VPN Not Safe Anymore. Is it? (Is what my Friend claims.)

I've got a friend who works his life in IT and runs his servers etc.
His opinion is that VPNs are not safe anymore and not worth putting money into.

But why?
He says the ISP logs the key for the (IIRC) AES-256 that the VPN uses.
My response was privately exchanged keys, but not really a solid answer on that.
I mean sure, AES-256 isn't great, but an ISP cannot just crack that willy-nilly, right?

I personally think he is being a bit too paranoid.
Sure, a VPN connection from anywhere is suspicious for an ISP, but what are they gonna do?
Allocate resources to hunt down and somehow find out what those vpn users use the vpn for?

Edit: Well, I did not expect this to blow up.
From what I can gather, a VPN is generally in 95% of cases still better than no VPN.
Even though (apparently) the VPN providers know what you do, and having one who does not hand out any info or is completely unable to hand out info is best.

Yes, the VPN provider knows what you’re doing. You’re relying on them to not share your data; we just know they’re more reputable than ISPs.

He says the ISP logs the key for the (IIRC) AES-256 that the VPN uses.

They’re wrong. HTTPS protects that private key exchange from anyone but you and the VPN provider.

ISPs want to make money and not break the law. They don’t care what you do if you don’t get them in trouble.

It can also hide your traffic from other users if you are on an open network, like hotel wifi, et al.

It’s not worth an ISPs time to try and find what you’re doing with a VPN.

Once any traffic is not immediately visible to them they can claim ignorance of anything and their requirements to make sure you’re not doing anything bad end. Why would they make extra work for themselves?

Yes, VPN providers know about all your activities.

Just look up Facebook and Onavo.

Basically Facebook acquired this VPN company and used the analytics to buy out up and coming social networks before they got to any reputable size.

There was plenty of social media before Facebook, like MySpace and Bebo, and Facebook was a complete nobody at the time, not knowing what direction to take. But no competitors. Major buyouts like Instagram and WhatsApp are notable but not normal.

So VPN isn’t safe if you are not in control of it.

VPN is a virtual private network.

That’s it, that means between you and the server you connect to is private. Once it exits onto the big bad web it’s back to being vulnerable.

A VPN like WireGuard is noted as being extremely secure and has been adopted straight into the Linux kernel, which is an incredible accolade. It’s not vulnerable to decryption, but it is vulnerable to deep packet inspection, as in "yes, this is WireGuard VPN traffic", but nothing more and nothing less.

The VPN server knows your source IP address because it has to get packets back to you. This source IP address can be associated with your identity by law enforcement if they subpoena your ISP. They can’t get this source IP from logs (let’s just assume there are none), but they can figure it out via traffic patterns.

While there may be hundreds of outbound connections from the VPN server to all sorts of places on the Internet (further obscuring what you are actually doing), the right people can still identify the session traffic. From there they can see that a particular session is using X amount of data per minute.

Then they look at the connections to the VPN server (again, there may be hundreds) and they can see that session traffic. Now you can’t directly correlate the incoming session with the outgoing session by some packet identifier. But you could see a similar traffic amount in one in-bound session that matches an outbound session.

Now whoever is doing this investigation knows, with some reasonable probability, the source IP of the person on the anonymized side of the VPN. Maybe that’s not enough to close a case, but it would significantly narrow down the potential suspects.

If they kept up that monitoring, they could possibly generate a timeline. For example, at 2 PM GMT the suspected host started transferring a lot of data and the anonymized VPN session also started transferring a similar amount of data. At 3 PM GMT, the suspected host stopped the traffic and, look at that, the anonymized session also stopped.

Your ISP is NOT going to do this. But the FBI can and will. Even if the VPN company has no logs and is running their servers in RAM, the data center where the VPN server is hosted (which is NOT owned by the VPN company and probably has policies to comply with any and all law enforcement) can give them access to the data streams to and from that VPN server.

If you are torrenting or just trying to hide porn viewing from your ISP, the FBI is not going to get involved. But if you are truly up to no good, a VPN may not do much to help. As others have said, it’s better than nothing, but you can’t trust it to be some magic anonymizing thing. And I bet you that the FBI (and CIA and NSA and KGB, MI5/6, etc…) all have software that will do that analysis and correlation pretty quickly. Heck it’s probably pre-installed at a lot of internet backbone data centers.
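As an added illustration of the correlation described in the post above (not code from the thread), the toy simulation below scores constructed per-minute byte counts of client-to-VPN sessions against VPN-to-internet sessions with a Pearson correlation, and then shows why constant-rate cover traffic (the usual mitigation) leaves the analyst with nothing to match. All session data is made up; the session names are placeholders.

```python
# Added example, not from the thread: volume/timing correlation across a VPN
# server, plus the constant-rate padding mitigation. All data is constructed.
import math

# Per-minute byte counts for three client -> VPN sessions (constructed).
INBOUND = {
    "client_A": [1200, 50900, 52100, 49800, 300, 200],
    "client_B": [800, 900, 700, 1000, 850, 900],
    "client_C": [30000, 100, 200, 31000, 29000, 100],
}
# Per-minute byte counts for three VPN -> internet sessions (constructed).
# Volumes differ slightly from the inbound ones: tunnel overhead and jitter.
OUTBOUND = {
    "exit_1": [29100, 150, 250, 30200, 28300, 120],
    "exit_2": [1150, 49500, 50900, 48700, 250, 180],
    "exit_3": [700, 850, 650, 950, 800, 820],
}

def pearson(xs, ys):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    if sx == 0 or sy == 0:
        return 0.0  # no variance => no signal to correlate on
    return cov / (sx * sy)

def best_matches(inbound, outbound):
    """Map each inbound session to the outbound session it correlates with best."""
    result = {}
    for name, series in inbound.items():
        scores = {o: pearson(series, s) for o, s in outbound.items()}
        best = max(scores, key=scores.get)
        result[name] = (best, round(scores[best], 3))
    return result

def pad_to_constant_rate(sessions, rate):
    """Mitigation: every session carries exactly `rate` bytes per minute
    (cover traffic), so per-minute volume no longer distinguishes sessions."""
    return {name: [rate] * len(series) for name, series in sessions.items()}

if __name__ == "__main__":
    print("unpadded:", best_matches(INBOUND, OUTBOUND))
    padded_in = pad_to_constant_rate(INBOUND, 60000)
    padded_out = pad_to_constant_rate(OUTBOUND, 60000)
    print("padded:  ", best_matches(padded_in, padded_out))
```

On the unpadded data each client pairs with one exit at a correlation near 1; after padding every score is 0.0 and the "best" match is meaningless.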

My ISP makes money by connecting me to the internet. For them it doesn’t matter if there is a logging scandal because I am not paying them to not log my traffic but to provide me the internet connection.
A VPN provider gets money from me in order to not log my traffic and hide it from my ISP. If there is a logging scandal, then my VPN provider goes out of business.

Therefore the reason why I trust my VPN provider more than my ISP is that one needs to do what they claim in order to stay in business, while the other doesn’t need this.

It sounds like your friend has valid concerns, but VPNs still offer significant privacy benefits against ISPs snooping. It’s about risk mitigation.

It’s not the encryption or the like you need to worry about.

You’re shifting the ability to be monitored from your ISP to said VPN provider. Everything out of the VPN network is as-if you weren’t using a VPN. Do you trust them?

Android or iOS don’t firewall inbound traffic on a VPN. So any ports or sockets on your device can be directly connected to from said VPN (this is how I access resources on my phone remotely). If said VPN isn’t set-up properly, other users may be able to, too.

Is the VPN software/app actually secure? Is it backdoored? Does it ask for excessive permissions? Is it using the cryptographic methods it claims?

Is the VPN run by trusted or shady individuals?

The list could go on.

Baseline rule. If you don’t run the VPN yourself and don’t control the infrastructure in which it resides, it’s not safe.

No, ISPs can’t just crack your VPN. I think that kind of attack would need to be done on the user or VPN machine, unless there’s a vulnerability on the VPN which is exploited. Good VPNs will be as protected as possible against vulnerabilities. Keep your client and OS patched. If the NSA are breaking into your house you’re fucked whatever precautions you take, so don’t worry about that, and obviously don’t do anything serious enough for that kind of attention :smiley:

What about running my own VPN?

we just know they’re more reputable than ISPs.

More importantly, usually the VPN has less data about you than the ISP does. It’s fairly easy to sign up for a VPN without giving ID, whereas the ISP knows your home address, almost certainly your real name, etc. So it’s better to split data between the ISP and the VPN instead of letting the ISP have all of it.

How do you know this? Most of them are probably honeypots.

Why are they more reputable? VPNs provide a false sense of security unless you run your own. They also make performance worse and make troubleshooting more of a PITA.

It’s fairly easy to sign up for a VPN without giving ID. So what does the VPN know, what can they betray? Just “Someone at IP address A is doing HTTPS traffic to sites B, C, D”.

What if someone chains two VPNs? Like installing VPN A on the device and VPN B in the browser as an extension. Does it make both VPN providers blind to “who is visiting this site”? Let’s assume both VPNs are purchased with a real credit card, so they know the client!

That is some great insight. Thank you^^

Running your own VPN still sends your traffic to your ISP directly from your home.