Virtual private networks (VPNs) have been household technology for a while now, but there’s still a lot of uncertainty around them. This is partly due to the fact that they can conceal online activity that local or national governments deem illegal — up to and including, say, circumventing ID checks for age verification. Consumers aren’t helped by the sheer number of duds sold in app stores right next to the best VPNs, especially when those duds deliberately exploit moments that have people rushing to shore up their online anonymity. If you’ve almost decided to start using a VPN, you may be wondering if the services you’re looking at are actually safe.
Unfortunately, the answer is a hard “it depends.” VPNs are technology that can work well or poorly, just like they can be used for good or evil. There’s nothing intrinsically dangerous about using a VPN — whether or not one is safe comes down to who built it and how they’re running it. The good news is that there are easy ways to tell whether you’re using one of the good ones.
The question “Are VPNs really safe?” can also mean something else — “Is using a VPN enough to keep me safe online?” I’ll get into that too, but to spoil the ending: VPNs are important security tools, but they aren’t enough to protect against all digital threats by themselves. Also, to be clear, I’m talking here about consumer VPNs like Proton VPN and ExpressVPN, not business VPNs like NordLayer or Cisco AnyConnect.
What makes a VPN unsafe?
There are two main things that can make me call a VPN unsafe: negligence and malice. A negligent VPN doesn’t protect against the dangers it’s supposed to ward off, leaving you more exposed than if you weren’t using a VPN at all. A malicious VPN is designed to make you less safe so the people behind it can profit.
Some ways a negligent VPN might endanger its users:
- Using outdated protocols with cracked encryption, like PPTP, or homebrewed protocols with insufficient security. A weakly secured protocol might expose your search activity.
- Allowing leaks by using public DNS servers rather than setting up their own system to resolve requests. This risks revealing what websites the VPN’s users are visiting.
- Leaking the user’s real location by failing to block or properly manage IPv6.
- Leaving its servers in the hands of unvetted third parties, who might let them get hacked.
- Failing to include a kill switch, which puts users at risk of connecting to false servers.
Some ways a VPN can be malicious:
- Making its money from in-app ads, especially if those ads contain trackers.
- Harvesting the user’s residential IP address and selling it as a proxy.
- Tracking the user’s activity and selling it to advertisers.
- Planting malware on the user’s device.
I want to stress again that none of these risks are inherent to how a VPN works. VPNs aren’t required to be dangerous in any way. There are plenty of good ones, which makes it all the more important to pick the bad ones out of the lineup. In the next section, I’ll discuss how to do that.
How to tell if a VPN is safe
The process of checking up on a VPN starts before you buy it. Before you consider downloading any VPN app, do your research and learn as much as you can. Read review sites like Engadget, but also try to get reports from regular users on social media and app stores. Be suspicious of five-star reviews that are light on specifics — the more positive reviews from actual users, the better.
While researching, look for any cases in which the VPN failed in its mission to protect customers. Did it ever turn information over to police, despite having a no-logs policy? Were any of its servers ever breached by hackers in ways that put other users in danger? Is it cagey about key information, like where it’s based or who its parent company is?
You can also close-read the VPN’s privacy policy, like I do in my VPN reviews. A privacy policy is a legal document that can invite lawsuits if the provider ignores it outright, so most companies prefer to plant vague loopholes instead. Read the policy and decide for yourself if it makes any unacceptable exceptions to “no logs ever.”
If the answer to all those questions is no, your next step is to download the VPN and test it. Every worthwhile VPN has a guaranteed refund within a certain period, so you can use that time to test the factors below. If you like the results, you can subscribe for longer; if not, you can cancel and get your money back. Here’s what to look for during the refund period:
- Check which VPN protocols are available. The best expert-verified protocols are OpenVPN, IKEv2 and WireGuard. If the VPN uses a protocol other than these three, make sure it’s using an unbreakable encryption cipher like AES-256 or ChaCha20.
- Test for leaks. You can run a simple leak test using a website like ipleak.net or whatismyipaddress.com. Just check your normal IP address, connect to a VPN server, then check again. If the IP address you see is the same as before, the VPN is leaking.
- Find the kill switch. A kill switch prevents you from accessing the internet while you’re not connected to its associated VPN. This is critical to prevent certain types of attack that rely on fake servers to work. Most top VPNs have a kill switch or a similar feature with a different name (such as Windscribe’s Firewall).
- See if the apps are open-source. A VPN making its code available for viewing on GitHub states powerfully that it has nothing to hide. Anonymity is an inalienable right for individuals, but VPN apps aren’t people — the more transparent the code, the better.
- Test its other security features. If the VPN has a blocker for ads, malware or trackers, see if it prevents banner ads from loading. Try connecting to a test malware site like www.ianfette.org or httpforever.com and check if the VPN blocks it.
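As an added example that is not part of the article, here is a small Python function that applies the leak criteria above (unchanged public IP, your own IPv6 address still visible, DNS queries still reaching your pre-VPN resolvers) to the before/after readings a leak-test site gives you. The Observation fields, the sample readings and the vpn_resolver_nets parameter are all constructed assumptions, not the format of any particular site.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed shape of what a leak-test page reports before and after
# connecting: public IPv4, public IPv6 (if any), the resolvers that
# answered our DNS queries, and the network owner of the public IP.
@dataclass
class Observation:
    ipv4: str
    ipv6: Optional[str]
    dns_resolvers: List[str]
    network_owner: str

def detect_leaks(before: Observation, after: Observation,
                 vpn_resolver_nets: Optional[List[str]] = None) -> List[str]:
    """Compare a pre-VPN and post-VPN reading; return findings (empty = clean).
    vpn_resolver_nets: hypothetical optional list of CIDRs the provider says
    its own resolvers use; any resolver outside them is reported."""
    findings = []
    # 1. Unchanged public IPv4: traffic is not going through the tunnel at all.
    if after.ipv4 == before.ipv4:
        findings.append("ipv4: public address unchanged, tunnel not in effect")
    # 2. Our own IPv6 address is still visible: IPv6 is bypassing the tunnel.
    if after.ipv6 and after.ipv6 == before.ipv6:
        findings.append("ipv6: real address %s still visible" % after.ipv6)
    # 3. DNS: queries still reaching the resolvers seen before connecting
    #    (normally the ISP's) reveal visited hostnames even if IPv4 is tunnelled.
    still_used = sorted(set(after.dns_resolvers) & set(before.dns_resolvers))
    if still_used:
        findings.append("dns: pre-VPN resolver(s) still answering: " + ", ".join(still_used))
    if vpn_resolver_nets:
        nets = [ip_network(n) for n in vpn_resolver_nets]
        outside = [r for r in after.dns_resolvers
                   if not any(ip_address(r) in n for n in nets)]
        if outside:
            findings.append("dns: resolver(s) outside provider ranges: " + ", ".join(outside))
    # 4. Same network owner as before means the exit is still your ISP.
    if after.network_owner == before.network_owner:
        findings.append("owner: exit still attributed to %s" % after.network_owner)
    return findings

# Constructed sample readings (documentation address ranges, not real hosts).
BEFORE = Observation("203.0.113.7", "2001:db8:1::7", ["203.0.113.53"], "Example ISP")
CLEAN = Observation("198.51.100.20", None, ["198.51.100.2"], "Example VPN")
LEAKY = Observation("198.51.100.20", "2001:db8:1::7", ["203.0.113.53"], "Example VPN")

if __name__ == "__main__":
    for name, obs in (("clean", CLEAN), ("leaky", LEAKY)):
        print(name, detect_leaks(BEFORE, obs, ["198.51.100.0/24"]) or ["no leaks found"])
```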
There’s one more factor that generally denotes a safe VPN: paid subscriptions. I’m not going to claim that all free VPNs are dangerous, but if a service claims to be always free with no need whatsoever to pay, you have to ask how it makes money. VPNs that don’t charge for subscriptions usually turn their users into the product, selling their data to advertisers or for use as residential proxies.
Is a VPN enough to keep you safe online?
Another way in which VPNs aren’t totally safe is that they aren’t, by themselves, a total solution for cybersecurity. A VPN does one specific task: it replaces your IP address with that of an anonymous server and encrypts your communication with that server so your real device can’t be seen. This means you won’t reveal your identity or location in the normal course of using the internet.
However, if you reveal information another way, then all bets are off. If you click a sketchy link that downloads malware onto your computer, that malware doesn’t care that your IP address is concealed — it’s already where it needs to be. Similarly, if you leak critical information in a social post, or privately give it up to a phishing scammer, a VPN won’t help.
I put together a list of 12 cybersecurity habits that’ll keep you safe from nearly all threats online. Getting a VPN is one of them, but there are 11 others, including strengthening your passwords, immediately installing updates and conditioning yourself to spot social engineering hacks. Don’t fall into the trap of thinking you’re untouchable just because you use a VPN.
The safest VPNs
It can be a lot of work to figure out whether a VPN is safe and trustworthy. If you just want to pick one you can use without having to open a federal case, check out my best VPN roundup or best free VPN list — or just use one of the suggestions in this section.
Proton VPN, my favorite VPN, is majority-owned by the nonprofit Proton Foundation, has open-sourced its entire product family and has never suffered a serious hack or breach. Despite some controversy around its parent company, ExpressVPN remains secure; its servers have been confiscated at least once and found to hold no information.
NordVPN suffered a hack in 2018 and learned the right lessons from it, doubling down on security at its server locations. Similarly, Surfshark was criticized for using a weak authentication method and deprecated it entirely in 2022. Often, a VPN responding correctly to a security breach looks better than one which has never been attacked at all — sometimes strength can only be known in adversity.
This article originally appeared on Engadget at https://www.engadget.com/cybersecurity/vpn/are-vpns-really-safe-the-security-factors-to-consider-before-using-one-130000539.html?src=rss