apps makes iOS an untenable OS choice.
> ... Apple has just pulled VPN apps from its App Store and
> ...you can't sideload apps makes iOS an untenable OS choice.
I'm pretty sure you can still install VPN apps (e.g. Potatso 2) from the iOS App Store, although perhaps they're not available if you're logged in with a China iTunes account. iOS allows you to install apps from multiple iTunes accounts on the same device, though, so this doesn't seem like much of a limitation.
(Not sure if they're also blocking by IP address.)
Yeah. I was referring to installing the applications from China. I was unaware of the ability to add a non-Chinese iTunes account to circumvent the issue. Thanks for correcting me!
Sad to see AirVPN excluded. While their website isn't the most elegant I've seen, it's not user hostile enough to abandon altogether, IMO.
It also seems a bit odd to rate VPNs on their specific technical merits and features, and then disqualify for their homepage UI or sign up flow. I'd venture most VPN customers would tolerate a lot of ugliness for a truly private, secure, and reliable service. I would.
Agree. I have been with AirVPN for years, after having tested many of the other highly rated VPNs. AirVPN has a functional website, works great within my Linux containers and is overall very stable. Highly recommended.
> The screenshot of their app on the iOS App Store shows a bunch of credible logos of their mentions, but then quotes "VyperVPN is the best service on the market" as coming from a reddit comment by a random user. Questionable tactic.
Interesting this showed up on HN the same day as the exposé on Facebook's Onavo VPN logging its users' activity.[1] I'm guessing Onavo should be put on that list and given zero stars.
"The only thing harder than finding a VPN provider is finding an honest VPN review website."
100% true since the "best VPN" likely has the highest affiliate commission.
In fact, websites that claim honesty and transparency like BestVPN and VPNMentor actually display pop-up alerts advertising their highest rated VPN.
"I built this website because I wanted to finally get to the bottom of the question: which VPN providers are trying to build an honest long-term brand while also delivering an exceptional product experience?"
This is a fair metric. Unfortunately useless for most VPN users but this is another question. And to give him credit: He does not use affiliate links.
I suspect that he knows little about VPNs and why many users have to use them. By the way, I suspect most of these VPNs to fail in China!
Astrill.com is good for China.
vcp.ovpn.to has a good reputation regarding privacy.
I'm disappointed that Mo flat out disregards options "due to their website experience being poorly designed." A slick website means that money was spent on the website.
I've been using EarthVPN[1], one of his unreviewed options, for several years, and am very happy. It's cheap and cheerful, but yes, the website isn't great. The company is registered in Cyprus, and at USD40/year with three concurrent connections (from the same IP) and servers in many, many countries, it's a great way to bypass geoblocked websites.
I haven't tried. I use one of their UK servers for iPlayer, with dnsmasq and policy routing so that Netflix NZ still works. I should try putting the Roku's default route through the US.
That's the advantage of several connections from the same IP :-)
Why is Private Internet Access so low? It ticks almost all boxes, has a native client for Windows/Linux/Mac/Android/iOS and I have used it on a 300Mbps connection with no degradation of speed. Yet here it gets 2/5 stars? Why??
Obviously not ideal for non-technical users, but I found it really easy to spin up a VPN on Digital Ocean.
I'm sure it wouldn't be hard to make it almost a turnkey operation, just run the script and you're good to go, and then it would be a viable option for non-technical people.
Of course, not ideal for anonymity, but a perfectly fine solution for if you want the security benefits of a VPN, or to get around geoblocking (I originally spun up my VPN to watch something that was geoblocked, now I keep it for when using open wifi connections).
Do DigitalOcean's IPs fall in a well-known IP range that would make it a target for IP blacklisting, as in the apparent case of AWS [0] (i.e. EC2 and Heroku)?
To be honest, despite your reassurance I still expected that there would be affiliate links, purchase cookies or other tracking somewhere (I checked, all good). Thanks for sharing your reviews!
I don't mind affiliate links. I mind when ratings, scores, ordering of results are influenced by payment from the reviewed companies. Or companies get excluded because they don't offer affiliate programs.
Example http://www.top10bestvpn.com/ "Please be advised that the operator of this site ACCEPTS advertising COMPENSATION from certain companies that appear on the site, and such compensation IMPACTS THE LOCATION AND ORDER in which the companies (and/or their products) are presented, and in some cases may also IMPACT THE SCORING that is assigned to them." (emphasis mine)
I'm still looking for a reliable provider that would support openconnect and / or wireguard. Alas, here in China OpenVPN-based VPNs are getting more and more flaky, with talks of shutting down completely soon (not talking about the fake Bloomberg article). IPSec and Socks5 never really worked. Streisand only really works on AWS and having an AWS public IP means no Google most of the time (they block whole IP ranges), annoying Cloudflare captchas and other quirks.
I once tried to set up OpenConnect on one of my servers as I heard it provided good results in China. Not only was the setup process relatively annoying, it was also relatively quickly throttled by the GFW. Shadowsocks / Lantern / ExpressVPN combo remains the best working option for me ATM.
Interesting. I had decent results with openconnect over daily rebuilding t2.nano instances in ap-* regions. Didn't try wireguard yet since I have a Mac, but UBNT ER-X is on the way and it has wireguard support.
I've been considering setting up a slightly different VPN service — one that provides each user their own dedicated VPN server (based on my IKEv2 config script, https://github.com/jawj/IKEv2-setup).
I have used both personal VPS hosted and commercial VPN systems at various times (I currently use a commercial VPN to anonymize some traffic sometimes and bypass national-level censorship).
In my understanding of the various pros and cons of those two options, I'm not sure I grasp the core value proposition that this offers. Why do I want:
A) A server with fewer (one) unique user(s), and therefore traffic that is much easier to analyse;
B) A service with a single static IP and geolocation; but which
C) I am trusting a third party to administer.
I seem to be seeing a service which offers me the biggest drawbacks of both sides. Am I missing something?
This site seems to me an imitation of sitebuilderreport which was featured on indiehackers recently [1]. The design and copywriting are similar. OP, was your site inspired by sitebuilderreport or are you connected with that site?
I'm (British) getting the impression that VPNs are becoming rather important to Americans (int al). Please bear in mind that us foreigners don't always get the memo about the current flavour of the day in all countries. I'm well aware that citizens of CN and many others really need privacy but it seems that there is a reasonably recent strange US fetish with VPNs.
US Congress passed a law earlier this year that dismantled FCC internet privacy protections which prevented people's internet service providers from fully capitalizing on people's internet history. VPN use is a way to encrypt your internet traffic, use not-your-ISP's DNS, and protect private information from being siphoned and ultimately sold.
I'm (British) getting the exact same impression for the UK, given the Investigatory Powers Bill[1] that compels your ISP to log all websites you visit. This is why I now tunnel all my browsing over an IKEv2 VPN.
One reason might be that if you download pirated content you have to do so over VPN. Otherwise your ISP will likely reach out and let you know you are doing something illegal.
From the one line summaries, OP seems to prefer native apps vs. open protocols (e.g. OpenVPN/L2TP/etc.), why is that?
I looked at the Chrome extension of TunnelBear and it requires some ridiculous permissions [1], much more than just "change your proxy settings". This doesn't seem right.
TunnelBear claims to be secure but all they offer is an opaque app. Uhh, no thanks. I prefer to run my own VPN client that doesn't have potential spyware in it. I am surprised this was so highly rated by someone reviewing VPNs.
edit: I know you can't make everyone happy, but there are a LOT of VPN options out there and only the very best should be making it through.
That is nice of them to release a sanitized version of the audit report. I would still prefer openvpn or some other open source client that has been more battle tested for something I intend to use as a privacy tool. I don't think it changes my basic position on a closed source client. Audits are always point in time.
How do you not get IPVanish to work? It's literally just a Windows installer & reboot. You can manually add a server on Android too using their guides (they have step-by-step pictures!). O.m.g.
I chose IPVanish over NordVPN because the latter required me to upload a photo of my passport (to a third party) when paying! Who does that?!
"Facebook uses an internal database to track rivals, including young startups performing unusually well, people familiar with the system say. The database stems from Facebook’s 2013 acquisition of a Tel Aviv-based startup, Onavo, which had built an app that secures users’ privacy by routing their traffic through private servers. The app gives Facebook an unusually detailed look at what users collectively do on their phones, these people say.
The tool shaped Facebook’s decision to buy WhatsApp and informed its live-video strategy, they say. Facebook used Onavo to build its early-bird tool that tips it off to promising services and that helped Facebook home in on Houseparty."
Hi, impressed by the specs of your service. You seem to top both this list and this one (https://thatoneprivacysite.net/vpn-comparison-chart/). And I don't care if I have to pay a little bit more for such high standards.
But are you planning to add more servers in other countries (than the 5 you already offer)?
We are launching three servers in a new country next week, Norway. After that it will take a couple of months before we're ready to expand further. It's time consuming to do research regarding datacenters, find ISPs with satisfactory peering and to ensure that our physical security requirements are met.
Even though it will take some time for the next location to be added, feel free to email us with your suggestion.
I use KeepSolid. I've been really impressed. I think his review has done them a disservice. They have a really helpful app on all platforms and their staff are friendly, too.
Disclaimer: none. I have no affiliation other than I am a customer.
They have been fast, and honest with all 2 of the issues I have had with them over the last almost 3 years. I would strongly recommend them to anyone. If there was a real issue with the service he should have talked about that.
What this review really lacks is the additional features VPNs can provide, such as malware and phishing protection, location diversity, scale, jurisdiction, protocols supported, etc. etc.
I am a happy user of NordVPN with all of the above points addressed by them really well. BTW the latest feature, CyberSec, also blocks ads which is a major plus for me, making the VPN that much faster.
I'm looking for a great VPN.
After looking at https://thatoneprivacysite.net/vpn-comparison-chart/
I found Hide.me interesting except for the price, but on their website they have guides to explain how to manually set up the VPN.
I never see Hide.me mentioned.
Is anyone using it, or does anyone think it's a good choice for privacy on Android, Windows 10 or Mac?
Both iOS and macOS (I don't know about Windows, I haven't used it recently) have built-in VPN clients, so what would be the advantage to using a client from the VPN provider?
* If you need to change your location (country) often, the apps usually have a dropdown where you select the country you wish to connect to
* It's easier to setup, especially for novice users
* They can have additional features, like a kill switch that makes sure that if the VPN connection drops you don't send any traffic over your non-VPN connection
The built-in VPN clients support old broken insecure protocols (PPTP) and expensive, hard-to-implement and hard-to-deploy protocols (L2TP/IPsec), whereas public VPN providers tend to use simple, secure, easy(er) OpenVPN for the bulk of their connections. So you need an add-on client to use them for their best features.
I kind of expected network based tests as reviews.
E.g. throughput, latency, connection setup, encryption strengths, fixed ip address etc etc. This is just a feature compare, where one trusts the vpn provider on their blue eyes, e.g. "No logging or tracking"
I cannot imagine a sane service provider that doesn't have some kind of logging, not of your (in the VPN case) browsing activity itself, but when you connected, what accounts are getting brute forced, etc. etc. This is logging too.
Could use a breakdown of which criteria each provider supported, because just a colored circle doesn't show which of those criteria are supported or not.
I'm not impressed with this review. The author doesn't even mention the need to prevent leaks with firewall rules.
Edit: As others note, he doesn't include AirVPN, which is one of the best activist-focused services around. And his comments about IVPN are bizarre. It is expensive. But it has no affiliate program, and its apps are among the best. In particular, for being leak free.
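As an added example, not code from anyone in this thread: one way to implement the leak-preventing firewall rules the comment above asks for is an nftables kill switch, shown here together with the dnsmasq and policy-routing lines that let one chosen service bypass the tunnel, in the spirit of the iPlayer/Netflix split an earlier commenter describes. Every interface name, address and domain below is a constructed placeholder: tun0, eth0, ISP gateway 192.168.1.1, VPN endpoint 203.0.113.10 udp/1194, LAN 192.168.1.0/24, provider resolver 10.8.0.1, and example.net as the bypassed service.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Emits (1) an nftables
# "kill switch" ruleset so traffic can only leave through the tunnel, and
# (2) dnsmasq and policy-routing lines that send one chosen service around
# the tunnel. All interface names, addresses and domains are constructed
# placeholders (203.0.113.0/24 is a documentation range).

# Kill switch: policy drop on both hooks, so anything not explicitly allowed,
# including IPv6 on the plain interface and DNS to the ISP's resolver, is
# dropped rather than leaked while the tunnel is down.
gen_killswitch() {
  vpn_if=$1 vpn_host=$2 vpn_port=$3 lan=$4
  cat <<EOF
table inet killswitch {
  set direct4 {
    type ipv4_addr
  }
  chain reroute {
    # route-type chain: a mark change here makes the kernel re-run the
    # routing lookup, which is what lets the fwmark rule take effect
    type route hook output priority mangle; policy accept;
    ip daddr @direct4 meta mark set 0x1
  }
  chain output {
    type filter hook output priority filter; policy drop;
    oif lo accept
    oif $vpn_if accept
    ip daddr $vpn_host udp dport $vpn_port accept
    ip daddr $lan accept
    udp dport 67 accept
    meta mark 0x1 accept
  }
  chain input {
    type filter hook input priority filter; policy drop;
    iif lo accept
    ct state established,related accept
    ip saddr $lan accept
  }
}
EOF
}

# dnsmasq: resolve through the provider's resolver inside the tunnel and push
# addresses resolved for the bypass domain into the kill switch's direct4 set
# (nftset= needs dnsmasq 2.87 or newer).
gen_dnsmasq() {
  domain=$1 vpn_dns=$2
  cat <<EOF
no-resolv
server=$vpn_dns
nftset=/$domain/4#inet#killswitch#direct4
EOF
}

# Policy routing: marked packets use table 100, whose default route is the
# ISP gateway on the plain interface instead of the tunnel.
gen_policy_routing() {
  plain_if=$1 gw=$2
  cat <<EOF
ip rule add fwmark 0x1 lookup 100 priority 100
ip route add default via $gw dev $plain_if table 100
EOF
}

# Optional syntax check: nft -c parses and validates without applying anything.
# Returns 0 when nft is not installed so the example still runs anywhere.
check_ruleset() {
  command -v nft >/dev/null 2>&1 || return 0
  gen_killswitch "$@" | nft -c -f -
}

# Constructed usage: print all three fragments.
gen_killswitch tun0 203.0.113.10 1194 192.168.1.0/24
gen_dnsmasq example.net 10.8.0.1
gen_policy_routing eth0 192.168.1.1
```

Load the ruleset with `nft -f`, restart dnsmasq, and apply the two `ip` commands; the bypass weakens the kill switch only for addresses dnsmasq has resolved for the bypass domain.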
Any opinions on ProtonVPN? I use it now more or less everywhere. No problems with it - it's fast enough (though it definitely slows down my connection from about 12 to 16 Mb/s to about 5 to 10 Mb/s).
I chose it b/c the organization behind it seems trustworthy. I don't know what the author has in mind when he labels the billing practice "shady".
Horrible article.
If he tried the services he didn't like the websites for (fucking childish excuse btw), he would realise that AirVPN offers all the services he was treating as a pro. This is a disappointing read, and even more disgusting that it made its way up to the top of this great website.
All this article is missing is the referral links - then I don't see any difference with other websites, which the author wants to distinguish from. Actually, there are some good websites around - it just takes a lot of patience to search...
Has the world forgotten about iPredator? The VPN service spawning from the legal issues with The Pirate Bay. One would assume that a VPN "by crime riders, for crime riders" would fulfil all the requirements and many more.
A nice-to-have would be a static IP address so that you can run a private home server. Pity that the site doesn't include this, since only a few VPN providers have an option for that.
If I just don't like the feeling of being logged by some ISP, is paying for a VPN something for me? Any free options for privacy? Or is it more for torrents and stuff?
If you don't like being logged, then having a logless VPN like ExpressVPN, TunnelBear, etc. should be fine. For torrents, some VPNs like TunnelBear prefer to disable the BitTorrent port completely.
So, it's just a matter of finding a VPN that matches your preferences, but I'd avoid using a free VPN.
Reading his reviews I felt the author was looking for that warm feeling a toddler feels when being coddled by his mother. Take a look at his comments on PIA, "Extremely transactional. You get in and get out. It delivers its experience the way a utility company would. Sometimes, that may be a good thing. But in this case, I'd rather give my money to a company who might put it to better use."
What? Extremely transactional? You're in and out? When using my VPN I want to click 'connect' to connect, choose US if I want my connection for the US, and 'disconnect' to disconnect... No fancy website or pretty colors needed.
Surprised few people picked up on this... this site is 100% Bullshit. The "ratings" are purely driven by which server is offering the author a commission per sign up.
How do I know this? I do the same thing with my sites.
He doesn't like PIA, a company that sponsors dozens of security companies/projects/etc because he would rather the company he chooses put their money to better use.... Like make bear graphics so his VPN is 'fun' to use.
Again - how did this make the front page... Embarrassing for HN.
"First, I'm upset at Private Internet Access because I had to modify this site's CSS just for their needlessly long name."
Are you kidding me? Really?