Is a VPN Essential for Online Transactions?

Infopackets Reader Janie T. writes:

" Dear Dennis,

I wanted to know if I should use a VPN (virtual private network) to connect to my bank website. A service I came across called saferweb.com claims that they will encrypt my connection, but I don't know if they can be trusted or not. What do you think? PS: I love your daily infopackets letters - they are very informative. "

My response:

This is a good question. When visiting saferweb.com I noted the following statements on their site: "Safer Web gives you an extra layer of security against Internet hackers. By hiding your IP, we keep your online activity anonymous and private. Using a VPN keeps your browsing activity private and secure."

Those statements certainly make it sound like it would be triple secure connecting to your bank, but I suggest otherwise. I'll try to answer that question in depth below; in fact, I'll even answer the question "Should I use a VPN?" as well (even if not connecting to a bank), for those who are considering using a VPN service.

So, How does a VPN Work?

A VPN (virtual private network) is software that connects your computer to another computer (a VPN server) somewhere else in the world. The connection between your computer and the VPN server is encrypted. That is what a VPN is, but a pay-for VPN service offered by a third party is slightly different.

Let's look at an example:

Let's say you purchased a VPN service online. Let's also assume that the VPN service has VPN servers located all over the world - and there's even one located in China, which you decide to connect to, for lack of better judgment. So, let's assume you decide to launch Internet Explorer and access website abc.com in the browser. When you access website abc.com using your VPN connection, the server in China is asked to carry out that request. From there, the China server makes a connection* to website abc.com, and then relays the information it receives back to you using the VPN.

HTTPS + VPN = Fully Secure. HTTP + VPN = Not Fully Secure

So is your encryption secure if you simply plug in a VPN? The answer is no.

Let's look at this question a little more closely.

Regarding the asterisk in the previous section above (see: connection*): If website abc.com does not use secure http (https) to serve its web pages, then your connection to abc.com is in fact not secure; the only thing "secure" is your connection between you and the VPN server in China.

In other words, using a VPN to access a non-secure website (ex: http://example.com) will only anonymize the traffic between you and the VPN server - should you be worried about being spied upon; it does not provide a secure connection from the VPN server outward UNLESS the connection outward uses https to serve up its web pages (ex: https://example.com). The website will only serve up https webpages if it uses a security certificate (SSL) that has been signed by a certificate authority.

How a VPN works: a Notation Example

Using the example above, I'll use notation for brevity. The connection would look like this:

You -> China (secure via VPN) : China -> http://abc.com (not secure because abc.com uses http and not https) = you're only 1/2 way secure in your connection to China, but not from China and onward.

If website xyz.com was secure using https, then the connection might look like this:

You -> China (secure via VPN) : China -> https://xyz.com (secure because xyz.com uses https) = you are using a 100% secure connection.
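The notation above can be worked through as a small model. This Python is an added example, not code from the original article: it lists which encryption layers cover each hop and who can read the page content in transit. The function names are hypothetical; the hosts are the article's abc.com and xyz.com.

```python
from urllib.parse import urlsplit

def hop_exposure(url, vpn_exit=None):
    """Return [(hop, layers)] for each network segment between you and the site.

    layers lists the encryption covering that hop; an empty list means the
    page content crosses that hop in cleartext.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web URL: {url!r}")
    nodes = ["You"] + ([vpn_exit] if vpn_exit else []) + [parts.hostname]
    hops = []
    for i, (src, dst) in enumerate(zip(nodes, nodes[1:])):
        layers = []
        if vpn_exit and i == 0:
            layers.append("VPN tunnel")  # the tunnel ends at the VPN server
        if parts.scheme == "https":
            layers.append("HTTPS")       # TLS runs browser to website, end to end
        hops.append((f"{src} -> {dst}", layers))
    return hops

def cleartext_readers(url, vpn_exit=None):
    """Parties other than you and the website that can read the content."""
    readers = []
    for i, (hop, layers) in enumerate(hop_exposure(url, vpn_exit)):
        # The tunnel is decrypted at the VPN server, so without HTTPS its
        # operator (or anyone who has compromised it) sees the content.
        if vpn_exit and i == 0 and "HTTPS" not in layers:
            readers.append(f"VPN server ({vpn_exit})")
        if not layers:
            readers.append(f"network between {hop}")
    return readers

if __name__ == "__main__":
    cases = [("http://abc.com", "China"), ("https://xyz.com", "China"),
             ("https://xyz.com", None), ("http://abc.com", None)]
    for url, exit_node in cases:
        print(url, "via", exit_node or "no VPN")
        for hop, layers in hop_exposure(url, exit_node):
            print("   ", hop, "=", " + ".join(layers) or "NOT encrypted")
        print("    readable by:", cleartext_readers(url, exit_node) or "nobody in transit")
```

With https the list of in-transit readers is empty whether or not a VPN is used, which is why the VPN adds nothing to the confidentiality of an https session.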

So, Should You Use a VPN when Connecting to Your Bank?

Frankly speaking, I don't think it's a good idea. It certainly does not add any extra layer(s) of protection - especially with respect to SaferWeb's claims. In fact, using a VPN to connect to your bank may backfire on you.

Provided that your system is not infected with malware, your operating system is up to date with the latest security patches, and you're using the latest web browser version of Firefox, Chrome, or Internet Explorer, then connecting to your bank should be perfectly secure and nothing else needs to be done. Millions of people do it like that every day.

Using the notation example: if you are connecting to your bank without a VPN, then the connection would look something like this: You -> Bank (secure, because you're using https already). So is there any point in using a VPN to do this instead: You -> China (secure because of VPN) : China -> Bank (secure because of https)? Probably not.

How can Using a VPN Service Backfire on You?

It's also worth pointing out that if a VPN server was ever compromised, any and all communication between you and the VPN server can be sniffed and potentially decoded. So if you ask the question "is using a VPN [server] secure?", I would say, "only if the server itself is secure," which is likely impossible to prove. Servers are managed by human beings, and human beings are prone to error, so it stands that there is a possibility that the server may not be secure. Also, servers, just like PCs, are prone to exploits, and if not patched in a reasonable period of time, can be compromised.

Lastly (and perhaps most importantly), if you try and connect to your bank using a VPN server located in China, I am guessing that your bank is going to throw up some major red flags (no pun intended), and possibly prevent you from logging in. The way the bank sees it, someone (a computer, or server) from China is trying to access your local bank account. Is that a good thing? Probably not.

Now, if you repeatedly use random VPN servers to anonymize your traffic (which happens to be another feature offered by VPN services), AND you try and connect to your bank on a regular basis, then I'm guessing the bank is going to throw up some more red flags. The way the bank sees it: a computer, or server located somewhere in the world keeps trying to access your bank account - and it keeps happening from different places around the world. Is that a good thing? Definitely not - at least, not the way the bank sees it, because cybercriminals often use VPNs to anonymize their web traffic as well. It would be a safer bet if you just stick to using your local IP address when accessing your local bank.
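To illustrate why those logins look suspicious from the bank's side, here is an added example (not from the original article, and not any real bank's logic) that flags logins from outside the customer's home country and logins that hop between countries. The log lines, account number, thresholds and function names are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp, account, country of the source IP.
SAMPLE_LOG = """\
2024-03-01T09:12:00 acct=1001 country=CA
2024-03-02T18:40:00 acct=1001 country=CA
2024-03-03T08:05:00 acct=1001 country=CN
2024-03-04T21:30:00 acct=1001 country=NL
2024-03-05T07:55:00 acct=1001 country=BR
2024-03-20T10:00:00 acct=1001 country=CA
"""

HOME_COUNTRY = {"1001": "CA"}   # assumed: the bank knows where the customer lives
WINDOW = timedelta(days=7)      # assumed look-back window
MAX_COUNTRIES = 2               # assumed: more than this within WINDOW is suspicious

def parse(line):
    """Split one 'timestamp acct=... country=...' record into typed fields."""
    ts, acct, country = line.split()
    return (datetime.fromisoformat(ts),
            acct.split("=", 1)[1],
            country.split("=", 1)[1])

def flag_logins(log_text):
    """Return (timestamp, account, country, reasons) for each suspicious login."""
    recent = defaultdict(deque)  # per-account logins still inside WINDOW
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, acct, country = parse(line)
        history = recent[acct]
        history.append((ts, country))
        while ts - history[0][0] > WINDOW:   # drop logins older than WINDOW
            history.popleft()
        reasons = []
        # An account with no known home country is treated as foreign.
        if country != HOME_COUNTRY.get(acct):
            reasons.append("foreign_country")
        if len({c for _, c in history}) > MAX_COUNTRIES:
            reasons.append("country_hopping")
        if reasons:
            alerts.append((ts.isoformat(), acct, country, reasons))
    return alerts

if __name__ == "__main__":
    for alert in flag_logins(SAMPLE_LOG):
        print(alert)
```

The single login through a foreign VPN server trips the first rule, and rotating through VPN servers in several countries trips the second; logging in again from the home country after the window has passed raises nothing.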

What about SaferWeb's Comments that "VPNs are Safe"?

As for saferweb's statements regarding VPNs, let's take a look at those now that we have a little bit more knowledge about how VPNs work:

  • They say: Safer Web gives you an extra layer of security against Internet hackers. I say: using our examples above, that is only true if the entire connection is secure and the VPN server is also secure. Also, a hacker can 'hack you from the inside' if your system is infected with malware, so a VPN will not prevent you from being "hacked".
     
  • They say: By hiding your IP, we keep your online activity anonymous and private. I say: yes and no. If you are worried about being spied upon locally by governments, or are otherwise paranoid, then using a VPN is probably a good idea. That said, you should also ensure that your antivirus, antimalware, operating system, and web browser are all up to date and infection free in addition to using a VPN, otherwise you can still be spied on because your information will still propagate outward somewhere onto the Internet whether you use a VPN or not.
     
  • They say: Using a VPN keeps your browsing activity private and secure. I say: yes and no. This is really only true if the connection is 100% secure. Even so, if someone was to compromise a website you were previously connected to, they could still access information about you. A VPN won't protect against that type of an attack.

So, Should You Use a VPN Service?

Whether or not you decide to use a VPN service (such as those offered by SaferWeb, for example) really depends on your circumstances.

If you need a VPN service to simply anonymize your IP address - for example, to gain access to certain services (such as accessing content that would otherwise not be available to you due to geographical restrictions), then yes, a VPN service is going to help you. If you are asking whether or not a VPN service is going to make you more "safe" online, then I would say - read this article, and then compare it to your circumstances, and then make your decision.

As for VPNs themselves - they are the greatest thing since sliced bread, really. I use my own VPN using OpenVPN (a freeware program), which allows me to connect to my remote web server in New York. Since I already own a server, I don't need to pay for a VPN service to access my server; I simply made my server run the 'server service' and I use a 'client' to access the server. At any rate, the traffic to and from the server is completely encrypted and no one can access the server without going through the VPN first. So in that respect, it is fantastic because it offers unparalleled protection from outsiders / hackers, etc. If anyone needs help setting up something similar in order to access a remote system through another system, you are welcome to contact me for help.

Additional 1-on-1 Support: From Dennis

If you are still not sure about whether or not a VPN is going to help in your circumstance, you are welcome to contact me for help. I can also assess your PC's health - in case you are unsure whether your PC is vulnerable online. Simply contact me for help and I will connect to your system and review and discuss your options with you 1-on-1.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise are a broad range and include PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelors degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security.