A concerned Naked Security reader called Greg recently asked us to say a few words about Virtual Private Networks, or VPNs.
You’ll see why he was concerned in a moment.
Typically, you use a VPN as a way to “re-source” your network traffic from some unpredictable remote location – one that you don’t and can’t control – onto your home network.
To do that, you encrypt all the network packets on your laptop or mobile device, and tunnel them back to your home or office using the internet merely as a conduit.
There, you decrypt them and then send them out as regular internet traffic, just as though you were sitting at home or in the office.
The other end sees your traffic as though it came from the office network, and replies to you there.
Those replies are then encrypted by the office end of the VPN (even if they are already encrypted, for example because you’re visiting an HTTPS web page) and tunnelled back to you.
And your device decrypts them as though the last, untrustworthy hops from office to, say, coffee shop never happened.
Pros and cons of VPNs
The disadvantages are obvious, though not as dramatic as you might think.
Firstly, you have to wait for the ends of the VPN tunnel to synchronise with each other every time you go back online, in addition to waiting for your mobile phone to find and connect to a Wi-Fi or cellular network.
This typically adds only a few seconds, but impatient road-warriors may find it irritating, and security will get the blame.
Secondly, especially if you are overseas, browser packets between, say, your phone in Santa Clara and a nearby server in Mountain View may end up travelling via, say, France and back, twice. (One intercontinental detour for the requests, and a second one for the replies.)
But the advantages generally outweigh the downsides: you are no less secure than you would be at work, and you largely neutralise the risk to your data posed by unknown, sniffable, possibly-hacked Wi-Fi access points.
That means you can take advantage of free Wi-Fi at coffee shops while you are on the road, instead of using your mobile connection at expensive roaming rates.
That, in a nutshell, is a VPN-for-security.
Other reasons for a VPN
But there are other reasons people seek out VPNs, namely the ability to emerge onto the internet from somewhere else.
Firstly, you’re covering your tracks, or at least it feels as though you are.
Secondly, by pretending to be in another country, you can bypass those pesky geoblockers that stop you watching content that isn’t licensed for viewing in your part of the world.
And that, in another nutshell, is a VPN-for-obscurity.
What concerned our reader Greg is that it seems as though some people confuse the two sorts of VPN.
More specifically, many people seem wrongly to be assuming that VPNs built primarily for location-changing purposes are also, ipso facto, good for security, privacy and anonymity.
Not always secure
The recent story of Hola, a free VPN that helps you appear to be somewhere else, is a good reminder why this isn’t the case.
Hola certainly isn’t Tor (The Onion Router), which was created by the United States Naval Research Laboratory with the specific goal of helping its users towards privacy and anonymity online.
In Tor, your traffic is bounced around along an unpredictable, changeable path, getting encrypted and re-encrypted along the way so that each node in the path can tell only where the incoming packet came from, and where it should send it as its next hop.
You can use Tor without participating in the anonymising parts of the network, and you can participate in the anonymisation without being what’s known as an exit node.
Exit nodes are where the final decrypted content emerges onto the internet, and therefore the place where people trying to track traffic back will first look.
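The layering described above for Tor, as an added Python sketch that is not from the original article or from the Tor project: each relay strips one layer and learns only its predecessor and its next hop, and the exit relay is where the plaintext request emerges. The relay names, keys, sample request and the SHA-256 keystream cipher are all assumptions made for illustration; Tor's real cryptography is different.

```python
# Added illustration: toy onion layering. The SHA-256 keystream is a stand-in
# cipher for demonstration only; it is NOT Tor's real cryptography.
import hashlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """XOR data with a SHA-256 counter-mode keystream (toy cipher, symmetric)."""
    out = bytearray()
    for block in range(0, len(data), 32):
        pad = hashlib.sha256(key + block.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[block:block + 32], pad))
    return bytes(out)

def wrap(path, keys, destination: str, payload: bytes) -> bytes:
    """Client side: build layers from the exit inwards to the first relay."""
    next_hops = path[1:] + [destination]
    cell = payload
    for relay, nxt in zip(reversed(path), reversed(next_hops)):
        header = bytes([len(nxt)]) + nxt.encode()
        cell = keystream_xor(keys[relay], header + cell)
    return cell

def peel(relay: str, keys, cell: bytes):
    """Relay side: remove one layer, learning only the next hop."""
    plain = keystream_xor(keys[relay], cell)
    n = plain[0]
    return plain[1:1 + n].decode(), plain[1 + n:]

def route(path, keys, cell: bytes):
    """Simulate the circuit; record what each relay can observe."""
    seen, prev = [], "client"
    for relay in path:
        nxt, cell = peel(relay, keys, cell)
        seen.append((relay, prev, nxt))
        prev = relay
    return seen, cell

# Constructed sample data: relay names, keys and request are made up.
PATH = ["guard", "middle", "exit"]
KEYS = {r: hashlib.sha256(r.encode()).digest() for r in PATH}
REQUEST = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    onion = wrap(PATH, KEYS, "example.com", REQUEST)
    seen, final = route(PATH, KEYS, onion)
    for relay, prev, nxt in seen:
        print(f"{relay}: received from {prev}, forwards to {nxt}")
    print("exit node emits:", final)
```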
Having said that, VPNs can be excellent tools to improve your privacy, anonymity and secrecy, but you don’t get those features automatically just from the P in VPN.