Will a VPN Protect Me? Understanding Threat Models


The internet was originally designed for communication between trusted partners, with a focus on resilience against external threats like nuclear attacks. However, it lacked protection against internal threats from malicious network users. Neither the content nor the metadata (such as user IDs, dates, or email subjects) was private or protected from tampering or interception.

As the internet evolved, various internal threats were identified, and network components were updated to address them. However, most efforts targeted minor adversaries like individuals or criminal organizations. As a result, email remains unprotected against powerful adversaries. The HTTPS protocol was developed to authenticate websites and protect users from eavesdropping and man-in-the-middle (MitM) attacks, but its security depends on a hierarchical system of trusted certificate authorities, which remain vulnerable to powerful attackers.

Commercialization led to an advertising-driven economic model, incentivizing the most capable players to invade user privacy. Worse, the internet has become heavily militarized by the US and China, resulting in mass surveillance and targeted attacks. Intercepted information is often (albeit secretly) used for business development and law enforcement.

Censorship is also widespread. Countries like China, India, the UK, Iran, Saudi Arabia, and Pakistan restrict internet access for various economic, social, ideological, or religious reasons. The US censors the internet mainly to protect intellectual property rights, using its jurisdiction over .com, .net, and .org domain registrars to seize thousands of sites, often based solely on allegations. All such domains (including most VPN services) are vulnerable. This article does not judge censorship as “good” or “bad”—its existence is simply a fact.

When defining your threat model, consider what you want to protect, from which potential adversaries (“archetypal attackers”), and what the consequences of compromise might be. Also, consider your skills, how much effort you’re willing to invest, and what level of convenience you’re prepared to sacrifice. Remember, you may have several context-dependent threat models and may want to combine different protective measures for each.

Examples of Threat Models

Below are typical threat models for potential users, ranging from trivial to advanced. Each example includes: 1) a brief description of the threat; 2) recommended protective measures; 3) how they work; 4) issues and limitations. For all but the first model, it’s important to prevent data leaks if the VPN connection drops. Use a VPN client with leak protection or set up your own firewall, and always test for leaks.
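The two precautions above, a fail-closed firewall and a leak test, can both be scripted. The following is an added example (not code from the article): it generates an nftables kill-switch ruleset and audits the main routing table for routes that would bypass the tunnel. The interface names (`tun0`, `wlan0`), the VPN server `203.0.113.5` on UDP 1194 and the two route listings are constructed for the example; apply the ruleset with `nft -f` and feed the audit the output of `ip -4 route show`.

```python
"""Kill switch and local leak audit for a VPN client.

Added example, not code from the article. Hypothetical values: tunnel
interface "tun0", physical interface "wlan0", VPN server 203.0.113.5 on
UDP 1194. The ruleset is nftables syntax meant for `nft -f`; the audit
reads the main routing table as printed by `ip -4 route show`.
"""
import re
from typing import Dict, List


def kill_switch_ruleset(tun_if: str, phys_if: str, vpn_server: str,
                        vpn_port: int, proto: str = "udp") -> str:
    """nftables output chain that fails closed when the tunnel is down.

    Only loopback, packets leaving through the tunnel, the encrypted VPN
    packets to the server itself and DHCP renewals on the physical interface
    may leave; everything else is dropped instead of falling back to the ISP.
    """
    lines = [
        "table inet killswitch {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oifname "lo" accept',
        f'    oifname "{tun_if}" accept',
        f'    oifname "{phys_if}" ip daddr {vpn_server} {proto} dport {vpn_port} accept',
        f'    oifname "{phys_if}" udp dport 67 accept',
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")


def parse_routes(ip_route_output: str) -> List[Dict[str, object]]:
    """Parse `ip -4 route show` lines into dicts (dst, via, dev, metric, ...)."""
    routes = []
    for line in ip_route_output.splitlines():
        line = line.strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue
        r: Dict[str, object] = dict(m.groupdict())
        metric = re.search(r"\bmetric (\d+)", line)
        r["metric"] = int(metric.group(1)) if metric else 0  # absent metric == 0
        r["scope_link"] = "scope link" in line
        r["raw"] = line
        routes.append(r)
    return routes


def audit_routes(ip_route_output: str, tun_if: str, vpn_server: str) -> List[str]:
    """Return findings; an empty list means every non-local destination is
    routed into the tunnel and only the VPN packets themselves reach the
    physical interface."""
    routes = parse_routes(ip_route_output)
    tun_dsts = {r["dst"] for r in routes if r["dev"] == tun_if}
    # OpenVPN's "redirect-gateway def1" adds 0.0.0.0/1 + 128.0.0.0/1 through
    # the tunnel instead of replacing the default route; both forms cover all.
    split = {"0.0.0.0/1", "128.0.0.0/1"} <= tun_dsts
    tun_default = min((r["metric"] for r in routes
                       if r["dev"] == tun_if and r["dst"] == "default"), default=None)
    findings = []
    if not split and tun_default is None:
        findings.append(f"no catch-all route via {tun_if}: traffic uses the physical interface")
    for r in routes:
        if r["dev"] == tun_if or r["scope_link"]:
            continue  # tunnel routes and on-link LAN routes are expected
        if r["dst"] in (vpn_server, vpn_server + "/32"):
            continue  # host route carrying the encrypted VPN packets
        if r["dst"] == "default" and (split or (tun_default is not None and tun_default < r["metric"])):
            continue  # shadowed by the tunnel's more specific or lower-metric routes
        findings.append(f"route bypasses the tunnel: {r['raw']}")
    return findings


# Constructed samples of `ip -4 route show` output: tunnel up, then tunnel down.
ROUTES_OK = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""
ROUTES_LEAKY = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""

if __name__ == "__main__":
    print(kill_switch_ruleset("tun0", "wlan0", "203.0.113.5", 1194))
    print("tunnel up:", audit_routes(ROUTES_OK, "tun0", "203.0.113.5") or "no leaks")
    print("tunnel down:", audit_routes(ROUTES_LEAKY, "tun0", "203.0.113.5"))
```

The route audit only catches leaks visible in the main routing table; the ruleset is what actually stops packets when the tunnel disappears, which is why the article recommends both. Note that DNS must also be served through the tunnel: with this ruleset a resolver reachable only on `wlan0` simply stops working rather than leaking.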

1. Protection Against Hackers on Public Networks

Users connecting to public Wi-Fi hotspots may fear hackers (from other users or network admins) intercepting their data, such as credit card or bank information. They need security and privacy but are not trying to hide their internet activity or be anonymous.

  • Recommended: Any reputable VPN service.
  • How it works: All traffic between the user’s device and the VPN server is encrypted (usually with AES-256). Eavesdroppers on the public Wi-Fi see only encrypted data.
  • Limitations: VPNs do not encrypt traffic between their exit servers and the final internet destination. For end-to-end encryption, users should connect to sites using HTTPS.

2. Protection Against ISP Monitoring

Some users are concerned that their ISP may monitor and log their online activity, potentially sharing logs with others. They want privacy and anonymity but are not worried about real-time hackers or other adversaries.

  • Recommended: A reputable no-logs VPN service with perfect forward secrecy.
  • How it works: The ISP sees only encrypted traffic to the VPN server. Websites see the VPN server’s IP, not the user’s. With perfect forward secrecy, compromising a VPN session only exposes that session’s data.
  • Limitations: Users must trust the VPN more than their ISP. For higher stakes, consider splitting trust (e.g., using Tor or chaining VPNs). For hiding Tor usage, access Tor via a VPN or a chain of VPNs.
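Why perfect forward secrecy limits the damage of a later key compromise is easiest to see by running both variants. The following is an added example, not code from the article or from any VPN product: a toy Diffie-Hellman exchange in which the server either reuses its long-term key for every session (no forward secrecy) or generates a throwaway key per session. The group `(P, G)`, the XOR stream cipher and the "recorded traffic" are constructed for the demo; a real VPN uses a vetted group or curve, an AEAD cipher and a signature over the ephemeral key, which is omitted here.

```python
"""Perfect forward secrecy in a VPN handshake, shown with a toy key exchange.

Added example, not from the article. The group (P, G), the XOR-based
stream cipher and the recorded "traffic" are constructed for the demo; a
real VPN uses a vetted DH group or curve, an AEAD cipher and a signature
to authenticate the ephemeral key (the signature step is omitted here).
"""
import hashlib
import secrets

P = 2**255 - 19  # prime modulus; toy choice for illustration, not a vetted DH group
G = 2


def keygen():
    """Return (private, public) for a Diffie-Hellman key pair in the toy group."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def session_key(own_priv: int, peer_pub: int) -> bytes:
    """Derive a 256-bit session key from the shared DH secret."""
    shared = pow(peer_pub, own_priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with a SHA-256 counter stream (symmetric)."""
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        pad = hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def run_session(server_priv: int, server_pub: int, forward_secret: bool,
                plaintext: bytes) -> dict:
    """One VPN session as recorded by a passive eavesdropper.

    Without PFS the server's long-term DH key is used directly. With PFS a
    fresh server key is used and discarded when the session ends; the
    long-term key would only sign it.
    """
    client_priv, client_pub = keygen()          # clients always use a fresh key
    if forward_secret:
        s_priv, s_pub = keygen()                # ephemeral, lives only for this session
    else:
        s_priv, s_pub = server_priv, server_pub
    key = session_key(client_priv, s_pub)
    assert key == session_key(s_priv, client_pub)   # both sides agree
    ciphertext = keystream_xor(key, plaintext)
    # Only public values and ciphertext cross the wire; s_priv is dropped here.
    return {"client_pub": client_pub, "server_pub": s_pub, "ciphertext": ciphertext}


def decrypt_with_stolen_key(recording: dict, stolen_server_priv: int) -> bytes:
    """Later compromise: the adversary obtains the server's long-term private
    key and tries it against traffic recorded earlier."""
    key = session_key(stolen_server_priv, recording["client_pub"])
    return keystream_xor(key, recording["ciphertext"])


def demo(plaintext: bytes = b"GET /private-page HTTP/1.1") -> tuple:
    """Return (recovered_without_pfs, recovered_with_pfs)."""
    server_priv, server_pub = keygen()
    no_pfs = run_session(server_priv, server_pub, False, plaintext)
    pfs = run_session(server_priv, server_pub, True, plaintext)
    return (decrypt_with_stolen_key(no_pfs, server_priv) == plaintext,
            decrypt_with_stolen_key(pfs, server_priv) == plaintext)


if __name__ == "__main__":
    print("recovered (no PFS, PFS):", demo())   # expected: (True, False)
```

With the long-term key reused, every recorded session opens once that key leaks or is seized; with per-session keys the adversary holds the long-term key and the transcript but not the ephemeral exponent, so the recorded session stays closed. That is the "only exposes that session's data" property the bullet refers to, and it is why a no-logs claim matters more when paired with PFS: neither the provider nor someone who later compromises it can reconstruct past traffic.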

3. Hiding IP and Location from Websites

Some users don’t want websites to know their ISP-assigned, location-based IP address or their real name (via IP or previous activity). They are not concerned about threats from ISPs or regulators.

  • Recommended: Any reputable VPN service, plus using a fresh device or virtual machine not previously used for those sites.
  • How it works: Websites see the VPN exit server’s IP, not the user’s. Using a new device/VM avoids cookies or trackers linked to the user’s real identity.
  • Limitations: Don’t rely on browser privacy modes or anti-tracking plugins alone. Even Tor Browser can be vulnerable to zero-day exploits. For high-value targets, use dedicated devices.

4. Hiding Real Name from Journalists

Users may want to remain anonymous to a specific correspondent (e.g., a journalist) when communicating by email, hiding their real-name-linked IP address. They are not concerned about ISPs or governments.

  • Recommended: Any trusted VPN service.
  • How it works: The email’s “Received: from” header will show the VPN exit server’s IP, not the user’s. This applies to both webmail and standalone email clients.
  • Limitations: The email account must not be linked to the user in any way (no payment trails, no use in identifying contexts). Adversaries can still identify the VPN service and may inquire about the user. For advanced adversaries, use chained VPNs or Tor. Setting up email clients to use Tor without leaks is complex, and some VPNs block SMTP to prevent spam.
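What the correspondent actually sees can be checked by parsing the headers of a received message. The following is an added example, not code from the article: it walks the `Received:` chain of a constructed message in transit order and extracts, from the first hop, the address the sender's mail provider recorded (here a VPN exit, `198.51.100.77`) and the name the sending client announced at connection time. All hostnames, addresses and IDs in the sample are made up.

```python
"""What a correspondent can read from an email's Received: headers.

Added example, not from the article. The message below is constructed:
the sender's laptop submits mail to its provider through a VPN, so the
provider records the VPN exit (198.51.100.77, a documentation address)
rather than the sender's ISP address. Hostnames and IDs are made up.
"""
import email
import re
from email import policy
from typing import Dict, List, Optional

# Constructed sample as stored in the recipient's mailbox. Each relay
# prepends its own Received: line, so the last one is the first hop.
RAW_MESSAGE = b"""\
Received: from mx.journalist.example (mx.journalist.example [192.0.2.20])
 by inbox.journalist.example with ESMTPS id 4a1b2c
 for <reporter@journalist.example>; Tue, 01 Jan 2019 10:00:02 +0000
Received: from smtp.mailprovider.example (smtp.mailprovider.example [203.0.113.10])
 by mx.journalist.example with ESMTPS id 9d8e7f; Tue, 01 Jan 2019 10:00:01 +0000
Received: from laptop.local (vpn-exit-7.example [198.51.100.77])
 by smtp.mailprovider.example with ESMTPSA id 5f6g7h; Tue, 01 Jan 2019 10:00:00 +0000
From: tipster@mailprovider.example
To: reporter@journalist.example
Subject: hello
Message-ID: <20190101100000.5f6g7h@mailprovider.example>

Call me.
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_CLAUSE = re.compile(r"^from\s+(\S+)")


def received_hops(raw: bytes) -> List[str]:
    """Received: headers in transit order (earliest hop first), unfolded."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = [" ".join(str(h).split()) for h in msg.get_all("Received", [])]
    return list(reversed(hops))


def first_hop(raw: bytes) -> Dict[str, Optional[str]]:
    """What the recipient learns about the sender's connection: the address
    the first relay saw and the name (HELO/EHLO) the sending client announced."""
    hops = received_hops(raw)
    if not hops:
        return {"ip": None, "helo": None}
    ip = IP_IN_BRACKETS.search(hops[0])
    helo = FROM_CLAUSE.match(hops[0])
    return {"ip": ip.group(1) if ip else None,
            "helo": helo.group(1) if helo else None}


if __name__ == "__main__":
    for n, hop in enumerate(received_hops(RAW_MESSAGE), 1):
        print(f"hop {n}: {hop[:70]}...")
    print("sender as seen by the provider:", first_hop(RAW_MESSAGE))
```

The address is the VPN exit, as the bullet says, but the first-hop line also carries the name the client announced (`laptop.local` in the sample). A standalone mail client typically announces the machine's hostname, which a VPN does nothing to hide, so a hostname that contains a real name undoes the address protection; webmail sidesteps that because the browser never speaks SMTP.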

5. Protection from Regulators

Some users want to hide their online activity (content and metadata) from ISPs and regulators, as well as their location and identity from websites. They seek both privacy and anonymity, resilient to regulatory attempts to break it. They are not under active investigation and strong encryption is not restricted.

  • Recommended: Tunnel traffic through multiple anonymity systems, e.g., a chain of VPNs followed by Tor. For more security, connect anonymously via public Wi-Fi.
  • How it works: VPNs hide activity from local observers and mask location/identity from remote observers. Chaining VPNs splits trust; using Tor makes collusion between providers impossible, forcing adversaries to rely on traffic analysis or exploiting system vulnerabilities.
  • Limitations: This model is only suitable where strong encryption is legal, users are not under investigation, and consequences of exposure are minor. Even with precautions, connecting via ISP is risky. Anonymous public Wi-Fi is safer but less convenient.

6. Protection from Censorship

Some users want to bypass censorship without drawing attention or needing strict anonymity. They believe the consequences of exposure are minor.

  • Recommended: Any reputable VPN service. For advanced censors, use VPNs with obfuscated proxies; for powerful censors, use Tor with obfuscated bridges.
  • How it works: ISPs and regulators see only encrypted traffic to the VPN server. If the regulator can’t monitor the VPN server’s local traffic, they can’t see which sites the user visits, unless they block or throttle all traffic to the VPN server.
  • Limitations: If exposure consequences are significant or strict anonymity is needed, use the next threat model. Advanced censors may block all VPN proxies; Tor with obfuscated bridges is more resilient due to thousands of bridges.

7. Protection from Censorship, ISPs, and Regulators

Some users want to avoid censorship and hide their online activity from ISPs and regulators, as well as their location and identity from websites. They need both privacy and anonymity, resilient to regulatory attempts to break it. They are under active censorship, strong encryption is regulated, and exposure could have serious consequences. They may also face threats from foreign adversaries.

  • Recommended: Tunnel traffic through multiple anonymity systems, ideally starting with Tor and connecting anonymously via public Wi-Fi. Use full-disk encryption with a “panic button.”
  • How it works: Obfuscation thwarts state censorship. Chained anonymity systems further hide activity from local and remote observers. Tor’s thousands of bridges make it highly censorship-resistant. Anonymous public Wi-Fi adds another layer of protection.
  • Limitations: Using public Wi-Fi anonymously can be challenging due to range, line-of-sight, and weather. Wi-Fi access points log MAC addresses; use multiple USB Wi-Fi adapters and MAC spoofing software to reduce profiling risks. If public Wi-Fi is unavailable, connecting via ISP is risky. Devices should use full-disk encryption and be set up for instant shutdown with a panic button that renders the disk unrecoverable.

8. Protection from Everyone (Not Under Direct Targeting)

Some users want anonymity from all adversaries (e.g., the NSA), are subject to state censorship, and live where strong encryption is regulated. They must bypass censorship, hide activity from local observers, avoid message associations, and hide location/identity from all remote observers. They are not under active investigation but fear serious consequences if exposed.

  • Recommended: Tunnel traffic through multiple anonymity systems, starting with Tor and connecting anonymously via multiple public Wi-Fi hotspots. Use full-disk encryption with a panic button.
  • How it works: Tor provides the best protection against censorship and detection. Public Wi-Fi offers backup anonymity if obfuscation fails or activity is linked to a hotspot. Avoiding special attention is crucial; blend in and don’t attract notice by being overly secretive.
  • Limitations: Requires significant knowledge, experience, and resources. The key is to avoid becoming a target of special investigation. Physical security and discretion are paramount.

9. Protection from Everyone (Under Direct Targeting)

These users believe they are specifically targeted for investigation or prosecution.

  • Recommended: Seek a safe physical location, go into hiding, or seek asylum (as Edward Snowden did). Use the approaches from the previous two models.

Conclusion

This overview covers threat models for users with different goals. Only you can decide if the risks associated with models 7, 8, and 9 are acceptable and if you’re prepared for the consequences of countering such threats.

Authors: Vergil & Pavluu
