A VPN, or Virtual Private Network, is one approach to securely connect to a remote resource. Depending on the VPN, that privacy can extend from one end of the connection to the other, or it can protect you only for a certain portion.
I’ll describe the different scenarios and how you are, and perhaps are not, protected by a VPN.
No VPN at all
I’ll use this scenario as the base: you’re at an open WiFi hotspot, connecting to a remote resource like your email or your bank.
All the connections are unencrypted. That includes:
- The connection from your laptop to the wireless access point (aka hotspot).
- The connection from the wireless access point to the ISP providing the internet connection.
- The connection from that ISP to the rest of the internet.
- The connection to the specific service you’re using.
The largest area of concern is the connection from your laptop to the WiFi access point. That open WiFi signal traveling through the air can be “sniffed” (or read) by anyone in range with a laptop and the required software.
Lately, however, there’s been concern about the fact that your ISP can monitor what you’re doing. Specifically, they can see every remote site or service you connect to, and can examine all unencrypted data you exchange with those servers.
Using WPA encryption on the WiFi connection secures the path between your computer and the WiFi’s access point. Hopefully, it’s how your home WiFi is configured, so as to prevent nearby homes or others from connecting to your WiFi, and through it, to your network, without the appropriate encryption password.
There are problems with this approach.
- Most open hotspots at coffee shops, airports, and elsewhere don’t use encryption; the password requirement would confuse their customers more than it’s worth. That’s why these hotspots are called “open”.
- When WPA is used, it protects only the connection between your computer and the WiFi access point. Everything past that point in the diagram above remains “in the clear”.
That last point becomes important, because all the traffic is visible to the hotspot’s owner, should he or she care to peek, and to the internet service provider to which that hotspot is connected.
A VPN service
To protect yourself further, a VPN is a common solution.
A VPN securely encrypts the entire path from your computer to the VPN provider. No one along that path can see your data: not other WiFi users, not the people managing the hotspot, and not the hotspot’s ISP.
For open WiFi, or other situations with questionable security (such as connecting to the internet at your hotel), a VPN can be a great solution.
But it’s not perfect.
There are some things to note.
- The connection is only secured up to the VPN’s servers; the connection from the VPN provider’s servers to the final destination is once again unencrypted. That means the VPN provider, as well as any other networking equipment along the rest of the way, may be able to see your data, and can at least see which servers you’re connecting to.
- You’re adding steps between your computer and the server you’re accessing. The practical effect of this is that your connection becomes slower. How much slower varies based on the VPN service you use, their capacity, and the servers you attempt to access.
- Not all VPN services support all protocols. For example, your web browsing might work, but your attempts to use BitTorrent might not.
- Not all remote servers allow connections through VPNs. One non-security-related reason to use a VPN is that it can make you appear as if you’re located in another country. As a result, many services — such as streaming video services — block connections using VPNs.
- Not all governments allow VPN connections to services outside their countries; blocking them is a way to effectively censor what their residents can view.
The ISP you’re connecting through can’t see, for example, that you’re using BitTorrent, but the VPN service can. Your ISP would still see that:
- You’re using a VPN (and which VPN service you’re using).
- You’re sending and receiving an awful lot of data.
The only true privacy is achieved with end-to-end encryption. Unfortunately, that isn’t possible in many cases, since it must be supported by the service to which you are connecting.
Https is end-to-end encryption
Connections you make via https are completely encrypted along the entire path from your machine to the remote server you’re accessing. That’s why banks (and other services that allow you to access sensitive data) should use https. Most web-based email providers also provide full https connectivity. In fact, more and more sites — including Ask Leo! — are switching to support https.
Similarly, when configuring a POP3, IMAP, or SMTP connection in your email program, if your email provider supports it, choose SSL or TLS. That’s the underlying encryption protocol used by secure connections like https. That way, your email uploads and downloads — as well as your log-in information — are completely encrypted along the entire path to your mail server.
Note, however, that even when using https, your ISP can still see which sites you connect to. Only a VPN can hide that information from them.
Https over a VPN?
Just to complete the picture, if you’re using a VPN, and you connect to an https web site, your data is doubly encrypted for part of the trip.
- The VPN protects you between your computer and the VPN service.
- Https protects you between your computer and the service to which you’re connecting.
There’s really no practical harm. One benefit is that the VPN prevents your ISP from seeing which site you’re connecting to.
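The scenarios above can be worked through mechanically. The following Python sketch is an added example, not part of the original article: it treats WPA, a VPN, and https as layers that each cover a span of the path, and computes which observers can still see your data or your destination. The observer names and the `visibility` function are constructed for illustration and follow the article's simplified picture.

```python
# Added illustration: who can see what, following the article's scenarios.
# Positions along the path, in order (names are constructed for this example).
PATH = ["your laptop", "other WiFi users", "hotspot owner", "hotspot ISP",
        "VPN provider", "rest of the internet", "destination service"]

# layer -> (first endpoint, last endpoint, hides the destination as well?)
# Endpoints decrypt the layer, so only positions strictly between them are blinded.
LAYERS = {
    "wpa":   ("your laptop", "hotspot owner", True),
    "vpn":   ("your laptop", "VPN provider", True),
    "https": ("your laptop", "destination service", False),
}

def visibility(active):
    """Map each observer to (sees_content, sees_destination) for the active layers."""
    unknown = set(active) - set(LAYERS)
    if unknown:
        raise ValueError(f"unknown layer(s): {sorted(unknown)}")
    result = {}
    for pos, observer in enumerate(PATH[1:], start=1):
        if observer == "VPN provider" and "vpn" not in active:
            continue  # the VPN provider is only on the path when a VPN is used
        sees_content = sees_dest = True
        for name in active:
            start, end, hides_dest = LAYERS[name]
            if PATH.index(start) < pos < PATH.index(end):
                sees_content = False
                sees_dest = sees_dest and not hides_dest
        result[observer] = (sees_content, sees_dest)
    return result

def report(active):
    """Render one scenario as text lines for printing."""
    lines = ["layers: " + (", ".join(sorted(active)) or "none")]
    for observer, (content, dest) in visibility(active).items():
        lines.append(f"  {observer:22} content={'yes' if content else 'no':3} "
                     f"destination={'yes' if dest else 'no'}")
    return "\n".join(lines)

if __name__ == "__main__":
    for scenario in (set(), {"wpa"}, {"vpn"}, {"https"}, {"vpn", "https"}):
        print(report(scenario))
```

Running it prints one table per scenario; the `{"vpn", "https"}` case shows the ISP seeing neither content nor destination, while the VPN provider sees the destination but not the content.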
Leo Notenboom has been programming computers since 1976, and answering questions about them online since 2003. For more, see askleo.com.