Security Awareness Month: VPNs

What’s a Virtual Private Network (or VPN)?

When we write a letter (the snail mail kind), we put our finished message in an envelope, address it, put a stamp on it, lick it, seal it, and mail it. VPNs are like envelopes for our digital messages that are otherwise like sending letters as postcards where anyone can read our messages.

How do I choose the right VPN?

First, a word of caution. What you read isn’t what you get. The Internet is good at getting us to buy things we don’t need by telling us it’s “the best” this or that. Choosing the right VPN is important because we are going to trust it with our privacy and security.

Here are two good questions to ask when choosing a VPN provider:

  • Will it protect my privacy and security the way it claims? Does it leak DNS queries? Does it keep log files? Does it have any unsavory billing practices? (we want these answers to all be NO)
  • What have others said about using it? (Reviews aren’t always what they seem – dig deeper)
  • Is it friendly to use? (try one out for a month or two and decide if it fits you or not)
  • How much does it cost? (make sure these answers are clear and reasonable)
  • Is it appropriate for my needs? (read down a bit further to learn what a threat model is)

What is a Threat Model?

A threat model refers to online situations a person commonly encounters in that will compromise their privacy and security. Each person’s threat model is unique, as unique as our fingerprints.  While many of us use many of the same websites and services, we all have parts of our online lives that are unique to us. Before selecting a VPN, it’s worthwhile to understand your own threat model:

A common model: “I use a lot of free WiFi”

If you frequently connect your devices to free WiFi at cafes, restaurants, airports, hotels, and car dealerships, you are more vulnerable to unsavory people out there who are taking advantage of those insecure networks to compromise your privacy and security. To add to this, people who work at coffee shops, restaurants, car dealerships and other small businesses don’t have time or expertise to configure their WiFi securely, either, so it makes sense to have some protection.

Is a VPN a Silver Bullet Against All Threats?

Nope. Using a VPN will give you greater privacy and security in many scenarios, like the one above, but it is not a replacement for the protection offered by 2-factor authentication and keeping the software on our devices up-to-date. Those measures are essential, whether you use a VPN or not. If you choose to use a VPN, while it offers you a greater level of privacy, there are some scenarios where it can’t protect you.

Complete Anonymity

Many VPN services claim they can make you fully anonymous online. Full anonymity is technically impossible. Even though websites you visit won’t be able to know your true IP address, any VPN provider will know your true IP. Therefore, while you can certainly sign up for many of these services anonymously, the moment you connect to their VPN servers, they’ll know your true IP address.

Bandwidth Throttling

It’s not uncommon for Internet Service Providers (or ISPs) to throttle your Internet connection once you’ve used up a certain amount of bandwidth for the month. There’s nothing use of a VPN can do to help you bypass that since your connection to any VPN servers is established over the connection provided by your ISP.

Sophisticated Censorship

In that same vein, some ISPs use a technology called Deep Packet Inspection (or DPI). DPI makes it possible for them to identify, throttle, and/or even block traffic through their service that goes over a VPN. While they won’t be able to decrypt (or read) that traffic, they can do others things like slow it down or prevent it from passing through altogether.

There are indeed some clever ways to bypass DPI but sophisticated censorship programs can always just block VPN traffic if they choose. VPN connections are like “cars” that travel on the “roads” of the Internet. Those “roads” aren’t made of concrete but that from of a set of protocols called TCP/IP, which means that someone in control of those “roads” can always block whatever “cars” they wish, including VPNs.

Be a Savvy Consumer

We avoid making specific, product-biased recommendations here but we’re happy to offer some guidance on how to make your own choice.

Be aware that too many VPN services make false claims that their services provide complete anonymity, foolproof security, bypass all censorship, bulletproof streaming, and more malarky. However, the technical capabilities and limitations of VPNs are well known. Any provider that claims otherwise is either lying with intention to mislead you or doesn’t fully understand what they’re selling.

Whatever you decide fits your personal threat model, do make sure to continue to use strategies like 2-factor authentication and keeping your devices’ software up-to-date. Combined with a dependable and friendly-to-use-VPN, they offer you a way to protect your privacy and security while using the Internet from anywhere you choose with much more peace of mind.