You Need a VPN

The internet is nothing more than a giant transit system of packets being sent between servers. Security was an afterthought: the original architects were simply thrilled that the packets arrived at all. As a result, most traffic is sent over plain HTTP, which makes it trivial to intercept by packet-sniffing. A simple network analysis tool can be employed to monitor nearly everything you do online. The information gleaned can be used by anyone: an eavesdropper at the coffee shop, the NSA, even your ISP.

A safer version of HTTP exists called HTTPS, which encrypts the information before it is sent to the server. HTTPS is often employed on pages that handle sensitive information, such as credit card numbers or login details. Despite our best efforts, however, HTTPS is not yet available on all websites. One reason is that the enhanced security of HTTPS creates more overhead for the website: establishing each encrypted connection requires a cryptographic 'handshake', which increases the amount of time the page takes to load. Finally, operating an HTTPS website has required purchasing a renewable HTTPS certificate from a certificate authority, which drives up the cost of maintaining the website. For a static website which holds no user data or sensitive information, the promise of 'security' simply may not be worth the trade-off.

How a VPN Works

A VPN, or Virtual Private Network, works by extending an internal, private network over a larger, public space. When a VPN is active, a device outside the physical location of the private network is assigned an IP address as though it were within the network. VPNs are often used on corporate networks to allow employees who are working remotely to access the employer's network without being physically connected to it. This lets the employee reach network-shared documents, internal servers, and so on. For example, an employee on their home wi-fi who connects to the corporate VPN should theoretically be able to queue a document on the office's network-connected printer and pick it up when they head into the office.

Though not its original purpose, the VPN has two important side-effects:

  1. Because information coming from the corporate network may be sensitive, all of the packets sent over the VPN tunnel are encrypted.
  2. Because the machine is assigned an IP address within the private network, all information sent to the outside web appears to originate from the VPN's IP address. That is to say, if you sign into your employer's VPN and then sign into Facebook while the VPN is turned on, Facebook may show you as having signed in from your employer's IP address, not the IP address of your home wi-fi.

VPNs Are Not Just for Teleworking

When your computer is connected to a VPN, all of the information sent through the VPN is encrypted between your computer and the VPN server. This means that anyone intercepting packets along the way would find the packets encrypted. While the encryption will be of varying strength and could theoretically be broken, this should be enough to ward off the Coffee Shop Hacker and make him turn towards easier targets on the network.

Encrypted packets also stop your ISP from seeing your browsing habits. This is because using a VPN means that the VPN server acts as a middleman for all of the packets sent to and from your computer. If you sign onto Facebook, your computer does not send the request directly to Facebook: it sends the information (encrypted) to the VPN server, which then sends the request to Facebook, and returns Facebook's reply back to your computer over the VPN tunnel.

Without a VPN, your ISP (Internet Service Provider) would see every domain on the web you connect to, and any cleartext data that is sent their way. With a VPN turned on, however, your ISP would see your computer sending data to the VPN server, but they wouldn't be able to see what is being sent.

Finally, because the query appears to come from the IP address of the VPN server rather than the IP of the user's home wi-fi, VPNs can be used to bypass georestrictions. VPNs are very popular in countries where Netflix is not offered, for instance. By using a VPN with a US-based server to sign into Netflix, the user appears to be in the US, and Netflix will allow the user to access US-locked media.

Warning: Don't use your work VPN to browse privately. It may be safe from prying eyes at the coffee shop, but your employer might still be able to see it!

Where to Find a VPN Provider

Finding the "perfect" VPN is incredibly difficult, if not impossible. All that establishing a private VPN really requires is a remote server and a protocol to establish the secure tunnel from your device to the server. You could even set up your own on a private AWS server if you so desired. The relative ease of setup has inspired many companies to create low-cost VPN solutions as demand has soared. Unfortunately, the lack of standards and accountability limits our ability to objectively rate VPN providers and the integrity of their offerings. The following URL is an independently-maintained list of various VPN providers and their supported features:

VPN Comparison Chart

The above is not the be-all-end-all resource. But thus far, it's the best we've got. You can also check out some of the recommendations at Privacy Tools.

At the bare minimum, any VPN service that you purchase should provide the following guarantees:

Warning: Be very suspicious of free VPN providers. Anything you are not paying for directly is likely being "subsidized" by another transaction, namely the selling of your browsing history to advertisers.

Frequently Asked Questions

How does someone spy on my browsing on a public wifi?

All information is sent and received on the internet by exchanging packets between the website's server and the end-user's laptop. Unless the site is using HTTPS, these packets are transmitted in plaintext. With freely available traffic analysis software (such as the ubiquitous Wireshark), it is trivial to intercept or inspect a packet in transit that is being sent on your network. This is known as "packet sniffing". If the contents of those packets are opened, a third party within your network can see exactly which websites you're visiting, what queries you're sending to your favorite search engine, and what you're posting on your blog. Website credentials, like your username and password, can be captured, too.
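To make the difference concrete, here is an added example (not part of the original article) that models what an on-path observer, whether the coffee-shop neighbour described here or the ISP described in the section above, can read from a single captured payload. It uses constructed sample traffic: a plaintext HTTP login, a hand-built TLS ClientHello, and a byte string standing in for VPN-tunnel ciphertext. The hostnames, field names and the `observer_view` helper are all assumptions made for the example; the form values are fake.

```python
import re
import urllib.parse

# --- constructed sample traffic (not real captures) ---------------------------

# A plaintext HTTP login exactly as it travels over the wifi. Fake credentials.
SAMPLE_HTTP = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"username=alice&password=not-a-real-pw"
)

# Stand-in for VPN-tunnel ciphertext: no structure an observer can parse.
SAMPLE_TUNNEL = bytes(range(256))

# Form-field names that indicate a credential is being submitted.
SENSITIVE_NAME = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)


def build_client_hello(server_name):
    """Build a minimal TLS ClientHello carrying a server_name (SNI) extension.
    Sample input only: the fixed random and single cipher suite are not what a
    real browser sends."""
    name = server_name.encode("ascii")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name        # name_type 0 = host_name
    ext = (b"\x00\x00"                                            # extension type 0 = server_name
           + (len(entry) + 2).to_bytes(2, "big")
           + len(entry).to_bytes(2, "big") + entry)
    body = (b"\x03\x03" + b"\x11" * 32                            # version + 32-byte random
            + b"\x00"                                             # empty session id
            + b"\x00\x02\x13\x01"                                 # one cipher suite
            + b"\x01\x00"                                         # null compression
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def parse_http_request(payload):
    """Return host, path and the names of submitted form fields, or None if the
    payload is not a plaintext HTTP request."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[0].isupper() or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    fields = []
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        fields = [name for name, _ in urllib.parse.parse_qsl(body)]
    return {"host": headers.get("host"), "path": parts[1], "fields": fields}


def parse_tls_sni(payload):
    """Return the server_name from a TLS ClientHello, or None. This is the one
    thing an observer of HTTPS still learns: which site, but not what was said."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:              # TLS record, ClientHello
            return None
        hs_len = int.from_bytes(payload[6:9], "big")
        body = payload[9:9 + hs_len]
        pos = 2 + 32                                              # skip version and random
        pos += 1 + body[pos]                                      # session id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")       # cipher suites
        pos += 1 + body[pos]                                      # compression methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")  # extensions block
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0:                                        # server_name extension
                name_len = int.from_bytes(data[3:5], "big")
                return data[5:5 + name_len].decode("ascii")
    except (IndexError, UnicodeDecodeError):
        return None
    return None


def observer_view(payload):
    """What an on-path observer (wifi neighbour, ISP) learns from one payload.
    Credential values are never returned, only the fact that a credential field
    was exposed."""
    http = parse_http_request(payload)
    if http:
        return {"visible": "full request", "host": http["host"], "path": http["path"],
                "sensitive_fields": [f for f in http["fields"] if SENSITIVE_NAME.search(f)]}
    sni = parse_tls_sni(payload)
    if sni:
        return {"visible": "server name only", "host": sni}
    return {"visible": "ciphertext only", "host": None, "size": len(payload)}


if __name__ == "__main__":
    for label, sample in [("plain HTTP", SAMPLE_HTTP),
                          ("HTTPS", build_client_hello("example.com")),
                          ("VPN tunnel", SAMPLE_TUNNEL)]:
        print(label, "->", observer_view(sample))
```

Running it shows the three tiers the article describes: plain HTTP exposes the site, the page and the credential field; HTTPS exposes only the server name from the handshake; traffic inside a VPN tunnel exposes nothing but its size and the tunnel endpoint. Note that the VPN server itself still sees whichever of the first two tiers applies, which is the trust question the FAQ below returns to.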

Why am I more vulnerable in a coffee shop than at home?

It is generally assumed that no one is going to be on your home wifi except for you, your family, and any visiting friends that you might have given the wifi password. On a public wifi at a Starbucks, however, you have no idea who else is currently logged in to the network. The risk extends to any publicly-accessible network: a library, an airport, a university dorm's wifi, etc.

How do I know that my VPN provider isn't spying on me?

This is a fundamental problem with VPNs: you don't. When you decide to run your traffic through a VPN, you are essentially putting a middleman between yourself and your traffic's destination. The VPN provider functions as a courier: you put your packets in the courier's care so that no one else will intercept them, but you are intrinsically trusting the VPN provider not to look at the packets, either. If the VPN provider is not trustworthy, this may be no better than running without one. It is up to you to find a VPN provider that you are willing to trust. Even though virtually every VPN provider will claim that they will not inspect your data, it is difficult for them to prove it. VPN providers may enact certain policies to increase that trust, such as a strict no-logging policy. Unfortunately, getting a VPN provider to "prove" that they don't keep any logs is easier said than done.

Should I use a VPN all the time?

Whether to use a VPN constantly depends on what you are trying to achieve. If you're only trying to protect yourself from malicious eavesdroppers at a coffee shop or airport wifi, then you can safely turn off the VPN when you're at home. On the other hand, if your concern is stopping your ISP from spying on your activity, or stopping the sites you visit from learning your true IP, then using a VPN at all times would be more beneficial.

Always double-check that your VPN is actually doing what it says by using a site or search engine to check your IP. You should be able to type "What is my IP" into your favorite search engine, and it will usually return your public IP and often a map based on the geolocation of that IP. If it shows the IP and geolocation of your VPN, then it is working as intended. If it shows your real IP and current location, however, your VPN is not doing its job.
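The "What is my IP" check above is easy to misread when a page reports more than one address, so here is an added example (not from the original article) that classifies what such a page showed. The addresses are constructed from the RFC 5737 and RFC 3849 documentation ranges; in practice you would substitute your own home address and the exit ranges your provider publishes. The verdict names and the `tunnel_status` helper are assumptions made for this example. It also covers one failure mode the article does not mention: a VPN that tunnels IPv4 while the operating system still sends IPv6 directly, so a site sees your real IPv6 address even though the IPv4 check looks fine.

```python
import ipaddress

# Constructed values (RFC 5737 / RFC 3849 documentation ranges), not real addresses.
HOME_ADDRESSES = ["198.51.100.23", "2001:db8:1::5"]          # what your ISP assigns you
VPN_EXIT_NETWORKS = ["203.0.113.0/24", "2001:db8:ffff::/48"]  # provider's published exits


def tunnel_status(observed, home=HOME_ADDRESSES, vpn_networks=VPN_EXIT_NETWORKS):
    """Classify the public addresses a 'what is my IP' page reported while the VPN was on.

    observed: every address the page showed (IPv4 and, if it lists one, IPv6).
    Returns 'ok', 'tunnel inactive', 'ipv6 leak', 'leak' or 'unexpected exit'.
    """
    nets = [ipaddress.ip_network(n) for n in vpn_networks]
    home_set = {ipaddress.ip_address(h) for h in home}
    via_vpn, leaked, unknown = [], [], []
    for addr in (ipaddress.ip_address(o) for o in observed):
        if any(addr in n for n in nets):
            via_vpn.append(addr)          # traffic of this family exits through the VPN
        elif addr in home_set:
            leaked.append(addr)           # the site saw your real address
        else:
            unknown.append(addr)          # neither home nor a known VPN exit
    if not via_vpn:
        return "tunnel inactive"          # nothing is going through the VPN at all
    if leaked:
        # IPv4 is tunnelled but IPv6 bypasses it: the most common partial failure.
        return "ipv6 leak" if all(a.version == 6 for a in leaked) else "leak"
    if unknown:
        return "unexpected exit"          # working, but check the provider's ranges
    return "ok"


if __name__ == "__main__":
    # Constructed readings from three imaginary checks.
    for reading in (["203.0.113.7", "2001:db8:ffff::9"],
                    ["198.51.100.23"],
                    ["203.0.113.7", "2001:db8:1::5"]):
        print(reading, "->", tunnel_status(reading))
```

An "ipv6 leak" verdict means the VPN is doing only half its job; the usual remedies are to enable the provider's IPv6 support or disable IPv6 on the interface while the tunnel is up. An "unexpected exit" is not necessarily wrong, since providers add servers, but it is worth confirming before relying on it.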

Will a VPN provide complete anonymity online?

No. VPNs were not designed for anonymity. The fact that the real IP Address is masked is more of a byproduct than the true purpose. It is still possible to build a 'profile' of you based on the websites you visit, even if you visit them through a VPN. Those websites will still have a record of the VPN's IP address visiting them. For example, if you sign onto your Facebook using a VPN server based in Germany, Facebook still has a record of you visiting the website--you just did so under a German IP Address. If that same IP Address were then used to send an anonymous e-mail to a school calling in a bomb threat, the authorities would still have sufficient evidence to tie you to the bomb threat, even though you used a VPN. True anonymity is very, very difficult: if that is your end-goal, you would be well-advised to use something like Tor in addition to a VPN.

I turned on the VPN, and now this site says that someone logged into my account from overseas!

Certain websites like Facebook, Gmail, Paypal, etc. have various safeguards built in to try to prevent people from logging in with compromised credentials. Essentially, when you log into Facebook, it keeps track of the IP Address from where you logged in and a rough geolocation corresponding to that IP Address. It uses this to build a profile of 'you' and where you've previously logged in. By doing so, it has a built-in early warning system that can trigger if an IP Address from halfway across the world suddenly logs in using your credentials. For instance, if you have a five-year history of logging into your Facebook exclusively from the georegion around Chicago, and suddenly your account is accessed from an IP Address in India, Facebook will assume that you have been hacked and send you an alert. Facebook has no way of knowing whether that IP is a foreign entity or you logging in through a VPN. And so if you start using a VPN to change your external IP from your hometown of Chicago to a server in the Bahamas, Facebook would similarly trigger an alert when it starts to see you logging in from the Bahamas. This is not necessarily a bad thing, provided you know why it's happening.

The sign-in messages will eventually go away if you use the same VPN server repeatedly. Google or Facebook will learn to associate that IP with your profile and stop considering it unusual.

Additional Resources

How VPNs Work