3:31 pm - 09/03/2017 | Categories: Security
“Use a VPN!” often seems to be the go-to advice for everything security and privacy focused online. But let’s be clear, they are far from the fix-all they are often made out to be.
Admittedly the title is provocative and overly dramatic; I don’t really believe they shouldn’t be used at all. Instead I want to question some of the echo chamber that surrounds their support, in the hope that users may take greater consideration next time they use their VPN to protect their security.
So what is a VPN?
With all the hype around them, many stumble into using them without ever really getting to grips with what exactly a VPN does.
A VPN is a Virtual Private Network, used to establish a secure remote connection by encrypting the traffic being sent. The encryption is key: it keeps your network traffic private, as only the VPN server you’re communicating with is able to understand the data being sent.
What are VPNs used for?
When talking about VPNs it’s easy to think of the somewhat sketchy activity that is associated with them, such as:
- Bypassing internal firewalls (Such as accessing blocked sites at a public library)
- Disguising your geographical location online by using a different public IP address
Though it’s important to remember they are a force for good too! They are used much more commonly to:
- Improve your security on an untrusted network (such as public WiFi)
- Enable secure communication between networks, often found in many schools and businesses to allow users access to on-site resources remotely from home
However, I’m mainly focusing on the privacy and anonymity angle of using them and the security issues that come with it.
So what’s the risk?
In bypassing the network through encryption you are entrusting all your security to the VPN company, creating a single point for your security which can easily become a weakness. You become dependent on them to do the right thing with your data, which can become a backwards step for anyone using a VPN for privacy reasons. Just as the government and corporations can breach your privacy and snoop on your data, so too can whatever VPN provider you’ve chosen.
Many VPN providers keep logs on their users, which means records are kept on who is using the service which may include their real IP addresses along with log in and log out times. If privacy is your main concern, you can easily shoot yourself in the foot by choosing a VPN which actually tracks what you’re doing. The worst part is this information can then be used against you as evidence if you get up to anything illegal while using the service, more on that later.
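An added example (not from the original post) of why these connection logs matter on their own: given only a real IP, the exit IP and login/logout times, an externally observed exit IP and timestamp can be matched back to a customer, and a second observation narrows a shared exit IP down to one user. The log format, field order and all addresses below are constructed for illustration.

```python
from datetime import datetime

# Constructed sample log: real IP, shared VPN exit IP, login, logout ("-" = still online).
SAMPLE_LOG = """\
203.0.113.10 198.51.100.5 2017-03-01T18:00 2017-03-01T19:30
203.0.113.77 198.51.100.5 2017-03-01T18:45 2017-03-01T20:10
192.0.2.44 198.51.100.5 2017-03-01T19:50 2017-03-01T21:00
203.0.113.10 198.51.100.9 2017-03-02T21:00 2017-03-02T22:00
192.0.2.44 198.51.100.5 2017-03-02T21:10 -
"""

FMT = "%Y-%m-%dT%H:%M"

def parse_sessions(text):
    """Turn log lines into (real_ip, exit_ip, start, end) tuples."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        real_ip, exit_ip, login, logout = line.split()
        # An open session has no logout yet; treat it as still running.
        end = datetime.max if logout == "-" else datetime.strptime(logout, FMT)
        sessions.append((real_ip, exit_ip, datetime.strptime(login, FMT), end))
    return sessions

def candidates(sessions, exit_ip, when):
    """Real IPs that were connected through exit_ip at the given time."""
    t = datetime.strptime(when, FMT)
    return {real for real, ex, start, end in sessions
            if ex == exit_ip and start <= t <= end}

def narrow(sessions, events):
    """Intersect the candidate sets of several (exit_ip, time) observations."""
    remaining = None
    for exit_ip, when in events:
        found = candidates(sessions, exit_ip, when)
        remaining = found if remaining is None else remaining & found
    return remaining or set()

if __name__ == "__main__":
    logs = parse_sessions(SAMPLE_LOG)
    print(candidates(logs, "198.51.100.5", "2017-03-01T19:00"))
    print(narrow(logs, [("198.51.100.5", "2017-03-01T19:00"),
                        ("198.51.100.5", "2017-03-01T20:00")]))
```

A shared exit IP gives two candidates for the first observation, but two observations together leave exactly one real IP, with no traffic contents logged at all.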
But my VPN doesn’t keep logs and makes … Promises!
Nobody lies on the internet, right? Sadly we don’t live in a perfect world where everybody tells the truth. You wouldn’t give a stranger your social security number and bank details just because they said you could trust them, would you? If the answer is no (hopefully) then you shouldn’t blindly place your faith in a VPN; you should subject them to the same security rigors as you would anyone else.
Don’t believe me? Just look at HideMyAss, a once highly popular VPN service who like many others famously claimed a non-logging policy – but guess what? They kept logs. They stored records on every user’s IP address and the times they used the services.
All this came to light when HideMyAss were approached by law enforcement over the LulzSec hacks. Threatened by the FBI and court orders, the provider was soon forced to hand over its records containing incriminating evidence, which is said to have led to the arrest of Cody Kretsinger, a member of the group.
Now, depending on your usage of VPNs this may seem far-fetched. But there’s an important lesson to be learnt here: when your VPN claims to be a huge privacy advocate, remember nobody is going to go to jail for you. No matter how lofty their morals and ideals are, when it comes down to it, if they keep logs on you, they’re going to feel the full force of the law over them.
Ultimately, if it comes down to a choice between handing the logs over to keep their business or losing it all for just one of their users paying a small monthly fee – I think we all know what they’ll choose.
Choose a VPN provider you can trust – Admittedly this is easier said than done, however it’s not impossible.
It comes down to what you want and expect from your VPN. If your browsing intentions are entirely legitimate and security is your main concern then you’ll be fine with most VPN services (although I’d recommend shying away from any brand new services with little reputation). However, if anonymity and privacy is your concern and you’re planning on something such as hacking, you need to ensure you have a VPN you can trust, otherwise you may well be doing more harm than good.
If you do decide you really do need a VPN then make sure to always:
#2 – Do your research
Turn to your search engine of choice and carry out some research by querying “service + logging” for example to see if anything surfaces. You should also check out some reviews on the service you’re interested in before you hand over any money.
#3 – Check the location
I’d recommend not going for a US-based company and instead opting for a service based in a country with strict privacy laws.
#4 – Company Transparency
It goes without saying that you really shouldn’t trust that sketchy Russian site with little information. Just because the service is about being anonymous, that’s no reason for the company to hide behind a veil. Look for a VPN provider that is transparent about itself, such as revealing its location and even publishing transparency reports detailing legal requests. If you’re looking for a recommendation then Cyberghost VPN is great in this regard, with IP Vanish being another solid choice; I’ve used both of these services in the past.
Though I’d prefer you take the time to do your own research before rushing to any conclusions. Stay secure out there.
That’s right, I’m back – woot woot. No doubt the articles were sorely missed, right…? Anyway, should be publishing more regularly from now on.