"Most users do not need a VPN" - An analysis
A Former User last edited by
Below is the translation of an analysis published on the website of the German tech portal Golem.de - IT News for Professionals in March this year.
Its author, Hanno Böck, is critical of the promises made by various VPN providers regarding alleged security gains and increased protection of privacy.
There is no relation to Opera's built-in VPN: This translation is only intended to draw attention to the fact that the promised level of protection cannot be fully trusted by some VPN providers and is aimed at users who believe that their real identity cannot be disclosed because they are protecting themselves with a VPN.
Most users do not need a VPN
VPN providers aggressively advertise their products as a panacea for security. But in the modern Internet they are of little use and often even entail dangers.
An analysis by Hanno Böck, published on March 14, 2019
- Encryption: most users do not need a VPN
- VPNs as a security risk
1. Encryption: most users do not need a VPN
"Protect yourself on the Internet from hackers and surveillance", "Highest security and encryption", "Stay safe and anonymous online" - with advertising promises of this kind, providers of so-called Virtual Private Networks (VPNs) try to communicate that the use of a VPN increases security and data protection of users. But what exactly does a VPN do - and how useful is its use in the modern web at all?
A VPN uses software to create a usually encrypted channel between the user and a provider's server. All Internet connections of the user are then routed through this channel.
What is actually encrypted?
Encrypting data sounds good, but what is actually encrypted here? A VPN encrypts data only between the user and the server of the VPN provider. But this is not real protection: between the VPN provider's server and the target, the data can still be read unless it is protected in another way.
VPN encryption merely causes the possible point of attack to be shifted. Data connections can no longer be attacked by neighbours in the WLAN or by employees of the Internet Service Provider, but by the VPN provider and its ISP.
A complete encryption between sender and destination of an Internet connection can only be realized if this encryption is negotiated between client and server. That's what usually happens today: The majority of the websites are delivered via HTTPS with TLS encryption and are thus protected against third parties reading along and also against manipulation of the data. Remaining risks can be countered by HSTS, which ensures that unencrypted HTTP connections are no longer possible.
Other Internet protocols such as IMAP for e-mails, messengers or other apps also usually encrypt their data traffic using TLS or have their own encryption technologies, such as SSH. In contrast to VPN, however, this protection applies to the whole distance of a data connection and is therefore clearly the better solution. A VPN has only marginal advantages in terms of security - and these advantages disappear with every website that switches to HTTPS.
Metadata is centralized
What about the second promise with which VPNs are advertised - privacy? Isn't it primarily about the protection of metadata, especially when it comes to mass surveillance?
Here, too, one can question whether a VPN is really a good solution. An ordinary Internet user will normally use a variety of ways to connect to the Internet. At home, he chooses access via DSL or a cable connection, on the go the WLAN of a café or a mobile Internet connection.
Whether a VPN is an advantage or a disadvantage in terms of metadata is anything but clear. Because through the VPN all data connections are centralized at one point. A secret service that wants to monitor data traffic as efficiently as possible would probably be strategically positioned in the network near VPN access nodes.
Investigating authorities allegedly receive non-existent log data
Almost all VPN providers advertise that they do not keep logs themselves. But how trustworthy are these promises?
In a number of cases, logs from VPN providers that allegedly do not log data were used in subsequent investigations. In 2011, a member of the Lulzsec hacker group was convicted of a Sony hack using logs from VPN provider Hidemyass. In 2016, US investigators used IPVanish data in a case of child abuse, and in 2017 the FBI convicted a cyberstalker using PureVPN logs. PureVPN tried to explain the incident with the fact that there are different types of logs and its promise only applied to a part of the logs.
2. VPNs as a security risk
VPNs are of little use when it comes to security, and when it comes to data protection, the benefits are at least questionable. But in many cases VPNs themselves become a security risk.
VPN apps that do not encrypt or overlook IPv6 traffic
In 2014, a research team examined 283 VPN apps for Android phones for their security. The results were devastating: 18 percent of VPNs did not even encrypt their data traffic. 84 percent also failed to route IPv6 connections over the VPN, while 66 percent did not send DNS queries over the VPN. 16 percent of the apps partially manipulated data traffic and, for example, inserted tracking code into unencrypted HTTP web pages.
