sbradley
Contributing Writer

VPNs and browsers — staying secure while online

opinion
Jan 24, 2022 | 5 mins
Browsers, Microsoft, Security

There’s been a growing focus on the use of VPNs for routine surfing. But browser choice, search engine selection, and third-party tools are at least as important for online security.


In business, we’ve used Virtual Private Networks (VPNs) for years. But I’m now seeing recommendations that consumers use VPN software to make internet connections more private so sites can’t snoop on your surfing and other communications. As someone who runs a website that uses IP address reputation as a guide to know who is and is not reputable on my site, I can tell you that using a VPN often assigns you an IP address that’s less than stellar. As a result, if you attempt to access sites that check for reputation, such as your bank, you may find yourself blocked.

I’m not against the concept of consumer-based VPN software, but I’m not convinced it’s the security panacea many think it is. Users think it’s keeping sites from tracking them, or keeping them safe when surfing on coffee shop Wi-Fi. They think it keeps prying eyes from reviewing our web traffic. But all VPN software is not created equal. I recently read new research from Consumer Reports that tested various VPN platforms; I was surprised to find that the top VPN providers included vendors I’ve not even heard of.

As the publication points out in the article and related white paper, ultimately you decide who or what you trust while online. Do you trust your ISP or a VPN vendor to watch what you connect to? If you don’t trust your ISP, you might want to change to a different ISP, one that has a better reputation. Also consider that nearly all of the websites we visit now support https:// and thus, the transmission to that site is protected by an SSL certificate and can’t be intercepted if you go online using public Wi-Fi. As pointed out a while back in Wired, concerns about the use of public Wi-Fi are now lessened as we’ve moved to an always-https:// world.

One security suggestion I have is to use different browsers based on what you are doing online. Use one for more sensitive tasks such as online banking, and another browser for generic surfing. As Consumer Reports notes, instead of focusing on a VPN, consider “using a password manager, setting up multifactor authentication, enabling HTTPS-only mode on your web browser, and blocking ads or trackers with a tool like Privacy Badger or uBlock Origin.”

Microsoft is in the early stages of beta testing a setting in its Edge browser that will proactively protect against zero-day attacks. Given the increasing number of zero-days in Chrome, which Edge is built on, this is a wise move by Microsoft. Included in version 98.0.1108.23 released on Jan. 14, the zero-day protection, as Microsoft notes, can “enhance your security on the web.

“[It’s] a browsing mode in Microsoft Edge where the security of your browser takes priority, giving you an extra layer of protection when browsing the web. Administrators can apply the following Group Policies to end-user desktops (Windows, macOS, and Linux) to help protect against zero days. These policies also make [sure] that important sites and line of business applications continue to work as expected. This feature is a huge step forward because it lets us mitigate unforeseen active zero days (based on historical trends). When turned on, this feature brings Hardware-enforced Stack Protection, Arbitrary Code Guard (ACG), and Content Flow Guard (CFG) as supporting security mitigations to increase users’ security on the web.”

There are three new group policy and registry settings to control this, but you can try it out on a standalone basis by downloading the Edge canary channel version. In the browser, click on the three dots in the upper corner and click on Settings. Now click on Privacy, search, and services. Scroll down to Enhance your Security on the web and choose whether you want to use Balanced security or Strict. Note that this setting is also available in the regular version of Edge, though it does not appear to have the same protections as in the beta version. (Remember to also enable the super-duper secure mode I wrote about.)

When reviewing options for privacy and security, remember there is a variety of privacy-focused software listed on “Nomoregoogle.com.” Often, I see the obvious side effects of online tracking in my search engine process: I’ll search for an item and the next time I go online, I see exactly what I searched for pop up in ads. Thus, review your options for search engines other than Google. I routinely try different search engines using the same terms to see what results come up. You’ll usually see different offerings based on which search engine you use.

So when do I use VPN software? Honestly, it’s when I want to pretend to be located in another country to get around arbitrary geo-blocking that limits access to certain websites. (There are videos I like to watch that are blocked from the United States; when I use a VPN that broadcasts an IP address from another country, I can access the video.) But, like Consumer Reports, I’m of the opinion that a VPN does not protect internet surfing from prying eyes. Instead, it simply moves that risk from your ISP to the VPN vendor.  As Consumer Reports notes, instead of using VPNs, prioritize blocking ads or trackers with tools like Privacy Badger or uBlock Origin.


Susan Bradley has been patching since before the Code Red/Nimda days and remembers exactly where she was when SQL slammer hit (trying to buy something on eBay and wondering why the Internet was so slow). She writes the Patch Watch column for Askwoody.com, is a moderator on the PatchManagement.org listserve, and writes a column of Windows security tips for CSOonline.com. In real life, she’s the IT wrangler at her firm, Tamiyasu, Smith, Horn and Braun, where she manages a fleet of Windows servers, Microsoft 365 deployments, Azure instances, desktops, a few Macs, several iPads, a few Surface devices, several iPhones and tries to keep patches up to date on all of them. In addition, she provides forensic computer investigations for the litigation consulting arm of the firm. She blogs at https://www.askwoody.com/tag/patch-lady-posts/ and is on twitter at @sbsdiva. She lurks on Twitter and Facebook, so if you are on Facebook with her, she really did read what you posted. She has a SANS/GSEC certification in security and prefers Heavy Duty Reynolds wrap for her tinfoil hat.