Comment by Scrounger
16 hours ago
I don't think I agree with the following from this guide:
> Do not use a personal virtual private network (VPN). Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface. Many free and commercial VPN providers have questionable security and privacy policies. However, if your organization requires a VPN client to access its data, that is a different use case.
What do you disagree with?
> Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface.
That's true. A VPN service replaces the ISP as the Internet gateway with the VPN's systems. By adding a component, you increase the attack surface.
> Many free and commercial VPN providers have questionable security and privacy policies.
Certainly true.
> if your organization requires a VPN client to access its data, that is a different use case.
Also true: That's not a VPN service; you are (probably) connecting to your organization's systems.
There may be better VPN services - Mullvad has a good reputation around here - but we really don't know. Successful VPN services would be a magnet for state-level and other attackers, which is what the document may be concerned with.