A popular free VPN is the service Hola. In 2015, a group of security researchers identified remote code execution vulnerabilities and other vulnerabilities in Hola. Irrespective of concrete security gaps, Hola's concept is based on the fact that data traffic is not routed via servers, but via other users.
This puts users of the application in enormous danger themselves. If a Hola user uses a connection for illegal purposes, they may fall back on other users without being aware of it. The fact that the Hola website is delivered insecurely via HTTP by default is probably the least of the problems.
Of course, these are extreme cases of dubious providers. But naïve users who hear that they should use a VPN for more security hardly have a chance to judge which providers and products are reputable.
In summary one can say: The benefit of VPNs in terms of security is hardly available in the modern web thanks to HTTPS. Anyone using services that are not delivered via HTTPS by default should insist that these services take the security of their users seriously - or look for alternatives.
When it comes to data protection, it is doubtful how much VPNs bring. It strongly depends on how much you can trust a provider. Questionable VPN providers often deliver software that is itself full of security risks.
VPNs only useful for niche applications
VPNs can be useful for some niche applications. This can sometimes be used to avoid annoying geoblocking locks. For users in countries where the Internet is censored, they offer a way to retrieve blocked services. Of course, the risks remain. If you want to use a VPN in such cases, you should make sure that it works with standard software, because most security risks are due to questionable in-house developments of VPN providers. The Wireguard software has a comparatively good reputation here.
For the normal web user, however, the risks clearly outweigh the potential benefits of a VPN in terms of security. And if you're seriously looking for a strong data protection solution, you'll be better off with a Tor browser.
Source: VERSCHLÜSSELUNG: Die meisten Nutzer brauchen kein VPN 2019-03-14
blackbird71 last edited by
What is often overlooked by users in seeking a VPN (or similar) for "privacy" are their own personal answers to questions of: what exactly is the user trying to keep private and from whom? Asked another way, what are the real-world consequences of the information-flow "privacy" being betrayed? The answers can range anywhere from a user trying to protect against a spouse somehow knowing what sites and traffic one is viewing all the way to attempting to hide from national censors/snoopers while seeking "prohibited" information (or even covertly communicating with an enemy faction). Hence the consequences of "losing privacy" may range from 'embarrassment' up to a prison term (or even execution).
Given that the use of a VPN (even including Opera's 'VPN' proxy) always necessarily reveals the IP of the initial-contact VPN server, since that must be openly affixed to the packet headers to route the traffic up to the server, a foundational privacy limitation of all VPNs is that the communication leg from the user's system through the ISP server on to the VPN server will always betray to a snooper that a VPN is being contacted by the user, regardless of the depth or success of any other traffic analysis of the packet contents. A competent traffic analyst will have access to a fairly up-to-date index list of virtually all the commercial VPN server IPs in use. In some scenarios and locales, merely using a VPN is sufficient for sanctions upon the user, or at least placing them on a "watch" list for more intensive scrutiny.
My counsel to anyone considering a VPN is to first answer the critical question of whether it seriously/legally matters to their local authorities whether or not they are even using a VPN, since such usage will easily be apparent to any snooping that exists there. This is usually a national/politically-driven issue, so the answer depends on the locale's "rules" and sanctions and the related risks a user is willing to run for whatever purposes. Beyond that, the Golem.de information is spot on regarding real-world VPN limitations to security/privacy.
sgunhouse Moderator last edited by
The most obvious case where you should have a VPN is if you are using an open WiFi network. If you're in a store or restaurant or hotel that provides free wifi and they don't give you a password, then anyone in the area can snoop on you.
If you're trying to get around a snooping partner you need a private window (not kept in history) rather than a VPN. If you're worried about government-level censorship they can probably block VPNs anyway. And trying to get around geoblocking ... possibly, but you may be violating laws as well as the site's TOS in doing so and therefore I can't endorse it.