MSN Article: VPNs Are Snake Oil Because HTTPS Exists

We’ve seen a lot of articles that offer misleading or outright misinformation. One article says VPNs are snake oil.

Over the years, we’ve debunked a lot of articles published on large “news” websites. Sometimes it’s to set the record straight about copyright. Other times, it’s to basically combat politically motivated disinformation campaigns. With so much bad information being published by larger outlets, it can be difficult to differentiate between what is good information and what is hot garbage. To be fair, a large portion of outlets actually falls in the category of offering a mix of good and bad information.

Still, it is important to know what is actually bad information. Recently, we came across an article that really takes the cake on how bad an article on a major publication can be. MSN published an article saying that VPNs are no longer needed. Remarkably, the author managed to get a quote from an “expert” saying that most VPNs (Virtual Private Networks) are modern day snake oil. From MSN:

But on the modern internet, most people can safely ditch them, thanks to the widespread use of encryption that has made public internet connections far less of a security threat, cybersecurity experts say.

“Most commercial VPNs are snake oil from a security standpoint,” said Nicholas Weaver, a cybersecurity lecturer at the University of California, Berkeley. “They don’t improve your security at all.”

It’s a development that highlights how the cybersecurity landscape has changed: Hackers are less likely to target people’s individual devices and instead focus on the login information to their most important accounts.

So, what is this magical security system in place today that makes VPNs so obsolete?

But that’s no longer the problem it once was. Most browsers have quietly implemented an added layer of security in recent years that automatically encrypts internet traffic at most sites with a technology called HTTPS. Indicated by a tiny padlock by the URL, the presence of HTTPS means that worrisome scenario, in which a scammer or a hacker squats on a public Wi-Fi connection in order to watch people’s internet habits, isn’t feasible.

So, what is the more appropriate reaction to this? Laughing really hard at how incompetent such a statement is or being absolutely horrified that this was actually written and published in the first place? We’re honestly not entirely sure.

So, first of all, if you are looking at VPNs and HTTPS, what you really are looking at is layers of protection. It’s just like COVID-19 protections. Wearing a face mask while in public is a layer of protection. Getting vaccinated is a layer of protection. Is any one method bullet proof? No. Do they help protect you from COVID-19? Yes. A face mask won’t protect you if you rip it off and lick other people’s faces. A vaccine doesn’t mean that you are 100% immune from the virus. As such, if you got a vaccine, that isn’t a license to never use a face mask ever again – nor is it a license to travel from rave to rave after thinking you are completely safe from COVID-19.

In the same sense, HTTPS does offer a layer of protection, but it is certainly far from being impervious from a security standpoint. What HTTPS does is offer a layer of protection between your browser to a website. We can honestly say that a website that implements HTTPS is better than a website without HTTPS. Still, it sure as heck isn’t a be all and end all solution.

What HTTPS does not guard against is online tracking. Websites that use something like Google Analytics, for instance, can still track your activity on your site. Sites that implement ads that have tracking technology can still track you.

What’s more is that HTTPS security depends entirely on the website you visit having implemented HTTPS. If you happen to stumble across as site that is still on bare HTTP, that level of security you were enjoying through HTTPS instantly vanishes. What’s more is that it is actually tricky for website owners to fully implement HTTPS. Some sites might have misconfigured the code for an image, for instance. As a result, a message can be seen saying that the content offered is a mix of protected and unprotected content. If you are relying solely on HTTPS for your security needs, that alone can technically compromise your security.

The security of a good VPN can protect against that. Instead of relying on the security of every website you happen to visit, you are simply relying on the security of your VPN instead. If the websites HTTPS is misconfigured or non-existent, a VPN can help to make up for such a security shortfall.

Over top of that, HTTPS does not protect you from a malicious third party website. If the website has drive by downloads on their site, is a phishing site, or is a scam, HTTPS absolutely does not protect against that. That is what makes telling people that HTTPS is all you need so bad. Some people are going to read that and not think about security at all because all they will care about is seeing that padlock on their browser. You still need ways of protecting yourself from such malicious things online.

Documentation about the security of HTTPS vs a VPN have been around for a while. An example is this:

HTTPS vs. VPN: Which is better?

Each of these tools is better at different things, and they work great together to keep you secure. If you want safe, private, and unrestricted internet access, you need both.

  • HTTPS needs to be enabled on both your browser and on the website you visit, while a VPN will always work as long as you keep it on.
  • HTTPS provides end-to-end encryption, while a VPN provides encryption from your device to the VPN server.
  • A VPN secures all online communications coming from your device, while HTTPS only provides encryption between the website and your browser.
  • HTTPS is vulnerable to certain attacks (like root certificate attacks) that a VPN can sometimes help protect it from. HTTPS encryption is also generally weaker than the encryption a VPN provides.

Neither will protect you from attacks or scams on the websites you visit (unless the VPN offers a tool like CyberSec, which blacklists malicious websites).

Here’s another source on the subject:

Is HTTPS enough for online security?

The short answer is no; unfortunately, it isn’t. First of all, you will still find sites that do not use it – although that is getting rarer. Plus, it cannot protect all the information you send when you go online – it only secures your browser traffic.

