
A VPN, or Virtual Private Network, gives you an encrypted connection from your machine as far as the VPN provider. I'll look at what protection that offers, and where it stops.

I use a VPN - how and what are the protections of this versus just connecting through my ISP? What limitations does this have? Can they "see" what I'm doing (like using a Bit Torrent), and that is coming from my account?

A VPN, or Virtual Private Network, is an approach to safely connecting to a remote resource. Depending on the VPN that privacy can extend from one end of the connection to the other, or it can protect you only for a certain portion.

I'll describe the different scenarios and how you are, and perhaps are not, protected by a VPN.

No VPN At All

I'll use this scenario as the base: you're in an open WiFi hotspot, and connecting to a remote resource like Ask Leo!:

[Diagram: network path on open WiFi from your laptop to Ask Leo!]

The red dotted lines are unencrypted - in other words open - connections.

Typically the largest area of concern is the connection from your laptop to the WiFi router. That open WiFi signal traveling through the air can be "sniffed" or read by anyone in range with a laptop and the appropriate software.

[Diagram: network path on open WiFi from your laptop to Ask Leo!, highlighting the sniffable open WiFi connection]

WPA Encryption

The normal reaction is to use WiFi WPA encryption to the hotspot to remove the sniffing vulnerability:

[Diagram: network path from your laptop to Ask Leo!, with WPA encryption on the WiFi link]

There are two problems with this approach:

  • Most open hotspots simply don't use encryption - that's how and why they're "open".

  • Even if used, it's only the connection to the WiFi device that's protected - everything past that point in the diagram above remains "in the clear".

That last point is important because, for example, someone with access to the WiFi router itself, or to the wired network behind it, could sniff the traffic there, and of course all of the traffic is also visible to the internet service provider to which that hotspot is connected.

A VPN Service

To protect yourself further, a VPN is a common solution.

[Diagram: network path on a VPN connection from your laptop to Ask Leo!]

Using a VPN provider gives you a very high level of security on the first part of the journey: the entire path from your laptop to the VPN provider is encrypted. No one along that path can see your data; not other WiFi users, not the people managing the hotspot and not even the hotspot's ISP. (They can see that you're talking to a VPN provider, just not what you're saying.)

In an open WiFi or other situation with questionable security (such as connecting to the internet at your hotel), a VPN is a great solution.

But ... it's not perfect.

There are two things to note:

  • Your data leaves the VPN provider's servers exactly as you sent it - unencrypted, unless the connection itself is already encrypted (see end-to-end encryption below). That means that the VPN provider, as well as any networking equipment between them and the server you're accessing, can see your data. Someone sniffing at that point is far less likely than at an open hotspot, but you have moved your trust from the hotspot and its ISP to the VPN provider, who can always see your traffic.

  • You're adding additional steps between you and the server you're accessing - typically this slows down the connection somewhat. How much varies based on the VPN service you're using, their capacity, and the server you're attempting to access.

So, no, the ISP you're connecting to the internet through can't see that you're using BitTorrent; only the VPN service can (and the peers and trackers you talk to, who see the VPN provider's address rather than yours). However your ISP would still see that you're connected to a VPN provider and that you're sending and receiving an awful lot of data.

End-to-End Encryption

The only truly private solution is end-to-end encryption. Unfortunately that isn't possible in many cases.

HTTPS is end-to-end encryption between your browser and the web server. That means that connections you make which use HTTPS are completely encrypted along the entire path from your machine to the remote server you're accessing - open WiFi, hotspot, ISP and VPN provider alike see only ciphertext. That's why banks and other services that let you access sensitive data should all be using HTTPS. Many web-based email providers are now also providing full HTTPS connectivity. However not all sites support HTTPS. Sites which don't deal with sensitive information - like Ask Leo! - typically don't provide HTTPS access.

SSL/TLS for email is end-to-end encryption between you and your mail server. When configuring a POP3, IMAP or SMTP connection in your email program, if your email provider supports it choose SSL or TLS - that way your email uploads and downloads, as well as your login information, are completely encrypted along the entire path to your mail server. Note that this protects only the connections you make: once a message arrives at a mail server it is decrypted and stored there, and whether the next hop, from that server to the recipient's server, is encrypted depends on the servers involved. Encrypting the message itself (with PGP, say) is the only way to cover the whole journey.

Your own VPN can be end-to-end encryption. Services like Hamachi, which let you set up your own VPN interconnecting your own machines, encrypt the full path between those machines, because both endpoints are yours.
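The scenarios above all come down to one question: which tunnel covers which part of the path, and who sits at a tunnel's end and therefore handles plaintext. The following is an added example, not code from the article, that models exactly that for the open WiFi, WPA, VPN, HTTPS and email cases; the node names ("hotspot's ISP", "relay", "Internet") and the choice of which server-to-server mail links carry TLS are assumptions made for illustration.

```python
"""Added example: who can read your traffic along the network path.

Rule encoded here: a protection layer is an encrypted tunnel between two
endpoints on the path. Nodes strictly inside the tunnel see only
ciphertext; the two endpoints see plaintext. A hop or node is "exposed"
when no tunnel covers it. Node names are illustrative (assumed).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    name: str
    start: int  # index of the node where encryption is applied
    end: int    # index of the node where it is removed (start < end)


def hop_exposed(tunnels, i):
    """Hop i links node i to node i+1; it is sniffable if no tunnel spans both ends."""
    return not any(t.start <= i and i + 1 <= t.end for t in tunnels)


def node_reads_plaintext(tunnels, j):
    """Node j handles plaintext unless some tunnel passes *through* it."""
    return not any(t.start < j < t.end for t in tunnels)


def exposure(nodes, tunnels):
    """Return (exposed hops, nodes that see plaintext), by name."""
    hops = [f"{nodes[i]} -> {nodes[i + 1]}"
            for i in range(len(nodes) - 1) if hop_exposed(tunnels, i)]
    readers = [n for j, n in enumerate(nodes) if node_reads_plaintext(tunnels, j)]
    return hops, readers


# --- Web scenarios from the article (constructed path) ------------------

def web_path(vpn):
    nodes = ["laptop", "WiFi hotspot", "hotspot's ISP"]
    if vpn:
        nodes.append("VPN provider")      # traffic detours through the provider
    nodes += ["Internet", "web server"]
    return nodes


def web_scenario(wpa=False, vpn=False, https=False):
    nodes = web_path(vpn)
    tunnels = []
    if wpa:    # WPA: laptop to hotspot only
        tunnels.append(Tunnel("WPA", 0, nodes.index("WiFi hotspot")))
    if vpn:    # VPN: laptop to the provider; the provider decrypts
        tunnels.append(Tunnel("VPN", 0, nodes.index("VPN provider")))
    if https:  # HTTPS: laptop to the web server, through everything else
        tunnels.append(Tunnel("HTTPS", 0, len(nodes) - 1))
    return exposure(nodes, tunnels)


# --- Email: per-connection SSL/TLS versus end-to-end PGP -----------------

MAIL_NODES = ["you", "your mail server", "relay", "recipient's mail server", "recipient"]


def mail_scenario(client_tls=True, server_tls=False, pgp=False):
    tunnels = []
    if client_tls:  # SMTPS/IMAPS cover only the connections you make
        tunnels += [Tunnel("SMTPS", 0, 1), Tunnel("IMAPS", 3, 4)]
    if server_tls:  # assumed: every server-to-server link negotiates TLS
        tunnels += [Tunnel("server TLS", 1, 2), Tunnel("server TLS", 2, 3)]
    if pgp:         # message body encrypted before it leaves you
        tunnels.append(Tunnel("PGP", 0, 4))
    return exposure(MAIL_NODES, tunnels)


if __name__ == "__main__":
    for label, kw in [("open WiFi", {}), ("WPA", {"wpa": True}),
                      ("VPN", {"vpn": True}), ("VPN + HTTPS", {"vpn": True, "https": True})]:
        hops, readers = web_scenario(**kw)
        print(f"{label:12} exposed hops: {hops}\n{'':12} read plaintext: {readers}")
    for label, kw in [("client TLS", {}), ("TLS everywhere", {"server_tls": True}),
                      ("PGP", {"pgp": True})]:
        hops, readers = mail_scenario(**kw)
        print(f"{label:14} exposed hops: {hops}\n{'':14} read plaintext: {readers}")
```

Two results are worth noticing. With a VPN alone, the hotspot and its ISP go blind but the VPN provider and everything after it still read plaintext; only adding HTTPS reduces the readers to your laptop and the web server. And for email, even when every link carries TLS, every mail server on the route is a tunnel endpoint and still handles the message in the clear; only PGP leaves just the two people at the ends.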

Article C4668 - December 2, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


8 Comments
Jos
December 3, 2010 11:08 AM

"That means that connections you make which use https are completely encrypted along the entire path from your machine to the remote server you're accessing." So is it safe to use a public wifi spot for internet banking?

"Is it safe" is an absolute that I just can't answer yes or no - there are too many variables. That being said, as long as I was using a trusted VPN provider and had all the appropriate additional security measures on my laptop (most notably a firewall) then I'd feel OK doing it myself.
Leo
04-Dec-2010

Me
December 3, 2010 7:40 PM

For the most part, yes. The data that is sent from your computer, through the hotspot and to the bank servers, and vice versa is secure. Beware however that someone else also connected to that hotspot is able to "see" you. It is possible for them to install software which allows them to see what you are typing. They could use that information to see your bank information.

Bucky
December 4, 2010 12:15 PM

Great article, with clear diagrams. I had previously thought VPN provided the same protection as HTTPS, but now realize the difference. Thanks!

Michael Horowitz
December 7, 2010 4:32 PM

Clarifying email security: What Leo said about SSL for email is true, but a bit misleading. This type of secure email is only secure between you and your email server(s). It is not end to end security.

For example, when sending email with SMTPS it is only secure between you and your SMTP server. The transfer of your message to the POP/IMAP server of the recipient is not secure. The transfer of the email from the recipient's POP/IMAP server to the recipient is also not secure (unless they use secure webmail).

Sandy Smith
December 7, 2010 11:39 PM

To Michael Horowitz... let's say you use Hotmail with TLS for SMTP and send to a recipient that supports TLS (maybe another Hotmail user)... we know you are on an encrypted port to the server (different from truly encrypting the message, btw), but I believe you have a shot at the email making it ALL the way to the recipient "securely" if they support TLS. But I don't know... I don't know if after the email reaches the server it doesn't change from the encrypted port to 25 and then off to the recipient. I have written people about this (even web based email companies) but nobody ever answers...

I believe I can answer that, given that I run my own mail servers. While there's a *chance* that it's encrypted, in general server-to-server email is not encrypted. At a minimum it's only the connection that's encrypted, meaning that when the email arrives at a mail server it is decrypted, stored on that server, and then if the next connection is encrypted the mail is only encrypted as it is sent. The email is always in its unencrypted form when stored on a mail server, even if only temporarily. (I'm explicitly talking about the encryption provided by the connection - if your message BODY is encrypted with something like MIME or PGP, or you have a separately encrypted attachment, then that remains throughout the transfer, and is in fact the only way to get end-to-end encryption guaranteed.)
Leo
08-Dec-2010

Sandy Smith
December 8, 2010 12:18 PM

Thanks for your comment... I was actually the one who posted the link below a few weeks back when you were talking about encryption... I thought it might be misleading if it wasn't revealed to the user/reader the "full" story regarding the difference between using an encrypted port (SSL/TLS) and encryption of the actual email (PGP, etc)...

http://luxsci.com/blog/the-case-for-email-security.html

I only care about encryption over the network - that the email is protected during the sending process... We know we can achieve that using SSL/TLS to the server - but from the server to the recipient is what is in question... if they also have SSL/TLS enablement - I am hoping it is "encrypted" during the entire sending process - from server to server... That is what I am trying to figure out...

Once again, thanks for taking the time...

"if they also have SSL/TLS enablement - I am hoping it is 'encrypted' during the entire sending process - from server to server" - it may NOT be. There may be intermediate mail servers through which the email is routed that may or may not use encrypted connections.
Leo
09-Dec-2010

Geraint Duck
December 9, 2010 3:24 AM

Check out:
https://www.eff.org/https-everywhere

It provides a Firefox extension which aims to automatically use https encryption for every website that offers the functionality, but doesn't turn it on by default (and there are a lot of webmail programs that do not).

My own concerns were somewhat heightened a few weeks back when a different Firefox extension came out that was able to pick up any unencrypted login cookies from the network you were on - this includes both Hotmail and Facebook login information.

That's a very useful extension, and I do recommend it, but ... it doesn't live up to its name. It does not magically make https happen everywhere; it cannot. It only enables https access for those sites that actually support it. That's an important distinction lost in its name. I wouldn't want people to think they're actually covered everywhere when they are not. (It also ONLY applies to web connections and not services like POP3/SMTP mail, or many others.)
Leo
09-Dec-2010

Sandy Smith
December 9, 2010 11:57 AM

Maybe I should be more specific... most credit card statements are done paperless now - if a thief or sniffer can get your username and password - see what credit card is being used - he/she could start pounding away and "guessing" the rest of the numbers and try to make fraudulent purchases. In the last 5 months I have had 2 credit cards taken by fraud even though I have never lost my wallet. This has led me to look further into email security like SSL/TLS.. doing what "I" can to ensure my incoming/outgoing is secure. Of course part of that is never using the first part of your email as a username and making sure your passwords are different. But even in doing ALL of this, hit twice in a year.
