VPN - A Saturated Market?

A Virtual Private Network (VPN) has multiple uses; however, for most of us the term means only one thing: the kind of VPN that routes your internet traffic through a tunnel, so that the services you use see connection information (such as your source IP address) from the VPN's 'OUT' endpoint rather than from your device, and your Internet Service Provider (ISP) can only see that you are sending encrypted traffic to an 'IN' endpoint of your VPN provider, not what that traffic contains. Like so:

```mermaid
sequenceDiagram
    You->>+ISP: Connect to the internet
    You->>+VPN IN: Connect to a VPN service 'IN' endpoint server
    VPN IN-->>+VPN OUT: VPN Tunnel over the provider's network
    VPN OUT->>+Web: Connects from here
    You--x+Web: Connect to a web service
    Web->>-VPN OUT: Only knows the VPN 'OUT' endpoint
    VPN OUT-->>VPN IN: VPN Tunnel
    ISP->>-You: Only knows the VPN 'IN' endpoint
    VPN IN->>-You: Knows everything about the transaction but is hopefully secure and keeps no logs
    Web--x-You: Web service response
```

I’m not going to talk about the other uses of VPN in this post. Maybe another day 😄. This form of VPN is a booming business! New providers touting this feature or that pop up all the time, not to mention service clones eager to make money off a trending brand.

The Premise

I’m big on open-source, free software, and privacy. So when I signed up for a VPN service several years ago I did my research and chose Private Internet Access (PIA), and I think they served me well. However, I was recently prompted to look again at what’s happening today with VPN services, and things have changed.

I’m not going to produce a Netflix documentary of what’s happening right now with the marketing of VPN providers, but maybe someone should… Let’s just say there’s at least one big and shifty company buying out VPN providers and VPN review sites, marketing everything along the same lines with prescribed differences between them, whether their claims are backed by facts or not. If you find a VPN comparison website, be aware that most of the ones I’ve found are either owned by this same company or have strong affiliate schemes with it. Even my old trusty VPN provider, PIA, was bought by this shifty company (and no one told me!), so obviously I’ve decided to switch. Then there’s a multitude of smaller and equally shifty companies offering all kinds of “benefits” with their VPN offerings that also don’t seem to be backed up by companies I’d trust, or by facts.

Criteria for trusting a VPN provider

  1. “No-logs” 3rd party audit; is the full report published, or just summary results?
  2. Security 3rd party audit; is the full report published, or just summary results?
  3. Reliance on open source technologies and standards
  4. Transparency
  5. Availability, speed, and features
  6. Fair business model

VPN Providers

With all that in mind, let me give you the short answer: Mullvad VPN is the best VPN provider around for privacy, security, and transparency. They are as open-source as it gets, publish their security and no-logs 3rd party audits in full, practice a fair business model, have been around for a while, and collect as little information about you as possible (not even your email address).

If Mullvad isn’t working for you, or if being outside the 14 Eyes really matters to you (even though a provider that is regularly and transparently audited and keeps minimal information on you has nothing to hand over to authorities, even if forced), try IVPN instead, based in Gibraltar. They are very similar, but Mullvad takes the crown in my opinion. I’m not the only one who thinks so: although it’s a little old now, the New York Times published an extensively researched article on this a few years ago.

If you’re really into streaming or gaming over VPN, you might consider NordVPN. On paper, they answer a lot of the criteria we’ve discussed, maybe all of them. Add the highest VPN speeds and servers regularly tuned for geo-restricted content streaming and you’ve got a winner. Well, I personally have a problem when someone says “[I’ve done a security audit but only certain people may see the results]”, although they seem to be getting better at publishing more of their audits and their scope. It’s just not comparable with the audits of Mullvad or IVPN at the time of this writing, at least not to the general public. There’s also a bit of a mess with their company holding structure, which to me shows that transparency is just not something they take seriously. Oh, and their Linux client is CLI only, which annoyed me personally. In addition, when I tried them, I got speeds comparable with Mullvad’s. Mind you, I didn’t measure latency for gaming and didn’t try streaming geo-unblocking. They had very prompt customer support, but I also had to contact them in order to cancel my free trial, so I guess it’s good they reply quickly, but I don’t like that extra hurdle in the first place. In contrast, I’ve yet to need to contact Mullvad’s customer support, so I don’t know if it’s quick and helpful, but everything has just worked so far. Not so with NordVPN.

I’ve seen that ProtonVPN is gaining traction recently, but in my opinion they have a way to go before they can compete, simply because time does its own thing. I still don’t see security and no-logs audits published for their backend (just for their clients). What I do see is too many boasts about ex-CERN employees and their genius, which I do NOT doubt. Still, that won’t convince me you’re safe or trustworthy as a company. I need transparency for that. So see where they are when you’re considering a VPN provider. I haven’t tested their platform, but others seem to be impressed with their speeds and quickly rising server numbers, so it might overtake NordVPN for gaming and streaming jockeys. I’d prefer ProtonVPN over NordVPN if those were my choices and their gaming/streaming speeds were comparable.

Using a VPN does not guarantee your safety or privacy

Free-of-charge VPN providers are a dime a dozen and generally not trustworthy. If you’re using cost-free VPN software you should check the company behind it to see what sort of mischief they get up to with your device and data. Needless to say, if you don’t trust the provider, you shouldn’t give it access to all your internet traffic: a VPN provider sees every connection that flows through its tunnel (the destinations, timing and volume, plus any content that isn’t separately encrypted end-to-end with TLS or similar).

But even if you’re paying a reputable VPN provider, it’s all about what you’re trying to achieve and the risk-versus-reward formula. Basically, if you’re targeted by experts, you should be practicing better security measures than just using a VPN. And I don’t just mean Tor over VPN. I mean securing all access points to your network, e.g. your WiFi router: its firmware, functionality, and configuration could make you very vulnerable to all kinds of attacks, especially if your attacker has access to your physical vicinity. Air-gapping, firewalls, passwords, recovery accounts, multi-factor authentication, hardware keys, killswitches, and a whole bunch more are all important to consider for your safety and privacy. Not to mention social engineering attacks and all manner of malware. And even though a good VPN provider is a good first step, you’ll still need to consider your usage practices. For example, if you’re logged into your identified accounts in a browser session, you might be tunneled in via VPN to your web services, but your cookies and session still tie that traffic to your identity, and your information is still being sold to the highest bidder when using Facebook, Google, Apple, Microsoft, and a horde of other products and services. No Man-in-the-Middle, just the Man-in-Control.
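As an added example (not from the original post, and not any provider’s own configuration), here is the shape of a WireGuard client configuration with a firewall-based killswitch, following the pattern documented in the wg-quick(8) manual page: once the tunnel interface is up, any outgoing packet that is not leaving through the tunnel and does not carry the tunnel’s firewall mark is rejected, so a dropped tunnel results in no connectivity rather than a silent fallback to the bare ISP connection. The keys, tunnel addresses and endpoint below are placeholders, not real provider values.

```ini
[Interface]
# Placeholder values: replace with the private key, tunnel address and DNS
# resolver your provider issues. Nothing here is a real key or endpoint.
PrivateKey = <client-private-key>
Address = 10.0.0.2/32
DNS = 10.0.0.1

# Killswitch (pattern from the wg-quick(8) man page): after the tunnel is up,
# reject any outbound packet that is not going out via the tunnel interface
# (%i) and is not the tunnel's own fwmark-tagged traffic, except for packets
# addressed to the host's own local addresses. PreDown removes the same rules
# before the tunnel is torn down.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

[Peer]
# Placeholder peer: the provider's server public key and 'IN' endpoint
# (203.0.113.10 is a documentation address, not a real server).
PublicKey = <server-public-key>
Endpoint = 203.0.113.10:51820
# Route all IPv4 and IPv6 traffic through the tunnel. With a default route in
# AllowedIPs, wg-quick sets up the fwmark and policy routing that the rules
# above rely on.
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

Two caveats worth checking on your own machine: the rules only exist while the interface is up, so anything sent before `wg-quick up` (or by a process that bound to the physical interface earlier) is not covered; and the DNS resolver must be reachable through the tunnel, otherwise name lookups are rejected by the killswitch rather than leaked to the ISP, which is the intended failure mode but will look like a broken connection.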

Further reading

* Cover image courtesy of Privecstasy on Unsplash

Interesting Links and Reads