Have you ever wondered if VPNs Really do much for your privacy and security? You see I’ve been using VPNs for a long time. Mostly to hide my IP address from the ISP so they wouldn’t send my parents angry letters about my internet usage. Sometimes I’d sign into sketchy Wi-Fi and wanted to double wrap. Circumventing geo-blocks and censorship when traveling also came in handy. But something always felt fishy about VPNs, since instead of trusting the ISP that you do know, you decide to trust some guys in Europe and an ISP that you don’t know. I decided to check out what the VPN providers themselves were saying about this stuff. “Malicious websites could infect your devices with malware unless you use.” VPN apps to keep your activity and identity private while you browse, stream, email, or download. Protect all of your devices with just one click.
Internet security is that easy! I guess Internet hacking is also that easy. Selling online security and privacy as being all about VPNs is like telling people health and well-being is all about face masks which sounded a little bit like snake oil to me, so I decided to take a look at the history of snake oil. And what I learned was actually kind of interesting. A long time ago, Chinese immigrants moved to San Francisco to build the railroads of America and brought with them snake oil from the Chinese water snake as an ancient traditional medicine to treat arthritis and joint pains, since it contains 20% EPA, a type of omega-3 fatty acid known for its anti-inflammatory properties. Cowboy entrepreneur Clark Stanley started hawking it as a cure-all that turned out to be beef fat, chili peppers, camphor, and turpentine.
Stanley got slapped with a symbolic fine of $20 by the government, leaving him a wealthy man and spawning an industry of other products, and salesmen just like him You see, the problem with VPNs is that just like snake oil, it’s fantastic in its original form and function which is to bridge two remote sites together, or allow an individual to securely connect to a different network. The whole point is to tunnel your Internet from a network of lower trust to a network of higher trust. A corporate VPN, for instance. It’s kind of like entering a wormhole to get from Point A to Point B, bypassing everything in between. But things start to get dicey if you’re going from a high to low trust, low to low trust, or an “I don’t know” level of trust. And right now, it feels like a lot of fear-mongering in this industry.
We got everyday folks convinced VPNs are what they need to keep themselves private and secure, but in reality, they’re just paying for slower speeds, time spent training machine learning algorithms, and being lumped in with all the spammers and hackers abusing these services. Sometimes you just have to remind people that most of their web browsing is already encrypted without a VPN and securing your DNS traffic in Firefox or Chrome is literally just a click. I pulled Alexa’s top million websites and wrote a script checking for HTTPS support and found that most of the first 90 thousand did. At this range, we’re looking at sites, which I’m sure we all visit every day.
Worst of all is when companies want you to install their custom VPN client, forward your DNS over to be “leak-proof”, and even install their certificate authority on your device, which is like charging people you can man-in-the-middle them. But at the same time, isn’t there some value in masking your IP address when surfing the Internet? We need to dig deeper. When your computer talks to a server, it sends packets tagged with a source and destination IP. These traverse the local network and a series of ISPs to reach the final destination. Anything logging traffic in between can see your source IP address, which can get geolocated to within a few zip codes away from your home.
Your IP is probably shared by hundreds of other people and rotates regularly, so it’s only an approximate location, not where you sleep at night. With a VPN tunnel, the original packet gets encrypted and wrapped in another IP header with the VPN server as the destination. The server will unwrap the packet and forward it through its own ISP, using its own IP address as the source. Devices sitting before the VPN server can see your source IP, but not the destination. Devices sitting after can see the destination but not the source. The zones of visibility in the network path are now partitioned. Say hi to Elliott. Elliot wants to save the world by being a hacktivist.
He uses a VPN to mask his IP address but doesn’t factor in all this other stuff. Instead of disappearing, Elliot leaves a blazing trail for the Feds to follow. Elliott goes to jail. The end. Here’s the deal. Focusing on just the IP header is focusing on just the tip of the iceberg. When you look at a network packet, there’s metadata present across all layers of the OSI model. Depending on the vantage point of an observer in your network path, there are different visibility levels in your packet.
In the spirit of custom scores, only 1 out of a hundred eighty-five providers get over 9 stars on my red to the green color scale. So now you might be wondering: “What are the use cases where a VPN makes sense? Should I even try to mask my IP address? How do I not get spied on doing this? Before you can answer this kind of question first you want to figure out what your threat model is. Is it cybercriminals? Big tech companies? Your government Developing the right threat model can help tailor your level of paranoia accordingly so it’s not over or underweight. For most people, practicing digital hygiene and cleaning up your online identity isn’t that complicated. Use a unique password for every site.
Use a unique email for every site. Use hardware security tokens for two-factor authentication. Use random answers for recovery questions. Go through all of your settings on your accounts. Sanitize your social media. Use virtual machines and multiple phones for different kinds of activities. Don’t click links or scan QR codes without analyzing them first. Set up a commercial address so you don’t receive mail at home. Keep apps to a minimum and avoid pirated software. Use a host-based firewall to alert on outbound connections that you manually need to verify for every app. If you’re traveling and tempted by public Wi-Fi, just bring your own Internet through a portable hotspot or by tethering off your phone. None of these options involve using a VPN, yet do far more for your security and privacy overall. Now, don’t get me wrong, but there are cases where you probably should mask your IP address.
Circumventing IP blocks to watch Netflix, getting around national firewalls, bypassing download limits, performing offensive security assessments, conducting OSINT and research. Maybe you just want to keep your home IP address out of breach dumps for people to collect and target you specifically. In these cases, I strongly recommend renting a cloud VPS and just do it yourself, whether it’s Wire guard, Shadow Socks, a web proxy, or even good old SSH tunneling. This way you understand the technology a bit more and now use a wormhole that you created, and can personally control some of the infrastructures of the exit node. But wait. Remember that one out of a hundred eighty-five? The team behind that provider does seem a bit more trustworthy than the others. I’m not going to say who, but I will share some things to consider if you don’t want to set up a VPN yourself.
Here’s how you find a good VPN, and that’s two things: humanity and reputation. Humanity means knowing the people who actually own and operate a service. You can reach out and they’ll talk to you. The more shell companies, anonymity, and third parties involved, the less humane it becomes. When things go wrong, it’s easy to opt-out of being accountable. Reputation takes years to build and a moment to lose. If a provider’s brand new, it’s hard to imagine they’ve put in enough work to build it up. You want people who are honest about their mistakes, communicate early and often, and take action to fix things, even if it means massive self-sacrifice just when it’s really inconvenient to do so. You want people who have skin-in-the-game, personally using their own products so there’s an incentive to protect and make it better, with something valuable at stake.