Using a VPN May Make You Less Secure


Just reading social media, I feel like many people think VPNs do quite a few things that they don't actually do, particularly when it comes to security. To go through what a VPN does and doesn't do, let's start with

Protect Your Data

Surprisingly, the connection between you and a server is pretty damn secure now. TLS/SSL through HTTPS provides end-to-end encryption, and it is very widely used. Even this blog uses it; in fact, as far as I can tell, .dev domains must use HTTPS. You'll seriously be hard pressed to find many sites you use that aren't HTTPS anymore, and every web browser will make it very clear if one isn't.

Even on unsecured wifi, if you're on HTTPS/TLS sites, everyone on the local network can see your packets, but those packets are encrypted blobs.

What your ISP can see is the domain you're connecting to, plus an AES-encrypted blob.
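As an added example (my own code, not part of the original post), the script below asks Python's own TLS stack for the exact ClientHello it would send to a host, without touching the network, and then walks the plaintext handshake fields to pull out the server_name (SNI) extension. It assumes nothing beyond the standard library; example.com is just a placeholder hostname. The point it demonstrates: at the moment the ClientHello leaves your machine no key exchange has happened yet, so there is nothing to encrypt the hostname with, and an ISP or anyone on the coffee-shop wifi reads it straight off the wire. Everything after the handshake is the opaque blob described above.

```python
import ssl
import struct


def client_hello_bytes(hostname: str) -> bytes:
    """Produce the ClientHello Python's TLS stack would send to `hostname`.

    The handshake runs against in-memory BIOs instead of a socket, so it
    stops (with SSLWantReadError) right after the ClientHello is written
    and before any server reply is needed. No network access occurs.
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; client now waits for ServerHello
    return outgoing.read()


def extract_sni(record: bytes):
    """Return the server_name value from a TLS record carrying a ClientHello,
    or None if the record is not a ClientHello or carries no SNI extension.

    Every offset walked here is a plaintext field; this is exactly what a
    passive observer between you and the server can parse.
    """
    if len(record) < 5:
        return None
    ctype, _version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:  # 22 = handshake record
        return None
    body = record[5:5 + rlen]
    if not body or body[0] != 0x01:  # 1 = ClientHello
        return None
    pos = 4                      # handshake type (1) + length (3)
    pos += 2 + 32                # client_version + random
    sid_len = body[pos]
    pos += 1 + sid_len           # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len            # cipher_suites
    comp_len = body[pos]
    pos += 1 + comp_len          # compression_methods
    if pos + 2 > len(body):
        return None              # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if etype == 0x0000:      # server_name extension
            # list length (2) | name_type (1) | name length (2) | name
            name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
            return body[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += elen
    return None


def observed_hostname(hostname: str):
    """What an on-path observer learns from the first packet of an HTTPS
    connection to `hostname`: the hostname itself, in the clear."""
    return extract_sni(client_hello_bytes(hostname))


if __name__ == "__main__":
    hello = client_hello_bytes("example.com")  # placeholder hostname
    print(f"ClientHello is {len(hello)} bytes; SNI on the wire: {extract_sni(hello)!r}")
```

Until Encrypted Client Hello is widely deployed, a VPN does not remove this field from the wire; it only changes who is in a position to read it (the VPN operator instead of the ISP). The DNS lookup that precedes the connection leaks the same name in the same way.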

Protect Your Domain Lookups

So what a VPN protects you from is your ISP seeing exactly where your traffic is going. Instead, it just sees all of it going to the VPN's address.

However, is that really more secure? Really, you're just picking your poison. Do I want Comcast to know where I'm going, or do I want the VPN company to know where I'm going? Don't trust VPN companies any further than you can throw them. Words are words; they have little weight on their own. Now, I'm not saying that Comcast is necessarily more trustworthy than any particular VPN company, but keep in mind that you are trusting the VPN company. Speaking of that...

No Logs

Seven 'no log' VPN providers accused of leaking logs

No. Just no. Don't believe ANY claim that a VPN provider doesn't keep logs. Not only is that very unlikely to be true, but, unfortunately for any VPN companies that actually don't keep logs, it's logically almost impossible to prove a negative.

Assume ALL VPN companies are logging information, including when you use it, and what sites you access (but not what content you see; that's just AES blobs thanks to HTTPS).

Even if you run your own VPN service on a VPS/cloud provider, the VPS/cloud provider is keeping logs, even if you don't! You have to quite literally own your own hardware to make sure there's no logging. And when you own your own hardware, the ISP that hardware uses is logging your info!

Hosting Your Own

You can certainly host your own, and it's not very difficult to get an OpenVPN instance running. However, that often provides little metadata privacy. If you route all your traffic from your personal laptop to a VPS on DigitalOcean, websites can still track you with virtually equal ease. All of your traffic is coming from one source; it's just not your laptop. While that can defeat, say, IP geolocation, that's pretty inaccurate to begin with, and many of the tracking players will have more sophisticated ways to track you.

On that front, commercial VPNs are better! Because you connect to one of their servers/addresses, which likely changes naturally every time you use it, a commercial VPN does a better job of anonymizing you to the sites and applications you use.

What DOES a VPN provide me?

                              No VPN    Commercial VPN    Personal VPN
Encrypts content              ✅        ✅                ✅
Sees destinations             ISP       Company           You + Provider
Circumvent ISP/Gov firewall   🚫        ✅                ✅
Harder to track               🚫        ✅ *              🚫
Circumvent geolocking         🚫        ✅                ✅ but requires work
Pirate 🏴‍☠️                    🚫        ✅                🚫

* but cookies and browser fingerprints are a bigger deal

Basically, commercial VPNs are great if you want to

  • Avoid government censorship * (cough china cough) (cough also UK cough)
  • Watch geolocked content on Netflix
  • Pirate stuff without getting angry letters from your ISP

* Although there's seriously not much to protect you from your VPN company ratting you out: ALL VPN COMPANIES KEEP LOGS.

* Also, if you're a political dissident, the CCP might get a little suspicious if they see all of your traffic going to one server, every day, 7 days a week. This is something that Tor, which re-re-re-re-routes your traffic repeatedly, does much better than a VPN.

Addendum on trust

This is really just "IMO", but I personally have a hard time trusting any of the VPN companies. I do use commercial VPNs, for things like actually being able to get on the internet in countries like China, or watching shows on Netflix that are arbitrarily blocked based on where you live.

I think that ISPs, while evil in most ways, have more eyes on them, and they certainly have a viable commercial strategy considering my monthly internet bills. I would not be surprised if many of the VPS services, especially the cheaper ones in weird countries, are selling your data on the side. And it's really hard to prove that they're not doing that.

It doesn't help when so many of them have such misleading advertisements.

So I don't route my personal traffic through a VPN.