Popular Misconceptions About VPNs

Many people use VPNs for their Internet connections, in the attempt to prevent their Internet Service Providers (and others) from seeing what they do while on the Internet.

These VPN services tunnel all of your web traffic (everything you do with your Internet connection, not just data from web browsing) through their servers.

( Of course, VPNs are also used for connecting two remote locations together over the Internet, but that is outside the scope of this post. )

While a VPN service can potentially help to protect your privacy, there are many myths people believe about VPNs.

1 : VPNs will prevent hackers from hacking into my computer

First off, if your computer has an open attack vector facing the Internet, you will eventually get hacked sooner or later.

Secondly, VPNs do not stop malware from infecting your computer (thus allowing a hacker into your computer), nor does it prevent a hacker from learning your real IP address and trying to attack your computer directly.

2 : No malware can get onto my computer while using a VPN

As mentioned above, VPNs do not stop malware from infecting your computer. The VPN service will download that malware-infested file just as happily as your ISP would have.

Your best defense against malware, is a good anti-virus/anti-malware application (e.g., Windows Defender or Malwarebytes), and using common sense when downloading something off the Internet (e.g., does the website you are downloading the file from look sketchy?).

I am aware that some VPN providers provide a feature that blocks malware and ads for you automatically. This is just the VPN provider blacklisting known malware and ad-tracker domains. The VPN itself is not protecting you. It is the blacklists on their DNS servers that are protecting you.

You can provide yourself the same kind of protection by running a Pi-Hole device on your network.

Of course, it is more user-friendly to have a VPN service automatically do this for you, instead of doing it yourself.

3 : VPNs will get past all geo-restricted websites

While VPNs can successfully access geo-restricted web content, some content providers (e.g., Netflix and Steam) disallow VPNs of any kind (according to their Terms of Service). However telling someone that VPNs will always work with geo-restricted websites is just plain false information.

4 : Every “no log” provider really does not log anything

As an IT administrator, I know that not logging anything is pretty much impossible, since logs are necessary to help fix critical problems. While logs can be anonymized, you have no guarantee they are in fact anonymized. It is up to you to decide who to believe when it comes to “no logs”. After all, you are using their network, not your own. Ultimately you are just taking their word for it.

Even if the VPN is telling the truth about not logging (50/50 chance), the VPN’s own ISP most certainly will log all traffic outside of the VPN’s control. So if you are directly connecting to the VPN – with your own residential IP address – your IP is still being logged somewhere.

5 : I can be an outlaw online, since I use a VPN

No VPN will completely protect you if you are doing something to attract the attention of a large, well-connected organization (e.g., a government agency). So if you are thinking about doing something illegal online (via a VPN), you better just forget it. You will get caught sooner or later.

6 : I am completely anonymous to my VPN provider

This one can be semi-true. There are VPN providers that only require an email and can be paid in cryptocurrency (e.g., Bitcoin). However, unless proper steps are taken, your Bitcoin payments can still be tracked.

Also, your VPN provider will know your real IP address, which may help identify who you are.

7 : Anything I send over a VPN is completely secured from prying eyes

A VPN service does not provide point-to-point security. What I mean is that if you access my blog (via HTTPS) through a VPN, your initial connection is encrypted both at the browser and the VPN connection you have established.

However that extra security stops at the VPN itself. Whatever you transmitted to my server gets sent out as if you never used a VPN to begin with after it leaves the VPN’s server.

VPN Service Diagram
Diagram of How a Typical Paid VPN Service Works

If you are using a HTTPS enabled website, neither the VPN provider nor anyone else can look at the contents you are transmitting.

On the other hand, if you use a website that has no HTTPS (HTTP-only), then both the VPN service and anyone else (after the data leaves the VPN) can not only snoop your traffic, but they can also modify it. That would not be good for your privacy.

