Is a VPN really enough? (2024)

One thing that's always recommended when we discuss privacy and security while using the internet, is the use of a VPN. While it can be argued that a VPN is not necessary in every case, and in fact might not actually protect you as you might think it would, it's still a really good idea in a wide variety of situations:

• If you are conducting financial or personal information related communications on a public network- the local coffee shop or something. My recommendations here would be to not do that if you can help it: personally I don't install banking apps and so on on portable devices
• If your concerned about a specific threat, like a government or 'tactical adversary' snooping on your connection- in which case It's advisable to take a couple other precautions over and above just a VPN ( which is a topic for another discussion). Also, in this case in addition to avoiding prying eyes, you may be 'masking' where you are connecting from to avoid detection of your actual location- in which case a VPN is not always ( usually) adequate protection. ( Again, a topic best saved for another discussion, as is the reliance on a service like TOR).
• If you are connecting to a remote network with specific security requirements and controls, like a company intranet- in which case something like the below concept might not be effective, except that simply snooping locally on network traffic ( which the article below mentions as a potential problem even without a VPN).

This is a really interesting write-up of a potential vulnerability that both explains how a VPN works and some of the stuff going on under the hood when you connect to the internet, and also demonstrates how a VPN might be defeated.

I like the mitigations they suggest, but they are pretty technical and not really practical in my experience for most people ( Not to mention that in this article and proof of concept, the application in a Microsoft environment isn't really well addressed, for understandable reasons from a researchers point of view) . Since the central issue is the use of a DHCP server in the local environment this is both the main vulnerability and begs the easiest solution: don't use a DHCP client for secure communications if you can possibly help it. This also isn't usually practical for folks who connect to multiple public networks- you'd have to enable and disable DHCP along with connecting/disconnecting from the VPN in order to use each network: this can be scripted or done manually, but it's an extra level of 'needing to do something every time' and can be a training issue : I'd guess at best you'd get 2/3 of users to do it if it wasn't completely automated. The detections are a similar issue: they have to both be implemented and responded to. This also can be done automatically and even invisibly to the user, but it's still policy and action intensive- not really practical for a user or even a medium-sized business to accomplish on their own consistently .

So, the question I'd anticipate - and have heard and seen discussed- from most people concerned about this, regardless of their technical level is- should I bother with a VPN at all?

In this specific case, it's relevant to note that there isn't evidence of this actually having been in use (yet) and also the exploit would require some level of local administrative access. Note that the DHCP client need not be altered, you'd just be taking advantage of the way DHCP works , but you do need the client to accept DHCP from a source you control to take advantage of it. While most 'attackers' would consider this trivial, it seems like it's pretty specific : and at that level, you would have other problems you'd be dealing with as well that have to do with someone hiding in your local network environment.

All of that having been said: having and using a VPN is just one layer of internet security. Think of it as one more thing you can do to protect yourself, your business, your work, your data. The point is that to really be effective, it has to be used along with other measures and policies in order to 'work' for you.

If you have questions ( or comments) regarding cyber security and personal data provicy, my DMs are always open .