Do I need to have a VPN on my Apple device?

I’m retired and keep getting offers for VPN purchases. Do I need the additional cost?


[Re-Titled by Moderator]

iPad Air, iPadOS 18

Posted on May 17, 2025 8:06 AM

Question marked as Top-ranking reply

Posted on May 18, 2025 6:56 PM

Bostonb4 wrote:

I’m retired and keep getting offers for VPN purchases. Do I need the additional cost?


No. You don’t need a “coffee shop” VPN.


The “coffee shop” VPNs badly solve a problem that hasn’t existed in a decade, while adding substantial connection overhead, and badly solve it in a way perfect for collecting personally-identified metadata.


iCloud+ Private Relay and ODoH with TLS do just fine, providing not only end-to-end connection security, but also privacy.


If you have higher-than-usual security requirements, you’re headed for your own VPN server such as Algo, potentially toward Tor, and potentially toward a mesh VPN. Or toward a more careful and complete review of your requirements and adversaries, as VPN and Tor traffic can be visible to an adversary with pervasive network access.

23 replies

May 17, 2025 12:53 PM in response to Bostonb4

You will likely receive conflicting advice concerning the use of VPNs. 


Insofar as public WiFi hotspots are concerned, where your internet traffic can be both monitored and potentially manipulated by bad/malicious actors, use of a properly configured reputable VPN service is certainly recommended by knowledgeable Infosec Professionals.


Public networks have a considerably higher risk profile than private networks - the latter, by design, being considerably more secure. Unknown to many, while some of your internet traffic is end-to-end encrypted, some protocols (e.g., DNS) are natively transmitted “in-clear”. Unencrypted protocols can leak considerable information about your device and your activities; not only can this traffic be intercepted and analysed by anyone that shares the same network, this traffic can be manipulated and altered.


Employing a correctly configured VPN ensures that all your traffic that is transmitted on the “untrusted” public networks cannot be monitored or manipulated.


In more detail...


Part #1


Much of the hype and negative comment that you will observe throughout the Apple Support Communities are derived from a bias against, or a fundamental misunderstanding of, VPN technologies and their uses/benefits - in addition to misguided faith in Apple products being immune to cyber-threat. In many cases, negative viewpoint will be based upon consumption of misinformed commentary of others; such commentary often reinforces preconceived faith in both invulnerability and perceived immutable truth.


It is impossible to provide an in-depth discussion of Information Security and IP networking with the limited space that this forum allows. The following is intended to provide brief overview and insight - from which you are free to ask additional questions, draw conclusions as to efficacy, and/or make informed decision as to potential benefit in securing your internet communications.


Enterprise applications may use VPN technologies to securely connect remote users to corporate systems - security benefit being derived through the entire path being protected. Commercial VPNs, as used by private individuals, do not offer protection over the entire path as the encrypted tunnel terminates at the VPN Gateway from which your traffic is routed over the internet to its destination(s). Properly configured commercial VPN services do, however, provide useful mitigation against very specific threats. In using these services, it is important to understand the risks against which a commercial VPN can provide useful protection - and those that it cannot. A commercial VPN cannot provide total protection against all monitoring of your internet traffic - as the end-to-end path is not protected by the VPN in its entirety.


A high proportion of your traffic (such as browser traffic) already benefits from encryption (e.g., TLS) without use of a VPN - but some protocols (such as DNS) are entirely “in-clear” and can be intercepted and manipulated. Header and routing information are also unencrypted - and are available to anyone that is able to monitor your local network connection. Where utilised, VPN encapsulation ensures that all your traffic, including unencrypted data, is contained within the VPN tunnel away from prying eyes and threat actors.


One of the arguments against the use of commercial VPN is that all your traffic is routed via the VPN provider’s VPN Gateway. This of course is completely true - however, in many cases presents no greater risk to you, or your privacy, than routing all your internet traffic via your ISP or mobile phone operator.

May 18, 2025 9:30 AM in response to LotusPilot

I wasn’t going to continue here, but here are some other views from sources I respect (extracted from my user tip):



  • Why not use a VPN to encrypt all of your online traffic? “Personal VPNs simply shift residual risks from your internet service provider (ISP) to the VPN provider, often increasing the attack surface,” CISA’s guidance fairly explains. “Many free and commercial VPN providers have questionable security and privacy policies.”
  • (Plus, almost all sites now encrypt data flowing between them and a visitor’s browser. Either your ISP or your VPN can tell you’re visiting PCMag.com, but not that you’re reading this post.)


