A lot of people worry about information security, and perhaps rightly so. We are steadily plagued by ransomware, data breaches, phishing attacks and password stealers; being reminded of good security habits regularly is generally a good thing. Normally, this does not result on angry people. Except for on the Internet of course, and perhaps in particular on Twitter, the platform made for online rage.

Here’s a recent Tweet from infosec awareness blogger John Opdenakker (you can read his blog here https://johnopdenakker.com):

A little challenge #infosec friends. Explain what a VPN is and how it can improve privacy and security. Keep it simple such that non tech ppl understand. Bonus points if explained in 1 tweet 😃.

— John Opdenakker (@j_opdenakker) September 27, 2020

If you click this one you will get some responses, including some harsh ones:

Ok, kid, it feels as if we're doing your homework for you.

— Steve Thompson (@poohstix16) September 28, 2020

And another one. Felt like an attack, perhaps it was an attack?

Which VPN vendor paid you to write this, and how much?

— Dag-Erling Smørgrav (@desdotdev) September 28, 2020

So far the disagreement is not quite clear, just that some people obviously think VPN’s are of little use for privacy and security (and I tend to agree). There are of course nicer ways of stating such opinions. I even tried to meddle, hopefully in a somewhat less tense voice. Or maybe not?

I think he may think "privacy VPN's" bring questionable benefits. When they promise "no logs" it is usually to a degree a lie, and you put a lot of trust in a VPN provider, typically based on the British Virgin Islands or similar, with often opaque owner structures.

— Håkon Olsen (@sjefersuper) September 28, 2020

This didn’t really end too well, I guess this was the end of it (not directed at me but at @desdotdev.

You telling me that I lie while you don’t understand the risks and what a VPN does. That’s beyond irony man.

— John Opdenakker (@j_opdenakker) September 28, 2020

This is not a very good way to discuss something. My 2 cents here, beyond “be nice to each other”, was really just a link to this quite good argument why commercial VPN’s are mostly not very useful (except if you want to bypass geoblocking or hide your ip from the websites you visit):

I agree the comment was not very constructive but his argumennts (in this thread) are not unfounded. This writeup sums up similar arguments in a good way: https://t.co/tU3nZ4j6kD

— Håkon Olsen (@sjefersuper) September 28, 2020

Risks and VPN marketing

For a good writeup on VPN’s not making you secure, I suggest you read the gist above. Of course, everything depends on everything, and in particular your threat model does. If you fear that evil hackers are sitting on your open WiFi network and looking at all your web traffic to non-https sites, sure, a VPN will protect you. But most sites use HTTPS, and if it is a bank or something similar they will also use HSTS (which makes sure the initial connection is safe too). So what are the typical risks of the coffee shop visiting internet browsing person?

• Email: malware and phishing emails trying to trick you into sharing too much information or installing malware
• Magecart infected online shopping venues
• Shoulder surfers reading your love letters from the chair behind you
• Someone stealing your phone or laptop while you are trying to fetch that cortado
• Online bullying threatening your mental health while discussing security awareness on Twitter
• Secret Chinese agents spying on your dance moves on TikTok

Does a VPN help here? No, it doesn’t. It encrypts the traffic between your computer, and a computer controlled by the VPN company. Such companies typically register in countries with little oversight. Usually the argument is “to avoid having to deliver any data to law enforcement” and besides “we don’t keep logs of anything”. Just completely by coincidence the same countries tend to be tax havens that allows you to hide corporate owner structures as well. Very handy. So, instead of trusting your ISP, you set up a tunnel to a computer entirely controlled by a company owned by someone you don’t know, in a jurisdiction that allows them to do so without much oversight, where they promise not to log anything. I am not sure this is a win for privacy or security. And it doesn’t help against China watching your TikTok videos or a Magecart gang stealing your credit card information on your favourite online store.

One of the more popular VPN providers is ExpressVPN. They provide a 10-step security test, which asks mostly useful questions about security habits (although telling random web pages your preferred messaging app, search engine and browser may not be the best idea) – and it also asks you “do you use a VPN”. If you answer “no” – here’s their security advice for you:

It is true that it will make it hard to snoop on you on an open wireless network. But this is not in most people’s threat models – not really. The big problems are usually those in our bullet point list above. ExpressVPN is perhaps one of the least scare-mongering VPN sellers, and even they try to scare you into “but security/privacy anxiety” buying their product. The arguments about getting around geoblocking and hiding your ip from the websites you visit are OK – if you have a need to do that. Most people don’t.

When VPN’s tell you to buy their service to stay safe online, they are addressing a very narrow online risk driver – that is negligible in most people’s threat models.

So what should I do when browsing at a coffee shop?

If you worry about the network itself, a VPN may be a solution to that, provided you trust the VPN itself. You could run your own VPN with a cloud provider if you want to and like to do technical stuff. Or, you could just use your phone to connect to the internet if you have a reasonable data plan. I would rather trust a regulated cell provider than an unregulated anonymous corporation in the Caribbean.

Email, viruses and such: be careful with links and attachments, run endpoint security and keep your computer fully up to date. This takes you a long way, and a VPN does not help at all!

Magecart: this one can be hard to spot, use a credit card when shopping online, and check your statements carefully every month. If your bank provides a virtual card with one-time credit card numbers that is even better. Does a VPN help? No.

Theft of phones, laptops and coffee mugs? Keep an eye on your stuff. Does a VPN help? Nope.

Online bullying? Harder to fight this one but don’t let them get to you. Perhaps John is onto something here? If you feel harassed, use the block button 🙂

Don’t worry, as far as I’m concerned there’s no discussion anymore, i blocked him. He had a chance to discuss in a decent way but choose to reply to my initial tweet in a rude and disrespectful way. Also he can’t bring 1 valid argument to the table and he’s just wasting my time.

— John Opdenakker (@j_opdenakker) September 28, 2020

Secret Chinese agents on TikTok? No solution there, except not showing your dance moves on TikTok. Don’t overshare. Does a VPN help? Probably not.