Amid the privacy discussions, I’ve seen a lot of talk about VPNs. If you thought VPNs protect your data, start by watching this video:
TL;DW/R - Do VPNs encrypt your data? No, they just reroute data that’s already encrypted through their network.
Here’s the way it works. Think about your internet traffic in two parts:
  • domain (for example, “youtube.com”)
  • data - anything sent to and from the domain (specific video URL, passwords, comments, account info, everything)
Your Wi-Fi network needs to know where (to what domain) your data should be sent. Anyone connected to the same Wi-Fi network can see this info.
The data itself is encrypted via HTTPS 99.9% of the time. No one on your network can see your data. 0.1% of the time, if you happen to visit a website that doesn’t accept encrypted traffic, or if the encryption isn’t safe, you get a loud warning from your browser.
When you use a VPN, you’re routing your data to their domain before sending it to youtube.com. That means someone on your network sees you visiting a VPN instead of youtube.com. Obviously, the VPN company sees your domains, because they have to know where your data is going.
Either way - your data is already encrypted, with or without a VPN.
That means the ad: “we protect and encrypt your passwords and data” is, in fact, complete bullshit.
“Should I use a VPN?”
Who are you trying to hide your domains from? The government? Hackers? If either of those is the answer, going after the VPN company or even posing as a VPN company is a great way to collect domain usage from people that want to keep that info hidden. Not saying that’s what’s happening to your VPN company, but you can’t really prove that it isn’t happening either.
If you’re trying to hide domains on a campus or a network with strict monitoring, or you just want to take advantage of location spoofing, fair enough.
Too long, don't read: use a VPN, don't be thick. Is it foolproof? No. Is there a level of trust required? Yes. By the way, FACT CHECK: VPNs DO encrypt your data, and many have DNSSEC implementations like nord and proton for the domain, your article title is flat out wrong.
reply
Encrypting data that’s already encrypted is pointless and misleading.
reply
VPN does encrypt your data! From your computer to the VPN server. So no one can see the traffic or DNS query in between.
It also protects from the data that's being collected on you based on the IP, you can't always trust the other side of https to be nice :) loading a small image from a different site can also reveal your IP even if you have all kinds of adblocker/tracker. And it also helps bypass internet censorship.
Anyone connected to the same Wi-Fi network can see this info.
VPN can protect you from this so that anyone sniffing
Who are you trying to hide your domains from? The government? Hackers? If either of those is the answer, going after the VPN company or even posing as a VPN company is a great way to collect domain usage from people that want to keep that info hidden. Not saying that’s what’s happening to your VPN company, but you can’t really prove that it isn’t happening either.
I do agree with your point about those VPN companies, but VPN like Mullvad goes as far as:
reply
Trusting VPNs with your domain history and IP address instead of ISPs and other third parties definitely makes sense in some scenarios - but I guess that's my point... That's how it needs to be framed instead of "we keep your passwords from being stolen at Starbucks"
reply
Fair enough, but the title is wrong, though. VPNs do encrypt your data, even if it's already encrypted.
Still, the encryption of all the network packets that go through your device is better than assuming everything you'll be doing is going to be HTTPS.
Also with a VPN you are basically forcing net neutrality since your ISP doesn't know which domains you are requesting, so they can't throttle your connection based on that.
reply
For all intents and purposes, everything is already encrypted. You have to intentionally go out of your way to send things without encryption.
reply
I was paying for IPVanish for a few months and may or may not have been downloading some torrented movies...
I was very surprised when I got a DMCA warning letter from Comcast... shouldn't that have remained hidden? Been too scared to try that stuff again and cancelled my subscription....
reply
That's why you run the torrent client on a virtual machine behind a NAT network where the host runs the VPN. You might also consider connecting the VPN (on the host) over a public wifi hotspot.
reply
A lot of torrenting clients leak information around your VPN connection. For instance, some torrenting clients send your actual public IP address through your VPN connection to seeders/leechers. There are companies that monitor torrenting, who see your public IP address and send a DMCA notice to your ISP, who forwards that notice to you.
Here's a related article for more information: https://blog.torproject.org/bittorrent-over-tor-isnt-good-idea/
reply
Have you tried "what is my ip"? That's quite unlikely if you didn't mess up somewhere in the setup process
reply
Yup, I usually confirm it's giving me an IP in another state before I start downloading conspicuous stuff :P Anyway, I can afford subscription services these days; not worth the hassle of risking a big lawsuit of some sort...
reply
Lol, you're an idiot
reply
You're factually wrong.
VPNs encrypt data. They do encrypt data even when it already is encrypted. They do not just reroute.
What you're describing is (can be) a proxy.
Get your facts straight before trying to educate others
reply
I think you missed the point of the post
reply
Also, don't conflate a VPN subscription service with a self-hosted VPN. If you host your own VPN and use it to access other self hosted services on the same LAN, the encryption benefit is much stronger since there is no man in the middle from when the VPN packet is decrypted to the final handshake with the destination.
reply
Self hosting a VPN to set up secure access to servers you control is a perfectly reasonable use case for VPNs, and is not how most people use them, or how they’re advertised to most people. Most people think VPN = hacker at Starbucks can’t see my password. But putting a server or API or web app behind a VPN is different, and perfectly legitimate.
reply
What's the difference in security with a self-hosted vs hosted VPN server?
reply
The purpose of using a VPN you control is to restrict access to an app or data. You have to be authenticated into the VPN to access whatever you’re putting behind it. Companies do this kind of thing all the time - they’ll build an internet app, or store client data, and put it behind a VPN so that you have to be logged into the VPN to access it.
Technically, you can do the same thing with a hosted VPN server (a lot of companies do this as well), it just requires trust in the third party.
In other words, it’s a way to put something on the internet for you to access from anywhere as long as you’re on the VPN.
A personal use case for this would be setting up your own backup drive that you can access from anywhere via the internet. Putting it behind a VPN allows you to do this. You could also use your VPN while traveling abroad to stream services that might not work in other countries.
reply
Fact check your "Fact check":
Maybe YOUR VPN doesn't encrypt. But a good VPN does encrypt data regardless of whether it's already encrypted with SSL. Why else would you need to keep up with a secret key or identity for some VPNs? That key is used to asymmetrically encrypt data client side so the VPN can decrypt and forward to the destination.
Many corporations don't use SSL for internal websites because those are only accessible via the corporate VPN anyways and thus traffic is already encrypted by the VPN.
Agree that VPN marketing tends to oversell the effectiveness of this encryption. For example, if the SSL keys are leaked from the sites you visit, then all your requests during the session whose keys were leaked are now able to be SSL decrypted and read. This is because the VPN decrypts the data before sending to the destination who handles the SSL decryption.
The VPN encryption really only obfuscates the data from your ISP and any other middlemen between the VPN client and server.
A VPN that doesn't encrypt is just a proxy.
reply
To clarify what I mean by this - the data encryption is redundant and unnecessary, and it implies that the data wasn’t already encrypted to begin with.
reply
The encryption VPNs do is not redundant because you cannot assume all data is encrypted. Furthermore, it is not unnecessary because it has the effect of obfuscating data from your ISP.
reply
What’s an example of non encrypted data you’re thinking of?
reply
Yeah, some websites don't automatically redirect to HTTPS when you intentionally go out of your way to use HTTP. By default, they're either HTTPS, or they're static and not accepting data in the first place.
FWIW, this list is pretty out of date, you can check it out for yourself.
If your website doesn't automatically redirect to HTTPS, the worst thing that can happen is, you're on a network with an eavesdropper, they send you a phishing link that's HTTP, you click on it, and type in a password that they can see. Maybe there's a reason you're being targeted, but in that case, a) you probably know how to look out for phishing, and b) there are more effective attacks you can attempt to steal someone's password besides trying to spy on unencrypted traffic.
Also, if your website doesn't automatically redirect to HTTP, I can guarantee you're getting 2-3 emails every month from some bug bounty researcher about it.
reply
Haha, before clicking on that link I thought about the video of Tom Scott and it was this video
However, regarding this:
When you use a VPN, you’re routing your data to their domain before sending it to youtube.com. That means someone on your network sees you visiting a VPN instead of youtube.com. Obviously, the VPN company sees your domains, because they have to know where your data is going.
That's not necessarily true. You still need to make DNS requests for the domain since you need to know yourself where your data should end up. And this DNS request might even still go to an ISP DNS server so your ISP still knows what sites you visit, not only the one with home router access or other WLAN users (with packet sniffing).
But depending on the VPN configuration, you might use DNS over HTTPS and a VPN DNS server.
But good post nonetheless. I don't like how VPNs are advertised, either.
If people want privacy, they pay for their lack of knowledge. But if they just want to work around geo-blocking, they get what they want, I guess.
reply
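The "domain vs. data" split from the original post and the DNS-leak point in the last reply both come down to the same thing: a passive observer between you and the resolver or server can read the domain out of a DNS query and out of the TLS ClientHello's Server Name Indication, but not the HTTPS payload. The following is an added example (not from the post or any commenter) that builds a constructed ClientHello and a constructed DNS query for youtube.com and extracts the domain from each, the way a sniffer on the same Wi-Fi, or an ISP seeing an untunnelled DNS query, would.

```python
import struct

def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = hostname.encode()
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    ext = struct.pack("!HHH", 0, len(sni_list) + 2, len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32) + b"\x00"                       # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                     # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes):
    """Hostname from a ClientHello's SNI extension, or None (not a ClientHello / no SNI)."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    pos = 43                                  # past record/handshake headers, version, random
    pos += 1 + record[pos]                    # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if ext_type == 0:                     # server_name: list_len(2) type(1) name_len(2) name
            name_len = struct.unpack("!H", record[pos + 3:pos + 5])[0]
            return record[pos + 5:pos + 5 + name_len].decode()
        pos += ext_len
    return None

def extract_dns_qname(packet: bytes):
    """Queried name from a standard one-question DNS query (UDP payload), or None."""
    if len(packet) < 13 or struct.unpack("!H", packet[4:6])[0] != 1:
        return None
    labels, pos = [], 12                      # question section starts after the 12-byte header
    while pos < len(packet) and packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return ".".join(labels)

# Constructed DNS query for youtube.com (type A), as a resolver would receive it.
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07youtube\x03com\x00" + b"\x00\x01\x00\x01"

if __name__ == "__main__":
    print("DNS query reveals:", extract_dns_qname(DNS_QUERY))
    print("TLS ClientHello reveals:", extract_sni(build_client_hello("youtube.com")))
```

With a VPN, both packets only stay hidden from the local network if they travel inside the tunnel; a DNS query sent to the ISP resolver outside the tunnel still exposes the name exactly as shown here.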