VPN companies often create a lot of confusion with their unfortunately deceptive marketing. Promises of complete anonymity, privacy and “military” grade security are commonplace when you see their ads or visit their sites. The problem is that they’re mostly selling snake-oil to unwitting people. As tech people, seeing others fall for their misleading marketing really hurts to see. In this blog post we’ll go over 3 common misconceptions that people have about VPNs.
1. VPNs are not a cure-all
Non-technical people generally have the misconception that VPNs mask your real location and that you become completely anonymous. The problem with that idea is that there are many other ways of identifying a user other than their IP address. For example, many do not understand that you must clear your cookies to get rid of all past sessions before connecting to your VPN. Websites know what IP you were using before you got on your VPN, if you visit the site(s) again. They’ll still know who you are due to your existing session cookie. There are also many ways to do browser fingerprinting. Your user agent and other unique browser signatures can help a tracker narrow down who you are. If you have JavaScript enabled in your browser (most do), sites may be able to see even more information about your browser. Factors such as screen size, installed extensions, plugins and fonts all assist trackers in identifying you. For more information and to see what information you’re exposing we recommend the following sites:
ipleak.net
panopticlick.eff.org
2. VPNs are not the best way to keep safe
VPNs are often thought of as the best defense if you’re trying to protect yourself when using a public network. The fact is, HTTPS and DNS over HTTPS (DoH), DNS over TLS or DNSCrypt are just as good. You don’t need to dish out money to some fishy VPN provider who promises not to log and thrives off of uninformed users. You can use already available and free technology. Most sites on the internet use HTTPS now and there are plenty of free DNS resolvers that support the standards mentioned above. The only thing you need to worry about on a public network is using sites that serve content in plain HTTP. Instead of using a VPN, we’d recommend that you use Tor Browser if you need better protection. Tor is free and open source software with hundreds or thousands of volunteers that operate ‘Tor relays’. Tor bounces your connection through at least 3 relays which are randomly selected and rotated. If you use HTTPS or plain TLS to connect to your destination, even the exit relay cannot see what you’re doing. With Tor, you can also safely visit plain HTTP websites, as the exit relays can only see that the connection came from a middle relay. The middle relay also can only see that the connection came from a guard relay. This provides a more superior level of anonymity, as there isn’t only one hop or provider giving you those routes. The Tor daemon also provides you with the ability to use it as a SOCKS proxy. You can route your existing applications through Tor if they have the ability to use a proxy.
3. VPNs are not completely anonymous
Nothing is completely anonymous, although you can achieve better anonymity when using other software. While using a VPN, you’re simply forwarding all of your connections through an encrypted tunnel with their network now being the endpoint. There’s really nothing special about that, besides the fact that you may be mixed in with other users and your existing network can’t really see what you’re doing. With VPN provider’s commonly deceptive practices, it’s hard to trust them, or at-least, it should be. Why or how would you transfer all of this trust to a single provider? If you’re doing this, you’re not really solving the issue, only putting a band-aid on it. You also must think about how you pay for your VPN. If you pay via PayPal or another payment processor, you’re exposing yourself then and there. Why not transfer that trust to a mostly trust-less platform, like Tor?
Although VPNs are very easy to use and they come with shiny looking software, they’re not what you should be using. Especially if you’re looking to remain anonymous. Use battle-tested and open source software that’s designed to be a full-suite for privacy and anonymity seeking users. Use Tor.