> sure, threat model matters. no protection is 100%, but more is better.
You can't just say "threat model matters" and then treat security as an absolute gradient (poset?). That means you don't have a real threat model.
> using my own hosted proxy means that my identity is out in public. it's not even hidden. no need to even seize payment records. anyone can look up the ip address and eventually figure out who owns the server.
Bold claim – you've gotta show your work for this one.
> there is no threat model where your own hosted proxy could ever provide better protection than any VPN.
"no threat model [em-bee can imagine]", maybe :)
Here's one for you: how do you know your VPN provider doesn't log usage? You SSHed in and looked at /etc/syslog lately? Went to their hosting provider and opened door 641A?[0]
You sell a VPN and accept US cash? You are interacting with the US financial system and are open to all sorts of laws and enforcement levers that get to be pulled against the company that sold you that service & pinky swore they didn't log.
How sure are you about that "no log" claim if your VPN provider had a visit from a friendly FinCEN CI and some HSI folks who explained what a "US nexus" is?
All this said, I don't necessarily disagree with you: my personal threat model is that bigger fish exist than me, and a paid VPN provider fits the risks I take. Yours might be the same. But I don't see how you reasoned your way there.
[0] https://en.wikipedia.org/wiki/Room_641A