Do VPNs help my security?

Separating the marketing from security when it comes to VPN providers

Will Pizzano
Sentant
Mar 31, 2022


VPN companies like PrivateInternetAccess and NordVPN have been marketing themselves for years as safe ways to be able to use the internet from public locations, like coffee shops and airports.

Today, this advice is largely outdated. In 2022, I and numerous other security experts agree that consumer VPNs aren’t useful for most people. Let’s explore why.

How Public WiFi hotspot hacks work

There are a few common ways of hacking people on a public wifi network:

Listening In

WiFi is essentially a short-distance radio, and that means an eavesdropper nearby (who knows the WiFi password) can listen in on the communication, such as your web browsing.

Today, that’s no longer much of a risk. Almost all major websites and mobile apps require encryption with TLS (HTTPS), which means data is encrypted on your computer and only decrypted on the website’s servers. Someone in the middle has no way of decrypting that data, so nearby hackers can eavesdrop all they want and be left with nothing but a pile of garbage data.

Evil Twins & SSLStrip

An “Evil Twin” attack is when a hacker sets up their own WiFi hotspot imitating a real one, such as an airport’s or coffee shop’s, and hopes people will connect to it. They then forward traffic to the real public wifi network, while intercepting all of the victim’s internet traffic.

Emerging in 2009, SSLStrip is another way hackers can try to compromise people using a shared wifi network. To use it, hackers either compromise an existing public wifi network or set up their own “evil twin,” hoping to trick victims. Then, when you try to visit a web site like “gmail.com,” it attempts to trick your computer into thinking the hacker’s computer is actually the web site, and it snoops on you while forwarding data from the real web site so that everything seems to work normally. For this to work, the hacker has to make sure only unencrypted http:// (and not encrypted https://) is used; otherwise encryption would stop them from eavesdropping and accessing information like your password.

This was a big risk back in 2009, but in 2022 it is highly unlikely this tactic will still work. That’s because most major web sites now use something called HTTP Strict Transport Security, or “HSTS.” Once your browser has seen a site’s HSTS policy (either from an earlier HTTPS visit or because the site is on the browser’s built-in preload list), it will never request that site over plain http:// again, and if a hacker tried to impersonate a site like gmail.com on a public wifi network, your web browser would refuse to connect to it. Instead, you’ll just get a big red warning message saying something is wrong with HTTPS, and the page won’t be loaded. The browser won’t even let you override the error. This stops SSLStrip attacks in their tracks.
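To make the HSTS mechanism concrete, here is an added example (not code from the article) that models the policy store a browser keeps for HSTS hosts, following the rules of RFC 6797: the header is parsed only from HTTPS responses, `includeSubDomains` extends the policy to subdomains, an `http://` URL to a known host is rewritten to `https://` before any packet is sent, and certificate errors on a known host cannot be clicked through. The host names and the preload entries are constructed for the demonstration; real browsers ship their own preload list.

```python
"""
Minimal model of a browser's HSTS (RFC 6797) policy store.

Added illustration for the SSLStrip/HSTS discussion; not the article's
own code. It shows why a stripped http:// request never leaves the
browser for a host with a cached HSTS policy, and the one gap: a host the
browser has never seen over HTTPS (and that is not preloaded) is not yet
protected on the very first visit.
"""
import time
from urllib.parse import urlsplit, urlunsplit

# Constructed stand-in for the browser's built-in preload list
# (hypothetical entry; real browsers ship a large list of their own).
PRELOAD = {"mail.example": True}   # host -> includeSubDomains


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None if the header
    is malformed (RFC 6797 requires a max-age directive).
    """
    max_age = None
    include_sub = False
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        # Unknown directives (for example "preload") are ignored.
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Per-profile cache of known HSTS hosts, as a browser would keep it."""

    def __init__(self, preload=None, clock=time.time):
        self.clock = clock
        self.known = {}  # host -> (expires_at, include_subdomains)
        for host, include_sub in (preload or {}).items():
            self.known[host] = (float("inf"), include_sub)

    def observe(self, host, header, over_tls=True):
        """Record a policy from a response.

        Only HTTPS responses count: a header seen over plain HTTP is
        ignored, so someone on the network path cannot set or alter a
        policy; only the real TLS origin can.
        """
        if not over_tls:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self.known.pop(host.lower(), None)   # max-age=0 clears the policy
            return
        self.known[host.lower()] = (self.clock() + max_age, include_sub)

    def is_known(self, host):
        """True if host, or a superdomain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.known.get(candidate)
            if entry is None:
                continue
            expires_at, include_sub = entry
            if expires_at < self.clock():
                continue   # expired policy no longer applies
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Return the URL the browser would actually fetch.

        http:// to a known host is upgraded to https:// before any
        request is sent, which is what defeats SSLStrip.
        """
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname or ""):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url

    def cert_error_overridable(self, host):
        """Known HSTS hosts get a hard failure on TLS errors: no click-through."""
        return not self.is_known(host)


if __name__ == "__main__":
    store = HstsStore(preload=PRELOAD)
    print(store.rewrite("http://mail.example/inbox"))      # upgraded to https
    print(store.rewrite("http://shop.example/"))           # never seen: stays http
    store.observe("shop.example", "max-age=31536000")      # learned over HTTPS
    print(store.rewrite("http://shop.example/"))           # now upgraded
```

The first-visit gap is the reason the preload list exists: a site that has never been loaded over HTTPS on a given device has no cached policy, so the upgrade in `rewrite` only happens after `observe` has seen a genuine TLS response (or the host is preloaded).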

Phishing

Since the widespread use of encryption makes Evil Twin setups near-worthless for eavesdropping, hackers have paired them with a tried-and-true tactic: phishing.

“Evil Twin” networks will try to disconnect you from the real public WiFi network and have you connect to their impostor WiFi hotspot. Then, they’ll redirect you to a fake WiFi login page. There, they’ll try to get you to enter your account passwords (such as Google), or try to get you to download malware claiming it’s necessary software to enable internet access.

In 2022, phishing on public WiFi is still a risk. But, since these wifi login prompts happen before you can connect to the internet, VPNs won’t help here. The phishing would have already happened before you could log in to the VPN.

Privacy

VPN providers advertise that using their service will hide your IP address and geolocation, improving privacy. While that’s technically true, the way most people use VPNs means this isn’t the case in practice.

For example, let’s say someone logs into a VPN provider in Sweden from a US airport. “Aha!” they might think, “now those advertisers won’t be able to track me anymore.”

But that’s just not true, since modern adtech often piggybacks on accounts you log into, like Gmail and Facebook. If you’ve logged into Facebook and then visit another site that has the Facebook Like button, it’s trivial for Facebook to put 2+2 together, determine you’re logged in from a VPN, and attribute the browsing back to you.

Checkered Pasts

The commercial VPN business grew from a seedy underbelly of the internet, catering to software pirates and hackers. Early on, VPN providers found their niche in offering a way to prevent people using BitTorrent from receiving copyright infringement notices from their internet provider. Many even advertised on sites like ThePirateBay. Some targeted actual hackers with their advertising — tacitly promising to keep them safe from copyright or law enforcement with “no logs kept.”

A number of top VPN providers, including PrivateInternetAccess and ExpressVPN, are now owned by a company called Kape. Far from coincidentally, Kape also bought up numerous “VPN Review” sites. These sites claim “editorial neutrality,” but they promote the companies Kape owns as the best VPN options available.

Kape is no stranger to controversy. Under its former name CrossRider, it was known for making software that was easily abused by hackers to hijack users’ browsers and inject advertisements. Since the CrossRider days the company has been under the leadership of Teddy Sagi, a billionaire who in 1996 served several months in an Israeli prison for bribery and fraud, and whose offshore finance activities were featured in the Panama Papers.

VPN providers, by their very nature, have to intercept all of your internet traffic in order to forward it on. So, it’s very important to trust that company.

What to do instead

There are some other things you can do to prevent public wifi hacks, and they will give you far more protection, for free, than paying for a VPN:

  • Keep on top of security updates for your browser, apps and operating systems. Don’t let Chrome run with the yellow/red “Update” icon showing!
  • Use CloudFlare’s free 1.1.1.1 and WARP services. WARP is essentially a free consumer VPN. CloudFlare is far more trusted by security professionals than commercial VPN providers.
  • Use the EFF’s HTTPS Everywhere and/or Privacy Badger plugins. HTTPS Everywhere will make sure that, whenever possible, your data is encrypted between your computer and the website, making eavesdropping highly unlikely, and Privacy Badger will strip away adtech trackers.
  • If you want to privately browse the internet without fear of being tracked, use the Tor Browser instead of a VPN or private browsing window.

In 2022, each of the above measures will do more for your personal security for free than paying for a VPN.

If you’ve ever attended our security training, you’ve seen this image! Conspicuously, “Use a VPN” appears nowhere on the Experts’ list.
