You Probably Don't Need a VPN
NBC: ‘You Probably Don’t Need to Rely on a VPN Anymore’ (nbcnews.com)
Posted by EditorDavid on Sunday January 02, 2022 @05:47PM from the encryption-everywhere dept.
NBC News writes: VPNs, or virtual private networks, continue to be used by millions of people as a way of masking their internet activity by encrypting their location and web traffic. But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say. “Most commercial VPNs are snake oil from a security standpoint,” said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. “They don’t improve your security at all.”
Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock by the URL, the presence of HTTPS means that worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people’s internet habits, isn’t feasible. It’s not clear that the threat of a hacker at your coffee shop was ever that real to begin with, but it is certainly not a major danger now, Weaver said. “Remember, someone attacking you at the coffee shop needs to be basically at the coffee shop,” he said. “I don’t know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS,” he said in a text message.
There are still valid uses for VPNs. They’re an invaluable tool for getting around certain types of censorship, though other options also exist, such as the Tor Browser, a free web browser that automatically reroutes users’ traffic and is widely praised by cybersecurity experts. VPNs are also vital for businesses that need their employees to log in remotely to their internal network. And they’re a popular and effective way to watch television shows and movies that are restricted to particular countries on streaming services. But like with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people.
Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers’ browsing history to data brokers, or by having poor cybersecurity.
The article credits the Electronic Frontier Foundation for popularizing encryption through browser extensions and web site certificates starting in 2010. “In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites started offering HTTPS connections, and now practically all sites that Google links to do so.
“Since late 2020, major browsers such as Brave, Chrome, Firefox, Safari and Edge all built HTTPS into their programs, making Electronic Frontier Foundation’s browser extension no longer necessary for most people.”
You Probably Don’t Need a VPN
Most Americans may be better off not paying for a commercial VPN, according to multiple security experts.
October 4, 2021, 1:00pm
Image: Sergey Lykov
You probably don’t need a VPN. Despite all the marketing from VPN companies that you should pay them for a virtual private network to use from your home internet and, especially, from public wifi, most Americans may be better off not paying for a commercial VPN, according to multiple security experts.
The underlying reason: The internet is a very different landscape in 2021 than it was 10 or even five years ago. Although of course some people will still benefit from a VPN, and particularly those with a higher degree of threat against them, most Americans can probably save that $5 or so a month.
“It’s time we retire the stock advice to get a personal VPN,” Bob Lord, former chief security officer at the Democratic National Committee, told Motherboard in an email. “Most people do not need personal VPNs today because the internet is much safer than it was in 2010. Personal VPNs create additional risks. Giving everyone advice that only pertains to some people misdirects them from the steps that will actually help them secure their digital lives.”
Do you have information on VPN companies misleading their customers, or anything else? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email [email protected].
The main promise of a VPN is that it will encrypt your web traffic, so perhaps your ISP can’t see what sites you’re visiting or a hacker on the same public wifi network can’t snoop and capture your credit card information as you make an online purchase. YouTubers sponsored by ExpressVPN, for example, have said “Don’t let hackers steal your financial details,” and “Working from home? Protect your sensitive data with an extra layer of security.”
But most of the heavily used web is already encrypted in some form. Lord pointed to how nearly 93 percent of all page loads in Firefox in the U.S. are over HTTPS. That’s compared to around 25 percent in January 2014. Huge portions of the internet have been encrypted thanks to Let’s Encrypt, the nonprofit Certificate Authority (CA) which offers encryption certificates to websites for free. Let’s Encrypt was started in 2012, and today over 250 million websites use the organization’s certificates, according to Let’s Encrypt’s website. Whereas it used to cost money for a website administrator to get a HTTPS certificate, now essentially any site can get one.
Google also prioritizes HTTPS sites in its search results, Lord said, which can have the knock-on effect of incentivizing websites that care about their search engine optimization to make the switch, and ushering users to sites that use encryption.
“Browsers have made it harder and more frightening to bypass security warnings and have updated the UI to call attention to non-HTTPS connections (since loading content over HTTPS is the expected behavior),” Lord added.
Security researcher Kenn White added that “for the vast majority of consumers, commercial VPN services add very little value and frankly most incur more security risk for the user.”
One risk is some VPN providers use self-signed root CAs, which allow the creator to read encrypted traffic coming from a computer. White said this is done in the pursuit of malware prevention, but that “is just a different way of saying ‘intercepting your (otherwise) encrypted web and mail traffic.’”
“A good question to ask yourself is: do I trust my VPN company more than my ISP to handle the data of which sites I navigate to? If the answer is yes, then using a VPN may be a good match for you. If you’re unsure or the answer is no, then the risks of a VPN may not make that trade-off worth it, and for many folks with a lower threat model, that is likely the case,” Rachel Tobac, CEO of SocialProof Security, told Motherboard in an online chat.
On that point, at-risk groups will likely still want to use a VPN. I use one when researching people or companies who may later become adversarial before or after publishing an article about them, for example.
Tobac said that although social media, streaming, and banking sites all commonly use HTTPS which protects your credentials or other information entered on those sites, a hacker or ISP may still be able to see that you made a request to visit that site in the first place.
“If the fact that you navigated to your bank or Netflix is not thought of as a secret for you and your threat model, then you’re probably good to go without it,” Tobac said.
In emails to Motherboard, both NordVPN and ExpressVPN pointed out that on smartphone apps it is harder for an ordinary user to tell whether the app is sending data encrypted or not, compared to a normal web browsing session.
“Any tool that can make it super simple for a layperson to increase their protection is a win—and we certainly hope we’ve helped make VPNs one such tool,” ExpressVPN Vice President Harold Li wrote.
NordVPN said in an email to Motherboard that “Americans need commercial VPNs (I guess that’s unsurprising, coming from a VPN service provider). In fact, everyone needs them.” They pointed to how not all sites use HSTS, or HTTP Strict Transport Security, which forces sites to only use HTTPS. The company also said that a VPN with a good DNS filter can prevent people from accessing phishing sites. (A phishing site will still harvest a victim’s credentials if they enter their details into such a site, whether using a VPN or not).
“Anyone, without having any technical knowledge, can add a layer of security and privacy with a single click. And because of the channels we use to market our services, we’ve been able to reach people who would never even think about cybersecurity,” NordVPN added. “We strongly believe that recommending people to stop using VPNs will make the digital environment less safe.”
There is at least one thing that some VPNs could help with: blocking malicious ads. The online advertising ecosystem is so dangerous that the U.S. Intelligence Community has blocked advertisements at the network level, Motherboard reported recently. But online ads are not just a threat to intelligence agencies; Motherboard has repeatedly shown how data brokers harvest ‘bidstream’ data by participating in the online advertising process. This sort of information can include location data.
Some VPNs can block ads by stopping connections to the ad networks’ domains, although not all necessarily do. Browser extensions may be a more familiar way of blocking ads, but they also carry their own risks. Last year an adblocker developer sold two of his extensions to a new owner who then added malicious code designed to tamper with victims’ social media accounts, Ars Technica reported at the time.
Or, of course, many customers will use a VPN simply to access online content such as Netflix that is ordinarily locked to a specific region. In which case, go crazy, maybe.