Recent news of a compromised NordVPN server highlights a concern: using a public VPN doesn’t necessarily add any security. Some VPN providers want you to think that simply using a public VPN will make your connection perfectly secure, but this doesn’t hold true. While a compromised VPN connection gives hackers access to your Internet traffic, if you use HTTPS to access sites you can rest assured that your connection is still secure.
The weakest link in your connection should determine what you access. VPN providers aren’t without fault and can suffer compromises and risks just like your local connection. Therefore, a connection to a server over a secure protocol like HTTPS doesn’t gain additional security from a VPN, unless you are connected to public Wi-Fi. In the case of a public Wi-Fi connection, a VPN can help prevent some exploits.
So, if you use a VPN over public Wi-Fi, you’re totally secure, right? Not so fast. Many VPN connections only carry traffic destined outside your local subnet; traffic to addresses inside your local subnet doesn’t pass through the VPN. If a hacker sets up a malicious server on your local subnet, your traffic to it isn’t encrypted by the VPN. They don’t even need to create a server, since they could also proxy the connection and read your traffic. It’s possible to change this behavior, though. Simply put, you should never fully trust your connection when connected to an unknown public Wi-Fi.
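The local-subnet behavior described above can be checked from the routing table. The following is an added example, not part of the original article: it runs a longest-prefix match over a constructed `ip route` listing to show which destinations leave outside the VPN. The interface names (tun0, wlan0) and all addresses are assumptions for illustration.

```python
import ipaddress

# Constructed sample of `ip route` output: laptop on public Wi-Fi (wlan0,
# 192.168.1.0/24) with a VPN up on tun0. Names and addresses are assumptions.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.57
"""

def parse_routes(text):
    """Return (network, interface) pairs from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue  # skip blank lines and routes with no egress device
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix), dev))
    return routes

def egress_interface(routes, destination):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, dev) for net, dev in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def bypasses_vpn(routes, destination, vpn_dev="tun0"):
    """True when traffic to `destination` leaves outside the VPN tunnel."""
    return egress_interface(routes, destination) != vpn_dev

if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTES)
    # One Internet host, the Wi-Fi gateway, and another host on the same subnet.
    for dest in ("93.184.216.34", "192.168.1.1", "192.168.1.200"):
        dev = egress_interface(routes, dest) or "-"
        state = "outside VPN" if bypasses_vpn(routes, dest) else "through VPN"
        print(f"{dest:15} -> {dev:5} ({state})")
```

Even though the VPN covers the whole Internet address space here, the more specific route for the Wi-Fi subnet wins, so both local addresses are reached directly over wlan0.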
In another case, let’s say your connection to the server is insecure, without HTTPS encryption. If you don’t use a secure connection to a server, then the traffic between the VPN provider and the final responding server isn’t encrypted. A public VPN doesn’t add security to either secure or insecure connections. It only prevents monitoring through the local ISP connection and by individuals who share your local network. To clarify, I’m not talking about private VPNs that you use to connect to your office at work. These necessary VPNs give access to work resources through an encrypted tunnel, resources that would otherwise be accessible to anyone with access to the connection.
Using a public VPN won’t make you less secure, but when you use one, still check that your connection to the final destination is secure by looking for the lock in your browser, and don’t pass private information if it is insecure.