The main promise of a VPN is that it will encrypt your web traffic, so perhaps your ISP can't see what sites you're visiting or a hacker on the same public wifi network can't snoop and capture your credit card information as you make an online purchase. YouTubers sponsored by ExpressVPN, for example, have said "Don't let hackers steal your financial details," and "Working from home? Protect your sensitive data with an extra layer of security."But most of the heavily used web is already encrypted in some form. Lord pointed to how nearly 93 percent of all page loads in Firefox in the U.S. are over HTTPS. That’s compared to around 25 percent in January 2014. Huge portions of the internet have been encrypted thanks to Let's Encrypt, the nonprofit Certificate Authority (CA) which offers encryption certificates to websites for free. Let's Encrypt was started in 2012, and today over 250 million websites use the organization's certificates, according to Let's Encrypt's website. Whereas it used to cost money for a website administrator to get a HTTPS certificate, now essentially any site can get one.
Do you have information on VPN companies misleading their customers, or anything else? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email email@example.com.
One risk is some VPN providers use self-signed root CAs, which allow the creator to read encrypted traffic coming from a computer. White said this is done in the pursuit of malware prevention, but that "is just a different way of saying 'intercepting your (otherwise) encrypted web and mail traffic.'"Some VPNs may collect more information than users anticipate, and in some cases expose that data too."A good question to ask yourself is: do I trust my VPN company more than my ISP to handle the data of which sites I navigate to? If the answer is yes, then using a VPN may be a good match for you. If you're unsure or the answer is no, then the risks of a VPN may not make that trade-off worth it, and for many folks with a lower threat model, that is likely the case," Rachel Tobac, CEO of SocialProof Security, told Motherboard in an online chat.
"It’s time we retire the stock advice to get a personal VPN."
"Anyone, without having any technical knowledge, can add a layer of security and privacy with a single click. And because of the channels we use to market our services, we’ve been able to reach people who would never even think about cybersecurity," NordVPN added. "We strongly believe that recommending people to stop using VPNs will make the digital environment less safe."There is at least one thing that some VPNs could help with: blocking malicious ads. The online advertising ecosystem is so dangerous that the U.S. Intelligence Community has blocked advertisements on a network-level, Motherboard reported recently. But online ads are not just a threat to intelligence agencies; Motherboard has repeatedly shown how data brokers harvest 'bidstream' data by participating in the online advertising process. This sort of information can include location data.Some VPNs can block ads by stopping connections to the ad networks' domains, although not all necessarily do. A browser extension may be a more familiar way of blocking ads, but they also carry their own risks. Last year an adblocker developer sold two of his extensions to a new owner who then added malicious code designed to tamper with victims' social media accounts, Ars Technica reported at the time.Or, of course, many customers will use a VPN simply to access online content such as Netflix that is ordinarily locked to a specific region. In which case, go crazy, maybe.Subscribe to our cybersecurity podcast, CYBER.
"A good question to ask yourself is: do I trust my VPN company more than my ISP to handle the data of which sites I navigate to?"