May 18, 2025 1:11 PM in response to LotusPilot

LotusPilot wrote:

You are missing the point entirely. The VPN is not a solution in its own right - but is one layer of comprehensive/complementary risk mitigation strategy.

That is fundamentally where we disagree. There is never any advantage to using VPN with any Apple device except to access a private network, as the name says: Virtual Private Network. I don’t consider it to be complementary to a risk mitigation strategy; I consider it as a way to increase risk, not mitigate it, as the US Cybersecurity & Infrastructure Security Agency says (“The Feds Have Some Advice: Don't Use a VPN”). And in my experience the FCC’s technical capabilities are very limited, and driven by industry (such as VPN/Antivirus vendors). The FCC quote is wrong in the first sentence:


  • If you regularly use a public Wi-Fi hotspot, consider using a virtual private network (VPN) that will encrypt your data.


Your data is already encrypted with strong end to end encryption, at least for Apple products, and for Microsoft, Google, and all other major technology vendors. There are no current reports of TLS encryption being broken. See this recent article: Cracking SSL Encryption is Out of Human Reach

May 17, 2025 12:54 PM in response to Bostonb4

Part #2


Reputable “paid” commercial VPN services have no vested interest in your internet traffic beyond statutory obligations imposed by the authorities in whose territory they operate. Again, from a regulatory and technical perspective, this is no different to your ISP or mobile phone operator. Reputable commercial VPN services are fully and profitably monetised by service subscriptions.


Free or “low cost” VPN operators are funded differently. Clearly, these VPN operators have cost overheads that must be fully funded; such services are often funded through commercial advertising served via the VPN connection, or traffic analysis and data mining - this data being sold-on to other interested parties. Dishonest VPN operators may attract business with express intention of misusing your data - or to facilitate criminal activity.


Looking now at areas where commercial VPN provides useful threat mitigation…


Assuming that your home wired/WiFi network is secure - and that other network devices using the network are trusted - use of a VPN within your local network offers no significant benefit. By contrast, public WiFi networks (such as Airports and Hotels) are high risk; other users of these networks can access and manipulate your network traffic - and it is here that a commercial VPN provides useful protection. Here, when using a VPN, all your traffic is fully protected from actors over the high-risk elements of the network path - between your client device and the VPN Gateway.


May 18, 2025 4:51 AM in response to Lawrence Finch

Lawrence Finch wrote:

Please explain how other users of public networks can access and manipulate your end-to-end encrypted traffic.


This isn’t the place for an in-depth tutorial, but a brief overview may help those interested in this topic. The following outline is intentionally limited in technical detail.


At the physical level, WiFi is effectively a shared-ethernet technology, managing network traffic. All client devices on the network segment can “see” network traffic from all other clients.


By definition, “open” WiFi networks (as typically found in public WiFi networks) don’t use WiFi encryption to protect the radio network from interception. As a result, all unencrypted traffic on the WiFi link is easily intercepted by anyone using readily available WiFi tools and packet sniffing software.


While much of a user’s internet traffic may benefit from TLS/SSL, many network protocols remain in-clear (e.g., DNS) and easily intercepted, analysed, and manipulated unless this unencrypted traffic is also tunnelled beyond the local WiFi network using VPN, ODoH, or similar techniques. Without additional protection, in-clear traffic is accessible to both the WiFi Operator and other WiFi clients. By necessity, IP header and packet-routing data is always in-clear.


Captive portal networks requiring a WiFi Password (as sometimes found in hotel and retail environments) use encrypted WiFi. While encrypted WiFi will protect against casual eavesdropping, unless the WiFi network itself employs peer-to-peer blocking, PSPF, or similar controls to inhibit communication between network clients, other WiFi clients will still be able to access all WiFi traffic on the network segment. As before, any in-clear network traffic remains accessible to other users sharing the WiFi network.


Captive Portals often block VPN, ODoH, and other encrypted traffic, requiring users to disable these encryption technologies to connect and use these networks. With these protections disabled, the user’s network traffic is unprotected.


In all cases, the WiFi Network Operator remains in a privileged position to easily monitor and manipulate in-clear traffic protocols. Some operators may also employ a transparent proxy to intercept traffic, or perform deep packet inspection of TLS/SSL traffic, effectively acting as a MITM attack on users’ traffic. While this may trigger a certificate warning, many users don’t necessarily understand the implications and simply click through warnings to continue the session, bypassing TLS/SSL protections.


