Isaiah Sarju

@isaiahsarju

Do I Need a VPN if I Have Nothing to Hide?

VPNs are for everyone. This is why.

Yes. End of story. Stop reading and get one. Do it. Now.

Ok. I’m here to do more than just tell you to get VPN. Let’s break down why you need VPN (even if you have nothing to hide).

First off, unless you are King Bach, and stream much of your life to the entire world, you probably have some things that you wish to keep private. But even if you are a professional “sharer”, chances are you have secrets you want kept or simply things that the entire world doesn’t need to know about. King Bach probably doesn’t want the world to know his social security number (SSN), who he’s emailing, and every website that he visits. A VPN can help with that.

Stolen Credentials

Much of the information transmitted online is vulnerable to eavesdropping. Many websites still refuse to use Hypertext Transfer Protocol Secure (HTTPS) even though they ask for sensitive information, such as a username and password.

Let’s take a look at this in action. Below is an example of an insecure login page. Notice the absence of “HTTPS” in the URL bar. This enables an attacker who is on the same network to do what’s called a packet capture, or sniff credentials as they’re submitted to the website.

Insecure Login Page

Other websites are partially secured, only submitting credentials over HTTPS, but then all subsequent communication is sent insecurely over HTTP. The result is that an attacker with network access may be able to tamper with the initial login site and change the login to HTTP without your knowledge. The code below shows this change — something a normal user would not notice.

Submission URL Tampered and Changed to HTTP

If credentials are sent over HTTP, they are visible to attackers using readily available tools (such as Wireshark). Here’s an example of submitting the form over regular HTTP and stealing credentials using Wireshark.

Stealing Credentials

The above situations are bad, because the attacker can completely steal your login credentials. Even if an attacker isn’t able to steal your credentials by tampering with the submission URL during the login process, they can hijack your access to the website. This happens by taking your “session cookie,” and impersonating you on the website. Here’s an example of stealing the session cookie without any initial URL tampering.

Stealing Session Cookie

Compromised Privacy

Even if all of your browsing is done over HTTPS, snooping eyes can still learn things about you that you may prefer to keep private. Using the same methods that they used to view your password and steal your cookie, an attacker can sniff your DNS traffic and look at what domains you’re headed to. If for instance you like to look at GIFs on GIPHY, the attacker could see when and for how long you browse on that site. They would not be able to see the GIFs you look at, but they could start developing a profile of your internet use, for the purposes of crafting subsequent targeted attacks.

Background Traffic from the nsurlsessiond Background Process

In addition to the surfing that you do via a web browser, there are background processes running on your computer and phone that are constantly looking for updates, syncing, and just all around generating network noise. Use a local firewall like Little Snitch or NetLimiter to see all the background data that your computer sends.

A skilled attacker can use this noise to learn more about you, such as what apps you use. An attacker could then use this information to perform a targeted phishing attack against you.

But I’m not a Target

There has been a belief that only criminals, or those “with something to hide”, used VPNs. And they do. But us regular folks should also use them to add a layer of security to our internet activity, protect our privacy, and convince a would-be attacker that we’re simply not worth the trouble.

This is a post from Isaiah Sarju of Revis Solutions . If you like this post be sure to clap, check out his other posts on the Revis Solutions Blog, and follow on Twitter @isaiahsarju, @revissolution

More by Isaiah Sarju

Topics of interest

More Related Stories