Security — VPNs: An honest review

Nicola Moro
12 min readJul 8, 2022

--

Disclaimer: I do not mean to start any discussion with VPNs users. I also used VPNs sometimes and I’m not saying these are useless services, by any mean. I would only like to share my point of view about these services: I am completely open to any comment or different idea about them.

A managed switch with multiple ports and cables connected
Photo by Jordan Harrison on Unsplash

If you don’t live on Mars and you like watching YouTube videos, then it is almost guaranteed that you have seen one of those VPNs ads or some sponsored messages from your favorite you-tuber praising the most recent VPN service. Thanks to their massive marketing campaigns they are reaching millions of people every day, generating a market worth $ 33.42 billion in 2021 with a compound growth annual rate of 14.7%. A huge market, which to me is absolutely worth to explore.

If you actually do live on Mars, instead: gosh, please invite me over…

Since I guess I’m not getting many invites, today I’d like to share my point of view about these services and try to explain how they work, when they are actually useful and when they are not. Networking is harsh stuff so I will try to explain concepts in the easiest way possible, sometimes glossing over some precision.

We will start to see briefly how connecting to a website works first, and then we will see some statements from VPNs providers to understand what is totally and what is only partially true.

Let’s start!

When you connect to a website

When you look for some website on Google, you simply type its name in the search bar and click on the link that the search engine provides to you. You only see the top of the iceberg, because there is a lot going on under the hood there. What really happens could be summarized as this:

  1. Your browser sends a request over the net to your ISP (Internet Service Provider), starting from your router to the ISP servers, to resolve the name of the website you chose (say www.Facebook.com).
  2. Your ISP redirect the request to its default DNS (Domain Name Server): you can think of DNS like a huge table of records, tracking all the websites and pairing them with their respective IP address. This one actually resolve the name of the website into a usable IP address (www.Facebook.com becomes 89.125.36.145) and sends back this new address to the browser again.
  3. Your browser now sends this new request to connect to 89.125.36.145 to the ISP, which will contacts the server listening on that address.
  4. The server will respond giving back the page requested, usually index.html holding the main page of the website, and gives back the html code to the browser.
  5. Finally, the browser renders the content of the html page.

It is a lot of stuff.

What a VPN adds

Using a VPN basically means adding one more step to the connection to the website.

We first connect to the VPN, and then it will handle the requests towards the other website we are looking for. Step by step, this type of connection should be something like this:

  1. We first connect to the VPN server: we request to our ISP to resolve the request towards the VPN service, not directly to the website like before. This passes thru a DNS request, as always, after which the ISP gives back a server connection to us.
  2. We are now connected to the VPN server, which will handle every request to the other websites we are looking for. From now on, the ISP will only see requests to the VPN server, which will forward the requests, modified, to the requested websites.
  3. The website server will see a request coming, but from the VPN server’s IP address, not from ours. So the website will respond to the VPN server.
  4. The VPN server then forwards to us the answer from the website, in the classic html page format.
  5. Finally, our browser renders the page.

There is much more other than this under the hood, but for the joy of simplicity we will keep it abstract as this. When needed, we will go deeper in the next session.

What is really important to get from this is that when we use a VPN service, we could almost say that we are substituting our ISP with another one, that is the VPN server. This will be really important in the next section.

What most VPNs claim

Now that we have some simple bases about how a standard connection to and from a web server works, I’d like to discuss about what are the classic claims from a VPN service to attract their public, giving you my point of view about them.

Navigate privately

It is true that a VPN adds a layer of privacy, as we saw before. But this does not mean that using a VPN means to navigate in absolute privacy. Let’s suppose I want to connect to a particular website without my ISP knowing it. Yes, the VPN actually hides the website I’m connecting to, but on the other hand my ISP can still see many other information: date and time of the connection, band width taken by my request, my user agent and so on. Plus, the most important thing: my ISP can actually see I’m connecting to a VPN server! There are many countries out there that do not allow the users to connect to a VPN and, even if we are allowed, the ISP could infer that we are connecting to something unusual, potentially dangerous and potentially bad or not permitted by the ISP or the law.

