VPNs – How Safe Are They?
With security and privacy being such a hot topic, the subject of VPNs and VPN services is a hot one right now. In my opinion, everyone should use a VPN service. Home users, mobile users, companies, enterprise, everyone. Not only does it protect you from hackers but also from ISP spying, the government and anyone who wants to know what you do online. But how safe are VPNs?
VPNs have several dependencies that dictate how safe a VPN is:
- The company providing the service.
- The logs that company keeps.
- Availability of anonymous payment options.
- Shared IP addresses.
- Encryption and connection type.
The company providing the service
VPN technology itself is safe. The company providing the technology is where you need to look. Do they keep abreast of developments? Perform their own intrusion and hack testing? Do they update their software as soon as vulnerabilities are discovered?
VPN applications are susceptible to code or program weaknesses just like any other application. A lot of work goes into keeping them as tight and as secure as possible but occasionally weaknesses are found. The mark of a good VPN provider is how fast they update their services to fix that vulnerability.
The logs that company keeps
There is no point going to the expense of using a VPN if the company offering the service logs everything you do. In that case, you may as well let your ISP track you and save the money. Many good VPNs will offer a ‘no logs’ service where their VPN servers and routers do not keep logs on who connects or what traffic is passed through them.
It is these logs ISPs, governments and law enforcement use to track what you do online. Without logs, nobody knows who was where and when.
There are two types of logs, usage logs and connection logs. Usage logs are a record of what you do, where you go and what you download. These are what are used against you. Connection logs collect metadata about when you connected, how long you were connected for and if any errors occurred. They do not contain incriminating information.
Most VPN providers will not keep usage logs but may use connection logs for quality and troubleshooting. Sometimes VPN providers will need to perform real-time monitoring of traffic for troubleshooting but otherwise, they should publicly state that they keep no logs.
Some countries require mandatory logging, so it pays to check where your VPN provider of choice is based. Some European countries are safe, such as Sweden, Netherlands, Luxembourg and Romania. Some Caribbean countries are relatively safe to as they do not mandate logging. Check before you buy.
Anonymous payment options
Many VPN providers offer the ability to pay for their service anonymously. This will usually be with Bitcoin but other services may be offered. These are usually only for the seriously privacy minded. It prevents your VPN provider knowing your name, address and anything about you except your IP address. You can still be identified by that IP address though so your mileage may vary.
For most of us, it isn’t the fact that we can pay for our service anonymously that makes the VPN safer. It is the fact that such a service is offered at all. It means the company values privacy and takes it seriously. That is what is more important.
Shared IP addresses
Most VPN providers will buy entire IP address ranges and use them in a pool for their users. They can also configure their IP addresses so that they are shared amongst multiple users at once. That means nobody actually knows who is doing what while online as the path will be muddled.
This, along with no real-time monitoring or logging means it would be incredibly difficult to identify one particular user visiting a particular website or downloading a specific file.
Encryption and connection type
There are several types of VPN encryption, PPTP, OpenVPN, SSTP, L2TP and IKEv2 are just a few. Some of these have weaknesses. At the time of writing, the best encryption method on the market is OpenVPN, then IKEv2 and then perhaps SSTP. Do not use a VPN that utilizes PPTP encryption as this is known to be weak.
Encryption is a deep and detailed subject and is quite fascinating but mostly out of scope of this article. However, it might also be useful to know the minimum settings for an OpenVPN connection should be RSA-2048 bit handshake, SHA-1 or SHA256 Hash Authentication and a Blowfish-128 or AES-256 bit cipher. Many quality VPN providers will have these as defaults.
So how safe is a VPN? Very safe if you get the right one. A VPN provider who keeps no logs, who shares IP addresses, offers anonymous payment options and the ability to connect using OpenVPN is definitely worth investigating.