
Organizations consist of numerous consumers. In our business, we interact with both businesses and the individuals within them who are keen on protecting their data in every possible way.
One common question we encounter is, “Are consumer VPNs necessary?” Over the past few years, consumer VPNs have surged in popularity, with major companies frequently advertising on television. These ads claim that your privacy is at risk and that their VPN can protect your data from spying by sending it through a secure tunnel, allowing you to surf anonymously and worry-free. At first glance, this seems like a no-brainer.
Let’s examine some of the common claims in more detail.
My internet traffic will be encrypted.
Most modern web-based services already use TLS encryption, which means your data is encrypted in transit. If the connection is already secure, it stays secure with or without a VPN. Encrypting the initial traffic to a VPN gateway does not change the fact that the underlying request is already encrypted. If the traffic isn’t encrypted, it will still be unencrypted when it leaves the VPN environment. A VPN does not convert a cleartext protocol into an encrypted one, so that traffic can still be sniffed regardless of the VPN.
I can browse anonymously.
A significant selling point for VPN services is that because requests are processed within their network, they are not visible to ISPs or to the local networks the endpoint connects from. While this is true, it comes with several caveats. For instance, if you are signed into your Google account while browsing, your data is still being collected. Similarly, if your browser has tracking cookies, your data is being collected. The anonymity a VPN gives your online behavior is quite limited. Additionally, you are merely shifting who has visibility into your traffic. The VPN service still has access and can be subpoenaed to release information about your account. In short, a VPN will not mask your online activity and is not a license to engage in illegal or questionable activities.
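To make the encryption and visibility points above concrete, here is an added illustration (not part of the original article): a simplified model of which parties along the path can read a request, see where it is going, or tie it to you. The hop names and the model are constructed assumptions, and it ignores DNS leaks and traffic analysis.

```python
from dataclasses import dataclass

# Hops in path order (constructed, simplified names).
DIRECT = ["local_network", "isp", "destination"]
VIA_VPN = ["local_network", "isp", "vpn_provider", "vpn_upstream", "destination"]

@dataclass(frozen=True)
class Layer:
    name: str
    ends_at: str  # hop that decrypts and removes this layer

def observe(scheme, use_vpn, signed_in=False):
    """Return {hop: what that hop can see} for one request."""
    path = VIA_VPN if use_vpn else DIRECT
    layers = []
    if scheme == "https":
        layers.append(Layer("tls", "destination"))
    if use_vpn:
        layers.append(Layer("vpn_tunnel", "vpn_provider"))
    report = {}
    for i, hop in enumerate(path):
        # A layer still wraps the traffic at every hop before the one that removes it.
        wrapping = {l.name for l in layers if path.index(l.ends_at) > i}
        past_vpn = use_vpn and i > path.index("vpn_provider")
        report[hop] = {
            "reads_payload": not wrapping,
            # TLS hides content, not where traffic is going; only the tunnel hides that.
            "sees_destination": "vpn_tunnel" not in wrapping,
            # Beyond the VPN gateway the source address is the provider's, not yours.
            "sees_client_ip": not past_vpn,
            # Logins and tracking cookies identify you to the site on any path.
            "knows_account": hop == "destination" and signed_in,
        }
    return report

def who_reads_payload(scheme, use_vpn):
    return [h for h, v in observe(scheme, use_vpn).items() if v["reads_payload"]]

if __name__ == "__main__":
    for scheme in ("http", "https"):
        for vpn in (False, True):
            print(scheme, "vpn" if vpn else "direct", who_reads_payload(scheme, vpn))
```

For cleartext HTTP the VPN only moves the readers from your local network and ISP to the VPN provider and its upstream network; for HTTPS the list of payload readers is the same with or without the VPN.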
A VPN will protect me against local attacks.
Using a VPN may protect against local attacks by limiting inbound communications, but this can also be achieved with an endpoint firewall and proper diligence. Moreover, if the network is untrusted (public, open networks), the initial connection to the VPN may still be at risk.
Conclusion.
With all this said, the choice is really based on your comfort level. There is a layer of protection provided by the VPN provider. They can offer certain protections within their environment, but it is not foolproof, and most do not provide full transparency about what is being tracked or logged. Running an SSH session with port forwarding can offer many of the same benefits at lower cost and with fewer data leakage concerns. Using endpoint protections such as a firewall and disabling non-essential services is always good practice. For those who prefer convenience, a consumer VPN may be useful, but it won’t eliminate all risks or privacy concerns; it merely shifts them to the VPN provider. Ultimately, it’s important to verify that the services you choose meet your needs and that you understand how they work and who may have access to your data.
If you are looking for information on how best to secure your organization’s remote users, contact us at CTInfoSec.