8 : All VPN services have full control over their servers

While it is true that most (if not all) VPN services own their own servers (dedicated or VPS), this does not necessarily mean they have full, complete control over their servers.

Why? Simple. Unless they acquire their own data-center, the VPN company has no real idea of what is happening to their servers. This may not bother you, but it is a potential vector for a security breach of customer information.

9 : With a VPN, you will be anonymous everywhere you go online

There are three problems with this idea.

First, there is no way to be 100% anonymous online. That is a myth.

Secondly, assuming your VPN is not a bad actor itself, the minute you login into a personal account (e.g., Facebook, Twitter, Google, Bing, etc.), you will have just identified yourself to the remote computer.

Third, a VPN service cannot stop web tracking methods like tracking cookies and web browser fingerprinting.

Now you may be asking, “How does this allow someone to track my online visits?”  Good question. A web browser fingerprint is the identification of someone’s web browser in an attempt to track you regardless of what IP address you are coming from.

Basically your web browser is probed to determine what add-ons you have installed, what fonts are installed on your computer, what video card your computer has (via WebGL), PNG hash, what operating system you are using, your web browser’s 2D canvas, etc. All of this information is combined to form a fingerprint of your web browser.

If you have ever visited a website (without using a VPN) and later on you visit the same website (this time, using a VPN), they can still have a pretty good guess that it is you just by looking at your browser fingerprint you left the last time you visited (without the VPN).

Web browser cookies work in a similar manner. If you do not delete your cookies every time you exit a website, later on when you visit that same website again, they can read the cookie they placed in your web browser and know it is you, even if you are connecting under a different IP address via a VPN service.

Now if the website is say an online retailer, then cookies can be a good thing (your online shopping cart will use cookies, and probably will not work without them enabled). So it depends upon why the particular cookies are used.

web cookies used for good – online shopping cart, logging into your webmail

web cookies used for evil – tracking your visits to spy on you and sell the collected information to 3rd-parties…or worse

10 : “My Internet service gets 100/10 (download / upload) speed, so the VPN service I purchased will give me the same download/upload speed”

This one can sometimes be true, but usually isn’t. You have to understand that there are usually so many customers on any particular VPN server, that the bandwidth is strained between all the users.

If you have 100 people each using 10 Mbps of download bandwidth, there is not going to be much bandwidth left for anyone else to use, if the server does a max of 1000 Mbps.

If you have a 100/10 Internet service, you are doing good if you get 50/8 on a VPN. I am not saying that all VPN servers are slow, but in my experience, most of them are. If you have very fast Internet service, don’t expect to utilize all your bandwidth with a VPN service.

11 : “My VPN service has been audited. It has been verified to not be keeping user logs.”

I have heard of a commercial VPN service being audited to “confirm” no logs are being kept. Unfortunately this means nothing.

You are just having blind-faith in what some audit company says. Unless you have personally inspected each and every section of the VPN service’s network, you really have no clue if they are telling the truth about not keeping logs.

It’s your business whether or not to believe an audit, but I personally consider it unwise.

I hope this post has helped dismantle some myths you may have heard online about VPN services.

So what is the best use for a VPN service?

1) hide your activity from your ISP or untrusted network (does not prevent governments from tracking you down)

2) prevent the remote computer (e.g., web-server) from knowing your real IP address

3) circumvent Geo restrictions (not always reliable and may even be violating the “Terms of Service” of the service you are accessing)

Using a VPN for anything other than those three specific reasons will result in a false sense of security for you. Also, as mentioned before, this all assumes that your VPN provider is a good guy. After all, you are sending your data through their network. Since they have become your “new” ISP, they could sell your data for a pretty penny, and you would be none the wiser.

Please Note: I did not write this post to scare you away from using a VPN provider, but I wanted to make sure people understand that a VPN service is not a “magic pill” that will cure all of your online web privacy problems (as many people seem to think).

Using a VPN for the purpose of preventing your government from spying on you or being 100% anonymous on the web is pointless.


