
NordVPN is being recommended a lot to people who don't know better by influencers on social media, especially on YouTube. This kind of endorsement is recklessly negligent and needs to stop.

https://drewdevault.com/2019/04/19/Your-VPN-is-a-serious-cho...

Edit: note that I don't blame these influencers for their ignorance on the risks of using a VPN; rather I blame the shady VPN providers for overselling the security value of their product and leading users into a false sense of security.



I'm pretty sure they're "recommending" it because they're getting paid for it - it's a sponsor segment. After demonetization became common YouTubers looked for other sources of revenue and there are rather few companies that try to contact them directly for ads, so you see them appear over and over again.


Yeah it's definitely not being recommended, it is being advertised. I wonder how much money they have spent. Every freaking channel mentions them at some point.


You start to wonder where their money is coming from - their retail prices are already cheap, the discounts the influencers offer make it basically free. How's that sustainable?


But do they even have to pay much to youtubers for those ads? If you get 50k to 100k views per video then you'll likely make around the range of $50-$150 for the video. Paying the youtuber $50-$100 per video would already have a significant impact on their income, so they'd probably consider it. That would be 50k-100k people who will see the ad, because adblock can't block it.


If somebody is getting $50-$150 per video, they're probably doing it for the passion of making videos, not for the income, and they probably have another source of income that dwarfs what they're getting from youtube.


Not necessarily. If they put up a video every day then that's $1500 a month minimum. That's decent income in most countries, even in many EU ones. Now imagine if sponsor segments doubled that for you - now it's $3000 a month, which is already on the lower end of decent even in the richest countries.


No idea.

Yesterday I saw a discount with an extremely cheap 3-year plan (under 30$ and no data limit, iirc). The price didn't offer confidence that the service would be available for all three years.


Snake oil salesmen have been around for centuries. When you have an audience of hundreds of thousands or even millions of viewers it's your moral responsibility to not betray their trust by recommending them bullshit. Unless you personally evaluated the claims of the product (definitely not the case as most of these people don't understand how a VPN works beyond "it somehow protects your privacy") and are happy to stand behind them, don't say anything.

In my opinion there's also another problem that needs to be considered, regardless of security skills: none of these VPN providers' business models are sustainable; they offer "lifetime" plans for cheap to begin with but also tack on extreme discounts (I once saw 83% off) in addition to paying influencers money to promote those discounts. There has to be a catch.


> none of these VPN providers' business models are sustainable

You can fit like a hundred VPN users into a single cheap VPS server. With current prices for VPN they are anything but unsustainable.


I have a non-technical friend who did this citing CNET. It felt like kind of a shit thing based on how it was being advertised, but I couldn’t actually see anything that warranted saying Nord was bad.

How would you have expressed this in layman's terms (before this compromised thing was revealed obviously)?


My layman explanation is:

You have to take your choice of VPN seriously. When you use a VPN, they can read all of your internet traffic, so choose a company you can trust with that information. If they screw up, like NordVPN did, then anyone can read all of your internet traffic even when you think you're safe. You're often better off without a VPN than with one.


This seems like an overstatement. Five years ago, mostly true, but can they mitm my ssl connections? (I'm getting mixed answers on StackExchange, but it seems like generally no.)

They can see what sites I visit, but for most of those sites, they still shouldn't be able to see the content.

(This might be more nuanced than the layman explanation needs to be. Just curious for my own sake.)


It's likely that they cannot trivially MITM SSL connections but for that to be true you're relying on a bunch of things which are not trivial to verify:

1. All of the apps and sites you care about are HTTPS-only and don't rely on, say, an HTTP-to-HTTPS redirect which can be bypassed.

2. The VPN client doesn't do something like configure a proxy.

3. Your OS, apps, and browser don't have exploitable bugs or weak software update mechanisms, or that the VPN provider or whoever compromised them isn't going to try exploiting them.

Obviously the third one is a relatively low probability since it's noisy but it's the kind of thing which would be hard to rule out since VPN providers have a market incentive to cut corners if they think it won't be noticed and by their nature it's easy to imagine a law-enforcement or intelligence agency thinking it'd be a good service to compromise to get access to a userbase which contains people who are trying to hide something of interest.
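
The first condition in the comment above (a site that is HTTPS-only versus one that depends on an HTTP-to-HTTPS redirect) can be checked from response headers. This is an added example, not part of the thread; the hostnames and responses are constructed, and `parse_hsts`, `classify` and `report` are hypothetical helper names.

```python
import re

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797); None if unusable."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not re.fullmatch(r"\d+", arg):
                return None  # duplicate or non-numeric max-age: ignore header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_sub}

def classify(http_resp, https_resp):
    """Each response is (status, headers) with lower-cased names, or None."""
    if https_resp is None:
        return "plain-http-only"
    # HSTS only counts when received over HTTPS; max-age=0 clears the policy.
    hsts = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    if hsts and hsts["max_age"] > 0:
        return "hsts"
    if http_resp is None:
        return "https-only-no-hsts"
    status, headers = http_resp
    target = headers.get("location", "").lower()
    if status in (301, 302, 303, 307, 308) and target.startswith("https://"):
        return "redirect-only"  # the upgrade depends on a plain-HTTP response
    return "http-served"

# Constructed sample responses (not captured from real sites).
REDIRECT = (301, {"location": "https://site.example/"})
SAMPLES = {
    "a.example": (REDIRECT, (200, {"strict-transport-security":
                                   'max-age="31536000"; includeSubDomains'})),
    "b.example": (REDIRECT, (200, {})),
    "c.example": (REDIRECT, (200, {"strict-transport-security": "max-age=0"})),
    "d.example": ((200, {}), None),
}

def report(samples=SAMPLES):
    return {host: classify(*pair) for host, pair in samples.items()}

if __name__ == "__main__":
    for host, verdict in report().items():
        print(f"{host}: {verdict}")
```

A site classified `hsts` is still reached over plain HTTP on a browser's first visit unless the host is on the browser's HSTS preload list.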


Depends, if they have a root (or a wildcard) certificate, they can show you that, and your browser will happily show you a green lock. However, the list of root CAs in your browser is public, for Firefox see [0], and hopefully someone would notice if a VPN provider has access to such a certificate.

(However, that is something that also applies to ISPs, at least Telekom has a CA and therefore a root certificate.)

[0] https://www.mozilla.org/en-US/about/governance/policies/secu...


The article I linked in my original comment goes into a bit more detail and is aimed at the layman, but it's a bit more in depth than a comment you can make in a conversation.


I also don't blame them, and in fact I'm a bit bullish on the fact that these influencers are bringing greater awareness to using VPNs to an audience that might otherwise not use them / understand them.


None of these VPN critiques, including yours, actually address the reasons people use VPNs. Here's a big one: https://iknowwhatyoudownload.com/



