TL;DR
VPNs provide a privacy advantage if you don’t trust the local network or internet connection. But they do not provide a security advantage unless combined with a web filtering technology, and you don’t need a VPN to get that kind of filtering protection.
Added to that, they may create a privacy concern of their own if the VPN provider uses its service to collect data on its customers’ traffic.
Background
The Old Threat
Back in the olden days (let’s arbitrarily say before 2015), browsing to a website didn’t always use encryption - it was plain old HTTP, without the trailing ‘S’ or the nice little padlock in the address bar. In that case, someone running a malicious Wi-Fi network could capture all the traffic and, because it was unencrypted, read everything going back and forth between users and remote websites. An attacker could easily run a spoof Wi-Fi network in a cafe, hotel or airport and hoover up loads of user data.
Back then private VPNs were relatively rare; far more common were enterprise or corporate VPNs.
Ye Olde Enterprise VPN
A traditional corporate VPN was used to connect your computer into the office network, as part of a now old-fashioned model of keeping all company devices inside the safety of the office network. That meant you could access the other services running inside the office, like the old file share or accounting platform. Or, most importantly, the Active Directory server that authenticated all the user accounts.
So, many companies ran a VPN server in the office that allowed remote users to connect in as if they were physically present - the kind of appliance that nowadays you’ll most likely hear about because of a new zero-day vulnerability or ransomware attack.
What about VPNs now, in the 2020s?
Whilst VPNs were great when most websites weren’t using HTTPS, these are the days of ubiquitous encryption: most modern browsers warn about plain old HTTP (or just block it), and will upgrade users to the HTTPS version of a site where one exists.
Plus most of the other traffic coming out of your laptop or phone uses the same or similar encryption (TLS). That means the same malicious network operator can still see what your device is talking to - the DNS lookups, the destination IP addresses and, for most TLS connections, the server name sent in the clear in the handshake (SNI) - but all the content is private and encrypted. So the worst case on a hostile network is some loss of privacy, not loss of security, provided the apps on the device actually use encryption.
But lately VPNs do seem to be increasingly popular, although the typical use-cases have shifted. Using a VPN to bypass local restrictions on certain platforms may now be the most common use case, and we can divide it into three common scenarios, ranked by general acceptability: the ‘good’ justification of bypassing restrictions imposed by authoritarian regimes, ‘neutral’ country switching to get a different range of streaming programmes to watch, and ‘bad’ attempts to bypass local enforcement of age restrictions for pornography or other services.
But what about their purported security benefits?
Actual Security Benefits
VPNs can be good for security if they also provide a DNS service that does some kind of filtering of malicious domains. This is the case for ProtonVPN and their NetShield offering, for example. NordVPN seems to have something similar, although their website isn’t clear that it’s a DNS filtering solution.
But there’s a key point to make: you don’t need a VPN to do this. In terms of filtered DNS services, there are free options like Cloudflare’s “1.1.1.1 for Families” resolver on 1.1.1.2 (malware blocking), or a newer EU alternative. You can specify the default DNS provider on all user devices, and on most routers [1], so such filtering services are an option for everyone. One caveat: a filtering resolver only protects lookups that actually go through it, so an app or browser configured with its own DNS-over-HTTPS provider will go around it.
Finally, it’s also worth pointing out the potential problem with commercial VPN services: by pushing all of your traffic through a VPN service, you are guaranteeing that the service provider can see what sites and services you are using (but again, not the content of your traffic). That is a shift of trust from your ISP or local network to the VPN provider, and if you don’t trust the provider it is a clear reduction in privacy. Thankfully most of the big services trumpet being a “no-log” service, but that’s a difficult claim to prove externally.
It’s not just me
I’m not alone in this opinion. One prominent example of consensus is the relatively new Hacklore project, an admirable collective initiative to stop the spread of common security misconceptions. On VPNs, Hacklore says:
VPNs can hide your IP address from the local network, but they’ll still see any unencrypted traffic that your apps or operating system transmit. For most people, the encryption built into your apps already provides strong protection. VPNs make sense only for specific use cases, like bypassing local censorship or connecting securely to a work network. Users of Apple products should consider using iCloud Private Relay service which is built into iPhones, iPads, and Macs, and which costs less than many commercial VPN services.
I didn’t know about iCloud Private Relay, so that’s a good tip.
Advice for Geeks
If you want an actual recommendation: I’ve used ProtonVPN in the past, and it’s easy to use and reasonably priced.
But you don’t have to pay for a VPN subscription. It’s hard to argue with setting up Pi-hole on a Raspberry Pi - which, if set as the default DNS provider, blocks lots of advertising and tracking domains for all devices on the local network - and also using that Pi as an exit node on a personal Tailscale network.
That lets you connect your devices together, use the Pi-hole for ad-blocking DNS when you’re out of the house, and gives you a VPN back to home. The same setup can also use Mullvad as an exit node (a paid add-on in Tailscale), if you want a personal VPN that terminates somewhere other than home. You can do the home setup for almost nothing; it’s just the cost of buying and running a Pi.
If you need more than a personal setup, you can run a WireGuard VPN server in the cloud for relatively low running costs.
Notes
1. Some ISP-branded routers don’t allow you to configure the default DNS service, as they want you to use their own.