VPNs, or virtual private networks, continue to be used by millions of people as a way to hide their internet activity by encrypting their location and web traffic.
But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections much less of a security threat, cybersecurity experts say.
“Most commercial VPNs are snake oil from a security standpoint,” said Nicholas Weaver, professor of cybersecurity at the University of California, Berkeley. “They don’t improve your security at all.”
It’s a development that highlights the changing cybersecurity landscape: Hackers are less likely to target people’s individual devices and instead focus on the login details of their most important accounts.
For years, experts have warned that it is dangerous for ordinary people to use Wi-Fi in a public place like a cafe without taking steps to mask their internet traffic. Someone sharing a Wi-Fi network with strangers was essentially sharing all of their traffic with others who were using it. If someone decided to check their bank balance, for example, they ran the risk that a nearby hacker could steal sensitive information.
VPNs offered a way to counter this problem. VPNs redirect a user’s Internet traffic through their own servers. This can slow down browsing speed, but has the advantage of hiding a user’s Internet Protocol address – which includes their general location – from websites they visit.
But that’s no longer the problem it once was. In recent years, most browsers have quietly implemented an additional layer of security that automatically encrypts internet traffic on most sites with a technology called HTTPS. Indicated by a small padlock by the URL, the presence of HTTPS means that a disturbing scenario, in which a con artist or hacker squats a public Wi-Fi connection in order to monitor people’s internet habits, is not feasible. .
It’s not clear that the threat of a hacker in your coffee shop was ever so real to begin with, but it’s certainly not a major danger now, Weaver said.
“Remember, someone attacking you at the cafe has to be basically AT the cafe,” he said. “I don’t know if they’ve ever been used outside of pranks. And those are no longer relevant now with most sites using HTTPS, ”he said in a text message.
There are still valid uses for VPNs. They are a valuable tool for bypassing certain types of censorship, although other options exist as well, such as the Tor browser, a free web browser that automatically redirects user traffic and is widely praised by cybersecurity experts.
VPNs are also vital for businesses that need their employees to connect to their internal network remotely. And they are a popular and efficient way to watch TV shows and movies limited to particular countries on streaming services.
But as with antivirus software, the paid VPN industry is a booming global market, although its core mission is no longer necessary for many people. Most VPNs market their products as a security tool. A Consumer Reports survey released earlier this month found that 12 of the 16 largest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make matters worse, either by selling customer browsing history to data brokers or by having poor cybersecurity.
The solution is in large part thanks to activists who have lobbied for more than a decade for a safer way to browse the Internet.
In 2010, cybersecurity activists from the Electronic Frontier Foundation, an Internet freedom advocacy group, started a project to encrypt as much web traffic as possible by developing browser extensions to allow users to switching HTTPS and giving websites free tools to enable it.
As more and more people have started using HTTPS where possible, some of the companies that help most people use the internet have stepped up. In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites have started offering HTTPS connections, and now virtually every site Google links to do so.
As of late 2020, major browsers such as Brave, Chrome, Firefox, Safari, and Edge have all integrated HTTPS into their programs, making the Electronic Frontier Foundation browser extension no longer necessary for most people.
“Years ago, no one could imagine that. It’s kind of one of those background wins, ”said Alexis Hancock, who oversees the HTTPS project as the foundation’s director of engineering.
Users now have to worry much less about being hacked by another cafe customer than by a hacker simply sending an email from anywhere in the world to trick them into giving out their passwords and the like. sensitive information, she said.
Hackers “would probably do a phishing attack on you before entering a cafe with free Wi-Fi,” Hancock said. “Sending malicious emails to people is a lot easier to do this kind of campaign. These have been tried and true, unfortunately, ”she said.