It's Tidy Tuesday!
We're getting close to the end of Security Month here in Tidy '24, and there are just two more topics I'm going to work in. Today, it's time to explain a little about virtual private networks (VPNs), and discuss when and why you might want to use one.
Are they helpful? Necessary? Safe? The short answer is "maybe." For the longer answer, read on!
IMPORTANT: There are a few VPN misconceptions addressed towards the end. They're critical to understand if you're considering (or already using) one, so please don't skip that part!
A virtual private network, or VPN, is fundamentally a mechanism that lets your computer, phone, or tablet operate as though it were part of someone else's network. It's "virtual" because you're not physically on a different network, as if you plugged in your device somewhere else. However, through encryption and behind-the-scenes network routing, it looks to everyone else like you are physically on a different network.
Typical Home Internet Use
For example, when you're at home, your phone is set up to use your own Wi-Fi connection to access the internet. This means your phone talks to your router, which talks to your modem (maybe the same device as your router), which passes all of your network "traffic" to and from your internet provider (Cox, Comcast, AT&T, Verizon, etc.). Your internet provider is responsible for directing this traffic where it needs to go, which means they are at least generally aware of what resources you are accessing online.
Now, because of widespread modern security standards, this doesn't mean that your internet provider can see everything, like usernames and passwords, and all the content on all the sites you visit. Anytime you see "https://" in a URL, the "s" means you're using an encrypted connection to transmit the data. Many years ago, there was a widespread push to switch everything from unencrypted "http://" over to the encrypted protocol so that even general web searches and public forums would be transmitted securely. While unencrypted resources can indeed be fully snooped—undetected—by your internet provider, it's extremely rare to find yourself using such a connection these days.
Internet Habit Profiling and Geolocation
So, if providers can't snoop your data, why do VPNs matter? Why would you want to act like you're on someone else's network?
Well, remember that I said providers are at least generally aware of what you're doing. So, while they can't see all the encrypted content, they still know you're visiting some page on reddit.com or myfavoritenewsprovider.com. If they didn't know that much, they couldn't route your request to the correct web server, which is precisely what you're paying them to do!
Furthermore, the sites you're visiting can typically see the IP address your requests come from. Contrary to what many ridiculous TV shows would have you believe, an IP address can't be correlated to your home address in just a few seconds—at least not without significant additional legal and technical legwork. However, public databases allow anyone (even me!) to instantly estimate an IP address's geographic origin within about 50-100 miles. This lets websites know your country, state, and maybe even county or city.
Now, for any of a hundred privacy, security, or general paranoia-related reasons, you might not want to hand over a constant stream of your internet usage habits to the large, monolithic, personally unaccountable tech corporation that you're paying to provide internet access, and which necessarily controls whether and how quickly you can access online resources. And you might prefer if the sites you visited couldn't guess your location even within 100 miles.
At the very least, this stream of your internet access "metadata" makes it trivial for companies to build a profile that they can sell to advertisers to feed you targeted ads. Always browsing REI's website? Let's give you ads for camping gear! Are you visiting Walmart's site from a southern state in the middle of a heat wave? Let's sell you a fan!
Of course, those examples aren't particularly nefarious; in fact, you might actually appreciate targeted ads for things you planned to buy anyway. However, it only takes a little imagination to figure out how this same information could be used in very different ways.
The VPN Solution
This is where a VPN comes into play. When you establish a connection (often called a "tunnel") to a VPN provider, your device is reconfigured to send all of its traffic through this tunnel to the server on the other end. Then, that network is responsible for routing it to the resource you're actually after. The only thing your primary internet provider can see is that a lot of data flows between you and one particular server somewhere else. They might know it's a server that belongs to a VPN provider—maybe—but that's all.
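The "reconfigured" step is mostly a routing-table change, sketched here as an added example that is not from the original post. The interface names (wlan0, tun0), the addresses, and both tables are constructed assumptions modelling a typical full-tunnel setup, not any particular provider's client.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, hypothetical interface names.
VPN_SERVER = "198.51.100.20"
LAN = ipaddress.ip_network("192.168.1.0/24")
ROUTES_NO_VPN = [("0.0.0.0/0", "wlan0"), ("192.168.1.0/24", "wlan0")]
ROUTES_FULL_TUNNEL = [
    ("0.0.0.0/0", "tun0"),            # default route now points into the tunnel
    (VPN_SERVER + "/32", "wlan0"),    # the encrypted tunnel packets still leave via Wi-Fi
    ("192.168.1.0/24", "wlan0"),      # local network traffic stays local
]

def egress_interface(dest, routes):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(net), dev) for net, dev in routes
               if addr in ipaddress.ip_network(net)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def isp_visible_destinations(dests, routes):
    """Destination addresses the first-hop provider sees in packet headers."""
    seen = set()
    for d in dests:
        dev = egress_interface(d, routes)
        if dev == "tun0":
            seen.add(VPN_SERVER)      # inner packet is wrapped; only the VPN server shows
        elif dev == "wlan0" and ipaddress.ip_address(d) not in LAN:
            seen.add(d)               # sent directly, so the real destination is visible
    return seen

if __name__ == "__main__":
    browsing = ["203.0.113.7", "192.0.2.44", "192.168.1.10"]
    print("without VPN:", sorted(isp_visible_destinations(browsing, ROUTES_NO_VPN)))
    print("with VPN:   ", sorted(isp_visible_destinations(browsing, ROUTES_FULL_TUNNEL)))
```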
"NOW WAIT JUST A MINUTE, JEFF." I can already hear the objection. "DIDN'T YOU JUST ADD ONE EXTRA HOP AND TURN THE VPN PROVIDER INTO THE ONE WHO CAN SNOOP?"
Well, yes. That's precisely what happens when you use a VPN service.
But it's still worth doing, even knowing this, because VPN providers actually care about your privacy.
Do they really, though? To know meaningfully, you need to see whether any particular provider has (1) passed external audits and/or (2) come out unscathed in any legal challenges. It's easy to claim you don't keep traffic or IP address logs; providing nothing to a petulantly demanding government is the real test.
Fortunately, multiple providers fit these criteria:
- Proton VPN (also of Proton Mail fame) gets consistently stellar reviews and has passed external audits for multiple years.
- NordVPN is another service that consistently passes audits.
- Private Internet Access has a similar no-logs policy and came out clean after being challenged in an FBI-involved case.
I've found that it's nearly impossible to find consensus in the tech/security world about which VPN providers are trustworthy (or "the best"), and at some level, you simply have to pick who you're willing to trust. PCMag has a list of 10 of the best providers by their standards if you'd like a few more suggestions.
Addressing Misconceptions
Before you rush out and sign up for a VPN service, you should understand what a VPN doesn't do:
- A VPN does not make you anonymous
- A VPN does not make you untraceable
- A VPN does not encrypt other services that wouldn't otherwise be encrypted
- A VPN does not prevent your own browser from tracking/saving your browsing history
In contrast, VPNs do two main things:
- A VPN prevents your "first hop" internet provider from snooping your traffic
- A VPN masks your IP address from the sites you visit
The first point may not be compelling if you browse from home most of the time. However, it's more important if you're at a coffee shop, airport, or similar public location with free guest Wi-Fi. Those networks are notoriously risky.
The second point (IP masking) means that you can often bypass IP-based geographical filters, which is more often an issue outside of the US, though sometimes it affects us here as well. Many VPN providers offer "exit nodes"—the servers that pass your tunneled traffic out to the regular internet—in many different countries. You have only to choose which country you want to come out of, and that's what the websites you visit will assume based on your IP address.
Typical VPN Use Cases
To summarize, here are a few of the situations where a VPN provides value:
- You want to minimize your ISP's ability to build an internet usage profile. In this case, use a VPN everywhere, even at home.
- You use public Wi-Fi and want to protect yourself from bad actors sniffing for easy targets. In this case, use a VPN whenever you aren't on your home network.
- You want to access resources that are geographically restricted in your area. In this case, use a VPN with a properly chosen exit node that puts your traffic on the internet where it needs to be whenever you want to access those resources.
Remember, using a VPN does not mean you're anonymous, invisible, and free to do crazy and illegal things without repercussions. Virtual private networks are simply one of many tools you can use to help protect yourself from certain risks or overbearing restrictions.
One other thing I'll mention briefly: VPNs generally cannot increase your internet access speed, but for a few reasons, they can (and often do) decrease it. This is due to additional encryption overhead and sending data on otherwise unnecessary hops all over the planet before setting it free on the "open" internet. High-quality, non-free VPN providers are usually fast, but they're not magic. This reduction in speed, whether slight or significant, is to be expected.
For what it's worth, I subscribe to a VPN service and use it on public networks. I don't currently use it at home all the time, but this is more from habit than a conscious choice.
Whether you choose to do the same or not, at least now you might be better equipped to make an informed choice!
Have a good week, and happy data-taming!