deny ignorance.

 

VPNs haven't been useful since 2002
#21
(06-17-2024, 07:50 AM)FlyingClayDisk Wrote: Numbers stations are a good example of unbreakable codes.  Uniform blocks of numbers repeated over and over.  Random number changes at periodic intervals, then one number will change which equates to where to look up the location of the message in a subsequent string of blocks.  Then blocks of numbers, and more blocks of numbers.  There's no way to tell even how long a message is.  And by keeping message lengths uniform, no forensic pattern analysis can be performed (mathematical or otherwise).  It's just impossible to break.  A "1" in position #2 of a block of (5) might mean a <space>.  A "1" in the 2nd position of an identical (5) digit block might mean "G".  A "1" in the 2nd position of a 3rd block of (5) digits might be an instruction to look at the 2nd letter in on the cover of the Bible which is an "O".  And the next message is completely different with blocks of (5) random digits which are all meaningless and to be discarded.  There's just no way to crack something like that.  Plus, a digit could refer to a word

21379 21379 21379 21379 21300 21300 21300 21379 21379 21379 21379...on and on, 24 x 7 x 365 for decades on end.  Some have been on the air for 30+ years, just non-stop numbers.

It's a really fascinating study when you look into it.  I spent a lot of time back in the 2000s listening to endless strings of numbers and studying the CONET project research publications.

Numbers stations are still out there too, which is a testament to their unbreakable security.

The type of encryption they use on numbers stations is called a "one time pad". It's impossible to break because the key is unique every time and only known by the two parties communicating and is never sent over the air, only the contents of the cipher. Even if it is broken, only that message is decryptable, although this is theoretically impossible because the key is always random and bears no statistical relationship to the message.

This VPN ordeal really isn't a bug or exploit, nor was DHCP intentionally designed to be vulnerable per se. VPNs were originally designed to connect two private networks. Pushing internet access to users came later, ergo split tunneling. The DHCP protocol has always been plaintext and was simply extended to add this route functionality. It was designed in an era when networks were considered secure and bad actors were not commonplace.

Split tunneling can be exploited by a nefarious provider. It ultimately comes down to the fact that if you're not running your own network you must trust the entity hosting your services.
Reply
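As an added example (not part of any post in this thread): a small checker for the DHCP route functionality mentioned above, which is carried in option 121, the classless static route option of RFC 3442. It decodes the option and flags routes that would take precedence over a VPN's default route; the sample payload, the LAN prefix and the function names are constructed for illustration.

```python
import ipaddress

def parse_option_121(payload: bytes):
    """Decode DHCP option 121 (RFC 3442): repeated entries of
    [prefix length][significant destination octets][4-octet router]."""
    routes, i = [], 0
    while i < len(payload):
        plen = payload[i]
        if plen > 32:
            raise ValueError(f"invalid prefix length {plen} at offset {i}")
        n = (plen + 7) // 8            # only the significant octets are sent
        end = i + 1 + n + 4
        if end > len(payload):
            raise ValueError(f"truncated route entry at offset {i}")
        dest = ipaddress.IPv4Address(payload[i + 1:i + 1 + n] + bytes(4 - n))
        net = ipaddress.ip_network(f"{dest}/{plen}", strict=False)
        gw = ipaddress.IPv4Address(payload[i + 1 + n:end])
        routes.append((net, gw))
        i = end
    return routes

def routes_overriding_tunnel(routes, lan):
    """Routes more specific than a default route that point outside the
    leased LAN: by longest-prefix match they beat a VPN's 0.0.0.0/0."""
    lan = ipaddress.ip_network(lan)
    return [(net, gw) for net, gw in routes
            if net.prefixlen > 0 and not net.subnet_of(lan)]

# Constructed option 121 payload (not captured traffic):
#   0.0.0.0/0 via 192.168.1.1, 192.168.1.0/24 via 192.168.1.1,
#   0.0.0.0/1 and 128.0.0.0/1 via 192.168.1.50
SAMPLE = bytes([0, 192, 168, 1, 1,
                24, 192, 168, 1, 192, 168, 1, 1,
                1, 0, 192, 168, 1, 50,
                1, 128, 192, 168, 1, 50])

if __name__ == "__main__":
    found = routes_overriding_tunnel(parse_option_121(SAMPLE), "192.168.1.0/24")
    for net, gw in found:
        print(f"DHCP-pushed route {net} via {gw} would bypass a default-route VPN")
```

Run against the option 121 bytes from a lease or packet capture, it gives a quick view of whether the local network is steering traffic around the tunnel.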
#22
(06-17-2024, 02:30 PM)l0st Wrote: The type of encryption they use on numbers stations is called a "one time pad". It's impossible to break because the key is unique every time and only known by the two parties communicating and is never sent over the air, only the contents of the cipher. Even if it is broken, only that message is decryptable, although this is theoretically impossible because the key is always random and bears no statistical relationship to the message.

...

That is correct; it is a 'One Time Pad'.
Reply
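As an added example (not written by any poster in this thread): a digit-based one-time pad of the kind described in posts #21 and #22, showing why a ciphertext is consistent with every same-length message and what leaks if a pad is ever used twice. The two-digit letter encoding and the sample messages are constructed; the actual encoding any station uses is not known from this page.

```python
import secrets

ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # constructed encoding: space=00, A=01 .. Z=26

def encode(text):
    """Letters to a flat list of decimal digits, two digits per character."""
    return [int(d) for ch in text for d in f"{ALPHABET.index(ch):02d}"]

def decode(digits):
    return "".join(ALPHABET[10 * a + b] for a, b in zip(digits[0::2], digits[1::2]))

def new_pad(n):
    """n uniformly random key digits from the OS CSPRNG."""
    return [secrets.randbelow(10) for _ in range(n)]

def encrypt(plain, pad):
    if len(pad) < len(plain):
        raise ValueError("pad exhausted: key must be at least as long as the message")
    return [(p + k) % 10 for p, k in zip(plain, pad)]    # digit-wise, no carry

def decrypt(cipher, pad):
    return [(c - k) % 10 for c, k in zip(cipher, pad)]

def pad_that_explains(cipher, guess):
    """A key exists that turns this ciphertext into ANY same-length guess,
    so the ciphertext alone cannot confirm or rule out a message."""
    return [(c - g) % 10 for c, g in zip(cipher, guess)]

def reuse_leak(c1, c2):
    """If one pad encrypts two messages the key cancels out:
    c1 - c2 == p1 - p2 (mod 10), which is no longer random."""
    return [(a - b) % 10 for a, b in zip(c1, c2)]

def groups(digits):
    """Format as five-digit blocks, as read out on air."""
    s = "".join(map(str, digits))
    return " ".join(s[i:i + 5] for i in range(0, len(s), 5))

if __name__ == "__main__":
    m1, m2 = encode("MEET AT NOON"), encode("STAY AT HOME")   # constructed messages
    pad = new_pad(len(m1))
    c1 = encrypt(m1, pad)
    print("on air :", groups(c1))
    print("real   :", decode(decrypt(c1, pad)))
    print("decoy  :", decode(decrypt(c1, pad_that_explains(c1, m2))))
    print("reuse  :", groups(reuse_leak(c1, encrypt(m2, pad))))
```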
#23
Ultimately, this is the inevitable 'disconnect' between the design of networking frameworks, and the utter incompatibility with the true purpose of networking, which is an open communication channel between devices.  The internet was established to make a connection between disparate entities, not to 'preclude' communications.

The internet was about 'sharing' not 'restricting.'

"Bad actors" and abusive exploitation was not part of the design intent.

VPNs are necessary because of the notion of 'concealed' data exchanges... and as we can all see, it's the 'secret,' 'back channel' approach to connectivity that engenders the 'need' to encrypt - not the end-users themselves.  ISPs take 'advantage' of that 'new' reality to layer 'other' services which can be charged to the users either directly or indirectly.  This is just one reason why the internet was fertile ground for commercial exploitation.

It's akin to the development of "push" technologies that offer "control" to data sources in the guise of necessary 'handshaking' between systems.  Suddenly, your experiences online are subject to "cookies" and "java scripts," and "HTML codes" you can only 'witness' and 'subject yourself' to... truncating services should you refuse.  Anyone who 'blocks' any of these things can experience crippled "functionality" like pages not loading, and apps not functioning unless you "allow" the service provider some level of control of your browsing data... and what data they can access, store, and relay.

With VPNs this is supposed to 'encapsulate' your data... but it is an illusion.  If your data is there, someone else can see it now. The process of encrypting could be isolated... except to your ISP, of course.  And if the ISP has open exploitable opportunities, you are now subject to their exposure... like how 90% of all exploitation happens at the industry level, not personal users. (But that doesn't stop them from charging money to "secure your safety" with "data protection claims.")

This tech is not bulletproof.  It NEVER was.  (But don't tell their marketing departments that, they'll refuse to discuss it.)
Reply
#24
(06-17-2024, 02:57 PM)Maxmars Wrote: It's akin to the development of "push" technologies that offer "control" to data sources in the guise of necessary 'handshaking' between systems.  Suddenly, your experiences online are subject to "cookies" and "java scripts," and "HTML codes" you can only 'witness' and 'subject yourself' to... truncating services should you refuse.  Anyone who 'blocks' any of these things can experience crippled "functionality" like pages not loading, and apps not functioning unless you "allow" the service provider some level of control of your browsing data... and what data they can access, store, and relay.

...

This tech is not bulletproof.  It NEVER was.  (But don't tell their marketing departments that, they'll refuse to discuss it.)

Whew, tell me about it! The intentional restrictions on functionality if you do not allow the site you're accessing to run whatever they want in your browser these days are absolutely maddening. It used to be sites were designed to gracefully fall back and avoid using scripts unless absolutely necessary. Now, half the sites you go to only show you a blank page if you don't have JavaScript enabled.

Very well said.

I think the encryption built into IPv6 is intended to replace all these band-aids, but will it ever finally catch on? They've been saying for years that IPv4 exhaustion is here, yet here we are in 2024 and many sites still don't implement it. I'm beginning to think it may never happen.

As an aside, a few years back I tried to go full IPv6 only on my home network just for shits and giggles, but I found that many networks simply weren't prepared to handle IPv6; even if it was enabled, the service levels were typically much lower than for IPv4 traffic. Additionally, there were still many sites that didn't implement it at all.
Reply
#25
At the risk of sounding simplistic, I blame monetization.

In the end, no one wants to lose their money-making exploits.

While I accept that trade and commerce have a place in our society... some things merit their exclusion.  Yeah... I can be an idealist that way.
Reply


