This Bridge is the Root

View Original

Are Consumer VPN Providers Advertising Truthfully?

Consumer VPNs have become increasingly popular in recent years as individuals seek to protect their privacy and security while browsing the internet. However, despite their growing popularity, many consumer VPNs may not be as secure or as private as advertised.

Firstly, it's important to understand how a VPN works. When you connect to a VPN, your internet traffic is routed through an encrypted tunnel to a remote server, which then accesses the internet on your behalf. This can make it appear as though you're accessing the internet from a different location and can provide an added layer of security by encrypting your internet traffic.

The Claim

Many consumer VPNs advertised on YouTube and on podcasts claim that they secure your internet traffic when you’re traveling or in public. That if you don’t use their service, your passwords, banking information, and other sensitive information could be stolen. Some claim to block ads and malware. Some services claim to keep your search and browsing history private.

Are these claims true? Half-truths? Or are they completely made up?

The Reality

Let’s walk through the claims one-by-one.

Sensitive information could be stolen:

The claim that if you’re sitting in a coffee shop browsing free open W-Fi that your internet traffic could intercepted and stolen. Well, here’s the truth, if you’re browsing on unsecured Wi-Fi, your network traffic can absolutely be intercepted by anyone else nearby. The problem arises when you start asking the question, is there anything they can do with that traffic? Unlikely but possible.

The truth is that nearly all internet traffic is secured with TLS encryption these days. In fact, most web browsers will warn you when you navigate to a plain HTTP webpage now.

How did we get here? Years ago, little of the internet was TLS secured, mostly just banking and healthcare websites. There was a slow migration towards widespread HTTPS, but around 2010, browser addons such as FireSheep, drew attention to how easy it was to session jack cookies on unsecured Wi-Fi and addons such as HTTPS Everywhere helped users accelerate their usage of HTTPS.

So, passwords, banking information, and sensitive information are unlikely to be stolen even on unsecured Wi-Fi, because nearly all websites use HTTPS. This does not however guarantee that every site that you visit has TLS encryption enabled and you should always double check that that websites that you’re visiting, especially if you’re going to be entering a password or any sensitive information, is showing the lock symbol in the URL bar.

Browsing history is private:

This claim, I’ll place solidly in the plausible category. When we look at the first claim, your network traffic isn’t just HTTPS. For clients to access those HTTPS secured websites, they need to exchange information in plain text, such as DNS and certificates.

DNS traffic can be exchanged over HTTPS, however, it’s possible to block access to these servers and force clients to fallback to unencrypted DNS. Additionally, TLS certificate headers are exchanges in plain text. Between DNS and certificate headers, this information could provide an attacker with information about which sites you are visiting, but if the information exchanged with the server is encrypted, it’s safe.

For example, an attacker might be able to figure out that I’m talking to Google, but they won’t be able to tell what it is I’m searching for. Or they might be able to see that I’m surfing Facebook, but they won’t be able to steal my password or see which pages on Facebook I’m visiting.

This doesn’t resolve the issue of websites using cookies to track your browsing history across the internet, that’s an entirely separate issue.

Additionally, this might be the time to question if your chosen VPN provider is to be trusted. If the information that you would be putting out on unsecured Wi-Fi is sensitive to you, your VPN provider will be able to access that information as well, and by extension, so will law enforcement. A VPN does NOT protect you if your provider is subpoenaed or hacked.

Blocking of ads and malware:

This is another claim that I’ll place in the maybe category. If your VPN provider can block ads or websites with known malware, or is implementing host-based malware prevention software, then you might be covered. But ultimately, this isn’t a feature that’s exclusive to the use of a VPN, or even dependent on it.

Unrefuted Claims

Some VPN providers have started to shy away from the security claims in their advertisements due to explanations like the ones I’ve provided here. Some now chose to focus on how a VPN can assist in making websites think you’re in a country you’re not actually in. And these claims are mostly true.

Most websites, particularly media sites such as YouTube and Netflix, will use IP geolocation databases to determine which content you can and can’t view due to licensing agreements and other legal reasons. By using a VPN provider, you can use IP addresses that are geolocated in other countries and bypass those filters.

Unfortunately, it’s not difficult to block the IP addresses used by VPN providers, which could pose a problem for long-term use of the VPN providers.

Choose Wisely

Not all VPNs are created equal, but look out for the following aspects to determine if the consumer VPN you’re looking at is the right one for you:

  1. Logging policies: Many VPN providers claim not to log user data, but some do. This means that your internet activity could potentially be monitored and logged by the VPN provider, defeating the purpose of using a VPN for privacy.

  2. DNS leaks: A DNS leak can occur when a VPN fails to properly route your DNS requests through its servers, potentially exposing your internet activity to your internet service provider.

  3. Legal and jurisdictional issues: VPN providers are subject to the laws of the countries in which they operate. Some countries have strict data retention laws, which may require VPN providers to log user data and turn it over to authorities upon request.

  4. Company Reputation: Some free VPN providers may include malware in their software, which can compromise the security of your device. Consider the reputation of the company and keep an eye on the news to make sure they haven’t been compromised. A company that is compromised could also leak user data.

In summary, while a consumer VPN can provide some added security and privacy, it's important to choose a reputable provider that takes user privacy seriously. It's also important to understand the limitations of a VPN and the potential risks involved in using one. Ultimately, a VPN should be seen as just one tool in a larger strategy for protecting your online privacy and security.