Defacto Tech Support
I always get asked by friends and family: “what VPN should I use?” Inevitably, I complicate the answer by responding “well, what are you trying to defend against?” In a world where security has become part of dinner-table conversation I thought it would be helpful to create a reference point for how I help people choose a VPN service (or not) to use.
VPNs, like all security tools, have trade-offs depending on the technology and service provider you use. Choosing what trade-offs to make based on your risk profile and usage requirements is the crux of any security optimization.
The Big Picture
When I talk to people about any security tool, one of my first goals is to help them understand the re-allocation of trust they are making. It’s an easy thought exercise to start evaluating the “trade-offs” you are making. With VPNs, the simple explanation is that you are shifting your trust from your local internet connection to your VPN provider. With that in mind, the trade-offs become more tangible: what third-parties do they introduce to your data and information supply chain? Does this actually accomplish what you want? The goal isn’t to discourage someone from using a VPN, but to make them acknowledge the re-allocation of trust and protect them from a false sense of security that frequently comes with their new power. Are they trading a known risk for an unknown risk?
I want to…
These are some quick Friday afternoon thoughts on the use-cases I frequently run into when someone is looking for a VPN. For brevity, I am going to ignore the possibility of running your own VPN and focus exclusively on commercial services.
Limit the Monetization of my Data
It is fairly common practice that ISPs inspect DNS traffic and browsing activity to create additional revenue streams through targeted advertising. When friends or family use this as a primary reason for wanting a VPN, I often talk them out of it. First, a majority of ISPs allow you to opt out of this activity from your account or billing page. Second, you can easily encrypt your DNS traffic by configuring it directly from your router to a provider that offers DNS over TLS, or by setting up a Pi-hole on your local network. This is much easier to manage and results in way fewer headaches than routing all of your traffic through a VPN. Finally, accept that on the internet everyone is trying to make money from you at all times — do you honestly think your $1/month VPN provider isn’t?
Avoid a Hostile ISP or Government
Sometimes people want to hide their activity from their ISP because they are living abroad or traveling for work. In this case the ISP is the hostile network, but they can still control their local network (think WiFi). For these folks I typically emphasize the following considerations:
Encryption/Security
What protocols and encryption is the VPN using? I Highly recommend WireGuard above all other protocols because of it’s limited attack surface and default affinity for strong encryption. You should also be able to answer who owns the VPN service, what their logging policy is, and who they use to host their service. It is important you recognize they will effectively be your new party of trust.
Reliability and Performance
Can I be confident that this service will support my needs if I rely on this for all my internet traffic? If folks on your network start cheating to get around the VPN, it becomes much less effective.
Compatibility with Routers and other Network Gear
Many services offer configurations that can plug in to routers for adding first-mile protection to your whole network.
Exit IP Diversity and Users per IP
Folks who are new to VPNs are often surprised when they get blocked from services or end up on captcha pages. If you aren’t as concerned about being anonymous, consider gravitating towards services that offer private IPs or fewer users per IP address. You are much less likely to be caught up in IPs with poor reputations being used for nefarious purposes.
Use Public WiFi
For folks doing less international travel, but who might post up at the local Starbucks, the more relevant threat might be their local network or WiFi. A VPN can be a good way to lock down the data over this un-trusted network. In this scenario it is important to look at:
The Endpoint Software
Are you still leaking other data (i.e. DNS)? Is the software running on your device trust-worthy?
Speed and Efficiency
Usually shared connections are already slow, consider services that prioritize speed or use lightweight protocols (such as WireGuard) to setup your encrypted traffic.
be Anonymous
This is the use-case many people want but don’t want to admit. VPNs can be effective ways to blend in with other users online and mask your identity. Some of the considerations while considering this use-case are:
Purchase Methods
If you are doing something you don’t want attributed to you, it may be wise to consider how you are paying for the service and what breadcrumbs you leave behind.
Company Ownership
Remember that your true IP will be visible to the VPN provider. Are you positive you trust the company operating the VPN? What about thier vendors?
Actual Logging Policy
“No logging” is a common lie in the VPN industry. Be skeptical of these claims and take the time to understand the actual privacy policy for your service provider and their vendors.
Unique Users per IP
Your activity isn’t as anonymous if you are the only one using an exit point! Consider whether or not you want to hide in the noise of lots of users or not.
My Setup
When I use a VPN I am nearly always trying to protect my traffic from my ISP or local network. I am not trying to be anonymous. For that reason I choose to use Cloudflare’s Warp VPN service. Why? They are familiar with securing and running infrastructure around the world; They are a known US based company; They are transparent about not providing anonymization in their network and their logging policies; They use the WireGuard protocol which is fast, has a small footprint, and is always tuned to use strong encryption.
Interested in VPN Data?
Spur is dedicated to building data-sets and tools that help our clients prevent fraud and abuse on their platforms. One of the ways we do that is by understanding and evaluating anonymous network infrastructure around the internet. Get in touch with us today if you are interested in learning more!