< Ali Reza Hayati

Myths About VPNs
1058 words. A 6 minute read.

There’s a lof myths and wrong advertisements about VPNs. Lots of people believe VPNs make you private or completely safe. It’s not completely true. Most VPNs are designed to just hide your identity for some people or organizations, and your internet service provider. Not all of VPN providers’ claims are true.

VPNs Prevent Password Stealing

Password stealing was a threat a few years ago with something named “ARP spoofing attack”. Attacker made a computer pretending to be a network hub and steal everything including plain text passwords that went through that Wi-Fi network and it required a very little technical knowledge to perform the attack.

Or they could compromise the hub itself and look at all the traffic that was going through it. VPN providers claim that they send data over an encrypted tunnel. That may be correct (based on the provider).

But you know who else sends data and traffic through an encrypted tunnel? Every single website with a padlock in the browser (using SSL/TLS connection), every iPhone app since 2016, every android app since 2018. Anything that sends any personal data now uses a trusted encrypted tunnel, HTTPS, that padlock.

Unless you’re using websites or apps from the past, if anyone tries to intercept your data, it won’t work. Now people on the network can see what sites you’re connecting to, so, just the name of your bank, and they could see the contents of the dated websites, the ones that don’t use an encrypted trusted tunnel, HTTPS. Some browsers like Google Chrome show a “Not Secure” badge before the website’s address.

That’s all. No passwords, no bank details. Those attacks don’t work anymore. One VPN company even had their advert banned by the U.K. regulator because of those misleading claims.

VPNs Use Military-Grade Encryption

Military-grade encryption means AES which is the same encryption that’s baked into every web browser and app. You’re using military-grade encryption reading this article. it’s not wrong that (some) VPNs use military-grade encryption, it’s just not special either.

VPNs Stop Your ISP Spying on You

That is true, to an extent. Yes, without a VPN, your internet service provider, your ISP, can see what domain names you’ve been connecting to. that can be very good reasons to hide those. Your country may allow ISPs to sell that data to advertisers, or to build a profile on you. Maybe you’re studying at a fundamentalist Christian college, and you don’t want university administrators knowing you’re questioning your faith, or questioning your sexuality. Some ISPs also priorities some apps, sites, and traffic types over others, and a VPN means that they can’t do that.

Or maybe your government is planning to introduce an ill-advised and often-delayed block on adult content and you want to work around it. That’s all reasonable. Metadata does give away a lot of information and wanting to keep that private is a fair idea. But that’s not what a lot of the VPN ads are implying. They’re implying that your ISP can read the content of your messages.

And again, if there’s a padlock in the browser, or if you;re using a modern app, that’s not true. And if you do use a VPN, all you’re doing is changing who can see the metadata. Your ISP can’t anymore, but the VPN company can. Because at their end of the tunnel, they have to look at the metadata to work out where to send your traffic to. But maybe that’s worth it for you.

VPNs Don’t Keep Logs

It is a brave move for a VPN not to keep any logs, given that if that’s true, their service will inevitably be used for a lot of really awful illegal stuff. Some do claim that, some have even brought in independent auditors to try and prove that they don’t keep any logs. And you can’t have 100% certainty of that, but they have got as close as you reasonably can.

So if you’re planning an assassination and your priority is absolutely covering your tracks, then sure, I guess a VPN might be worth it. But to customers, a VPN that doesn’t keep logs is indistinguishable from one that’s been compromised by hackers, or that’s been given a little government black box that they don’t understand but they have to plug into their systems and not tell anyone about.

Or from a VPN where a single employee has been bribed and has started logging things for just a few accounts. To be clear, I do not think any of the VPN services are a front for the FBI, or Russian mobsters, or some state-sponsored plausibly-deniable intelligence operation. Genuinely, they are almost certainly not, and I do not want to scaremonger.

Any company that was found to be logging stuff without permission would be bankrupt soon after, it would be a very very bad business decision. And the enormous amount of money that VPN companies suddenly have probably comes from overenthusiastic venture capital firms. Actually, it almost certainly comes from them.

But if you wanted to see what the most paranoid, security-conscious people are connecting to, and you wanted to install software on their systems that is designed to read all their network traffic and then redirect it through a single choke point, then setting up a VPN service with a huge advertising budget would be a great way to do it.

VPNs Bypass Censorship and Help You Use Streaming Services

And that’s the real reason a lot of people use VPNs. Are you going to China, or somewhere else that blocks off access to a lot of web sites? That’s a fair reason. Do you want to watch another country’s streaming content, or download just enormous amounts of BitTorrents without being tracked? Those are valid uses of VPNs, even if they are legally questionable.

It’s just that “great for pirating stuff and getting around the law” is the sort of marketing that gets a company in trouble, and “we stop bad people stealing your passwords” is the sort of marketing that scares people into buying something that they might not need.

So What VPNs Are For?

If you want to hide your identity, pretend you’re in another country, or make sure your connection is secure as you work out the lethal doses of particular chemicals, then go and buy a secure, privacy-focused VPN.

29 Oct 2019 #privacy