why you shouldn't use a VPN
timeless security
☆: Monday, October 21, 2019. ∆: Monday, March 22, 2021. Belief: very likely.

VPNs are a pretty weird topic. If you watched a YouTube video and saw a sponsored ad for a VPN, and now believe you need a VPN, allow me to rain on this parade: VPNs are (probably) not a good tool for you. If Ansible scripts and trust models aren’t your thing, stay far far away from VPNs. Unless you have a good reason, don’t buy them, don’t use them, and don’t trust them.

non-colloquial VPN edge cases

In this post, I refer to VPNs primarily in terms of commercial setups that are marketed to consumers for privacy. Other types of VPNs are more traditional and let you traverse network boundaries. Corporate VPNs fall into this category. Feel free to use these to your heart’s content – with the goal of extra service access and not security or privacy.

what are VPNs good for?

VPNs are single hop proxies. They encrypt all of your traffic between you and the VPN site, but not after that.

When you use a wireless or wired network, it’s easy for an operator (and usually anyone else) to see some basic parts of your traffic. This is usually which websites on the internet you’re connecting to, or more generally, which servers your computer is speaking to.

It’s easy to see if you’re on Google, or if you’re on some shady pornography site. Put another way: if you’re on a website or using an application that might be unsavory to some, this is easily detectable without a VPN. The actual content is unknown thanks to a lovely technology called TLS (colloquially, HTTPS or SSL). Some of the time, like when your browser says that a website isn’t secure, the provider can see 100% of what you’re sending. This is far less common now than it used to be.

If you’re playing Internet games, the vast majority of games do nothing to encrypt your traffic. This means that it’s not only obvious when you’re playing a game, it’s probably obvious if you say something silly in chat. If you’re playing on a custom game server where you need to login with a username and password, both of those are clear as day to anyone eavesdropping, too.

VPNs are good for:

  • Evading censorship/filtering, imposed by school/government/parents
  • Encrypting unencrypted traffic (now rare)
  • Evading geoblocking from sites that don’t detect VPNs very well
  • Hiding your location and origin information from a specific website operator (like a corporate competitor)
  • Morally questionable but legal things (like, attempting to circumvent restrictions on buying tickets)
  • Specific reasons that you understand and have built a threat model for

what are VPNs bad for?

  1. Illegal things. I mean wait, they’re really good for that!
  2. Privacy / “evading big tech tracking.” A VPN won’t stop Google from tracking you unless you use an entirely new account, and never access it outside of the VPN.
  3. Online banking. They don’t give you any extra protection and may reduce it (see below).
  4. Things you want to be fast

Do not get a VPN simply because you saw a sponsor video for a VPN.

death by a thousand cuts

protocol overload

There are, at this point, six major VPN protocols and quite a few minor ones. They are: OpenVPN, IPSec, SSTP, IKEv2, PPTP, and WireGuard. Most VPN providers provide a subset, but not all of these protocols as options. They all have varying levels of complexity, and at least two, PPTP and IKEv2, are known to be insecure or have insecure default implementations. Many VPN providers, especially app based ones, will offer you a single protocol without telling you what it is or what the tradeoffs are.

WireGuard, which is modern and by most measures the most well designed, is offered rarely.

pure overhead

No matter what VPN protocol you go with, your connection will always be slower. This is due to two factors: protocol overhead and bandwidth on the VPN provider side. Protocol overhead comes from just using the technology. No matter which protocol you go with, some amount of speed is lost because it takes more data to do everything. VPN provider bandwidth is the second thing: bandwidth is not cheap, and providers will often sell more capacity than they have. Downloads and streams of data will always be slower on a VPN.

Some VPN providers promise faster routing. They may route faster, but you still lose speed due to overhead and bandwidth. VPNs that advertise this feature typically achieve lower latency, but that’s about it.

trust in the devil

Many VPNs are operated by relatively unknown companies. Most VPN companies put “VPN” in their name and only do that one thing. This can make it really hard to earn your trust. Maybe you don’t care? It’s like giving all of your Internet traffic to a stranger and saying “promise not to look!” This is the kind of thing that sets off alarm bells with the likes of PC Magazine, who expressed skepticism about ExpressVPN for keeping its business address and operators anonymous. If you think ExpressVPN is a no name, they advertise heavily on relatively popular podcasts. They’ve definitely got money, and they’re getting an audience with no corporate accountability.

