The myths of VPNs
A few days ago, a group of servers belonging to multiple VPN providers was breached.
After these events, many people expressed doubts about the real usefulness of VPNs.
In my opinion, VPNs are great privacy tools, but some providers try to sell their services as the ultimate solution for cybersecurity issues.
Obviously, it is not that easy!
On this topic, I’d like to suggest reading this article by Matt Traudt (a Tor developer): “You want Tor Browser … not a VPN”.
In the post, Matt talks about some use cases that are usually addressed with a VPN but can actually be tackled using Tor.
Untruth: VPNs protect you from local network hackers
This is usually claimed in the context of open WiFi networks such as those at airports or coffee shops, and is basically correct. As long as you have a reputable VPN company and they set up their software correctly, then VPNs help.
Today, well over 2/3 of web traffic is protected by TLS, and all (not scientifically determined, just a baseless claim by me) of the sites worth using have and force HTTPS on clients. TLS and the CA system have their issues, but your average little coffee shop hacker is not going to be able to attack it nor convince your browser to downgrade to clear text, so you were already fine. All this hacker is going to learn is the sites that you are visiting: not your account name, not your password, and not what you do on that site.
Untruth: VPNs protect you from getting malware
If you believe your adversary can attack TLS, then I argue it is foolish to believe your adversary is only capable of existing on the protected link between you and your VPN and is unable to exist on the unprotected link between the VPN and your ultimate destination. This is a strong adversary and they probably have a sufficiently global presence to attack you.
Untruth: VPNs prevent tracking done by websites and big Internet companies
Yes, they change your IP as it appears to the websites that you visit. There is a hell of a lot more to being anonymous or preventing tracking than your IP address.
First of all, perhaps the VPN gives you an IP address that no one else is using. Or perhaps you are tech savvy and set up your own private VPN server on a VPS for yourself. Cool. Now that IP address identifies you instead of your home one. You gained basically nothing.
Furthermore, I suggest watching the following video by Tom Scott: a great demystification of VPN providers’ offers.