People often ask me what VPN they should use but never ask how it actually protects them (and they probably couldn’t answer that). Using a VPN does not always make you more secure, and is only really beneficial in certain conditions and against certain adversaries.
| When a VPN helps | When a VPN does not help |
|---|---|
| Protecting unencrypted data from an MITM (Man In The Middle) attack | Protecting TLS/SSL (https) traffic (not much) |
| Stopping your ISP (or coffee shop) from seeing browsing habits | Lowering video game latency |
| Bypassing location based blocking (eg. seeing Netflix’s UK catalogue from the US) | Stopping advertisers from tracking you |
| Increase download speeds |
A VPN encrypts all internet traffic exiting your device and sends it to a remote server which will decrypt the request and forward it on to its destination. In the case of a business VPN it would likely allow you access into the companies internal network even if you are not physically there connected directly to the network. Your ISP is able to see all of the destinations contacted by the various computers, phones, smart TVs etc. in your house. When a device is connected to a VPN, your ISP would only be able to see one destination; the VPN endpoint. If your web browsing connections use SSL/TLS only the domain name is unencrypted. Traffic such as the content of a webpage, or submitting a username and password are hidden from the ISP or any other man in the middle snooping on your connections. Even the portion of the URL after the domain name is hidden. Your ISP can see you went to youtube.com, but they cannot see that you went to https://www.youtube.com/watch?v=dQw4w9WgXcQ.
When you’re not at home, this still stays relatively the same with coffee shop or airport wifi. Many free wifi services nag you when you connect with some kind of acknowledgement of there terms of service or show a login prompt that allows you to login as a paid user or continue as a guest. Many of these services have in their privacy policies provisions to sell any marketing data off to advertisers which is again, generally only the websites you visit and not specifics of what you do on those sites. As an example, Boingo Wireless which is found in many airports states directly in their privacy policy that they will share any information collected about you with “advertising partners”. Just seeing the domain name of a website you visit isnt really worth much, but a VPN would block it if you really care enough to pay for that.
VPN advertisements lean hard on the idea that an attacker nearby could “intercept your traffic”. If the URL bar in your browser says “https” instead of “http” and has a lock icon to the left of that, a successful attack is extremely unlikely. There are still certain attacks that can defeat this but they are highly complex and not likely to be deployed by some random guy who just happens to be at the same coffee shop as you. A VPN isnt the best mitigation for this sort of threat vector. You’re better off just not connecting to the free wifi or not checking your bank account on that wifi until you go home.
If you connect to a VPN but are still signed into your Google, Facebook, etc. account, that service will still know you are the person browsing. The VPN does nothing to hide your identity. Likewise, if you had cookies or other tracking markers stored before you turned the VPN on, those trackers would know you are the same person browsing and changing your IP address is still just as worthless. A better option would be to install an ad blocking extension on your web browser such as uBlock Origin (Chrome / Firefox) or use the Tor browser bundle.
The most common use for VPNs is to bypass geolocation blocks. You’ve probably run into the Youtube error message before saying that the video you are trying to watch is not available in your country, or you’ve wanted to watch a show on Netflix which has already released in the UK, but wont come to the US catalogue for another few weeks. By using a VPN, you can select an endpoint in another country where the video or content is available and spoof your location so that you can view the video. Youtube and other sites do not care if you were blocked from watching a video in the US and then tried viewing the same video 1 minute later from an IP address in the UK. The blocking system is based only on the geolocation of your IP and takes nothing else into account.
There are some services that claim to put VPN endpoints physically near or inside the same data centers that are used by various multiplayer servers and can lower latency and give you an edge in competitive games. This is never true. They are not able to some how reduce the number of hops between you and the multiplayer server. The number of hops will always increase by at least one and consequently increase latency.
The major downside of using a VPN is the necessary trust that comes with all of your data transiting through one server. VPN companies make claims that they dont retain or sell logs but there is no way to back that claim with evidence. They can only rely on the public’s trust. VPN companies tend to hide themselves behind shell companies and vague state of origin so that governments cannot deliver warrants because the VPN service is outside of any law’s jurisdiction. China has taken advantage of this to secretly run VPN services so that they can snoop the traffic of hundreds of thousands of people outside of China for the state’s own benefit. In 2018 a study was done which determined that more than half of all of the most popular searched for free VPN services were subsidiaries of Chinese companies.
As an aside, when I have this conversation with people there are two very common questions that come up that I might as well answer here:
Yes, I have had to report people for looking at adult sites while connected to their company’s VPN.
Yes, I have unfortunately had to report people for accessing sites that contain adult content involving minors. No, I did not have to testify in the matter.