Many are operated in the United States, and those VPNs are subject to the whims of the US Government. VPNs outside of the US government are outside of the law of the US, but are now prime targets for US intelligence. You can count on a VPN hosted in a country with an intelligence community to be monitored by that country.

Some VPN providers say they don’t log traffic. That might be true, but how can you tell? What if they change their mind? What if a court decision forces them to change their mind?

On October 21, 2019, NordVPN confirmed they were hacked over a year earlier in March of 2018. They spent that period of time advertising on urbex YouTube channels, and had website copy that said “Imagine [sic] VPN as a hack-proof, encrypted tunnel for online traffic to flow.” Meanwhile one of their competitors, TorGuard also got hacked. These may be isolated incidents, for sure, but there’s no audit of these places. There’s no proof they’re not pwned. It’s a huge dice roll, and putting all of your traffic through them is risky business.

Even if you pick the right service run by the best people with the best intentions, VPNs are huge targets. If you can hack just one, you hack everyone using the service. Hooray!

torrents, usenet, and warez

So, you want to download stuff illegally? Okay, so, just to discourage you: the vast majority of people who download stuff illegally don’t use VPNs. Just a protip to you: few people get legal action from downloading Photoshop, anime, or porn. Sometimes people who seed popular things get legal notices in the mail. Guess what? If a legal threat is real, a VPN company will definitely sell you out. They aren’t going to fall on a sword for you unless it’s truly frivolous. The only reason why pirates don’t end up in jail is because people don’t go after pirates. Small fish are not worth catching. They go after distributors, sellers, and other people making a profit. That doesn’t mean that it’s okay though. It just means that a VPN won’t do any good or do any bad here. If you’re going to pay some VPN company, pay the person you’re stealing from instead.

Now, if you want to illegally download illegal stuff or do illegal things: look. The feds can and will find and arrest you. Using NordVPN before you send your plans to invade the US capitol is like expecting a bed sheet to stop a bullet.

People who do illegal things get raided and a VPN won’t stop that from happening. If you are planning on doing illegal or evil things, and you know that what you’re doing is something that you want to hide, a VPN will not help you. You will be caught. You will be arrested. You will go to jail and/or die.

when and how do you pick a VPN provider?

Still not convinced? At least do it right.

In the limited case where you need to be discreet, like trying to hide which sites you visit from a coffee shop owner, you have some good options. I personally suggest using Cloudflare Warp, just because it’s free, run by people with a solid mission, and you know what you’re getting. They don’t require an account, nor a payment, and they use WireGuard, which is heavily praised for being much faster and more secure than alternative protocols.

From a technical perspective, WARP is a VPN. But it is designed for a very different audience than a traditional VPN. WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit. If you’re looking for that kind of high-security protection then a traditional VPN or a service like Tor are likely better choices for you.

WARP, instead, is built for the average consumer. It’s built to ensure that your data is secured while it’s in transit. So the networks between you and the applications you’re using can’t spy on you. It will help protect you from people sniffing your data while you’re at a local coffee shop. It will also help ensure that your ISP isn’t hoovering up data on your browsing patterns to sell to advertisers.

If you need more protection or if you’re on a computer, I highly suggest setting up your own VPN server with Algo. You’ll have to pay for the server hosting, but that means that you just have to trust a cloud provider like Google, Amazon, Microsoft, or DigitalOcean, and Trail of Bits (just during initial setup). They also have a very strong mission statement, which is worth reading in full, but here’s a snippet:

Really, the paid-for services are just commercial honeypots. If an attacker can compromise a VPN provider, they can monitor a whole lot of sensitive data. Paid-for VPNs tend to be insecure: they share keys, their weak cryptography gives a false sense of security, and they require you to trust their operators. Even if you’re not doing anything wrong, you could be sharing the same endpoint with someone who is.

If Warp isn’t your thing, and you can’t setup Algo, try a VPN provider from a company that doesn’t advertise magic: maybe Mullvad? Make sure you use WireGuard, and avoid installing a VPN client app.