why you shouldn't use a VPN
timeless security
☆: Monday, October 21, 2019. ∆: Monday, December 2, 2019. Belief: very likely.

VPNs are a pretty weird topic. The acronym is “virtual private network,” which sounds cool. They’re advertised all over, and smart people will run ads claiming they’re useful for security and privacy. Allow me to rain on this parade: unless you’re an expert, or you lower your expectations, VPNs are not a good tool for you. If Ansible scripts and trust models aren’t your thing, stay far far away from VPNs. Don’t buy them, don’t use them, and don’t trust them.

non-colloquial VPN edge cases

In this post, I refer to VPNs primarily in terms of commercial setups that are marketed to consumers for privacy. Other types of VPNs are more traditional and let you traverse network boundaries. Corporate VPNs fall into this category. These are meh in terms of protocol support, but they let you access shared network resources that you wouldn’t normally have access to without being on the network. Feel free to use these to your heart’s content – with the goal of extra service access and not security or privacy.

On a consumer front, AmpliFi Teleport offers a “corporate style VPN” for home use, letting you access a NAS or something from a remote location. This is also relatively okay.

what are they good for?

VPNs are single hop proxies. They encrypt all of your traffic between you and the VPN site, but not after that.

When you use a wireless or wired network, it’s easy for an operator (and usually anyone else) to see some basic parts of your traffic. This is usually which websites on the internet you’re connecting to, or more generally, which servers your computer is speaking to.

It’s easy to see if you’re on Google, or if you’re on some shady pornography site. Put another way: if you’re on a website or using an application that might be unsavory to some, this is easily detectable without a VPN. The actual content is unknown thanks to a lovely technology called TLS (colloquially, HTTPS or SSL). Some of the time, like when your browser says that a website isn’t secure, the provider can see 100% of what you’re sending. This is far less common now than it used to be.

If you’re playing Internet games, the vast majority of games do nothing to encrypt your traffic. This means that it’s not only obvious when you’re playing a game, it’s probably obvious if you say something silly in chat. If you’re playing on a custom game server where you need to login with a username and password, both of those are clear as day to anyone eavesdropping, too.

To recap, VPNs are good if you’re:

  • Trying to get around geographically blocked content, like Netflix in the UK.
  • Using insecure websites, and you trust a VPN provider more than your network operator.
  • Browsing sketchy sites on networks you shouldn’t be on.
  • Playing games where you care more about security than lag.

death by a thousand cuts

Key benefits aside, VPNs are really terrible, for a lot of reasons.

protocol overload

There are, at this point, six major VPN protocols and quite a few minor ones. They are: OpenVPN, IPSec, SSTP, IKEv2, PPTP, and WireGuard. Most VPN providers offer a subset, but not all, of these protocols as options. They all have varying levels of complexity, and at least two, PPTP and IKEv2, are known to be insecure or have insecure default implementations. Many VPN providers, especially app based ones, will offer you a single protocol without telling you what it is or what the tradeoffs are.

WireGuard, which is modern and by most measures the most well designed, is offered rarely.

pure overhead

No matter what VPN protocol you go with, your connection will always be slower. This is due to two factors: protocol overhead and bandwidth on the VPN provider side. Protocol overhead comes from just using the technology. No matter which protocol you go with, some amount of speed is lost because it takes more data to do everything. VPN provider bandwidth is the second thing: bandwidth is not cheap, and providers will often sell more capacity than they have. Downloads and streams of data will always be slower on a VPN.

Some VPN providers promise faster routing. They may route faster, but you still lose speed due to overhead and bandwidth. VPNs that advertise this feature typically achieve lower latency, but that’s about it.

trust in the devil

Many VPNs are operated by relatively unknown companies. Most VPN companies put “VPN” in their name and only do that one thing. This can make it really hard to earn your trust. Maybe you don’t care? It’s like giving all of your Internet traffic to a stranger and saying “promise not to look!” This is the kind of thing that sets off alarm bells with the likes of PC Magazine, who expressed skepticism about ExpressVPN for keeping its business address and operators anonymous. If you think ExpressVPN is a no name, they advertise heavily on relatively popular podcasts. They’ve definitely got money, and they’re getting an audience with no corporate accountability.

Many are operated in the United States, and those VPNs are subject to the whims of the US Government. VPNs outside of the US are outside the reach of US law, but are now prime targets for US intelligence. You can count on a VPN hosted in a country with an intelligence community to be monitored by that country.

Some VPN providers say they don’t log traffic. That might be true, but how can you tell? What if they change their mind? What if a court decision forces them to change their mind?

On October 21, 2019, NordVPN confirmed they were hacked over a year earlier in March of 2018. They spent that period of time advertising on urbex YouTube channels, and had website copy that said “Imagine [sic] VPN as a hack-proof, encrypted tunnel for online traffic to flow.” Meanwhile one of their competitors, TorGuard, also got hacked. These may be isolated incidents, for sure, but there’s no audit of these places. There’s no proof they’re not pwned. It’s a huge dice roll, and putting all of your traffic through them is risky business.

Even if you pick the right service run by the best people with the best intentions, VPNs are huge targets. If you can hack just one, you hack everyone using the service. Hooray!

when and how do you pick a VPN provider?

Still not convinced? At least do it right.

In the limited case where you need to be discreet, like trying to hide which sites you visit from a coffee shop owner, you have some good options. I personally suggest using Cloudflare Warp, just because it’s free, run by people with a solid mission, and you know what you’re getting. They don’t require an account, nor a payment, and they use WireGuard, which is heavily praised for being much faster and more secure than alternative protocols.

From a technical perspective, WARP is a VPN. But it is designed for a very different audience than a traditional VPN. WARP is not designed to allow you to access geo-restricted content when you’re traveling. It will not hide your IP address from the websites you visit. If you’re looking for that kind of high-security protection then a traditional VPN or a service like Tor are likely better choices for you.

WARP, instead, is built for the average consumer. It’s built to ensure that your data is secured while it’s in transit. So the networks between you and the applications you’re using can’t spy on you. It will help protect you from people sniffing your data while you’re at a local coffee shop. It will also help ensure that your ISP isn’t hoovering up data on your browsing patterns to sell to advertisers.

If you need more protection or if you’re on a computer, I highly suggest setting up your own VPN server with Algo. You’ll have to pay for the server hosting, but that means that you just have to trust a cloud provider like Google, Amazon, Microsoft, or DigitalOcean, and Trail of Bits (just during initial setup). They also have a very strong mission statement, which is worth reading in full, but here’s a snippet:

Really, the paid-for services are just commercial honeypots. If an attacker can compromise a VPN provider, they can monitor a whole lot of sensitive data. Paid-for VPNs tend to be insecure: they share keys, their weak cryptography gives a false sense of security, and they require you to trust their operators. Even if you’re not doing anything wrong, you could be sharing the same endpoint with someone who is.

If you can’t set up your own VPN, and you don’t like Warp, you’re better off without a VPN.[1]

  1. If you think you’re not better off without a VPN, and you’re trying to do sketchy stuff, perhaps stop trying to do sketchy stuff. In the words of Zoz Brooks: “If this small amount of thing is too much effort for you, then Internet scofflaw is probably not the job for you. You should work for the government instead.”