
How to Choose a VPN Provider

If you’re reading this post, then likely you’ve decided using a virtual private network (VPN) is “for you.”

However, if for any reason you have not yet reached this conclusion, see the links in “Decide if a VPN is right for you.”

Decide if a VPN is right for you


Before beginning research on choosing a VPN provider, avoidthehack highly recommends becoming familiar with VPNs by:

VPNs are not a silver bullet and should not be considered a “one-stop shop” (despite what aggressive VPN marketing claims) for security or privacy. A VPN is not a drop-in replacement for basic security hygiene and privacy-friendly best practices.

Should you self-host your own VPN?

The short answer is: it depends.

Very generally, self-hosting a VPN is not recommended because there is no other users’ traffic for your traffic to blend into. This lack of network traffic “camouflage” makes you unique, which potentially makes it easier for websites, web services, and web apps to track you or your device by cross-referencing various data points.


Many people may be connected to and using any given centralized VPN provider’s server at any given time. At minimum, we can assume every user connected to the same server shares the same public IP address and therefore the same “exit node.” This makes it harder for the various websites, web services, or web apps to pick out who is who, even if multiple users visit the same website at different times.

With a self-hosted VPN, more than likely your traffic will be coming from the same “node” the entire time – over time, it may become easy for whoever is interested to track and profile you.

Typically, a self-hosted VPN is recommended in cases where users want to connect to their home network while in a different physical location. While this can be useful, as it fits the original use for VPNs, it can also be dangerous for inexperienced users because some portion – usually a device – of the home network needs to be exposed to the public internet.

Users concerned with exposing a home device to the public internet can also use a hosting provider – typically a VPS – to self-host a VPN. However, depending on the hosting provider and its internet service provider (ISP), your network traffic may be logged regardless. If this is the case, it can easily defeat whatever privacy advantage is gained from using a self-hosted VPN – you would only “hide” your traffic from your primary ISP.

What about decentralized VPNs?

Decentralized VPNs borrow from the relay hop model seen on the Tor network (but don’t use the Tor network). Decentralized VPNs have grown in popularity in recent years and frequently incorporate blockchain technology to render services.

However, as of writing, it looks like most decentralized VPNs only route traffic at most 1 hop away. This differs from the typical Tor model which sends internet traffic through at least 3 different hops, with the “exit node” changing periodically. A decentralized VPN’s 1 hop provides little defense in the event of a compromised node.

This isn’t to discredit or to dissuade users from using a decentralized VPN; in some cases, using one may prove adequate. However, it can be argued that the best decentralized VPNs are no more privacy-friendly than trusted, “no-logs” centralized VPN providers.

Avoid most “free” VPNs

Free VPNs are the epitome of the old internet rule, “if it’s free, then you’re the product.”

Free VPN apps on the Google Play Store have also been found to be nothing more than disguised malware. At the milder end, this malware is annoying “adware” designed to display numerous ads on your device, consuming its available resources and generating revenue for the malware developers.


In more severe cases, free VPNs are cover-ups (“bait”) for malware designed to steal (harvest) information from your device. The information harvested typically extends well beyond the unwarranted data collection of commonly installed apps – such malware frequently harvests sensitive data like passwords, cryptocurrency wallet keys, browsing histories, and network traffic.

Even if the “free” VPN isn’t malware in disguise, it’s important to remember VPN providers have a high level of access to your network traffic routed through them; VPN providers essentially “replace” the ISP in the network chain.

Like many traditional ISPs in the US, free VPNs have a history of collecting, logging, storing, and sharing/selling the user information they have access to – such as browsing data and DNS queries. Many free VPN providers collect information that is not at all necessary for rendering VPN services, and their clients/apps can aggressively collect information about your device without your explicit knowledge.

In some cases, free VPN providers have shared data with cloud providers, governments, and anyone willing to supply some cash in exchange for the data; they have also been accused of using device resources, such as CPU power, to mine crypto for themselves (cryptojacking)!

Data collection/retention/privacy

One of the most important things to look for in a VPN provider is the content of its data privacy policies – specifically, what data is collected and whether any of the collected data is retained.

No-logs policies

The presence of an independently audited no-logs policy is the best case scenario here.

Many VPN service providers boast no-logs policies, only for it to come out after some event – usually involving law enforcement – that logs were being collected all along.


Naturally, this spells disaster for the users regardless of what was logged. If the VPN provider collected PII, then these logs could be used and tied back to a user’s true identity.

However, it is impossible for us as users to verify any VPN service provider’s “no-logs” claims with 100 percent certainty. Therefore, a provider’s transparency efforts are important to note. It’s often worth digging deeper than what the marketing claims (or conveniently leaves out) on the VPN provider’s website, considering questions such as:

  • Does the VPN provider offer a publicly accessible audit of their no-logs claims?
  • Are there transparency reports that disclose requests received by government entities?
  • What was the date of the last audit?
  • Is an audit on a VPN provider’s no-logs policy conducted regularly?
  • Does the VPN provider voluntarily share information – such as logs – with…

*** This is a Security Bloggers Network syndicated blog from Avoidthehack! RSS authored by Avoidthehack! RSS. Read the original post at: https://avoidthehack.com/choose-vpn