A Virtual Private Network (VPN) allows a component from a trusted zone to be accessed from an untrusted zone. This technology enables a user to access company data from Starbuck Wi-Fi. It was a clever way to ensure that individuals that needed access, had access when they need it from wherever they were in a secure manner.
This article explains why VPNs have a purpose, but why the layperson does not need a VPN.
What is a Virtual Private Network (VPN)?
In layman’s terms, a VPN creates a secure tunnel that makes privates networks accessible from public networks.
Imagine you work at Google. You want to access a document on the Google network, but you are at Starbucks. A VPN opens a doorway, a tunnel, into the Google network that allows you to access that document. Without that doorway, tunnel, you would not be able to access it because locked behind a “private” network.
A VPN gives organizations assurances that a) you as the user are allowed into the organization’s network, and b) you as the user are allowed to access that file through appropriate authentication.
VPN tunnels are secured by using encryption technology that is used as a wrapper that protects content as it travels from your computer to the network. This technology helps reduce the risk of a Man in The Middle (MiTM) attack; an attack where someone on the network can see what you’re doing.
The Argument for a VPN
The layperson checking their bank, sifting through their Facebook, Instagram and Twitter feeds, or even engaging via E-mail, does not need a VPN.
The case for a VPN boils down to two key points:
Everything else is just noise.
VPN and Security
The security argument:
VPNs help protect you from anyone trying to access your personal information and other data you send and receive.
This is specific to:
- Data can be Stolen – Man in the Middle (MiTM) attacks;
- Encryption – it’s all about the military-grade stuff;
Data Can Be Stolen
When someone says data can be stolen, they are referring to a Man in the Middle (MiTM) attack. MiTM attacks allow a bad guy to see what you’re doing on the same network if the data is not encrypted (i.e., in plain text).
96% + of the information flowing on the web today is encrypted. You can also argue that 100% of large, legitimate, sites are also encrypted. If they are not, then you should really question doing any interactions with the site, especially if it’s an e-commerce site.
A few years ago I wrote how HTTPS doesn’t secure websites, but what I didn’t talk about is how HTTPS does help improve the security for online users. I went on to write an article explaining how HTTPS actually works.
In today’s secure-by-default world, MiTM attacks have become exponentially harder on public Wi-Fi.
The one argument that VPN providers make that could be debate-able is that HTTPS/TLS is specific to browses, while VPNs are for the device. There was a time where this argument was applicable, but that is becoming less so in this modern digital age. Modern applications today use HTTPS/TLS to encrypt data in transit via Application Programming Interfaces (API).
The silliest argument is this idea that VPN’s offer “military-grade” encryption. There is no such thing as military-grade encryption. The military uses the same level of encryption as everyone else. Talking about encryption can be extensive, so I’ll save you the headache. The military uses the same encryption that the rest of the world does.
VPN and Privacy
The privacy argument is:
VPN’s mask things like your IP address, location, and search history, to keep them from being tracked by websites, internet browsers, cable companies, internet service providers (ISPs), and others.
This is only partially true, but it doesn’t talk about the fact that privacy is a trust game. Yes, you will mask things from ISP’s, but you’re essentially shifting that insight to the VPN service provider instead. VPN’s do nothing to mask search history on browsers, the data collected via cookies on sites (specifically Google) or via the ads on the sites you’re visiting or applications you’re using.
Is it better, or worse, that a VPN provider has your location information? can see what sites you are visiting, or their IPs? That’s the real question you should be asking yourself. Do you trust the VPN you’re using more than the ISP you’re using?
If the concern is that they sell your data, then what are you doing to ensure your VPN provider isn’t already doing that? And how are you navigating the myriad of VPN resellers and providers? Do you know who is running your VPN service?
Privacy is a weak argument for why a layperson needs a VPN. It does little in the world we live in where your privacy is encroached every day by your online activities.
If you are truly concerned about your ISP knowing your IP, or knowing the domains you’re visiting, you can do that with DNS technologies like CleanBrowsing, just as easily as you can with a VPN and for free. If the argument is that DNS is not secure, no worries you have a number of DNS resolvers with encryption options like DNS over HTTPS (DoH) and DNS over TLS (DoT) to help with this.
The Lay Person Does Not Need a VPN
You do not need a VPN for everyday online engagements. The web as a whole as becoming more secure over the past ten years.
There are legitimate reasons, and parts of this world, where leveraging encryption technology like a VPN is a necessity (think communist regimes and dictatorships). If this applies to you, then you should ignore everything in this article as privacy is absolutely your top concern. But I do challenge you to think about whether a VPN will help you achieve your desired end state. If what you are doing is truly has the ability to cause you harm, then you should be considering platforms that truly offer you anonymity like TOR, or other similar networks.
For those in western societies, however, the arguments are marketing tactics that take advantage of a user’s ignorance on how the technology works and the need to feel safe online. It abuses emotional sentiment around the need for things like “security” and “privacy”.
Who doesn’t want to be safe on the web, or ensure that people are not seeing their data? A majority of the web is “secure,” and privacy is a big, complicated, subject. I would spend more time worrying about what companies like Google, Facebook, and others are doing with the data they are collecting than whether an ISP can see the domain you visited.