Question about VPN security vs privacy

Lately I’ve seen an increasing number of articles that are skeptical of VPNs over security reasons (Tom Scott had a popular video and now Motherboard). They always mention HTTPS making VPNs obsolete as a security measure against man-in-the-middle attacks.

But what about privacy? Don’t VPNs hide your IP address? Isn’t that a major advantage if you’re concerned about surveillance capitalism and want to boycott the Big Tech economy as a political stance?

Also isn’t hiding your IP address good opsec against targeted harassment? So a security benefit in that regard?

Am I missing something? Why are those advantages never mentioned?

People who are ignorant about computer technology often conflate the web with the internet. There’s more to the internet than HTTP, and a (well configured) VPN protects all of that, whereas HTTPS does not.

I think the point they are probably making is the marketing saying VPNs keep you safe from criminals in a way that people have heard about but is no longer an actual issue due in part to it being so widely known. Specifically MitM attacks. Everyone “just knows” that if you go to your bank website at a coffee shop it’s dangerous, even though that is no longer the case. But the ads “warn” you about it and scream that buying their VPN solution is the only way to protect yourself.

I am a huge fan of using VPNs, I hate the way they are marketed with fear and lies. Communicating this becomes difficult if you want people to use VPNs, but they don’t have the time or interest to learn about all the things that VPNs actually help protect you against. It gets complicated fast, especially when you try and talk about tracking because it depends so much on how you use the internet and what tracking you are trying to avoid.

The easiest thing that I’ve found is almost always true and upsetting to most is that ISPs package and sell your usage information to make more money off you. If you just mention the tracking, some people “have nothing to hide”. So, a service that you are likely already overpaying to use is tracking, packing, and selling your data to who knows where and that data include a lot more information than you’ve ever considered. This explanation isn’t affected by how you browse, so you don’t have to get into if you log in to facebook/google/apple they can track you no matter what and all the tactics those brands use to monitor and track you without needing your IP address. I’d like to get into that here, but I have to run… eak

Just that statement alone would make me wary of Tom Scott

Someone who says that has very little idea of how this technology (cryptography) actually works or they’re just lying

I am interested in that topic also. I am personally using a VPN every day with all my online devices (smartphone, tablet, computer, …). I think, just like you, that VPNs are actually useful to hide your IP address and avoid surveillance capitalism. However, I would think that a VPN is one tool among others. Hiding your IP address isn’t the only thing you must do to protect your online privacy. And what these articles probably mean is that if you’d want to be a 200% privacy freak, you’d have to stop using most of your devices’ useful features or even big websites such as Reddit.

Yes, the IP address can tell a bit of information about you, but we must not forget all the other things which give your identity to websites you visit every day, such as browser fingerprinting or the DNS server you choose or didn’t choose. If we take the example of fingerprinting, you’ll have to give up many features which are sometimes essential for websites to work correctly.

I think it’s a benefit/risk balance. If the benefits (hiding your IP address) aren’t worth the risks (having your data exposed/spied on by a shady VPN company for example), then don’t use a VPN at all.

Well, that won’t make me stop using VPNs as they make me feel kinda secure when I’m browsing the web but hey … these guys might be right.

There’s also bypassing censorship and unblocking geo-blocked streaming content that’s also a major advantage of VPNs.

So I read the article. I think it’s misguided, at best, or possibly disinformation. It’s true that VPNs are not a magic bullet, and you do need to be aware of how the internet works, but they do offer some level of privacy and security. Without a VPN, your ISP can snoop all traffic, potentially modify it (which has happened before with ISPs injecting ads), use shaping techniques to make your connection slower for certain content, etc. With the VPN, the ISP only sees you are making a secure tunnel to some other server, but not anything beyond that. They can’t see what websites you visit, or modify the traffic in any way. And you have no idea who is buying that data and compiling profiles on you for some later day.

That said, just hiding your IP is not everything. For example, if I visit two unrelated websites and I don’t have an account or login (and cleared cookies and cache or used private browsing). With a VPN, the website owner knows nothing about me. They don’t have my IP or location, or really any personal information. But if they use Google Analytics, then now Google can see that “someone” with that IP and device characteristics has visited both of those websites. If at some point later I log in to my Gmail account, now Google can link those two website visits to me. In this case, I will still have to trust my VPN provider and Google, but I don’t have to trust my ISP or the owners of the website.

