I roam around on some tech forums, and every now and then a user pops up with a question about his or her VPN provider. There seems to be a general consensus that using a VPN is a silver bullet for all your concerns about privacy online.
Instead of explaining it over and over, I thought it was about time to put something on this site. Just my laziness, so I can point them to this little post 🙂
What is a VPN?
A lot of people asking questions about their VPN service provider seem not to know exactly what it actually does. Which is weird, since most users I spoke to online have a strong belief that this will protect them from all the spying eyes in the world.
This was never the use case for the technology in the first place!
A VPN connection is a secure tunnel from one private network to another. Before this hype started, it was usually used in work environments. For example, people that work at home still have to be able to use company resources that are only available within the company network. A very legitimate use for a VPN tunnel!
When you decide to pay for a subscription with one of these providers, you are able to set up a secure tunnel to that provider’s private network, which means everything is encrypted between your device and the VPN provider’s private network.
However, most people access websites when online. Those websites are usually not hosted inside the private network of the VPN provider. So the VPN service will still have to go out to the final end-point to actually retrieve the website on your behalf. This is done in the same manner as you would do it yourself when not using a VPN. The only difference is that the VPN service will do this for you, and send the data back to you.
An image says more than I could explain in words, so there you go.
On the top diagram you see a normal request to a website, coming directly from your computer.
The bottom diagram illustrates the same request, but this time it’s tunneled through the VPN server. Everything that has the lock icon is the part of the communication that’s encrypted.
So the arrow from the VPN server to the internet is still the same. If you look carefully, you can see that all the encryption does is keep your ISP from seeing much about your website request. The communication that leaves the VPN server is still the same as it was when you were not using a VPN. It may or may not be encrypted by way of HTTPS/TLS; using a VPN changes nothing about that part of the communication.
But what about privacy!?
The reason I often hear for using a VPN is that the website being visited will not be able to see your actual home IP address. The website will see the VPN’s IP address, which is very true. But does that even matter?
What tends to be forgotten in this defense is that there are many more ways of tracking you. Tracking based on IP is actually not foolproof. There are better ways to track you, such as by using cookies or browser fingerprinting.
I am certainly no expert on tracking, but I do know that IPs are often dynamic and cannot be relied on to identify a user. People that are experts in this field also know this, and have found ingenious ways to track a single user more accurately.
What also tends to be forgotten is that if you use a VPN, it basically is a voluntarily set-up MITM (Man in the Middle). All your traffic will go through the VPN server, and that VPN server can do anything with that traffic, such as logging everything you do, or worse, changing what gets sent back to you or to the website you’re trying to visit.
Ok fine, but what are legitimate use cases then?
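The two diagrams and the man-in-the-middle point above, modelled as an added example that is not part of the original post: every encryption layer records who holds its key, and `view` works out what a given party can read from a packet. The names `site.example`, `home-ip`, `vpn-ip` and the sample request are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Sealed:
    keys: frozenset   # parties able to decrypt this layer
    content: object   # str (HTTPS body) or Packet (tunnelled packet)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: object   # plaintext str or Sealed

SITE, HOME, VPN_IP = "site.example", "home-ip", "vpn-ip"  # constructed names

def first_hop(request, https, vpn):
    """Packet as it leaves your device and crosses the Wi-Fi and the ISP."""
    body = Sealed(frozenset({"you", SITE}), request) if https else request
    inner = Packet(HOME, SITE, body)
    if not vpn:
        return inner
    return Packet(HOME, VPN_IP, Sealed(frozenset({"you", "vpn"}), inner))

def second_hop(tunnelled):
    """What the VPN server sends to the website: tunnel removed, source replaced."""
    inner = tunnelled.payload.content
    return Packet(VPN_IP, inner.dst, inner.payload)

def view(pkt, who):
    """What `who` learns from one packet: address pairs and any readable text."""
    seen = {"addresses": [(pkt.src, pkt.dst)], "text": None}
    layer = pkt.payload
    while isinstance(layer, Sealed) and who in layer.keys:
        layer = layer.content
        if isinstance(layer, Packet):          # opened the VPN tunnel
            seen["addresses"].append((layer.src, layer.dst))
            layer = layer.payload
    if isinstance(layer, str):
        seen["text"] = layer
    return seen

if __name__ == "__main__":
    req = "GET /account Cookie: id=abc123"     # constructed request
    for https in (False, True):
        tunnelled = first_hop(req, https, vpn=True)
        print("https" if https else "http ",
              "| isp:", view(tunnelled, "isp"),
              "| vpn:", view(tunnelled, "vpn"),
              "| site:", view(second_hop(tunnelled), SITE))
```

With the VPN on, the ISP only sees a connection to the VPN server, the VPN provider sees what the ISP saw before, and the website still receives the same request, cookie included.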
Like I said before, using a VPN in work environments can be a very legitimate thing to do, depending on context. After all, you probably trust your company being able to log all your data communication. But you won’t need a VPN service subscription for this, your company will provide this free of charge for you inside the company’s network!
Another, somewhat more gray area where a VPN can help is bypassing geo-restrictions. Some services online check your IP to get a general idea of where you are in the world, and block your connection to that service when that service has decided it should not be available to your area (for example for copyright reasons).
Using a VPN located in a different country can bypass those checks, since the service/website you want to go to will end up seeing the IP of the VPN, tricking the service/website into thinking the connection originated from where the VPN service is located.
The most legitimate use case for having a VPN subscription is when you want to use open Wi-Fi hotspots.
Open hotspots are not encrypted and therefore when your data leaves your device, it will be hurled through the ether as such. Anyone able to pick up the signals (being close enough to the hotspot) can intercept your traffic.
If you use a VPN in this situation, your data will be encrypted as soon as it leaves your device. So it does not matter anymore that the hotspot does not provide encryption; the VPN tunnel will.
Who are you to point this out!?
For people that do not know me, taking me as a very credible source might be a tricky thing to do.
If you don’t want to take my word for it, then maybe it helps to read up on the subject. Understand what you’re actually using and how it works. Look for pros and cons of using a VPN service provider, instead of just going along with the FUD that’s being spread by these providers to make some easy money.
There are more people out there trying to get people to realize they’re wasting their money. Below you find just two of them highlighted, but if you look you can find many more;