How secure is VPN?


An Internet connection offers practically infinite possibilities for socialization, entertainment, and research. With it also came new threats and countermeasures against them. A VPN (Virtual Private Network) is one of the most common methods to protect your online activity. But how safe is a VPN connection, really? Are free VPNs less protected? Security is a serious matter, so don’t get misled by colorful online banners. Here we deal with the question comprehensively.

Security, privacy, and anonymity

If you are to truly understand your online safety, then you need to know the difference between those basic terms. Many sources use them interchangeably, which could be misleading. 

Security is protecting yourself from harm. On the Internet, this means safeguarding any sensitive data that could be used against you. Examples of unlawful data usage include stealing money, compromising confidential information, or damaging reputation. That’s why it is crucial to prevent data breaches in online banking, payment systems, medical and company resources. Your private internet access deserves protection, too. Giving out too much information to the wrong people can cause serious stress and anxiety.

Privacy is keeping whatever you deem fit only for yourself and the people you choose. For example, private browsing mode keeps websites from leaving some traces on your computer. Violating your online privacy does not necessarily cause damage (like when someone has access to your emails but doesn’t read them). It is still a data breach, though. When sharing information about yourself, you willingly resign from part of your online privacy, and that is natural.

Anonymity is about hiding who you are. Every browsing session leaves behind far more virtual tracks than you’d expect. Those could be used to identify you as a person. Anonymity is vital when freedom of speech is at stake, as it prevents anyone from finding out who issued certain statements.

With the main security terms cleared up, let’s get straight to the point of how safe a VPN is. That’s a little too general, so let’s rephrase it:

How does VPN secure communication online?

By its very principle, every VPN service constructs a secure tunnel between your device and a VPN server managed by the VPN provider. The primary reason is to hide your real IP address and replace it with a fake one – that of the VPN server. This is a way to avoid geolocation, as the IP is linked to your geographical location.

Safe VPN thanks to an encrypted connection

While researching VPN security, you will realize at some point that every VPN service also works as an encryption service. It protects the traffic with an algorithm that renders any input impossible to decipher.

There is a wide range of such mathematical procedures. The most popular in Internet history is the AES (Advanced Encryption Standard). Thanks to its openness, experts around the world have been freely testing it for security flaws, but no serious security breaches were ever discovered in it. Many open-source software libraries support AES, so it’s relatively cheap to create free services which take advantage of it.

Encryption is a must-have feature of a reliable VPN. It gets Internet traffic not only redirected but also protected. Even when fully intercepted on the path to the remote server by a potential attacker, it is unreadable.

Now, you could think of it as redundant. HTTPS protocol also protects your private data. It is increasingly prevalent and used by every respectable website. Hence, the sensitive data you enter into a browser ought to be safe: personal details, login credentials, credit card numbers, email contents, and other personal data. But there can be exceptions.

Some services switch back to faster, unencrypted HTTP protocol when not dealing with sensitive user data. Some are still not encrypted by default. Others could simply contain vulnerabilities. VPN encrypts the Internet traffic to add an extra layer of security, regardless of whether another one works perfectly or not at all.

VPN kill switch: protection in case of failure

This is a relatively small but crucial feature. No system in existence is perfect. Mistakes do happen from time to time, so any internet connection can fail.

This can be coincidental, for example, when too many VPN users request remote access to the VPN server at the same time. But hackers don’t wait for the web traffic to be accidentally interrupted; they launch DoS (Denial of Service) attacks. The point is to overload a VPN server (or your device) until it hangs or behaves unexpectedly and is more vulnerable to data breaches. This technique has always been one of the most dangerous security risks in Internet history. So if anything bad happens to the VPN tunnel or the remote server and the VPN connection drops, there are basically two possible consequences:

  1. Switching to a normal, unprotected mode, as if the VPN software had been intentionally disabled.
  2. Shutting down your internet access to prevent any unprotected online activity.

The second option might look extreme, but it actually increases VPN security. When staying safe online is your priority, then it’s better safe than sorry. A kill switch gives you time to make a decision. You can either wait for the tunnel to the private network to be restored or turn the VPN software off. Afterward, you browse at your own risk. But your web traffic will be suddenly exposed, for example, to your Internet service provider. Your real IP address will be exposed to whatever remote server your online activities lead you to, like one of the streaming platforms. With a kill switch, an error in private Internet access doesn’t equal a data breach.

Known VPN security risks: data leaks

A reliable VPN company strives to keep its software free of errors and its virtual private networks running smoothly, whether it’s a free VPN or a paid version. However, not all VPN services are safe from all known data breaches. An example is the DNS leak (DNS leak protection is explained in another article).

This might cause the list of websites you visit to leak into unauthorized hands despite using a VPN connection. Safe VPN providers have their own DNS servers and ensure all DNS queries are directed along the encryption tunnel, not to the Internet service provider.

A technology called WebRTC is capable of bypassing the secure tunnel to the VPN server. It is a very useful feature of browsers. It allows direct end-to-end communication with minimal delay. As a consequence, both sides must know each other’s IP addresses. Unfortunately, this way, your true IP address might leak to an attacker. A safe VPN should at least disallow WebRTC if redirecting it through the private network proves too complex.
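A self-check for the WebRTC exposure described above, as an added example that is not part of the original article. It parses the ICE candidate lines a browser gathers for a WebRTC session and reports every IP address that is neither the VPN exit address nor the tunnel address; all addresses and candidate lines are constructed samples.

```python
import ipaddress

def parse_candidate(line):
    """Split one ICE candidate line into transport, address and type."""
    if line.startswith("a="):
        line = line[2:]
    fields = line.split()
    # candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
    if len(fields) < 8 or not fields[0].startswith("candidate:") or fields[6] != "typ":
        return None
    return {"transport": fields[2].lower(), "address": fields[4], "type": fields[7]}

def exposed_addresses(candidate_lines, expected):
    """Return (address, type) for each candidate showing an IP outside `expected`."""
    allowed = {ipaddress.ip_address(a) for a in expected}
    exposed = []
    for line in candidate_lines:
        candidate = parse_candidate(line.strip())
        if candidate is None:
            continue
        try:
            address = ipaddress.ip_address(candidate["address"])
        except ValueError:
            continue  # mDNS name such as <uuid>.local: no IP is disclosed
        finding = (candidate["address"], candidate["type"])
        if address not in allowed and finding not in exposed:
            exposed.append(finding)
    return exposed

# Constructed sample: 198.51.100.20 is the assumed VPN exit address,
# 10.8.0.2 the assumed tunnel address, 203.0.113.7 the assumed ISP address.
EXPECTED = ["198.51.100.20", "10.8.0.2"]
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2113937151 4b1f6e2a-0c3d-4f6a-9a51-2d7c1e8b9f00.local 54321 typ host",
    "candidate:2 1 udp 2113937151 10.8.0.2 54322 typ host",
    "candidate:3 1 udp 2113937151 192.168.1.23 54323 typ host",
    "candidate:4 1 udp 1677729535 198.51.100.20 54322 typ srflx raddr 0.0.0.0 rport 0",
    "candidate:5 1 udp 1677729535 203.0.113.7 61000 typ srflx raddr 0.0.0.0 rport 0",
]

if __name__ == "__main__":
    for address, kind in exposed_addresses(SAMPLE_CANDIDATES, EXPECTED):
        print("exposed:", address, "(" + kind + " candidate)")
```

A `srflx` candidate is the address a STUN server saw the request come from, so one that differs from the VPN exit address means that request travelled outside the tunnel.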

Security of free VPNs

There are free VPN services out there, proudly announcing their obvious advantage. It’s a fair point because running a VPN is a costly business. It requires a powerful server, a very fast internet connection, and maintaining a near-zero failure rate, which requires hiring experienced IT professionals.

So most of the popular VPN services are paid subscriptions. A free VPN is usually simply a limited version, an incentive to buy the premium. As such, it’s very probable that the applications and private network architecture are identical for both. It’s just logical to create one solution, a VPN safe enough for paying customers, and present a restricted one as a free VPN.

The difference may be in configuration. It either limits Internet traffic or controls displaying advertisements. It’s up to you to decide if that’s acceptable. Another way to sustain free VPNs is by taking advantage of a pool of residential IP addresses. It requires a community of VPN users. They agree to contribute by adding their home IP address to the common pool, which is usually cheaper than running expensive servers.

A safe VPN doesn’t equal safe users’ data

The situation might be worse with VPN services claiming to be 100% free. One should ask immediately: how do they make money? The pessimistic answer is: by selling users’ data to third parties.

That’s why it’s important to read the terms of service first. How many times did you have no idea what you’re agreeing to? If you just wish to install a product quickly, that might be OK. But we’re talking about serious online privacy risks here. If you don’t trust your Internet service provider, then you should find a trustworthy VPN provider. How to pinpoint one?

  • Make sure it’s a VPN. Some online services claiming to be free VPNs are, in fact, proxy servers. Those are cheaper and also change your IP address, but don’t secure communication as a safe VPN does.
  • Read the terms of service. Those should be accessible and clear, not written for lawyers only. You should be able to learn how users’ data is handled. Sharing basic information is necessary for technical reasons, but references to sharing your data with advertisers might raise suspicions.
  • Check if connection logs are stored. It’s a small change that makes a big difference. Handling internet protocols produces large amounts of logs. Those could be kept for maintenance reasons and promptly erased if unnecessary. Or kept indefinitely as a raw source of information about your every online activity.
  • Verify the reviews. Independent audits are crucial to ensure safety in people’s online activities. There are comprehensive articles about both paid and free VPNs regarding online privacy. Those often clear up the details about how a given VPN works, as far as it might be told from an outside perspective.

What a VPN cannot do

Even the most secure VPN does not guarantee absolute secrecy. Legally operating companies still need to obey local laws. Some governments, for example, obligate IT administrators to store certain connection logs even for several years. This could be used by law enforcement in investigations. If you’re that sensitive regarding your privacy, check the registration country of a given VPN provider. Its policy could affect your private browsing.

The mentioned AES algorithm is proven to be virtually impossible to crack. That’s why it protects a big portion of worldwide online activity, operating behind many Internet protocols. Still, a VPN service using it could contain flaws. Those are typically quickly fixed by responsible authors in updates or patches. Make sure you have the latest stable VPN app version.

When wondering how secure using a VPN is, remember the distinction between privacy and anonymity. You don’t want to protect yourself too much. When posting content online, you first log on to the social media platform. There, you voluntarily publish whatever you wish to, being far from anonymous. Therefore, there is no point in increasing privacy when you don’t want to keep everything private.

Lastly, remember that even the most secure VPN covers only what lies within its responsibilities. It creates an encrypted connection to the VPN provider’s server and alters your IP address, but doesn’t fight malware. You still need antivirus software and a bit of caution.

  • Avoid open, public Wi-Fi networks.
  • Use private browsing or incognito mode on computers you don’t trust.
  • In safety-critical online activities, choose multi-factor authentication to confirm your identity. It’s more troublesome than entering the login credentials, but it protects online banking systems and priceless company resources.
  • Don’t neglect your mobile device! Using a VPN on it is just as important as on desktops. Many VPN providers have created apps for all the popular operating systems: Windows, iOS, and Android. Browser extensions are also available if you can’t install a separate app and still wish to safeguard your private browsing.

Security of residential VPN

Popular VPN servers are placed in data centers. This simplifies maintenance and lowers costs. Such datacenter secure tunnels can be bought in bulk. The more popular they are, the easier it is to learn all about them so online entities can recognize incoming VPN connections.

If you use such a virtual private network, then you could get partially exposed. Your IP address would still be cloaked, but some websites will know about VPN usage and block it. Such blocking stops users from circumventing geo-blocking, or from doing something more serious. Many illegal online activities are ‘hidden’ with such cheap VPNs. Cautious web pages protect themselves by blocking Internet traffic from suspicious data centers.

Residential VPN is different. Its users agree to participate in a pool of shared IP addresses. Any address can be used by another user instead of the real IP. They remain authentic, private IPs, for example, of someone’s household. Hence the name ‘residential VPN.’ There is no reason to treat them with suspicion, so they won’t be blocked. This increases privacy and anonymity. Just remember, the tradeoff is that your IP is used for another VPN user’s Internet access. 

In order for a VPN to enhance your online security, you need to understand its principles. Choose your VPN provider with care, remembering that nothing comes absolutely free. Paying with money is often far better than risking privacy in the name of hiding your location.
