Why you (probably) don’t need a VPN
As we all begin working from home, a friend shares a typical “Why you need a VPN” piece to their Facebook page.
This piece, like many others, is full of typical scary arguments for a VPN: without one, people can snoop what you’re doing, you’d be mad to do online banking without a VPN, you owe it to your clients to keep your communication safe, etc. This is bullshit.
Not least, this article ends with an admission that the author gets a kick-back from the VPN company he's recommending (or scaring you into), for every new subscriber. The author has spent time and energy scaring you into buying something, then stands to benefit when you do. That alone should lead you to question their claims.
Snooping
“The fact is that most of those shared networks (co-working sites and coffee shops) are quite open to snooping”
It's not just co-working sites and coffee shops: any network you share with strangers lets them see your traffic, and wifi especially so, because radio is a shared medium. An open hotspot, or one whose password is written on the wall for everyone, gives a snooper everything they need to capture what goes past.
Back in 2010, a Firefox extension called Firesheep let anyone watch what other users were doing on the network they were connected to. Worse than that: if you were using Facebook or Twitter, I could copy your session cookie and pretend to be you. All I needed was for you to visit that website once and log in.
But things have changed. Most websites at that time weren't secure: they started http:// rather than https://, which means the traffic wasn't encrypted and anyone on the network could see everything people were doing on them. (Facebook and Twitter encrypted the login page itself, but then sent the session cookie over plain http:// with every later request, which is exactly what Firesheep picked up.) Now every decent website uses https:// and things are quite different.
Visit Facebook (or any other https:// website) now, and the only thing anyone else on the network can learn is that someone is visiting Facebook. They can see the name "facebook.com" in your traffic, in the DNS lookup and in the first message of the TLS handshake, and they can see how much data goes back and forth and when; everything else is encrypted. They don't know what page you're visiting, what you're typing, or anything else.
Visit your bank (or use their app on your mobile), and the only thing that anyone else on the network knows is that someone is visiting a bank’s website.
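To make concrete what "they can see facebook.com but nothing else" means, here is an added example of my own (not code from the original piece): a small Python script that plays the snooper on the wifi. It builds a constructed TLS ClientHello, the first message of an https:// connection, and pulls the hostname out of its Server Name Indication (SNI) extension; it also shows the two other kinds of message a snooper sees, a plain http:// request (with its cookie readable, Firesheep-style) and an encrypted TLS record that is nothing but opaque bytes. All inputs are constructed in the script, not captured from a real network; the hostnames and cookie value are placeholders.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Minimal TLS 1.2 ClientHello record with an SNI extension (constructed test input, not a capture)."""
    name = hostname.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_data = struct.pack("!H", len(server_name_list)) + server_name_list
    sni_ext = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data
    alpn_ext = struct.pack("!HH", 0x0010, 5) + b"\x00\x03\x02h2"      # unrelated ALPN extension first,
    extensions = alpn_ext + sni_ext                                    # so the parser has to walk the list
    body = (b"\x03\x03"                                 # client_version
            + bytes(32)                                 # random (all zero: constructed input)
            + b"\x00"                                   # empty session_id
            + b"\x00\x02\x13\x01"                       # one cipher suite
            + b"\x01\x00"                               # one compression method: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # handshake type 1 = client_hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake   # record type 0x16 = handshake

def _parse_server_name(ext: bytes):
    """Walk the server_name_list of an SNI extension and return its host_name entry."""
    if len(ext) < 2:
        return None
    pos, list_end = 2, min(2 + struct.unpack("!H", ext[:2])[0], len(ext))
    while pos + 3 <= list_end:
        name_type, name_len = ext[pos], struct.unpack("!H", ext[pos + 1:pos + 3])[0]
        name = ext[pos + 3:pos + 3 + name_len]
        pos += 3 + name_len
        if name_type == 0 and len(name) == name_len:
            return name.decode("ascii", "replace")
    return None

def extract_sni(record: bytes):
    """Hostname from a TLS ClientHello record, or None. Every length is bounds-checked:
    a sniffer's parser is reading bytes that anyone on the network controls."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    handshake = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(handshake) < 4 or handshake[0] != 0x01:
        return None
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                                                   # client_version + random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                           # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]           # cipher_suites
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                                           # compression_methods
    if pos + 2 > len(body):
        return None                                                # no extensions at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(body)):
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        ext_data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if len(ext_data) != ext_len:
            return None
        if ext_type == 0x0000:                                     # server_name
            return _parse_server_name(ext_data)
    return None

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ")

def what_an_observer_sees(packet: bytes) -> str:
    """Summarise one captured message the way a passive snooper on the wifi would."""
    if packet.startswith(HTTP_METHODS):                            # plain http://: everything is readable
        lines = packet.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace").split("\r\n")
        summary = "plaintext HTTP: " + lines[0]
        for line in lines[1:]:
            if line.lower().startswith("cookie:"):                 # this is what Firesheep stole
                summary += " (cookie visible: " + line[7:].strip() + ")"
        return summary
    if packet[:1] == b"\x16":                                      # TLS handshake: only the name leaks
        sni = extract_sni(packet)
        return f"TLS handshake to {sni}" if sni else "TLS handshake (no SNI)"
    if packet[:1] == b"\x17":                                      # TLS application data: opaque
        return f"TLS application data, {len(packet) - 5} encrypted bytes"
    return "unrecognised"

# Constructed sample traffic, not captured from a real network.
PLAINTEXT_REQUEST = b"GET /messages HTTP/1.1\r\nHost: example.com\r\nCookie: session=abc123\r\n\r\n"
ENCRYPTED_RECORD = b"\x17\x03\x03" + struct.pack("!H", 40) + bytes(40)

if __name__ == "__main__":
    for packet in (PLAINTEXT_REQUEST, build_client_hello("www.facebook.com"), ENCRYPTED_RECORD):
        print(what_an_observer_sees(packet))
```

The hostname is in the clear because the server needs it to pick the right certificate before any encryption key exists; that is why a coffee shop or hotel can log "facebook.com" but not the page. A newer extension, Encrypted Client Hello, hides the name as well, but it is not yet in universal use, and the DNS lookup leaks the same name anyway unless that is encrypted too.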
In short, as long as you visit secure websites, nobody on a shared network can read your traffic, VPN or no VPN.
(You can't fool this, by the way. Any decent web browser, as long as you've kept it up to date, checks the site's certificate and will spot when someone on the network is pretending to be your bank, and kick up a bunch of big red warning errors. Don't click through them.)
The other side of snooping
If you work from home, the airport, a hotel room and a coffee shop in one day, then these various computer networks know relatively little about you. But if you connect to a VPN, then the VPN company knows everything that you’ve done on the internet that day. Everything.
The article my friend shared promotes ExpressVPN. I’ve no idea who they are, and more concerningly, nor do many people. They’re based in the British Virgin Islands. Turkish police took one of their servers once to peer into it. They’ve released testing tools for VPN services, but only after making sure that their own services passed the tests. They were publicly shamed into making their encryption stronger. But I’m sure they’re fine, and they’re no different to most other VPNs.
But they'd better be fine, right? When you log into any VPN you use a username and password, so they know who you are; they know your originating IP address and therefore roughly where you are; and they can see exactly which websites you're visiting. If you always use them, you're handing an awful lot of information, and trust, to the VPN company. Whoever they are.
Here’s how to properly ensure your security online
Your responsibility, to clients and others, is to keep your system secure. A VPN, by itself, doesn’t do that: but here are four things that are rather more important than a VPN.
- Always check you're visiting a secure website, one whose address starts https://. If it doesn't, your traffic is visible to other people on the shared network, to the network's operator and ISP, and to everyone else in between. The EFF makes a browser extension called HTTPS Everywhere which rewrites http:// addresses to https:// wherever the site supports it, and newer browsers have a built-in HTTPS-only setting that does the same job. Never type a password into a non-secure website, and check every time for the padlock icon (or whatever your browser uses to show the connection is secure).
- Always use two-factor authentication when logging in, ideally with a physical security key (a FIDO/U2F key). You have to plug the key into your computer (and usually tap it) before a website lets you in, so even if someone has your username and password they still can't get access; and because the key signs the real site's address, a phishing page can't borrow its answer either. Physical keys are really cheap ($29 or less) and are the easiest and best way to ensure your security online. Most decent big websites, like Google, Amazon AWS, Xero and others, let you use one. (If a website only offers SMS or Google Authenticator codes, use that: it's not quite as secure, but it's miles better than no two-factor authentication at all.)
- Never use a shared computer. That sad-looking thing in the corner of the hotel lobby? That blinking terminal in the airport lounge? Don’t go anywhere near it. You’ve no idea whether they’re using a keylogger to steal your passwords (though if you follow #2, that won’t matter as much); and you’ve no idea what kind of malware they’re running either. And the keyboard: look how filthy it is. Ew.
- Always keep your device updated. Run updates. Let Chrome update itself as soon as it needs to. Make sure you're running the latest version of the operating system, and when your version is no longer supported, buy a new computer or phone. Buy Apple or Google branded phones to get timely updates, and replace them when you have to.
Here’s why you might want to use a VPN
So we've established that, for security on a shared network, there's no reason to use a VPN, and no reason to be scared of coffee-shop wifi. But there are some reasons why you might still want one.
- Some hotels make you log in to the wifi with your name and room number, and some free wifi makes you register first. That means they can tie the websites you visit to you, and may well add that to your visitor profile. (Remember, they can only see the domain name and how much you send, nothing else.) Of course, the only websites you visit are NPR and the Financial Times, so you might not mind: otherwise, a VPN means the hotel won't know what you're visiting. Your VPN company will instead.
- You might want to bypass censorship. I once worked for Virgin Radio, but couldn’t access anything from the company when working in Dubai, since it felt that the word “Virgin” might be something more naughty. Some websites block visits from different countries, or redirect you. Some wifi networks don’t want you streaming. A typical VPN will let you ‘pretend’ you’re in a different country, and bypass all this nonsense.
- Some horrid places rewrite non-secure websites to inject advertising, or worse, into them. I used to work at a coffee shop which, for a time, replaced all the advertising in websites with its own ads. This is only possible for non-secure websites, by the way: an https:// page can't be altered in transit without triggering the browser's warnings. A VPN gets past that, and past traffic shaping that deliberately breaks Skype calls or stops you from SSHing into your server.
- Your office may have a VPN to let you connect to shared drives and other things. That’s cool. Use that. (Be aware that your office might push all your internet traffic through their own systems, though).
And go on then, here’s a VPN recommendation
If you must get a VPN, I'd recommend ProtonVPN. It's run from Switzerland, which has super-strong privacy laws, and has two things that many other VPN providers don't: first, a double-VPN setup that avoids "fourteen-eyes" countries, if you're super-suspicious; and second, built-in access to Tor, the anonymity network that bounces your traffic through several volunteer-run relays (it's not a VPN, and it's slower, but no single relay sees both who you are and where you're going). All their apps are open-source. They have a free service, though I pay for the premium service. They're honest about what VPNs will not secure you against, too.
Most importantly for this article, they don’t have an affiliate plan, so I’ll earn nothing from ProtonVPN even if you buy their service. Which, for any security advice, is really all that matters.