Additionally, regarding of the content of the connection, the VPN is basically useless: every connection which uses the HTTPS protocol is encrypted, so even if the ISP can see where I am going, it cannot see what I am doing on that website. For example, if I connect to Facebook, the ISP cannot see if I am posting a new photo to my feed or posting a help request to the assistants of the website. It can’t see the difference.

You can easily distinguish HTTP from HTTPS from the little gray lock symbol before the website name on the top search bar: if the lock is present, then your connection to that website is encrypted and your data are safe, even if you don’t use a VPN.

Nowadays, it is basically considered a crime to still use HTTP over HTTPS, so luckily HTTP websites are disappearing faster and faster from the scene. If you happen to use a website using the old HTTP protocol, do not insert any personal information on that website and, if possible, leave immediately.

The last consideration about navigating privately we should cover is: privately from who? It is true that we are hiding our activity to our real ISP, but as I sad before we are basically switching the role of our ISP with the VPN server. This means that, even if most of VPN services promises a no-log policy and no collection of data of any sort we are simply trusting them: we have no way to verify that they really are not holding records of our activity. But what if they actually do collect our data? Maybe to sell them, as many free VPNs have been caught doing, or to grant an access to the government in case of any suspect of violation. The VPN becomes the new ISP, basically, and if you don’t want to trust your real ISP, you should not trust the VPN service too.

Hide your position to see streaming content from other countries and get the best prices for you purchases

This is true: a VPN can hide your position to the end service you are connecting to. This is because, as we explained before, the final website will see a connection coming from the IP of the VPN server: it won’t see your home router IP. This means that the website you are requesting will not know who you are or where you, it will only receive the request from the VPN server, knowing its position and IP address. If you don’t log in to the website, of course…

At this point, though, the important question should be another one: are we really permitted to access websites and services this way?

Truth is: oftentimes, yes. But there are important exceptions. One of the most claimed statements from VPN companies is that you can access services like Netflix or Amazon Prime Video from another location to see the content available in other Countries. The problem with this practice is that most of the time this is actually prohibited by the service rules. Netflix itself has often clearly stated that this practice is prohibited and that this behavior could lead to a permanent ban of the account.

More resources:

Il punto informatico, HT Tech and The Sun.

Military grade cryptography

VPN services often state that they use military grade encryption to secure the connection and the data moving between clients and servers. And it is totally true: most of the time AES encryption is used to cipher the data, and AES is a cipher algorithm used by many governments and military around the world. Since it’s way faster and less resource hungry to compute the result than RSA: AES has quite become the standard in cryptography, when you can use it.

But to be completely honest then, they should say that this is nothing special: even the standard HTTPS uses AES and RSA encryption to cipher the data in a standard everyday connection. So it’s basically a tie here, it’s nothing special.

Blocks advertisement and malware

I won’t even elaborate on this one. There are so many ways to block ads that a payed VPN service won’t even mean a thing here. Plus: blocking malware? How should a VPN block you from downloading malicious code or software? I think it’s better to rely on the good old antivirus for now.

Navigate securely on public WiFi networks

Middleman attacks on public WiFi networks are not so common as you might think nowadays, but yes, sure: they could still be a problem. With the growth of free public wi-fi networks around the world, the probability of attacks just raises up. Basically what happens here is that the person managing the network (or a hacker who breached in) starts to sniff packets sent from the hosts connected to the network, trying to steal credential and gain information about what, when and who is connected to the local network and where is he going. It’s actually really simple to do this, with software like WireShark for example.

The thing here is the same as before: you don’t really need a VPN to hide your data if you are browsing towards an HTTPS website, since the data you are sending are encrypted and sent over a secure socket (SSL). This means that the bad guy behind the network can only see where you are going, let’s say, on Facebook, but he can’t see your typed account name or password, the content you are looking for an the one you are sharing.

It is a completely different story for HTTP websites, instead: old HTTP protocol is not encrypted, and in this case the bad guy can see the data you send to the website passing in clear text on the network.

What keeps you the most safe is avoid browsing on websites that still use the HTTP protocol (you can clearly see it on the search bar at the top), do not navigate to sensible services like bank, health care websites and similar while connected to a public network, especially if it doesn’t use HTTPS and, finally, when not at home always prefer the mobile network when you can (4G, 5G).

Keep searches safe and private

Again, you don’t really need a VPN to keep your searched safe and private, unless you are browsing to unprotected or poorly coded websites. And, besides this, there a lot of ways to keep your searches safe and private. Some examples may be using Mozilla Firefox instead of Chrome, using DuckDuckGo instead of Google search web engine, using Tor to navigate to .onion domains and much much more. I won’t repeat myself again here, but basically a VPN is a bit an overshoot for the everyday activity of the common user. Not a bad service! Just a bit an overshoot…

Protect your identity online

This claim is really interesting, because so called phishing attacks are growing more and more nowadays. A phishing attack is an exploit in which someone tries to steal, extort or deceive you to obtain your credentials to one or more services online. This type of attack has become more and more popular during the years, since it is relatively simple to set up and, unfortunately, much more effective than it should be. To be clear, every time you receive an email asking you to log-in to receive a prize or renew some service, usually written in a strange or incorrect English, or a message from Amazon telling you you spent a ton of money you don’t even have on a purchase: that’s a phishing attack.

Now, unless you activate some particular services sometimes provided by the company, a VPN won’t do much here. Most phishing attempts start from mails, which then redirect the user to a fake website used to collect their login credentials. It literally takes half an hour to recreate a fake login page for the most common social networks, mail providers or bank accounts, and another half to set up the system that hijacks the inserted credential inside a hidden database of stolen usernames and passwords.

Unfortunately, the best protection from this type of attacks is to stay alert and keep smart, which is the reason why the most hit by these attacks are elderly or uninformed people.

The golden rule to follow here is this: “If it is too good to be true, then it’s not”. If you never subscribed to win a prize, you won’t win it. If you never purchased something from Amazon or Whish, you didn’t. Never share your passwords with anyone, especially if is someone who should be from technical assistance who is asking you your credential. If they are from the IT tech support, they won’t need your password to solve your problem, and if they need them they are fraudulent.

Last but not least, I’d like to stress the importance of checking the URLs you are connecting to! If, while connecting to Facebook, you are browsing something like “www.praisebook.com” or “www.frostbook.com”, there is no chance that is the real Facebook. There is no way big companies change their domains overnight and even if they do so, when you look for their names on Google, it will drive you to the correct domain and you won’t see any difference.

Just be careful and stay alert!

Let’s sum up!

So, now that we know a bit more about how a VPN work and what it really does, should we pay for a service like this? It depends, of course.

In most cases, you won’t need a VPN. Browsing the web is safe enough with the right setups and tricks and paying for one more layer of security isn’t that much worth. Plus, this could also be a double edged weapon: the lack of experience and knowledge about how to properly use an instrument, can lead to more damage than not using it at all.

There surely are cases in which a VPN is not only suggested, but necessary to connect to the internet remaining free. I’m talking about countries with censorship of the content online, where human rights are not taken too much into consideration or where sexual freedom is not accepted and your personal freedom is in danger. And even so, like we said before, your ISP can actually see you are connecting to a VPN and infer you are doing something prohibited online, so the government could block you or, even worse, force the VPN provider to give them your real IP address and location.

Of course, another scenario in which a VPN is a good tool to use is when you are actually planning to do something illegal or prohibited online. Most of the VPNs are actually used only by hackers and cyber-criminals, to lead their attacks in full anonymity and hiding their real position. But I guess it’ not really likely that they pay for advertised VPNs: it’s more plausible that most of the times they put together one by themselves. If you are a criminal reading this and planning to use a VPN, at least build one by yourself…please…

We did it to the end! Much longer than I expected, and still so much to say, to be honest… I hope you enjoyed reading the article and I hope you find it useful!

If you did, please consider following the blog: I will post IT related stuff, about security, algorithms and programming. And even if you won’t, I want to thank you anyway for reaching the end of this article!

Thank you so much for reading, as always.

Nicola

--

--

Nicola Moro

Interested in programming, algorithms, math and having a good laugh! If you want to contribute, share a ko-fi with me! https://ko-fi.com/nicolamoro20269