If you search the Firefox add-ons website for "VPN", 170 results are returned at the time of this writing. Not all of these are add-ons for Virtual Private Networks, but most are and some of the most popular ones are by companies which advertise their service as being "free".
Rule #1: NEVER trust a VPN whose service is "free"! It costs a lot of money, time and effort to run a proper VPN service, so if it's advertised as being "free", it's because you are likely the product. For example, the most used VPN add-on is Browsec VPN. Let's have a look at two excerpts from their "privacy" policy:
1.1 Personal information
"Personal information" means any information that identifies you and includes information provided by you when using our services.
2. Use of Personal Information
2.1 Use
Browsec may use automatically-collected information in the aggregate for the purpose of monitoring, research or analysis. The information is collected only when Browsec service is currently active.2.2 Disclosure
Browsec may share anonymous data in aggregated form with third parties, including its affiliates, advertisers and other current or prospective business partners. Browsec may use anonymous data for web site administration, advertising and promotional purposes and may share such information with affiliated and unaffiliated entities for such purposes.
Browsec may provide access to anonymous data collected from Browsec users to outside companies for purposes of monitoring, analytics, advertising and marketing.
Does Browsec VPN sound like a Virtual Private Network provider to you?
Rule #2: A browser add-on is never necessary to use any quality VPN service.
Rule #3: Protecting only browser traffic leaves the rest of your system and network devices unprotected.
Rule #4: Many, if not most VPN's, are GARBAGE!
Rule #5: Many "reviews" of VPN companies are written by paid bloggers or employees.
Rule #6: Any caring VPN provider will not require any personal information to create an account. Payment may be made using cryptocurrency and not even an email address (or at least not a real one) will be required.
The fact is, no VPN can be trusted entirely unless you run it yourself with your own physically secured hardware and that is not a job for any amateur. That said, there are two, and only two VPN providers that i've found thus far, that seem to be trustworthy, one being AzireVPN and the other being OVPN. Both claim to own, secure and deploy their own hardware, both claim to run the OS in RAM only (no storage media), both support WireGuard, and both accept cryptocurrencies. More information on these companies is contained in my article, Tor versus a VPN – Which is right for you?. If you know of any other VPN's that tic these boxes, let me know.
UPDATE: Thanks to 'Mark' in the comments who twisted my arm to have a closer look at Mullvad. It appears Mullvad does indeed own some of their servers and a portion of those run the OS in RAM, however that list gets quite small when you filter by WireGuard and there are none located in the U.S.. The remainder of their servers are dedicated we are told and many of those, including those in the U.S., run the OS in RAM and support WireGuard.
I suggest checking Mullvad: Open Source + BTC + Monero + no data (even email)
https://digital-lab-wp.consumerreports.org/wp-content/uploads/2021/12/VPN-White-Paper.pdf
i’ve heard many people recommend Mullvad, however i don’t believe they own or physically secure their servers – that said, i don’t think Mullvad is a bad choice, but i don’t know that it’s a better choice than Azire or OVPN
i’m not sure what you’re referring to when you mention open source – both WireGuard and OpenVPN are FOSS
1. Their applications are FOSS as one of the few on the market and have deterministic builds
2. Here you can choose your own and physical servers as well as RAM-servers and even ISPs:
https://mullvad.net/pl/servers/
https://mullvad.net/pl/help/server-list/
https://mullvad.net/pl/blog/2019/8/7/open-source-firmware-future/
https://mullvad.net/pl/blog/2019/6/3/system-transparency-future/
3. It’s worth to read the pdf attached above, because they really deserve your attention ;)
you’re right Mark – i like what i see so far, and i see they do own some of their servers and the rest are at least dedicated
are you affiliated with Mullvad?
I am not associated with Mullvad in any way. I searched for a long time as the most possible VPN supplier (in my country it is very important).
I wanted to share my insights because I value your work very much!
Pdf I have linked is extensive, but it is worth knowing because it draws attention to interesting things
thanks for the info – i added an update to this post and also updated the Tor versus a VPN article + added a link there to the pdf
It is interesting that important information has arrived today = this is a sign from the galaxy ;)
Pay attention to care and transparency: https://mullvad.net/en/blog/2022/10/21/security-audit-report-for-our-app-available/
Something **all** VPN users should consider…
If I was the establishment I would create a VPN, like AzireVPN, OVPN, and Mullvad. But not just like, exactly it. I would even run it exactly as advertised. If the VPN lands in court it will live up precisely to its expectations. Why? Because it gives me access to private information of everybody using my service and I can collect as much data of what sites they visit, when, how often, etc, exactly the details we want to hide from our ISPs. My service will come highly recommended by security experts in the field etc. You catch my drift.
Now i am not saying i am not using VPN myself, i am just saying this should really be considered if you are really serious about your privacy. You can connect to your VPN provider anonymously which will eliminate the described problem, but most people don’t, in which case the above should be taken into consideration.
Now i can already hear the argument that you’re paying anonymously for your VPN service using cryptocurrency, in which case i hope you bought the crypto anonymously to start with, BUT, even if you did purchase your crypto anonymously and your are connecting anonymously to the cloud with your crypto client when you are making your transactions, even if you did everything anonymously (high five across the galaxy), if you connect to your VPN provider with your clearnet IP, THEY know exactly who you are and where you are connecting from etc.
Being completely anonymous is a tricky thing.
> Being completely anonymous is a tricky thing.
agreed! and i also agree that no VPN is deserving of 100% of your trust, however i would posit the same for Tor which you could substitute for VPN in your comment and, minus the payment part, your comment would still hold true i suspect
Only that with TOR your adversary would need to (own and) control both your enter and exit nodes, which will unlikely be the same two if you reconnect to the TOR network. Making this attack a real pain in the ass and a gamble. Which is why it is highly insecure to choose your own enter and exit nodes possibly always keeping them the same (facepalm) or choosing exit nodes for specific tasks. Your adversary could learn your behavior and thus refine the attack and increase likelihood of success.
where there’s a will there’s a way – i’ve never done this, and i’m not sure it’s very possible to do unless you’re the ISP, but from what i’m told an entire Tor network can be run on one box: https://shadow.github.io/
On a fundamental level, I agree with you. But sometimes you have to make a choice other than global anonymity:
Two arguments for me:
1. You trust your VPN more than your ISP (ISP is a big problem in my country)
2. In my country, you have to steer clear of government censorship