paint-brush
Common Misconceptions About Why VPNs Are Used by@vtech0xnoon
213 reads

Common Misconceptions About Why VPNs Are Used

by Vtech0xNoonJuly 11th, 2022
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

VPN clients that are used to connect remotely to an office network are an example of **private VPNs** This uses a backend VPN server, installed at the office location. Users install a VPN client (often provided by the IT department) or access a website, with an ID created at the backend for users to authenticate their connection. A VPN connection provides you with a different IP address than the one assigned by your Internet provider. A public VPN does not mean that a user has no privacy on their connection, but in this usage of public, it means an open network.

Company Mentioned

Mention Thumbnail
featured image - Common Misconceptions About Why VPNs Are Used
Vtech0xNoon HackerNoon profile picture


Many people are familiar with a VPN (Virtual Private Networks) from their work environment. It has increased in use among those who work from home. Companies have been implementing these connections to allow users working remotely to connect to the main server.


This helps users connect to the company network using their existing Internet connection. Unfortunately, the internet is an open system without security so a VPN provides a secure connection (also called a tunnel) which companies also require to prevent sensitive information from leaking outside the network.


While VPNs were meant to secure a network connection using encryption techniques, there are some things that users need to understand about why VPNs are used. There are certain assumptions about what a VPN is, but they may not entirely be accurate. There are layers to VPN which provide an abstraction for users from the complexities of the underlying system. Understanding these features help users become more aware of how their VPN connection works.


All VPNs Are Private

VPN clients that are used to connect remotely to an office network are an example of private VPNs. This uses a backend VPN server, installed at the office location. Users install a VPN client (often provided by the IT department) or access a website, with an ID created at the backend for users to authenticate their connection.


Only users who have a VPN account are allowed to connect, while all other users are rejected. These VPN connections are secure since they implement encryption of the traffic to the server. The purpose of private VPNs is to allow access to company data like applications and shared documents. These are important data that need security when being accessed over a public connection.


For general protection over an Internet connection, you have public VPNs. These are available to all users and not restricted to a specific network like private VPNs. Users can subscribe to a public VPN service, allowing them to connect securely when browsing and accessing data from different servers. Connections are made through port 80 (HTTP) via the VPN provider.


A proxy server can also be used to handle traffic on behalf of the user. Public VPNs are open to any user and are available as a subscription service or for free. You can also use a public VPN to access a company enterprise network, but that is not always as secure as a private VPN.


Not all VPNs are private. A VPN connection provides you with a different IP address than the one assigned by your Internet provider. This is like a proxy connection through an external gateway, which means you are using a different network to pass your data. A public VPN does not mean that a user has no privacy on their connection.


It is still private, but in this usage of public, it means an open network (e.g. Internet) that can be shared with all users. Each user is provided with a private link that uses a public network. A private VPN refers to a VPN that is not shared with the public but is exclusive to certain users only (e.g. remote employees or office branches). Both public and private VPNs use the Internet.



Figure 1. Public VPN (L) and Private VPN (R). You can still use a public VPN to access an enterprise network, but a private VPN provides tighter security. A user must still connect using their Internet service provider (ISP), but a VPN uses its own IP address for the user. Most private VPNs are used by remote workers and offices connecting to a company's enterprise network. Public VPNs are used more for hiding a user's identity while browsing the web and accessing websites that are restricted in a particular region or network.



All Traffic Is Encrypted

While a VPN provides encryption, it is only between the user and the server. When a user connects to the VPN server to access resources, the connection is end-to-end encrypted from the VPN location to the user’s computer over the Internet.


One thing to note is that just because you are using a VPN does not mean your traffic is always encrypted. The only encryption taking place is between your VPN provider and your computer.


The traffic is not encrypted by a VPN if a user will connect to a website or server outside of the VPN provider’s network. Many companies implement policies to strictly enforce remote VPN users to only access resources within the company’s data center or cloud because it can prevent data from leaking outside of their network.


