VPN Services

From Mark Weiman's Wiki

Introduction

VPN services have become popular and are heavily marketed to both the tech-savvy and the non-tech-savvy alike. Although a VPN service can be a useful product, the companies that push them do participate in misleading advertising and overstate their usefulness.

Legitimate Features

VPNs do have some legitimate uses. If someone starts a VPN service themselves or purchases a VPN service, I can see these as good reasons to go ahead.

Access Home/Business Services

If there are services at home or at work that require you to be on that network to access them, like a home storage machine that isn't available on the public internet, tunneling back to that private network to securely access these resources is a legitimate use of a VPN (and probably the primary intention of the technology).

I personally use this to access my home network, office network, and to provide assistance to my Linux-using family members.

Getting Around Content Blocks

Let's say you live in the United Kingdom and you want to access a service that is exclusive to the United States. If you use a VPN service to make you appear to be in the United States, you may be able to use these services.

Be careful with this, as you may be breaking some law in your jurisdiction, and be sure to observe the law, or not.

Sticking It To The Man

Some jurisdictions are rather harsh in their censorship practices. In jurisdictions that censor certain content as per their law, you may be able to jump to an IP address in a jurisdiction that has more relaxed laws, like the United States. This would likely not work in jurisdictions like the People's Republic of China, as they can block the VPN service's IP address directly.

Be careful with this, as you may be breaking some law in your jurisdiction, and be sure to observe the law, or not.

Overstated Reasons To Use

The legitimate uses of VPNs stated above are not what the commercial "privacy" VPNs advertise. Their claims are generally true, but other alternatives are just as effective.

Hiding Usage From ISP

This is a true statement: if you tunnel all of your traffic through a VPN, your ISP cannot collect data on your usage. This is good and bad in a way.

The good is obvious: this is one less person keeping tabs on your usage. But you are only exchanging one person for another. Now the VPN provider can see this traffic and do all the same things that your ISP may do. Plus, you never know what your ISP does with that data. They may be using it to analyze usage of services in an attempt to make those services function better on their network, by adding caches or peering with other networks to get better latencies or bandwidth.

This "feature" only serves to scare you into thinking your ISP is evil and that you need protection. Not only can the VPN provider see all your traffic and do what it wants with it, your ISP can clearly see that you are using a VPN: instead of seeing your visits to my page, for example, they see traffic going only to the few addresses that the VPN server is using.

Now, there are some reasons to want to hide even more from your ISP. Perhaps you go to a religious college and want to hide some sites you are visiting; this may be a reason to take the extra step.

All Your Traffic Is Encrypted

This is mostly true. Now, if a VPN provider is using a VPN protocol that is not encrypted, then anyone between you and the VPN can see the traffic anyways. This is not the reason why I hate this claim.

This claim always comes with the example of visiting a password-protected service on that darn insecure coffee shop WiFi. THEY CAN SEE YOUR PASSWORD THEY CLAIM! It is true that if you connect to an unprotected wireless AP, anyone can technically see your traffic, but there are a few things that make this claim 100% bogus.

The first thing is obviously the HTTPS protocol. You know what that S in HTTPS stands for? Secure. It's encrypted. Sure, they can see the IP address you're contacting, but what good is that information? They cannot see your password, let alone even your username, so what good does it serve to see the IP address if the attacker is after your login credentials?

The second major example is DNS. Most of the time, DNS is done without any security. Honestly though, what good does it serve the attacker if you're requesting the address of twitter.com? They know you're going to twitter.com, but the traffic you get from twitter.com is still carried over HTTPS and therefore they cannot see your login. If you are concerned that someone can see DNS requests for whatever reason, there are solutions for that as well! Look into DNS over HTTPS or DNS over TLS to encrypt your DNS traffic, as well as DNSSEC to VERIFY that you are getting back legitimate responses (DNSSEC protects from people claiming that a domain is going to an illegitimate address as opposed to the domain owner's specified address).
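What the DNS point above looks like on the wire, as an added example that is not part of the original page: a classic port 53 query gives up the name to anyone on the path, while the same query inside a DNS over TLS record shows only a record header and a length. The function names are made up for this illustration, the query is constructed inline, and random bytes stand in for real TLS ciphertext.

```python
import os
import struct

def build_dns_query(name, txid=0x1A2B):
    """Encode a recursive A query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_qname(msg, offset=12):
    """Decode the question name that follows the 12-byte DNS header."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated message")
        length = msg[offset]
        if length == 0:
            return ".".join(labels)
        if length > 63 or offset + 1 + length > len(msg):
            raise ValueError("bad label length")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length

def dot_record(dns_msg):
    """Constructed stand-in for the same query inside a DNS-over-TLS session.
    Random bytes take the place of real AEAD output; only the sizes are realistic:
    2-byte DoT length prefix + message + 1 content-type byte + 16-byte tag."""
    body = os.urandom(2 + len(dns_msg) + 1 + 16)
    return b"\x17\x03\x03" + struct.pack("!H", len(body)) + body

def observer_view(dst_port, payload):
    """What a passive on-path party can state about one captured payload."""
    if dst_port == 53:
        try:
            return "plaintext DNS query for " + read_qname(payload)
        except ValueError:  # also covers UnicodeDecodeError from non-ASCII labels
            return "unparseable payload on port 53"
    if len(payload) >= 5 and payload[:3] == b"\x17\x03\x03":
        size = struct.unpack("!H", payload[3:5])[0]
        return "TLS application data, %d opaque bytes" % size
    return "unrecognised payload"

if __name__ == "__main__":
    query = build_dns_query("twitter.com")
    print(observer_view(53, query))               # classic DNS over UDP
    print(observer_view(853, dot_record(query)))  # DNS over TLS
```

In the encrypted case the observer still learns the resolver's address and that port 853 is in use, which matches the point above about IP addresses remaining visible.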

The VPN just adds another layer of complexity. It doesn't really provide any meaningful security either, because an attacker who is either an employee of the VPN service or someone who managed to compromise the service can still see your DNS requests (if some form of encryption isn't being used) and the addresses you are contacting. It's a disingenuous claim meant to make you feel uneasy about using the internet without them.

Also, ARP spoofing concerns are mostly a thing of the past; don't even come at me with this one.

TL;DR: YOUR PASSWORD IS SAFE IF YOU SEE THE NICE LOCK ICON IN YOUR ADDRESS BAR.

Protecting Your IP Address

I'm going to go ahead and just get the only legitimate argument I can think of out of the way for this one. Say you are a Twitch streamer (just an example) and you want to protect your IP address from those jerks that want to kill your stream by performing a denial of service attack against you. You can use this to change your address so they would attack the VPN service's address rather than yours.

That said, really, in normal everyday usage of the internet, no one's going to care what address you're coming from except the service that needs to send packets back to you.