VPNs, or virtual private networks, continue to be used by millions of people as a way of masking their internet activity by encrypting their web traffic and hiding their location.
But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say.
“Most commercial VPNs are snake oil from a security standpoint,” said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. “They don’t improve your security at all.”
It’s a development that highlights how the cybersecurity landscape has changed: Hackers are less likely to target people’s individual devices and instead focus on the login information for their most important accounts.
For years, experts warned it was dangerous for average people to use the Wi-Fi at a public place like a coffee shop without taking steps to obscure their internet traffic. Someone sharing a Wi-Fi network with strangers was essentially sharing all their traffic with others who were using it. If someone decided to check their bank balance, for example, they ran the risk of a nearby hacker being able to steal sensitive information.
VPNs offered a way to counter that problem. VPNs reroute a user’s internet traffic through their own servers. That can slow browsing speed, but provides the benefit of hiding a user’s Internet Protocol address, which reveals their general location, from the websites they visit.
But that’s no longer the problem it once was. Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock next to the URL, the presence of HTTPS means that the worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people’s internet habits, isn’t feasible.
It’s not clear that the threat of a hacker at your coffee shop was ever that real to begin with, but it is certainly not a major danger now, Weaver said.
“Remember, someone attacking you at the coffee shop needs to be basically AT the coffee shop,” he said in a text message. “I don’t know of them ever being used outside of pranks. And those are all irrelevant now with most sites using HTTPS.”
There are still valid uses for VPNs. They’re an invaluable tool for getting around certain types of censorship, though other options also exist, such as the Tor Browser, a free web browser that automatically reroutes users’ traffic and is widely praised by cybersecurity experts.
VPNs are also vital for businesses that need their employees to log in remotely to their internal network. And they’re a popular and effective way to watch television shows and movies that are restricted to particular countries on streaming services.
But as with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people. Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers’ browsing history to data brokers, or by having poor cybersecurity.
The fix is largely thanks to activists who have pushed for more than a decade for a safer way to browse the internet.
In 2010, cybersecurity activists at the Electronic Frontier Foundation, an internet freedom advocacy group, launched a project to encrypt as much web traffic as possible by developing browser extensions to let users toggle HTTPS and giving websites free tools to enable it.
As more and more people started using HTTPS wherever possible, some of the companies that help most people use the internet got on board. In 2015, Google started prioritizing websites that enabled HTTPS in its search results. More and more websites started offering HTTPS connections, and now practically all sites that Google links to do so.
Since late 2020, major browsers such as Brave, Chrome, Firefox, Safari and Edge have all built HTTPS into their programs, making the Electronic Frontier Foundation’s browser extension no longer necessary for most people.
“Years ago, nobody could imagine that. It’s kind of one of those background wins,” said Alexis Hancock, who oversees the HTTPS project as the foundation’s director of engineering.
Users now need to worry far less about being hacked by a fellow coffee shop patron than by a hacker simply sending an email from anywhere around the world to trick them into giving up their passwords and other sensitive information, she said.
Hackers “would likely do a phishing attack on you before they would walk into a cafe with free Wi-Fi,” Hancock said. “Sending people nefarious emails, it’s much easier to do that kind of campaign. Those have been tried and true, unfortunately.”