Posted in Computers, Internet and Servers, Security, VPN

Dynamic and Static IP Address Differences

To access the Internet, your Internet Service Provider (ISP) assigns you an IP address. This allows you to talk to other computers on the Internet. Most people do not even think about their IP address they have been assigned, much less what type of IP address they have.

There are two kinds of IP addresses, static and dynamic.

Static addresses never change on you. Even after many months (or even years), the IP address you have been assigned stays the same. Dynamic addresses, on the other hand, usually change every few weeks (or months). Most people probably are assigned a dynamic address for a month or two at a time.

Pros of Static Addresses

  • Allows you to easily host web services (e.g., email, DNS, websites)
  • Helps prevent websites from mistaking you for being an abusive user. This is because when using a dynamic IP address, someone else had previously used that address, and may have been committing abusive behavior online. However, when using a static address, you (and whoever else has access) are the only ones using your address.
  • Allows for a more stable VPN connection, because a dynamic IP may change any moment, and this will break the VPN connection.

Cons of Static Addresses

  • ISPs usually require you to purchase a “business” Internet package to be able to obtain a static IP. This may cost more money per month than a typical residential Internet package.
  • Everywhere you go online can be easily tracked, since you use the same IP address everywhere you go online (a VPN can help with this problem).
  • If someone starts constantly abusing your IP address (e.g., DDoS attack), you likely will not be able to quickly request a new static IP address from the ISP.
  • If you have a unique host-name assigned to your static IP (necessary to host an email server), you will have less privacy than someone who has a typical residential, dynamic IP address without a custom host-name.

Pros of Dynamic Addresses

  • Usually can easily change your assigned IP address (helpful to stop someone who is abusing your computers; e.g. DDoS attack).
  • Since your IP address is “generic” (used by several other people), you are more anonymous than a static IP constantly browsing the web.

Cons of Dynamic Addresses

  • Hosting web services will not be very stable, since you are using a dynamic IP address that may change anytime on you (note: using a “dynamic IP” DNS service is more of a “jury-rig” than a proper solution).
  • Some web services may think you are a trouble-maker, since someone else may have had your IP address previously and used it to abuse web services.
  • ISPs may deny you the privilege of running any web services unless you have a “business”-grade Internet package (most people using a dynamic IP do not have a business account at their ISP).


Posted in Computers, Internet and Servers, Operating Systems, Security, VPN

Browser Fingerprinting: What Is It and What Should You Do About It?

A web browser fingerprint is the identification of someone’s web browser in an attempt to track you regardless of what IP address you are coming from.

Basically your web browser is probed to determine what add-ons you have installed, what fonts are installed on your computer, what video card your computer has (via WebGL), PNG hash, what operating system you are using, your web browser’s 2D canvas, etc. All of this information is combined to form a fingerprint of your web browser.

Now you may be asking, “How does this allow someone to track my online visits?”  Good question.  People can make use of this fingerprinting to track you even if you take measures to deter people from monitoring your online activity (e.g., using a VPN).

If you have ever visited a website (without using a VPN) and later on you visit the same website (this time, using a VPN), they can still have a pretty good guess that it is you just by looking at your browser fingerprint you left the last time you visited (without the VPN).

This is how websites like YouTube still show you relevant recommendations, even if you use another IP address to access their web service.

Is there any way to stop browser fingerprinting? Not really. You can help confuse trackers into thinking you are someone else by spoofing the fingerprint, but this is not guaranteed to always work.

A browser fingerprint spoofer basically “lies” to a website giving it false information about the web browser. This of course causes the fingerprint to be different than it normally would be. The result? A website thinks you are someone else regardless of the IP address you are connecting from.

(This does not take into account tracking cookies. Websites can also track you with cookies, regardless if they use web browser fingerprinting techniques.)

