Five Common VPN Myths — And Realities

When it comes to all things VPN and cybersecurity-related, there are a few common myths that get bandied about.

Some of these are deliberately seeded by people that have a vested interest in giving you bad advice (read: VPN sellers).

Other people, in my view, imagine that the threat to their privacy is greater than it actually is.

Here are some of them — and my take on why I think that they are wrong — in as plain a language as possible.


1. “Everybody Needs a VPN”

If you want to Netflix and chill US-style, then yes, you might need a VPN.

If you are based in Brazil and you want to watch content that Netflix has only made available for US audiences — then yes, you need a VPN.

Actually you don’t — a proxy could, in theory, do the same geolocation trick — but these days there’s no reason not to use a VPN instead. (Proxies act as gateways to your traffic, providing the same IP address masking, but your traffic does not travel to the proxy server in an encrypted tunnel like a VPN).

When you connect to a Virtual Private Network (VPN) server, your internet traffic and DNS requests (if configured properly) are encrypted and tunneled.

And because your packets travel through a VPN server, they inherit that server’s public IP address. Netflix, and other major content providers, regulate access to their multimedia libraries on the basis of their users’ IP addresses.

That is to say: if your IP address geolocates to an address in Brazil you will be shown the Brazilian version of Netflix without any action required on your part.

And if your address geolocates to an address in the US you will get Netflix US — unless Netflix has decided to block traffic from that VPN server.

If you’re a millennial then you almost undoubtedly already know all this — although you mightn’t realize that there’s a good chance you’re violating the provider’s Terms of Service (TOS) by spoofing your real location.

But say you have zero interest in masking your geolocation and you are browsing the internet from your trusted home network.

You (hopefully) have configured a strong WPA2 password and periodically monitor the network for unauthorized devices. Or you just plug an ethernet cable into an RJ45 jack.

Given that the vast majority of websites now interface over the encrypted version of the HTTP protocol (HTTPS), your traffic between you and the server is encrypted in transit.

Unlike when you’re using a VPN, your Internet Service Provider (ISP) can get a good picture of what websites you are visiting. This is because it can see your DNS lookup requests (unless you are using a third party DNS service like OpenDNS). And even though the contents of the data packets are encrypted, your ISP can still see where they’re headed (then, by running a reverse DNS lookup it can figure out which website you were trying to access; although there are some exceptions in which that information isn’t unique, such as when multiple websites share the same IP address). 

It can also see any communications you hold over unencrypted means and it can simply read the contents of unencrypted packets — allowing the ISP, in theory, to pry into what was uploaded and served when you visited a website. And if you enter passwords into an unencrypted website, serving traffic over HTTP, then it can see those too (but you should not be entering passwords into unencrypted websites in the first place.)

If you are a reasonably security-conscious internet user then none of the above should be a problem for you and — although it might be useful to have from time to time — you most certainly do not need a VPN, at least not all of the time.


2. VPN A > VPN B

Years ago, VPNs were best known as technologies which large enterprises deployed to help secure remote access to their networks.

That’s still an important use-case, although these days, with a little bit of cloud computing, you can even set up your own VPN server in the cloud — so the playing field has (substantially) leveled now that VPN technology is mainstream.

When most people talk about using a VPN subscription these days (unless they work in a particularly security-sensitive industry) they are not talking about setting up a corporate or private VPN but rather renting access to a commercial VPN that is privately managed: tools like ExpressVPN, NordVPN and a surprisingly long tail of others.

Because the market is so crowded — and they all basically do more or less the same thing — VPN providers go to great pains to distinguish themselves from their competition.

They do this by citing differences like:

  • The choice of connection protocols they offer. If, like 90% of VPN users, you are simply using a VPN for geolocation purposes, this really needn’t concern you. If you’re using really legacy hardware then you might want to find a provider using an old-school protocol such as Point-to-Point Tunneling Protocol (PPTP), bearing in mind that PPTP’s authentication has long been broken and it offers little real confidentiality. But most users will manage just fine with whatever protocol is on offer — or OpenVPN.
  • A Linux GUI: Most Linux users I know are proficient enough to follow some basic documentation and configure a few connection scripts to connect to commonly accessed servers. Sure, a Graphical User Interface (GUI) is nice — although ExpressVPN has a Command Line Interface (CLI) that is extremely easy to use — but it’s not necessary for most users.
  • Zero logs: Some VPN companies are based in obscure islands that are probably most familiar to you as places where multi-millionaires base their shell companies. The idea here is that because these islands are not party to any major signals intelligence (SIGINT) agreements, and typically have extremely lax privacy laws, the VPN companies will be able to get away with keeping absolutely no logs about you — including even your IP connection address. To which I ask: why would your average law-abiding internet user possibly need that? These companies are typically vociferous about their logging policies — but can you really put your trust in any third party? If you are really getting up to no good online — and there’s a good chance that those asking about log policies are — then you probably have the technical acumen to run your own VPN server and online infrastructure. This is just about the only way to guarantee that nobody, but you, knows who is connecting through.

Why do I say that providers do basically more or less the same thing?

Because there are some differences but for most people these are the only ones that really matter:

  • The VPN speed: How good are the servers? And just remember something: VPN servers can never give you a faster connection (whether upload or download) than the one you already have from your ISP. This is simple networking logic and the only exception is if your connection is being throttled between your local network and your ISP. This happens very, very seldom.
  • The server network: How many servers does the provider operate? Where are they?

3. “You Need a VPN Whenever You Connect to Online Banking Or Buy Something Online”

This is really a subset of point 1, but because it is repeated so often it merits its own point.

Are the cybercrooks (proprietary terminology) out to get you whenever you purchase something online?

Well, they could well be, but thankfully banks and online retailers realize this and have instituted protective mechanisms.

These include things like giving PayPal users the ability to use Two-Factor Authentication (2FA), simple anti-social-engineering measures like displaying passwords in masked form (and by social engineering I mean somebody peering over your shoulder), and making sure that all their sites run on HTTPS.

What you should not do is use these websites from any untrusted network.

Does that mean any network other than your own one? Not necessarily.

Packet sniffing on mobile networks is difficult.

What you want to be careful about is sending credit card details digitally whenever you’re using somebody else’s WiFi network who isn’t your friend (and how much do you trust your friend?)

Think public hotspots, etc.

In these scenarios things like Man-in-the-Middle (MITM) attacks and phishing scams become credible threats and using a VPN might be warranted.

Or you could just wait until you’re back home before going on that Amazon splurge.


4. VPN-Over-TOR (Or TOR over VPN) is Foolproof

If you have a predilection for getting up to mischief online then you are probably already familiar with The Onion Router — better known as TOR.

In simple terms, and unlike a VPN, Tor works by shuffling your traffic around between a bunch of different servers (intermediate relays) and then exiting it, stripped of Tor’s own encryption, to the internet (any HTTPS the destination site uses still applies, but nothing more).

The final link in the chain is called the “exit node”.

And because anybody manning the exit node can see the traffic emerging from the network, it makes sense for people like law enforcement and intelligence agencies to covertly man these. Which they do — plus a lot more (I don’t pretend to know anything but the basic details of the cat and mouse playbook here, but I trust that the people preventing cybercrime are very good at what they do!).

(This vulnerability exists for both VPN-over-TOR and TOR-over-VPN).

And here’s the problem:

You can use VPN-over-Tor to hide your TOR usage from your ISP. That might be prudent.

There are setups where VPN encryption is tacked onto the end of the TOR relay chain.

But ultimately your traffic needs to emerge unencrypted onto the internet.


5. The More Encryption The Merrier

There are some things that make sense to have in large quantities.

Right now, having a beefy supply of toilet rolls isn’t the worst idea that has ever been floated.

But if you’re intent on using a VPN, do you need to use two or three of them just to get a secure connection to the internet?

These products are commonly labelled as ‘double VPN’ etc — and the idea is simply that the traffic will be tunneled through not one but two (or more) VPN servers on its outward journey to the internet.

As I pointed out earlier, the traffic has to emerge without VPN encryption at some point.

So what’s the point of doing the dance twice?

The premise at work here is that double encryption is stronger than single encryption.

The strength of your VPN encryption is only as good as the cipher doing the encrypting. Even if somebody had an array of supercomputers at their disposal and wanted to break the cipher protecting your packets, making them do so twice might only slow them down marginally.
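Worked out as an added note (not part of the original post) to put a number on “marginally”. Assume a block cipher with a $k$-bit key, one known plaintext/ciphertext pair $(P, C)$, and two independent keys $K_1, K_2$ so that the doubled tunnel gives $C = E_{K_2}(E_{K_1}(P))$. Exhaustive search against a single layer costs

$$
T_{\text{single}} = 2^{k}
$$

trial encryptions. Naively, two layers look like $2^{2k}$, but the standard meet-in-the-middle argument shows otherwise: tabulate $X_1 = E_{K_1}(P)$ for every candidate $K_1$ ($2^{k}$ work, $2^{k}$ storage), then compute $X_2 = D_{K_2}(C)$ for each candidate $K_2$ and look for a collision $X_1 = X_2$:

$$
T_{\text{double}} \approx 2^{k} + 2^{k} = 2^{k+1}, \qquad M \approx 2^{k}
$$

So the second layer adds about one bit of work, not another $k$ bits. With a modern cipher ($k = 256$) the single-layer figure is already far beyond any feasible computation, so the extra tunnel buys nothing against the cipher itself; whatever risk remains (the VPN operator, the point where traffic leaves the last tunnel, your own endpoint) is untouched by it.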

For most users doing simple things online (like watching Netflix), using a regular VPN connection should be more than enough to obfuscate your IP and DNS requests from people that might be prying: like your ISP. And in all honesty, your ISP is probably not prying.


Yes, VPNs Have Their Place. But Do You Need One? Probably Not.

The most truthful answer to anybody that asks “do I need a VPN?” is “it depends on what you might be using it for.”

If you want to mask your geolocation for whatever reason, then a consumer VPN subscription might be a prudent investment.

If you’re worried that your ISP might be spying on you, thinking realistically about the probability of that actually being true might be a more prudent strategy.

If you’re really intent on getting up to no good, then you probably know everything above — and a hundred times more.

Both TOR-over-VPN and VPN-over-TOR have vulnerabilities.

And you almost certainly don’t need a double or triple VPN configuration.

VPNs are a useful technology that serves a variety of purposes.

But some common sense is required to distinguish baseless marketing claims from reality.


Some More Advanced VPN FAQs

If all my browsing traffic is relayed over HTTPS why do I need a VPN at all?

Reason 1: HTTPS only protects the HTTP protocol; VPN tunnels and encrypts all internet protocols which your computer is receiving and transmitting over.

Reason 2: Your ISP can simply call up a log of which IP addresses you were querying and run a reverse DNS query to determine which domain names these were relating to!

This is because while the packets are encrypted, the metadata (where they are heading to) is not. So although your ISP cannot, for instance, see what you queried on Google, it can see that you visited Google.com. The contents of the encrypted packets themselves cannot be inspected. So your ISP can see (roughly) what you visited but not what was contained in the content that you received — assuming that it was served over HTTPS.

This is not the case when you are browsing over a properly secured VPN connection — both your target IP and DNS queries are carried within the VPN tunnel so this information is not available to your ISP.
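The FAQ above, and the earlier discussion of what an ISP can see from DNS lookups and destination addresses, both come down to the same fact: the lookup and the address are plaintext metadata even when the page content is not. This added example (not code from the original post) makes that visible. It encodes a DNS query in the RFC 1035 wire format exactly as it would sit inside a UDP packet to port 53, then parses it back the way a passive observer on the ISP’s path would, without needing any key. The second half reverses a logged destination address against a constructed PTR table to show the shared-hosting ambiguity the post mentions. Function names, the sample domain names, the addresses (from the documentation range 203.0.113.0/24) and the table are all constructed for this example. Note that a plain-UDP lookup is readable this way whichever resolver it is sent to; only an encrypted transport such as DNS-over-TLS or DNS-over-HTTPS, or a VPN tunnel carrying the lookup, changes the picture.

```python
import struct
from typing import Dict, List, Tuple


def build_dns_query(name: str, txid: int = 0x1234, flags: int = 0x0100) -> bytes:
    """Encode a single-question DNS message (RFC 1035 wire format).
    flags=0x0100 is a standard query with recursion desired."""
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QD=1, AN/NS/AR=0
    qname = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("label length out of range: %r" % label)
        qname += bytes([len(raw)]) + raw          # length-prefixed label
    qname += b"\x00"                               # root label terminates the name
    return header + qname + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_qname(payload: bytes, offset: int) -> Tuple[str, int]:
    """Walk the length-prefixed labels starting at offset; return (name, next offset)."""
    labels: List[str] = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        length = payload[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:   # compression pointer; not legal in a question name
            raise ValueError("compression pointer in question name")
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def observer_view(payload: bytes) -> Dict[str, object]:
    """What a passive observer learns from one plaintext DNS message, with no key:
    the transaction id, whether it is a query or a response, and the name asked for."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    name, end = parse_qname(payload, 12)
    qtype, qclass = struct.unpack("!HH", payload[end:end + 4])
    return {"txid": txid, "is_query": not flags & 0x8000,
            "name": name, "qtype": qtype, "qclass": qclass}


# Constructed reverse-lookup table standing in for the PTR answers an ISP would get
# for destination addresses it logged. 203.0.113.10 models a shared-hosting address
# that serves two unrelated sites, so the reverse lookup alone cannot say which one
# was visited.
PTR_TABLE: Dict[str, List[str]] = {
    "203.0.113.10": ["shop.example", "blog.example"],
    "203.0.113.20": ["mail.example"],
}


def names_for_destination(ip: str) -> Dict[str, object]:
    """Reverse a logged destination IP; the result is ambiguous when sites share it."""
    candidates = PTR_TABLE.get(ip, [])
    return {"ip": ip, "candidates": candidates, "unique": len(candidates) == 1}


if __name__ == "__main__":
    query = build_dns_query("shop.example")
    print(observer_view(query))                     # the queried name is readable in the clear
    print(names_for_destination("203.0.113.10"))    # shared address: two candidate sites
```

Read against the post: the first function pair is the “DNS lookup” leak (the name is right there in the payload), and the second is the “reverse DNS on the destination IP” leak together with its exception. A VPN, used as the post describes, moves both the lookup and the destination inside the tunnel, so the observer is left with one address: the VPN server’s.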