VPN heresy, or why you might want to think twice about using one

People here (and in the now-gone Facebook page) may notice me pushing back against the conventional (and often podcast-sponsoring) wisdom that using a VPN for security and privacy is a good idea, especially when using public WiFi.

While I won’t go so far as to say that nobody should ever use a VPN service, I do believe that they introduce risks that many people are not aware of, and so cannot make an informed choice as to whether or not they should use one. Generally, I believe that: “If something isn’t safe to do with a (non-work) VPN then it’s not safe to do even with a (non-work) VPN.”

Anyway, I’m just some guy on the Internet (I work in information security, but none of you know me from Adam :slight_smile: ), so it’s wise to take my mild ranting with a grain of salt.

However, someone with more credibility than I have has now put out an article on this topic: https://nakedsecurity.sophos.com/2019/05/31/foreign-spies-may-be-hiding-in-your-vpn-warns-dhs/

As with all things in information security, whether or not you should do one thing or another is a question of which risks are acceptable to you and which are not. Blind recommendations to use this or do that without understanding the trade-offs in risks are, well… risky.


Read the article; not sure what I read, though. So, are “foreign adversaries” not interested in corporate networks or networks of telecoms providers? Maybe they’re just trying to make the point that a VPN doesn’t make you inherently safe?

I don’t think it’s that state level actors aren’t interested in corporate networks; it’s more that non-corporate VPNs act as highly trusted aggregators of a lot of network traffic, so that compromising them, or infiltrating them (or running them) yields a high return on effort.

If someone compromises my corporate VPN, chances are that they are, or can be, deeply enough into my network that having access to the VPN gateway is of minimal additional benefit.

That’s not to say that that’s not a problem: it most certainly is, but it’s a different problem fundamentally. With consumer VPN services, you must assume a deep level of trust with an entity with which you have no relationship other than that you purchase VPN service from them and they promise that they won’t do anything nasty. However, with a corporate VPN the trust relationship you have with the service provider is already there as they are your employer. It can be compromised but at least you don’t have to worry about ill intent on the part of the VPN service provider.


I’ve read the article, and the related material, and even though I agree with the fact that you should always be careful where you get your VPN service, I totally do not agree with the premise that not using a VPN is better. In my day-to-day business I see too many people that have their credentials compromised and their bank accounts emptied because someone listened in on a Starbucks WiFi network.

A VPN will protect you against a real-life attack, while the article and the reports from DHS are vague and lack any real substance. “Foreign actors may”, “foreign actors have the capability”. OK, and where is the actual data?

For clarification: to me the US is a foreign actor…

I ask myself: who would benefit most from you not using a VPN? I think the DHS might be at least in the top 5 of that list…

My tip would be use the VPN service you feel is safe after looking at the available documentation and user reviews, or use a personal VPN. I use a VPN service and a private VPN solution to safeguard my wifi traffic.

I agree; their accounts are usually emptied through their credit card. I should have mentioned that.
