V for Virtual

What is a VPN?  Well, like most things in IT, it’s an acronym: Virtual Private Network.  So that makes it all clear now, doesn’t it?  I’m sure if you’re here then no, that doesn’t do much to help.

So let’s start with the Private Network part.  At home, you have multiple devices, all connected to your home network.  On this network, your devices can all talk to each other without any issue, and typically you don’t worry about that occurring.  Additionally, when someone not on your network tries to look at your traffic, your router/firewall will keep them out and prevent them from getting into your Private Network.

So, where does the Virtual part come in?  Well, a VPN creates a tunnel over the Internet between two Private Networks and encrypts all the traffic in that tunnel.  Even though you are now going over the Internet, since you have this tunnel, this Virtual Private Network, the data is heavily encrypted and secure from prying eyes.

Why does this matter, one may ask?  Well, a VPN requires a client and a server, and all traffic in between these two endpoints is encrypted.  The server’s job is to decrypt the traffic coming from the client, and encrypt the traffic going to the client.  This is where a VPN comes into play.

Companies such as NordVPN provide the VPN server that you rent from them, and the client is, well, your computer or phone.  What this does is create a VPN tunnel between your device and the VPN server.  When you surf the Internet, the data goes to the VPN server encrypted, then leaves from the server to the Internet as normal.  When it comes back, the server encrypts the data and sends it back.  This is how your information is safe from prying eyes on the Internet, sort of.

When you are on public WiFi, the data is not generally encrypted, so your data is easily intercepted.  When you use a VPN in this instance, your data is encrypted over this public WiFi, which provides the security.  The caveat to this is that as data leaves the server to the Internet, it is no longer in the VPN tunnel or encrypted, so anyone on the far side of the server can still intercept traffic that is not secured using some other method, such as SSL.

Using a VPN is also useful when you do not want your ISP to be able to track where you are going on the Internet, or when you wish to appear like you are coming from a place other than where you physically are.  The latter is useful when you want to watch, say, Netflix, and you are traveling overseas.  Due to licensing agreements, the same shows that are available when you are in the US may not be available when you are in, say, Canada, and vice versa.  By connecting to a VPN server in Canada, you are coming from a Canadian location, so you can now watch the Canadian Netflix content.

Moving the conversation back to using a VPN, marketing would like you to think that using a VPN magically makes all your traffic invisible and safe, but that’s not totally true.  When you use a VPN, it shifts the risk down the road, but doesn’t remove it.  Outside of the legal implications of using a VPN to bypass geographic licensing restrictions, it’s dangerous to think that your traffic is completely safe just because you are using a VPN.

First and foremost, if you are using a VPN for security, you are putting your trust in the company providing the VPN service, because in order for them to provide you this service, they have to encrypt and decrypt the data on your behalf, meaning they have all the access to your data that you are trying to protect.  One issue with this that I see is that companies like to sell data in order to turn a profit, and you are now giving one company all that access.  Even if you are using an SSL-based connection, the VPN server has to maintain state and know where you’re going and where you’ve been.  Granted, your data itself is safe inside the SSL encryption, but that’s only part of the story.
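To make the trust shift described above concrete, here is an added example (not part of the original post) that wraps one request in an optional SSL layer and a VPN tunnel layer, then reports what an observer sees on the public WiFi, at the VPN provider, and on the far side of the server. The keys, addresses, hostname and the toy cipher are all constructed for illustration; a real VPN uses a vetted protocol and cipher.

```python
import hashlib, hmac, json

# Constructed sample values (documentation address ranges, made-up keys).
TLS_KEY, VPN_KEY = b"constructed-tls-key", b"constructed-vpn-key"
CLIENT, VPN_SERVER, SITE = "203.0.113.7", "198.51.100.20", "shop.example"

def _xor(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter keystream: illustration only, not a real cipher.
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, obj) -> dict:
    """Encrypt any JSON-serialisable object and attach an integrity tag."""
    raw = json.dumps(obj).encode()
    return {"ct": _xor(key, raw).hex(),
            "tag": hmac.new(key, raw, "sha256").hexdigest()}

def unseal(keys, box: dict):
    """Return the plaintext if one of the held keys opens the box, else None."""
    for key in keys:
        raw = _xor(key, bytes.fromhex(box["ct"]))
        if hmac.compare_digest(hmac.new(key, raw, "sha256").hexdigest(), box["tag"]):
            return json.loads(raw)
    return None

def send(body: str, use_tls: bool) -> dict:
    """Return the same request as it looks at three points along the path."""
    payload = seal(TLS_KEY, body) if use_tls else body
    inner = {"src": CLIENT, "dst": SITE, "payload": payload}
    wifi = {"src": CLIENT, "dst": VPN_SERVER, "payload": seal(VPN_KEY, inner)}
    at_provider = unseal([VPN_KEY], wifi["payload"])   # server opens the tunnel
    exit_leg = dict(at_provider, src=VPN_SERVER)       # forwarded from its own address
    return {"wifi": wifi, "provider": at_provider, "exit": exit_leg}

def observe(packet: dict, keys=()) -> dict:
    """What someone capturing `packet` learns, given the keys they hold."""
    body = packet["payload"]
    if isinstance(body, dict):                         # sealed: needs the right key
        body = unseal(keys, body)
    return {"src": packet["src"], "dst": packet["dst"], "body": body}

if __name__ == "__main__":
    for tls in (False, True):
        for where, pkt in send("user=alice&pw=constructed", tls).items():
            print(f"tls={tls!s:5} {where:8} {observe(pkt)}")
```

Run directly, it prints one line per vantage point: the WiFi observer only ever sees your address talking to the VPN server, while the provider always sees your address together with the destination, and sees the body too whenever SSL is not in use.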

It is possible to run a VPN at home or on a hosted service such as AWS or Azure, where you own the server and control it completely.  The data is still unencrypted leaving that server, but between your device and the server it’s secure.  For instance, running a VPN server on your home network that you connect into secures your traffic on any WiFi you may connect to, all the way back to your home network.

One of the big misconceptions is that VPNs are associated with security. The perception is that a VPN will render the computer or mobile device immune to malware because it is “secure”. Well, it does no such thing. Web page injection, DNS poisoning, script embedding, and any number of other avenues of attack are in no way affected by the use of a VPN.

All the VPN does is encrypt the data, nothing more. It’s like putting your package inside a lockbox secured with a sequence of numbers known only to the provider. Anyone else intercepting the box will have no idea what’s inside the box or what the source/destination is. If they sniff on the other side, though, your address as the originator can still be deciphered in some cases.

In closing, I hope that this helps to bring down some of the misconceptions about what a VPN is and what it isn’t, and to break through some of the marketing ploys. Also think about this: these services cost money to provide, so how do these “free” VPN providers pay the bills? Well, quite frankly, instead of you paying for the product, you are the product, in the form of ads and data being sold. Be skeptical of the “too good to be true” situation.

Be careful, be safe, and have a healthy dose of skepticism.