← Back to context

Comment by fulafel

3 years ago

VPN originally meant something quite different from the commercial consumer VPN product that mullvad represents, and was more like the encrypted overlay network provided by Tailscale. These are coming together again in this revolution of the wheel of reinvention. Not using "reinvention" in any negative way here, this is is good, I think.

For history and how some people (John Gilmore[1]) thought uniquitous interoperable VPN tech (using the IETF standardized IPSec) be used to end-to-end secure internet traffic generally, see eg this FreeS/WAN rationale from the 90s: http://web.archive.org/web/20210125023625/https://www.freesw...

Then in between then and now were the VPN dark ages where it was mostly only used as a tech to accesss old timey corporate "internal networks".

[1] https://en.wikipedia.org/wiki/John_Gilmore_(activist)

57 comments

fulafel

Reply
sam0x17  3 years ago

Don't forget that historically, a "half-measure" a lot of people used to use to get around regional blocking was "web proxies" like those linked to by proxy.org. I used to operate one as a young teen and I will say they are a security nightmare -- nothing stopping a web proxy operator from sniffing all user credentials passing through them, and modifying PHPRoxy to do this is trivial.

Personally I used to run a domain parking service (back when I was a teen in the early 00s) that used the domains as web proxies and replaced all adsense blocks it could find in the content with my adsense code, and did a 50/50 split between my code and the domain owner's code. Google eventually became wise to this and banned that sort of thing but it was pretty cool while it lasted, and honestly I think it was super fair considering we didn't even add any ad blocks just re-used the existing ones already in the content.

  • lxgr  3 years ago

    With practically-ubiquitous HTTPS, these days proxy use is mainly a privacy risk since for HTTPS, they usually can only support transparent byte relaying anyway.

    • codetrotter  3 years ago

      > for HTTPS, they usually can only support transparent byte relaying anyway.

      On my LAN I run Squid on a Raspberry Pi, and have my personal laptop configured to use that as a HTTP and HTTPS proxy.

      All TLS HTTP connections going through the Squid proxy are intercepted.

      This only requires that my laptop trusts a self-signed TLS certificate that Squid uses.

      Someone could easily run the same kind of thing on the internet, providing free proxy service and telling their users to trust a certificate signed by them, without properly explaining the consequences of that. And a lot of novice users would likely use that proxy service. Gleefully unaware that even the “encrypted” traffic is completely visible to the proxy.

      In fact, I would be extremely surprised if there aren’t a whole gazillion of services out there doing exactly that.

      But in many jurisdictions running a service like that would likely be cybercrime. And even if it wasn’t illegal, it’s still not nice. So, you know, don’t go and actually create a service like that.

      22 replies →

    • sam0x17  3 years ago

      web proxies completely bypass any protection offered by HTTPS as they act as a true man-in-the-middle and place requests on behalf of the user. Unlike traditional proxies, web proxies are entirely web based and use a web interface so literally all the data flows through the server side code of the web proxy.

  • AdmiralAsshat  3 years ago

    > nothing stopping a web proxy operator from sniffing all user credentials passing through them, and modifying PHPRoxy to do this is trivial

    That's why you go through seven proxies.

    • barkingcat  3 years ago

      no, that's why you tunnel through seven proxies, each being used with different sets of credentials/encryption keys, all disposable. The last tunnel is not the main data channel, but the channel you use to coordinate command and control, and then you use a botnet to distribute pieces of your real communications.

    • sam0x17  3 years ago

      web proxies aren't traditional proxies. They have a web interface and issue requests on behalf of the user server side, so all of the user's data flows through the user interface and the server side in plain text (though protected by the HTTPS of the web proxy itself). This is fine if you 100% trust the web proxy, but a malicious web proxy operator could easily look at all your data.

  • Bluecobra  3 years ago

    I used to pay a small fee for a shell account by some UK provider so I could setup a SOCKS proxy over a SSH tunnel. I suppose they could have captured my egress traffic but I trusted them not to that. I was just using it to watch BBC iPlayer/Channel 4 from the US anyways. :)

hinkley  3 years ago

The first VPNs I encountered were for bridging branch offices onto the corporate network.

It was only later when they made 'consumer' vpns where they became point-to-multipoint affairs, for bridging a single computer onto the network. I'm not really sure how that confusion happened. In that era they were glorified SSH tunnels.

  • paleotrope  3 years ago

    Well they generally call the first type Site to Site VPN tunnels and the second client tunnels. Lots of different marketing from various companies makes it confusing since it's basically all the same oss under the hood.

  • OJFord  3 years ago

    Presumably via corporate 'single computer onto the network', basically as soon as laptops became commonly issued.

badrabbit  3 years ago

Not "originally" but still, site to site VPNs are widely used.

Technically, mullvad's VPN is also site to site, except the remote site is the internet.

I regularly used similar VPNs to connect entire segments of my home LAN to the internet.

The main difference is how you setup the client end because almost always, the other end is a network instead of a host.

mindslight  3 years ago

What is with this tendency to want to gatekeep the term "VPN" away from consumer-oriented providers? The general term "VPN" means exactly the same thing now as it did 20 years ago.

Virtual means it doesn't correspond to a physical network interface. Private means it involves encryption, as opposed to a basic tunnel like ipip or 6in4. And they've always been network interfaces showing up on some node, regardless of whether that node might have been a vendor's proprietary black box.

Decades ago there were fewer uses/topologies, dedicated "routers" were more important, and people naively trusted infrastructure. Those are the differences that have evolved with time. Quick searches say OpenVPN was released in 2001, and tinc in 1998.

  • lmm  3 years ago

    > Private means it involves encryption, as opposed to a basic tunnel like ipip or 6in4.

    The common-sense meaning of "private network" was, and is, a network that is private. I had one with a bunch of my university friends - we ran our own network services that we wouldn't trust to the wider world, like we had back when we lived together and really did have our own private network.

    A point-to-point line to the provider's router that then bridges you onto the public internet is a "private network" only in the most degenerate sense.

    • mindslight  3 years ago

      > A point-to-point line to the provider's router that then bridges you onto the public internet is a "private network" only in the most degenerate sense.

      You can make an analogous argument about the traditional corporate site to site VPN, which is a point to point link between routers that bridges two non-virtual networks. By your standard, calling that a virtual network is only true in the degenerate sense.

      I see your point about the possible meaning of "private", but I don't think that quibbling over the semantics is useful for much besides gatekeeping. There were plenty of corporate VPN links piping Internet-reachable IP addresses, just as there were plenty of VPN links with broken or nonexistent crypto.

      2 replies →