4 VPN Myths Debunked

Mar 8, 2020 | Privacy, Cybersecurity

It seems like every other ad and sponsorship on YouTube is for some VPN provider. While VPNs definitely have a purpose, they’re not a one-size-fits-all solution. There seem to be a lot of VPN myths and general misinformation about VPNs on the internet. Hopefully this post clears some of that up.

How VPNs Work

Before I get into debunking some VPN myths, it’s important to understand how a VPN works. Put simply, a VPN creates an encrypted tunnel between you and the VPN server. Once connected, all of your internet traffic goes through that tunnel. The important thing to note about the tunnel is that it only exists between your computer and the VPN server. Once the traffic reaches the VPN server, it gets decrypted and sent to its original destination. The destination server will then send the response back to the VPN server, which will then send the data through the encrypted tunnel back to you.

If your internet traffic is already encrypted, the VPN will still add another layer of encryption around that. Otherwise, the VPN tunnel will act as the only encryption layer, which only exists between you and the VPN server. Once the unencrypted traffic leaves the VPN server to be sent to its destination, it’s no longer protected. It can be read and/or modified without you or the VPN server knowing.

Myth: VPNs Keep Your Personal Information Secure

As previously mentioned, VPNs do provide a layer of encryption. But, so do all websites that process your personal information. If you look at the URL bar of your browser right now, you’ll see a little padlock icon. This indicates that the connection to the website is occurring over HTTPS. HTTPS is a protocol that encrypts the data being sent and received between your browser and the website’s servers. On top of providing encryption, HTTPS also provides data integrity and verifies the website’s certificate. The former feature ensures that what you’re receiving is what was sent by the server. The latter feature ensures that you’re communicating with the correct web server, and not an attacker’s.

If the website doesn’t use HTTPS, then your browser will let you know that the website is not secure. You can check this yourself by going here, and starting to type something in. If you look at your URL bar, you’ll see a red warning which indicates the input form isn’t secure.

Myth: VPNs Prevent Your ISP From Tracking You

This one is partially true, but not to the extent you think. HTTPS not only encrypts the contents of the website, but also the URL. However, due to how the internet works, the domain name of the site you’re visiting isn’t encrypted even when using HTTPS. Additionally, your ISP can keep track of DNS queries you make, which can be used to know which domain names you’re visiting. However, besides the domain name, everything else in the URL can’t be seen by your ISP (assuming you’re using HTTPS).

What Is DNS?

You can learn more about how this works here, but basically DNS is like the phone book for the internet. Similar to phone numbers, every server on the internet has an IP address which your computer needs to know in order to communicate with it. However, instead of typing IP addresses into the URL bar, we use domain names. So, there needs to be a way to resolve the domain name into an IP address. Instead of looking up a business name and getting a phone number, you look up a domain name and resolve it to an IP address.

By default, your router is probably configured to use your ISP’s own DNS servers. There are many reasons to switch away from these, such as for increased performance and privacy concerns. However, switching away for the latter reason doesn’t really do much because DNS isn’t encrypted. This means that even if you use a DNS server not run by your ISP, they can still read all of your queries.

DNS over HTTPS

It’s worth noting that you can solve the DNS issue without using a VPN; to simply encrypt your DNS queries, you can use DNS over HTTPS or DoH. This sends your DNS queries over an HTTPS connection, which prevents your ISP from knowing which domain names you’re resolving. However, they can still know which sites you’re visiting based on the unencrypted headers.

Myth: VPNs Prevent Websites From Tracking You

The only thing a VPN does in this regard is change the IP address websites see. Considering that an IP address isn’t a really useful identifier to begin with, changing it doesn’t do much. Because many devices can be behind the same router, and therefore share the same IP address, relying on the IP address alone isn’t very accurate. As such, many websites and analytics tools keep track of who you are through the use of cookies. As VPNs don’t block cookies from reaching your browser, they don’t really make it that much harder to track you. Additionally, many services require you to log in, in which case you’re voluntarily handing them an identifier to track you with.

That being said, for websites that do rely solely on IP addresses to track you, using a VPN can help. Additionally, some websites and analytics tools use your IP address to estimate your location, in which case using a VPN can help. However, getting locations from IP addresses isn’t always accurate or reliable, especially because you could be using a VPN or proxy.

Myth: You Need To Use A VPN When On Public Wi-Fi

This myth has more truth to it than some of the others, but it’s still not entirely true. Most public Wi-Fi hotspots don’t use a password, which means anyone can connect to them. It also means that you’re not benefiting from WPA2’s encryption. Those two problems combined mean that anyone close enough can potentially see the packets being sent between you and the router. Since there’s no password, those packets aren’t encrypted, and an attacker with the right equipment can see inside them.

As previously mentioned, most of the internet is already encrypted with HTTPS. If you’re accessing a website over HTTPS, then even if you’re on an insecure Wi-Fi network, no one can intercept and read your data. That doesn’t necessarily mean you’re safe; since DNS isn’t encrypted, it’s possible for an attacker to modify the DNS response and direct you to another website. Even without a VPN, there are some ways to mitigate this, such as HSTS, which forces your browser to only communicate over HTTPS. Due to how HTTPS works, even if you are directed to the wrong web server, they can’t have a valid HTTPS certificate, which will trigger a warning in your browser. But HSTS only works for websites you’ve already visited. You can also solve this problem by using a browser extension like HTTPS Everywhere.
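The "only works for websites you’ve already visited" caveat is easier to see in code. This added example (not from the original post) models a browser’s HSTS cache using the real `Strict-Transport-Security` header syntax; the class, the function names and the host `bank.example` are made up, and browser preload lists are deliberately left out.

```python
import re

class HstsStore:
    """Small model of a browser's HSTS cache (RFC 6797); no preload list."""

    def __init__(self):
        self._entries = {}  # host -> (expiry, include_subdomains)

    def note_response(self, host, header, over_https, now):
        # The header is honoured only on HTTPS responses; over plain HTTP
        # an on-path party could forge or strip it, so it is ignored.
        if not over_https or not header:
            return
        directives = [d.strip().lower() for d in header.split(";") if d.strip()]
        max_age = None
        for d in directives:
            m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', d)
            if m:
                max_age = int(m.group(1))
        if max_age is None:
            return  # max-age is mandatory; without it the header is invalid
        if max_age == 0:
            self._entries.pop(host.lower(), None)  # site withdrew its policy
        else:
            self._entries[host.lower()] = (now + max_age,
                                           "includesubdomains" in directives)

    def must_use_https(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            # A parent's policy covers this host only with includeSubDomains.
            if entry and now < entry[0] and (i == 0 or entry[1]):
                return True
        return False

def first_visit_gap():
    """Constructed timeline for the hypothetical host bank.example."""
    store = HstsStore()
    first = store.must_use_https("bank.example", now=0)  # nothing cached yet
    store.note_response("bank.example", "max-age=31536000; includeSubDomains",
                        over_https=True, now=0)
    later = store.must_use_https("login.bank.example", now=3600)
    expired = store.must_use_https("bank.example", now=31536000)
    return first, later, expired
```

`first_visit_gap()` returns `(False, True, False)`: the very first request is not protected, later requests (including subdomains) are forced onto HTTPS, and the protection lapses once `max-age` runs out without a fresh visit.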

Overall, using a VPN is probably the easiest way to mitigate most of the privacy concerns of using public Wi-Fi, but it’s far from the only option.

Using A VPN Can’t Hurt

As long as you’re using a reputable VPN provider with a no logging policy, you probably aren’t hurting your privacy too much by using it. If it makes you feel safer, then paying a couple dollars a month for a good VPN service can be worth it. However, as the internet continues to move towards an all-encrypted future, you may want to reconsider in a few years.
