What's a good VPN for Sonoma OS Mac M3?

Walletarian wrote:

1. First, thanks for quick response.

One that encrypts my browsing, especially financial institutions

Built in.

It’s called Transport Layer Security, or TLS, or by the older Secure Sockets Layer SSL name. When used in website access, it’s shown as an HTTPS connection. TLS / SSL / HTTPS creates a secure connection from your local client all the way to the destination server, and back.

For added privacy, enable iCloud+ and Private Relay.

2. Home (fiber network w Wifi), travel through airports, hospitals, general web browsing

Built in.

3. account info, transactions, medical data

Built in.

4. Always like free, but the adage you get what you pay for holds true. Less than $100

Built in. Free, too.

Not sure of your "aware" statement. You saying no VPN will protect general web browsing.

The commercial first-few-hops,VPN apps add a weak second tunnel around the first (and far more secure, and end-to-end) TLS tunnel, and personally attribute the traffic to you. Which means that while the services might not have access to your data, they do have access to your metadata, all neatly centralized and terminated onto their servers for easy collection and attribution.

Commercial first-few-hops VPNs badly solve a problem that hasn’t existed for a decade or so, and badly solve it using a second and weak tunnel around just part of the far more secure and end-to-end tunnels already used, and badly solve the problem in a way that is perfect for collecting and personally-identifying and reselling users’ network activities.

Too many of the VPN vendors are themselves either shady, or have been caught in lies such as the leak of logs from the “no logging” VPN services.

And I’m sure that the massive hype around VPNs is not indicative of shady business practices, of course. 🙄

If you really need a VPN for geolocation shifting such as for website testing, or content delivery network testing, or such, look at running your own Algo server.

Walletarian wrote:

Thanks, Bob,

So logging into a bank site with two factor is best I can do? How does Norton et al, get away with security claims then, or is it just the MacOS Security is so good?

I don't like being a suckerfish :)

If you are connecting to a bank or such, use secure protocols such as https or sftp rather than insecure protocols.

Public VPNs do not add additional security. If you are sending insecure data on the Internet the vpn company, and all nodes between you and the final destination, sees that information and they can do with it whatever they feel like doing (selling it, sharing it, etc.) They then dump your information back onto the Internet to send it to the bank etc. These VPN companies do not have special secure access to banks, etc. They forward your data, after accessing it, in the same way you initiated the transaction.

Just adding to the excellent and comprehensive replies you already received:

Don't use VPN services. No, seriously, don't.

To which I would add: no. Seriously. Don't.

I travel a bit and hotels often offer free internet.

So do I. I'm traveling right now. I'm using an old Mac. A very old, well-traveled, beaten-up outdated one running an "obsolete" operating system. Yet somehow I manage to make financial transactions and probably do everything else you do, without using VPNs, "Norton" or any of that nonsense. Do I look worried?

I am a bit annoyed that I can't watch a movie that isn't available outside the US at the moment. I suppose I could use a VPN to get around that inconvenience, but I'll get over it. Or perhaps I'll just have to spend the twenty bucks and buy it.

Read Effective defenses against malware and other threats - Apple Community. That's what I do and it's what I recommend.

Could you provide us with four additional bits of information?

1. What do you consider as a "good" VPN?
2. Will you be accessing a device at your home or work location? ... or for general web browsing?
3. How secure do you want to be using this VPN ... or, maybe, what are you trying to protect using one?
4. What is your price ceiling, or only looking for free options?

Just so you are aware, no VPN for general web browsing, will provide you with 100% end-to-end security.

Ok, let's go over each of those:

1. No VPN encrypts your data if that data it not already encrypted. Instead it provides a secure "tunnel" for that data to travel to. As you know, when you prefix a URL with "https:" that already encrypts that data stream between your device and the website's web server. Using a VPN with already encrypted data will add to the level of security.
2. When connecting to your home from a remote location, your home's router (or a dedicated VPN server) will be required to establish a VPN between devices. That would mean, your home router must not only include VPN server service, but also be configured to accept request to establish a VPN tunnel from a VPN client running on your Mac. This would also be true if you are connecting to your company's network.
3. Yes, these definitely would be types of data you would not want to be open to the public. A VPN would help with this.
4. As you can imagine, you do "get what you pay for." Most "free" VPNs have to make money some way in order to provide their service. Free VPNs also tend to have far fewer servers to handle managing VPNs. It is best to shop around. The key question to ask the VPN provider is do they keep track of your data, and if they do, what do they do with it? A number of well-know brands do, in some form or other, sell this information.

Not sure of your "aware" statement. You saying no VPN will protect general web browsing.

Yes, I'm very familiar with this. Most, if not all, VPNs that provide you with a service to "protect" web browsing, are based on using SSL/TLS. These are also known as "User to Server" VPNs.

Yes the data traversing the VPN tunnel between your device and the VPN provider is mostly encrypted (I say mostly, because a few "bad eggs" have been known not to actually provide you with an actual encrypted tunnel), when that data leaves their server to journey the rest of the way to the actual website's server, it is now completely outside of the tunnel ... leaving it vulnerable to attack. That's why I'm saying that these do NOT provide 100% end-to-end security.

The only VPNs that do are the ones that you (or your company) has control of both end-points of the tunnel.

Although the following article is a bit outdated (2017), it still holds true today. Hopefully, you will find it an interesting read. There are many more like it.

• https://www.engadget.com/2017-04-07-good-luck-finding-a-safe-vpn.html

Walletarian wrote:

1. First, thanks for quick response.

One that encrypts my browsing, especially financial institutions

2. Home (fiber network w Wifi), travel through airports, hospitals, general web browsing

3. account info, transactions, medical data

4. Always like free, but the adage you get what you pay for holds true. Less than $100

Not sure of your "aware" statement. You saying no VPN will protect general web browsing.

Unless you are using the VPN to create a secure point-to-point tunnel to your workplace or other institution's private network the VPN provides no security.

Walletarian wrote:

Thanks, Bob,

So logging into a bank site with two factor is best I can do?

Two-factor is an authentication mechanism, not a privacy mechanism. 2FA is a last-ditch protection against compromised credentials, such as attacks based on password reuse and the ever-popular password cramming, or credentials phishing. (SMS- or standard RCS-based messaging 2FA isn’t great, but it’s better than no 2FA.)

How does Norton et al, get away with security claims then,

I’d expect most vendors will adhere to their tech specs and their fine print. Vendors may well include omissions or gaps or glossed-over details that are “advantageous” (to the vendor) in their fine print, of course. Avast surprised a few of their users a while back, for instance.

or is it just the MacOS Security is so good?

Most modern systems do pretty well, which means the threats have also evolved and moved on to different targets and different techniques.

More than a little of the malware and junk available for macOS lately is deliberately installed—cracked apps, adware, couponware, add-on security tools, etc—and not the traditional malware mess that Microsoft Windows was having decades ago.

A whole lot of what bad happens now is phishing, and spear-phishing, exploits due to re-used passwords and the inevitable cramming, and related. Ah, well… Sooner or later, we’re all going to get phished.

Walletarian wrote:

So logging into a bank site with two factor is best I can do?

Two factor authentication (2FA) is to protect your user credentials. If available, I would always recommend that you enable this feature.

By default, most 2FA implementations rely on sending you a text message with a verification code. This is better than nothing, but text messages themselves are not 100% secure. Better methods have been introduced, but it will require that the financial (or any) institution allow for them ... and that is either PassKeys or having a physical Security Key. An example of the latter would be a YubiKey.