You Probably Don't Need a VPN

Do you live in North Korea or Iran? Is your totalitarian government cracking down on dissidents? These are serious concerns for some, but for the rest of us it might be time to re-think the modern threat model.

Why to people use VPN services?

I think at the very core of the VPN subscription market is the belief that as a consumer it’s possible to buy privacy. That’s simply wrong. Privacy is a process, not a product. No amount of $5/month subscriptions will make you safe.

What makes people buy VPN subscriptions isn’t a desire to understand and improve their online habits and implement a comprehensive security plan, it’s fear and uncertainty. And that’s deliberate by the marketing enterprises that surround those services.

Even more egregious is the idea that our privacy is already gone and the only way to get it is to buy it back.

Using a bad VPN service is worse than using none at all… By a lot.

When you’re sending traffic through one of these services, you’re handing 100% of your traffic through their servers. For this to be secure, you need to put a lot of trust in the service.

You need to trust that your provider isn’t keeping any logs at all. Realistically, this isn’t the case. Server operators need to know when things go wrong, and analyzing logs is a big part of that. I have spoken to experts that ingest upwards of 100,000 logs per second from high volume production servers. Operating a system of that scale blind doesn’t happen. If they tell you they’re not collecting logs, they’re lying to you.

You also need to trust that their servers are 100% secure. This means no BMC’s open to the internet allowing unauthorized access.

These are problems made up by VPN providers. When you just use your own internet connection you don’t need to worry about a commercial third party holding activity logs.

The hackers have your IP address, does it matter?

There’s a limited amount of information somebody can learn from your IP address. Using MaxMind’s GeoIP database somebody can learn (maybe) what country you’re in, (possibly) which region, and (even less likely) the city you live in.

Using public whois data we could learn the internet service provider somebody is using. Not terribly useful, but it is more information to glean.

Finally, a hacker could port scan your IP or look you up on shodan. And see…. Probably nothing. Most home routers come with a pre-configured firewall that denies all non-stateful connections from the outside world.

The only legitimate threat a VPN service protects you from is a DDoS attack. In this case, the provider would be hit instead of you, and you would be forced to re-connect to a different server. That being said, I don’t know how often DDoS attacks target individual home users but I can guess that it’s probably pretty rare.

All a VPN does is put your traffic somewhere else

There’s no magic. A VPN is exactly what it sounds like, it’s a Virtual Private Network. Your traffic gets wrapped up, tunnelled somewhere else, and dropped back out onto the internet at a location you don’t control. This process doesn’t add privacy to your browsing habits, and it certainly doesn’t prevent you from being tracked.

Your traffic is already encrypted

The argument that VPN providers are needed so your traffic can be encrypted may have held up 20 years ago, but today the majority of sites default to HTTPS. Why do you need to re-route all your traffic through a third party when it already has a secure TLS tunnel to the owner of the site?

And with services like LetsEncrypt, it’s even easier to get a valid and trusted TLS certificate. In the next ten years, we can expect up to 80% of public sites to support strong encryption. Simply put, it’s not worth it.

There are better ways to take control of your privacy

Instead of buying privacy as a service, build it yourself.

  1. Use multi-factor authentication
  2. Use a trustworthy content blocker
  3. Use a browser extension to block malicious javascript
  4. Use a password manager, and not the one built into your browser.
  5. Don’t use Facebook and Google services.
  6. Use HTTPS Everywhere
  7. Do your updates 😄

You will notice, none of these involve tunnelling your traffic through questionable servers. That’s because VPNs are snakeoil.

comments powered by Disqus