So what do I recommend to do to help stop browser fingerprinting? Well you can do the following (my opinions, of course):

That should help protect your real fingerprint from being found out. I should note that spoofing your fingerprint may end up breaking certain websites. You will just have to try it out.

Please keep in mind, a browser fingerprint spoofer can end up making your fingerprint unique to everyone else’s fingerprint. This can cause you to stand out like a sore thumb, and cause you to be even more easily tracked. 🙁

This is because most people are not using a fingerprint spoofer and it would become obvious that you (and maybe a couple of other people) are the only ones faking your browser fingerprints. In other words, you do not “blend into the crowd”.

Another trick is to turn on Mozilla Firefox’s “resist fingerprint” feature. This feature, among other things, causes your web browser’s fingerprint to match that of the TOR web browser. This makes you blend into the crowd of TOR users, since they all should be using the same fingerprint.

To turn this feature on:

  • at the about:config webpage (on Firefox), find the option privacy.resistFingerprinting and set it to true, then restart the web browser

However this feature (in my experience) causes some websites to break (animations are slowed down, current time of day will not be correct, etc.) This all helps to prevent websites from fingerprinting the browser.

Please remember that there is no way to be 100% anonymous on the Internet. Always someone out there who can track you. All you are doing is making it harder to be tracked.

I hope I have helped someone with this blog post. It took me a bit to write it, but it is worth it if it helps. 🙂


Posted in Computers, Security, Software, VPN

What Can People Tell from My IP Address?

So what can people tell by looking at your IP address? That is a good question. I will go through the different ways people can try to figure out who is behind an IP address.

Before we start, I need to make sure you know that just because someone has your IP address, does not mean that they can easily figure out who you are. This is because ISPs (Internet Service Providers) keep this information confidential, and usually only law enforcement agencies (with the proper papers) can even have a chance to find out who is / was using a particular IP address.

Also, please keep in mind that many IP addresses are “shared”. There could be dozens (if not hundreds) of computers behind one IP address. So even if you found out who is in charge of an IP address, that information does not prove that the IP administrator is the same person who did something malicious. It could have been any one of those “computers” that did the malicious deed.

Here are different ways a “non-connected” (an average Internet user with no ties to any government agency) can try to figure out who you are.

Geo-Location

This is when someone uses an online service to get the location of an IP address. One such online tool is located here:  https://iplocation.com/

The problem with IP Geo-location services is that they are typically inaccurate. You never know for sure if the user is anywhere close to where these services say they are. In addition, if the user is using a VPN service, they are usually not anywhere close to the stated location anyway.

Summary:  Geo-Location lookup services are typically useless to find out someone’s true location.

Reverse IP Lookup

This is when someone does a reverse lookup on an IP address to determine if there is anything identifying the user (typically a domain name that is associated with an IP address).

If someone can pair the domain name with an IP address, this might give away who is running a particular IP address.

However, this method is usually useless since most people are going to have an IP address that does not have any custom reverse lookup name. This is especially true for people using a dynamic IP address via a residential connection.

Even if you find a unique domain name being used for an IP address’ reverse name, you still would have to know who registered the domain name.

Summary:  A reverse IP lookup usually does not provide any useful information (especially for residential IP addresses).

Being Careless Online

This is when you give out too much information about yourself on the Internet. This would make it a whole lot easier for someone who is running a website (e.g., a web forum) to know who you are, regardless of the IP address you are connecting from.

Summary: Being careless online with your information does not help you to stay anonymous.

As you can see, most (if not all) average Internet users would have a hard time trying to figure out who is behind an IP address, without someone purposely exposing information about themselves.

Therefore, unless you are doing something to attract the attention of a large, well-connected organization (e.g., a government agency) or giving out too much personal information online, you should be fine.

In addition, using a reputable VPN service will pretty much prevent any average Internet user from ever knowing your true IP address, much less your true location.


Posted in Computers, Internet and Servers, Security, VPN

‹ Older Posts Newer Posts ›