If you’ve watched more than a handful of YouTube videos in the past few years, you’ve probably seen sponsored advertisements for VPNs impressing on you the great security benefits of using a VPN. But in a time where a lot of Internet communications are already encrypted, what are the actual benefits of using a VPN?
And before I get into the details, I’ll just say that I don’t hold anything against creators who accept sponsorship from VPN companies. They’re not responsible for having a deep technical knowledge of the things they advertise, but I strongly believe that VPN companies should be more honest in their marketing.
What does a VPN actually do?
At its core, a VPN or Virtual Private Network creates an encrypted “tunnel” between your device and the VPN company’s server, such that all your Internet traffic is encrypted between these two points, and appears to the broader Internet to originate from the VPN company, rather than your device specifically.
One of the most common benefits touted in VPN advertising is security – that if you’re not using a VPN, then all your bank details and passwords will be stolen by some shady person wearing a hoodie in a dark room 😱.
Nowadays, this point is misleading. At the time of writing, somewhere around 85% of web browser traffic is encrypted with HTTPS, which is ordinary HTTP carried over TLS. All content sent between you and a website using HTTPS is only accessible to you and that website, be that your bank, a social media platform, etc.
While reading this blog, you’ll probably (depending on your browser) see a padlock icon in your browser indicating the connection is encrypted. If you go to a site without HTTPS, then you’ll see (again depending on your browser) a “Not Secure” badge warning you that your connection is, you guessed it, not secure.
Adding a VPN on top of a connection already encrypted with TLS (when it’s set up correctly) accomplishes very little from a security perspective. One layer of modern encryption is strong enough that, for all practical purposes, it’s unbreakable.
Breaking the encryption of a correctly set up TLS connection by brute force is far beyond any computing power that exists, which is why pretty much all practical attacks on it centre around intercepting the connection and tricking your device into encrypting for the attacker rather than for the original site. In the context of a modern web browser, doing this pretty much requires the attacker to install a root certificate on your device (or to obtain a certificate for the site from an authority your browser already trusts, which is rare and gets noticed quickly thanks to Certificate Transparency logs), and if they have access to your device to do that, then they can pretty much do whatever they want, VPN or not.
So what about connections outside of a web browser, like in apps? Well in a lot of cases, encrypted communications are fairly likely to be happening anyway, as both Apple (with App Transport Security) and Google (Android blocks cleartext HTTP by default for apps targeting Android 9 and later) have been strongly pushing for TLS in apps, but there are some caveats. App developers can still opt out and use unencrypted connections in some cases, and even if they are using TLS, it is possible to configure it with certificate or hostname verification disabled, which leaves the connection open to interception by anyone on the network path. With Apple and Google’s efforts here, this problem should eventually be solved, but we’re not there yet.
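To make the “TLS without verification” failure concrete, here is an added example (not code from the original post) in Go. It stands up a local HTTPS server with a self-signed certificate to play the part of an attacker on the local network who has redirected an app’s connection to their own machine, then tries three client configurations against it: one with verification switched off (the misconfigured app), the default client that verifies against the system root store, and a client pinned to a specific certificate. The server, the `intercepted` response body and the helper names are all constructed for this illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// NewInterceptingServer stands in for an attacker on the local network who has
// redirected an app's connection to their own machine. httptest's built-in
// self-signed certificate plays the role of the attacker's certificate: it is
// not signed by any authority in the system root store. (Constructed for this
// example.)
func NewInterceptingServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "intercepted")
	}))
}

// WeakClient is the misconfigured app: certificate verification is switched
// off, so any server presenting any certificate at all is accepted.
func WeakClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// DefaultClient is what a correctly written app uses: the certificate chain is
// verified against the system root store and the hostname is checked.
func DefaultClient() *http.Client {
	return &http.Client{}
}

// PinnedClient trusts only the given certificate (for example an in-house CA,
// or the self-signed cert of a home VPN endpoint) instead of the system roots.
func PinnedClient(trusted *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
}

// Fetch performs a GET and returns the response body.
func Fetch(client *http.Client, url string) (string, error) {
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// IsVerifyError reports whether err is a certificate verification failure,
// i.e. the client refused the interceptor's certificate.
func IsVerifyError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	return errors.As(err, &unknownCA) || (err != nil && strings.Contains(err.Error(), "x509"))
}

func main() {
	srv := NewInterceptingServer()
	defer srv.Close()

	body, err := Fetch(WeakClient(), srv.URL)
	fmt.Printf("verification disabled: body=%q err=%v\n", body, err)

	_, err = Fetch(DefaultClient(), srv.URL)
	fmt.Printf("default verification refused the interceptor: %v\n", IsVerifyError(err))

	body, err = Fetch(PinnedClient(srv.Certificate()), srv.URL)
	fmt.Printf("pinned to our own cert: body=%q err=%v\n", body, err)
}
```

The weak client happily reads the interceptor’s page, the default client aborts the handshake with an unknown-authority error, and the pinned client accepts only the exact certificate it was told to trust. A VPN would protect the weak client from an attacker on the local network, but not from anyone between the VPN provider and the site; fixing the verification is the real fix.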
In these situations where there is no encryption, or it’s configured poorly, then VPNs can help, though it’s important to remember what VPNs actually do: they encrypt traffic between you and the VPN company. This will protect your unencrypted traffic through your local network and ISP, however both the VPN company and any networks between them and the final destination will be able to see the unencrypted traffic. This is why it’s important that you pick a VPN company that you trust, though the true long-term solution in this case is for developers to simply use encrypted protocols to begin with, rather than relying on every user using a VPN as a partial bandaid solution.
Another thing to be mindful of in this case is that commercial VPN services effectively end up redirecting traffic from a lot of users through a single point, which makes bulk surveillance or interception easier. It’s another reason to put some care into picking a VPN provider.
So to sum up, VPNs will provide a security benefit (albeit only a partial one) when sites and apps aren’t already encrypting your traffic (or are doing it improperly), but a better solution is for said sites and apps to simply encrypt traffic themselves. And in that latter case, which is increasingly becoming the norm, VPNs don’t provide a meaningful security benefit.
So, if TLS is so great, then what’s the catch? Well, even when using TLS, there are certain pieces of metadata which remain unencrypted, and some of them can’t really be encrypted with a protocol like TLS because they’re simply necessary for the way the Internet functions.
The most widely-known pieces of metadata visible on a network are IP addresses. IP addresses have been quite overblown as some sort of secret identifier, but really they’re just how the origin and destination of Internet traffic is identified. They need to be visible to every network a piece of data travels through so that routers know where to send it, and so that the server at the other end knows where to send the response.
One of the IP addresses of this blog is 220.127.116.11, but all the information that I could gain from that as someone inspecting traffic on the network is that you’re visiting a website hosted behind Cloudflare. Given that Cloudflare hosts around 25 million domains, that alone doesn’t really lead to any privacy issues, however for sites that aren’t hosted behind a large company, just an IP address could very well identify the exact website you’re visiting, even though the content of your communication would remain encrypted.
When using a VPN, your local network and ISP won’t see the IP addresses of the sites you’re using, just the IP address of the VPN server. This is another thing to note: using a VPN doesn’t make you invisible. To any intermediary networks, it will probably be quite obvious that there’s a VPN connection from your device (or at least your network), since the addresses of commercial VPN servers are well known, and in certain circumstances that could look suspicious.
The next bit of metadata is DNS. DNS is the mechanism through which your device finds the IP address for a given website, and as I’ve written before, it’s completely unencrypted by default. DNS will reveal the domain you’re browsing (like google.com, twitter.com, etc) to your local network and ISP, while the content, if protected by TLS, of course remains encrypted.
Another bit of metadata that exposes the domain name is actually a part of TLS called SNI, Server Name Indication. It is sent in the clear in the ClientHello, the very first message of the TLS handshake, and tells the website’s server which website you’re looking for, in case multiple websites are hosted on the same server. There is a standard in development called Encrypted ClientHello (ECH) which would encrypt the SNI, but it’s still in development and therefore not at all widely used at the moment.
Pretty much any VPN will hide the SNI, as it travels inside the same connection as the website traffic itself, but DNS is not as guaranteed: your device may keep sending DNS queries to the local network’s resolver outside the tunnel, which is known as a DNS leak. The DNS leak test website can help you test this out.
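To show exactly what an on-path observer (a hotspot, your ISP, a corporate proxy) can read from a TLS connection that doesn’t go through a VPN, here is an added example in Go; it is not code from the original post. It runs a real Go TLS client against an in-memory pipe, captures the raw ClientHello record the client sends first, and then parses that record the way a passive sniffer would, walking the length-prefixed fields of the handshake message to the `server_name` extension. The host name `bank.example.org` is made up for the illustration, and the second case shows what the parser reports when a client sends no SNI at all.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
	"time"
)

var (
	ErrNoSNI     = errors.New("ClientHello carries no server_name extension")
	ErrMalformed = errors.New("malformed ClientHello")
)

// CaptureClientHello runs a real TLS client against one end of an in-memory
// pipe and returns the first record it sends (the ClientHello), byte for byte
// as an on-path observer would see it. The handshake is never completed; only
// the client's first flight is of interest. (Constructed for this example.)
func CaptureClientHello(cfg *tls.Config) ([]byte, error) {
	clientSide, observer := net.Pipe()
	defer observer.Close() // makes the client's pending handshake fail and exit
	go func() {
		_ = tls.Client(clientSide, cfg).Handshake()
		clientSide.Close()
	}()
	_ = observer.SetReadDeadline(time.Now().Add(5 * time.Second))
	header := make([]byte, 5) // content type (1), version (2), length (2)
	if _, err := io.ReadFull(observer, header); err != nil {
		return nil, err
	}
	body := make([]byte, binary.BigEndian.Uint16(header[3:5]))
	if _, err := io.ReadFull(observer, body); err != nil {
		return nil, err
	}
	return append(header, body...), nil
}

// ExtractSNI parses a raw TLS handshake record and returns the host name from
// the server_name extension (type 0), exactly as a passive sniffer would.
func ExtractSNI(record []byte) (string, error) {
	// 0x16 = handshake record, 0x01 = ClientHello, then a 3-byte length.
	if len(record) < 9 || record[0] != 0x16 || record[5] != 0x01 {
		return "", ErrMalformed
	}
	hsLen := int(record[6])<<16 | int(record[7])<<8 | int(record[8])
	body := record[9:]
	if len(body) < hsLen {
		return "", ErrMalformed
	}
	body = body[:hsLen]
	p := 34 // skip legacy_version (2) + random (32)
	// Skip session_id (1-byte length), cipher_suites (2-byte length) and
	// compression_methods (1-byte length), in that order.
	for _, width := range []int{1, 2, 1} {
		if len(body) < p+width {
			return "", ErrMalformed
		}
		n := int(body[p])
		if width == 2 {
			n = int(binary.BigEndian.Uint16(body[p:]))
		}
		p += width + n
	}
	if len(body) < p+2 {
		return "", ErrNoSNI // no extensions block at all
	}
	extLen := int(binary.BigEndian.Uint16(body[p:]))
	exts := body[p+2:]
	if len(exts) < extLen {
		return "", ErrMalformed
	}
	exts = exts[:extLen]
	for len(exts) >= 4 {
		extType := binary.BigEndian.Uint16(exts[0:2])
		extSize := int(binary.BigEndian.Uint16(exts[2:4]))
		if len(exts) < 4+extSize {
			return "", ErrMalformed
		}
		data := exts[4 : 4+extSize]
		exts = exts[4+extSize:]
		if extType != 0 || len(data) < 2 {
			continue
		}
		// server_name_list: 2-byte list length, then entries of
		// name_type (1 byte, 0 = host_name) + 2-byte length + the name.
		for list := data[2:]; len(list) >= 3; {
			nameLen := int(binary.BigEndian.Uint16(list[1:3]))
			if len(list) < 3+nameLen {
				return "", ErrMalformed
			}
			if list[0] == 0 {
				return string(list[3 : 3+nameLen]), nil
			}
			list = list[3+nameLen:]
		}
	}
	return "", ErrNoSNI
}

func main() {
	rec, err := CaptureClientHello(&tls.Config{ServerName: "bank.example.org"})
	if err != nil {
		panic(err)
	}
	name, err := ExtractSNI(rec)
	fmt.Printf("observer sees SNI %q (err=%v) in a %d-byte ClientHello\n", name, err, len(rec))
}
```

Nothing in the capture is decrypted: the name is simply sitting in plaintext in the first packet, which is what ECH is meant to fix and what a VPN tunnel hides from the local network by wrapping the whole record.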
Of course, your VPN provider will still see this metadata, which is yet another reason to pick a reputable VPN provider, and why a lot of emphasis is put on “no log” policies. But in general, VPNs are great for increasing your privacy, particularly if your school/family/country doesn’t … agree … with your sexuality/gender identity/political views/religion/etc.
Another potential benefit of VPNs is anonymity, however it’s important to understand the limitations here.
There are many ways a website can identify you when you go to their site, the most obvious of which is asking you to log in, but your IP address, cookies and other modern fingerprinting techniques can all aid a website in identifying you.
Out of all these identifiers, using a VPN alone will only hide your IP address. Using the incognito/private/guest mode in your browser can help with some of the other identifiers, but if anonymity is a big concern to you, then something like the Tor Browser would be a better option.
Tor takes the approach shown in some spy/hacker movies: it bounces your connection through a chain of three volunteer-run relays around the world, so that no single relay knows both who you are and what you’re connecting to. This, combined with the Tor Browser’s other anti-fingerprinting measures, makes tracing your identity very difficult.
You should know however, that using Tor may raise even more suspicion than using a VPN, as its robust anonymity can unfortunately lend itself to criminal activity. Relaying your connection through multiple places across the world also slows things down quite a bit, so like many things, it’s a trade-off.
Accessing blocked or remote content
This is probably the main reason that people use a VPN these days, and indeed the reason that the concept of a VPN was created in the first place.
The more traditional VPN use case would be where a private entity sets up a VPN server intended for, for example, accessing work files away from the office, or if you’re particularly techy, accessing your home network away from home.
The common use of VPNs today is slightly different: because using a VPN means that your traffic appears to originate from the VPN provider, then they can setup servers in different countries to allow you to circumvent geo-restrictions on streaming services, or indeed to access sites blocked by the network you’re on (or by your country), though in this case, VPN connections may also be blocked.
For these use cases, VPNs are a perfect solution, and there aren’t really any other general tools that will do the same job, except for perhaps zero-trust mechanisms in the “office” use case, but that’s quite out of the scope of this post :p
What I use
Personally, I only regularly use a VPN for remote access to my home network.
From a security perspective, the only website I can think of that I regularly use which doesn’t have HTTPS is the Australian Bureau of Meteorology, which I’m not too worried about (though more generally, I’m quite disappointed they haven’t gotten around to supporting it yet).
Public WiFi networks can carry a higher risk, as anyone is able to connect to them, or potentially impersonate them. Personally, I don’t often use public WiFi, and when I do, it’s most commonly on my laptop, where I can keep a closer eye on HTTPS in the browser anyway. If I really had to use my phone on public WiFi, then I could use my back-to-home VPN to get me back to a trusted network.
From a combined security and privacy standpoint, I pretty much always use DNS over HTTPS or DNS over TLS, which also gives a bunch of other benefits from speed to guaranteed DNSSEC validation, given the wide variability in the DNS resolvers used by different networks. The easiest cross-platform way to do this is with Cloudflare’s app, but there are also non-proprietary ways which just require a little more effort to set up (this is what I use and I may do a post on it in the future).
For privacy itself, I’m rarely on a network where I’m worried about being monitored, however when I was still at school (or in the rare case I’m using public WiFi for something sensitive), I’d regularly use my VPN back to home or hotspot my laptop to my phone and use mobile data instead. If I want to search for something sensitive, like medical information, then I’ll often use an incognito browser window to reduce the amount of data that sites have to correlate my activity with. In my specific setup, using my mobile data would also increase my anonymity compared to my home connection, just based on how their IP addresses are assigned, though this will likely vary with your exact setup.
Using VPNs can benefit your privacy online, and, to a lesser degree, your security and anonymity. They also allow you to access geo-blocked content or other sites blocked by your network or country.
When not using a VPN, your local network and ISP can see the names of websites you visit, and the content of any communications that aren’t already encrypted with something like HTTPS/TLS. You’ll also potentially be vulnerable to TLS interception by an attacker on your local network if you use apps that don’t verify their TLS connections.
Using a VPN simply shifts these metadata and unencrypted content “leaks” away from your local network and ISP, to between the VPN company and the destination of your communications. This area of the Internet is generally less accessible to small-scale attackers. A VPN will also prevent any attacker on your local network from intercepting poorly-configured TLS connections.
If you have any questions or I’ve gotten something wrong, let me know below or on Twitter.