VPN services are widely advertised as a way to anonymize, hide, and secure your use of the internet. These claims are wildly misleading or downright lies.
What Is A VPN?
A VPN (or a Virtual Private Network) is a software-defined network (as opposed to your Wi-Fi card or your Ethernet controller on your computer, which are hardware based) that allows one to set up a network over another network (like the wider internet). This is useful if you need to network together computers or routers that are not in the same location, to allow access to systems that are available only to a specific network address.
I use VPNs myself, two in fact (one that I manage and one that my employer manages) and these are the reasons I use them.
- To easily network my own systems and servers together for easy access.
- To access systems and routers that belong to my family (I am the de facto IT service technician for my family).
- To access systems that are related to my job.
What I do not use them for:
- Having "private" internet access.
- Gaining an ability to "anonymize" my internet use.
- Circumventing region-locked services (the only real legitimate use of these fraudulent services).
My general recommendation, if asked whether someone should buy into one of these services, is: don't. It doesn't give you any meaningful security and just exposes another leak in your wallet.
How Are They Misleading?
The issue is that most users of the internet are not completely aware of how using it works. This is not limited to non-computer scientists either, as you see a lot of "computer experts" recommend the use of VPN services.
Who are they misleading? Let's start with some of the claims.
Claim: That person at the coffee shop can steal your password!
This claim is mostly false these days. With the wide adoption of HTTPS (Hypertext Transfer Protocol Secure), your communication with the site you're visiting is encrypted. This includes the part when your credentials are being sent to the site for verification.
The only time this is not true is when you are using a site that doesn't support HTTPS and only does regular plain-text HTTP. Most sites you visit though, like Gmail, Twitter, etc., use HTTPS and often enforce its use.
The only way around this is with a "man in the middle" attack, which isn't common, nor is it 100% prevented by a VPN (if the MITM attack is being performed between the VPN's gateway point and the service you're accessing).
Solution: Make sure you have a lock icon in your address bar that signifies that you're using HTTPS.
Stop Your ISP From Spying On You
Claim: Use our VPN and now your ISP cannot see what sites you visit!
This is true, but you know who can see your traffic? The VPN service itself! All you're doing is trading one set of network engineers for another. They may claim that they don't actually log or analyze your traffic, but if they also do not disclose their systems to you, how are you supposed to know if they actually are discarding all that information? There are instances of organizations that made this claim, then turned out not to actually discard the logs and disclosed the information at a government's request.
Now remember, like in the section above, the ISP and VPN provider (whichever applies here) cannot actually see the content of most packets, only the header information (addresses, ports, etc.). This information is useful to either of them for some optimization of their networks, but mostly not useful for an attack.
Solution: Use Tor, real private browsing or use DNS over TLS/HTTPS for private DNS.
Stop X Site From Tracking You
Claim: Using our VPN will stop those dirty tech companies from tracking you!
Real Ways To Secure Yourself
Use An Up To Date Computer
This goes without saying: using a computer that has outdated software makes you particularly vulnerable to exploits.
Make sure that lock icon is always present in your browser's address bar. This signifies that you are encrypting your traffic and the browser verified the certificate to be authentic. Avoid using sites that do not enforce HTTPS usage.
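One way to check what "enforcing HTTPS" means in practice, as an added example that is not part of the original post: a site enforces HTTPS when its plain-HTTP endpoint redirects to `https://` and its HTTPS responses carry a `Strict-Transport-Security` (HSTS) policy. The response tuples and host names below are constructed sample data, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

REDIRECTS = {301, 302, 303, 307, 308}

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def enforces_https(http_resp, https_resp):
    """Each response is (status, headers) with lowercase header names.
    Returns (verdict, reasons); an empty reasons list means HTTPS is enforced."""
    reasons = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if not (status in REDIRECTS and target.scheme == "https"):
        reasons.append("plain HTTP is served instead of redirected to https://")
    max_age, _ = parse_hsts(https_resp[1].get("strict-transport-security", ""))
    if not max_age:  # a missing header or max-age=0 both mean no active policy
        reasons.append("no HSTS policy with max-age > 0")
    return (not reasons, reasons)

# Constructed responses for two hypothetical sites.
STRICT_SITE = (
    (301, {"location": "https://strict.example/"}),
    (200, {"strict-transport-security": "max-age=31536000; includeSubDomains"}),
)
LAX_SITE = ((200, {"content-type": "text/html"}), (200, {}))

if __name__ == "__main__":
    print(enforces_https(*STRICT_SITE))
    print(enforces_https(*LAX_SITE))
```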
Use DNS over TLS/HTTPS
Ordinary DNS is unencrypted and can be seen by anyone between you and the server you're using. Encrypting it with TLS or doing it over HTTPS mitigates this by encrypting your queries. This doesn't prevent your ISP from seeing which IP addresses you're talking to, but they cannot see what domain name you used to get that IP address.
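To show what "can be seen by anyone" means for ordinary DNS, here is an added example (not from the original post) that encodes standard queries in the RFC 1035 wire format and then recovers the queried names from the raw bytes, which is all an on-path observer needs to do. The client addresses and domain names are constructed sample data; with DNS over TLS or HTTPS the same bytes travel inside a TLS session, so this parser would only ever see ciphertext.

```python
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Encode a standard DNS query (RFC 1035 wire format) as sent over UDP port 53."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", qtype, 1)    # QTYPE, QCLASS=IN

def observed_name(payload):
    """Recover the queried name from a captured payload; no key material is needed."""
    if len(payload) < 12 or struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("not a DNS query with a question section")
    pos, labels = 12, []
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question")
        length = payload[pos]
        pos += 1
        if length == 0:
            return ".".join(labels)
        if length > 63 or pos + length > len(payload):
            raise ValueError("bad label length")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length

def browsing_log(captured):
    """Group observed names by client address: the record an observer can keep."""
    log = {}
    for client_ip, payload in captured:
        log.setdefault(client_ip, []).append(observed_name(payload))
    return log

# Constructed capture: (client address, UDP payload) pairs, documentation ranges only.
CAPTURE = [
    ("192.0.2.10", build_query("mail.example.com")),
    ("192.0.2.10", build_query("clinic.example.org", txid=0x2222)),
    ("192.0.2.44", build_query("bank.example.net", txid=0x3333)),
]

if __name__ == "__main__":
    for ip, names in browsing_log(CAPTURE).items():
        print(ip, names)
```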
Don't Use Your ISP's DNS
This is kinda self-explanatory. If you are trying to not let your ISP watch your usage, telling them which sites you use is counterproductive. I recommend using a service that supports DNS over TLS (like Cloudflare's 184.108.40.206).
Stop Using Sites That Don't Respect Your Privacy
If your goal is to stop services from tracking you, a VPN doesn't actually do anything for you. If you are concerned that Facebook knows when you're on the toilet, it may be better to just ditch their service altogether.
Use An Ad Blocker And Privacy Badger
Ad blockers stop you from seeing ads and in turn prevent you from clicking on them.
When To Use A VPN
What VPN Services Actually Offer
They only offer a glorified proxy service, not a VPN. They are proxying your data via their gateways to make it appear like you're coming from a different location.
To Connect Private Networks Together
This is actually the intended purpose of VPNs. Connect to your work or home network from another location. I use this to connect to my own networks, my family's networks, and the network at my employer to access servers and computers without them being open to the wide internet.
To Spoof Your Location
I mentioned this above, but the claim that you can watch a Netflix show not available in your area is true and a valid reason to do so. That said, it may be better to get a cheap VPS and do this yourself, setting specific routing rules, instead of buying into a VPN service.