Disadvantages of Using a VPN?

  • I've got a yearly subscription to a VPN service which is really quick and, from the research I did at the time, seems to be pretty legitimate, but are there any disadvantages or scenarios where you perhaps shouldn't use a VPN?

    I'm from the UK and I usually just have the VPN setup to automatically route everything through a VPN server located in London.

    If, for example, I want to connect to my online bank account, am I putting my credentials and packets at risk by having them sent over the VPN server? I'm assuming that the bank's login page is pretty secure already, so by routing through a VPN server am I creating extra risk by routing over this third party?

    The question boils down to: are there any situations where you wouldn't want to use a VPN, or is it always beneficial to security?

    (Ignore cost / decreased network performance)

  • Yes, it could be a disadvantage. What it boils down to is how much you trust the VPN provider.

    For most secure protocols, using a VPN will be just as secure because your communications are encrypted by the protocol. If there was a MITM at the other end of the VPN connection they would not be able to do much (apart from side channel attacks, which are usually pretty useless in isolation). Of course, this is assuming the protocols and software are secure, and are not affected by the FREAK attack or other downgrade attacks.

    However, the web is different. The main issue is that the Same Origin Policy does not designate a different origin for plain vs encrypted where cookies are concerned. A cookie set on http://example.com can be read by https://example.com. If there are any cookie handling vulnerabilities on the site then the "secure" connection could be compromised. The Secure Flag does not help here - this only prevents a plain HTTP connection from reading a cookie set over HTTPS, not the other way round. An example could be cookie poisoning like session fixation, or if there's an XSS vulnerability based on a cookie value that was assumed to only have been set via HTTPS. These are really vulnerabilities on the sites themselves, however using an untrusted connection allows them to be exploited.

    So if there is any doubt about the trust of your VPN provider, then disable plain HTTP from your browser and use the internet over HTTPS only. You can do this by setting an invalid proxy server for plain HTTP (e.g. 127.0.0.1:8).

    Of course, you should make sure you are using a secure protocol for your VPN connection too (e.g. not MS PPTP). Also, make sure you use iptables/Windows Firewall properly to prevent any incoming connections to your machine whilst connected to the VPN.

    Another way to block plain-text HTTP is to install the EFF's HTTPS Everywhere and turn on its *block all unencrypted requests* mode. Also, HSTS is becoming more and more common, and especially with preloading nicely mitigates against the particular attack vector of mixing HTTP and HTTPS.
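The cookie scoping rule described in this answer can be checked directly with Python's own `http.cookiejar`, whose policy follows browser behaviour. The example below is added here and is not part of the original answer or of any library the answer mentions; the hostname `example.com`, the cookie values and the `Set-Cookie` headers are constructed for the demonstration, and `FakeResponse` and the `hsts_rewrite` helper are hypothetical stand-ins for a real response object and for a browser's HSTS store. It shows that a cookie injected into a plain-HTTP response is attached to a later HTTPS request to the same host (the session-fixation path), that the `Secure` attribute only blocks the reverse direction, and that a known HSTS host never has the plain-HTTP request issued at all, which is why HSTS (with preloading) closes this vector.

```python
"""Cookie scheme-blindness and the HSTS mitigation, demonstrated offline
with the standard-library cookie jar (added example, not from the answer)."""
import email.message
import http.cookiejar
import urllib.parse
import urllib.request


class FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()
    to return a message object exposing get_all("Set-Cookie")."""

    def __init__(self, set_cookie_headers):
        self._msg = email.message.Message()
        for value in set_cookie_headers:
            self._msg["Set-Cookie"] = value  # __setitem__ appends, so repeats survive

    def info(self):
        return self._msg


def receive(jar, url, set_cookie_headers):
    """Simulate the jar processing a response to `url` (constructed headers)."""
    jar.extract_cookies(FakeResponse(set_cookie_headers), urllib.request.Request(url))


def cookies_sent(jar, url):
    """Return the Cookie header the jar would attach to a request for `url`."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie", "")


def http_set_cookie_reaches_https():
    """An attacker-chosen cookie arriving over plain HTTP is sent to the
    HTTPS login page: the jar keys cookies by host and path, not scheme."""
    jar = http.cookiejar.CookieJar()
    receive(jar, "http://example.com/", ["session=attacker-chosen"])
    return cookies_sent(jar, "https://example.com/login")


def secure_cookie_stays_on_https():
    """The Secure attribute only stops an HTTPS-set cookie leaking to HTTP;
    it is still sent on HTTPS requests, as intended."""
    jar = http.cookiejar.CookieJar()
    receive(jar, "https://example.com/login", ["session=real; Secure; HttpOnly"])
    return cookies_sent(jar, "http://example.com/"), cookies_sent(jar, "https://example.com/account")


# Hypothetical HSTS store: hosts a browser already knows (or has preloaded)
# as HTTPS-only. A real browser persists this from Strict-Transport-Security.
HSTS_HOSTS = {"example.com"}


def hsts_rewrite(url, hsts_hosts=HSTS_HOSTS):
    """Upgrade http:// to https:// for known HSTS hosts before any request
    is made, so an on-path injector never sees a plain-HTTP exchange."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme == "http" and parts.hostname in hsts_hosts:
        return urllib.parse.urlunsplit(("https",) + tuple(parts[1:]))
    return url


def injection_blocked_by_hsts():
    """With HSTS in effect the plain-HTTP URL is never fetched, so the
    injected Set-Cookie from the first scenario has no request to ride on."""
    return hsts_rewrite("http://example.com/") == "https://example.com/"


if __name__ == "__main__":
    print("HTTP-set cookie sent over HTTPS:", http_set_cookie_reaches_https())
    print("Secure cookie on http / https:", secure_cookie_stays_on_https())
    print("HSTS upgrade prevents the plain request:", injection_blocked_by_hsts())
```

The first function is the case the answer warns about: nothing about the cookie says "only trust me if I arrived over TLS", so a site that reads the session cookie on its HTTPS pages cannot tell a legitimately issued value from one injected on the untrusted path. Disabling plain HTTP in the browser, or HSTS on the site's side, removes the plain-HTTP request in which the injection would happen.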

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM