We might be closer than you think to making VPNs useless for the average user.
What People Use VPNs For
What people use a VPN for today differs from what they were designed for.
VPNs were intended to be used to securely extend local networks across the public and insecure internet. They accomplish this by creating an encrypted tunnel to a VPN server, to which both parties connect. Then, each connected device will be able to access all other connected devices regardless of whether they’re on the same local network. All of that works without requiring any devices, except for the VPN server, to be publicly accessible on the internet.
As an example, imagine a business with two offices on opposite sides of the United States. One office has a server which contains sensitive information, which the other needs to access. The easy way out is to just make that server publicly accessible, and hope that a username and password are strong enough to prevent hackers from accessing the information. But, if an exploit is found in the server software, it’s game over. Additionally, anyone can attempt to brute force the username/password combination to gain access. Instead, a business can create a VPN server which both offices connect to. Now, the other office can access the server over a securely encrypted connection without the server being publicly accessible. Even if an exploit is found on the VPN server, the hacker would first need to hack into that, and then into the server with sensitive information instead of just the latter.
Today, VPNs are no longer only used by businesses, and a large market exists for the average internet user. VPNs are often advertised as a must-have security feature, allowing you to browse the internet without fear of having your passwords leaked. While there is some truth to that, that’s not the entire story. Remember, most VPN providers are for-profit companies, and it’s in their best interest to sell you their services. Most reputable VPN companies do care about your privacy, as that’s how they make money. But, it’s worth remembering that just like most other advertisements you see, VPN ads are there to get you to buy something you may not need.
So, should the average internet user use a VPN?
You may be surprised to learn that a lot of your internet traffic is already encrypted, even if you don’t use a VPN. That’s because of HTTPS, or Hypertext Transfer Protocol Secure, which does much more than just encrypt your traffic. Not only does HTTPS prevent hackers from seeing your passwords, it also ensures that you’re actually connecting to the correct server. If someone tries to impersonate a website to collect passwords, your browser will show a full-page warning that something’s up. You can test this by visiting https://self-signed.badssl.com/.
HTTPS used to be only on websites that handled important information, like your bank’s website. But, with the introduction of free ways to get HTTPS up and running (not to mention SEO advantages), more and more website owners are enabling HTTPS for their website.
Sure, a VPN will add a layer of encryption to your internet traffic. But, that won’t protect you against all attacks. Assuming the VPN encryption is stronger than HTTPS encryption (which isn’t always the case), all it does is protect against hackers in between you and the VPN server. Anyone in between the VPN server and the website you’re trying to access can still attack your session just as easily as if you didn’t use a VPN. That’s because the VPN encryption only exists until your traffic reaches the VPN server. After your traffic reaches the VPN server, the VPN’s encryption is removed and your request is sent normally to the website’s servers. The website will then process your request, and send the reply to the VPN server, where it’s then encrypted again and sent back to you.
If you’d like to increase the security of your internet traffic without using a VPN, you can install a plugin like HTTPS Everywhere. The plugin will only allow you to access websites over HTTPS, even if the website’s default is to use plain HTTP. While not a full VPN replacement, it does at least ensure your information is never sent in an unencrypted form.
HTTPS itself is a convincing replacement for a VPN for the average user who just wants to browse the internet securely. Privacy is a different matter, however.
DNS over HTTPS
While HTTPS protects your website traffic from being viewed by anyone except for you, that’s not everything. Your computer can’t just request the homepage of www.google.com; computers can only access IP addresses. So, there needs to be a way to convert www.google.com into an IP address before your computer can make the request. That is done via a DNS query, which returns the IP address for a given domain name.
Unfortunately, unlike accessing a website, DNS requests aren’t encrypted by default. That means that anyone who can intercept your traffic (such as your ISP) can essentially see which websites you’re visiting. The non-VPN solution to this is called DNS over HTTPS. Like its name implies, it simply sends the DNS request over a secure HTTPS connection.
In addition, current TLS implementations will always send the fully qualified domain name of the server in cleartext, to support Server Name Indication. Thus a malicious ISP doesn’t even need to look at your DNS queries. — Server Fault
Basically, even if your DNS queries are encrypted, the websites you visit can still be determined.
If you want privacy, DNS over HTTPS is a step in the right direction, but it’s not quite a VPN replacement yet. A VPN will ensure that attackers on your local network won’t be able to see which websites you’re visiting.
VPNs Are Here To Stay
If you just want your passwords and banking information to stay secure, then a VPN is already obsolete. HTTPS keeps your passwords and other information inaccessible for hackers by utilizing strong encryption, no VPN required. However, if you want privacy, you’ll need a VPN. That will only change with a new TLS implementation, which doesn’t happen overnight.