How Secure Are VPNs? A Guide for 2020
A virtual private network (VPN) is essential in protecting your online security. We know it, most other outlets know it, and if you landed on this article, you probably know it, too. How secure are VPNs when they’re put under the microscope, though? In this guide, we’re going to answer that question.
We’re going to talk about how a VPN can secure your connection, as well as how far that security reaches. The point of our exploration into this topic isn’t to sell you on a VPN. Rather, it’s to give you a better understanding of how this tech works, as well as the security risks you need to be aware of when harnessing it.
If you want the short answer, VPN security is almost entirely dependent on the provider. You don’t need to shop around, though. Our best VPN service, ExpressVPN, checks all the boxes when it comes to security, as you can see in our ExpressVPN review. Plus, it has a 30-day money-back guarantee, so you can sign up risk free.
How Secure Are VPNs?
There’s nothing inherently secure about a VPN, and you may wonder if VPNs really work. As we explain in our breakdown of virtual private networks, the tech is simply used to allow users remote access to an otherwise private network. Businesses have used VPNs for years to allow employees to access company resources remotely.
For small applications like this, the user simply needs a username and password. An employee connects to the company’s VPN with their login, and voila, they have access to the internal network as if they were physically connected to it. It’s a private network, one that’s created virtually and protected with login credentials.
All About the Protocol
The protocol that negotiates this connection makes the difference. The point-to-point tunneling protocol — an early and popular option for the situation described above — doesn’t offer any additional encryption to your connection (read our VPN protocol breakdown). It’s fast, but it’s not secure, with many known exploits.
So if you’re using PPTP with your VPN, your connection isn’t very secure. Thankfully, that’s not a problem in most cases. There are a handful of services that still support PPTP — read our PureVPN review for an example — though most commercial VPNs have done away with it (read our Private Internet Access review for that).
Nowadays, OpenVPN is the go-to protocol for most providers. It still negotiates a remote connection to a network of servers, but it adds an additional layer of encryption on top of that. The extra encryption makes your connection slower — read our description of encryption to learn why — but it’s also much more secure.
Your security with a VPN is largely determined by the protocol (we’ll get to privacy soon). OpenVPN, which is paired with AES, is the gold standard for every VPN service. The key size may vary, though that has little impact on the overall security of AES. At the time of writing, there are no confirmed exploits of AES if implemented properly.
Encryption is only getting better, too. Multiple VPN services have started implementing WireGuard, which is not only faster than OpenVPN but also more secure. It uses the new ChaCha20 cipher, which, again, has no known exploits at the time of writing. Read our full what is Wireguard piece.
As long as the VPN provider is using some combination of these protocols and ciphers, you shouldn’t have to worry about the security of your VPN tunnel. That is, so long as the VPN provider has everything implemented properly.
Perfect Forward Secrecy
That brings us to perfect forward secrecy (PFS), an incredibly important — though seldom discussed — topic for VPN security. AES may be secure like Fort Knox, but that doesn’t mean it’s impenetrable. Ethan Hunt was able to take down a heavily guarded CIA base in Mission Impossible, and he didn’t do it through brute-force tactics. Extravagant as it may be, the same concept applies to encryption.
Trustwave, a cybersecurity research team, was able to crack AES all the way back in 2013. In a postmortem, the team found that the most important vulnerability was key reuse. That’s where perfect forward secrecy comes into play.
In short, perfect forward secrecy ensures that all future sessions are considered “new” in the realm of encryption. When you connect to a VPN server, that server maintains encryption keys in order to encrypt and decrypt your traffic. If those keys are reused, someone can listen in on the encrypted connection and wait until they can crack a single key.
It’s an inherent flaw in security, not unlike the few minor flaws from the CIA base in Mission Impossible. Perfect forward secrecy ensures that future traffic isn’t compromised by previous sessions by refreshing the encryption key. Countless services have PFS as a core security pillar, including ExpressVPN and Private Internet Access.
What About Privacy?
Determining how safe VPNs are reaches further than raw security practice, though. Privacy is a major player, and it’s what separates secure VPNs from insecure ones. Your connection is encrypted when using a VPN, as determined by the protocol, but it doesn’t remain that way for the entire route of your connection.
At the VPN server, your connection is decrypted. It has to be, otherwise sites like Netflix wouldn’t be able to see your requests (read our best VPN for Netflix guide). Your requests may be hidden from your ISP and government, but the VPN server still needs to understand them in order to execute.
This is where the popular “no logs” claim comes in. Services like CyberGhost, ExpressVPN and NordVPN use an anonymization process at the server level, which either refrains from storing personal information in connection logs or does away with them entirely. With your initial connection encrypted and your connection logs off the books, you’re totally safe.
That’s just in theory, though. Certain VPNs — IPVanish and Avast SecureLine VPN come to mind — have been caught logging user data, despite claiming otherwise. It’s not simply a matter of looking at the cryptography and making a decision. By and large, you simply have to trust the privacy policy of the service you’re using.
Thankfully, some VPN providers have gone further with independent audits (for example, VyprVPN). Others, such as Private Internet Access and Windscribe, have proven that they don’t log information, even under subpoena.
