Reader question, answered: If I have https, do I need a VPN?

I recently got another letter from a reader that can serve as a great foundation for an article. Our reader asks:

Is not the encryption provided by my browser on the data I exchange with an https: site sufficient to protect the data? My understanding has been that it is. If so, a VPN is not needed for this purpose. Furthermore if so, it’s perfectly safe for me to exchange private data (say, account info with my bank or stock broker) over any public, open network.

Of course, VPN’s provide several other valuable functions, but as I understand it they do NOT provide any additional security to the actual data exchanged. VPN providers would likely not want to highlight this.

There’s a lot to unpack in our reader’s letter. Let’s dig into each question/statement one-by-one.

Perfectly safe

Separate from the technical questions, our reader makes an assertion I think deserves an immediate and somewhat forceful correction. Our reader states:

It’s perfectly safe for me to exchange private data (say, account info with my bank or stock broker) over any public, open network [using https].

Let’s get this out of the way: It is never, ever, in any way, ever “perfectly safe” to exchange data over the internet, whether via a public, open network (shudder) or even from your home or office.

If reading ZDNet regularly tells you anything, it’s that there are security breaches and security flaws throughout our networks that occur with constant, never-ending, and pretty much overwhelming regularity.


I’m not going to go into either all the breaches or even all the ways message traffic can be intercepted while in motion. Suffice to say, our data is never “perfectly safe,” and so we must always take action to protect ourselves, our data, and by extension, our financial and physical security.

Just because you’re not paranoid doesn’t mean they’re not out to get you.

Because of this reality, we often practice a belt-and-suspenders approach to all of our security practices. That means, even though we may have one level of security, it’s never enough. That method of security may be cracked or buggy, or there may be some other reason it’s leaky. It’s always best to have multiple approaches to keeping safe.

Is https enough?

Let’s start with what https does. It secures (through encryption) an http connection between a website and your browser. That means that the contents of what you’re transmitting are unlikely to be read or changed between your browser and the website.

But you are not in control of this connection. It’s up to the website operator (and any associated services it calls on) to be sure to properly set up and operate the secure connection.

Not all websites use https, so anything you do on an unencrypted connection is visible. What’s actually of far greater concern with unencrypted traffic is that an attacker sitting between you and the website (usually called a Man in the Middle attack) can modify what is sent, injecting tracking bits — or worse, malware — into the stream.

The most visible of these are Great Cannon-style attacks that inject JavaScript and HTML payloads into unprotected web traffic. These payloads then conduct denial of service attacks (hence: cannon) against targets of interest to the hackers.

No one wants their web browser unwittingly turned into a denial of service weapon.

Another thing to consider about https encryption is it only encrypts your web traffic. Any other internet activity is not touched by the https protocol and therefore requires its own encryption. Examples of other activity include web-based video games that might send your account, password, and even credit card information in the clear; an e-mail program; or even a locally run accounting program.

So, yes, https does help. But it’s only one security accessory in a belts-and-suspenders-security ensemble.

Wireless router encryption

There’s another encryption element that sometimes comes into the chain. That’s the Wi-Fi encryption you get when you use a Wi-Fi router with a password.

Of course, here’s another point of risk: You have no way of telling if the Wi-Fi router has been spoofed, and you’re really sending all your data through a pineapple or some other data spoofing device.

VPN encryption

This statement by our reader is a little tough to unpack: “VPN’s provide several other valuable functions, but as I understand it they do NOT provide any additional security to the actual data exchanged.”

I think what our reader is saying is that VPNs provide other services, but they don’t provide any other data security services. But VPNs do. They also encrypt data.

VPNs absolutely do provide data security services. Packets are encrypted from your local device to the VPN service provider. All packets.

Now, it’s important to understand where this encryption helps and where it doesn’t. If you’re on your web browser in a coffee shop and you’re talking to your bank’s web interface, your traffic is encrypted in your browser, goes from your device to a local router, to the local ISP, across a whole bunch of hops, and then to your bank, where it’s decrypted.

Https will encrypt that entire pipe, but only if everything is set up correctly.

Now, if you’re using a VPN (with https or not), your data is encrypted on your computer. If you’re using https, the https-encrypted data is encrypted again by the VPN. That data then travels over the usual hops to a VPN server, is decrypted once (the VPN’s layer is removed), and sent on to your bank.

The benefit of VPN encryption is from your device to the VPN provider on the internet. This protects against nearly all coffee shop, airport, and hotel lurkers who might try to snag your data in motion.

Thinking about security

When it comes to thinking about mobile security, it’s important to keep in mind the endpoints and what’s being encrypted. Let’s look at the last three we discussed:

  • https: Encrypts web traffic between the web browser and the webserver.
  • Wi-Fi: Encrypts all network traffic between the mobile device and the Wi-Fi router in your local coffee shop, hotel, airport, etc.
  • VPN: Encrypts all network traffic between your mobile device and the VPN service provider on the internet.

Can you see how these different elements encrypt and decrypt at different points? Also, keep in mind that any one (or more) of these security services may be compromised. Plus, of course, there are other levels of encryption, like encrypted SSL and TLS tunnels between websites and payment providers.

By using multiple layers of encryption, each unable to see into the other, you’re reducing the chance that any one compromised network will compromise you.
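
The endpoints in the list above can be traced hop by hop. This Python sketch is an added example, not part of the original article; the hop names are constructed labels, and it assumes each layer is removed exactly at the endpoint the list gives and that a "broken" layer hides nothing.

```python
# Added illustration (not from the article). Hop names are constructed labels.
# Each layer is wrapped on the device and removed at the hop where it terminates.
TERMINATES_AT = {"wifi": "wifi_router", "vpn": "vpn_provider", "https": "webserver"}
WRAP_ORDER = ["https", "vpn", "wifi"]  # innermost first


def path(use_vpn):
    """Hops the traffic crosses, in order, from the device to the webserver."""
    hops = ["wifi_air", "wifi_router", "isp_and_internet"]
    if use_vpn:
        hops += ["vpn_provider", "internet_past_vpn"]
    return hops + ["webserver"]


def trace(layers, broken=()):
    """Map each hop to the intact layers still wrapping the data there.

    `broken` names layers that are in use but compromised or misconfigured,
    so they no longer hide anything (an assumption of this model).
    """
    active = [l for l in WRAP_ORDER if l in layers and l not in broken]
    seen = {}
    for hop in path("vpn" in layers):
        # The hop that terminates a layer strips it and sees what is underneath.
        active = [l for l in active if TERMINATES_AT[l] != hop]
        seen[hop] = list(active)
    return seen


def readable_at(layers, broken=()):
    """Hops where nothing intact wraps the data, i.e. it can be read or altered."""
    return [hop for hop, wrapped in trace(layers, broken).items() if not wrapped]


if __name__ == "__main__":
    cases = [
        ("https only, open Wi-Fi", {"https"}, ()),
        ("Wi-Fi password only, plain http", {"wifi"}, ()),
        ("VPN only, plain http", {"vpn"}, ()),
        ("https + VPN, https broken", {"https", "vpn"}, ("https",)),
        ("https + VPN, VPN broken", {"https", "vpn"}, ("vpn",)),
    ]
    for label, layers, broken in cases:
        print(f"{label:34} -> {readable_at(layers, broken)}")
```

The webserver always appears in the result because every layer ends there at the latest; the rows to watch are the ones where an intermediate hop shows up as well.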

Other VPN services

As we’ve discussed in our various VPN reviews and guides, different commercial VPN services provide different added value. Some mix in anti-virus. Some mix in some identity protection services.

But all VPNs provide another very important security service: IP address obfuscation.

If you use a VPN, you get an IP address from the VPN provider. This is the IP address recorded by various services on the web. This allows you to protect your identity in terms of where you’re located, what ISP you’re using, or even what country you’re in.

For some of us, this is a less critical service. For others, especially those dealing with stalking or other personal protection worries, VPN location protection services are essential.

Bottom line

So, in answering my reader’s question, do they need a VPN? It’s up to them. But is https the be-all and end-all of internet security? Oh, hell no.

What tools do you use to protect your security? Let me know in the comments below.

You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.