VPN Security – What it does and how it helps you (OR NOT).

With the decline in online privacy and the ever increasing number of cyber attacks, Internet users feel the need to learn how to protect themselves when going online. Therefore, more and more people are looking at virtual private network security providers as a possible solution.

However, despite the hype, they do not substantially improve the security of your information as it travels across the internet.

You can read my ‘excellent dissertation’, or watch the video I found by Tom Scott (see below) who says exactly the same thing.

I should point out that the traditional VPN between your device and your office or between 2 offices, does provide a data secure connection to any data/systems in your office or between the 2 offices.

First things first: What is a secure Website ?

Typically, any website you access today, even if they don’t request user information uses a secure web format based on an secure socket layer (SSL) certificate encryption and look like :  – Note the closed Padlock.

This means that the data content that you read from or provide to, the website is secure from being viewed by anyone. Therefore, your username/password and bank details are already secure because the website is secured with HTTPS.

The corollary of this is that is that the content passed to or from an unsecure website with a URL in the form

What does a Normal Connection look like ?

Typically, when you connect to the Internet, your Internet Service Provider (ISP) receives your packets and routes them to the host you intend to visit and routes the responses back to you.

As your Internet traffic passes through your ISP they can see

  • The connection metadata
      Where you are from
      Where you are going
  • The contents of unsecure websites that you visit.

What’s more, they can track users’ behaviour and sell their personal details to advertisers and other third parties.

What they cannot see is the content (what you send/receive) of any secure websites/connections.

Next: What is a VPN?

VPN stands for a virtual private network and refers to software that is used to encrypt traffic between two points/systems, providing a private & secure tunnel between them.

VPN software typically uses SSL encryption which is the same process as is used by Secure website encryption.

Additionally, VPN security providers use a method called NAT (Network Address Translation) which remaps your Internet traffic when it reaches their end of the tunnel. This hides (somewhat) your public IP address from remote systems you access.

Therefore, the main purpose of this technology is to help hide where you come from and what you have accessed. It also helps to secure the content of any unsecure websites from being accessed by anyone between you and your VPN provider. (WiFi/local network snooping, ISP tracking, local government tracking)

How does a VPN service connection work ?

A VPN redirects your Internet traffic through a remote VPN server which then NATs your traffic. This hides your IP address and encrypts all of the information that is sent or received between you and the VPN server.

When using a VPN:

  • Your metadata is hidden
  • The contents of the unsecure websites are encrypted up to the VPN server.
  • The secure websites are encrypted again (remember, HTTPS is already encrypted) basically slowing down your access (but not providing any benefit).

What are the benefits of a VPN Connection ?

  • No Tracking – Your ISP can’t track where you are going or where you are from and it makes it harder for the Government to.
  • Unsecure website content encrypted – The contents of unsecure websites are encrypted from your system to the VPN server. The ISP will not be able to see the contents of unsecure websites at your end and associate it with you. However, once the packets leave the VPN server heading to and from the destination server, they are no longer encrypted and whilst there are no longer directly associated with you (the connection will seem to originate at the VPN head-end), the packets can be easily be read at the server end or on an intermediate system.

All your important websites should already be secure (banking, email, social networks, etc)

  • Net neutrality – Hide your IP region from the destination systems and an ISP which doesn’t conform to Net Neutrality

Net neutrality aims to make sure that your ISP would treat access to all websites/online services is provided equally. For example, ISPs would be disallowed from prioritising traffic to their own streaming service over Netflix. These laws are aimed to provide a connection which is as fast as possible to ensure a good user experience.

  • Accessing Blocked Sites – One of the many uses of a VPN is to access sites which are blocked on your local network (such as at your school or workplace) or in your jurisdiction. This works because all traffic is sent through the VPN server, meaning the local network can’t see which websites you are accessing. Since they cannot see which websites you are visiting, they have no way to selectively allow or disallow access to websites. However, they can simply block access to the VPN server.

What your VPN Service does NOT protect you from

While VPNs can be useful in certain cases, they don’t protect you from everything. Here is an incomplete list of what a VPN will not protect against.

Your VPN Provider

All using a VPN does is shift the danger from your ISP to your VPN provider and/or their ISP. Remember, data is only encrypted until it reaches the VPN server. All requests to unencrypted content will still be sent unencrypted over the internet from the VPN provider. This is yet another reason to be using HTTPS for important websites. HTTPS ensures that there’s at least one layer of encryption until a request reaches its destination, protecting against the majority of hacking risks.

Arguably, the biggest risk when using a VPN is the VPN provider itself.

Comment on: Commercial VPNs leaking data

DNS

Your computer can’t just access “google.com”, or any other website. It must first convert the domain name into something it can use to send/receive information over the internet: an IP address. In order to make that conversion, your device will contact a DNS server which will convert the human-readable URL of a website to an IP address. The problem with this is that the provider of the DNS server you are using (likely your ISP’s) can keep a list of all domain names you’ve asked to resolve tied to your IP. While a VPN makes sure websites cannot see your IP address, some VPN services don’t route DNS queries through them.

Cookies

Cookies are pieces of information which a website will store on your device. Each subsequent visit to a website, will result in your browser sending over the local store of cookies. This is required on the modern internet and allows websites to store information about your specific session (e.g. to keep you logged in, store opt-ins/opt-outs, etc.). While cookies can be very useful, they can also be used to track you, regardless of your IP address.
For example, if you have ever visited a site without a VPN, a website can store a cookie and the IP address you used for that visit. Then, even when you are on a VPN, they can use the cookie to know it is still you, and therefore your IP. By the way, there are tools to figure out if an IP belongs to a VPN server or not. One such tool is a simple IP lookup; if the ISP is a VPN company, then the traffic is probably coming from a VPN server. This can be used in combination with cookies to figure out the last IP address you used to access the site that does not belong to a VPN.

Conclusion

VPN security services can improve privacy and provide improved access and performance to restricted/limited sites. But, despite what the VPN security providers would have you believe, this type of service does not substantially improve the security of your information as it travels across the internet.

Apparently –  Tom Scott is of the same opinion.

Menu