Disadvantages of Using a VPN?

Yes, it could be a disadvantage. What it boils down to is how much you trust the VPN provider.

For most secure protocols, using a VPN will be just as secure because your communications are encrypted by the protocol. If there was a MITM at the other end of the VPN connection they would not be able to do much (apart from side channel attacks, which are usually pretty useless in isolation). Of course, this is assuming the protocols and software are secure, and are not affected by the FREAK attack or other downgrade attacks.

However, the web is different. The main issue is that the Same Origin Policy does not designate a different origin for plain vs encrypted where cookies are concerned. A cookie set on http://example.com can be read by https://example.com. If there are any cookie handling vulnerabilities on the site then the "secure" connection could be compromised. The Secure Flag does not help here - this only prevents a plain HTTP connection from reading a cookie set over HTTPS, not the other way round. An example could be cookie poisoning like session fixation, or if there's an XSS vulnerability based on a cookie value that was assumed to only have been set via HTTPS. These are really vulnerabilities on the sites themselves; however, using an untrusted connection allows them to be exploited.

So if there is any doubt about the trust of your VPN provider, then disable plain HTTP from your browser and use the internet over HTTPS only. You can do this by setting an invalid proxy server for plain HTTP (e.g. 127.0.0.1:8).

Of course, you should make sure you are using a secure protocol for your VPN connection too (e.g. not MS PPTP). Also, make sure you use iptables/Windows Firewall properly to prevent any incoming connections to your machine whilst connected to the VPN.
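The cookie scoping described in the answer above, as an added example that is not part of the original answer: Python's `http.cookiejar` stands in for the browser's cookie store, and the cookie names, values and responses are constructed for illustration.

```python
import email.message
import http.cookiejar
import urllib.request

class FakeResponse:
    """Offline stand-in for an HTTP response; CookieJar only calls info()."""
    def __init__(self, *set_cookie_values):
        self._msg = email.message.Message()
        for value in set_cookie_values:
            self._msg["Set-Cookie"] = value  # appends one header per value

    def info(self):
        return self._msg

def receive(jar, url, *set_cookie_values):
    """Store the Set-Cookie headers of a constructed response from `url`."""
    jar.extract_cookies(FakeResponse(*set_cookie_values),
                        urllib.request.Request(url))

def cookies_sent(jar, url):
    """Return {name: value} for the Cookie header the jar would send to `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return {}
    return dict(pair.split("=", 1) for pair in header.split("; "))

def demo():
    jar = http.cookiejar.CookieJar()
    # Constructed: the genuine HTTPS response sets a Secure session cookie.
    receive(jar, "https://example.com/login", "auth=real-token; Path=/; Secure")
    # Constructed: a plain-HTTP response for the same host, which an untrusted
    # network path can supply, sets a second cookie without the Secure flag.
    receive(jar, "http://example.com/", "lang=set-over-http; Path=/")
    return {
        "https": cookies_sent(jar, "https://example.com/account"),
        "http": cookies_sent(jar, "http://example.com/"),
    }

if __name__ == "__main__":
    for scheme, cookies in demo().items():
        print(scheme, cookies)
```

The HTTPS request carries both cookies, while the plain-HTTP request carries only the one set over HTTP, so a site cannot assume that a cookie arriving over HTTPS was also set over HTTPS.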


A VPN masquerades your real IP by using the VPN IP instead. The VPN IP is shared by an unknown number of persons, and its usage is public as long as the person subscribes to a contract with the VPN provider.

Therefore, by using a VPN:

  • You open yourself to attacks such as IP spoofing; it will be trivial for someone else to use the very same IP address as you,

  • Possibly your IP address may be blacklisted due to the activity of another VPN user, which may result in limited or refused access to some websites.


Trust is obviously key, since you are trading trust in your local connectivity (whatever path your connection takes through your local ISP, the coffee house wifi, etc.) for trusting the connectivity of the VPN service and their internet path. If it's a large and reputable VPN provider compared to a coffee house wifi, then you are probably going in the right direction. If it's a lowest-cost Eastern-Europe based outfit then maybe not so much. Personally I would be more keen to trust a VPN through my own equipment (i.e. a server I am hosting via a reputable connection at home/office or on AWS/Azure/etc.) when the question is do I use the Starbucks/hotel wifi vs a VPN. If it's a question of sufficiently anonymizing my traffic, then a third party VPN would come into play.