When a user wants to connect to a different network, the VPN server will not provide encryption of their traffic. This time the user will connect on a different session that is not provided by the VPN server. Instead, the connection will go through the Internet provider, using an unencrypted connection.



Figure 2. A VPN creates a virtual tunnel through the Internet, which is encrypted. This is between the VPN provider and the user (shown in green arrows). Outside of the VPN, the user traffic is not encrypted. When accessing a website (world wide web) that is outside of the VPN's network, traffic is not encrypted (red arrows).



Traffic outside of a VPN can still be encrypted. This is implemented on the server using the HTTPS protocol or SSL certificates. However, if a server does not use SSL, it is vulnerable and all data going to and from a user is unencrypted.


Protection Against Computer Security Threats

VPNs primarily provide protection for user data and privacy. It does not provide protection against computer viruses like malware, ransomware, trojans, worms, and phishing attacks among others.


Users will still need to have antivirus software installed on their computers that can detect and defend against viruses. A VPN cannot prevent a user from downloading an unsuspecting file that turns out to be a virus. Opening infected e-mail attachments, a common vector for viruses, is also not prevented by VPN software (unless it is a feature).


A VPN creates an encrypted link that protects a user’s connection online, which can prevent identity theft and data leaks. In no way does it protect against other cybersecurity threats like vulnerabilities and known issues. For vulnerabilities, users should keep their systems updated with the latest version. For known issues, users should install patches that are provided by the software or hardware vendor. In no way are these computer threats preventable using a VPN alone.



Figure 3. A VPN does not provide protection against computer threats like viruses unless it was a feature offered by the VPN provider. If the VPN provider is also offering an antivirus service, more value is added.



Users Are Always Anonymous

This is not always the case. If you are using a company VPN, then your user account has your identity attached to it already. Most companies implement logging policies to keep track of user access to resources.


This can aid in audits and when there are data breaches. Guest accounts for VPN connections are not allowed because those can be sources of hacks from the outside. Enabling a guest account will allow non-authorized users to access the internal network, which can lead to more serious security issues.


Many users might wrongfully assume that using a VPN will make them always anonymous. This will allow them to connect to illicit websites. Although they are using an IP address assigned by the VPN provider, once a user goes outside their provider’s VPN network it is a different story. When a user logs in to a website, then they have just revealed their identity. At that moment, the login time and account name can be logged by the website.


Another reason you are not anonymous when using a VPN is the trails digital footprints can leave behind. It is not obvious to tell who the user is based on their IP address alone. It is the metadata that is left behind on websites or servers that a user has visited that can be gathered by forensic sleuths to reveal an identity.


One way websites can track and record user data is through cookies, which most users accept from their Internet browser. While the IP address logged belongs to the VPN provider, other data contain information that can be attached to identity (e.g. e-mail address, username).


Online transactions are also recorded on the server a user has connected to, despite using a VPN connection. If a credit card was used, it will trace back to the user’s identity, so it is not anonymous.


There are different ways to gather data about a user’s identity, even if they are using a VPN. Certain servers that support OAuth authentication protocols allow users to use their existing accounts online to log in to another server.


The server can then track that account which has the identity of the user. While a user can remain anonymous to the public, it won’t be anonymous to the website or server it is connecting to. Phishing attacks can also reveal a user’s identity since a VPN cannot detect or protect against it. In short, you remain anonymous until you leave your digital footprints or fingerprints behind.


Personal Data Cannot Be Collected

Personal data, in the cybersecurity context, refers to PII (Personally Identifiable Information). This includes the birth name from a government-issued ID, social security number, date of birth, health and medical information, and other identification information about a person.


The VPN provider does not collect this type of data, since it is not relevant to making a connection to the server. They do need to verify a user account to validate a connection, but it does not require PII data for the most part.


In the EU, a vendor or service provider on the Internet must disclose their data collection policy (if any) to users. This is part of the GDPR law, which aims to provide data protection for consumers. In some countries, the government or the state has the right to collect VPN data. There must be a disclosure made to users to allow them to opt-out of the service if they feel they are not comfortable with the data collection.


