The VPN emerged as a very effective system to protect communication between two endpoints and keep out any “nosy” parties who might otherwise access those data transfers. The idea was widely used in business and professional environments, but it became far more common once VPNs were adapted to a much more attractive task: enjoying Netflix, Hulu or Pandora in our own country, when in theory we could only do so from the United States.
In that case the trick is to play with IP addresses, which are used to make it appear that our computer is located in the United States or in any other country. These VPN services usually have a cost, but there are free alternatives (some time ago we wrote about seven of them) that attract many users for that reason. The problem, of course, is that nothing is actually free.
The Hola case
In May 2015 a scandal broke around Hola, a free VPN service that, like others, makes it possible to access geographically restricted Internet services. Hola’s offer was very attractive and it worked remarkably well, but the catch was that being free came with small print.
In this case, the small print meant that when we connected to that VPN we gave up our bandwidth so that users of another associated service (Luminati, which is a paid VPN) could use it for different purposes. Those purposes could of course be benign but, as it turned out, they could also be very questionable.
It turned out that one of the users (or groups of users) of Luminati used that service to launch a denial-of-service attack against the 8chan website. This was confirmed by Fredrick Brennan, who runs 8chan and who explained how the outage had occurred (the text and images have been lost because 8chan was hacked in April 2017).
Brennan called Hola the “least ethical VPN service I’ve ever seen,” and made it clear that because the service is free, its users can become indirect perpetrators of these attacks through that gigantic botnet they join unknowingly. Although the managers of both companies have since clarified the matter and it seems that “there will be no more problems” between the two parties for now, the damage is done, and it demonstrates that with a free VPN, as with anything else that is free, the cost is usually charged in some other way. In August 2016 this service was still not recommended according to specialized VPN reviews.
VPNs are an interesting way to protect our use of the Internet. Preserving privacy is an increasing concern, especially after Edward Snowden’s leaks, and services of this type promise to guarantee that privacy and often boast of doing so without charging us anything.
The problem is that the proxy servers that provide this service need a connection capable of handling the huge amounts of data generated when many users use them. And that costs money. Lots of money! Add the cost of maintenance, operations and security, and these costs increase. Why would anyone offer such services for free? Easy: because they are not really free.
In some of these services, the lack of a fee is offset by advertising shown in our browsing sessions, and the providers expect us to click on those ads while we wait for connections to complete or while they are in use. The problem is that the channel through which the advertising is delivered always gets priority: our connections to the content we want are slower than those used to present the advertising. Many free VPN services offer desperately slow and/or desperately unstable connection speeds. If you have used these services to access US streaming services like Netflix, you may have suffered continuous outages with those VPNs of dubious origin.
The other problem, much more worrying, is that some services of this type are nothing more than a lure that lets crackers and cybercrime groups gain access to our computers. The attackers, who have extensive knowledge in this area, launch a VPN service that they advertise as free, begin to receive sign-ups, and manage to infiltrate those users’ computers to obtain sensitive data such as credit card information. Then the services suddenly stop working and nasty surprises appear in the bank accounts of those affected. There are websites that try to assess the trustworthiness of these services, such as VPNRanks, which among other things revealed the problems that have existed with Hola.
Or else they continue operating and serve as the basis of a gigantic MitM (Man-in-the-Middle) attack that can siphon off huge amounts of data from all those users. From there the possibilities for the attackers are endless: they can modify the data that reaches us in our browsing sessions, “disguising” the destination websites and swapping them for others, or they can inject all kinds of content and malware into our computers without our knowing.
The same principle applies to the botnets that are effectively created when one connects to a VPN. The operator of the service bears the enormous responsibility of managing all those protected connections, and all that managed bandwidth allows, as in the aforementioned case of Hola, its operators to take advantage of that botnet to offer that capacity to paying users. Those users may, of course, be cybercriminals looking for cheap botnets with which to carry out their attacks.
What should a good VPN service provide?
It seems clear that free VPN services are an open door to problems, and if you use one or have ever used one, you are exposed to those risks. Companies that charge for this type of service are not exempt from problems, of course, but the chances of getting a more trustworthy service are much greater.
And yet, things can still happen like what happened to Cody Kretsinger, a hacker from the LulzSec group who was responsible for the attacks on Sony Pictures Entertainment’s servers in 2011. Kretsinger used a popular VPN called HideMyAss (the name is quite descriptive) to hide the attacks he carried out to access servers controlled by Sony Pictures.
The problem is that HideMyAss logged users’ IP addresses and the times they connected to and disconnected from the service. A UK court ordered HMA to hand over the data for the investigation of the attacks, and that allowed the authorities to identify and arrest Kretsinger. Although the providers of these services are able to monitor all of their users’ web activity (though they should not), what they usually do is record those IP addresses and connection and disconnection times. That implies a serious risk for anyone who uses those services precisely to protect their privacy.
So, when looking for a VPN that guarantees this privacy, we need to read the provider’s terms of service carefully to check whether that information is logged, and for how long. Many VPNs state that they store only the personal information needed to create an account and process payment, and that they do not record IP addresses, connection times or bandwidth usage during sessions. Not only that: they allow payment with cryptocurrencies like bitcoin, which adds a degree of security and privacy to the transaction if we really want to protect our identity.
If you use a service of this type in order to watch streaming services, for example, the most important thing is that it offers “exit locations” that make it appear that your computer is in the United States, or wherever applicable. It may also be worth choosing a VPN provider based outside our own country to avoid more legal problems than necessary, and a provider with multiple servers located in different parts of the world is more attractive when it comes to ensuring our privacy and security.
Features such as anti-malware or anti-spyware filtering are also important, as is, increasingly, support for mobile devices. More technical is the comparison of the different protocols used in VPN services (PPTP, L2TP, OpenVPN, SSTP, IKEv2); in general experts seem to recommend OpenVPN in particular and stress that it is better not to trust PPTP much. With all this information, you can better appreciate how important it is to choose not just a paid VPN, but one that fits your needs. TorrentFreak published a comparison of recommended services a few months ago that can serve as a reference for those interested in this type of solution.
Watch out for free VPNs, including apps and mobile services
You will also have to take these risks into account in that other segment: VPNs for connecting, in theory securely, from smartphones of all kinds. A CSIRO study conducted in August 2016 showed that about 40% of free VPN applications for Android contain malware, some of the most popular among them.
In fact, these free VPNs may not only carry embedded malware, but can also monitor our activity, track everything we do on our devices and then sell that data to other companies.
Applications such as Hotspot Shield even redirect HTTP requests to e-commerce sites like Alibaba or eBay and “hijack” our browsing sessions, among other risks. Here the ideal is to turn to a paid service with a good reputation, as identified by the previously linked TorrentFreak comparison or by this other specialized blog, Restore Privacy.