I have VPN, don’t need a helmet

Wearing a helmet while doing something inherently dangerous is going to be safer… for your head.

The downside of putting on safety gear is the sense of invincibility it can produce. Put gloves on and it is ok to punch each other in the head repeatedly. Put on a helmet and slam into each other at full speed. Turn on your VPN and go to any website you want, click on any link in an email that suits you. Put on a condom and… well you get the point.

So is it that added security is not relevant?

VPN’s are to security what tin foil hats are to anonymity

Let us get clear on the problem we wish to resolve first. You are surfing the web and worry malware and worms will invade your pc, steal your bank password and corrupt your children. Well placed marketing tells you that it is the coffee shop WIFI, with their no password sleazy service that will be your undoing.

Do not fear! Bob’s VPN is here top save you with the safety of sending all your traffic out of the country and to them. Your IP address will be super secret, ensuring that when you visit https://theuselessweb.site/ducksarethebest.com they cannot infect your PC, nor violate your privacy by telling everyone about your fowl obsession.

Just so we are clear, to secure your traffic you will be sending all of it, through a source you are not familiar with and ensure they have the keys to it. Remember my friend if you use a free service and cannot tell what they are selling, then what they are selling is you. 

HTTPS - TLS - SSL - VPN: If it has an acronym it must be good!

At the time I am writing this article, email phishing is still the number one malware delivery engine by a landslide. Same answer for ransomware, worms and an uncomfortable amount of spam. If you are a company and worry that someone will hack in, the best way into your services is social hacking (email again being number 1). The common factor here is people. Such a simple solution, just remove all the people!

This means the most likely pathway to delivering awfulness is a mechanism that VPN does nothing for, neither does that firewall or all the ACL’s you put together, rather what makes it through is likely on port 25. But really the defense that failed was PEBCAK… (Problem Exists Between Chair And Keyboard). Security is about education, lack of trust on the users part and a package of prevention with a strong dose of detection.

So you are saying VPN’s are useless?

No, not at all. VPN’s are a tool, a very specific tool for solving specific problems. Much of their existence in the consumer market has been completely removed by the prevalence of sites adopting https, but this still does not render them useless. Ask yourself honestly, what is it that a VPN is actually doing? Others have answered this already of course: https://www.kaspersky.com/resource-center/definitions/what-is-a-vpn

A couple of my personal thoughts even about that overall very accurate article for you to keep in mind:

1. States that your IP address is hidden. 
2. Not from the VPN provider
3. Why is that important to you?
4. It encrypts your traffic, true
5. This is the same encryption level https already provides

My main issue with VPNs is that they are sold as snake oil. It is a cure all for any scary sounding security issue you hear on the news. The result we see is users signing up for them, reducing their useful bandwidth (you just chose to send ALL of your traffic through a choke point, potentially one outside of your home country), then the user feels more confident in dangerous behavior. Think of this like putting on a proper motorcycle helmet, then donning shorts and a t-shirt before taking to the race track. I suppose it will be easier to identify you, but you are only protecting your head.

Don’t hit a screw with a hammer

“The only thing dumber than the helmet is the helmet law, the point of which is to protect a brain that is functioning so poorly, it's not even trying to stop the cracking of the head that it's in…” Jerry Seinfeld 

VPN’s, helmets, sneeze guards, firewalls, face masks, etc. These are all tools intended to solve a problem. To utilize the tool we have to understand its purpose, its limitations and above all, that the use of said tool should not give you a false sense of security. 

Now what?!

• Don’t pass information to a site that isn’t https.
• Aren’t 100% sure the link in that email is safe, don’t click on it.
• Still want to get there, google your way there on your own.
• Take the time to educate yourself on how to be safe on the internet.
• Don’t wear a helmet with shorts and a T-shirt.