Many kids these days get a safe-sex lesson where they learn the basics of the birds and the bees. Sadly, we don’t tend to do similar lessons for the bits and the bytes of computer security.
If you’re like most people, you know that there are certain risks involved with being online, especially in public. You’ve heard the stories about hackers exploiting wi-fi networks at coffee shops and hotels, and gaining control of unsecured devices. But you probably haven’t done anything about it.
Lucky for you, there is an easy way to make browsing the Internet a little safer: a VPN, or Virtual Private Network. VPNs have been getting press for years now, but most computer and smartphone addicts still aren’t using them. Only 27 percent of people globally have used VPNs, according to a survey released by GlobalWebIndex in October. The use is far higher in Asia and South America than in the U.S., where just 16 percent of adults use VPNs.
Even if you’re a computer novice, it’s time to take the plunge. Here are some answers to common questions about VPNs, including why having one is a must.
Why do I need a VPN?
Put simply, a VPN is like a condom for Internet use. When you use a VPN, it creates a private encrypted tunnel that your Internet requests are sent through, re-routing your activity through a server controlled by your VPN provider rather than over a shared wifi network. That way, a tech-savvy interloper can’t use sniffing tools to see you connecting to websites or loading apps. Without a VPN, that information can be up for grabs — and if the websites or apps don’t use SSL encryption, a hacker could see everything you click on or send.
Wouldn’t that be illegal, though?
Yes, but it’s happening all over the place anyway. If you’re connecting to a https site (the ones with a little lock in the address bar), you’re safer from these attackers. But despite pressure from security advocates and even the makers of Firefox, there are still a number of sites out there that don’t use SSL by default, and tools like this $100 “wifi pineapple” are making it easier than ever for network voyeurs to see your information. With minimal effort, hackers could see you browsing on Amazon, reading Wikipedia or news articles, or searching for and watching porn. (Yes, shockingly, many porn sites are unencrypted.)
“If you care about your privacy, you need a VPN,” says Filip Chytrý, a mobile security product manager at Prague-based Avast, which has VPNs for sale.
I never use public wifi networks. Do I still need a VPN?
There are other benefits to using a VPN. Because you’re being redirected through your VPN’s server — potentially in another country — a good VPN can allow you to circumvent Internet restrictions put in place on the network you’re using.
Say you’re a HBO Go subscriber, and you’re on vacation in a country where HBO is unavailable. Without a VPN, you’d get a message telling you that you must reside in the U.S. to get the latest Game of Thrones episode. But with a VPN, you could route your traffic through the U.S. and get your swords and dragons fix.
Lots of Netflix users employ VPNs — so many, in fact, that the movie giant threatens in its terms of service to ban users employing them. In China, VPNs are also extremely popular, as they allow users to circumvent China’s Great Firewall— when they’re not blocked. If you’re traveling to China, and you want to be able to check Gmail or Twitter while you’re there, a VPN is a must as those services are currently blocked in the country.
Which VPN should I get?
I surveyed a handful of security experts to ask which VPN they recommend using. The most frequently recommended VPN was that offered by Private Internet Access, a U.S.-based company with servers in the U.S., U.K., and Switzerland. The company says it doesn’t keep logs of users’ activities — which is important for privacy reasons — and it has a drop-down menu that lets you choose which country you want to appear to be coming from, which is important for TV-binging reasons. The service costs $40 a year, and can be installed on your laptop and smartphone.
Any others you’d recommend?
If you’re just trying to protect yourself from other people at a coffee shop or binge-watch TV while abroad, any basic VPN is probably fine. If you’re a dissident in a repressive country, you probably want to seek out a more robust VPN that supports security protocols like OpenVPN or IPSEC/L2TP, doesn’t keep connection logs, has lots of exit nodes, and is based outside of your country.
“If you live in a country with a repressive government, make sure that you’re using a VPN in a country that is not allied with your government,” says Frederic Jacobs, a security engineer at Whisper Systems. “If you’re a U.S. dissident/activist, you probably shouldn’t have a VPN in the US. If you’re a Belarussian activist, don’t use a VPN in Russia — that would be stupid.”
So, if I use a VPN, I’m totally secure?
Not totally. Many VPN providers use PPTP, a protocol that is “thoroughly broken,” said Christopher Soghoian, a technologist at the ACLU, by email. Using a service with a known vulnerability—like a VPN using PPTP technology—is like locking your bike up with a cable lock in a place where thieves regularly carry around bolt cutters. It’s insufficient protection for your bike and for your data.
And don’t rely on VPNs to protect you from the NSA, either.
“VPNs do not protect you from government surveillance,” said Soghoian. “It is trivially easy for the NSA to track single-hop VPN traffic (by watching your data go in and out of the VPN service).”
If you need to hide from the NSA or another intelligence agency, Soghoian said, the best bet is using Tor, an anonymized browser. “And even then, it isn’t a silver bullet.”
So I’m screwed no matter what, basically?
Well, using a VPN is much, much safer than not using one. But as with any security protection, it’s imperfect.
Soghoian pointed out that, for Americans, sending your traffic out of country via a VPN may actually increase the likelihood that your data will be collected by an intelligence agency like the NSA. That’s because a foreign-based VPN makes you look like a non-U.S. citizen who don’t have constitutional protections against unreasonable searches and seizures of information.
And you have to trust the VPN that you’re using. If the VPN service is compromised, all your protections will be for naught.
“The problem with any third party VPN service, is that you are intentionally routing your traffic through them, and you are relying on them being honest and protecting your data,” says Colby Moore, a security research engineer at Synack. “Overall, its better to use a VPN than not, especially if you are somewhere untrusted. However, you should continue to use HTTPS and secure protocols under the VPN.”
Real privacy sticklers pile these measures on top of one another, creating a multi-layer security stack that increases your data’s chance of staying private. Dan Tentler, a security researcher at Aten Labs, told me that he uses his own custom network, one that combines a VPN with SSH tunnels, VPS machines, and Tor.
“If you double up or triple up technologies you can get some pretty solid results,” says Tentler.
That sounds complicated.
It is. For now, just take our advice, and download a damn VPN.