Toxicantidote The great VPN fallacy

The great VPN fallacy

May 2021


Over the last few years, I have seen a massive rise in adoption of, and advertisements for, virtual private networks (VPNs). The ads are all fairly similar, and suggest that with their VPN, you will be safe from third parties with nefarious intent. Unfortunately, the reality isn't that simple, and the abilities of these systems seem to be grossly overestimated. That's not to say that they serve no purpose, though. Let's explore what a VPN is and isn't.

What is a VPN?

At a high level, a VPN allows two geographically separate networks to behave as if they were in the same location. In a practical sense, this means that you could set one up between your home and the home of one of your friends, and the two networks can behave as if they are one big network.

Now why might you want to do this? Traditionally it will be because one party wants to share something from their network without exposing it to the wider internet. As an example, let's look at a network-connected security camera system for a chain of retail stores. For this, we assume that all the cameras across all the stores are monitored from a central office, which might also record the footage. This chain could set up a VPN between the head office and each of the retail stores, so that the head office can access the cameras as if they were on its local network. It will greatly simplify their administration of the system, and reduce the number of staff needed to watch cameras.

Throughout this article, I will be referring to VPN services. This refers to companies that offer a VPN for internet access, rather than the traditional point-to-point links described above. The former is the focus of this article.

How does it work?

Your internet service provider doesn't have a direct link to every location on the internet. It will collaborate with other providers locally (and globally) to route data to its destination. Essentially, data you send through the internet will:

  1. Go through your service provider
  2. Be sent to another provider who is closer to the destination
  3. Repeat the previous step several times until reaching the destination's provider
  4. Arrive at the destination

A diagram of this is shown below:

[Diagram: Normal network route]

A VPN doesn't change this fundamental operating principle of the internet. Data still has to go through multiple steps to get to the destination. A VPN will simply wrap this data up, encrypt it (usually) and send it to another location. The other end of the VPN will then decrypt this data and send it out to its destination. Data sent with a VPN involves a couple of extra steps:

  1. Wrap/encrypt data
  2. Go through your service provider
  3. Be sent to another provider who is closer to the destination
  4. Repeat the previous step several times until reaching the VPN service's provider
  5. Arrive at the VPN provider
  6. Unwrap/decrypt data
  7. Forward to the destination. For a VPN service, there are extra steps after this:
    1. Be sent to another provider who is closer to the destination
    2. Repeat the previous step several times until reaching the destination's provider
    3. Arrive at the destination

A diagram of this is shown below:

[Diagram: Network route with a VPN]

Additionally, because data going over a VPN has to take a longer route to get to its destination, it increases the time the data takes to arrive (latency). For most applications, this won't matter, but it could degrade the experience in online games and other time-sensitive applications.
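The route described above, as an added example that is not part of the original article: a small Python model of the hops a packet passes through with and without a VPN service, recording which addresses and data each party on the path can read. The "cipher" is a stand-in keyed XOR stream, not a real VPN cipher, and all IP addresses and hop names are constructed sample values.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str        # source address as seen on the wire
    dst: str        # destination address as seen on the wire
    payload: bytes  # application data (or ciphertext, inside the tunnel)

def _keystream(key: bytes, n: int) -> bytes:
    # Stand-in stream generator: SHA-256 in counter mode. NOT a real VPN cipher.
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor_crypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def vpn_wrap(inner: Packet, key: bytes, client_ip: str, vpn_ip: str) -> Packet:
    """Step 1: the client wraps the real destination and data, addressed to the VPN server."""
    dst = inner.dst.encode()
    blob = bytes([len(dst)]) + dst + inner.payload   # length-prefixed destination, then data
    return Packet(client_ip, vpn_ip, xor_crypt(key, blob))

def vpn_unwrap(outer: Packet, key: bytes, vpn_ip: str) -> Packet:
    """Steps 6 and 7: the VPN server unwraps and forwards from its own address."""
    blob = xor_crypt(key, outer.payload)
    n = blob[0]
    return Packet(vpn_ip, blob[1:1 + n].decode(), blob[1 + n:])

def route_without_vpn(pkt: Packet) -> list:
    """(observer, destination it can read, data it can read) at each hop."""
    hops = ["your ISP", "transit provider", "destination's provider"]
    return [(h, pkt.dst, pkt.payload) for h in hops]

def route_with_vpn(pkt: Packet, key: bytes, client_ip: str, vpn_ip: str) -> list:
    outer = vpn_wrap(pkt, key, client_ip, vpn_ip)
    # Hops before the VPN server see only the outer header (dst = VPN server) and ciphertext.
    seen = [(h, outer.dst, outer.payload) for h in ["your ISP", "transit provider", "VPN's provider"]]
    inner = vpn_unwrap(outer, key, vpn_ip)
    # The VPN operator, and every hop after it, see exactly what your ISP used to see.
    seen += [(h, inner.dst, inner.payload) for h in ["VPN operator", "transit provider", "destination's provider"]]
    return seen

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key").digest()
    pkt = Packet("203.0.113.10", "198.51.100.7", b"GET /account HTTP/1.1")  # constructed (TEST-NET ranges)
    for observer, dst, data in route_with_vpn(pkt, key, pkt.src, "192.0.2.1"):
        print(f"{observer:24} dst={dst:14} data={data[:12]!r}")
```

The extra entries in the VPN route are the added hops (and latency) the article describes; the "VPN operator" entry shows where the trust you used to place in your ISP now sits.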

What a VPN doesn't do

As stated previously, many VPNs are marketed as an all-in-one solution to maintain your privacy online, but they are not a silver bullet. Essentially a VPN is just masking data and making it take a detour. There are many things it won't protect you from. For this article, we're looking at VPNs that are not part of, or sold by, an anti-virus vendor, as those usually have extra protections.

Dangerous websites and viruses

Most dangerous websites exploit weaknesses in your computer's software to steal information or otherwise exploit you. A VPN doesn't inspect or modify the data coming back to you, so it is oblivious to this kind of attack.

Prevent tracking by websites

While a VPN will make the data from your computer appear to come from somewhere else, it won't change the data. Many tracking/analytics services have complex trackers that generate a 'fingerprint' of your computer, to uniquely identify you across any website which uses that service. The most obvious example of this is targeted advertising, such as Google or Facebook ads. Using a VPN won't stop you from being tracked; it will simply make you appear to be from somewhere else. The tracking/analytics services developed this functionality before the explosion in VPN services so that they could effectively track users browsing from multiple locations. For example, the same laptop could be used at home, at a coffee shop or maybe even at school, and the tracking code would still be able to identify that user at each location.
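The tracking behaviour described above, as an added example that is not part of the original article: a tracker-side fingerprint built only from attributes the browser reports about itself, run over constructed visits from a home connection, a coffee shop and a VPN exit. The attribute names, sample values and IP addresses are constructed for the example.

```python
import hashlib
from collections import defaultdict

# Attributes a fingerprinting script reads from the browser itself. None of them
# depend on the network path the request took, so a VPN leaves them unchanged.
FINGERPRINT_FIELDS = ("user_agent", "screen", "timezone", "languages", "fonts")

def fingerprint(request: dict) -> str:
    """Tracker-side identifier: hash of client-reported attributes, source IP excluded."""
    material = "|".join(str(request[f]) for f in FINGERPRINT_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]

def link_visits(requests: list) -> dict:
    """Group visits by fingerprint. The VPN only changes 'source_ip', which is not used."""
    seen = defaultdict(list)
    for r in requests:
        seen[fingerprint(r)].append((r["source_ip"], r["site"]))
    return dict(seen)

# Constructed sample: one laptop, reported identically wherever it connects from.
LAPTOP = dict(user_agent="Mozilla/5.0 (X11; Linux x86_64) Firefox/88.0",
              screen="1920x1080x24", timezone="Australia/Sydney",
              languages="en-AU,en", fonts="Arial,DejaVu Sans,Noto Sans")

VISITS = [
    {**LAPTOP, "source_ip": "203.0.113.10", "site": "news.example"},   # home connection
    {**LAPTOP, "source_ip": "198.51.100.44", "site": "shop.example"},  # coffee shop wifi
    {**LAPTOP, "source_ip": "192.0.2.77", "site": "forum.example"},    # same laptop via a VPN exit
    # A different device behind the same VPN exit: same IP, different fingerprint.
    {**LAPTOP, "screen": "1366x768x24", "source_ip": "192.0.2.77", "site": "news.example"},
]

if __name__ == "__main__":
    for fp, visits in link_visits(VISITS).items():
        print(fp, "->", visits)
```

The laptop's three visits collapse into one identifier despite three different source addresses, while the other device behind the same VPN exit stays separate: the tracker never needed the IP in the first place.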

Protect you from the VPN operator

This issue is often overlooked. By using a VPN service, you are implicitly trusting the VPN operator to:

  1. Act in good faith with the access you have given them
  2. Keep their own systems secure from attackers
  3. Not track your online activity or sell it on

For the first point - it would be nice to trust that all VPN operators will do the right thing, but there are surely many shady operators out there. Their software could give them a direct line into your PC, bypassing the protection offered by your internet service provider's security systems. When you are using a VPN service, you are essentially saying "I trust this VPN service more than I trust my internet service provider". You are placing your trust in an operator who might not even be in your country, rather than a service provider (who usually is). For countries with oppressive regimes, this may be trust well placed. For countries where this isn't an issue, it's a gamble that isn't really worth taking.

Next up - the operator getting hacked. The VPN operator may genuinely be making their best effort to keep their systems secure, but even the most experienced operators can make mistakes. VPN operators are also attractive targets for hackers, as compromising one could allow them to intercept data to and from many users simultaneously.

Last is tracking. Information about what someone does online can be valuable, both for marketing and for ill intent. Your operator could track your online habits and sell this on to a third party. These operators are not held to the same standards as service providers, including privacy laws.

What it does do

At this point it may seem like a VPN is completely useless, but that is not true. Possible uses for a VPN service include:

What can I do instead of a VPN?

The easiest first step is to install reputable internet security software. At a bare minimum, look for software that includes virus protection and a firewall. These two features should allow you to detect dangerous applications on your computer before they do any harm, and stop hackers from connecting to your PC. Modern security software will often include a raft of other protections, such as a secure web browser mode for online banking, and scanning of websites before you access them.

Beyond this, you should also be security conscious. If something sounds too good to be true, it probably is - especially on the internet. If you want to buy things online, avoid entering your credit card details directly into websites. Instead, consider using PayPal to mask your payment details from the vendor. Never enter your personal details (credit cards, name, address, etc.) into a website that doesn't use an encrypted (HTTPS) connection.

Some of the activities criminals currently perform include (but are not limited to):

As time progresses, online fraud is becoming more and more sophisticated. Be aware, be suspicious. Even the most savvy users can (and do) fall victim.