If you've spent any time on YouTube recently, then chances are you've heard a YouTuber promoting Nord VPN.
Before I begin with this, I want to say that I have nothing against Nord VPN. I understand they're a company, and paying YouTubers is an effective marketing strategy. For what it's worth, their service works as an effective VPN. The question, however, is: do you need a VPN?
Nord VPN has a pretty effective marketing strategy; it's hard to go anywhere people discuss VPNs without someone mentioning Nord. NordVPN promises a range of things, including
I want to focus specifically on the two main things that people talk about when discussing VPNs: protection from hackers and protection on public Wi-Fi.
There once was a time not too long ago when HTTPS wasn't widely adopted, certificate pinning wasn't a thing, public Wi-Fi didn't have client isolation enabled (most still don't), and intercepting traffic was easy enough to do with Wireshark; today that is much less true. In those days of the internet, a hacker could sit in a local Starbucks and use a network interface card (NIC) in promiscuous mode to passively intercept traffic in plain text.
This traffic could include usernames and passwords, bank account information, private medical information, or anything else. Imagine someone being able to read your text messages in complete detail; that's about what the world of public Wi-Fi was. There was very little that you could do; HTTPS had existed as an RFC standard since 1995, but it wasn't widely adopted yet.
Today, however, HTTPS is in wide use. According to welivesecurity.com, close to 52% of the internet uses HTTPS; in 2016, Apple required that every app on the Apple Store use HTTPS; Google followed this directive and required all Android apps to use it by 2018. Almost every bank in the world uses HTTPS, virtually every major credit card processing system uses HTTPS, and most e-commerce sites like Amazon and eBay use HTTPS. Everything that you care about is using encryption to protect your web traffic.
Companies like the EFF have advocated hard for HTTPS use on all websites and have created a browser extension to encrypt web traffic when domains don't have HTTPS enabled. The days of hackers being able to quickly eavesdrop on your internet sessions are rapidly ending. Services like Let's Encrypt are making it easier than ever to add a TLS cert to your website, and most web-building services (like Google Sites, which I'm using here) enable HTTPS by default without you having to do anything.
Is it still possible that a hacker could break the encryption and access your data? Yes.
Wouldn't a VPN make it more challenging to do that? Again, the answer is yes. A VPN will add another layer of encryption over the already encrypted HTTPS traffic. Since the two layers use different keys, a hacker would have to break both keys before they could view your traffic. But let's talk about this for a second. HTTPS traffic is using AES-128/AES-256 encryption anyway, so the statistical odds of someone cracking it are extremely low. People have been trying to break AES since 2001, when the standard was rolled out.
So what good is a commercial VPN? While HTTPS will prevent someone from viewing details like usernames and passwords in network traffic, it won't encrypt metadata. To understand this, we need to know how HTTP->HTTPS works.
When you type www.gravitywall.net into your web browser, it defaults to HTTP, which is unencrypted. Your web browser makes an unencrypted request for www.gravitywall.net; then, when it reaches this site, the server issues a STARTTLS negotiation command. Your web browser will receive this STARTTLS and go down its list of accepted encryption algorithms until it finds the highest one the server supports. After that, the entire conversation will be encrypted.
What all this means, and why it's essential to understand, is that even on HTTPS, the website URL is visible at the initial connection.
Also noteworthy on the subject of metadata are DNS requests. DNS requests are by default sent in plaintext. Google and Firefox are both working on implementing DNS over HTTPS and/or DNS over TLS, which would encrypt your DNS traffic (while ensuring that your DNS traffic is sent exclusively to them and preventing DNS-based adblocking); but for right now, DNS is plaintext.
Imagine for a minute that you're going to a heavily religious university, and you're questioning your sexuality. The network administrators might blocklist websites dedicated to homosexual ideations, and/or they might monitor students that attempt to visit them. Being part of the LGBT community could have adverse effects on you; look at the Kansas Catholic school that recently fired two gay teachers. Even visiting an LGBT supporting website might be enough to draw unwanted attention to yourself in a situation like this. A VPN would prevent this.
Rather than a network administrator seeing you visit the LGBT-friendly website, they would instead see your computer sending encrypted traffic to a Nord VPN server. The Nord VPN server would then send your traffic to the appropriate website and back to you.
Another example of where you might want to use a VPN is if you're a high-profile internet celebrity, especially one who makes money through live streaming services like Twitch. While videogame companies are getting better at utilizing dedicated servers instead of P2P connections for multiplayer games, it's not there yet. It took until 2019 for Call of Duty to use dedicated servers on all platforms.
If you're making money off live streaming video games, then P2P connections could be a death sentence. Take a look at some of the things YouTuber VirtuallyVain can do with P2P connections in CoD. Now imagine that someone wants to be nefarious. They could DDoS you, effectively shutting you down for hours to days. Or, in the worst cases, they could use your IP and Whitepages to find your address and SWAT you.
While the statistical odds of someone doing this appear to be relatively low, it is still a possibility that should be considered. A VPN will change your public IP address, so when someone like VirtuallyVain tries to dox you, they won't be able to because they'll get back a Nord VPN server instead of your ISP server and city.
Yes, the VPN can add latency to the connection, which in a twitch shooter like CoD might be a problem, but reducing encryption levels (to zero if possible) can help to reduce the latency.
Finally, there's the obvious use that started to make VPNs popular: piracy. While I never condone the act of digital piracy, it is still relevant to talk about it in this context. Before many of these major compromises like Equifax happened a few years ago, the main focus of commercial VPNs was on protecting torrents from ISP surveillance. I'm not going to comment on this much more; VPNs are still used for this purpose.
So here's the question. Do you need a VPN? The answer is probably not, but maybe. For the average person, the things a VPN promises you are relatively unnecessary in today's world.