If you work remotely, you might use a Virtual Private Network (VPN). If you don’t use a VPN, you might’ve at least seen this term before. When you use a VPN to browse the internet, the data that would be directly sent to and received from websites is instead routed through a server owned by the VPN provider. As a result, the Internet Protocol (IP) address you use to visit websites is the server’s address, rather than your own. Additionally, data sent to and from the VPN server would be encrypted so that eavesdroppers couldn’t learn about what you’re accessing. VPNs often use public key encryption, which was explored in a previous blog post. Both encryption and IP masking result in increased privacy.
According to Norton, applications of VPNs include accessing streaming services in another country and hiding one’s browsing habits from internet service providers. However, a VPN is particularly useful when you need to connect to an unsecure, password-free public Wi-Fi network, such as one offered by a café or an airport. Bad actors using the same unsecure public network can perform a sniffing attack. This is an attack in which they analyze (or “sniff”) packets of data sent over an unsecured network in order to steal sensitive information, such as browsing habits, login credentials for a bank website, the private contents of emails, etc. By masking your IP address and encrypting your data, the risk of suffering from a sniffing attack is greatly reduced. Thus, in addition to providing privacy for privacy’s sake, VPNs can provide a form of security as well.
However, the technology VPNs are based on isn’t strictly used for security. VPNs rely on tunneling protocols. According to Kaspersky, datagrams of a tunneling protocol (such as IPsec or OpenVPN) are used to contain data packets of different protocols that are used for web browsing or accessing services. These tunneling protocol datagrams can’t be easily analyzed, which means the data they contain is safe, so anyone working or doing business remotely can do so without worry. However, as mentioned by the website of Secure Shell (another tunneling protocol, often abbreviated as SSH), VPNs aren’t the only application for tunnels. In fact, according to Kaspersky and the SSH website, bad actors who manage to gain access to a company’s network can use tunneling to exfiltrate sensitive data and transmit malware. Because the data packets are encapsulated within tunneling protocol datagrams, they can’t be inspected by firewalls or other security-related scanners.
Although VPNs are useful for protecting your data at unsecured Wi-Fi hotspots, they aren’t all perfect and trustworthy. Just like any other type of software, VPN software can contain vulnerabilities in the source code that can be exploited by bad actors. In January, Sean Gallagher of Ars Technica reported about a vulnerability in corporate VPN software that allowed bad actors to steal customer data from Travelex and hold it for ransom. He also reported about how hundreds of VPN servers used by government agencies were vulnerable as well. In addition to being potentially insecure, some VPN services may not give you the privacy you desire. Although VPN services may hide your browsing history and IP address from websites, internet service providers, and bad actors, some of these VPN services may also collect your “private” browsing history to sell to third parties. Depending on the VPN service you choose, you may find yourself trading one group of eavesdroppers for another. Andrea Arias of the FTC provided several tips for choosing a good VPN service, including the following: reviewing permissions requested by the service’s application, ensuring that the service uses a strong encryption algorithm, and reading the terms of service and privacy policy of the service to learn if they share your data with third parties. VPNs are useful tools for providing privacy, and to some extent, security. However, it is up to customers to find the tools that work for them.