One case where hiding your IP is very beneficial is in the case of stalkers. Let’s say you post on some web forum and one of the moderators is a creep and wants to stalk you. Well if you use a VPN they might only have your email address (and you could always use a throwaway email), but if they have your IP address then they can know in general where you live and might be able to use that to launch an attack (i.e. hack your computer and steal private information) or even show up at your door with a gun. Yes, the IP is not an exact location, but if they know the city you live in, and some other information (maybe you use your full name in your email address, you gave your birthday when you signed up for the forum, etc.) then it is not hard to find your real address.

Not to mention public wifi, coffee shops, hotels, airports, etc. While HTTPS does protect against many things now, and the situation is much better than it was 10 years ago, it’s still a good idea to be on the safe side when on an untrusted network. For example, you could be at Starbucks and browsing the web. Yes HTTPS protects against password stealing, but a lot of traffic is still in the clear. A hacker in the shop could sniff your traffic, possibly see DNS requests, so they wouldn’t know exactly what you are doing, but they could at least see the domain names. So maybe now they know which bank you use, maybe where you work, what kind of hobbies you are interested in, etc. This doesn’t seem particularly useful, but they could compile this information and craft a pretty convincing social engineering attack. For example, if they know you visited Wells Fargo and Amazon at around the same time, maybe they will call you and say they are from the Wells Fargo fraud department and noticed an unusual charge at Amazon and that they need to verify your information, or something like that. Using a VPN would eliminate this risk.

Honestly, there are not many or any cases where a VPN would not be a good idea. The only downside is the trust you give to the VPN provider. If they are well respected (and please do research) then you can reasonably assume they are no worse than your ISP, which we know for sure are logging and selling the data. And we know for sure that public wifi is insecure and should not be used if you value privacy and security. And VPNs do help somewhat with big tech surveillance, but not without other measures in place (like disabling javascript, ad blockers, etc.). So honestly, you should be using a VPN. Those people either don’t know what they are talking about or are purposefully giving bunk info.

Why are those advantages never mentioned?

Probably because most people like to think they “have nothing to hide” except from hackers.

Hiding your IP is one of the benefits. The site you are visiting has no clue (and thus can’t log) where you are. Remember that the cops/spooks can find out not only where you are, but who you are.

Another benefit is that your ISP doesn’t know (and thus can’t log) the sites you visit.

Folk who live in overtly repressive countries can also visit forbidden sites.

You could try decentralized VPNs if you don’t trust centralized ones.

Most attacks are on the browser; recently there were image rendering vulnerabilities on iOS 14.7 that caused Apple to make an urgent patch.

You need a secure virtual browser, not a virtual network (with a VPN your browser is still downloading code with a different IP).

www.APLens.co is a disposable browser that works on smartphones and desktop.

That’s probably true for most people. But how do you explain that Tom Scott or Joseph Cox are campaigning against VPNs? They definitely know the difference.

I don’t think any VPN, no matter how well configured it is, can hide your HTTP traffic because it is an insecure connection.

I agree, VPNs alone only do part of the job. I am just questioning my practice and wondering if I was misunderstanding the issue… Good to know you share my view then!

I don’t know these people. Maybe they distrust centralized solutions (which VPNs are), or they distrust VPN providers. Maybe they’re pushing back on corporate VPNs (which would be stupid of them). Maybe they have an agenda. Maybe they’ve been bought by a government and are participating in an anti-privacy campaign. I don’t know what their motivations are.

But I know computer network technology. If we get to a place where all network packets are encrypted, VPNs can go away. We’re a long way from that, though, and regardless: anyone who is making the argument that VPNs are made obsolete because of HTTPS is either ignorant or is intentionally spreading misinformation.

That’s mistaken, it performs client-side encryption regardless of if you are using HTTP.

I second this comment. Here’s a small list of things that VPNs protect you against that HTTPS doesn’t:

  1. Packet sniffing/manipulation at ISP
  2. Packet sniffing/manipulation at LAN
  3. IP disclosure to LAN admin
  4. IP disclosure to ISP
  5. IP disclosure to the end website
  6. DNS poisoning at LAN (Although DNS over HTTPS is a thing, most DNS packets continue to be unencrypted)

VPNs help you bypass regional censorship if there is any, which is usually done by using one or more of the things I mentioned above.

On corporate VPNs, there are actually more secure alternatives to those these days…

Only your connection from your device to the VPN server is encrypted. If the VPN server is connecting to an HTTP website that connection still remains insecure and it is open game to snoop on that traffic.