In such environments, a commercial VPN service can provide additional protection over the least trustworthy network segment. A properly configured VPN connection ensures that in-clear traffic is not intercepted over the least trustworthy WiFi network and remains inaccessible to the WiFi Network Operator. While the VPN traffic only benefits from this additional protection between the end-user and the VPN Gateway, with careful configuration, DNS traffic can still be tunnelled to a trusted DNS provider using DoH, DoT, or ODoH.


In summary, public WiFi networks are high-risk environments that can benefit from a VPN. Commercial VPN services have limited (if any) benefit when used with domestic WiFi over which the end-user has control of access. VPN is not a security panacea - but used properly and with understanding of what it can and cannot usefully protect, can provide useful additional protection from a variety of threats and privacy issues.

May 18, 2025 10:23 AM in response to LotusPilot

The most basic is that VPN does not improve security; it adds another player seeing your traffic, with more information than even a public Wi-Fi would have, and there have been several ostensibly “trustworthy” VPN providers who have stolen user data. Avast, for example, was fined twice, over 3 years, for selling users’ browsing data. And Norton was hacked and user data was stolen. The probability of a random public Wi-Fi being vulnerable is much less than the probability of your “trustworthy” VPN provider stealing your data.

May 18, 2025 12:05 PM in response to Lawrence Finch

You are missing the point entirely. The VPN is not a solution in its own right - but is one layer of comprehensive/complementary risk mitigation strategy.


While a Commercial VPN Operator has [without argument] opportunity to monitor the unencrypted portion of your network traffic, this element of risk can be effectively mitigated by other measures. Either way, as previously outlined, the VPN Operator has no more access than would be the case when connected to the internet via your own ISP - the latter of which you entrust the vast majority of your network traffic; your ISP has greater opportunity, resources (and in some cases statutory obligation) to monitor your traffic prior to delivery to the internet.


A public WiFi network offers potential access to your client traffic by multiple unknown threat actors - who have motive and opportunity. Using a VPN merely adds a layer of protection for the least-trust portion of the network path to which unknown opportunist Actors also have access.

May 18, 2025 12:15 PM in response to LotusPilot

All the OP was asking is if they need to be paying for a VPN service after receiving these offers in an email, message, or website advertisement most likely. Can we just assume that this retired person is operating on a Home Network behind a router and agree that NO, you do not need to purchase a VPN for protection and you can safely ignore all those offers that they are receiving. It should not be necessary to have a 2 page answer to a pretty specific question from a user looking for assistance.

May 18, 2025 10:14 AM in response to Lawrence Finch

Here's another from the FCC...

https://www.fcc.gov/protecting-your-personal-data


Think before you connect to Wi-Fi networks and Bluetooth. Unsecure connections may compromise sensitive information stored on your device and in online accounts. Take these steps to minimize the risk:

  • If you regularly use a public Wi-Fi hotspot, consider using a virtual private network (VPN) that will encrypt your data.
  • Adjust your device's settings so it does not automatically connect to nearby Wi-Fi networks.
  • Websites that are secure use "https" at the beginning of their web address. If the “s” is missing, avoid sharing any sensitive data or information.
  • When sending sensitive information, your mobile data plan may be more secure than Wi-Fi.
  • Turn Bluetooth off when not in use. Use Bluetooth in "hidden" mode rather than "discoverable" mode. This prevents other unknown devices from finding your Bluetooth connection.
  • If you connect your mobile phone to a rental car, be sure to unpair your phone and clear any personal data from the car before you return it. Take the same steps when selling a car.
  • Check out FCC Consumer Guide: Wireless Connections and Bluetooth Security Tips.


I could trade many more links - and provide contextual explanation and technical argument (both for and against) for them all 🙂

May 17, 2025 8:14 AM in response to Bostonb4

No! They are just ads trying to scare you into purchasing their product by making false claims that your security is at risk. You see these same kind of ads for companies selling AntiVirus software, which is also totally useless.


Businesses use a metric called Return On Ad Spend (ROAS) to measure the amount of money spent on ads compared to the increase in revenue. The goal is for a positive ROAS where the revenue increases more than what they spend on ads. Unfortunately that is also the reason why you see so many of those ads, and the ones that scare users seem to be more effective.

May 17, 2025 8:11 AM in response to Bostonb4

vpn means that the vpn server you connect to can harvest all your data and sell it if they wish


the purpose of VPN is for people who work from home can get a tunnel across the internet and have a presence on their company lan network


you can read more about it here Virtual private network - Wikipedia


personally I only use it on my company laptop when working at home