There are certain VPN services that offer free use, but there is a catch. Since the service is free, they have sponsors who might require data collection from users. In this case data about network usage statistics is gathered from a user.


This can include websites visited, types of web browsers, and operating systems. Those are not so much intrusive, but more personal information can also be collected through surveys or third parties who use the data for market research. Beware of the tradeoffs when using free services.


Restricted Websites Can Always Be Accessed

A VPN can help circumvent security policies on a network. In some countries, a VPN allows users to connect to restricted websites. Although this is possible, if the VPN is blocked then users won’t have access.


Government regulators can block the VPN provider from their network to prevent users from accessing a website or using an app. Other times, it is the website that bans users from certain regions of the world. These are due to political or censorship reasons.


It is like a game of cat and mouse. Since most VPN providers can use port 80, it is not blocked or else there will be no access to all websites on the Internet. In that case, regulators block the VPN server providing the connection by its IP address. VPN providers can always change the IP address of their server, allowing users to reconnect to their service. It will work until it is blocked.


Although this is the case, users can choose other VPN providers if the one they are using gets blocked. It is probably not ideal to keep changing providers because of the cost. Other users will use free VPN providers, as an alternative.


Figure 4. If a VPN provider is blocked by an Internet service provider (ISP) or by the backbone network, users will not be able to access blocked websites.


Faster Internet Speeds

A VPN was not created to increase Internet speed for users. When it comes to performance, a VPN can actually cause some latency in the network connection. This is due to the encryption of the user’s traffic.


This will also depend on the VPN provider’s network in terms of bandwidth available and the performance of their system. If the VPN provider has outdated equipment that cannot meet fast broadband speeds, then more latency is added on top of the latency from encrypting your connection.


There are instances when VPNs can appear faster than a standard Internet connection. If the Internet provider was intentionally throttling a specific service on their network (e.g. streaming video) then using a VPN might provide faster speeds. The user will be able to bypass any throttling of the service because they are connecting to the VPN provider’s network where the service is not being affected.


VPNs Are Trustworthy

Unless you know the VPN provider personally, that is not always true. If you are using your company VPN to connect to internal servers in the office, it can be trusted. The system is managed by an administrator, who has granted you access to an account, with permission from the organization. You can rely on them for access, as long as you are permitted.


Outside of an office VPN, you do not have trustworthy sources. These are not trusted sources, because you don’t know if the VPN provider is honest or not. It becomes a matter of trust and the hope their service works. Unfortunately, some users get hacked this way.


Sometimes the VPN client software is actually computer malware that installs a keylogger file to capture sensitive data from a user (e.g. passwords). Even worse, it can encrypt your data and ask you to pay a ransom to recover it (e.g. ransomware). Always be careful when using a VPN that has no good track record or legitimate web presence.


Synopsis

A VPN is a vital tool for security and privacy over an Internet connection. It is ideal for users who are at risk of working with sensitive data and connecting over the public Internet. The Internet is a public data network, which has no built-in security for connections so this makes a VPN a very important consideration.


A VPN provides encryption of a user’s data traffic, preventing data from being easily captured and read. VPNs today are implemented by software, which users run as a client on their computer or another device (e.g. smartphone). It can also hide a user’s presence on the web, by using a VPN provider’s IP address. This gives users more privacy when browsing the web.


Knowing about VPNs will make you know when it is necessary to use one in today’s interconnected world. There is privacy but It does not keep users completely anonymous while they are online.


It is great for circumventing blocked websites, but that can be thwarted. VPNs do not increase Internet speeds, but there are instances where it can if an Internet provider throttles traffic intentionally on their network.


Be careful of the public VPN provider you use because they are not always trustworthy. Your personal data can still be collected. You can trust your office VPN, but not those offered for free or as a service. Finally, a VPN does not provide overall cybersecurity protection, only encryption of a network connection to a provider. Using an antivirus is still highly recommended.