Now that many of us are working from home, we are being bombarded with ads and offers to be safe, and use a VPN. This is a scare tactic. VPNs are totally redundant for MOST purposes.
What is a VPN?
A virtual private network (VPN) is a secure tunnel that encrypts traffic between its endpoints. If traffic is already encrypted between your computer and a destination, a VPN is totally redundant.
- For the past year or so, almost all Web addresses (URLs) use encryption, as evidenced by https:// in the URL, and a closed lock in the address bar.
- By law, all financial transactions must be encrypted, and generally require two forms of authentication.
- All reputable mail servers require at least encryption of your credentials (TLS), and usually full encryption (SSL). Check your mail settings to be sure you have taken advantage of these things. Below is my Thunderbird setting for Gmail:
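One way to check the mail settings mentioned above without clicking through each account (an added example, not part of the original post and not the author's screenshot): this Python sketch reads the text of a Thunderbird `prefs.js` and flags any mail server that does not enforce STARTTLS or SSL/TLS. The sample preferences and hostnames are constructed, and treating a missing security value as unencrypted is an assumption.

```python
import re

# Thunderbird stores connection security as an integer: incoming servers use
# mail.server.<id>.socketType, outgoing (SMTP) servers use mail.smtpserver.<id>.try_ssl.
MODES = {0: "none", 1: "STARTTLS if available", 2: "STARTTLS", 3: "SSL/TLS"}
ENFORCED = {2, 3}  # mode 1 can fall back to plaintext, so it is reported as weak
LOCAL_TYPES = {"none", "rss"}  # Local Folders and feed accounts make no mail connection

PREF_RE = re.compile(
    r'^user_pref\("mail\.(server|smtpserver)\.([^."]+)\.'
    r'(hostname|type|socketType|try_ssl)",\s*(.+?)\);$'
)

def audit_prefs(text):
    """Return one (kind, hostname, mode_name, enforced) tuple per network mail server."""
    servers = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        kind, sid, key, raw = m.groups()
        # Assumption: a server with no stored security value is treated as unencrypted.
        entry = servers.setdefault((kind, sid), {"hostname": "?", "type": "", "mode": 0})
        if key in ("hostname", "type"):
            entry[key] = raw.strip('"')
        elif raw.isdigit():
            entry["mode"] = int(raw)
    report = []
    for (kind, sid), e in sorted(servers.items()):
        if e["type"] in LOCAL_TYPES:
            continue  # skip accounts that never open a connection to a mail server
        mode = e["mode"]
        report.append((kind, e["hostname"], MODES.get(mode, "unknown"), mode in ENFORCED))
    return report

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS = '''
user_pref("mail.server.server1.hostname", "imap.example.com");
user_pref("mail.server.server1.type", "imap");
user_pref("mail.server.server1.socketType", 3);
user_pref("mail.server.server2.hostname", "Local Folders");
user_pref("mail.server.server2.type", "none");
user_pref("mail.server.server3.hostname", "pop.example.net");
user_pref("mail.server.server3.type", "pop3");
user_pref("mail.smtpserver.smtp1.hostname", "smtp.example.com");
user_pref("mail.smtpserver.smtp1.try_ssl", 1);
'''

if __name__ == "__main__":
    for kind, host, mode, ok in audit_prefs(SAMPLE_PREFS):
        print(f"{'OK  ' if ok else 'WEAK'} {kind:10} {host:20} {mode}")
```

To audit a real profile, pass the contents of that profile's `prefs.js` to `audit_prefs` instead of the sample.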
What is the other endpoint of the VPN?
A VPN only encrypts traffic between you and the endpoint. But where is that endpoint? It is at the VPN provider! From there, the traffic goes unencrypted (by the VPN) to its destination. What good is this?
Well, there is a good use case for a VPN—connection to your employer. A VPN provided by your employer encrypts everything between your computer and the employer's internet portal. This can serve several purposes:
- All your traffic going through the tunnel can be unencrypted, so that the employer can snoop and see whether sensitive material is leaking into or out of the company. This is used by a local defense factory.
- The VPN software can isolate the user's computer from his local network resources to provide additional security for the company.
- The company can scan the user's computer through the VPN to detect malware.
In the above cases, the company pays for and provides the VPN software.
Do you need a VPN for public WiFi spots?
No, with a few caveats.
- Nowadays, most airport (for example) WiFi systems require some sort of logon. They may or may not offer an encrypted channel between you and the WiFi provider. But if you are doing email and even banking, as explained above, your traffic is automatically encrypted.
- But this safety assumes that your computer is secure. This means that the operating system and all your applications are up-to-date, and that you have proper anti-malware software. (See https://jamesrome.net/drupal/patching.)
- You should NOT have to download extra software to use the WiFi. Any such software could be a source of infection. For example, it could install a key logger that would record your keystrokes before they enter your encrypted connection!
Legitimate (?) uses for VPNs that terminate at the VPN provider
- To change your country of origin, for example to access country-restricted content.
- To hide your identity and network activity from snooping governments.
I follow computer security closely, and cannot recall a case of hacking via encrypted internet traffic. It is much easier to hack your computer. (See https://jamesrome.net/drupal/ComputerSafety.)
Buying a VPN is a waste of money. And using a VPN may hinder your ability to do things on your local network, such as accessing remote drives.