When and why it's useful to use a VPN

in Project HOPE · 2 months ago (edited)

There are several reasons to use a VPN and, without going into too much detail, they boil down to the following:

  • hide internet activity
    as users have a reasonable expectation that whatever is done on the Internet is private, but oftentimes it's very easy to spy on any activity instead.

  • use public or guest Wi-Fi with fewer risks
    because there are very few circumstances that are more dangerous than a free hotspot, as explained in more detail below.

  • bypass local network restrictions
    to access content that, for one reason or the other, might be blocked by network administrators for reasons of opportunity (e.g. social networks in an office) or censorship (e.g. an oppressive government).

  • secure your privacy
    as everyone is entitled to safe communication, yet that is not granted by the standard web protocols without a secure overlay.

Most users may think that modern Internet communications are secure by design, but there are some misconceptions in the general knowledge that may be misleading and give a false sense of safety.

This website uses HTTPS, so it's secure

While most websites today make use of HTTPS, and Brave itself (similarly to desktop-class web browsers equipped with the very useful HTTPS Everywhere extension) enables it for those that guiltily still don't, that only protects the content of web traffic between device and site: a lot of other potentially sensitive data exchanged outside of that (such as DNS requests that identify the destination website, and query parameters inside the URL used by search engine requests) remains visible in plain text and subject to network sniffing. For the more technically inclined, Ericlaw has written a detailed and comprehensive description of the limitations of HTTPS.
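Added example, not part of the original post: a plain DNS lookup as it appears on the wire, parsed the way any device that sees the packet could parse it, to show that the destination hostname stays readable even when the site itself uses HTTPS. The hostname `clinic.example.org`, the transaction ID and all function names are constructed for illustration.

```python
import struct

def build_query(hostname, txid=0x1A2B):
    """Build a plain UDP DNS query for an A record, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in hostname.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def read_name(msg, offset):
    """Decode a DNS name at offset, following RFC 1035 compression pointers."""
    labels, jumps, resume = [], 0, None
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # two-byte compression pointer
            if offset + 1 >= len(msg) or jumps >= 16:
                raise ValueError("bad compression pointer")
            if resume is None:
                resume = offset + 2            # parsing continues after first pointer
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            jumps += 1
            continue
        offset += 1
        if length == 0:                        # root label ends the name
            return ".".join(labels), (resume if resume is not None else offset)
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length

def observed_questions(msg):
    """Return the (hostname, qtype) pairs readable by anyone who sees the packet."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    offset, seen = 12, []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise ValueError("truncated question")
        qtype, _qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        seen.append((name, qtype))
    return seen

# Constructed sample: the lookup a device sends before an HTTPS visit to a made-up site.
SAMPLE = build_query("clinic.example.org")

if __name__ == "__main__":
    print(observed_questions(SAMPLE))
```

When the lookup is sent through a VPN tunnel, this packet is carried encrypted as far as the provider's exit gateway.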

From a security standpoint, any time a device is outside its "home" network (that is, a network that is trusted and considered safe because the user manages it) it connects to and operates on a network that should be considered insecure by definition: typically this means any random free Wi-Fi network available anywhere and, for mobile devices, the cellular network.

Look Mum, free Wi-Fi!

The classic scene depicting people being hacked while surfing at a coffee shop is not a dramatization: it is accurate and realistic.

Public Wi-Fi hotspots are more or less a hacker's playground and represent a real threat: no sensitive operation such as accessing sensitive information or - God forbid - online banking should ever be performed there without additional layers of protection.

There are multiple reasons for this, starting from lack of access control: for convenience and ease of use, most public hotspots don't require a password. Visitors log in to a captive portal and are generally only required to accept some boilerplate terms of use about (in increasing order of severity) not committing acts of terrorism, perpetrating child trafficking, or downloading pirate music while on the network. Because of that, the traffic is not encrypted and anyone on the same wireless network can capture it and read its content. And - if a Wi-Fi password is required - then it's usually written in BIG LETTERS on the wall for all patrons to know, so people from across the street can't surf for free - but everyone inside is sharing the same encryption key, and therefore can capture and read everyone else's data packets.

Using free Wi-Fi without a password is tantamount to talking out loud in a crowded public place about personal matters; using free Wi-Fi with a password on the other hand is much better, as it's just like talking out loud about personal matters in a room full of people.
Either way, everyone else can listen (and someone will).

I'm on mobile, I'm ok

Of course, mobile networks (such as 3G and 4G) are encrypted, but that alone does not provide any kind of robust security. As explained by Prof. Bill Buchanan,

3G/4G network only supports encryption from phone to the base station, along with the possibility of it using a weak encryption cipher... and there is no encryption applied to the data when it reaches the wired network. To be fully secure, we must overlay our security with SSL/TLS, SSH, or a VPN tunnel.

(source: "What is the encryption in 3G/4G networks?")

The paper by Prof. Buchanan explains how in 2010 it was already possible to crack the encryption of GSM and 3G networks, and even with stronger ciphers in place today there is no encryption on the wired network after mobile base stations.
Therefore, while being better than public Wi-Fi, a cellular line must not be mistaken for a secure channel.

What to do then?

If privacy and security are of utmost concern, a VPN is a safe and practical way to obtain them. While the service comes at a price, not all VPN providers are equal, and "more expensive" doesn't necessarily mean "better". Some specific features must be present for an operator to provide an adequate level of service and, to help make an educated choice, they are nicely summarized in this article by TechRadar. When looking for this kind of information it is worth remembering that several VPN vendors write their own guides, which can be biased towards their specific features, so it's better to use an independent publication as reference.

As a rule of thumb, if an article contains lines such as "Unless you use an effective and reliable VPN like XYZ" or it is on top of search engine results with a title such as "Best VPN providers reviewed", then steer clear - it is likely advertising junk. Instead, reputable technology outlets such as PC Magazine, TechRadar and Tom's Guide regularly publish reviews of VPN services, and those can be considered good guidelines.

Remember VPN does not mean anonymity nor immunity

While there are several valid reasons to use a VPN, it is extremely important to remember that VPNs do not provide any anonymity or immunity, as all they do is tunnel a connection through a protected channel from one point to another; the exit point - which normally is one out of many gateways managed by the chosen VPN provider - is still connected to the public internet, and from there onwards all data, unless encrypted by a protocol such as TLS, is vulnerable again.

Great information on VPN usage like this is highly needed; in my country, as a result of poverty, a lot of people are quick to jump on free Wi-Fi and even carry out banking transactions through it, therefore exposing their banking details to scammers freely.

I'm glad you find my post useful. In general there is little information about VPNs and, where there is, it's bloated with marketing claims as VPN services have become ubiquitous in the last two years. Yet not all VPNs are the same, and it is also important to know there are several things that VPNs don't do - such as provide anonymity and protect from user profiling. For that, other tools must be used - but all VPN providers would like the public to believe that "a VPN is the final security for everyone against everything". It is really not like that.

 2 months ago 

Wow.
Definitely, it is very difficult to be sure with the connections that we are using from our phone and from where we can connect.
I particularly avoid and never connect to public free Wi-Fi networks.

That is a good practice; in case of need however, public Wi-Fi can be used without too much concern for basic tasks that don't pose security risks (e.g. browsing the latest news).

 2 months ago 

Dear @lbarbera

Another interesting choice of topic. I've been constantly hesitant about using VPN as I like to watch YouTube videos of my fav subscribers (customized feed). And as far as I understand - if I would use VPN then my feed would be completely different?

I've been also wondering if those users who are using VPN are not attracting more attention as suspicious accounts/users? Like someone who is hiding so shall be monitored extra?

The classic scene depicting people being hacked while surfing by a coffee shop is not dramatization: actually, it is accurate and realistic.
Public Wi-Fi hotspots are more or less a hacker's playground and represent a real threat: no sensitive operation such as accessing sensitive information or - God forbid - online banking should ever be performed there without additional layers of protection.

So ... all Starbucks and free airport Wi-Fi are a hacker's playground and I shall be extra careful there?
What about co-workspaces? Where many people are coming to such places simply to work online (digital nomads often do).

ps. I wonder which VPN would you recommend yourself?

cc: @unbiasedwriter - you may find this subject interesting.

Have a great Monday ahead of you :) Upvote on the way.
Yours, Piotr

Hi Piotr! Thank you for commenting; I'll do my best to address your questions, which are very interesting on their own - and indeed extend the conversation on many interesting points.

If I would use VPN then my feed would be completely different?

Likely not at all: the YouTube feed is built upon your profile (linked to a Google account, if you are logged in to YouTube with it, or a local anonymous profile otherwise). Therefore, your preferences, subscriptions and all the likes are retained.

I've been also wondering if those users who are using VPN are not attracting more attention as suspicious accounts/users? Like someone who is hiding so shall be monitored extra?

In theory it is possible. However, only an adversarial situation where users are actively monitored - like an authoritarian political regime - would be interested in this kind of control. In general, on the internet nobody cares if a VPN is used. Specific exceptions exist, e.g. streaming services (like Netflix) that rely on strict geolocalization are using 3rd party services (e.g. MaxMind) to identify if a user is behind a VPN, as they have to enforce digital rights that depend on the specific country where the customer is located (for example the content catalogue for Germany can differ from Poland and the Netherlands and a show available in a country may not be available elsewhere).

So ... all Starbucks and free airport Wi-Fi are a hacker's playground and I shall be extra careful there?

Yes. Better safe than sorry. Of course that also depends on the activity: browsing the web for reading news is pretty much safe, while banking online is not. Similarly sensitive operations - such as performing cryptocurrency transactions - are not advisable without some additional security layer.

What about co-workspaces?

Shared network, same as a Starbucks. How much do you trust your neighbour? Throwing in a VPN when performing sensitive operations won't hurt.

I wonder which VPN would you recommend yourself?

I refrain from specific suggestions as I am an independent advisor and I like to keep it this way :)
For this reason I have included in my post some guidelines about reputable tech outlets that periodically evaluate the major VPN providers and rank them, with good details about pricing and features. Just don't fall for marketing claims.