You probably don’t need to use a VPN

Scope

VPNs play an important role in corporate IT. I wish they weren’t relied on as heavily as they are but they are (why hello ‘Zero Trust’, whatever you’re defined as this week).

The picture of a ‘hacker’ being unable to hack you because your connection between your laptop and ‘the Internet’ uses a VPN
Images like this are unhelpful and misleading

DoINeedAVPN.com

On the 26th of March 2021 I came across https://www.doineedavpn.com/ which, while not the most consumer-friendly UI at the moment, is an excellent microsite.

What does a VPN actually do?

A VPN just connects you from one private network/device to another network.

General VPN services

The VPN services you find online if you Google search ‘vpn’ are selling a VPN service that allows a network/device (typically a laptop, smartphone etc) to connect to the VPN service and then have onward access to the Internet.

VPNs just move some stuff around

In this context, a VPN is just moving stuff around so your Internet Service Provider (ISP) can’t see some things… but the VPN provider now can.

Your Internet Service Provider (ISP)

Without a VPN, Internet-bound web browsing (etc) would leave your device (laptop etc), go through your WiFi router to your ISP — for example, in the UK, BT or Virgin Media — and make the network journey to whatever service is required.

Your VPN provider

With a VPN, Internet-bound web browsing (etc) would leave your device encrypted (probably, hopefully, as VPNs can use bad/weak encryption) and the encrypted connection would still go through your WiFi router to your ISP and then onward to the VPN service.

Comparing ‘trust’

To quote myself from approximately two years ago when I wrote about being safe on hostile WiFi/mobile networks:

Mind the snakeoil

There are more VPN services online than one can count.

Whatever you’re doing is probably encrypted anyway

The vast majority of what the ‘average user’ does online is encrypted: online banking, checking email, Slack, WhatsApp, Medium.com (heh), Reddit and so on all use HTTPS to ensure the connection (and therefore content) is private between the user’s web browser and the service.
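The ‘moving stuff around’ point and the HTTPS point above can be put side by side in a small model. This is an added illustration, not code from the author or from DoINeedAVPN.com. It assumes no Encrypted Client Hello (so the hostname is readable in the TLS handshake) and a VPN that carries DNS inside the tunnel; the function names and category labels are made up for the example.

```python
# Added illustration: a simplified model, not a packet capture.
# Assumptions (not from the article): no Encrypted Client Hello, so the
# hostname is readable in the TLS handshake; the VPN carries DNS inside
# the tunnel (no DNS leak).

def observable(https, encrypted_dns):
    """What any network carrying your untunnelled traffic can read."""
    # IP header, SNI (HTTPS) or Host header (HTTP), and packet sizes/times.
    seen = {"destination IP", "hostname", "traffic volume and timing"}
    if not encrypted_dns:
        seen.add("DNS queries")            # plain DNS on port 53
    if not https:
        seen.add("URLs and page content")  # plain HTTP is readable in full
    return seen


def visibility(use_vpn, https=True, encrypted_dns=False):
    """Map each network operator on the path to what it can observe."""
    clear = observable(https, encrypted_dns)
    if not use_vpn:
        return {"ISP": clear}
    # The ISP now only carries the tunnel. The VPN provider terminates it
    # and forwards the inner traffic, so it sits where the ISP used to be.
    return {
        "ISP": {"VPN server IP", "traffic volume and timing"},
        "VPN provider": clear | {"your home IP"},
    }


def report():
    """One line per (vpn, https, operator) combination."""
    lines = []
    for use_vpn in (False, True):
        for https in (True, False):
            for party, seen in visibility(use_vpn, https).items():
                lines.append(f"vpn={use_vpn!s:5} https={https!s:5} "
                             f"{party:12} sees: {', '.join(sorted(seen))}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

In this model the VPN changes who sees the hostname and DNS queries, while HTTPS is what removes page content from every operator's view.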

There is a time and a place for everything

A VPN could help protect you from a locally untrusted or influencing ISP but it won’t help with anything else.

Do the good stuff

  • Keep your device up to date (aka patched) — particularly your operating system and web browser
  • Visit websites using HTTPS (TLS) and think about using HTTPS Everywhere to help your web browser do that (it also does a bit more)
  • Use a DNS service that both encrypts your DNS activity and helps you filter out malware and known malicious (like phishing) domains — I use NextDNS with DNScrypt.

Alright fine, I trust my ISP enough

Great. Don’t waste your time/money on a VPN. ‘Do the good stuff’.

I don’t trust my ISP

I assume you’ve arrived at this conclusion reasonably and proportionally (for example, you do want to access free news content but your ISP won’t let you).

Picking a VPN service

I would suggest evaluating based on:

  • privacy — check their privacy policy and legal jurisdiction (avoiding ones known for privacy issues)
  • cost — free isn’t good when it comes to VPN services. I’d be willing to part with $120/year to have a fast, safe(r than the local ISP/WiFi) and reliable VPN service whenever I needed it
  • speed — a slow VPN service will make you sad
  • location — VPN providers with servers all around the globe are better for flexible connecting and travel
  • reputation — without getting caught up in paid reviews and review-spam sites, if a provider has been around for a while and isn’t being reported with security/privacy issues, they might not be terrible

My employer has a VPN

Great. Fine. Use that (for work).

Joel Samuel

The thin blue line between technology and everything else. joelgsamuel.com