9

I've got a yearly subscription to a VPN service which is real quick and from the research I did at the time seems to be pretty legitimate, but are there any disadvantages or scenarios where you perhaps shouldn't use a VPN?

I'm from the UK and I usually just have the VPN setup to automatically route everything through a VPN server located in London.

If for example, say that I want to connect to my online bank account, am I putting my credentials and packets are risk by having them sent over the VPN server? - I'm assuming that the banks login page is pretty secure already so by routing through a VPN server am I creating extra risk by routing over this third party?

The question boils down to; are there any situations where you wouldn't want to use a VPN, or is it always beneficial to security?

(Ignore cost / decreased network performance)

Crizly
  • 2,597
  • 4
  • 18
  • 29

7 Answers7

9

Yes, it could be a disadvantage. What is boils down to is how much you trust the VPN provider.

For most secure protocols, using a VPN will be just as secure because your communications are encrypted by the protocol. If there was a MITM at the other end of the VPN connection they would not be able to do much (apart from a side channel attack, which are usually pretty useless in isolation). Of course, this is assuming the protocols and software are secure, and cannot be not affected by the FREAK attack or other downgrade attacks.

However, the web is different. The main issue is that the Same Origin Policy does not designate a different origin for plain vs encrypted where cookies are concerned. A cookie set on http://example.com can be read by https://example.com. If there are any cookie handling vulnerabilities on the site then the "secure" connection could be compromised. The Secure Flag does not help here - this only prevents a plain HTTP connection from reading a cookie set over HTTPS, not the other way round. An example could be cookie poisoning like session fixation, or if there's an XSS vulnerability based on a cookie value that was assumed to only have been set via HTTPS. These are really vulnerabilities on the sites themselves, however using an untrusted connection allows them to be exploited.

So if there is any doubt about the trust of your VPN provider, then disable plain HTTP from your browser and use the internet over HTTPS only. You can do this by setting an invalid proxy server for plain HTTP (e.g. 127.0.0.1:8).

Of course, you should make sure you are using a secure protocol for your VPN connection too (e.g. not MS PPTP). Also, make sure you use iptables/Windows Firewall properly to prevent any incoming connections to your machine whilst connected to the VPN.

SilverlightFox
  • 33,408
  • 6
  • 67
  • 178
  • Another way to block plain-text HTTP is to install the EFF's [HTTPS Everywhere](https://www.eff.org/https-everywhere/) and turn on its *block all unencrypted requests* mode. Also, [HSTS](https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security) is becoming more and more common, and especially with preloading nicely mitigates against the particular attack vector of mixing HTTP and HTTPS. – user Mar 04 '17 at 13:00
3

A VPN maskerade you real IP by using the VPN IP instead. The VPN IP is shared by an unknown number of persons, and its usage is public as long as the person subscribe a contract to the VPN provide.

Therefore, by using a VPN:

  • You open yourself to attacks such as IP spoofing, it will be trivial for someone else to use the very same IP address than you,

  • Possibly your IP address may be blacklisted due to the activity of another VPN user, which may result into limited or refused access into some websites.

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
  • Agreed, using a VPN is very likely to reduce the trust that the destination service (your bank, email host, etc) has in you and make them more likely to say "nothanks go away" so it might be a nonstarter anyway if your VPN host is large/sketchy enough to have a bad reputation. – Jeff Meden Apr 24 '15 at 15:27
3

Trust is obviously key, since you are trading trust in your local connectivity (whatever path your connection takes through your local ISP, the coffee house wifi, etc) for trusting the connectivity of the VPN service and their internet path. If it's a large and reputable VPN provider compared to a coffee house wifi, then you are probably going in the right direction. If it's a lowest-cost Eastern-Europe based outfit then maybe not so much. Personally I would be more keen to trust a VPN through my own equipment (i.e. a server I am hosting via a reputable connection at home/office or on AWS/Azure/etc) when the question is do I use the starbucks/hotel wifi vs a VPN. If it's a question of sufficiently anonymizing my traffic, then a third party VPN would come into play.

Jeff Meden
  • 3,966
  • 13
  • 16
  • The Wifi and the VPN are not at all exclusive. Actually, it is when using untrusted wifi that using a VPN would make most sense for privacy purpose (ie. wifi **+** VPN, and not "wifi vs a VPN"). Moreover, confidence is secondary as long as the remote server is providing SSL access: SSL is precisely designed to allow a secured exchange over an untrusted network. – WhiteWinterWolf Apr 24 '15 at 15:30
  • Sorry if I was unclear but I definitely meant "using the Wifi to get to the VPN", since the VPN is useless without a local internet connection. The point of the VPN is then to make the local connection oblivious to your traffic, which is what I imply with the language of "trusting the VPN instead of the local connection". Also, SSL is a great measure but sadly has seen a few issues lately, so for the sufficiently paranoid an untrusted connection is only useful to get to a VPN (which hopefully is validated via private key) Hope this helps! – Jeff Meden Apr 24 '15 at 15:35
1

This is not technical security, but when using a VPN you may attract unwanted attention on your activity. I have to find the exact source of a case I read about where someone performing illegal activities was detected because he was the only one on the whole network using TOR.

EDIT: This is not the example I was looking for but close enough: Tor User Identified by FBI

WoJ
  • 8,957
  • 2
  • 32
  • 51
0

Maybe worth mentioning that a VPN you run is a different matter than a VPN you don't.

On a VPN you run, you do gain security in some situations involving potentially hostile networks (wifi springs to mind, but ultimately, I guess this would be any network you don't manage). On a VPN you don't you might be protected from the network you are actually on, but in effect, you are exposed to the VPN provider, and whatever might be between their servers and your target.

This is (of course) also true if a VPN you might run, but presumably, you would have different priorities than a VPN provider (notably, you might very well be happy to pay a bit more to be on a reputable network).

You might want to check the 'Anonymity and Security FAQ' for Tor (starting here: https://www.torproject.org/docs/faq.html.en#WhatProtectionsDoesTorProvide)

Everything that says pretty much holds true for your situation, with the added caveat that someone, somewhere, may be able to link your account with the VPN provider to you.

iwaseatenbyagrue
  • 3,631
  • 1
  • 12
  • 24
0

The main problem I've found is: when you open a VPN connection all apps in your machine may use that VPN. If you have more than one user executing apps in the server that opens a VPN connection, you have a very important hole of security. VPN solutions are great, but they must be combined with another type of security barrier to use them.

  • I'm not sure that I understand the hole in security you talk about. If 2 users are on the same machine, and each user opens a network connection that involves the VPN, you are saying that the users can see each other's traffic? Wouldn't they see each other's traffic anyway without the VPN? – schroeder Apr 24 '15 at 23:11
  • Many people thinks that a VPN connection is enough security and they forgot that the whole client machine has access to the VPN making the target network weaker. – Manuel Lucas Apr 25 '15 at 19:02
0

With the hype that has surrounded VPNs historically, the potential pitfalls or "weak spots" in the VPN model can be easy to forget. These four concerns with VPN solutions are often raised.

  1. VPNs require an in-depth understanding of public network security issues and proper deployment of precautions.

  2. The availability and performance of an organization's wide-area VPN (over the Internet in particular) depends on factors largely outside of their control.

  3. VPN technologies from different vendors may not work well together due to immature standards.

  4. VPNs need to accommodate protocols other than IP and existing ("legacy") internal network technology.

Generally speaking, these four factors comprise the "hidden costs" of a VPN solution. Whereas VPN advocates tout cost savings as the primary advantage of this technology, detractors cite hidden costs as the primary disadvantage of VPNs.