It’s quite safe is the initial answer. But, it’s like saying a padlock is safe against burglars. VPN came into vogue ever since the NSA fiasco happened and now the masses are ever more careful about their safety on the Internet. This contention has gained so much momentum because of the fact that IT industry stalwarts like Google, Microsoft and the like were put into scrutiny as regards to user data safety. It that light, it has to be understood that VPN is not at all a new technology. It has been there for quite sometime, more than 20 years, in fact. Before understanding the aspects of safety of VPN, the long form of the abbreviation has to be understood. V stands for “Virtual”, P for “Private” and N for “Network”. Tersely speaking, it’s a private network that is not real. The best suited way to explain this using a company scenario. Suppose John works at IBM R&D centre. He’s working on the next big processor. He has got some design files, and he has to travel with the files in his laptop, which if leaked could be disastrous for IBM. Enter VPN, IBM sets up an IBM server, connects it to the home network on one side and exposes a secured channel on the Internet. Now, John travels, connects to the VPN server over the Internet, and is safe from any snooping happening. His network traffic effectively “tunnels” through the Internet and reaches his home network. This is what a VPN is at its bare bones.
Now coming to the safety part, safety of a VPN system has two sides like a coin. Furthermore, just like a coin, it has the fine edge too.
The two sides of the coin are called Privacy and Security. And it depends on you to choose the side of the coin. The security is ensured by hiding your data on the network using encryption. Whereas privacy means that the snooper (if any) would not know your identity. For the general public, unlike corporates, there are service providers of VPN. To use such a service, a user has to get a VPN client, the server IP and some credentials. Then just switch on the client and all your traffic from your computer to the server is secured. Anybody would want security and privacy at the lowest price. The market knows the demand is this, so practically speaking it’s hard to find such a service. It has to be noted that anyone with a 24×7 running computer and an Internet can setup a VPN service for the general public as the core server software is freely available (eg. OpenVPN). Then you might ask how to choose a service? The answer will be clear once security and privacy are understood with regards to VPN.
How many times have you heard “my password is stolen”, “my Gmail got hacked! “, “someone stole my pictures”? These all are cases wherein the password was seen by a snooper on the network. To give you an example of the simplicity of the attack, a person just has to connect to an open Wi-Fi network, say at an airport, setup a simple dummy Gmail login page and route all traffic through his/her computer. And viola, the snooper has your password. The network was compromised, there was no SSL security and you had no VPN. Now, what if you had VPN? The snooper will get your data albeit it would we all gibberish aka ciphered. But it has to be noted that only the traffic between your computer and the VPN is encrypted.
Beyond the VPN server, your data may even go in plaintext if the end server’s web address starts with ‘http’, versus ‘https’ for added security (the ‘s’ in ‘https’ stands for SSL i.e. Secured Socket Layer). As you can see, VPN is only the part answer to security. The complete answer includes you; when you make sure you only connect to Web addresses that start with ‘https’. For the extreme case that a law-enforcing authority wants to spy on your traffic, the odds are zero that they would be able to read it in its encrypted form. This is made sure by having an encryption standard that has AES (Advanced Encryption Standard) or atleast Triple DES (Triple Data Encryption Standard). But, beyond the encryption aspect of safety, privacy comes into picture.
Continuing further on Privacy, it has also to be understood that any government agency would check a user’s logs and this is possible only if the VPN service provider keeps it. This is the grey area that was mentioned above.
Some providers keep logs forever and use it to profit (the free providers), some purge the logs and only use it to bill you and some are very ambiguous in telling about their logs policy.
Make sure to choose a VPN service which does not keep logs or purges it regularly. Some trustworthy ones are:-
- CyberGhost VPN
- Avast! also has a VPN service called SecureLine, which also has a mobile version (for both Android and iOS).
Coming back to our question, “How safe is a VPN?”, its now clear that there are two major aspects of safety: Security and Privacy. Additionally, the edge of the coin of safety is what steps you take. Some questions you can ask to yourself are:-
- Do I use open Wi-Fi networks? (You shoudn’t)
- Do I secure my home network? (You should)
- Do I check ‘https’ or do I open alot of ‘http’ sites? (You should)
- Do I do bank transactions on an open Wi-Fi? (You shouldn’t)
- Do I open unknown mails in my inbox (You shouldn’t)
Once you have done your part, then choosing a VPN service makes sense, otherwise there would me more loopholes left open by you, than can be closed by using a VPN. The good rule of thumb is to have a complex password and having a firewall (like ZoneAlarm) installed on your computer. An added advantage to help your privacy would be to use an IP anonimity service like Tor. Tor is a free software with world-wide servers that do not expose your IP address to the Internet. That is, you give requests to the Tor network and the Tor network fetches those websites for you, while keeping your identity under the wraps. The best part is that the Tor client has been made for Windows, Mac and Linux. A neat trick that you can do is re-write your MAC address in the network card and re-write your IP address. That way, anyone doing a trace back to your network request would not get your original network identity. Several software are freely available that can do this.