Do you really need a VPN?

If you've spent any time on Youtube recently then chances are you're heard a Youtuber promoting Nord VPN.

Before I begin with this I want to say that I have nothing against Nord VPN. I understand they're a company and paying Youtubers is an effective marketing strategy. For what's it's worth their service works as an effective VPN. The question, however, is do you really need a VPN?

Nord VPN has a pretty effective marketing strategy; it's hard to go anywhere people discuss VPNs without someone mentioning Nord. NordVPN promises a range of things including

  • Anti-Malware
  • Protection from Hackers
  • Protecting you on Public Wi-Fi
  • Blocking ads

I want to focus specifically on the main two things that people talk about when discussing VPNs; protection from Hackers, and protecting you on Public Wi-Fi.

There once was a time not too long ago when HTTPS wasn't widely adopted, certificate pinning wasn't a thing, public Wi-Fi didn't have client isolate enabled (most still don't), and intercepting traffic was easy enough to do with Wireshark; but today that isn't so true. In those days of the internet, a hacker could sit in a local Starbucks and use a promiscuous network interface card (NIC) to passively intercept traffic in plain text.

This traffic could include Usernames and passwords, bank account information, private medical information, or basically anything else. Imagine someone being able to read your text messages in full detail; that's about what the world of public Wi-Fi was. There was very little that you could actually do; https had existed as an RFC standard since 1995 but it wasn't widely adopted yet.

Today, however, HTTPS is in wide use. According to close to 52% of the internet uses HTTPS, In 2016 Apple required that every app on the Apple Store uses HTTPS; Google Followed this directive and required all Android apps to use it by 2018. Almost every bank in the world uses HTTPS, almost every major credit card processing system uses HTTPS, and most e-commerce sites like Amazon and eBay use HTTPS as well. Basically, everything that you care about is using encryption to protect your web traffic.

Companies like the EFF have advocated hard for the use of HTTPS on all websites, and have created a browser extension to encrypt web traffic when domains don't have HTTPS enabled. The days of hackers being able to easily eavesdrop on your internet sessions are rapidly ending. Services like LetsEncrypt are making it easier than ever to add a TLS cert to your website, and most web-building services (like Google Sites which I'm using here) enable HTTPS by default without you having to do anything.

Is it still possible that a hacker could break the encryption and access your data? Yes.

Wouldn't a VPN make it more difficult to do that? Again the answer is Yes. A VPN will add another layer of encryption over the already encrypted HTTPS traffic. Since both encryptions are using different keys a hacker would have to break both keys before they could actually view your traffic. But let's talk about this for a second. HTTPS traffic is using AES-128/AES-256 encryption anyways so the statistical odds of someone cracking it is extremely low. People have been trying to crack AES since 2001 when the standard was rolled out.

So what good is a commercial VPN? While HTTPS will prevent someone from viewing details like usernames and passwords in network traffic it won't encrypt metadata. To understand this we need to understand how HTTP->HTTPS works.

When you type in into your web-browser it defaults to HTTP, which is unencrypted. Your web browser makes an unencrypted request for, then when it reaches this site the server issues a STARTTLS negotiation command. Your web browser will receive this STARTTLS and go down its list of accepted encryption algorithms until it finds the highest one the server supports. After that, the entire conversation will be encrypted.

What all this means, and why it's important to understand, is that even on HTTPS the website URL is visible at the initial connection.

Also important on the subject of Metadata is DNS requests. DNS requests are by default sent in plaintext. Google and Firefox are both working on ways to implement DNS over HTTPS and/or DNS over TLS, which would encrypt your DNS traffic (while also ensuring that your DNS traffic is sent exclusively to them and prevent DNS based adblocking); but for right now DNS is plaintext.

Imagine for a minute that you're going to a heavily religious university and you're questioning your sexuality. The network administrators might blacklist websites dedicated to homosexual ideations and/or they might monitor students that attempt to visit them. In a heavily religious school being part of the LGBT community could have adverse effects on you; just look at the Kansas Catholic school that recently fired two gay teachers. In a situation like this even visiting an LGBT supporting website might be enough to draw unwanted attention on yourself. A VPN would prevent this.

Rather than a network administrator seeing you visit the LGBT friendly website, they would instead see your computer sending encrypted traffic to a Nord VPN server. The Nord VPN server would then send your traffic to the appropriate website and back to you.

Another example of where you might want to use a VPN is if you're a high profile internet celebrity, especially one who makes money through live streaming services like Twitch. While videogame companies are getting better at utilizing dedicated servers instead of P2P connections for multiplayer games it's not there yet. It took until 2019 for Call of Duty to use dedicated servers on all platforms.

If you're making money off live streaming video games than P2P connections could be a death sentence. Take a look at some of the things Youtuber VirtuallyVain can do with P2P connections in CoD. Now imagine that someone wants to be nefarious. They could DDoS you, effectively shutting you down for hours to days. Or in the worst cases, they could use your IP and Whitepages to find your address and SWAT you.

While the statistical odds of someone doing this appear to be rather low it is still a possibility that should be considered. A VPN will change your public IP address so when someone like Virtuallyvain tries to DOX you they won't be able to because they'll get back a Nord VPN server instead of your ISP server and City.

Yes the VPN can induce latency to the connection which is a twitch shooter like CoD might be a problem but reducing encryption levels (to zero if possible) can help to reduce the latency.

Finally, there's the obvious use that started to make VPNs popular; piracy. While I never condone the act of digital piracy it is still relevant to talk about it in this context. Before a lot of these major compromises like Equifax happened a few years ago the main focus of commercial VPNs was on protecting torrents from ISP surveillance. I'm not going to comment on this much more, VPNs are still used for this purpose.

So here's the question. Do you really need a VPN? The answer is probably not, but maybe. For the average person, the things a VPN promises you are relatively unnecessary in today's world.