Lawrence Finch wrote:
Something to think about→Don't use VPN services. · GitHub•
There are two legitimate purposes for using VPN:
To allow access to a private network such as a school or business when you are not on site.
• To allow access outside of a country with a repressive government that has restricted Internet access.
Any other use is risky, and can lead to problems like the one discussed in this thread. VPN disguises your location by making you appear to be somewhere else in the world. But you can’t control that “somewhere else”, and if it is in a location that an app isn’t approved for the app won’t work. Plus the fact that the provider of the VPN knows everything about you and your location, as well as what sites you access through the VPN. So you are totally dependent on the VPN provider’s honesty. As a start, if the VPN is free, DON’T USE IT. The provider has to make money somehow, and if you aren’t paying them then they are selling your private data to make money. But even those that charge can’t necessarily be trusted.
You don’t really need VPN when using public Wi-Fi, because all communications between your iPhone and the servers it accesses are end-to-end encrypted.
Whilst some of your points have some credence, I have to challenge others which are grossly incorrect or offer over-simplification.
While some network traffic uses fully encrypted protocols, it is common misconception that all modern network traffic is fully encrypted. Alas, it is not. Many protocols have unencrypted header information; others upon which communication rely are totally in-clear.
As an example, your DNS traffic is (by default) an un-encrypted protocol - and conveys (leaks) considerable information about you and your traffic. This DNS traffic, in addition to being commonly monitored by the network operators(s), is often used for malicious purposes and/or as an attack vector/exploit. Where available and correctly configured, there are available mitigations for risks associated with DNS (such as DoH, DoT and DNSSEC), however, these are beyond reach of most users.
As a further example, without delving into the technicalities, when using public/open networks your network traffic can be easily intercepted by other users of the same WiFi network. One immediate source of risk is session hijack/replay.
There are many legitimate reasons to use VPN - these not being limited to the two that you cite. Contrary to your assertion, using VPN over public networks does provide useful and significant protection against local attacks and traffic monitoring which are endemic on public networks. For this reason alone, it may argued that using a VPN reduces (but does not fully eliminate) avoidable risk.
You are correct in your assertion that, where used, a commercial VPN operator has visibility of your network traffic - as your network traffic is obviously being routed via their VPN endpoint. Whilst your VPN-tunnelled traffic is protected from locally prying eyes, your traffic is delivered to the internet from VPN endpoint in its original (partially encrypted) form.
To reiterate, traffic visible at the VPN Gateway/endpoint is partially encrypted at protocol level. As such, for practical purposes, the traffic exposed to the VPN Operator is no more at risk than would otherwise be exposed on the open/insecure WiFi network. If the VPN Provider is chosen with care, risk of traffic interception over high-risk networks can be significantly mitigated.
For this purpose, use of a VPN is a “trust” exercise. In whom do you place greater (dis)trust? The open/insecure WiFi network to which you make your network connection (with all of its consequential risk), or the VPN Operator? Which carries greatest risk to you, the security of your network traffic, or your privacy?
A reputable VPN Operator (noting that “free” services are generally outside of this category) has no commercial interest in your network traffic - but may be bound by legislation of the country in which it is based to collect metadata concerning your connection. The latter you can nothing about - and unless you yourself engage in nefarious activity, should offer no concern. The former simply requires wise selection of your network operator - often requiring parting with money on subscription terms.
If the user has the technical capability (and competence) to correctly configure a VPN endpoint/gateway, trust in the VPN moves from that of a commercial VPN Operator to the end-user entirely - removing any perceived issues with the VPN Operators interest.
To conclude, in part for the benefit of the OP, I hope to have provided additional qualified information as to some of the benefit and limitations of using a VPN.