Your apps communicate with the Internet more than you’d think – and you need to protect everything, not just what happens on your browser. HTTPS can also be susceptible to specific attacks (like Root Certificate Attacks) that a VPN can protect you from.

What is a VPN?

A VPN (short for Virtual Private Network) is a technology that helps you become private and secure online. If you want to learn about it in-depth, we have a detailed article about VPNs right here. Like I’ve mentioned before, VPNs are commonly associated with encryption, and that’s entirely true.

When you use a VPN, it becomes a “tunnel” that you use to access the Internet, bypassing your Internet Service Provider (ISP). During this process, it encrypts all the data you send and uses various security measures to ensure that you are very hard to trace, private, and secure. A VPN will also hide your IP address and can make it seem like you’re in a different place, all while you’re at home on your couch.

Yet, the article dismisses all of this as just hyperbole:

But like with antivirus software, the paid VPN industry is a booming global market despite its core mission no longer being necessary for many people. Most VPNs market their products as a security tool. A Consumer Reports investigation published earlier this month found that 12 of the 16 biggest VPNs make hyperbolic claims or mislead customers about their security benefits. And many can make things worse, either by selling customers’ browsing history to data brokers, or by having poor cybersecurity.

The fix is largely thanks to activists who have pushed for more than a decade for a safer way to browse the internet.

Over the last few years, there has been growing momentum to flip the script on security. Microsoft has been touting its Defender product as the security method of choice of anti-virus protection. Of course, throughout its history, Microsoft hasn’t exactly been known for its security prowess. So, some have been saying that third party anti-virus software is a thing of the past thanks to added security on a Windows 10 operating system. Of course, PCMag has pointed out that despite many different developments being deployed to protect users from viruses, third party anti-virus software is necessary:

If you’re using a Windows computer or an Android device, you should most definitely install a third-party antivirus utility. Windows Defender is getting better, but it’s not up to the best competitors, even the best free ones. And Google Play Protect is ineffective.

Mac users need protection too. One study showed that last year Macs got infected at a higher rate than PCs. That could well be due to the Mac’s long-standing reputation for resisting malware. As for iOS, Apple got it right, right from the start. These platforms have security built in such that it’s nearly impossible for an attack to succeed (nearly, but not completely). That protection also means it’s nearly impossible to write an iOS antivirus. Use the time and money you saved not installing iOS protection to triple-check all your other devices.

On another site, we see the conclusion that you might need both a VPN and anti-virus software for better security:

Do You Still Need Antivirus?

Overall, you probably still do need antivirus software, but some types of devices need it more than others. The only operating system that you absolutely do not need to install antivirus software on is iPhones. However, Windows, macOS, and Androids still need antivirus software.

If I Have A VPN, Do I Still Need Antivirus?

In a nutshell, yes, you still need a VPN even if you use antivirus software. Why? Because comparing VPNs and antivirus software is like comparing apples and oranges. While VPNs encrypt your device’s IP address and web activity, antivirus software guards against viruses and malware, so there’s no overlap in their capabilities. However, some antivirus options come bundled with VPNs, so you may be able to knock out two birds with one subscription.

Recap

Although some devices may have built-in protection against viruses, using third-party antivirus software is a necessity, be it free or paid. Below, we’ve answered some of the most common questions we get about antivirus software, so read on if you’ve still got some question marks in your mind.

At the end of the day, the original MSN article is just really bad. There are more threats to your security beyond someone hacking your wi-fi at a local coffee shop. What’s more is that people use VPNs for a huge variety of reasons beyond business purposes and protecting against the hacker at a coffee shop. VPNs can circumvent region locking, help protect against online tracking, guard against ISPs tracking and traffic shaping, can guard against government surveillance and censorship, and a whole lot more. So, the idea that VPNs are worthless from a security standpoint is plain wrong.

What’s more is that MSN probably should retract the article and issue an apology to users. It’s difficult to calculate just how many things are wrong with this article, but we tried to offer a few ways that it was.

If I was a user who happens to not use a VPN, I don’t think it is wise to begrudge users who do. Another thing is, users use the Internet for a variety of reasons. I might use the Internet for browsing around for news articles. Others might use it for gaming. Some might use the Internet for buying and selling shares in the stock market. The way I use the Internet probably won’t be the way you use the Internet. Similarities do happen, but that’s about it. Because of these differences, people’s security needs will differ. That is partly why there are so many different options to secure your Internet connection and your computer.

For those reasons – and many others – trying to suggest that VPNs are either worthless or completely worthless just doesn’t fly. Just because you feel you don’t need a VPN doesn’t automatically mean that VPNs are worthless.

Full Disclosure: Freezenet uses Google Analytics and Google Adsense. Google Analytics is specifically used to track what pages are being used by users in general and what pages aren’t. Adsense is for generating revenue that pays the cost of servers and the domain name. If you use ad blocking and tracker blocking, I am perfectly OK with that. I respect your decision as a user. Still, if you are blocking our ads and find our site useful, please consider supporting us in other ways. Currently, we have Patreon and Ko-fi set up and we hope that, someday, we’ll have more options for you to help support us in the future as well.

Drew Wilson on Twitter: @icecube85 and Facebook.



Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.


%d bloggers like this: