CyberManDan

Security Advice & Blog

You can’t watch any video on YouTube now, or visit any tech website, without seeing an advert for VPN services that offer anonymity, privacy, and security. But can they be trusted? Are they worthwhile? What privacy are you really getting?

First we’ll take a look at what a VPN is from a basic technical perspective. Then we’ll break down the typical features that these VPNs claim to offer you, and provide some explanation as to why these could be true. Then, we’ll look at what other benefits VPN services offer you. Armed with all the facts, you can then decide whether a VPN service is right for your needs or not.

 

What is a VPN?
VPN stands for ‘Virtual Private Network’. You may be familiar with them in a work scenario or from the millions of ads.

We’ll start with a corporate/business example, as this used to be the most common use for VPNs. In order to do your job, you need access to your emails, files and other applications that are all running on your corporate network. This is fine when you’re sat in the office, because you’re connected to your corporate network, but when you’re at home (or travelling) you’re connected to someone else’s network, which naturally is not trusted by your company.

This is where companies found a need for VPNs. Connecting ‘to VPN’ meant creating a dedicated tunnel between your device (laptop) and your company network so that any network traffic was securely passed between the two, allowing the company to trust your device. It meant that your traffic looked like this:

Your Computer -> Your Router -> Your ISP -> Multiple Other Internet Routers -> Your Company Network
(I will create some images to better explain)

Every step of the way your traffic is encrypted, and your VPN software is creating a Private Tunnel of network traffic between you and your company, making this a Virtual Network.

Now let’s look at an example of normal internet traffic, and consider the possibility that you are logging in to the eBay website.

Your Computer -> Your Router -> Your ISP -> Other Internet Routers -> eBay

Now let’s look at how traffic will flow with a VPN:

Your Computer -> (E) Your Router -> (E) Your ISP -> (E) Other Internet Routers -> (E) Your VPN Provider -> Other Internet Routers -> eBay
(E) = Encrypted

You can see that, using a VPN, your traffic gets encrypted all the way to your VPN Provider, after which it’s no longer encrypted by the VPN.

Have you spotted a problem with this yet?

Let’s look at the features advertised by VPN Providers and what they mean.

Secure Access | Encrypted Traffic | Identity/Privacy Protection | Private Browsing History | Unblock Websites | Protection using Public WiFi

All sounds wonderful right? Where do I sign up? Have my credit card…. let me buy it now!!

We should all be concerned about our own privacy and security and should do whatever we can to protect ourselves. The question is… who or what are we trying to protect ourselves from? Criminals? Malicious Websites? Our Internet Service Provider (ISP)?

What if I were to tell you that only one (1) of those features listed above is actually true, and four of them are partially/mostly not? Let me explain…

Secure Access & Encrypted Traffic – let’s debunk this in one go!
VPNs do, 100%, encrypt traffic. However, almost 90% of the internet uses HTTPS, which is a secure version of HTTP, the protocol used for web-based traffic. You may see it in web addresses, e.g. https://www.bbc.co.uk, and your browser (Chrome, Edge, Safari) will typically show a padlock somewhere to show that it’s secure. These websites use certificates that can only be issued by certain trusted companies around the world, and can only be issued to someone who proves they are who they claim to represent. So I cannot get a certificate for BBC because I cannot prove that I own the domain bbc.co.uk.

Any website that uses HTTPS also encrypts traffic automatically. Without going into detail on Public Key Cryptography, it creates a trust between two endpoints (yourself and BBC) and traffic between the two of you is encrypted and secure. So a VPN hasn’t provided anything different to what you’re already doing.

Identity and Privacy Protection – we all want this for sure!
By having an internet connection, your access to the Internet comes through an IP Address. This is unique to you, and is your ‘entry point’ on the internet. When you browse the internet, websites can see that a request has come from your IP Address. These are allocated to ISPs and they sub-allocate them to the services/people they want to. If you were to look up your IP address on the internet you will find who owns the IP Address, and a rough geo-location as to where it’s being used. It does not provide any information about you as an individual or your house.

A VPN service will take you out to the internet from an IP address that belongs to them, not you. So any website you visit will not know where the request has come from; it passes the traffic back to the VPN Provider, which sends it back through your VPN tunnel to your PC.

So, you go to eBay (like our earlier example), and you log into your account. eBay now knows exactly who you are. So how have you protected your identity? You haven’t, you’ve told eBay exactly who you are, they just don’t know where you’re logging in from. Let’s be fair, eBay doesn’t care where you’re logging in from. Some companies do, and we’ll come on to this later.

Private Browsing History – well this is easy…
Who is looking at your browsing history? Websites that you visit.
How do they do this? By using information stored on your PC.
Your VPN provider does not have any control over the information on your PC. Websites you visit using a VPN will still use cookies etc. to gather information about where you’ve visited. All you’ve actually achieved is to stop your ISP from seeing the websites that you visit.

Protection using Public WiFi – how?
By encrypting your traffic…… well we’ve already covered this (above).

Unblock Websites – This one IS true!
VPN services have gateways/endpoints all over the world, allowing you to choose where in the world your traffic enters the internet. So, you could connect to a VPN service in the US and when accessing Netflix, they will believe you are in the US so you can access content that’s only available in the US. Similarly, people in the US can connect to a UK VPN and access BBC iPlayer, which is only available in the UK. Although that’s the more common use for VPNs, what I should say is that if you’re travelling abroad, it will allow you to connect back to your home country to access content that you’re normally eligible for (sounds more legitimate).

Some websites (e.g. Facebook) use personal data, including your location, to target adverts specifically to you and people in that area. If you want to help avoid those then a VPN can help, but it won’t reduce the amount of ads; they’ll just be less relevant to you.

 

Summary & Advice
Don’t get fooled by their marketing jargon. VPNs advertise features that already exist in normal web browsing. There are only 2 reasons to need a VPN.

1) If you are really paranoid about what your ISP sees (the websites you visit – only the name, e.g. bbc.co.uk, is visible, no data or personal information) then yes, a VPN is for you, as where you go on the internet is tunnelled through the VPN provider. However, be mindful that now the VPN can see what websites you’ve gone to instead of your ISP. Do you trust your VPN provider more than your ISP? Perhaps.

2) If you want to access websites as if you’re located in an alternative country then yes, a VPN is for you as it allows you to choose your exit point on the internet, and access services that are only available in that country.

All other features of a VPN provide very little in addition to what already exists and what you already do.