Contemplating signing up for a Virtual Private Network (VPN)? Why? The truth is most people don't need them, most of the time. Here's how to determine if it truly makes sense for you.
This article will assist you with cutting through the vast amount of VPN marketing B.S. found on the Internet.
This is a platform-agnostic guide to help consumers make a realistic assessment of whether using a Virtual Private Network (VPN) to access the Internet is worthwhile for them. Subjects include:
- Why use a VPN?
- Use Cases (typical user profiles)
- Why You Might Not Want a VPN
- When a VPN Makes Sense
- Mobile Device VPNs: The Good, The Bad, and The Ugly
- Geo Un-blocking: VPN or Smart DNS?
- Are You Committed?
This article's focus is exclusively on consumer-oriented, client-side TUN-type VPNs.
I've heard everyone should use a VPN. Why?
There's unfortunately a lot of fear mongering and misinformation in the media and on the Web regarding VPNs. Some of this is propagated by unscrupulous VPN providers (an issue I wrote about in a blog post entitled The Great Global VPN Swindle). Don't get me wrong. I am a big proponent of VPNs. However, like many mainstream tools developed with good intentions, a significant portion of users have no clue what they're doing. When it comes to privacy-based methods and technologies, you're doing yourself a disservice if you don't fully grasp your goals and the tools you are attempting to employ in order to attain them. Used improperly, VPNs create a false sense of security and may even increase your risk of compromising private information and/or your identity.
VPN Use Case Scenarios
Here are the most common use cases for VPNs. These are scenarios where a VPN makes sense:
- Corporate Security. Your company requires it. This is increasingly commonplace. It allows employees to access internal network devices seamlessly while ensuring sufficient security is in place during the connection.
- Transmitting sensitive data over an insecure connection. A VPN is good at encrypting plaintext data when other methods cannot be used.
- Anonymity. Concealing your real IP address and/or physical location.
- Privacy. Hiding your online activity from surveillance.
- Evading Censorship (e.g. you are in China).
- Accessing alternative regional content. VPNs can be used to alter where you appear to be physically located, but this method is not normally the best approach toward geo-spoofing. [1] Depending on your goals, you are usually better off using other techniques, such as a Smart DNS service. [2]
If you're not concerned with any of these circumstances, perhaps a VPN isn't worthwhile for you.
Why You Might Not Want a VPN
Like most things in life, there is no proverbial, “free lunch.” VPNs come with trade-offs. Here are the downsides that may discourage you from directing all your internet traffic across a VPN. If these factors are more important to you than your privacy and the protection of your data, you may want to re-think using a VPN:
- Adds time delay (lag) to network traffic
- Reduced speed (data throughput) due to additional networking overhead
- Network connections are more complicated to set up and maintain
They're (Usually) Slow
Redirecting your internet traffic between servers and encrypting it adds overhead and slows down your connection. This is the biggest drawback to a VPN, why it should be used only when necessary, and why I am a strong proponent of Split VPNs.
VPNs aren't always slow, but they are slower. That's a fact. Whether or not you will notice a VPN connection being slower than a non-VPN connection boils down to a combination of your hardware, the VPN service provider's hardware and network efficiency, and how much of your network traffic utilizes it.
No Standard Protocol
Unfortunately, since there is no industry standard, the format of these virtual connections varies wildly. As explained in one of my blog posts (Is Your VPN Helping or Hurting You?), this is something you should be aware of, but not alarmed by. The most important factor when considering a VPN is actually Choosing the Right VPN Provider.
There are two types of VPN software: proprietary and open source. The former are custom-made, closed-development solutions where an organization produces the software for both ends of the virtual network. This may include custom security protocols or off-the-shelf versions. The algorithms used to encrypt the data payload may be common knowledge (open source) or proprietary (secret).
As the term implies, open source VPNs use open source developed software to manage secure connections. They usually employ industry standard encryption protocols to secure the underlying data, though sometimes they will use uniquely crafted algorithms. Regardless, being open source, the methodologies are available for public scrutiny. If a VPN uses proprietary security algorithms, this is a significant potential drawback as it is difficult for the end user to ascertain the value of such systems compared to other, open source VPN systems where the security methodologies are known.
When a VPN Is Probably Overkill
What do those factors outlined above boil down to? Trust. Perhaps you don't trust a local WiFi router, or you don't trust a website to not track your behavior and your identity. Whatever the reason, if you are going to be transmitting (sending and/or receiving) content, how do you know when it’s wise to use a Virtual Private Network (VPN) to mask your identity and/or sensitive network traffic? If VPNs are such a great idea to protect your privacy and content from prying eyes, why doesn't everyone use them all the time? The short answer is: for some people, they are a good idea to use all the time.
When a VPN Makes Sense
Let's cut to the chase. A VPN is not for everyone. There are several distinct circumstances where a VPN makes sense, and a number where quite frankly it is probably not worth the trouble. To begin with, a VPN is more likely to be a sensible approach if you meet any of the following criteria. Do you:
- Distrust your normal Internet service provider?
- Regularly use public hotspots, such as free WiFi in coffee shops, grocery stores, etc.?
- Travel frequently, and rely on anything other than a personal hotspot device for internet service?
- Wish to hide your identity while visiting websites or other services on the Internet?
- Need or want to evade censorship?
If you responded with a "Yes" to any of those questions, then a VPN likely makes sense for you. If not, a more reasonable approach may be to not bother with a VPN, while making an effort to curb other behaviors that expose you to unnecessary risks online. My suggestion is to be realistic when it comes to assessing your risk profile and your likelihood of diligently using one. Of course, there is more to it than that, but those thoughts will get you started on making a reasonable self-assessment.
A few more thoughts for you to ponder.... If your needs include mobile devices, make sure you understand the difference between a Kill Switch versus an On-Off Switch. Many VPN providers with mobile apps falsely advertise the latter as the former. There is a difference. If you'll be using a Windows-based computer, you should also be familiar with what a kill switch is. If you're using a Linux based platform, you should have no need of one (Linux distros should effectively operate as a kill switch automatically, by design).
Mobile Device VPNs: The Good, The Bad, and The Ugly
Contemplating using a VPN with a mobile device? There are a few additional factors to take into consideration. Let's start with the concept of a Kill Switch. When executed properly, this is a great feature (more details below). Unfortunately, this good concept has morphed into a not-so-great, but popular feature (especially on mobile devices) that, regardless of what it's called, is in fact a simple On-Off Switch. What's so bad about On-Off switches? They're great when you're switching a light bulb on and off, but a VPN... not so much. Why?
- False sense of security ("I'll just turn it on when I need it.")
- Unknown risk: Poor implementation within an app = data leakage
- How do you know it's working? You don't.
- Forget Me Not. Did you forget to turn it on? Oops.
The Good: Kill Switches
What's a Kill Switch? In a nutshell, it's a switch that kills your VPN connection. They are used to safely disconnect a VPN and disable it. A proper kill switch protects you against leaks, which occur when data that was supposed to go through the VPN interface slips past it after you've begun the kill process. This usually results in the last vestiges of supposedly protected data being sent out over an insecure channel, such as your normal outbound network connection, revealing your true IP address and thereby who and where you are.
Every VPN should have a kill switch. Some VPN software has one built into its interface, and by default, when you shut down the VPN by any means, it should behave as if there is one.
The Bad: On/Off Switches
These are normally found on mobile device implementations of VPN software. They differ from a Kill Switch in that they don't actually disconnect the VPN. They simply stop traffic from being sent and received through it, but the connection persists. The rationale is that this means less latency (delay) when a user wants to switch back and forth between using the VPN or not. It sounds like a good idea, but it's not. It exposes the user to a myriad of potential attacks. For example, because the program is still running in the device's memory, it can potentially be manipulated by another application with root-level access. This attack vector is similar to why putting Windows devices into Sleep mode can be a bad thing. It opens the door to a whole class of attack types that don't exist if you don't use an On/Off switch feature. If you're going to use a VPN, don't use one with this feature. Shut down the VPN application completely. Or use one with a true Kill Switch.
On/Off switches also encourage bad habits. Are you familiar with those old analog alarm clocks that you have to set the night before, every night? What happens when you forget? They don't work. On/Off switches with VPNs are kind of like that. When they are not working, it's not obvious. Sure, there are symbols that appear on your device to inform you it's "on," but when people become accustomed to turning things on and off all the time, they tend to become jaded as to which state the device is in at any given point in time. It becomes easy to overlook the current status and simply assume it is in the state it should be at that particular moment. It's just human nature.
If you're going to use a VPN, it needs to be fool-proof. You only need to forget once to risk compromising yourself. The bad guys can slip up all the time and you won't know it. You on the other hand, can't afford to ever make a mistake. If you think you can, you're better off not bothering with a VPN. Otherwise, there's that False Sense of Security thing.
The Ugly: Lying VPN "Apps"
Sadly, creating a mobile "VPN" app is just too easy. This abomination is the worst problem of the bunch. Ostensibly, an app (application) on a mobile device acts as a secure conduit when you want to use a VPN. The problem is if you haven't read the fine print, you're likely to fail to notice the fact many of these applications do not actually encrypt your data! Wait a sec. Isn't that what VPNs are supposed to do? Yes. Yes, they are. Now, that doesn't mean there isn't a secure tunnel (after all, hopefully your VPN app is actually doing something), but what good is that and how much can you trust it if the app does not bother to encrypt the data inside the tunnel? Think I'm paranoid?
A 2016 research study performed by Australia's Commonwealth Scientific and Industrial Research Organization and the University of California at Berkeley [3] analyzed 283 mobile VPN services found on Google's Play Store for security and connection integrity. Would you like to take a guess at the results? I'll summarize some of the highlights for you. 67% claimed to enhance the user's online privacy and security, yet....
- 84% failed to tunnel DNS traffic
- 82% requested unnecessary access to data never sent through the VPN to begin with (e.g. text messages, SIM card)
- 75% filtered traffic with third-party tracking libraries
- 66% failed to tunnel IPv6 traffic at all
- 38% installed malware on the user's device
- 18% failed to disclose their hosting identity
- 4% implemented a local proxy that intercepts and inspects local traffic on the device
- 2% performed active TLS interception mid-stream (effectively carrying out a MitM attack)
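The leaks listed above (DNS and IPv6 traffic escaping the tunnel) and the kill switch described earlier are both addressed by the same host-level control: a firewall policy that refuses to send anything over the physical interface except the encrypted tunnel itself. Below is an added example of such a policy for Linux nftables; it is not from this article or any VPN provider, and the interface names (eth0, tun0) and the VPN endpoint 203.0.113.10 on UDP 1194 are placeholders you would replace with your own.

```nftables
#!/usr/sbin/nft -f
# Added example (not the article's own): a host firewall that acts as a
# true kill switch on Linux. Assumed names, adjust to your setup:
#   eth0 = physical uplink, tun0 = the VPN's TUN interface
#   203.0.113.10:1194/udp = the VPN server's endpoint (placeholder address)
# Policy: nothing leaves eth0 except the tunnel, so if the tunnel is down
# or being torn down, traffic is dropped rather than sent in the clear.
# DNS and IPv6 are only permitted inside the tunnel.
# Note: connect to the VPN server by IP address, because name resolution
# over eth0 is blocked before the tunnel is up.

flush ruleset

table inet killswitch {
    chain output {
        type filter hook output priority 0; policy drop;

        # local processes talking to themselves
        oif "lo" accept

        # the only traffic allowed out of the physical uplink is the
        # encrypted tunnel to the VPN server
        oif "eth0" ip daddr 203.0.113.10 udp dport 1194 accept

        # let the uplink keep its DHCP lease
        oif "eth0" udp dport 67 accept

        # everything else, IPv6 included, must ride inside the tunnel
        oif "tun0" accept

        # anything remaining (plaintext DNS or IPv6 on eth0, ...) is a
        # leak attempt: log it so it is visible, then drop it
        log prefix "killswitch-drop: " drop
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # replies from the VPN server
        iif "eth0" ip saddr 203.0.113.10 udp sport 1194 accept
        iif "tun0" accept
    }
}
```

Load it with `nft -f` as root; a "killswitch-drop" entry in the kernel log while the VPN is down is your confirmation that a leak was blocked instead of sent.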
Are You Committed?
Using a VPN requires making a commitment. The entire point of it is to either:
- Deter hackers from compromising your security; and/or
- Be anonymous online (privacy) and protect that anonymity
If you're ever hacked, it's quite likely you won't be aware of it until well after it has occurred (if you ever become aware of it). Therefore, being diligent and consistent in your security practices and online behavior is crucial.
If you're not consistently following best practices to protect yourself, it won't matter whether you're using a VPN or not, as you will likely put yourself in harm's way at one point or another through your behavior. At that point, a VPN is unlikely to save you. On the other hand, if you are diligent in your behavior and regularly use a VPN, that puts you in a different category. In that case, you will dramatically improve your level of protection with a VPN. The key is being aware of what you're doing online and how.
While you have purview over your devices at some level and can act accordingly, there's a lot you don't have control over. While a VPN won't safeguard you from all risks, when used correctly, it will protect you from the most common risks associated with transferring information online.
Ready, Set
So, you've decided a VPN is worth the trouble. Choosing the Right VPN Provider is unfortunately not as straightforward as you might think. Before you pick one, you might want to read The Great Global VPN Swindle.
Geo Un-blocking: VPN or Smart DNS?
If you are ONLY interested in geo-unblocking (i.e. working around geo-fencing or geographic content restrictions), you are likely better off using a Smart DNS, which is less complicated than a VPN and nearly always cheaper. Or you might consider using both. Let's look at the use cases where Smart DNS services make sense, and where they don't.
For details on what Smart DNS is and how it works, see What's a Smart DNS?
U.S. Residents
If you reside inside the United States and use a Smart DNS service, you're probably throwing away money and exposing yourself to unnecessary risk. Smart DNS services try to circumvent geographic content restrictions by routing your attempts to connect to known content providers to a proxy server based inside the United States, which masks your real IP address and sends you to a U.S. point-of-presence (POP) for the content provider. It makes you appear to be inside the U.S., so you are allowed to view U.S.-based content. The reason people outside the U.S. like doing this is because the U.S. tends to have a greater variety and depth of digital content than any other international region on the planet. However, as you can see, if you are already inside the U.S., what's the point? Answer: There isn't one 99% of the time.
What if I reside in the U.S. and I want to pretend I am somewhere else, say to access geo restricted content in the UK for example? If that is the case, then for you, yes a Smart DNS might be useful. However, you will need to be able to customize how the Smart DNS works. Otherwise, it will simply boomerang you back to the U.S. content. Not all Smart DNS service providers allow you to customize their behavior, though most do (and all the larger service providers do). You can read more about Smart DNS, how it works, and its potential pitfalls in my related article, DNS Alphabet Soup: Dedicated, Dynamic, Smart.
Non-U.S. Residents
If you reside outside the U.S.A., Smart DNS services were basically made for you. They were born out of strong demand from consumers who want the ability to access all content from various content providers. If this is the only reason you have been considering a VPN, you should think about using only a Smart DNS instead. I recommend you read the related article, DNS Alphabet Soup: Dedicated, Dynamic, Smart, before making a decision.
References
[1] Geo-Spoofing is the act of altering geo-location metadata to make it appear as if a connection is emanating from a different physical location on the Earth from where it is actually located. You will find some additional information on this subject in this article explaining the DNS Location data.
[2] See my article Locked Out: Circumventing Geofenced Content for more information on best practices for getting around regional content restrictions.
[3] Association for Computing Machinery (ACM). 14 November 2016. IMC '16: Proceedings of the 2016 Internet Measurement Conference, pp. 349-364. https://dl.acm.org/citation.cfm?id=2987471