We currently live in an exceptional time: a global pandemic in which, beyond the public health crisis and national security issues, we see a mass movement to working from home.
Various technological challenges are born from seismic changes to working patterns and behaviours: geographical diversity is definitely one of them.
This post is triggered by a discussion that came up in a UK cross-government security forum as to whether home users, on a personal device doing personal things, should be encouraged to use a VPN or not. The VPN would not be provided by the organisation, given the personal use.
VPNs play an important role in corporate IT. I wish they weren’t relied on as heavily as they are, but they are (why hello ‘Zero Trust’, whatever you’re defined as this week).
My post here is talking about when an individual (for personal or professional reasons, but not as provided by an employer) uses a VPN service.
On the 26th of March 2021 I came across https://www.doineedavpn.com/ which while not the most consumer friendly UI at the moment, is an excellent microsite.
What does a VPN actually do?
A VPN just connects your device (or private network) to another network, normally over an encrypted tunnel across a network you don’t control.
It is the characteristics of the VPN service and the components of the target network that determine what you actually ‘get’ from the VPN: access to private file stores, onward access to the Internet, access to intranet web pages or something else.
General VPN services
The VPN services you find if you search online for ‘vpn’ are selling a service that lets a device or network (typically a laptop, smartphone, etc) connect to the VPN service and then have onward access to the Internet.
By default, these VPN services are ‘captive’ or ‘full tunnel’: once connected, all of your non-local network activity (browsing websites, etc) is routed through the VPN service. A ‘local’ connection, for example to the WiFi printer in your house, stays on your home network.
The implicit or overt claim is that this is ‘secure’ or otherwise better for you, because the service adds security of some kind or some other privacy angle, such as keeping your habits private from a government.
VPNs just move some stuff around
In this context, a VPN is just moving stuff around so your Internet Service Provider (ISP) can’t see some things… but the VPN provider now can.
Your Internet Service Provider (ISP)
Without a VPN, Internet-bound web browsing (and everything else) leaves your device, goes through your WiFi router to your ISP (in the UK, BT or Virgin Media, for example) and makes the network journey to whatever service you asked for.
Your ISP generally knows which website you are visiting (it sees your DNS lookups and the hostname in the TLS handshake) but not which page within the site. It still can’t see the content of something like online banking: it knows you connected to your bank, but not that you paid a bill or lent money to a friend.
ISPs are also tasked with blocking bad stuff, ranging from illegal activity to copyright infringement, and they can influence or monitor Internet usage to enforce local laws, for example by limiting access to news content or communication systems.
Your VPN provider
With a VPN, Internet-bound traffic leaves your device encrypted (hopefully well: some VPN protocols and configurations use weak or outdated encryption), and the encrypted connection still goes through your WiFi router to your ISP and then onward to the VPN service.
The VPN service then terminates the tunnel (which, at this point, is just an encrypted pipe), decrypts your traffic and does what your ISP would otherwise have done: provides a network connection to the Internet so you can reach the service you want.
In this case, your ISP knows only that you connected to a VPN service. The VPN service can now see everything your ISP would have seen: that you visited a website (but probably not the page or content).
VPN providers are subject to legal mechanisms just like ISPs. They can be instructed to divulge user activity or block content.
To quote myself from approximately two years ago when I wrote about being safe on hostile WiFi/mobile networks:
I don’t explicitly trust ExpressVPN but I trust their VPN service more than I trust a network which I believe to be hostile.
So, the really big question is: who do you trust more… your ISP or the VPN service provider?
Mind the snakeoil
There are more VPN services online than one can count.
Some are well established companies who really exist to provide a service and take user security/privacy seriously.
Some close down as quickly as they pop up and have outright nefarious intentions (manipulating your Internet usage to inject advertising, monitoring/logging it so they can sell behavioural statistics, etc).
Whatever you’re doing is probably encrypted anyway
The vast majority of what the ‘average user’ does online is already encrypted: online banking, email, Slack, WhatsApp, Medium.com (heh), Reddit and so on all use HTTPS (TLS) or equivalent transport encryption to keep the connection, and therefore the content, private between the user’s browser or app and the service.
If a service does not use encryption, a VPN does not fix that: the connection is still unencrypted from the VPN service to the service in question. The VPN only adds encryption between your device and the VPN provider, so your ISP can’t see what is going on; the VPN provider, and everyone on the path after it, still can.
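To make the last two sections concrete (the ISP learning which site you visit but not which page, and a VPN doing nothing for a site that is unencrypted anyway), here is an added example that is not code from the original post. It parses three constructed packets the way an on-path observer would: a plaintext DNS query, the SNI extension of a TLS ClientHello, and a cleartext HTTP request. The hostnames, paths and the minimal ClientHello builder are all placeholders constructed for the example.

```python
"""Added illustration (not code from the original post): what an on-path
observer such as your ISP, or the VPN provider once the tunnel ends, can
read from three kinds of traffic. All packets are constructed inline for
the example; hostnames and paths are placeholders."""
import struct
from typing import Optional


def build_dns_query(name: str) -> bytes:
    """Plain DNS query (RFC 1035 wire format) for an A record, as sent over UDP/53."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # id, flags (RD), qdcount=1
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_query_name(payload: bytes) -> str:
    """Read the queried name straight out of an unencrypted DNS query."""
    if struct.unpack("!H", payload[4:6])[0] < 1:
        raise ValueError("no question section")
    pos, labels = 12, []  # question section starts after the 12-byte header
    while payload[pos] != 0:
        length = payload[pos]
        if length & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(payload[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Minimal TLS ClientHello (record + handshake), constructed for the example.
    Real clients send far more, but the server_name extension is what an observer reads."""
    body = (b"\x03\x03" + b"\x00" * 32          # client_version, random (zeroed here)
            + b"\x00"                           # session_id: empty
            + struct.pack("!H", 2) + b"\xc0\x2f"  # one cipher suite
            + b"\x01\x00")                      # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        ext = struct.pack("!HH", 0, len(sni)) + sni  # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record: bytes) -> Optional[str]:
    """Return the hostname from the ClientHello's SNI extension, or None if absent.
    SNI travels in the clear even though everything after the handshake is
    encrypted, so the observer learns the site but not the page or content."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                     # handshake header, version, random
    pos += 1 + hs[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + hs[pos]                                   # compression_methods
    if pos >= len(hs):
        return None                                      # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0:  # server_name: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def http_request(payload: bytes) -> dict:
    """Plaintext HTTP: method, full path, Host and every header are visible."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("ascii")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ")
    headers = dict(line.split(": ", 1) for line in header_lines)
    return {"method": method, "target": target, "host": headers.get("Host")}


if __name__ == "__main__":
    print("DNS/53 query name :", dns_query_name(build_dns_query("bank.example.com")))
    print("TLS SNI           :", tls_sni(build_client_hello("bank.example.com")))
    print("TLS SNI (absent)  :", tls_sni(build_client_hello(None)))
    print("HTTP in the clear :", http_request(
        b"GET /transfer?to=friend&amount=50 HTTP/1.1\r\nHost: insecure.example.com\r\n\r\n"))
```

Run as-is, the DNS and SNI parsers both recover only the hostname from the HTTPS-bound traffic, while the cleartext HTTP request gives up the full path and query string. With a full-tunnel VPN, the same three functions would run at the VPN provider's end instead of the ISP's: the ISP is left with an encrypted stream to the VPN endpoint, and the VPN provider sees exactly what the ISP used to.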
There is a time and a place for everything
A VPN can help protect you from a local ISP (or local network) that you don’t trust or that interferes with your traffic, but it won’t help with anything else.
A VPN can readily do more harm than good (even if the VPN service provider isn’t malicious) by giving people a false sense of security — malware is still a thing, they can still be phished, unencrypted websites are still unencrypted websites.
If you really don’t trust your ISP, I hope for your sake that you have free choice to change to one that you do. If you can’t, you likely have some other restrictions and concerns not discussed in this post.
If you’re being encouraged to use a VPN but not provided with a VPN service, given what is discussed in this post, I would take that advice with a big ol’ bucket of salt.
Do the good stuff
- Keep your device up to date (aka patched) — particularly your operating system and web browser
- Visit websites using HTTPS (TLS), and think about using HTTPS Everywhere (or your browser’s built-in HTTPS-only mode, where it has one) to help your web browser do that (HTTPS Everywhere also does a bit more)
- Use a DNS service that both encrypts your DNS activity and filters out malware and known malicious (e.g. phishing) domains — I use NextDNS with DNSCrypt.
Alright fine, I trust my ISP enough
Great. Don’t waste your time/money on a VPN. ‘Do the good stuff’.
I don’t trust my ISP
I assume you’ve arrived at this conclusion reasonably and proportionally (for example, you do want to access free news content but your ISP won’t let you).
I generally recommend* TunnelBear to people who ask me which VPN provider they should use. TunnelBear put a good amount of effort into being trustworthy (it doesn’t mean they 100% are, but that they try to do so, which is all you can ask!) — you should still ‘do the good stuff’ listed above.
You should also consider whether you need a full VPN, or whether something like Tor suits your needs.
*TunnelBear do not know about this post. I am not paid or otherwise compensated to recommend them.
Picking a VPN service
I would suggest evaluating based on:
- cost — free isn’t good when it comes to VPN services. I’d be willing to part with $120/year to have a fast, safe(r than the local ISP/WiFi) and reliable VPN service whenever I needed it
- speed — a slow VPN service will make you sad
- location — a VPN provider with servers all around the globe is better for flexible connecting and travel
- reputation — without getting caught up in paid reviews and review-spam sites, if a provider has been around for a while and isn’t being reported for security/privacy issues, it might not be terrible
My employer has a VPN
Great. Fine. Use that (for work).