Can You Be Tracked if You Use a VPN?
This topic gets messy, so buckle in. Before getting too deep in the weeds, let’s talk about what a VPN does. A VPN encrypts your traffic and assigns you a new IP address. Your connection is encrypted to the remote server, then anonymized. From there, you’re still accessing the internet, just through a different server.
That’s important to note, as your online activity is still present regardless of your new IP. Someone online may not be able to trace the connection back to your local computer, but they can still see what you do online. If you want to use a VPN to talk trash on forums and the like, know that someone can still track your online activity.
Someone can track your actions online, even if you’re using a VPN. However, they can’t track your connection. This means that no one knows what requests you’re sending from your local machine. The sites you’re on and whatever you’re doing on them can still track what’s happening, though they won’t be able to tie that activity to you.
This is where things get messy. If you’re using a VPN and search for something precarious on Google, the tech giant won’t know that it was you who searched it. That is, unless you’re signed into a Google account. Then, regardless of your encrypted connection and new IP address, Google still knows that it was you who searched for a particular topic.
It’s a small example, and one with minimal impact, but it showcases some of the potential issues when using a VPN. Online tracking is a multifaceted system, with companies like Google pulling data from multiple pools. A VPN is not a free pass to do whatever you want online. It’s merely a step — a rather large one — in securing your online privacy.
VPNs provide the framework to protect you against tracking that you may not be aware of. However, they don’t protect you from data you willingly hand out to companies like Google, Amazon and Facebook. For example, if you have a Twitter profile with your personal information, Twitter can still gather data from you, VPN or not.
ISP and Government Tracking
With the messy bit out of the way, let’s talk about ISP and government tracking. Again, the same rules apply. If you do something online using your own personal information, someone can track it through the public forum. However, your government and ISP can’t track what you’re doing online otherwise.
That’s because of the initial encrypted connection. Instead of routing your connection to your ISP and opening it up to government snooping, a VPN encrypts your requests so that both authorities don’t know that it was you who sent it. As we’ll get into in a moment, the security of modern VPNs is nearly impenetrable, so you’re protected on that front.
Can a VPN Be Hacked?
A VPN can absolutely be hacked, though not in the way you might expect. As mentioned above, commercial VPN services use top-notch encryption to secure your connection, usually in the form of AES-256 or ChaCha20. Both of these ciphers are the best of the best, keeping prying eyes at bay and your online activity private.
In short, you shouldn’t worry about someone hacking your personal VPN tunnel. It’s a fool’s errand, one that requires a few dozen supercomputers and about a trillion years of spare time (we’re not exaggerating here). However, VPNs can be and have been hacked in other ways.
For example, NordVPN, a service we rate very highly in our NordVPN review, suffered a data breach in 2018. Although frightening, this breach didn’t affect the service or any of the users on it, outside of prompting NordVPN to swiftly audit its entire network. It wasn’t the VPN service that failed, though. It was the security of one of the data centers in NordVPN’s network. We can say that NordVPN is safe to use.
The Data Center Problem
VPN services rarely, if ever, own and operate the servers in their network. It’s just not practical; data centers can cost millions of dollars to start, and starting them in the most remote areas of the globe doesn’t make sense. Rather, a VPN service will rent or purchase server space from an existing internet service provider.
AirVPN, for example, has some data centers run by M247 (a popular VPN connection hub for multiple other services). In this case, AirVPN isn’t selling the server space. Rather, it already has the server space with an existing ISP and is selling you software that negotiates a connection with that server.
The VPN tunnel isn’t a concern; external ISPs are. They’re the weak link in the connection chain, depending on the ISP’s security measures. In the vast majority of cases, the security measures are fine (after all, an ISP wouldn’t be getting business if it had subpar security). However, in the rare case that something slips through the cracks, it usually comes at the data center level.
We’re only talking theoretically, though. The greatest VPN hack to date is undoubtedly the one NordVPN suffered, and even then, the problem was isolated to a single VPN server.
A hacker can attack a VPN. That said, they’re unlikely to target the VPN tunnel itself. If you want a service that operates its own data centers, check out our ProtonVPN review. Although ProtonVPN still uses external ISPs, it maintains a small set of servers in a former military bunker.
Final Thoughts
VPN safety isn’t a binary topic. It’s filled with multiple variables, all of which can determine if you’re protected online. Still, services like ExpressVPN, CyberGhost, NordVPN and Private Internet Access hit all the marks they should, and in the process, leave your connection much safer than it was before.
We strongly recommend that you use a VPN. Just be sure to use one that can keep you safe. Let us know what service you’re using in the comments below and, as always, thanks for reading.
Jacob Roach is a Midwesterner with a love for technology, an odd combination given his corn field-ridden setting. After finishing a degree in English at Southern New Hampshire University, Jacob settled back under the Arch in his hometown of St. Louis, MO, where he now writes about anything tech. His main interests are web technologies and online privacy, though he dips his toes in photography and the occasional card game as well. You can reach him at jacob[at]commquer.com.