VPN Troubleshooting

Dann Albright

In this article, I’ll list some of the common issues with VPNs and ways to fix them. Fortunately, identifying and fixing a VPN connection problem is quite simple.

Virtual private networks (VPNs) have a vast array of benefits, but they can also suffer from some very annoying problems. A non-functional VPN is infuriating, and a semi-functional one isn’t much better.

When your VPN is slow, won’t connect, keeps disconnecting, or crashes, there are some things you can do to fix the problem. Let’s take a look.

Fixing a VPN That Slows Your Internet Speed

VPNs will always make your connection slower, but they shouldn’t cause a huge drop in speed. If your connection is so slow that it’s making it difficult to browse, it’s time to take action.

1. Use a Premium VPN

If you’re on a free VPN, you’re almost certain to get pretty slow speeds on your connection. Understandably, VPN providers prioritize their paying customers. Even if they say their free VPN is as fast as their paid option, you might find that you disagree.

There are plenty of affordable VPNs with respectably high speeds, and if you haven’t upgraded to one, we highly recommend it. You may see your speeds increase immediately.

Two of the fastest and most reliable VPN providers are NordVPN and ExpressVPN.

2. Change Servers

The server you use for your VPN connection can make a big difference to the connection speeds you get. The closer you are to the server you’re connecting to, the better speeds you’ll get (in almost every case). You may also get improved speeds from servers that aren’t being used as much.

Most VPN clients make it easy to change servers. Just open the client, select a new server, and confirm your selection. You can then run a speed test or continue browsing to see if the new server is running faster.

If you run a VPN through your router, the process may be more complicated, and it may differ depending on your specific VPN provider. If you remember the process you went through to set up your router VPN, you can likely access your router settings to change the server you access. If you don’t remember the process, or anything has changed, consult the user manuals for your router firmware and your VPN.

3. Change Ports

The connection between your computer and the VPN server uses a networking port on your computer. You can think of this port like you would a physical port; your computer routes traffic from the VPN server to a specific port, and traffic from other places to other ports. It helps keep traffic from various sources separated.

While you might think that every port is as fast as every other, you might be surprised to find out that occasionally changing the port your VPN is connected to will help. Some ISPs slow traffic on specific ports, and sometimes you’ll find that some ports are faster than others for no apparent reason. Try switching your VPN connection through different ports to see if any are faster.

4. Change IP Protocols

Most VPNs allow you to connect via Transmission Control Protocol (TCP) or User Datagram Protocol (UDP). TCP is more commonly used across the internet, as it includes error correction, so if there’s a connection problem or some of the data is corrupted, the transmission is still successful, and the sending computer knows to resend anything that didn’t arrive correctly.

UDP, while not as common, is notably faster than TCP. It doesn’t provide error correction, so if something is lost in transit, it won’t resend the information. This cuts down on the time it takes to transfer information, but may also create a less-reliable connection.

Changing between these two protocols might help you achieve higher speeds, especially if you’re going from TCP to UDP. Keep an eye out for poor connection quality, though.

5. Change VPN Protocols

While OpenVPN is generally considered to be the best protocol for VPN traffic, there are some times when you may want to use L2TP/IPSec. While it doesn’t provide as much security and doesn’t have as many features, it’s also possible that it will slip by filters that slow down OpenVPN traffic.

If you’re using the VPN for security or privacy, we don’t recommend using L2TP/IPSec if you can help it. If you’re just trying to get past region restrictions, it will work. But it won’t be as secure.

6. Disable Local Security Software

Again, this isn’t something we recommend lightly, and if you can avoid it, you should. But if your antivirus program is scanning all of the outbound packets you send, it could be slowing down your connection. Disable it temporarily to see if it speeds up your connection.

7. Change VPN providers

If all else fails, you can always try using another VPN provider. Some are known to have faster speeds than others. And even if your current provider has a reputation for being one of the faster ones, it’s possible that your area, ISP, or other factors are slowing down the connection. Another provider might be faster.

Many VPNs have free trials (such as VyprVPN), so download one and see if another provider can speed up your connection.

 

Fixing a VPN That Won’t Connect

When all you want to do is get on the internet without being vulnerable to surveillance, censorship, or region blocking, a VPN that won’t connect is a big pain. Here’s what you can do to fix the problem.

1. Make Sure You (and the Server) Are Online

The simplest things are the easiest to overlook. If your VPN client isn’t connecting, try opening a website without connecting through a VPN to see if your internet connection is working. If it’s not, restart your router by unplugging it for 30 seconds and plugging it back in. If your internet is still down, it may be a problem at your ISP’s end.

Check your VPN provider’s website, too, to make sure that the server you’re trying to connect to isn’t down. Every once in a while a VPN server will go offline for maintenance—or just because servers aren’t 100% reliable—and you’ll need to connect to another one or wait a while.

2. Make Sure Your Username and Password Are Correct

In many cases, your inability to connect comes from a very simple problem: you typed your password wrong. Or you entered your email address instead of your username. If you’re getting an authentication error, it’s likely related to one of these two issues.

Retype your username and password, and if that doesn’t work, try resetting your password and attempting to connect again.

3. Change Ports

Again, try connecting to the VPN through a different port. Some ISPs and networks block traffic on specific ports, and that can deny your VPN connection request.

Check your VPN’s documentation to see if it suggests or requires connections on specific ports.

4. Try Connecting on a Different Network

Sometimes the problem isn’t with you, it’s with the VPN. One of the best ways to check this is to join a different network. You can try a nearby public wifi spot, like a coffee shop or a grocery store, a friend’s wireless network, or a public hotspot.

If you find that you can connect on the other network, you’ll know that it’s something about your own that’s causing the problem. Check your wifi and internet settings to see if you can find what’s keeping you from signing in.

 

Fixing a VPN That Keeps Disconnecting

Possibly even more irritating than not being able to connect to your VPN is successfully connecting and then dropping out. Especially if it happens over and over. Here’s what to do.

1. Temporarily Disable Your Firewall

While firewalls are important security measures, they can also cause some problems with VPNs. They’ll likely slow down your connection, and if it gets slow enough, the VPN connection may simply shut down.

Firewalls, in short, scan the data going in and out of your private network where it connects to the wider internet. If a firewall sees something that shouldn’t be there, it’ll prevent the transmission. Some firewalls have difficulty keeping up with VPN traffic.

2. Connect to a Nearby Server

Sometimes the problem that causes you to disconnect isn’t with you, but with your VPN provider. If a server isn’t behaving normally, you might be disconnected. Try connecting to another server, preferably one close by, to see if you get a better connection.

3. Change Protocols

Sometimes certain VPN protocols will have difficulty keeping a strong connection. If you’re using OpenVPN (which we generally recommend), try connecting over L2TP/IPSec; if you’re already on L2TP, try OpenVPN. You could also try PPTP, though that’s less ideal.

Again, we recommend sticking with OpenVPN whenever you can, because it’s the most secure of these three common connection protocols. If you can only use your VPN on L2TP, that’s not a big issue, but when at all possible, use OpenVPN.

Changing from UDP to TCP (or vice versa), as discussed above, can also help.

4. Connect via Ethernet

While it’s not common, it’s possible that something at the router level of your network could be causing connection difficulties that will kick you off of the VPN. Plugging directly into the cable jack with an ethernet cable may solve the problem.

The issue often lies in a situation called “double NAT,” which can happen when you have one router behind another. This can happen if you have different routers for different devices or another router connected to your ISP-provided one.

In short, you’ll need to enable bridge mode to make two routers work together. How you make this happen will depend on your router, so you’ll need to dig into the documentation. For a quick explanation of wifi bridging, check out this introduction from Lifewire.
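A way to confirm double NAT before changing router settings, shown as an added example that is not part of the original article: the heuristic below reads `traceroute -n` output and counts private-address hops that appear before the first public one. The sample traces are constructed, the verdict strings are this example's own, and two private hops can also come from an ISP that uses private addresses internally, so treat the result as a hint.

```python
import ipaddress

# Private ranges used on home networks (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Shared address space used by ISPs for carrier-grade NAT (RFC 6598).
CGNAT = ipaddress.ip_network("100.64.0.0/10")


def parse_hops(traceroute_text):
    """Return [(hop_number, IPv4Address or None)] from `traceroute -n` output."""
    hops = []
    for line in traceroute_text.splitlines():
        tok = line.split()
        if not tok or not tok[0].isdigit():
            continue  # header or blank line
        addr = None
        for t in tok[1:]:
            try:
                addr = ipaddress.IPv4Address(t)
                break
            except ValueError:
                continue  # "*", "ms", or a round-trip time
        hops.append((int(tok[0]), addr))
    return hops


def classify(addr):
    """Label one hop address as 'private', 'cgnat' or 'public'."""
    if addr in CGNAT:
        return "cgnat"
    if any(addr in net for net in RFC1918):
        return "private"
    return "public"


def diagnose(traceroute_text):
    """Return (verdict, private_hops) for the hops before the first public one."""
    private_hops, saw_cgnat = [], False
    for _ttl, addr in parse_hops(traceroute_text):
        if addr is None:
            continue  # hop did not answer; it tells us nothing
        kind = classify(addr)
        if kind == "public":
            break
        if kind == "cgnat":
            saw_cgnat = True
        else:
            private_hops.append(str(addr))
    if len(private_hops) >= 2:
        return "double NAT likely", private_hops
    if saw_cgnat:
        return "carrier-grade NAT", private_hops
    return "no double NAT seen", private_hops


# Constructed sample traces (documentation addresses stand in for the internet).
TRACE_DOUBLE = """\
traceroute to 192.0.2.53 (192.0.2.53), 30 hops max, 60 byte packets
 1  192.168.8.1  1.2 ms  1.0 ms  1.1 ms
 2  192.168.1.1  2.4 ms  2.2 ms  2.3 ms
 3  * * *
 4  203.0.113.1  9.8 ms  9.5 ms  9.9 ms
 5  192.0.2.53  12.1 ms  12.0 ms  12.3 ms
"""
TRACE_SINGLE = """\
traceroute to 192.0.2.53 (192.0.2.53), 30 hops max, 60 byte packets
 1  192.168.1.1  1.2 ms  1.0 ms  1.1 ms
 2  203.0.113.1  9.8 ms  9.5 ms  9.9 ms
 3  192.0.2.53  12.1 ms  12.0 ms  12.3 ms
"""
TRACE_CGNAT = """\
traceroute to 192.0.2.53 (192.0.2.53), 30 hops max, 60 byte packets
 1  192.168.1.1  1.2 ms  1.0 ms  1.1 ms
 2  * 100.64.12.1  6.0 ms  6.1 ms
 3  203.0.113.1  9.8 ms  9.5 ms  9.9 ms
"""

if __name__ == "__main__":
    for name, trace in [("double", TRACE_DOUBLE), ("single", TRACE_SINGLE),
                        ("cgnat", TRACE_CGNAT)]:
        print(name, diagnose(trace))
```

Bridge mode on the second router fixes the first verdict; carrier-grade NAT sits on the ISP's side and cannot be changed from your own router.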

5. Change DNS Servers

Occasionally, using a DNS server other than the default supplied by your VPN can help you stay connected. Many VPNs provide their own DNS services for additional privacy, but that can sometimes mess with your connection.

Each VPN will have different steps required for changing DNS servers. Many of them include options that say something like “Only use VPN DNS servers while connected.” You’ll need to turn this option off.

Using other DNS servers might make you slightly more vulnerable to DNS leaks, but if you can’t stay connected long enough to get anything done, that’s probably a tradeoff you’re willing to make.

 

Fixing VPN Software Crashes

Like any other software, your VPN client might crash. If this happens every once in a great while, it’s probably nothing to worry about. But if you’re getting crashes often, and it’s disrupting your browsing experience, you’ll want to take action.

1. Make Sure You Have the Latest Software Version

VPN providers work with developers to make sure that their software is as stable and effective as possible. If you’re not running the most current version, you might have some stability issues.

If at all possible, allow automatic updates to your VPN software. Dig into your VPN client’s settings to see if this is possible. If it’s not, be sure to check for updates regularly.

2. Close Other Apps

If you have a lot of other apps open, they can cause problems with your VPN client, especially if you’re using an older computer. Close anything that you don’t need.

3. Restart Your Computer

Sometimes turning it off and back on again actually does solve the problem. Restart your computer to make sure all updates have been applied and that erroneous processes have been killed off.

4. Reinstall the VPN Client

If worse comes to worst, delete and reinstall your VPN client.

 

Solve Problems with Your VPN Fast

If your VPN isn’t working, it’s in your best interest to solve the problem fast. It’s easy to get out of the habit of starting up your VPN every time you want to get on the internet.

But that exposes you to more surveillance and security issues. If your VPN isn’t working, troubleshoot it immediately—you’ll be glad you did.

If you’re still unable to fix your VPN connection, don’t hesitate to leave a comment and we’ll try to help!

Proxy vs VPN

Kevin Townsend

Kevin Townsend is a writer specializing in cyber security news, views, and issues. He has worked with Wisegate and currently writes for SecurityWeek and TheBestVPN.com.

VPNs and proxy services offer some similar features, but with major differences in versatility and security. This article explains these differences to help you make the right choice for your needs.

What is a VPN?

A Virtual Private Network (VPN) is a simulation (hence “virtual”) of a private, local area network that extends across a public network (the internet). Local VPN client software connects you to a VPN server on the internet which then relays you, anonymously, to your required destination. Traffic going from your computer to the network is encrypted, and all of your browsing data appears to be coming from the virtual private network, rather than your personal machine.

VPNs are a boon to user privacy and security, drastically reducing the risk of your activity being traced, as well as protecting you from a variety of security threats.

VPNs come in consumer and corporate varieties. While corporate VPNs were the original form of VPN and still have an important purpose today, most discussion concerns the widely available consumer variety. Corporate VPNs are usually handled as a different subject, and are used by workers in a company to connect to the proprietary network, allowing them to see and transmit data and work remotely, for example while on a long-distance business trip. When comparing VPNs and proxies in general terms, we’re specifically talking about consumer VPNs.

What is a Proxy?

A proxy is generally much simpler and usually easier to use, though less versatile than a VPN. Using functionality included in an internet browser, a user can set their internet requests to go to an independent server first (the proxy server), which will then make all further data requests on the user’s behalf. This allows for IP addresses to be masked, adding a basic level of anonymity to internet browsing. It also obscures the user’s geolocation, since the destination server can only see the location of the proxy server.

The most common use for a consumer proxy service is to by-pass filters. Students sometimes use proxies to by-pass school blocks on particular online services. If a school firewall blocks access to social media services, it is often possible to access a proxy service and get to the desired destination.

Similarly, proxies can be used to beat certain region-locked services – so that, for example, the BBC’s iPlayer and the U.S. Hulu services can be accessed outside of their respective regions (all that would be required is a proxy server located within the relevant region). Local censorship rules can also be by-passed by using a proxy server located in a region without censorship.

Use of a proxy server is usually established within the user’s browser settings, although some come with their own client software, and some are accessed in-browser as websites. This latter form of proxy website is often very insecure or even dangerous, and is not recommended.

This article is concerned mainly with standard proxy servers, although most of the information applies to proxy services and client software as well.

Why use a proxy?

Proxies offer simple, basic privacy protection; all web traffic is first sent to the selected proxy server, which then retrieves the requested website or data and relays it back to the user. This means that any website you request only sees the IP address of the proxy server, not your own. This offers some protection against surveillance. Unless you’re specifically targeted or investigated, your traffic will remain anonymous. However, the owner of the proxy server will still have access to your data, and is likely to keep logs which can compromise your privacy in the long term.

By obscuring your IP address, proxies also help to reduce targeted advertising, as ad servers will not be able to log your personal IP address. It’s important to choose the right proxy if this is a concern, however, since some will inject their own advertisements into the pages you visit, blocking targeted advertising from one source but using their own logs of your browsing history to push targeted ads in another way.

Proxy server connections are set up from within an internet browser – Chrome, Firefox, Microsoft Edge/Internet Explorer etc – and consequently don’t require any client software like VPNs do. This makes connecting to a proxy considerably less resource-intensive than using a VPN. Without client software to download and install, there will be no impact on hard drive space either. You will still see a reduction in internet speeds as every request is relayed between you, the proxy server and the destination; but the impact to hardware performance on your own computer should be minimal.

Depending on the location of the proxy server, it will also let you access region-restricted websites and content – if a YouTube video is blocked in the US, connecting to a UK proxy server may allow you to view the video. A user in Canada, likewise, can gain access to US streaming services like Hulu by connecting to a US-based server. This may not be the ideal solution for users who need to access content from many different regions, as for each different geo-block you need to bypass, you’d need to reconfigure your settings every time to direct your traffic to an appropriately located server.

Proxies are a basic, lightweight option. They may be useful for users with severely restricted system resources, or who only need a temporary solution for certain issues and don’t need to be too stringent about security.

When using any proxy, however, the importance of finding a trustworthy server cannot be over-stressed. Remember, although you might be gaining a level of anonymity when using a proxy, the owner of the proxy server is anonymous to you as well. Any individual with access to their own server and the internet can set up as a free proxy, and this could easily be used to gather personal data from the users.

Since proxies are often free services, there will be minimum security on the server. In particular, they will almost certainly maintain logs that can be retrieved by law enforcement. Your anonymity cannot be guaranteed.

Why use a VPN?

With proxies relatively easy and cheap to set up and use compared to a VPN, they might be a tempting choice for users who are new to the issues of online privacy and anonymity. However, proxy servers only offer bare-bones functionality and can introduce as many new security issues as they solve.

In 2015, an Austria-based security researcher analyzed 443 free proxy services and servers, and found that almost 80% were unsafe or not secure, either through blocking HTTPS traffic – which leaves you more vulnerable to surveillance or attempts to steal passwords and identity – or actively modifying the HTML and JavaScript of websites visited. The latter is most likely just to inject more advertisements into the client browser, but it’s still alarming to know that many proxy servers can, and do, modify the data you receive.

While a proxy does mask your IP address, it does not provide any deep level of anonymity. Your identity is obscured only to the websites you visit; most proxy servers will still keep logs of which requests you send, making it easy to trace your traffic at a later date even if your IP is hidden at the time you visit a website. There are many VPNs available which have a no-logging policy, not only keeping your IP address anonymous when you access web-pages, but also meaning that it can’t be traced back to you after the fact.

VPN services usually offer a variety of servers for the user to connect to; this makes them the superior solution for bypassing region locks. When using a proxy, you will have to reconfigure your browser to point to whichever server you want to connect to depending on which region’s content you want to access. You cannot go seamlessly from viewing US-only content to UK-only content – and finding a trustworthy server even for one region can be difficult enough. With a VPN, your provider will often have an array of different servers available to connect to as required, allowing you to switch your virtual region safely and easily.

A good VPN can be used from any connection, including public hotspots; the encryption and extra security measures offered by VPNs will protect your browsing data over public connections. Even if an attacker manages to intercept your data, the encryption will make it unusable. Proxies are often less secure than a regular connection, so using one in public – especially one which will not use HTTPS traffic – is potentially dangerous.

Many ISPs throttle bandwidth for torrenting applications, such as BitTorrent, in an effort to combat piracy and limit impact on bandwidth – despite the effects this has on those using torrents for legitimate reasons. In order to throttle this specific kind of connection, they need to employ a process called Deep Packet Inspection. By analyzing the data packets sent over your connection, the ISP can determine whether the data is for regular web browsing or the use of torrent services – and throttle your connection speed in the latter case. Since a VPN encrypts data as it is transmitted, the ISP cannot inspect the packets properly, and therefore cannot detect when you’re using a torrent service.

Which to choose?

A VPN.

When you’re considering whether to use a proxy instead of a VPN, a good general rule of thumb is “don’t”. There are some very specific situations in which a proxy is the better option, but a VPN will offer you every benefit of a proxy server with less risk, more functionality and better protection. As long as you can choose a good VPN (there are many VPN reviews and articles here on thebestvpn.com to help), the only disadvantages are the learning curve and the additional expense.

The majority of proxies are freely available, but there is also a wide variety of paid proxies on offer. These paid services are more stable and reliable, and tend to perform a lot better than free proxies, but they can’t eliminate any of the other disadvantages of using a proxy and not a VPN; your browsing data is still traceable in the event of an investigation, and all the same issues with changing servers and data encryption are still present.

Both VPNs and proxies are likely to slow your connection speed somewhat (except in the case of bandwidth throttling, in which case a VPN is more likely to boost your speed), but a proxy server will usually be much slower, as it is a single unit dealing with a multitude of unique connections, and is limited by not only your own connection speed, but also the owner’s.

The only time we would recommend using a proxy rather than a VPN is when you need a “quick and dirty” solution, perhaps for a one-time use of getting around a specific firewall to access important information, or accessing data that’s restricted to a particular region. If you must use a proxy, bear the risks in mind: try to find as trustworthy a server as possible; make sure that HTTPS is not restricted by the proxy; and never send any important, personal data (identifiable information, passwords, payment information etc.) over a proxy – it could easily be logged, read and even abused if the owner of the server is malicious.

A VPN will fulfill all the functionality of a proxy, with greater security and reliability. For anyone with long-term concerns about privacy, security and data protection, a good VPN is unquestionably the best choice.

IPv4 vs. IPv6

Dann Albright

The internet is undergoing a profound change.

Well, it’s been undergoing this change for quite a while now. And you probably didn’t even know about it. You might know that the Internet Protocol (IP) is what makes the internet work . . . but did you know that we’re in the midst of a huge update to that protocol?

The specification for IPv6 was finalized in 1998, and the internet is still in the process of switching from the previous version, IPv4. It’s been a long process, and we still have a long way to go.

But why should you be concerned about IPv4 vs. IPv6? Does it have any effect on you at all? It certainly does—and we’re going to take a look at those effects shortly. But first, let’s take a closer look at both protocols and see some of the differences between IPv4 and IPv6.

IPv4: Where We Started

You might be surprised to find out that the fourth version of the Internet Protocol has been around since 1983. Possibly even more surprising is the fact that it’s still used for the vast majority of the internet.

And it’s worked really well. The internet doesn’t seem outdated, and our data transmission has worked fine for the past 25 years. But there’s one big problem with IPv4:

We’ve run out of IP addresses.

An IP address is, simply, the location of a device on the internet. Your phone has one. Your computer has one. So does your gaming console (though they might not have unique addresses; we’ll get to that in a moment). Every data packet sent over the internet contains two IP addresses: the one belonging to the sender and the one belonging to the receiver.

It’s how data moves around the internet. As you can imagine, IP addresses are really important.

The problem with IPv4 is that IP addresses are 32-bit numbers (they look like “191.148.205.315”). There are just under 4.3 billion 32-bit numbers. That’s a huge number, so how can we be running out?

First, we have a staggering number of devices that are connected to the internet. More mobile phones are internet-capable, and they need their own IP addresses. There are over a hundred million broadband subscriptions in the US alone. Each of those needs an IP address, too.

But still, 4.3 billion? That seems like a stretch.

One of the factors contributing to the exhaustion of IPv4 addresses is inefficient use. Some large companies in the 1980s were given millions of IP addresses, far more than they could expect to use. There are a lot of owned-but-unused IP addresses out there, and that waste contributes to our running out of 32-bit IP addresses.

There’s been a push for people who own those unused IP addresses to give them back so they can be used by others, and that has helped slow the rate of exhaustion. But we’re just adding too many devices too quickly.

Which is where IPv6 comes in.

IPv6: The Present and the Future

As I mentioned, IPv6 was finalized in 1998, and it solves a number of issues with IPv4. The biggest improvement it brings to the table is 128-bit IP addresses (something like “2001:0db8:85a3:0000:0000:8a2e:0370:7334”). Instead of being limited to 4.3 billion, the new protocol supports somewhere in the neighborhood of 3.4×10^38 addresses.

That’s 340 undecillion IP addresses.

To be fair, Chris Welsh showed that only 42 undecillion will actually be available to assign. Fortunately, that’s still an almost unimaginably large number. We won’t be running out of IP addresses anytime soon on the IPv6 network.

This larger number of IP addresses also means that every device can have its own address. Right now, routers have unique addresses, and individual devices connected to those routers are given non-unique addresses. So data is sent to the router, and it’s forwarded on to its final destination from there.

This process is made possible through Network Address Translation (NAT). And while NAT is a useful and reliable technology, it has some downfalls. It makes certain protocols unable to protect your devices, for example. It also requires resources to effectively do its job (though the amount of resources is extremely small).

IPv6 does away with NAT. Because there are enough addresses for every device, using non-unique IP addresses for devices behind routers is unnecessary. And NAT won’t be standing in the way of improved security.

The new protocol is also more efficient than IPv4; simplification in data packet headers, better routing functionality, and support for better peer-to-peer networking are all improvements. Even with those improvements, though, users aren’t likely to see huge jumps in performance. Sucuri found little to no performance boost over IPv4, and others have found minimal improvements in the range of 5–10%.

But we’re still in the very early stages of IPv6, and more efficient data transfer is always good.

The Current State of IPv6

Despite being finalized in 1998, very few places on the internet have converted to IPv6. In May 2017, 37 countries had more than 5% of their internet traffic going via IPv6. Only seven countries had more than 15%. If IPv6 is so much better, why haven’t more people converted?

In short, because it’s expensive. It requires new server software and equipment. And it’s also not backward-compatible with IPv4. So any site that wants to work for users coming in via both protocols needs essentially two versions of their site (or a translator service).

But IPv6 is steadily becoming more popular. Most modern routers and operating systems provide support for the protocol. ISPs are rolling out IPv6 capabilities to more users all the time. Most major ISPs offer at least some IPv6 functionality, though they’re deploying at different rates around the developed world.

Should You Use IPv6?

Now that you’ve seen some of the benefits of IPv6 and how widely available it is, you might be wondering if you should use it. In short, yes, you should. The more widespread the adoption of the new technology, the better. If your ISP offers it, and you have a router capable of supporting it, it’s a good idea to turn it on.

Before you set out to turn it on, though, you should test to see if you’re already using it. Head to www.test-ipv6.com to see if you’re using IPv6. Here’s what you’ll see if you’re only using IPv4:

testing IPv6 connectivity

Turning on IPv6 will depend on your router and your ISP. Your best bet is to search for “[router manufacturer] ipv6 [your ISP].” You may also want to upgrade your router’s firmware to DD-WRT to make the change easier.

It’s important to understand that there are two ways of accessing IPv6 sites: with a transition mechanism and natively. There are numerous transition mechanisms, but one called 6to4 is likely the most commonly used. It encapsulates IPv6 data in IPv4 transmissions, effectively letting you see newer-format sites with an older transmission protocol.

A native IPv6 connection lets you connect directly to the site in question, skipping the transition process. This is what you need for a full switch over to IPv6. If your router gives you the choice, you’ll want to choose native IPv6.

To see if a site will accept IPv6 connections, use the IPv6 validation tool. If the site has a 128-bit IP address, you know that the site is IPv6-compatible.

How to Turn IPv6 Off

If you’d rather not use IPv6 (and we recommend not using it if your VPN can’t protect your traffic), you can simply tell your computer not to use it. On Windows, go to Settings > Network & Internet > Network & Sharing Center (it’s at the bottom of the window).

Network and sharing center

Click Change adapter settings and then right-click your main internet connection (in my case, it’s my wifi connection) and select Properties:

WiFi Properties

Scroll through the list until you see Internet Protocol Version 6 (TCP/IPv6) and uncheck the box:

Internet Protocol Version 6

To turn off IPv6 on a Mac, head to System Preferences > Network. Click Advanced and then go to the TCP/IP tab.

Configuring IPv4 on Mac

From here, just change the Configure IPv6 drop-down menu to Off.

If you don’t see the Off option, you need to run a Terminal command. Open Terminal and run one of the following commands, based on how you’re connected to the internet:

networksetup -setv6off "Wi-Fi"
networksetup -setv6off "Ethernet"

That should enable the Off option in the TCP/IP tab of the Network settings. To turn it back on, just select Automatically in the menu or run one of these commands:

networksetup -setv6automatic "Wi-Fi"
networksetup -setv6automatic "Ethernet"

IPv6 and VPNs

We’re all about VPNs here, so of course we’re going to talk about IPv6 and VPNs. If you’ve done much research on VPNs, you might have noticed that many providers disable IPv6 traffic over their VPN. This is because many VPN providers haven’t yet updated their servers and software to accommodate the new standard.

Unfortunately, this means that IPv6 traffic is sometimes routed through your ISP instead of your VPN. And that defeats the purpose of having a VPN in the first place. This is known as an IPv6 leak.

A 2015 study found that the majority of VPN providers suffered from IP address leaks, and that many of them were also vulnerable to IPv6 DNS hijacking. In 2016, another group of researchers found that 84% of Android VPNs weren’t routing IPv6 traffic through the VPN.

Fortunately, studies like these have encouraged providers to better protect their customers’ privacy by including IPv6-friendly features. Some VPNs are able to handle IPv6 traffic. Others simply tell their users to disable that traffic to prevent IP address leaks.

If you’re not sure what your current VPN is doing about IPv6 traffic, it’s a good idea to test your connection for IP leaks. IPleak.net is a good tool for testing whether you’re leaking IP information, and it covers both IPv4 and IPv6 traffic. If you see your personal or ISP’s IP address displayed on the page, your VPN isn’t fully protecting your privacy.

Some VPN providers have instituted support for IPv6 traffic, but not as many as we’d like. We’ll give you a few recommendations below for IPv6 protection.

Keep in mind that IPv6 support and IPv6 leak protection are different features. Leak protection usually involves just turning IPv6 off. This does protect your privacy, as there’s nothing to leak. But it doesn’t take advantage of the features that IPv6 provides. IPv6 support, however, lets VPNs route newer-protocol traffic to IPv6-enabled sites.

This is an important distinction. IPv6 leak protection is good—it definitely improves your safety. But IPv6 support takes it to another level.

VPNs That Support IPv6

As I mentioned previously, most VPNs don’t support IPv6 connections. There are a few, however, that will let you connect via IPv6. Mullvad (review) and FrootVPN (review), two VPNs that we like, offer full support. So does Perfect Privacy, but we haven’t had a chance to review their VPN at the time of this writing.

Beyond those three, your best bet is to find a VPN with IPv6 leak protection to prevent your traffic being routed through your ISP. Most of the top-rated VPNs provide some kind of leak protection. A few, like NordVPN (read review), have been very vocal about instituting their leak protection programs, and you can trust that they’ll be effective.

To find out whether your chosen VPN offers IPv6 leak protection, your best bet is to consult their documentation. Some have an option that you need to turn on. Others block IPv6 traffic automatically. Still others recommend that you turn off IPv6 traffic on your computer.

Of course, we recommend always routing your traffic through a VPN. But if your VPN leaks your IPv6 IP address, it’s probably a better idea to simply turn IPv6 off using the instructions above.

Be Safe with IPv6

Because it’s a new and better technology, you may want to jump right into IPv6. If it’s better than IPv4, why wouldn’t you use it by default? But as we’ve seen, there are a few issues with it, primarily that most VPNs don’t support it and that, if they lack leak protection, you could be leaking your IP address when you think it’s protected.

Check to make sure that your VPN either supports IPv6 or offers protection from IP address leaking. If it doesn’t, switch VPNs (most of the big names provide some sort of protection) or turn IPv6 off from your computer’s settings.

If you’ve taken those steps, you can be confident that you’ll be safer on the new, IPv6-enabled internet.

Have you made the switch to IPv6 yet? Does your VPN provider support it? Share your experiences in the comments below!

A Beginner’s Guide to Setting Up a Router VPN

Written by Dann Albright

After an MA (and most of a PhD) in psycholinguistics, he fully committed to digital and print journalism. With over 10 years of professional writing experience, he’s written about everything related to online privacy and technology.

VPNs provide you with a lot of great benefits. You might use one to get around region restrictions on a streaming service. Or protect your privacy if you feel like your ISP or your government might be snooping. You could be taking advantage of VPNs to bypass censorship in your home country.

But you might be one of the many people who face a problem: you forget to log into your VPN. Or just don’t want to. Or you can’t log into your VPN with all of your devices, like your gaming console or your smart TV. Most of the time, people log into their VPNs through a web interface or by downloading an app from their provider.

This is an easy way to access a VPN, but there’s another way: setting up the VPN directly on your router. It’s more convenient, more secure, and protects more devices than using a browser-based or downloadable VPN.

When you first start looking into it, setting up a VPN on your router can be a bit intimidating. But we’ll walk you through the whole process here. We’ll start with how router VPNs work, so you get an idea of what we’re talking about. We’ll go over why you should install one. And finally, we’ll walk you through the process of setting up a VPN on your router.

There’s a lot to cover, so let’s get started!

 

Why You Should Add a VPN to Your Router

Logging into a VPN through your browser or an app is simple and it works well, so why should you install a VPN on your router? There are a few distinct advantages that this approach provides:

1. It’s always up and running

When your router connects directly to a VPN, you never have to worry about signing into the service. When you’re just trying to get online for a few minutes, entering your username and password and waiting for the service to load up can be a pain.

Having a VPN connection on your router means you’re always connected. And that’s crucial when you’re using one to protect your privacy. No more forgetting to log in.

2. You only have to sign in once

If you have several devices connected to your VPN, you have to set it up manually on each device. If you change phones often, or let friends use your wi-fi and want to protect their privacy, this can be a hassle.

When the VPN is installed on your router, you only have to sign in once. After the VPN is successfully set up on your router, it’ll protect everything on your network without having to sign in on any of those devices.

3. It protects all of your devices

With a standard VPN, you have to log each of your devices into your VPN provider separately. That can be difficult when you’re connecting TVs, game consoles, or other devices that don’t let you download and run any apps you want.

If you have guests over, they’ll automatically be connected to the VPN if they connect to your router. Which is a nice bonus if you want to protect your friends’ and family members’ privacy as well.

All of the devices on your network, no matter what they are, will automatically be routed through your VPN. This approach is more convenient than using an app-based VPN (especially if it doesn’t support every device in your house).

Unfortunately, these benefits come with a cost: running all of your traffic through a VPN could slow down your connection. How much depends on your VPN provider, connection speed, and other factors. But it’s worth noting that your internet access won’t be quite as snappy as it was before.

It’s also possible that you might have trouble accessing local geo-restricted content. If you’re trying to get to something that’s only accessible by people in your country, and your traffic is routed through another one, you’ll be blocked. It’s easy to deal with, but it can be annoying.

Even with those tradeoffs, installing a VPN on your router is still a good idea. Let’s take a look at how to do that.

 

Making Sure You Have the Right Router

Unfortunately, not every router can have a VPN set up on it. In fact, there are only a few routers that you can buy from manufacturers that are ready for VPNs right out of the box. And they tend to be pretty expensive.

But you have a few options here. One of them involves a bit of tinkering with your router, but we’ll show you how to do that.

Here are your options:

1. Buy an out-of-the-box VPN-compatible router

Some router manufacturers are now selling routers that support VPNs right out of the box. This is extremely convenient, as you can just buy a stock router and set up your VPN. It’s definitely the easiest option.

VPN-capable wireless routers tend to cost a bit more than regular routers. For example, the TP-Link SafeStream N300 is a good entry-level wireless router that costs $85. That doesn’t seem too bad, until you realize that you can get a faster AC router for around $50.

However, the extra money that you pay for a VPN router will pay off in ease of use. If your router doesn’t currently support adding a VPN, you may find that it’s a pain to flash your own firmware and install one yourself.

Most VPN-compatible routers allow you to connect a wide range of different VPNs. Most VPNs use the OpenVPN protocol, and almost every VPN router you can find will support this protocol, meaning you can use your router with any VPN provider you want.

2. Flash new router firmware

A router’s firmware is, essentially, the program that runs the router. You probably don’t think very much about your router’s firmware. And that’s by design; it comes fully installed and almost completely set up. You rarely need to mess with it.

But one thing that many people don’t realize is that you can replace that firmware to add new capabilities to your router. This is called “flashing,” and there are two pieces of firmware that are commonly flashed on routers.

The first is DD-WRT, an open-source firmware that strives to give users the maximum amount of functionality without being overly complex. DD-WRT lets users adjust the strength of their wifi signal, manage quality-of-service settings to prioritize specific types of traffic, access your home network from afar, and more.

But, most importantly for this discussion, it also lets you install a VPN. We’ll go over exactly how to do that in a bit.

The second option is called Tomato, and it provides similar functionality. There are a few differences; for example, Tomato isn’t available on as many routers. But it offers better bandwidth monitoring, multi-VPN switching, and a few other things. To see a more detailed breakdown of the differences, check out FlashRouters’ comparison of the two.

Of course, Tomato also lets you install a VPN.

So which should you choose? The choice may already be made for you if you’re flashing your own router, as both firmwares are available for different routers. Check out the supported devices for DD-WRT as well as Tomato-compatible routers to find your router. Beyond that, it could come down to very subtle differences.

Fortunately, both are totally free.

If you’re new to the router firmware scene, just pick one and go with it. Both will give you better router performance and the ability to install a VPN.

How to flash new firmware to your router

Ready to flash firmware to your router? Here are the basics of how to do it.

First, confirm that your router is compatible with the firmware you want to install. Check the previously linked pages to make sure that Tomato or DD-WRT will work on your router.

Find your router model

If your router is compatible, download either the DD-WRT installation files or those for Tomato.

download DD-WRT installation files

Next, do a hard reset of your router.

When it’s booted back up, log into your router’s administration page. You’ll need to check your router’s manual to find out how to access it. (As an example, my own router requires me to go to http://192.168.10.1.) Enter your admin username and password to log into the administration panel.

Most routers make it easy to upgrade the firmware, and will show you an “Upgrade Firmware” or similar option in the administration panel. (Trendnet routers have this option in the Advanced section.)

installing firmware

The administration panel will then ask you to choose a file. Choose the file that you downloaded from DD-WRT or Tomato, then confirm that you want to install it.

It’ll take a few minutes to install; don’t do anything to your router, computer, or internet connection while it’s installing. This could have disastrous effects for your router. You’ll eventually see a confirmation message that the installation was successful.

Wait about five minutes before hitting “Continue.”

After that, do another hard reset of your router. Then head back to the IP address of your administration panel, and you’ll have successfully flashed DD-WRT!

The installation process for Tomato is similar. Just to be safe, you should probably read over the installation instructions for DD-WRT or those for Tomato before you get started.

3. Buy a pre-flashed router

Does installing your own firmware sound difficult? It’s not too bad, but you have to be confident enough to mess with your router. If you’d rather not do this, you can still get DD-WRT or Tomato—you’ll just have to buy a router that comes with one or the other pre-installed.

One of the advantages of going this route is that you can buy just about any router you want and still install a VPN.

FlashRouters is the go-to destination for pre-flashed routers. You can buy a wide variety of routers from Linksys, ASUS, and Netgear, and they come flashed with DD-WRT or Tomato.

You can even get routers that have VPNs pre-installed on them, so all you have to do is sign into your provider account when they arrive. It really doesn’t get much easier than that.

That being said, pre-flashed routers can be expensive. For example, you can grab the Linksys WRT3200AC router on Amazon for $180. If you want it pre-flashed and prepped for IPVanish VPN, you’re looking at $300 or more.

That’s a huge bump in price. But, then again, it’s completely ready for you to use. And depending on how comfortable you are with tinkering with your router, it could be worth the expense.

Choosing a VPN for Your Router

Now that you have a router ready to connect you to a VPN, you need to choose the VPN provider that you’re going to use. If you’re already paying for a premium VPN, great! If not, it’s time to do some research.

Once you’ve found one that you like, double-check to make sure that it can be installed on a router. Most VPNs can be installed on a DD-WRT or Tomato router with no problem, but there are some that don’t offer this capability. (Hotspot Shield, for example, makes it difficult, if not impossible, to install its VPN on your router.)

You may want to prioritize speed when you’re choosing a VPN for your router, as it will have to deal with a lot of traffic. You’ll be streaming, gaming, downloading, browsing, and uploading over the VPN now, and any slow-down will be noticeable.

It’s also a bonus if the VPN you’ve chosen has an online guide to setting up the VPN with your router firmware. You might be able to figure out how to do it without a guide (or find the information posted elsewhere), but it’s much easier when you have the best practice straight from the provider.

Beyond these factors, the decision-making process will be the same as any other time you choose a VPN provider. Look for providers that respect your privacy by not keeping logs. Check out speed reports. See where their servers are located. If you want to skip doing all that research, just check out our guide to the best VPNs in 2017, and choose from there.

Understanding VPN Protocols: PPTP vs. L2TP/IPSec vs. OpenVPN

When you’re setting up your VPN router, you might have the choice of a few different VPN protocols. If you aren’t experienced with VPNs, you might not have any idea what the differences are, but choosing the right option will give you better security and speed.

Point-to-Point Tunneling Protocol (PPTP)

PPTP is integrated directly into Windows, making it a popular choice among people who are setting up VPNs. You don’t need a third-party application to get it running, which is nice.

But PPTP is very insecure.

At least compared to the other technologies you could be using. It’ll still disguise your traffic from people who aren’t looking too hard. But the NSA has almost certainly cracked PPTP, which means the US government could monitor your traffic. And that others probably aren’t too far behind.

PPTP does have the advantage of being fast, but it’s not worth trading your privacy for.

Layer 2 Tunneling Protocol / Internet Protocol Security (L2TP/IPsec)

L2TP is a VPN technology that doesn’t actually use any encryption. That’s why it’s usually paired with IPsec, which provides encryption services over the connection.

The biggest advantage of this particular protocol is that it’s fast. Possibly the fastest VPN protocol out there. And it’s often built into modern operating systems, so it’s easy to set up.

But it might not be super secure. It’s tough to say. There’s some evidence that the NSA may have weakened or cracked the IPsec protocol, making this another suspect protocol. The encryption is burlier than that used in PPTP, but it still might not protect you from all prying eyes.

For this reason, it’s probably not a good idea to use L2TP/IPsec if you’re using your VPN to avoid government surveillance. If you want to use it for regionless browsing, that should be fine. But if your safety is in question, stick with OpenVPN.

OpenVPN

The final protocol that you’re likely to come across is OpenVPN, an open-source protocol that uses modern technologies like OpenSSL. It can also run on any port, which means your traffic can be disguised as regular HTTPS traffic, adding an extra layer of security.

Improved authentication, plug-ins, 256-bit encryption, and other security features make OpenVPN the most secure choice for your VPN. Most modern VPNs are capable of using this protocol, and both DD-WRT and Tomato support it.

The drawback to the strength of encryption in OpenVPN is that it can be a bit slower than L2TP. In most cases, you probably won’t notice the difference. But it could add up with torrenting or other big downloads.

In general, though, OpenVPN is far and away the best choice for your VPN.

TCP vs. UDP

Many VPNs allow you to connect to their servers using two different communication protocols. And while it might not make as much of a difference to your security, it’s still good to know which one to choose.

Transmission Control Protocol (TCP) is a “stateful protocol,” which means, in simple terms, that the receiving computer confirms its receipt of the data packet being sent. If the sending computer doesn’t receive a confirmation, it sends the packet again.

This ensures that your data is transmitted reliably, and that packets don’t get dropped.

User Datagram Protocol (UDP) is a “stateless protocol,” so it doesn’t wait for confirmation of receipt from the other computer. This makes communication faster, but also opens it up to the potential of communication errors.

In general, we recommend using UDP unless you have communication errors, in which case you should switch to TCP. Many VPNs do this by default, but if you’re given a choice, it’s a good strategy to stick with.

How to Configure a VPN on Your Router

The method you use to add a VPN to your router depends on whether you’re using a router that is compatible with VPNs out of the box or if you’re using flashed firmware.

A purpose-built VPN router will have its own VPN-ready firmware, and you’ll need to access it to add your VPN. In most cases, it’s best to run a search for “[your VPN] install [your router brand].” That might look like “NordVPN install D-Link.” If you’re using third-party firmware, search for “[your VPN] install [your firmware]” instead, like “IPVanish install Tomato.”

If your VPN has posted instructions for working with that particular type of router, you’ll find them and you can simply follow the instructions. This will be much easier than digging through piles of documentation to get it figured out yourself.

In general, you’ll need to follow a sequence of steps that go something like this:

  • Update the DNS and DHCP settings to match those provided by your VPN provider
  • Disable IPv6 (this helps prevent DNS leaks that might compromise your security)
  • Choose a server IP address from your VPN provider
  • Select a tunnel protocol (TCP or UDP)
  • Choose an encryption method (we recommend AES)
  • Enter your VPN username and password

After that, your router will connect you to the internet through your chosen VPN!

There are all sorts of other settings that you might want to tweak if you’re familiar with them, but these are the basics, and the ones you’ll need to fill in before you can get connected.
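One way to check an OpenVPN client profile against the checklist above before loading it onto the router, as an added Python example that is not from the original article or any VPN provider. The two profiles, the host name, the addresses and the function names are constructed, and treating a missing DNS line as a finding is this example's own policy; IPv6 is switched off in the router firmware rather than in the profile, so it is not checked here.

```python
"""Audit an OpenVPN client profile (.ovpn) against the router checklist."""


def parse_ovpn(text):
    """Return {directive: [argument lists]}, skipping comments and inline blocks."""
    directives = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:                      # inside <ca>...</ca> and similar blocks
            if line == f"</{in_block}>":
                in_block = None
            continue
        if line.startswith("<") and line.endswith(">"):
            in_block = line[1:-1]
            continue
        if not line or line[0] in "#;":   # blank line or comment
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit(text, provider_dns):
    """Return a list of findings; an empty list means the checklist is met."""
    cfg = parse_ovpn(text)
    findings = []

    # Server address from the VPN provider.
    if not cfg.get("remote"):
        findings.append("no 'remote' line: no VPN server is configured")

    # Tunnel protocol: TCP or UDP (OpenVPN uses UDP when the line is absent).
    for args in cfg.get("proto", []):
        if not args or not args[0].lower().startswith(("udp", "tcp")):
            findings.append(f"unrecognised proto value: {' '.join(args)}")

    # Encryption: the article recommends AES.
    ciphers = [a[0] for a in cfg.get("cipher", []) if a]
    for args in cfg.get("data-ciphers", []):
        if args:
            ciphers += args[0].split(":")
    if not ciphers:
        findings.append("no cipher line: algorithm is left to version defaults")
    for name in ciphers:
        if not name.upper().startswith("AES-"):
            findings.append(f"cipher {name} is not AES")

    # Username and password.
    if "auth-user-pass" not in cfg:
        findings.append("no auth-user-pass line: no username/password login")

    # DNS servers should be the ones the VPN provider gave you.
    dns = [a[1] for a in cfg.get("dhcp-option", [])
           if len(a) >= 2 and a[0].upper() == "DNS"]
    if not dns:
        findings.append("no 'dhcp-option DNS' line: resolver is not pinned")
    for server in dns:
        if server not in provider_dns:
            findings.append(f"DNS server {server} is not a provider resolver")
    return findings


# Constructed sample data (documentation address ranges, example host name).
PROVIDER_DNS = {"198.51.100.53"}

WEAK_CONFIG = """\
client
dev tun
remote vpn.example.net 1194
proto udp
cipher BF-CBC
dhcp-option DNS 192.0.2.53
"""

GOOD_CONFIG = """\
# constructed profile
client
dev tun
remote vpn.example.net 1194
proto udp
cipher AES-256-CBC
auth-user-pass
dhcp-option DNS 198.51.100.53
<ca>
(certificate omitted)
</ca>
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(label, audit(profile, PROVIDER_DNS) or "OK")
```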

As I mentioned, the exact settings you’ll need to use depend greatly on the VPN and firmware you’re using. Here are a few links to popular VPNs and the instructions for installing them on your router (I’ve only included instructions for DD-WRT and Tomato; if you’re using a router with built-in VPN capability, consult the owner’s manual):

If you have another VPN provider, you should be able to find information on how to set it up with your firmware without too much trouble. And remember to use OpenVPN if it’s offered as a protocol. There might be situations in which you want to use another protocol, but in general, it’s the best choice.

Upgrade Your VPN Game

If you’re serious about your privacy and security, or you just have a tendency to forget to log into your VPN, installing a VPN on your router is a no-brainer. It takes some work, but if you know what you’re getting into, it’s really not that hard.

The benefits you’ll get from a router VPN definitely outweigh the difficulty of getting one set up. And if you really don’t want to take the time to do it yourself, you can buy a router that’s ready to go.

No matter why you’re using a VPN, installing it on your router will make your life easier and more secure. Now that you know how to do it, you can start the process yourself!

DNS Leaks (Causes & Fixes)

Kevin Townsend

I write about cyber security: news, views and issues. This currently includes: SecurityWeek (objective); ITsecurity.co.uk (subjective); and formerly Wisegate.

Browsers use the Domain Name System (DNS) to bridge the gap between internet IP addresses (numbers) and website domain names (words).

When a web name is entered, it is sent first to a DNS server where the domain name is matched to the associated IP address so that the request can be forwarded to the correct computer.

This is a huge problem for privacy since all standard internet traffic must pass through a DNS server where both the sender and destination are logged.

That DNS server usually belongs to the user’s ISP, and is under the jurisdiction of national laws. For example, in the UK, information held by ISPs must be handed to law enforcement on demand. Something similar happens in the USA, but with the added option for the ISP to sell the data to marketing companies.

While the content of communications between the user’s local computer and the remote website can be encrypted with SSL/TLS (it shows up as ‘https’ in the URL), the sender and recipient addresses cannot be encrypted. As a result, every destination visited will be known to whoever has legal (or criminal) access to the DNS logs – that is, under normal circumstances, a user has no privacy over where he goes on the internet.

VPNs are designed to solve this problem by creating a gap between the user’s computer and the destination website. But they don’t always work perfectly. A series of issues means that in certain circumstances the DNS data can leak back to the ISP and therefore into the purview of government and marketing companies.

The problems are known as DNS leaks. For the purpose of this discussion on DNS leaks, we will largely assume that your VPN uses the most common VPN protocol, OpenVPN.

 

What is a DNS leak?

A VPN establishes an encrypted connection (usually called a ‘tunnel’) between your computer and the VPN server; and the VPN server sends your request on to the required website. Provided the VPN is working correctly, all your ISP will see is that you are connecting to a VPN – it cannot see where the VPN connects you. Internet snoopers (government or criminal) cannot see any content because it is encrypted.

A DNS leak occurs when something unintended happens, and the VPN server is bypassed or ignored. In this case, the DNS server operator (often your ISP) will see where you are going on the internet while you believe he cannot.

This is bad news, since it defeats the purpose of using a VPN. The content of your web traffic is still hidden (by the VPN’s encryption), but the most important parts for anonymity – your location and browsing data – are left unprotected and most likely logged by your ISP.

 

How to tell if my VPN has a DNS leak?

There’s good news and bad news for detecting a DNS leak. The good news is that checking whether your VPN is leaking your DNS requests is quick, easy and simple; the bad news is that without checking, you’re unlikely to ever know about the leak until it’s too late.

There are many in-browser tools to test whether your VPN has a DNS or other form of data leak, including some made by VPN providers such as AirVPN (review) or VPN.ac. If you’re not sure what to do, you could simply go to ipleak.net while you believe your VPN to be operational. This site will automatically check for a DNS leak (and, incidentally, provides a lot more information as well).

  1. Enter ipleak.net into your browser’s address bar.
  2. Once the web page loads, the test begins automatically and you will be shown an IP address.
  3. If the address you see is your IP address and shows your location, and you are using a VPN, this means you have a DNS leak. If your VPN’s IP address is shown, then it’s working normally.

If possible, it’s a good idea to test with multiple online checkers.

Figure 1 shows ipleak.net used with a badly configured VPN. It returns the correct IP address. This is a DNS leak.

Figure 1

Figure 2 shows ipleak used with ExpressVPN configured to use a Belgian server (ExpressVPN lets you select from a range of different countries). There is no DNS leak apparent.

Figure 2

For most users, performing this check before continuing to browse other sites will be sufficient. For some users, this won’t be a perfect solution, as it requires you to connect to the internet and send DNS requests to access the checker tools.

It is possible to test for DNS and other leaks without using one of these websites, although it requires you to know your own IP address and how to use the Windows command prompt. It also requires a trusted test server for you to ‘ping’ directly; this could be a private server you know and trust, or one of the following public test servers:

  • whoami.akamai.net
  • resolver.dnscrypt.org
  • whoami.fluffcomputing.com
  • whoami.ultradns.net

To do this, open the command prompt (go to the start menu, type “cmd” and press Enter), and then enter the following text:

  • ping [server name] -n 1

Replace [server name] with the address of your chosen test server (for example “ping whoami.akamai.net -n 1”), and press Enter. If any of the IP addresses found in the resulting text match your personal or local IP, it’s an indicator that a DNS leak is present; only your VPN’s IP address should be shown.

Figure 3 shows the result with ExpressVPN running. Notice that the only IP address returned is the Belgian IP as shown in Figure 2. There is no DNS leak apparent.

Figure 3

If you find that your VPN has a DNS leak, it’s time to stop browsing until you can find the cause and fix the problem. Some of the most likely causes of a DNS leak and their solutions are listed below.
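The ping check described above, as an added Python example that is not part of the original article: it pulls every IPv4 and IPv6 address out of saved ping output and flags any that fall inside networks you list as your own. It goes one step beyond the text by also unpacking the public IPv4 address embedded in a 6to4 or Teredo address; the sample output, the addresses (documentation ranges) and the function names are constructed for illustration.

```python
"""Check saved `ping <server> -n 1` output for addresses that belong to you."""
import ipaddress
import re


def extract_addresses(text):
    """Return every IPv4/IPv6 literal in text, in order, without duplicates."""
    found = []
    for token in re.split(r"[\s\[\]()<>,;=]+", text):
        candidates = [token]
        # "Reply from 203.0.113.45:" leaves a trailing colon on the token.
        if token.endswith((":", ".")):
            candidates.append(token[:-1])
        for candidate in candidates:
            try:
                # split("%") drops an IPv6 zone id such as fe80::1%12
                addr = ipaddress.ip_address(candidate.split("%")[0])
            except ValueError:
                continue
            if addr not in found:
                found.append(addr)
            break
    return found


def exposed_addresses(addr):
    """Return (kind, address) pairs: addr itself plus any IPv4 embedded in it."""
    if addr.version == 4:
        return [("ipv4", addr)]
    if addr.sixtofour is not None:        # 2002::/16 carries the public IPv4
        return [("6to4", addr), ("6to4-embedded-ipv4", addr.sixtofour)]
    if addr.teredo is not None:           # 2001:0::/32 carries (server, client)
        return [("teredo", addr), ("teredo-client-ipv4", addr.teredo[1])]
    return [("native-ipv6", addr)]


def find_leaks(ping_output, own_networks):
    """Return (address, kind, matched network) for each address that is yours.

    own_networks: your personal IP addresses or ISP-assigned prefixes, as
    strings such as "198.51.100.7" or "2001:db8:1234::/48".
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in own_networks]
    leaks = []
    for addr in extract_addresses(ping_output):
        for kind, exposed in exposed_addresses(addr):
            for net in nets:
                if exposed.version == net.version and exposed in net:
                    leaks.append((str(addr), kind, str(net)))
    return leaks


# Constructed sample data: what you know to be yours without the VPN.
OWN = ["198.51.100.7", "2001:db8:1234::/48"]

# Constructed output with the VPN working: only the VPN-side address appears.
VPN_OK = """\
Pinging whoami.akamai.net [203.0.113.45] with 32 bytes of data:
Reply from 203.0.113.45: bytes=32 time=24ms TTL=55
"""

# Constructed output where an address from your ISP's IPv6 prefix shows up.
LEAK_V6 = """\
Pinging whoami.akamai.net [2001:db8:1234::53] with 32 bytes of data:
Reply from 2001:db8:1234::53: time=9ms
"""

# Constructed output with a 6to4 address that embeds 198.51.100.7.
LEAK_6TO4 = "Reply from 2002:c633:6407::1: time=31ms"

if __name__ == "__main__":
    for label, sample in (("vpn ok", VPN_OK), ("ipv6", LEAK_V6), ("6to4", LEAK_6TO4)):
        print(label, find_leaks(sample, OWN) or "no leak indicators")
```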

 

DNS Leak Problems and Solutions

The Problem #1: Improperly configured network

This is one of the most common causes of DNS leakage for users who connect to the internet through different networks; for example, someone who often switches between their home router, a coffee shop’s WiFi and public hotspots. Before you connect to your VPN’s encrypted tunnel, your device must first connect to the local network.

Without the proper settings in place you can be leaving yourself open to data leaks. When connecting to any new network, the DHCP settings (the protocol that determines your machine’s IP address within the network) can automatically assign a DNS server to handle your lookup requests – one which may belong to the ISP, or one that may not be properly secured. Even if you connect to your VPN on this network, your DNS requests will bypass the encrypted tunnel, causing a DNS leak.

The Fix:

In most cases, configuring your VPN on your computer to use the DNS server provided or preferred by your VPN will force DNS requests to go through the VPN rather than directly from the local network. Not all VPN providers have their own DNS servers though, in which case using an independent DNS server such as OpenDNS or Google Public DNS should allow DNS requests to go through the VPN rather than directly from your client machine. Unfortunately, changing the configuration in this way depends a great deal on your specific VPN provider and which protocol you’re using – you may be able to set them to automatically connect to the correct DNS server no matter which local network you connect to; or you may have to manually connect to your preferred server each time. Check the support for your VPN client for specific instructions.

If you have to manually configure your computer to use a chosen independent DNS server, you can find step-by-step instructions in the section ‘Change your settings to a trusted, independent DNS server’ below.

The Problem #2: IPv6

Usually, when you think of an IP address, you think of a 32-bit code consisting of 4 sets of up to 3 digits, such as 123.123.123.123 (as described above). This is IP version 4 (IPv4), currently the most common form of IP address. However, the pool of available unused IPv4 addresses is getting very small, and IPv4 is being replaced (very slowly) by IPv6.

IPv6 addresses consist of 8 sets of 4 characters, which can be letters or numbers, such as 2001:0db8:85a3:0000:0000:8a2e:0370:7334.

The internet is still in the transition phase between IPv4 and IPv6. This is creating a lot of problems, especially for VPNs. Unless a VPN explicitly has IPv6 support, any request to or from your machine sent over IPv6 – or sent using a dual-stack tunnel to convert IPv4 to IPv6 (see Teredo below) – will completely bypass the VPN tunnel, leaving your personal data unprotected. In short, IPv6 can disrupt your VPN without you being aware of it.

Most websites have both IPv6 addresses and IPv4 addresses, though a significant number are still IPv4-only. There are also a few websites which are IPv6 only. Whether your DNS requests are for IPv4 or IPv6 addresses will usually depend on your ISP, your network equipment (such as wireless router) and the specific website you’re trying to access (with implementation of IPv6 still incomplete, not all users will be able to access IPv6-only websites). The majority of DNS lookups will still be IPv4, but most users will be unaware of whether they are making IPv4 or IPv6 requests if they are able to do both.

A study by researchers from Sapienza University of Rome and Queen Mary University of London in 2015 examined 14 commercial VPN providers, and found that 10 of them – a disturbingly high proportion – were subject to IPv6 leaks.

  • HideMyAss
  • IPVanish
  • Astrill
  • ExpressVPN
  • StrongVPN
  • PureVPN
  • AirVPN
  • Tunnelbear
  • ProXPN
  • Hotspot Shield Elite

While IPv6 leakage is not strictly the same as a standard DNS leak, it has much the same effect on privacy. It is an issue that any VPN user should be aware of.

The Fix:

If your VPN provider already has full support for IPv6 traffic, then this kind of leak shouldn’t be a problem for you. Some VPNs without IPv6 support will instead have the option to block IPv6 traffic. It’s recommended to go for an IPv6-capable VPN in any case, as dual-stack tunnels could conceivably still bypass an IPv6 block. (See Teredo below.) The majority of VPNs, unfortunately, will have no provision made for IPv6 and therefore will always leak IPv6 traffic. Make sure you know before using a commercial VPN whether they have made provisions for IPv6, and only choose one which has full support for the protocol.

The Problem #3: Transparent DNS Proxies

Some ISPs have adopted a policy of forcing their own DNS server into the picture if a user changes their settings to use a third-party server. If changes to the DNS settings are detected, the ISP will use a transparent proxy – a separate server that intercepts and redirects web traffic – to make sure your DNS request is sent to their own DNS server. This is effectively the ISP ‘forcing’ a DNS leak and trying to disguise it from the user. Most DNS-leak detection tools will be able to detect a transparent DNS proxy in the same way as a standard leak.

The Fix:

Fortunately, recent versions of the OpenVPN protocol have an easy method to combat transparent DNS proxies. First, locate the .conf or .ovpn file for the server you wish to connect to (these are stored locally and will usually be in C:\Program Files\OpenVPN\config; see the OpenVPN manual for more details), open it in a text editor like Notepad and add the line:

  • block-outside-dns

Users of older versions of OpenVPN should update to the newest OpenVPN version. If your VPN provider does not support this, it may be time to look for a newer VPN. As well as the OpenVPN fix, many of the better-made VPN clients will have their own provisions built-in for combating transparent DNS proxies. Refer to your specific VPN’s support for further details.
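To check a profile rather than trust that the line is in effect, the following added example (not code from the article or from OpenVPN) audits an .ovpn file for block-outside-dns. The sample profile and the status names are constructed; `setenv opt`, `pull-filter` and `route-nopull` are OpenVPN client directives the article does not cover, included because they change whether the option actually applies.

```python
import shlex

TARGET = "block-outside-dns"

# Constructed sample profile; the host name and contents are placeholders.
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.net 1194
; block-outside-dns
pull-filter ignore "block-outside-dns"
<ca>
(certificate body omitted)
</ca>
"""


def parse_directives(text):
    """Return the active directives of an OpenVPN profile as token lists."""
    directives = []
    skip_until = None  # closing tag of an inline data block such as <ca>
    for raw in text.splitlines():
        line = raw.strip()
        if skip_until:
            if line == skip_until:
                skip_until = None
            continue
        if not line or line[0] in "#;":
            continue  # blank line or commented-out directive
        if line.startswith("<") and line.endswith(">"):
            tag = line.strip("</>")
            # <connection> wraps ordinary directives; other tags wrap key data.
            if tag != "connection" and not line.startswith("</"):
                skip_until = f"</{tag}>"
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote: fall back to plain splitting
            tokens = line.split()
        # "setenv opt X" applies X but lets clients that do not know X skip it.
        if tokens[:2] == ["setenv", "opt"] and len(tokens) > 2:
            tokens = tokens[2:]
        if tokens:
            directives.append(tokens)
    return directives


def audit_block_outside_dns(text):
    """Classify how a profile handles block-outside-dns."""
    directives = parse_directives(text)
    if any(d[0] == TARGET for d in directives):
        return "set-locally"
    for d in directives:
        # "pull-filter ignore" drops pushed options that start with its text.
        if (d[0] == "pull-filter" and len(d) >= 3
                and d[1] == "ignore" and TARGET.startswith(d[2])):
            return "missing-and-push-filtered"
        # route-nopull also discards a pushed block-outside-dns.
        if d[0] == "route-nopull":
            return "missing-and-push-filtered"
    return "missing-relies-on-server-push"


if __name__ == "__main__":
    print(audit_block_outside_dns(SAMPLE_OVPN))
    print(audit_block_outside_dns(SAMPLE_OVPN + "setenv opt block-outside-dns\n"))
```

Only "set-locally" means the protection does not depend on what the server pushes; the sample profile fails because its only copy of the directive is commented out and a pushed copy would be filtered.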

The Problem #4: Windows 8, 8.1 or 10’s insecure “features”

Windows operating systems from 8 onward have introduced the “Smart Multi-Homed Name Resolution” feature, intended to improve web browsing speeds. This sends out all DNS requests to all available DNS servers. Originally, this would only accept responses from non-standard DNS servers if the favorites (usually the ISP’s own servers or those set by the user) failed to respond. This is bad enough for VPN users as it greatly increases the incidence of DNS leaks, but as of Windows 10 this feature, by default, will accept the response from whichever DNS server is fastest to respond. This not only has the same issue of DNS leakage, but also leaves users vulnerable to DNS spoofing attacks.

The Fix:

This is perhaps the most difficult kind of DNS leak to fix, especially in Windows 10, because it’s a built-in part of Windows and can be almost impossible to change. For VPN users using the OpenVPN protocol, a freely-available open-source plugin (available here) is possibly the best and most reliable solution.

Smart Multi-Homed Name Resolution can be switched off manually in Windows’ Local Group Policy Editor, unless you’re using a Home Edition of Windows. In this case Microsoft simply doesn’t allow you the option of switching off this feature. Even if you are able to switch it off this way, Windows will still send the request to all available servers in the event that the first server fails to respond. It’s highly recommended to use the OpenVPN plugin to fully address this issue.

It may also be helpful to check US-CERT’s guidelines here as well. Smart Multi-Homed Name Resolution has such significant security issues associated with it that the government agency issued its own alert on the subject.

The Problem #5: Teredo

Teredo is Microsoft’s technology to improve compatibility between IPv4 and IPv6, and is an in-built feature of Windows operating systems. For some, it’s an essential transitional technology that allows IPv4 and IPv6 to coexist without issues, enabling v6 addresses to be sent, received and understood on v4 connections. For VPN users, it’s more importantly a glaring security hole. Since Teredo is a tunneling protocol, it can often take precedence over your VPN’s own encrypted tunnel, bypassing it and thus causing DNS leaks.

The Fix:

Fortunately, Teredo is a feature that is easily disabled from within Windows. Open the command prompt and type:

netsh interface teredo set state disabled

While you may experience some issues when connecting to certain websites or servers or using torrent applications, disabling Teredo is a much more secure choice for VPN users. It’s also recommended to switch off Teredo and other IPv6 options in your router or network adapter’s settings, to ensure that no traffic can bypass your VPN’s tunnel.

 

Preventing future leaks

Now that you’ve tested for a DNS leak and either come out clean, or discovered and remedied a leak, it’s time to look into minimizing the chances of your VPN springing a leak in future.

First of all, make sure that all the above fixes have been performed in advance; disable Teredo and Smart Multi-Homed Name Resolution, make sure your VPN either supports or blocks IPv6 traffic, etc.

1. Change settings to a trusted, independent DNS server

Your router or network adapter should have a way to change TCP/IP settings, where you can specify particular trusted DNS servers by their IP addresses. Many VPN providers will have their own DNS servers, and using the VPN will often automatically connect you to these; check your VPN’s support for more information.

If your VPN doesn’t have proprietary servers, a popular alternative is to use an open, third-party DNS server such as Google Public DNS. To change your DNS settings in Windows 10:

  1. Go to your control panel
  2. Click “Network and Internet”
  3. Click “Network and Sharing Center”
  4. Click “Change Adapter Settings” on the left-hand panel.
  5. Right-click on the icon for your network and select “Properties”
  6. Locate “Internet Protocol Version 4” in the window that opens; click it and then click on “Properties”
  7. Click “Use the following DNS server addresses”

You can now enter a preferred and alternative address for DNS servers. This can be any server you wish, but for Google Public DNS, the preferred DNS server should be 8.8.8.8, while the alternative DNS server should be 8.8.4.4. See Figure 4.

Figure 4: IPv4 settings

You may also wish to change the DNS settings on your router – refer to your manual or support for your specific device for further information.

2. Use a firewall or your VPN to block non-VPN traffic

Some VPN clients will include a feature to automatically block any traffic not going through the VPN – look for an ‘IP Binding’ option. If you don’t have a VPN yet, consider getting one from here.

Alternatively, you can configure your firewall to only allow traffic in and out via your VPN. You can also change your Windows Firewall settings:

  1. Make sure you’re already connected to your VPN.
  2. Open the Network and Sharing Center and make sure you can see both your ISP connection (which should show up as “Network”) and your VPN (which should show up as the name of the VPN). “Network” should be a Home Network, while your VPN should be a Public Network. If either of them is set to something different, you’ll need to click on it and set it to the appropriate network type in the window that opens.
  3. Make sure you’re logged in as Administrator on your machine and open the Windows Firewall settings (exact steps for this vary depending on which version of Windows you’re running).
  4. Click on “Advanced Settings” (see Figure 5).
  5. Locate “Inbound Rules” on the left panel and click it.
  6. On the right-hand panel, under Actions, you should see an option for “New Rule…”. Click this.
  7. In the new window, choose “Program” and click Next.
  8. Choose “All Programs” (or select an individual program you want to block non-VPN traffic for) and click Next.
  9. Choose “Block the Connection” and click Next.
  10. Tick “Domain” and “Private” but make sure that “Public” is not ticked. Click Next.
  11. You should be back in the Advanced Settings menu for Windows Firewall; locate “Outbound Rules” and repeat steps 6 through 10.

Figure 5: Windows “Advanced Settings”

3. Regularly perform a DNS leak test

Refer to the section “How do I Tell if my VPN has a DNS Leak?” above for instructions. Prevention is not ironclad, and it’s important to check frequently that all your precautions are still holding fast.

4. Consider VPN “monitoring” software

This can add an extra expense on top of your existing VPN subscription, but the ability to monitor your VPN’s traffic in real time will allow you to see at a glance if a DNS check goes to the wrong server. Some VPN monitoring products also offer additional, automated tools for fixing DNS leaks.
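The kind of check such monitoring performs can be sketched as follows. This is an added example, not code from the article or from any monitoring product: it classifies flow records by whether they stay inside the tunnel and names the leak types covered above (DNS, IPv6, Teredo). The record format, the interface name tun0, the VPN endpoint and all addresses are constructed assumptions.

```python
import ipaddress

TEREDO_PREFIX = ipaddress.ip_network("2001::/32")  # Teredo address block
TEREDO_PORT = 3544                                  # Teredo UDP service port

# Constructed flow records: interface, protocol, source, destination, dest port.
SAMPLE_FLOWS = """\
tun0 udp 10.8.0.2     10.8.0.1      53
eth0 udp 192.168.1.20 203.0.113.10  1194
eth0 udp 192.168.1.20 192.168.1.1   53
eth0 udp 192.168.1.20 198.51.100.7  3544
eth0 tcp 2001:db8::20 2001:db8:1::5 443
eth0 udp 192.168.1.20 224.0.0.251   5353
eth0 tcp 192.168.1.20 198.51.100.80 443
"""


def classify(iface, proto, dst, dport, tunnel_iface, vpn_endpoint):
    """Return a verdict for one outbound flow."""
    dst_ip = ipaddress.ip_address(dst)
    vpn_ip, vpn_port = ipaddress.ip_address(vpn_endpoint[0]), vpn_endpoint[1]
    if iface == tunnel_iface:
        return "ok-tunnel"      # travels inside the VPN
    if (dst_ip, dport) == (vpn_ip, vpn_port):
        return "ok-carrier"     # the encrypted tunnel itself
    if dport == 53:
        return "dns-leak"       # name lookup outside the tunnel
    if (proto == "udp" and dport == TEREDO_PORT) or (
            dst_ip.version == 6 and dst_ip in TEREDO_PREFIX):
        return "teredo"         # IPv6-over-IPv4 tunnel beside the VPN
    if dst_ip.is_link_local or dst_ip.is_multicast:
        return "local"          # stays on the local segment
    if dst_ip.version == 6:
        return "ipv6-leak"      # native IPv6 outside the tunnel
    return "bypass"             # any other traffic outside the tunnel


def audit_flows(text, tunnel_iface="tun0", vpn_endpoint=("203.0.113.10", 1194)):
    """Classify every well-formed record; returns (verdict, record) pairs."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].startswith("#"):
            continue
        iface, proto, _src, dst, dport = fields
        verdict = classify(iface, proto.lower(), dst, int(dport),
                           tunnel_iface, vpn_endpoint)
        findings.append((verdict, line.strip()))
    return findings


if __name__ == "__main__":
    for verdict, record in audit_flows(SAMPLE_FLOWS):
        print(f"{verdict:11} {record}")
```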

5. Change your VPN if necessary

You need the maximum possible privacy. The ideal VPN will have built-in DNS leak protection, full IPv6 compatibility, support for the latest versions of OpenVPN or the protocol of your choice and have functionality in place to counteract transparent DNS proxies. Try thebestvpn.com’s in-depth comparisons and reviews to find the VPN that offers everything you need to keep your browsing data private.

VPN Beginner’s Guide

John Mason

This is the ultimate beginner’s guide to VPNs. Find out what a VPN is and how it works. I’ve tried making it as in-depth (and simple) as possible.

VPNs can seem complicated at first, but are actually easy to use. We’re going to demystify them, what they can do for you, why you really should use them, and how they all work under the hood. Plus, we’ll give you some recommendations along the way to help you pick the best VPN for your needs.

The Beginner’s Guide to Understanding VPNs

  1. What is a VPN
  2. How Does a VPN Work
  3. How Secure is a VPN
  4. Is it Legal to Use a VPN
  5. Does a VPN Make Me Fully Anonymous Online
  6. VPN Logging Policies
  7. Free VPN versus Paid VPN
  8. Can I Use a VPN for Torrenting
  9. Can I Use a VPN to Watch Netflix and Hulu
  10. Does a VPN Work on Android and iOS
  11. Does a VPN Work on Kodi/SmartTV
  12. How Do I Install a VPN on My Router
  13. VPN & Tor — How to Use Them Together
  14. IP Leaks and Kill Switches
  15. When to Use a VPN
  16. When Not to Use a VPN

What is a VPN?

A VPN (Virtual Private Network) is a service that lets you access the web safely and privately by routing your connection through a server and hiding your online actions.

How Does a VPN Work?

Here’s how a VPN works for you, the user. You start the VPN client (software) from your VPN service. This software encrypts your data, even before your Internet Service Provider or the coffee shop WiFi provider sees it. The data then goes to the VPN, and from the VPN server to your online destination — anything from your bank website to a video sharing website to a search engine. The online destination sees your data as coming from the VPN server and its location, and not from your computer and your location.

When you connect to the web without a VPN, here’s how your connection looks:

No VPN connection

Though it’s the standard, this sort of connection has some flaws. All of your data is out there in the open, and any interested party can peek at what you’re sending.

The internet is a collection of servers responsible for storing websites and serving them to anyone who wants to view them. Those servers talk with each other all the time, including sharing your data with each other to ultimately let you browse a page. Great for you to be able to surf, but not great for privacy.

Going online is like taking a commercial airline flight. The ticket agent, baggage handlers, security personnel, and flight attendants all need pieces of data to get you routed between cities. A similar exchange of information happens on the web.

If it’s just a fun website that you’re looking at then no need to worry. It doesn’t matter if someone sees your data. But if it’s online banking, business email, or anything else that’s a bit more sensitive — it’s a different story.

Now, here’s how the same connection looks with a VPN enabled:

With VPN

When you use a VPN service, your data is encrypted (because you’re using their app), goes in encrypted form to your ISP then to the VPN server. The VPN server is the third party that connects to the web on your behalf. This solves the privacy and security problem for us in a couple of ways:

  • The destination site sees the VPN server as the traffic origin, not you.
  • No one can (easily) identify you or your computer as the source of the data, nor what you’re doing (what websites you’re visiting, what data you’re transferring, etc.).
  • Your data is encrypted, so even if someone does look at what you’re sending, they only see encrypted information and not raw data.

As you would imagine, such a scenario is much safer than connecting to the web the traditional way. But how secure is it exactly? Let’s find out:

How Secure is a VPN?

VPN security causes debate among IT pros and others in the industry, and no two services are identical in their offerings or security. There are two main factors:

  • The limitations of the type of VPN technology used by a provider.
  • Legal and policy limitations affecting what can be done with that technology. The laws of the country where the server and the company providing the VPN are located and the company’s own policies affect how the company implements this technology in their service.

Let’s take a closer look at these factors.

VPN Protocols

VPN protocols define how the service handles data transmission over a VPN. The most common protocols are PPTP, L2TP, SSTP, IKEv2, and OpenVPN. Here’s a brief overview:

  • PPTP (Point-To-Point Tunneling Protocol). This is one of the oldest protocols in use, originally designed by Microsoft. Pros: works on old computers, is a part of the Windows operating system, and it’s easy to set up. Cons: by today’s standards, it’s barely secure. Avoid a provider if this is the only protocol offered.
  • L2TP/IPsec (Layer 2 Tunneling Protocol). This is a combination of PPTP and Cisco’s L2F protocol. The concept of this protocol is sound — it uses keys to establish a secure connection on each end of your data tunnel — but the execution isn’t very safe. The addition of the IPsec protocol improves security a bit, but there are reports of NSA’s alleged ability to break this protocol and see what’s being transmitted. No matter if those are actually true, the fact that there’s a debate at all is perhaps enough to avoid this as well.
  • SSTP (Secure Socket Tunneling Protocol). This is another Microsoft-built protocol. The connection is established with some SSL/TLS encryption (the de facto standard for web encryption these days). SSL’s and TLS’s strength is built on symmetric-key cryptography; a setup in which only the two parties involved in the transfer can decode the data within. Overall, SSTP is a very secure solution.
  • IKEv2 (Internet Key Exchange, Version 2). This is yet another Microsoft-built protocol. It’s an iteration of Microsoft’s previous protocols and a much more secure one at that. It provides you with some of the best security.
  • OpenVPN. This takes what’s best in the above protocols and does away with most of the flaws. It’s based on SSL/TLS and it’s an open source project, which means that it’s constantly being improved by hundreds of developers. It secures the connection by using keys that are known only by the two participating parties on either end of the transmission. Overall, it’s the most versatile and secure protocol out there.

Generally speaking, most VPNs allow you to select the protocol you use. The more secure protocol you connect through (OpenVPN, IKEv2), the more secure your whole session will be.

Unfortunately, not all devices will allow you to use all these protocols. Since most of them were built by Microsoft, you’ll be able to use them on all Windows PCs. For Apple devices, you will come across some limitations. For example, L2TP/IPsec is the default protocol for iPhone. And Android … well, Android has some problems of its own, which we’ll get to later on.

Encryption Basics

In brief, encryption works by:

  1. Starting with plain data
  2. Applying a key (secret code) to transform the data
  3. Ending with encrypted data

The encrypted data is only readable by someone with the original key used to encrypt the data.

Modern encryption algorithms work on this principle, with the second step being very complex and worthy of doctoral-level research. What you need to look for is your data being encrypted with the AES algorithm of at least 128 bits. Many of the top VPNs out there go a step above that and offer AES-256 encryption, including ExpressVPN (review), NordVPN (review), and Buffered (review). If you’re interested, you can learn more about AES encryption.

Your VPN can be super secure, but it all comes down to the connection protocol and the encryption mechanism used to handle your information.

Legal Constraints and Company Vision

(Note: None of this is legal advice. Read for entertainment purposes only.)

All good VPN companies will do everything they can to protect your data, your privacy, and your overall security on the web. Keep in mind that they’re still subject to the law in the jurisdiction they’re in, which can affect their service.

Depending on the local law of the country where the VPN was established, the company may be forced by court order to share whatever records they have regarding your activity — and there can be international agreements between countries to share information in these cases. If you do enough research, you may find a VPN established in a country that doesn’t have any such agreements in place with your country.

So in the end, you are only secure with a VPN if it’s not only willing and technically capable of keeping your information safe and private, but also if it’s legally allowed to do it. Let’s tackle this topic a bit more broadly and focus on answering the general question:

Is a VPN legal?

In a word, yes. But not always.

First off, VPN as a concept is somewhat new in “legal years,” so not all jurisdictions have managed to keep up. This means that the rules are murky and can be interpreted in many ways.

Overall, VPNs seem to be okay to use in most countries, especially in the US, Canada, the UK, and the rest of Western Europe. (Important! What matters here is your physical location when using the VPN.)

Generally, VPNs are often not okay in China, Turkey, Iraq, United Arab Emirates, Belarus, Oman, Russia, Iran, North Korea, and Turkmenistan.

To learn more about the legality of VPN in your country, find the laws of your local government, and review this in-depth resource of ours answering if a VPN is legal in your country — we go through over 190 countries and tell you what’s up.

Does a VPN Make Me Fully Anonymous Online?

In a word, no. But the extent to which it does is still impressive.

Without a VPN, your connection is fully open, and your ISP, the cafe WiFi router, any server along the way, or a person with the right tools can look at your data. Using a VPN solves many of those problems by encrypting your transmission and making it appear as if it’s the server itself that’s making the connection and not you.

Investigate the following to help determine the extent of your anonymity.

  • Does the service keep logs?
  • The jurisdiction under which the VPN is established. In some cases, they might be legally forced to keep records. What happens when a government comes asking questions?
  • Does the service keep payment records? Do those records include identifying information?
  • Is there sufficient encryption and a secure connection protocol?

Not every VPN will protect you the same. If you make your choice wisely, you can address the concerns described above. Here’s our comparison of the top VPNs in the market to help you out.

VPN Logging Policies

The logs a VPN keeps significantly affect the level of anonymity and privacy you have with their service. The logs a provider may keep include:

  • user activity
  • IP addresses
  • connection/disconnection timestamps
  • devices used
  • payment logs

Any such logs make you a tiny bit less anonymous since your IP can be connected to a given browsing session that you had. Of course, tying this to you personally is very difficult but still kind of doable if some agency is deliberate enough.

Overall, the fewer logs your provider keeps the better, with “no logs” the ideal.

Be careful. Many services claim privacy in their sales material, but you need to read their privacy policy for the fine print on what data they actually keep. Others state that their country does not require data retention, yet do not state their own data retention policy.

We’ve done the research for you. Here’s our big roundup of over 100 VPNs and their logging policy. Check it out when picking your service.

Free VPN versus Paid VPN

Running a good VPN service costs serious money — robust servers, data transfer, infrastructure, employees, and so on. If the service is offered for free, consider what compromises may have been made. Are they logging activity for their own reasons? Are they displaying their own ads? Is your data being sold to a third party?

Paying for a VPN isn’t a huge investment. We’ve tested some great solutions for as little as $3-5 per month, which doesn’t seem a lot in exchange for peace of mind and improved online privacy.

How Much Does a VPN Cost?

The average out of 31 popular VPNs is $5.59 a month, which tells you a lot about what sort of an expense this usually is. VPNs that cost more than $10 are uncommon, and there’s not a lot of reason to buy them since there are more affordable solutions out there.

Most services give out big discounts if you’re willing to subscribe for one or two years up front, instead of renewing your subscription monthly. For example, Private Internet Access — a VPN that we very much enjoy — costs $6.95 if paid monthly, but $39.95 when paid annually (which translates to $3.33 per month – that’s over 50% off).

We have a more in-depth pricing comparison table here. If you’re strapped for cash, you can also check out our roundup of the cheapest VPNs and fastest VPNs.

Can I Use a VPN for Torrenting?

In general, yes, but that depends on the specific service you’re using and also the kind of things that you are torrenting.

Torrenting is a common name for a specific protocol used to transfer data and files over the web, but not the actual types of files. Although it gets a lot of bad press overall, it is perfectly okay and legal if you’re transferring files that you have the rights to. Piracy, on the other hand, is completely illegal regardless of the tools that you use to do it.

Then, there’s the VPN’s own policy regarding torrenting and how it’s handled. Most of the quality VPN solutions in the market will allow torrenting. According to our research, you can torrent with: ExpressVPN, Buffered, VyprVPN, PIA, and NordVPN.

When it comes to the security aspect of torrenting, it all comes down to the VPN’s policies regarding things like logging or sharing your user data. In general, if a VPN doesn’t keep logs overall they also don’t keep them for your torrent activity.

Another aspect worth considering when choosing a VPN for torrenting is the download speeds that the service can offer. Of course, this sort of information can be hard to come by; most of the time you only find out after you buy the VPN. We did some testing of our own and based on it, we can recommend these VPNs for their good download speeds: ExpressVPN, VyprVPN, PIA, and Buffered.

Can I Use a VPN to Watch Netflix and Hulu?

Yes. But like with most things on this list, it all comes down to the specific VPN that you use.

The problem with Netflix overall is that even though it’s now available in over 130 countries, not all shows are distributed equally. Due to complicated licensing agreements that were established before Netflix’s big international rollout, various TV stations retain the rights to even some of Netflix’s own shows, which effectively prevents Netflix from legally making those shows available on their platform. Complicated legal stuff, but VPNs can help here.

The way Netflix and Hulu block some of their content in parts of the globe is based on location filters. Meaning that if you’re in a country that’s banned, you’re banned.

VPNs make this easy to fix. Since you can select the server that you want to connect with, all you need to do to unlock certain Netflix shows is connect to a server in a country where that show is available. That’s all. We have a comprehensive post on how to watch Netflix via a VPN + the best VPNs that allow you to do that.

Does a VPN Work on Android and iOS?

Again, that’s a yes.

Many of the top VPN services out there also let you download mobile apps for either Android or iOS.

Here are our best VPNs for Android: PIA, Tunnelbear VPN, ExpressVPN.

Both platforms let you set up a VPN connection rather easily. For instance, on iPhone, you can do that in Settings → General → VPN.

With all that being said, be careful if you’re tempted by any of the free VPN apps for either Android or iOS. There’s research by a team of specialists (from CSIRO’s Data61, the University of New South Wales, the International Computer Science Institute and the University of California Berkeley), going through more than 280 free Android apps that use Android VPN permissions. The research reveals that 38% of those apps include malware, 84% leak users’ traffic and 75% use tracking libraries. So there’s that.

Does a VPN Work on Kodi/SmartTV?

Your smart TVs and Kodi boxes are yet more things that require a live internet hookup to provide you with their goodies. And with that, a VPN can help you keep those streams private so that only you and the service itself know what you’re watching.

There are two ways in which you can enable a VPN connection on your smart TV:

  • configure it on the device itself,
  • configure it right on your router – effectively protect your whole home network and everything that’s connected to it (we will cover this in the next section below).

Let’s focus on the former here. Overall, many of the quality VPNs come with the ability to configure them right on your smart TV. For example, VyprVPN — which is one of our recommended VPNs — comes with an app for Android TV, and also with detailed instructions for Kodi/OpenELEC and Apple TV. Other VPNs in the market provide you with similar options.

Some of the networks that support smart TV devices and boxes: ExpressVPN, VyprVPN, NordVPN.

ExpressVPN has a great guide on how to set up their VPN with Kodi.

How Do I Install a VPN on My Router?

Installing a VPN on your home router is the best way to make sure everything that’s connected to that router is put through a safe VPN connection. In that scenario, you no longer need to install individual apps on your mobile devices, laptops, smart TVs or anything else with web access.

First, make sure that your router is compatible with VPNs. This can be done on the website of the manufacturer that produced the router. Often, most DD-WRT and Tomato-boosted FlashRouters are compatible with VPNs.

The specific steps involved in setting things up differ from service to service. Your specific provider likely has a dedicated section on their website devoted to explaining how to carry through with the process. For example, here’s how to do this if you’re with ExpressVPN and here’s PIA. We also have an example demonstration of how it’s done on most DD-WRT routers on this page (near the bottom).

Installation is simple and involves you logging in to your router and then filling out a couple of standard forms — nothing you won’t be able to handle.

VPN & Tor — How to Use Them Together

Even though Tor and VPN are fundamentally different, they can still be used together for maximum security and online privacy.

  • Tor gives you the ability to access the web by routing your connection through a number of random nodes, while also encrypting that connection at every stage.
  • VPN gives you access to one server at a time.

The nature of it is a bit different in principle, and therefore we can’t say things like “Tor or VPN is better than the other.” We talked about the differences between Tor and VPN in detail on this site already; feel free to visit that post to get the full picture.

One of the good things about Tor is that you can use it 100% free and there are no built-in limitations to that free version. All you need to do is grab the official Tor web browser. Once you have it, you just need to fire it up like your standard Chrome or Firefox browser, click the connect button, and you’re up and running.

How to combine your VPN and Tor:

  1. Enable your VPN connection normally. From this point on, everything that involves communicating with the web goes through your VPN.
  2. Open your Tor browser and connect with Tor.

At this stage, you have the VPN connection and the Tor web browser running at the same time. The main downside with such a setup is that it’s going to be much slower than your standard, VPN-only connection. Tor on its own slows down your experience noticeably, and when combined with a VPN, the results can be even more dramatic. On the plus side, it gives you super privacy, which is a huge plus.

IP Leaks and Kill Switches

Kill Switch

A kill switch is a feature that automatically kills your internet access if the encrypted, safe connection should ever drop. If there’s any connectivity issue at all, the kill switch will trigger and block all activity until the secure connection returns.

If your VPN doesn’t have a kill switch and a connectivity issue arises, it’s probable your device might attempt to restore the standard, unprotected connection, thus exposing what you’ve been doing up until that point.

According to our research, the following VPNs have a kill switch: ExpressVPN, PIA, VyprVPN, SaferVPN.

IP leaks

IP leaks are a known vulnerability with some setups people use to access the web. It’s not entirely a VPN problem at its core.

IP leaks can happen when your VPN fails to hide your actual IP as you’re browsing the web. For example, you want to access a geo-restricted show on Netflix, so you change the server to an approved country and reload the page. Then you realize that the content is still blocked. This means that your real IP might have just been leaked.

The best VPNs all have some clever scripts programmed into their apps to minimize this risk. As I mentioned, your IP leaking is not always the VPN’s fault. Sometimes the configuration of your computer and the many apps within are to blame. Even the browser you use and the add-ons installed in it can cause IP leaks.

When to Use a VPN

There are a number of good reasons to use a VPN:

  • It encrypts your activity on the web.
  • It hides your activity from anyone who might be interested in it.
  • It hides your location, enabling you to access geo-blocked content (e.g. on Netflix and other sites).
  • It makes you more anonymous on the web.
  • It helps you keep the connection protected when using a public WiFi hotspot.

Overall, use a VPN if your web privacy, security, and anonymity are important to you. Roughly $3-5 a month is a small price to pay for all of that.

When Not to Use a VPN

As predictable as this may sound, we really see no good reason not to use a VPN if you’re taking your online security and privacy seriously.

VPNs are incredibly useful as another layer of security on top of SSL protocols on websites, having a good antivirus program, not downloading shady software, not sharing too much private information on social media, and so on. Overall, they’re your next step towards using the web more consciously and with sufficient precautions set up.

There are not many downsides to them. Perhaps the only one is that your connection can sometimes slow down. After all, you’re routing your data through an extra server.

What do you think? Are you convinced of the idea of a VPN and thinking about getting one? Take a look at our plentiful reviews comparing more than 35 popular VPNs.

19 Steps to Protect Your Online Privacy in 2018

John Mason

This article was put together with the help of Dana Jackson (PrivacyHub).

privacy and security

Online privacy is a topic that grows in importance every single year.

With more and more web services, connected apps, and even home assistant devices that are gaining in popularity, it’s now more crucial than ever to understand what the dangers to your online privacy are and how to protect it consciously.

Here are 19 actionable steps to help you remain anonymous on the web and protect your online privacy. No sophisticated computer knowledge required.

Steps to protect your online privacy:

1. Consider getting a VPN

Normally, your connection to the web is unprotected by anything. It’s just your computer requesting a website (or a service, or a tweet, etc.) and then the server providing that website to you.

What’s problematic from an online privacy point of view here is that such a connection is public, can be intercepted, and every server helping out with the connection along the way can take a peek into what’s being transmitted. If it’s a sensitive email (or anything of that nature) then you really don’t want that.

This is where a VPN comes into play. VPN (or Virtual Private Network) is a service that allows you to connect to the web safely by routing your connection through a VPN server before it gets to its destination.

Here’s a quick visualization of what your connection looks like without and then with a VPN enabled:

what a VPN does for your online privacy

What a VPN actually does is encrypt the connection so that even if someone intercepts it, the information within will be scrambled and unreadable. In fact, no intercepting party will be able to determine where the connection is coming from or what it is about, thus giving you improved online privacy.

Even though the concept might seem complicated and intimidating at first, modern VPNs are actually very easy to use and don’t require any technical skills like server configuration or routing. All you need to do is literally install your VPN of choice and enable it with a single click.

We have a comparison of the best VPNs on the market right here. Many of the top VPN solutions also offer versions for mobile devices.

Be careful with free VPNs

VPN services are great. That’s more than true. However, that doesn’t hold universally across the board.

As someone once said, “if you’re not paying for the product, then you’re the product”. And this is even more concerning considering that we’re dealing with the topic of online privacy. At the end of the day, no one wants to have their data compromised or sold to a third party purely because they failed to read the fine-print when signing up for a seemingly great free VPN service.

2. Use the privacy/incognito mode

All current versions of web browsers like Chrome, Firefox, Opera come with a privacy mode.

For example, in Chrome, if you press CMD+SHIFT+N (Mac) or CTRL+SHIFT+N (Win), you will open a new tab in privacy mode. In that mode, the browser doesn’t store any data at all from the current session. This means no web history, no web cache, no cookies, nothing at all.

incognito mode

Use this mode whenever doing anything that you’d prefer remain private and not able to be retrieved at a later date on the device that you’re using.

However! Let’s make it clear that privacy modes don’t make the connection more secure in any way. They just make it private in relation to your own device – meaning, they make it private on your end only.

(Privacy modes are also available in mobile browsers.)

3. Block web activity trackers

The main online privacy concern with the modern web is that you’re basically being tracked everywhere you go.

And this is not only about ads. Basically, every website that you visit will attempt to track your activity in multiple different manners. Just to name a few:

  • Traffic analytics – used commonly by most websites to get a better understanding of their audience, where they’re from, what devices they’re using, how much time they’re spending on the website, what sub-pages they’re interacting with, and so on.
  • Current location – commonly used by functional widgets like weather widgets, “near events”, and so on. But also used for general tracking and data analysis.
  • Social media – used to show you people’s activity in relation to the page or article that you’re reading. A specific example of this is the Facebook pixel:
  • Facebook pixel – those are meant to connect your activity with your Facebook profile, thus giving Facebook a better understanding of what your behavior is and what to show in your news feed (including which ads you’re most likely to enjoy).
  • Media trackers – for example, if there’s a YouTube video on the page, that video block is connected to your other YouTube activity, thus having an impact on what kind of videos YouTube is likely to recommend you next.

All of those trackers can make websites slower and generally less safe to use.

One of the viable solutions is to use a tool like Ghostery. It’s free and has versions for all major web browsers. The installation is simple, and it basically starts working right out of the box.

Ghostery settings

4. Use ad blockers

Various sources (e.g. 1, 2) indicate that Google serves around 29 billion ads every single day.

But that’s only Google. What about Facebook? What about all the in-house ad inventory handled by webmasters themselves, without any ad network in between? It’s not unreasonable to estimate that the total number might grow to even 60 billion.

In simple terms, ads are everywhere. But their mere existence isn’t problematic from an online privacy point of view.

What is problematic is that ads are not “closed black boxes”. It’s quite the opposite – they take in a lot of data, “listening” to what you’re doing and taking note of every click and every action you take. That data can then be used to follow you on the web and serve you even more targeted ads the next time around.

All of the above is common market practice. It’s not illegal to do any of it. In fact, all those tracking algorithms are considered clever for how effective they are.

But then there’s also the other side of the coin. Some ads go even further and try to infect your computer with malware, trick you into installing unsafe software, or try getting accidental clicks by hiding the fact that they are ads in the first place (impersonating the design of the site they’re on).

The best way to avoid being affected by any of this is to simply block ads altogether. The easiest way to do that is by installing an ad blocker extension in your browser. Such an extension will block out any ad and prevent it from displaying. Ad blockers usually work right out of the box with no configuration needed.

5. Use Signal or Telegram for messaging

Not all online communication is equally secured or protects your online privacy enough.

For example, email in itself isn’t the most private form of communication due to all the connection layers and different servers that participate in order to get the email to its destination.

Using solutions like Facebook Messenger or direct messages on Twitter raises whole other privacy concerns related to those corporations’ agendas and ways of handling user data. It wasn’t that long ago when we heard about 32 million Twitter passwords potentially getting hacked and leaked, for instance.

A much better solution is to use other tools for casual communication and even sensitive conversations. Tools like Signal and Telegram, even though seeming like something that your younger cousin might use, are, in fact, top-of-the-line when it comes to making sure that whatever’s been said via the tool’s communication lines remains private.

Both Signal and Telegram employ end-to-end encryption. They even come with multiple mobile and desktop apps.

More than that, both apps also now enable voice calls, which presents a much safer and more private alternative to classic phone calls.

6. Don’t input sensitive personal data on non-HTTPS websites

In simple terms, HTTPS is the secure version of HTTP – the standard protocol that’s used to send data between your web browser and the website you’re reading.

Checking whether you’re connected to a website via HTTPS is very simple. All you need to do is take a look at your browser’s address bar and notice if the address starts with https:// plus if there’s a green padlock icon next to it. Like so:

paypal (https secure)

The important thing to remember here is to never enter any sensitive information on websites that don’t have HTTPS enabled. This includes things like your credit card information, social security numbers, address information, or anything else that you don’t want to have compromised.

Unfortunately, there isn’t “a fix” that you can do if a given website doesn’t have HTTPS. You simply have to avoid websites like that.

7. Clear your cookies regularly

Cookies are a popular term on the web, but very few people realize what they actually are. Technically speaking, cookies are quite simple. They’re just small text files that are kept on your computer (and your mobile devices as well). They store small packets of information related to your personal activity in connection with a given website.

The most classic use of a cookie is to keep you logged in to a certain website and not force you to re-enter your credentials every time you come back. But cookies can go much further than that.

These days, they’re also commonly used to store your shopping cart items (in case you decide to abandon your cart but then come back to the site later on and continue shopping), or to keep track of the content that you read previously on the site (thus helping with future content suggestions). These are just two of tens of possibilities.

Cookies are perhaps impossible to avoid entirely. If you disable them altogether, you’re effectively making it nearly impossible for yourself to use sites like Facebook, Twitter, most e-commerce stores, or other services where login is required.

What you can do, though, is at least clear your cookies occasionally. This can help keep your browser clean and also not let some websites take advantage of older cookies that they set up maybe even months ago, thus making it more difficult to track your online habits.

8. Only use secure email

As we said above when discussing online messengers (in #5), email is not the most secure form of communication online. On the other hand, it’s hard to imagine our life without email entirely, so, in some situations, we just need to bite the bullet and use email anyway.

However, there are still things that we can do to make it more secure.

First off, you can say goodbye to free email solutions like Gmail or Outlook.com, and instead opt for a premium one. One of the viable alternatives in that realm is the secure email service Tutanota that comes with a fully encrypted mailbox.

Other than that, you can attempt to add another layer of encryption on top of your existing free email inbox. For instance, if you use Gmail, you can get this Chrome extension, which will enable end-to-end encryption on your messages as well as attachments. This sort of encryption makes sure that your conversation remains private.

Read more about anonymous email.

9. Review the permissions given to your mobile apps

Each app that you have on your iPhone, iPad, or Android device requires a certain set of permissions to deliver its functionality. Sometimes, though, certain apps become too demanding in this department, requesting access to more than seems necessary to make the app operational.

If you ever caught yourself wondering, “Why does a recipe app need access to my location all the time?” then you know what we’re talking about.

What you should do from time to time is go through your currently installed apps and review the permissions given to them. Most of the time, you can revoke part of those permissions without making the app useless (like the recipe app example).

On iPhone, you can do that by going to Settings, scrolling to the bottom, and then going through each app one by one.

app permissions

 

10. Update to a newer mobile device

It seems that every year companies like Apple, Samsung, Google try to convince us to buy the latest smartphone and toss our old ones away. Naturally, we resist. But we can’t resist forever. At least not if we don’t want our online privacy to take a hit.

What we need to remember is that modern mobile devices are computers. Just like your desktop PC or Mac, but only slightly less powerful. Therefore, they’re also prone to various security threats, and just like any other device, they require constant updates to stay secure.

New devices are being updated constantly, so that’s no problem. Older ones, not so much.

For example, Nexus 7 – a device that’s still relatively popular (you can buy them on eBay right now) – stopped getting security patches after June 2015. This means that whoever’s using it has been left on their own and exposed to new security threats for more than two years now.

Whether we like it or not, at some point, a new device is unavoidable.

11. Shred your files

Although it sounds surprising, getting rid of a specific file once and for all isn’t that easy. Simply moving it to the bin and then emptying it won’t do. Any file removed through this standard operation is easily recoverable in full.

This is due to how the process of deleting anything actually works. In its most basic state, your operating system will just make a note that the space where your file used to be “is now free” with no actual deleting taking place. Therefore, if someone knows where to look, they can still access that file easily.

A safer solution is to take advantage of a “file shredding” tool. Those will allow you to remove sensitive, private files from your hard drive by overwriting them several times with random sets of data and in random patterns.

File shredder by Dr. Cleaner
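The overwrite-then-delete approach described above, as an added example that is not part of the original article or any particular shredding tool; the function names are hypothetical. It assumes a filesystem that rewrites blocks in place: on SSDs with wear levelling, copy-on-write or journaling filesystems, snapshots and cloud-synced folders, older copies of the data can survive an in-place overwrite.

```python
import os
import secrets


def overwrite_in_place(path, passes=3, chunk_size=1024 * 1024):
    """Overwrite every byte of a regular file with random data, `passes` times.

    Returns the number of bytes overwritten per pass (the file's size).
    """
    # Refuse symlinks and non-regular files: following a link would overwrite
    # some other file, and devices or directories need different handling.
    if os.path.islink(path) or not os.path.isfile(path):
        raise ValueError(f"not a regular file: {path}")
    if passes < 1:
        raise ValueError("passes must be at least 1")

    size = os.path.getsize(path)
    # "r+b" opens for update WITHOUT truncating, so the writes go to the
    # file's existing extent rather than to freshly allocated space.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            # Push this pass out of Python's buffer and the OS page cache
            # before the next one starts; otherwise intermediate passes may
            # never reach the disk at all.
            f.flush()
            os.fsync(f.fileno())
    return size


def shred_file(path, passes=3):
    """Overwrite a file, rename it to a random name, then delete it."""
    size = overwrite_in_place(path, passes)
    # Rename before unlinking so the original file name is not the last name
    # recorded for this directory entry.
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, secrets.token_hex(8))
    os.rename(path, anonymous)
    os.remove(anonymous)
    return size
```

For whole-disk disposal, full-disk encryption followed by destroying the key is more dependable than per-file overwriting.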

12. Be careful with social media

The ideal case from an online privacy point of view would be to delete your Facebook account entirely, but that’s probably out of the question for most people. So, instead, at least be careful about what sort of data you share with your favorite social platform.

For one, don’t share your location with Facebook all the time and with every update you post. There have been multiple cases of people’s homes robbed after they posted updates about them being on vacation. For instance, three robbers in New Hampshire got away with $200,000 worth of stolen goods after breaking into 50 homes, all made possible by checking Facebook statuses of their victims beforehand.

A good rule of thumb is to not post any information that you’d consider sensitive from an online privacy point of view. Assume that the whole world is going to see your next status update.

13. Access the web via TOR

Tor has gotten a bad reputation over the years, not always for all the right reasons. Tor, as a technology, is a very clever mechanism that allows you to remain completely anonymous while browsing the web.

Tor (short for “The Onion Router”) routes your web connection through a number of nodes before it gets to its destination. Because of that, no one is able to track it or view what’s being transmitted. In some aspects, Tor is similar to VPN. The main difference between the two is that VPN connects you through one additional server, while Tor uses multiple ones.

Getting started with Tor is simple – all you need is the official Tor web browser. There are versions available for all major systems. After getting it installed and fired up, you can establish a connection with the Tor network via a single click. At that stage, your connection is secure and anonymous. Here’s what the browser looks like:

TOR browser

14. Don’t use Windows 10 if you can

Windows 10 is notorious for its “loose” approach towards online privacy. On its default setup, the system is set to share all of your personal information (including your activity) with Microsoft and even third parties. It also synchronizes all your browsing history and other settings back to Microsoft servers.

On top of that, Cortana – the system’s assistant – records all your keystrokes and listens to all your activity.

If that’s not enough, Microsoft is also making it surprisingly difficult to set things the way they should be. Basically, every consecutive update of the system tends to bring back the factory settings, thus forcing you to carry through with your fixes once again.

At the end of the day, if it’s a viable option for you, say goodbye to Windows 10 entirely.

15. Consider not using Google

This goes not only for the main Google search engine but also all of the other tools – Google Analytics, Gmail, Google Apps, Google Drive, etc.

Due to its huge network and portfolio of tools, Google knows basically everything about you there is to know. Whether you’re comfortable with this from an online privacy point of view is up to you.

When it comes to the main search engine, DuckDuckGo is an alternative worth considering, or even Bing (but then we’re back in camp Microsoft).

As for things like Gmail and Google Drive, there are multiple viable solutions on the web. For example, SpiderOak is an interesting alternative to Google Drive and Dropbox that even has Edward Snowden’s approval.

16. Probably delete Facebook from your phone

There have been multiple stories appearing lately describing Facebook’s alleged “in the background listening” practices. Some people are reporting concerns related to the Facebook app listening in on the conversations they’re having over the phone and then suggesting ads based on the things mentioned in those conversations.

In all likelihood, or at least we’d like to believe so, this is not entirely plausible – and Facebook obviously denies it. However, getting rid of the Facebook app from your phone surely won’t hurt your overall online privacy.

17. Do you really need that Amazon Echo?

As useful as those new home assistants can be, they also carry some serious online privacy concerns with them. Most of all, they’re in an “always on, always listening” state.

What this means is that Alexa is constantly listening to everything – everything(!) – you say around the house, and transmitting it over the internet to Amazon’s servers.

Ultimately, you have no control over how that data is going to be used and by whom. Though, full disclosure, Amazon says they don’t share your Amazon Echo data with third parties.

Google Home, however, is perhaps even more hostile to your privacy. Apart from microphone access (always listening) it also tracks your location and can share your data for advertising purposes with third parties (including Google’s other companies).

18. Use virtual machines

Virtual machines let you simulate a second computer (a virtual one) within an application. It’s basically a sandbox. The virtual machine can be limited in any way you need it to be, for instance, with the web connection disabled, or any other part of the system removed.

Virtual machines are great if you want to do a sensitive task on your computer that doesn’t necessarily involve a web connection. Or, even more so, when you want to make sure that the web connection is unavailable and that your actions are not logged for any future transmission to a third party.

In other words, if you want to open a file and you need to be sure that no one is watching over your shoulder as you do so, you can do that via a virtual machine. Then, after you’re done, you can delete that virtual machine and thus remove every trace of the operation.

Try out VirtualBox, a popular free solution that runs on Windows, Linux, and Mac.

19. Avoid public Wi-Fi

As much as everyone loves those free Starbucks Wi-Fi hotspots, you should perhaps be careful around them. Or, rather, not perhaps, but definitely.

Public Wi-Fi raises a number of online privacy concerns:

  • You never know who’s running the hotspot, what the software is, what the setup is, what sort of information is being logged, and so on.
  • You can’t be certain that the hotspot you’re using isn’t an “evil twin” – a hotspot created to impersonate the genuine Wi-Fi network that you actually intended to use. For example, let’s say that you see an open network called “Starbucks Free Internet”, so you decide to connect. However, you have no way of telling if that network is actually the official one run by the coffee shop. Essentially, anyone with a mobile router can create a network like that and then steal the information of anyone who connects to it. Listen to the first episode of Hackable – a podcast by McAfee – to learn more about this (available on iTunes).
  • You can’t be sure that using a VPN will protect you. In most cases, VPNs solve the problem, but if you’re dealing with a fake network then the person running it might still be able to see what’s going on. Additionally, there’s the issue of DNS leaks. In simple terms, your laptop can still be using its default DNS settings to connect to the web, rather than the VPN’s safe servers. Here’s more on the topic.

What can you do?

  1. Really avoid public Wi-Fi networks if you want to perform any sort of sensitive operation. Don’t access your online banking platforms or anything else where your privacy is of utmost importance.
  2. If you do use public Wi-Fi, also use a VPN. Do the DNS leak test available here to make sure that the connection is secure.
  3. Always ask for the exact name of the public network that you want to connect to – to avoid connecting to an evil twin.
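The DNS-leak point above, and the IP-leak discussion earlier on the page, can be checked locally by asking which interface each configured resolver would actually be reached through. This is an added example, not part of the original article: it assumes Linux-style `ip -4 route show` and `/etc/resolv.conf` text, and the sample routes, addresses and the `tun0`/`wlan0` interface names are constructed.

```python
import ipaddress

# Constructed sample of `ip -4 route show` with a VPN tunnel up. The two /1
# routes send almost everything into tun0; the last line is the host route
# to the (made-up) VPN server itself, which must stay outside the tunnel.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev wlan0
"""

# Constructed /etc/resolv.conf: the hotspot's DHCP resolver is still listed.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
nameserver 192.168.1.1
nameserver 10.8.0.1
"""


def parse_routes(text):
    """Return [(network, device)] from IPv4 `ip route show` style output."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if "dev" not in tokens:
            continue  # blackhole/unreachable routes carry no interface
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        try:
            network = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # line starts with a route type, not a destination
        dev_index = tokens.index("dev")
        if dev_index + 1 < len(tokens):
            routes.append((network, tokens[dev_index + 1]))
    return routes


def parse_nameservers(text):
    """Return the resolver addresses listed in resolv.conf style text."""
    servers = []
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) >= 2 and tokens[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(tokens[1]))
            except ValueError:
                continue
    return servers


def egress_interface(routes, addr):
    """Longest-prefix match: the device traffic to `addr` would leave by."""
    best = None
    for network, dev in routes:
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, dev)
    return best[1] if best else None


def check_resolvers(routes_text, resolv_text, tunnel_dev="tun0"):
    """Map each configured resolver to 'tunnel', 'leak via <dev>' or a note."""
    routes = parse_routes(routes_text)
    verdicts = {}
    for server in parse_nameservers(resolv_text):
        if server.is_loopback:
            # A local stub (e.g. 127.0.0.53) forwards elsewhere; its upstream
            # servers are what need checking, not the loopback address.
            verdicts[str(server)] = "local stub"
            continue
        dev = egress_interface(routes, server)
        if dev == tunnel_dev:
            verdicts[str(server)] = "tunnel"
        elif dev is None:
            verdicts[str(server)] = "no route"
        else:
            verdicts[str(server)] = f"leak via {dev}"
    return verdicts


if __name__ == "__main__":
    for resolver, verdict in check_resolvers(SAMPLE_ROUTES, SAMPLE_RESOLV_CONF).items():
        print(f"{resolver:15} {verdict}")
```

In the sample, the hotspot's resolver sits on the directly connected Wi-Fi subnet, so the more specific `/24` route wins over the tunnel's `/1` routes and lookups to it bypass the VPN. An online leak test is still useful because it also shows which resolver the outside world actually sees.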

 

Conclusion: Protecting Your Online Privacy is Simple

Online privacy is a topic that has been gaining in importance more and more over the last couple of years.

Apart from those basic, common-sense things that every web user should be doing in terms of their online privacy, there are also matters of new regulations and problematic net neutrality issues that have appeared quite recently.

These days, it seems that you can’t easily escape big corporations tracking you online, your ISP (internet service provider) recording your online activity and perhaps even selling the data to third parties (which is legal in the US).

All in all, this can be frightening. However, there still are viable things you can do and tools you can use to keep and protect your online privacy. We hope that the list above gave you a good overview of what’s possible and how easy most of those actions are to carry out. But you do need to be deliberate, and also review your online privacy optimizations every once in a while.

More helpful online privacy tools can be found here: PrivacyTools.io

Online Privacy Infographic

Internet Safety for Kids (20 Tips for Parents)

Maria Korolov

Maria has written for the Chicago Tribune, reported from the front lines in Afghanistan, and ran a business news bureau in China. Today, she specializes in emerging technology, including cybersecurity and virtual reality.

If you’re like me, and you use your kids as free tech support whenever you need to configure your wireless router or your TV to play funny cat videos, then it’s tempting to let the kids take care of their own online security as well.

That could be a big mistake.

While your kids might be experts at the technology, they’re not experts at evaluating risk.

You already know that, unless guided, it’s easy to manipulate children into smoking, drinking, speeding, bullying, and, of course, jumping off cliffs because all their friends are doing it.

Mistakes can cause a lot of damage: everything from expensive ransomware infections, identity theft, and loss of friendships to putting your child’s life at risk.

As in the off-line world, you need to provide guidance, set boundaries, and, depending on your child’s age and maturity level, put safeguards in place.

You also need to be aware of where the threats are coming from.

 

10 Things You Can Do Now to Protect Your Children Online


1.  Make YouTube safe for your kids

YouTube is the new children’s TV.

It’s one of the most popular sites out there, but not all of those videos will be appropriate for your children.

But the site does have some safety features, and you should take advantage of them.

On the desktop site, if you scroll down to the bottom of the screen you’ll see a “Restricted Mode” setting. This hides videos flagged as containing inappropriate content.

In the mobile apps, click on the three dots at the top right and click on Settings > General and scroll down until you see the “Restricted Mode” option.

YouTube restricted mode

2.  Help your kids set the privacy controls on their social media accounts

If your children share messages, pictures or videos on Facebook, Instagram and other platforms, they might not be aware of who can see their posts.

Most apps do have privacy settings though that let your children control who they let into their lives.

Here are the links to information about the privacy settings on the most popular apps:

3.  Install anti-virus on your computers and mobile devices

Children are as vulnerable as the rest of us, if not more so, to clicking on bad links and downloading malicious software.

To protect them and their devices install anti-virus software on all of them.

There are some excellent free products available from trustworthy brands.

VPN (another option)

Also, consider using a Virtual Private Network. To find a suitable VPN, take a look at our Best VPN Chart or browse through free VPNs.

4.  Set up separate accounts for your kids on your computers

If you share a device with your children consider setting up a separate account or accounts. Each account will have its own home screen and, depending on the device and platform, a different selection of features, apps, and permissions.

This helps you to protect your own data or video recommendations. It also allows you to set up customized security and privacy settings for each child.

On Windows computers, you can set up a new user account for your children. Go to Settings > Accounts > Add a family member > Add a child.

Windows 10 Kids Account

You can block specific apps, games, or websites, or set screen time limits. Visit https://account.microsoft.com/family for more information.

On Apple computers, you can set up parental controls for some user accounts. That allows you to restrict access to adult websites. Learn more here: https://support.apple.com/en-us/HT201813

5.  Set up separate accounts for your kids on your mobile devices

Tablets and smartphones also allow multiple user accounts on the same device.

On Android tablets, you can create a restricted account for your child, with limits on which apps they can use.

On Android phones, you can create a new user account for your child. But the only account restriction currently available is to turn off the ability to make phone calls and send text messages.

That said, you can restrict their Google Play account. Go to Settings > Parental controls and turn them on. You’ll be able to set specific content restrictions on apps and games, movies, TV, books, and music.

On the Apple side, iPhones and iPads have controls for apps and features, content, and private settings. Launch the Settings app and go to General > Restrictions and tap on “Enable Restrictions.”

6.  Secure your gaming systems

Don’t forget that your gaming console is also an Internet device these days. Children can download games and make in-game purchases, and even surf the Web.

Most devices have features that allow you to:

  • Restrict the kind of content your children can get
  • Limit their purchases and …
  • …  restrict or turn off their Web browsing.

7.  Consider using kid-safe browsers and search engines

For added control, you can install a kid-safe web browser for your children to use.

Zoodles, for example, offers a child-safe environment. There’s a free version for Windows PCs and Macs, and for Android and iOS tablets and smartphones. The premium version, which costs $8 a month, includes ad blocking, time limits, and other features.

Another alternative kid-safe browser is Maxthon, while the browsers you use now will have some built-in tools.

If you use the Chrome browser, you can set up a “supervised profile”. This will block explicit search results, show you what websites your children visited, and even restrict what websites they can go to. The restrictions work in two ways:

  1. You can have a list of approved websites and your children can visit those sites only.
  2. OR – you can pre-ban a list of websites and your children can visit any site aside from those on your banned list.

More information here: https://support.google.com/chrome/answer/3463947/?hl=en

Also check out these kid-safe search engines:

8.  Lock in apps for the youngest children

If you want to let your child play with your phone in the back seat of the car without worrying about them messing it up or surfing the web for creepy content do this: open up an app for the child and then set it up so that they can’t exit the app.

On phones running Android 5 and higher, it’s called “screen pinning.”

First, go to Settings > Security > Screen pinning and turn it on and also enable “Ask for PIN before unpinning.”

Then load your app, hit the overview button – the little square on the bottom right – and swipe up until you see a pin icon come up in the lower right corner. Now your child will need your PIN in order to switch apps.

Screen Pinning on Android

On iPhones and iPads, this is called “Guided Access.”

First, go to Settings > General > Accessibility > Guided Access to set up Guided Access. Then, when you’re in the app you want to lock in, triple-click the home button to bring up the Guided Access settings. You can turn off Guided Access either with a PIN or by setting it up to work with your Touch ID through Settings > General > Accessibility > Guided Access > Passcode Settings.

9. Use an app that limits the time your child spends online

According to the Pew Research Institute, 50 percent of parents have used parental control tools to block, monitor, or filter their child’s online activities.

The ScreenTime app is available for Apple, Android and Amazon devices. The app is free for one child, and includes the ability to monitor the device remotely and to see your child’s web and search history. A $4-per-month premium version adds daily time limits, ability to block apps, and block the use of the device during school hours or after bedtime.

Alternative apps:

There are also some James Bond-type apps out there. These will let you track your child’s location, read their emails and text messages, and spy on their Snapchats and other communications.

Be careful with these. Do you want to lose your child’s trust? Ask yourself if you want to engage in a cyberwar with a teenager that could escalate to them using anti-spyware applications and burner phones.

10.  Make sure your kids are only using safe chat rooms

Some kid-friendly platforms offer chat rooms where kids can talk to other kids. Vet the sites first to make sure that someone monitors the chat rooms.

And teach your kids not to share their real identities on such platforms but to use anonymous screen names instead.

Teach, Educate and Talk with Your Children


11.  Teach your children not to respond to messages from strangers

If they get a text message, instant message, email or social media message from someone they don’t know then they must delete it at once.

Make sure they know not to open it, not to respond to it, and, of course, not to click on any links or attachments.

If those girls from Pretty Little Liars followed that advice, the show would have been over after one episode.

12.  Educate your children about the risks of “sexting”

Last year, in a report to the U.S. Congress, the Justice Department revealed that the biggest growing threat to children is something called “sextortion.”

It’s bad enough when minors send nude images of themselves to boyfriends or girlfriends, and those images then get distributed to others.

Besides the psychological damage, children who both send and receive the “sexts” are breaking the law, something that could result in prosecution and even registration as a sex offender.

And it gets worse.

According to the FBI, the “sextortionists” have gone pro, with individual criminals targeting hundreds of children each. They pretend to be the same age as their victims. They then trick or coerce them into producing child pornography for them. They even get them to recruit friends and siblings.

In a review of forty-three such cases, the FBI found that two victims committed suicide, and ten others attempted to kill themselves. Victims also have their grades decline, drop out of school, get depressed, and engage in cutting and other types of self harm.

The National Centre for Missing and Exploited Children says that reports of sextortion were up 150 percent during the first several months of 2016, compared with the same time period in 2014.

In 4 percent of the sextortion reports, the children engaged in self-harm, threatened suicide or attempted suicide as a result of the victimization, the Centre said.

13.  Warn your kids about file sharing

Uploading illegal files is of course  – illegal!

And so is downloading – though fewer media companies seem to be prosecuting kids these days. Downloading illegal files also carries other risks, such as viruses.

Fortunately, there are now many free and low-cost services out there where kids and teens can get videos and music.

14.  Warn your kids about online polls and surveys

There are lots of fun, harmless polls out there, like the one that tells you what kind of poodle you are. But many ask for too much personal information, and could land your kids on spammers’ email lists, or open them up to identity theft.

Many adults have a separate email account for when they need to provide an email address to register for something. If your child has a legitimate reason to fill in questionnaires needing an email address, consider helping them set up a second email account of their own.

15.  Warn your kids about getting too close to strangers

When you’re meeting someone for the first time after, say, communicating with them via an online dating app, you know to set the meeting in a public location, such as a coffee house, and to let friends know where you are.

This is common sense.

But children and teenagers often lack that basic common sense – or might be tricked into keeping their online relationships secret.

Of course, predators can also communicate with potential targets via traditional mail, or meet them at bus stops. But the Internet allows them to scale up their activities big time.

Attackers can use online relationships to lure children to meet them in person. Or, more often, they will try to trick children into making unnecessary purchases, or into sharing information, photos, or videos.

Know your children’s online friends. And, as with off-line friends, confirm their identities, and talk to those kids’ parents. Be sure that those “kids” are, in fact, kids.

16.  Help your children deal with cyberbullying

Cyberbullying affects up to 15 percent of children, according to a report released last year by the National Academies of Sciences, Engineering, and Medicine.

And the rates are even higher for children who are overweight, disabled, or LGBT, or members of a minority group.

Victims have physical problems such as trouble sleeping, upset stomachs, and headaches, along with psychological effects such as depression, anxiety, and alcohol and drug use.

Let your kids know that they can turn to you for help, and find out what resources are available from your local schools.

You should save messages and other evidence of the cyberbullying. Report the bully to the social media platform concerned in the first instance, then to the telephone or Internet service provider, as well as to the school or local law enforcement authorities. And block the bully from your child’s social media, telephone, or email accounts.

More information here:

17.  Set a good example

How many baby pictures and vacation photos have you posted online? Before lecturing your kids about staying safe, make sure that you yourself are a good model. Learn about the privacy settings in the social media apps you use most, then check that you aren’t sharing private, personal moments with the whole Internet.

And don’t drive while texting or talking on the phone. Wait until we all have those self-driving cars we’ve been promised and do your texting then.

18.  Set rules about what your kids can share online

As an adult, you know to be careful about what information you post online. You know not to share your financial information or social security numbers with strangers.

Make sure your kids know the rules and understand the reasons behind them. Even seemingly innocuous information, like vacation pictures, can let criminals know when your house is empty.

Some information, like a funny picture of your cat in the snow, is safe to share with everyone. Other stuff, like vacation plans, is fine to share with family and close friends. And some things are best not shared online at all.

The recommended age for children to have their own social media accounts is 13.

The Family Online Safety Institute has a sample family online safety contract here: https://www.fosi.org/good-digital-parenting/family-online-safety-contract/

19.  Add your kids as a “Friend”

If your children have their own accounts on Twitter, Facebook, Google Plus, Instagram, Snapchat or other social media sites, follow or friend them.

Don’t let your kids tell you that other parents don’t do this. According to the Pew Research Center, 83 percent of parents are friends with their teenage child on Facebook.

You’ll be able to see if they’re posting inappropriate things online and can step in before problems escalate.

It’s not foolproof. There are ways that children can keep their communications hidden from you. And if you’re too heavy-handed in your monitoring, it may cause your children to be more secretive.

20.  Set limits on how much time your children can spend online

According to a recent national survey, tweens spend an average of six hours a day with their devices, and that’s not including the time spent on school or homework. And teens spend an amazing nine hours a day staring at their screens.

Sure, some of that is listening to Spotify while exercising. But the bulk of the time is spent watching videos, playing games, and using social media.

The American Academy of Paediatrics used to recommend that children under two should have no screen time at all, with conservative limits regarding screen time for older children. In late 2016, the organization re-evaluated current research and loosened its recommendations. They now suggest that some screen time, video chats with relatives and educational applications for instance, can be valuable for even the youngest children.

Now, the organization suggests that families create a Family Media Plan.

They also recommend that parents:

  • Limit the use of screens during meals and for an hour before bedtime.
  • Limit the child’s temptation to check devices at all hours of the night by not charging them overnight in their rooms.

21.  Additional resources

Internet Matters: Resources for parents looking to keep children safe online, with age-specific how-to guides, free apps, and device safety checklists. https://www.internetmatters.org/

Family Online Safety Institute: Parenting guides and news and reports about online safety issues. https://www.fosi.org/

Safe, Smart & Social: Social media training guides and safety tips for parents and educators. https://safesmartsocial.com/

17 Safe Internet Browsing Tips

Andrey Doichev

Andrey Doichev writes on technology and cyber security for a number of online publications and is managing editor at BBJ.

The Internet can be a dangerous place for the careless. Land on the wrong website, and you can infect your computer with malicious software that will steal your data or scramble it and demand a ransom for its return. Fill in a username and password in a bogus form, and your digital life can be turned to toast.

As scary as this sounds, if you’re careful, you can surf the Net with a great degree of safety.

Safe surfing starts with your browser.

Two of the most popular ways miscreants prey on browsers are through socially engineered malware and phishing.

Nearly a third of Internet users have been victims of socially engineered malware, according to NSS Labs, an independent testing organization. By using some form of deception, for instance, linking to a rogue website or getting a person to open an infected document, bad actors can manipulate people into poisoning their own machines with malicious software. Such software can compromise or damage hardware or steal sensitive information. Ransomware gets distributed this way too.

This form of malware has had wild growth in the last 12 months. It encrypts data on an infected computer or phone so its owner can’t access it. It then demands the owner pay a ransom to make it accessible again.

Phishing is often a prelude to planting socially engineered malware on a machine, but it’s also used to get hold of sensitive data. For instance, you receive an email from your bank asking for your username and password to access your account. Only the email isn’t from your bank but from a phisher masquerading as your bank. And the next thing you know your checking and savings accounts are running on empty.

NSS notes that 2016 saw the reporting of over 145,000 unique phishing campaigns each month. Just as frequent was the discovery of 125,000 phishing websites.

In fact, the situation became so alarming among businesses, which lost $2.3 billion in the last three years to phishing scams, that the FBI issued a special alert on the subject.

 

1. Use/Install Most Secure Internet Browser

Major browsers offer protection against social engineering malware and phishing, although some offer more protection than others.

For example, in NSS’s latest browser tests, Microsoft’s new Edge browser blocked 99% of the malicious samples thrown at it, compared to 85.9% for Google Chrome and 78.3% for Mozilla Firefox.

3 Best Internet Browsers for Safe Browsing

  1. Microsoft Edge (2017 version)
  2. Google Chrome
  3. Mozilla Firefox

For several years now, Microsoft has incorporated into its browsers a technology called SmartScreen URL and Application Reputation filtering.

The tech checks the reputation of a URL before it allows it to download into the browser. If the website’s reputation is bad, as would be the case with a phishing website, you’ll receive an alert. You can then choose whether to go to your homepage, a website you’ve been to before, or to be a devil and proceed to the website of ill-repute.

Similar screening happens when you try to download a file from a questionable website. The browser will block the download.

NSS also found that Edge was the quickest to block new social engineering malware, taking only 10 minutes. Compare this to four hours, 39 minutes for Chrome and four hours, five minutes for Firefox.

It was also the most effective in addressing “zero day” vulnerabilities, which are flaws exploited for the first time in an attack: 98.7%, compared to 92.8% for Chrome and 78.3% for Firefox.

2. Customize Your Security Settings

You can also make a browser more secure by customizing it through its preferences or settings menu. Fiddling with settings, though, can create inconveniences.

For example, shutting off features like “autofill”, which automatically fills in forms on web pages, and password storage keeps the browser from storing data in files that anyone hacking your system could mine.

On the other hand, the manual filling of forms and typing in usernames and passwords can be a burden.

Turning off other features can reduce the “attack surface”, the places available to intruders to attack your system, but it can reduce your surfing pleasure, too. Turning off “cookies,” for instance, can improve your privacy. The problem is that there are plenty of websites that won’t serve up their web pages to you if you don’t have cookies enabled. The same is true for enabling plug-ins, JavaScript and, to a lesser degree, Java.

One option you should definitely turn on, though, is “block pop-up windows” to prevent pesky ads from popping up over web pages you’re visiting. And if your browser supports it, choose the option to send “Do Not Track” requests with your browsing traffic to keep marketers from snooping on your Net travels.

Here are step-by-step guides for securing your browsers (i.e. making them less vulnerable).

As with any software, you always want to make sure your browser is up-to-date with the latest upgrades and patches. Many times those patches are created to address newly found security flaws in the software. Keeping a browser current is less of a problem than it used to be because now updates are often automated.

3. Use Password Manager (not “AutoFill” options)

Next to your browser, a good password manager has become almost essential for safe surfing, especially after you turn off the ‘remember passwords and fill forms’ options of your browser.

Features can vary from manager to manager, but they all have one thing in common:

They remember your credentials – username and password – for a website and fill them in when you land on its login page.

That allows you to create unique and secure credentials for every website wanting them without having to commit those credentials to memory. You need only remember one password: the master password for accessing the password manager.

Thousands, sometimes millions, of passwords become compromised every day, so password managers can help you avoid the domino effect that occurs when reusing passwords. Credential thieves can take a set of stolen credentials and plug them into thousands of websites through automation techniques. That done, they can crack every site where you’ve reused your password. Using unique passwords reduces the damage that can be done with a single password.

Here are the 3 most popular password managers in 2017:

  1. 1Password ($2.99/mo)
  2. KeePass (FREE)
  3. LastPass (FREE)

While inserting something new into your web flow may not sound appealing to you, password managers are relatively unobtrusive after installation. Most install in a browser of your choice as a plug-in. There they’ll watch your cyberspace travels. If you’re new to a website, the program will help you create credentials for it. If you’ve been to the site before, the software will automatically fill in your login info. What’s more, most managers will also create a list of sites for which they’ve stored logins that can be quickly accessed from your browser’s toolbar.

4. Use Creativity When You Create Your Passwords

If remembering a lot of passwords is a big chore, then creating passwords is just as taxing. Password managers can automate that for you, too. You can tell them to create a secure password for you and it’s done in an instant.

In some managers you can even customize the passwords they create.

You can make a password a certain length. The recommended length is 16 characters, but that may be too long for some websites. You can also choose whether it should be pronounceable, whether it uses numbers, capital letters and special characters, and whether it excludes similar characters like 1 and l or O and 0.

If you go old school and create passwords in a form by hand, a password manager can help you there too. It’ll tell you if your creation is secure or if you’ve already used that password someplace else.
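The generator options described above (length, character classes, leaving out look-alike characters) and the reuse check can be sketched as follows. This is an added example, not code from the article or from any password manager; the function names, the `SIMILAR` set and the sample vault are assumptions made for illustration.

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict

SIMILAR = "1l0O"  # the look-alike pairs the article names: 1/l and O/0

# Constructed sample vault (site -> password), for illustration only.
SAMPLE_VAULT = {
    "bank.example": "constructed-unique-value-1",
    "shop.example": "Summer2017!",
    "forum.example": "Summer2017!",
    "mail.example": "constructed-unique-value-2",
}


def build_pools(use_digits=True, use_upper=True, use_symbols=True,
                exclude_similar=False):
    """Return one string of allowed characters per enabled character class."""
    pools = [string.ascii_lowercase]
    if use_upper:
        pools.append(string.ascii_uppercase)
    if use_digits:
        pools.append(string.digits)
    if use_symbols:
        pools.append(string.punctuation)
    if exclude_similar:
        pools = ["".join(c for c in p if c not in SIMILAR) for p in pools]
    return pools


def generate_password(length=16, **options):
    """Draw from the OS CSPRNG until every enabled class is represented."""
    pools = build_pools(**options)
    if length < len(pools):
        raise ValueError("length too short to include every enabled class")
    alphabet = "".join(pools)
    while True:
        # Rejection sampling keeps the result uniform over all valid passwords.
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in pool for c in candidate) for pool in pools):
            return candidate


def entropy_bits(length, **options):
    """Approximate strength: length * log2(alphabet size)."""
    pool_size = sum(len(p) for p in build_pools(**options))
    return length * math.log2(pool_size)


def find_reused(vault):
    """Group sites that share a password, without echoing the password."""
    groups = defaultdict(list)
    for site, password in vault.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        groups[digest].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


if __name__ == "__main__":
    print(generate_password(16, exclude_similar=True))
    print(f"{entropy_bits(16):.1f} bits with the full alphabet")
    print(f"{entropy_bits(16, exclude_similar=True):.1f} bits without {SIMILAR}")
    print("reused on:", find_reused(SAMPLE_VAULT))
```

Dropping the four look-alike characters costs about one bit at 16 characters, while any reuse group reported by `find_reused` is a set of accounts that falls together if one of them is breached.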

One of the greatest benefits of a password manager is that most of them work across platforms. Whether you’re working on your phone, tablet, laptop or desktop, you always have access to your credentials. That also means you don’t have to type a secure password like F*t5pWU397%6QvAk7K9W on a smartphone keyboard.

What’s more, with information synchronized across platforms, your devices will update automatically when you either change your credentials or add new ones.

 

5. Hide Your IP With a VPN

Having a secure browser and a password manager will offer you a measure of security as you cruise the Web, but if you want to take safety up a notch, consider using a Virtual Private Network service.

VPN services both protect your connection to the Internet by encrypting the data in the connection and hide where you’re connecting to the Net, which protects your privacy.

Encrypting your connection to the Internet is especially important when working on insecure Wi-Fi networks, such as those found in public places like airports, hotels and restaurants. Those networks are insecure because it’s quite easy for a snoop to intercept traffic on them with a software tool called a sniffer. With an encrypted connection though, snoops capturing your data will see only garbage.

When you connect to the VPN service you’re subscribing to, it masks your identity on the Net. That means your Internet Service Provider won’t be able to track your movements online. Your government will also have a more difficult time tailing you. And sites that would ordinarily recognize you, such as your bank, won’t know who you are and will ask you to authenticate yourself to them.

There are some hassles to using a VPN, which is why usually only people with an extra need for privacy use them. For example, they can slow down your Internet experience because your traffic may be making more hops to get from point A to point B than it would have if you weren’t using a VPN.

What’s more, a VPN service’s servers are likely to be located all over the world. That can create problems if you use streaming services that have regional restrictions, like Netflix and YouTube. If you’re connected to a VPN server in Tokyo, then to the streaming service it looks like you’re in Tokyo and not in your home or office.

VPN providers offer their services in both subscription and free offerings. The problem with free services is they have to make their money in some way. More often than not that means selling your data to marketers. So if protecting your privacy is as important as protecting your communication, you may want to avoid free VPNs.

One exception to that rule, though, is the latest version of the Opera browser. It has free VPN services built into it. Although at its core Opera uses the same browser kernel as Google’s Chrome, some websites may not recognize Opera. In addition, Opera’s VPN proxies may also be blocked at certain websites, such as Netflix.

Otherwise, Opera’s VPN will do what’s expected from a VPN. It will replace your IP address with a virtual IP address to thwart net trackers. It will allow you to access websites blocked by firewalls or an organization like a school or company. And it can protect sessions at public Wi-Fi spots.

Best Picks for VPN

  1. ExpressVPN – Read review
  2. NordVPN – Read review
  3. VyprVPN – Read review
  4. PureVPN – Read review

P.S. Here’s a full list of best VPN services (updated for 2018)

6. Confirming Site’s Security (https vs. http)

One way to determine if a site is trustworthy is if it has a green padlock on your browser’s address bar.

Not only does that mean that traffic between you and the site is encrypted, but also that the domain’s ownership has been validated. While domain validation is useful, it doesn’t say anything about the legitimacy of the owner.

There’s another level of validation for that called Extended Validation. Organizations need to prove their identity and their legitimacy as a business before they can get EV validation. This appears as a green address bar and lock in your browser.

Even if you’re rigid about following good security hygiene, some personal information you’ve uploaded to the Internet during your digital lifetime may fall into the wrong hands. If it’s an email address that’s part of a data breach, you can get an automatic notification via a free service offered by the breach monitoring website Have I Been Pwned.

It’s also a good idea to activate any alerts offered by your credit card providers and banks. Those alerts will keep you notified of various kinds of activity in those accounts. Then, in the event of a compromise, you can respond to the situation at once.

 

7. Phishing Emails and Tips to Avoid Them

No doubt you think you know how to spot a phishing email. But do you?

Phishing emails get an average click rate of about 10 percent or higher, according to a report released last month by Wombat Security Technologies.

And there are a lot of them. If you don’t click on one, you might well click on the next one.

Diligent recently published the results of a survey regarding which phishing emails people were most likely to click on.

More than 68 percent of people would click on an email if it looked like it came from someone they know. And 61 percent would click on an email that referred to social media, such as one saying “Did you see this pic of you? LOL.”

People who got an email that looked like an invitation to access a shared file on a service like Dropbox clicked on it 38 percent of the time.

Other successful phishing emails were ones that told users that they had to do something, with instructions or information such as that they:

  • Needed to secure their account
  • Needed a new social media login
  • Had a court appearance, with the court notice in the attachment
  • Were due a tax refund

According to Diligent, 156 million phishing emails get sent every day, and 16 million of them aren’t detected by spam filters.

So what happens if you click on the link, or open the attachment? You get malware, that’s what.

More than 90 percent of phishing emails carry ransomware. These are programs that infect your computer and encrypt all your files. The hackers then ask you to send them money to get your files back, but there’s no guarantee that they’ll keep their promise. Well, they are criminals, after all!

Last year, ransomware hackers took in more than $1 billion from victims.

You can also get infected by malware that spies on everything you do, including the passwords that you type into your online banking site. Other malware takes over your computer and uses it to send out more spam. That slows down your computer and has the potential to get you into trouble with your Internet service provider.

Tips for Recognising Phishing
  • Spelling or grammar mistakes. Real companies hire copy editors to check their emails before they go out.
  • It doesn’t use your name.
  • It’s from someone you don’t know, or it refers to a transaction that is unfamiliar to you.
  • It asks for your personal information.
  • It seems too good to be true. Or too bad to be true.
  • The tone is urgent or even threatening.
  • The return address of the email or the URL of the link doesn’t look right. For example, instead of taking you to MyBank.com, it goes to MyBank-this-is-real-we-swear.com.
  • It asks you for money or a donation.
  • It’s as vague as it can be, and it wants you to click on a link or download a file to find out more.
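The return-address and link-URL checks from the list above can be automated for mail that claims to come from a known brand. The following is an added example, not code from the article: the sample message is constructed around the article's MyBank illustration, and the rule names and function names are assumptions.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message, built around the article's MyBank example.
SAMPLE_PHISH = """\
From: MyBank Support <support@mybank-this-is-real-we-swear.com>
To: customer@example.org
Subject: Urgent: secure your account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Dear customer,</p>
<p>Sign in at <a href="http://mybank-this-is-real-we-swear.com/login">https://www.mybank.com/login</a> within 24 hours.</p>
<p>Questions? See <a href="https://www.mybank.com/help">our help page</a>.</p>
"""

# A host name written out in the visible link text, with or without a scheme.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_trusted(host, trusted_domains):
    """True only for a trusted domain itself or one of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted_domains)


def looks_like_brand(host, trusted_domains):
    """True when an untrusted host borrows a trusted domain's first label."""
    brands = {d.split(".")[0] for d in trusted_domains}
    return not is_trusted(host, trusted_domains) and any(b in host for b in brands)


def check_message(raw, trusted_domains):
    """Return (rule, detail) findings for the sender and each link."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = parseaddr(str(msg.get("From", "")))[1].rsplit("@", 1)[-1].lower()
    if looks_like_brand(sender, trusted_domains):
        findings.append(("lookalike-sender", sender))
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:
        parts = urlsplit(href)
        host = (parts.hostname or "").lower()
        if looks_like_brand(host, trusted_domains):
            findings.append(("lookalike-link", host))
        shown = HOST_IN_TEXT.search(text)
        if shown and shown.group(1).lower() != host:
            findings.append(("text-href-mismatch", f"{shown.group(1)} -> {host}"))
        if parts.scheme == "http":
            findings.append(("no-https", href))
    return findings


if __name__ == "__main__":
    for rule, detail in check_message(SAMPLE_PHISH, ["mybank.com"]):
        print(f"{rule}: {detail}")
```

The suffix match in `is_trusted` is what keeps a host such as `mybank.com.evil.example` from passing as the bank: only the domain itself or a true subdomain counts.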

With the constantly growing rate of cyber crimes and online scams, people lose billions, and many people have lost their identity.

This guide will help you avoid the following:

  • Identity Theft
  • Credit Card Frauds
  • Phishing Emails
  • and more.

We’ve pointed out 14 ways to keep your online activity super-secure. At the end of the article, we’ve reviewed some IT industry experts who give good insight to the future.

8. Download Software From Trusted Sources

 

The Internet is awash with different kinds of software that you can download and install on your computer. Keep in mind that not all downloads are equally trustworthy.

An approved software update for your operating system (usually Windows or macOS) is sure to be safe to install. On the other side of the spectrum, a download from a cheap-looking website that promises to clean up the files on your computer is one to stay away from.

Look to download commercial apps bought from secure sites and free apps from sites with a good reputation (such as Tucows and ZDNet, as well as official resources such as the Mac App Store). If you’re unsure about the origin of any piece of software, don’t download or install it. Look it up on the web and check for reviews and blog posts about the software from reputable sources. It doesn’t take long to tell whether a piece of software is genuine and trusted by the web community.

9. Avoid File-sharing Sites and Torrenting

Sites used to back up and synchronise your files are generally fine to use, and are much safer than many people might think. But places where you’re active in sharing content with others, file-sharing sites for example, have the potential to compromise your computer. This is because such sites often deal in the sharing of files that aren’t intended for sharing.

These files might be films, software or other content that has some commercial, copyrighted value. Someone looking to gain control of others’ computers could easily share some rogue software – called malware. This would allow them access to your machine if it were to run on your system.

Be careful, then, whenever using a service like this. It should go without saying that following copyright laws in your country is a sensible thing to do!

10. Turn on Two-Factor Authentication Whenever Possible

Many of the websites most critical to our lives (online banking websites, Gmail, Facebook, etc.) offer two-factor authentication.

This means that if someone looks suspicious in any way, they’ll step in. So should it appear that you’re logging in from a computer in China, and you’ve never used that particular computer before, and you’ve never even left your home town, alarm bells will ring and they’ll intervene. For example, the bank might send a one-time code to your phone, or send a code to you by email.

Unless the hacker also somehow got into your email or your phone, they’ll be locked out of your account.

And if you ever lose your password, or someone tries to hijack your account, you can go through the second authorization method to reset your password and get your account back.

But two-factor authentication isn’t automatic. You have to give your cell phone number to your bank and you have to enable the two-factor with Google and Facebook.

If you haven’t done it yet – now is the time.

According to the Pew survey, 16 percent of respondents said their email accounts had been taken over, while 13% said this had happened to one of their social media accounts.

Here are the instructions for the most popular services:

11. Change Your Passwords After a Breach

Speaking of changing your passwords after a breach – you should do that.

According to the Pew survey, 64 percent of Americans have personal experience of a major data breach.

If you’re one of them, or suspect that you are, go and change your passwords. Start with your most important sites: banking, credit cards, and shopping sites. Then move on to your favorite social media sites.

Chances are you can’t even remember all the places where you have an account, right?

Go back to the previous step and install a password manager.

12. Consider Using Credit Monitoring

Another thing that the criminals will do if they get access to your personal information is open new accounts in your name. You never see these statements because you don’t know that the accounts even exist. Well, not until you start getting hounded by collection agencies and discover that you’ve no longer got a credit rating.

Lucky then that protecting against this is very easy. And free.

You might have heard that you’re allowed one free report a year from each of the credit monitoring services, so you haven’t bothered with it.

Now, there are several free options out there that will let you check your credit report any time you want, for free, without any damage to your credit rating. And they’ll also send you an alert if anyone tries to open a new credit account in your name.

Capital One and Discover Card both offer free online credit monitoring.

My personal favorite service is Credit Karma, and another popular option is Credit Sesame.

13. Consider Using Extra Anti-Virus Protection & Lock Your Screen

By now you should have the idea that NOT clicking on phishing emails is your first line of defence.

But what happens if you do, and the malware starts invading your computer or smartphone?

With luck you have anti-virus in place to catch it.

I use Avast, and there are several others from very reputable companies that don’t cost you any money.

You can get the antivirus software for your smartphone, too. Yet, according to Pew, only 32 percent of people have it.

Another way to protect your computer or mobile device is to turn on password or PIN or fingerprint locks.

According to the Pew survey, 28 percent of smartphone owners don’t use a screen lock or other security feature to limit access to their phone.

Most people don’t secure their laptops either. It’s simple enough for a thief to grab your device and walk off with it and all the data in it. If you’ve got it set up with automatic logins to your financial sites, email or social media accounts, you’re even more vulnerable.

Do you have a camera on your computer? I keep a Post-It over mine, and Facebook’s Mark Zuckerberg uses a piece of tape. It’s a quick and easy fix. I’m happy knowing that some stranger isn’t watching me picking spinach out from between my teeth.

Because of the large number of breaches in the news recently, people are more aware of cybersecurity issues than ever before, said Pew’s Rainie.

“But in their day-to-day life, they don’t act as if it’s a central concern,” he said. “It’s a paradox.”

14. Be Prompt about Updating Your Operating System and Software

When a company discovers that there’s a security problem in its software, it sends out an update.

Some programs do automatic updates, without asking permission. But many operating systems and applications ask first.

Most people don’t approve the update right away. Given the choice, only 32 percent of people opt to have their apps update themselves on an automatic basis. Of the rest, 38 percent run the updates when it’s convenient, and 10 percent never install app updates at all.

When it comes to major updates, like the phone operating system, 42 percent wait until it’s convenient, according to the Pew survey, and 14 percent never update it.

That’s a problem. When hackers find out that there’s a security vulnerability, they rush out to take advantage of it before everyone upgrades. The longer you take, the more at risk you are.

So why don’t people update right away?

“It might be strictly a matter of convenience and control,” said Pew’s Rainie. “Some people think, I want to do updates in my own time. Or, I don’t want to burn through to my data cap.”

15. Use Reputable Shopping Sites

Most brand-name e-commerce sites, like Amazon, have good security systems in place and are happy to refund your money if something goes wrong.

Scammers still pop up, though, promising goods that they don’t deliver. Check the ratings and customer reviews before making a purchase.

As an extra precaution, if you pay with a credit card, you can also have them reverse the charges if it turns out that there’s a problem.

Don’t visit a shopping site that doesn’t have a GREEN certificate on its browser bar. Without one, the site doesn’t encrypt your credit card data.

16. Don’t Use Unsecured WiFi

Most wireless routers – the devices that share the Internet signal around your home or office – will be set to use a form of encryption that needs a password to let you connect to the WiFi network. Although this is a pain, it’s a safe way to ensure you’re not making it easy for others to join your wireless network. Not doing this would mean they might be able to gain unauthorised access to any of the computers or devices on the network.

When you are out of the home or office, you might connect to a public WiFi hotspot. These often have their own joining criteria (a need to register or enter a password, for example), but some WiFi networks are completely open. Connecting to such networks is usually a bad idea. It’s best to pick a secure network instead or to rely on your device’s own connection to your mobile operator.

An alternative is to use a Virtual Private Network (VPN) app such as ExpressVPN (review). This allows you to create a secure connection even when you have joined an unprotected WiFi network.

Such apps are ideal for Android and iOS. For more comprehensive reviews, take a look at our VPN Reviews.

17. Back Up Your Data

While it’s crucial to keep your computer protected from the outside world, it’s important to remember that you keep data – that’s files, documents, pictures, music, videos – for a reason: to use them. The last thing you want is for the hard disk inside your computer to fail and for you to lose any or all that precious information. So, what to do? The best course of action is to put in place a backup routine. That means finding a way to copy your information to a safe place so that you don’t rely on your computer’s hard disk alone.

You can make your backups to an external hard disk, such as one connected to the computer via a USB cable.

More and more people are now turning to cloud backups. Cloud backups give you a secure way of transferring data over the Internet to a service such as Dropbox.

For the best protection, use a combination of physical and cloud backups. Doing so will mean your data should be safe even if a disaster were to strike. A service such as Acronis may suit you if you wish to go for the hybrid backup route.

Advanced Encryption Standard (AES)

John Mason

What is AES and how does it work

AES, or Advanced Encryption Standard, is a cryptographic cipher that is responsible for a large amount of the information security that you enjoy on a daily basis.

Applied by everyone from the NSA to Microsoft to Apple, AES is one of the most important cryptographic algorithms being used in 2018.

What exactly is AES? How does it work? And can “non-techie” people like you and me apply it to be more secure in our daily lives?

That’s exactly what we will be discussing in this guide.

What is AES?

AES, or Advanced Encryption Standard (also known as Rijndael), is one of the most widely used methods for encrypting and decrypting sensitive information in 2017.

This encryption method uses what is known as a block cipher algorithm (which I will explain later) to ensure that data can be stored securely.

And while I will dive into the technical nuances and plenty of fun cryptography jargon in a moment, in order to fully appreciate AES we must first backtrack for a brief history lesson.

AES vs. DES (Background story)

Before diving into AES in all of its encrypted glory, I want to discuss how AES achieved standardization and briefly talk about its predecessor, DES, or Data Encryption Standard.

Basing their development on a prototype algorithm designed by Horst Feistel, IBM developed the initial DES algorithm in the early 1970s.

The encryption was then submitted to the National Bureau of Standards who, in a later collaboration with the NSA, modified the original algorithm and later published it as a Federal Information Processing Standard in 1977.

DES became the standard algorithm used by the United States government for over two decades, until, in January of 1999, distributed.net and the Electronic Frontier Foundation collaborated to publicly break a DES key in under 24 hours.

They successfully concluded their efforts after only 22 hours and 15 minutes, bringing the algorithm’s weakness into the spotlight for all to see.

Over 5 years, the National Institute of Standards and Technology stringently evaluated cipher designs from 15 competing parties, including MARS from IBM, RC6 from RSA Security, Serpent, Twofish, and Rijndael, among many others.

Their decision was not made lightly, and throughout the 5-year process, the entire cryptographic community banded together to execute detailed tests, discussions, and mock attacks in order to find potential weaknesses and vulnerabilities that could compromise each cipher’s security.

While the strength of the competing ciphers was obviously of paramount importance, it was not the only factor assessed by the various panels. Speed, versatility, and computational requirements were also reviewed as the government needed an encryption that was easy to implement, reliable, and fast.

And while there were many other algorithms that performed admirably (in fact many of them are still widely used today), the Rijndael cipher ultimately took home the trophy and was declared a federal standard.

Upon its victory, the Rijndael cipher, designed by two Belgian cryptographers (Joan Daemen and Vincent Rijmen), was renamed Advanced Encryption Standard.

But this cipher’s success didn’t end with its standardization.

In fact, after the standardization of AES, the cipher continued to rise through the ranks, and in 2003 it was deemed suitable by the NSA for guarding Top Secret Information.

So why exactly am I telling you all of this?

Well, in recent years, AES has been the subject of much controversy as many cryptographers and hackers question its suitability for continued use. And while I am not posing as an industry expert, I want you to understand the process required to develop the algorithm and the tremendous amount of confidence that even the most secretive agencies place in the Rijndael cipher.


Common Uses of AES in 2017

Before I dive into some of the more technical details about how AES works, let’s first discuss how it’s being used in 2017.

It should be noted that AES is free for any public, private, commercial, or non-commercial use. (Although you should proceed with caution when implementing AES in software since the algorithm was designed on a big-endian system and the majority of personal computers run on little-endian systems.)

  1. Archive and Compression Tools

If any of you have ever downloaded a file off the internet and then gone to open that file only to notice that the file was compressed (meaning that the original file size was reduced to minimize its effect on your hard drive), then you have likely installed software that relies on an AES encryption.

Common compression tools like WinZip, 7 Zip, and RAR allow you to compress and then decompress files in order to optimize storage space, and nearly all of them use AES to ensure file security.

  2. Disk/Partition Encryption

If you’re already familiar with the concept of cryptography and have taken extra measures to ensure the security of your personal data, the disk/partition encryption software that you use likely uses an AES algorithm.

BitLocker, FileVault, and CipherShed are all encryption software that run on AES to keep your information private.

  3. VPNs

The AES algorithm is also commonly applied to VPNs, or Virtual Private Networks.

For those of you who are unfamiliar with the term, a VPN is a tool that allows you to use a public internet connection in order to connect to a more secure network.

VPNs work by creating a “tunnel” between your public network connection and an encrypted network on a server operated by the VPN provider.

For example, if you regularly do work from your local coffee shop, you are probably aware that the public connection is incredibly insecure and leaves you vulnerable to all types of hacking.

With a VPN, you can easily solve this problem by connecting to a private network that will mask your online activities and keep your data secure.

Or, let’s say that you are traveling to a country with stringent censorship laws and you notice that all of your favorite sites are restricted.

Once again, with a simple VPN setup, you can quickly regain access to these websites by connecting to a private network in your home country.

It should be noted, however, that not all VPNs are created equally.

While the best VPNs (like ExpressVPN and NordVPN) rely on an AES-256 encryption, there are a number of outdated services that still rely on PPTP and Blowfish (a long since obsolete 64-bit encryption), so be sure to do your research before selecting a provider.

  4. Other Mainstream Applications

In addition to the above applications, AES is used in a plethora of different software and applications with which you are undoubtedly familiar.

If you use any sort of master password tools like LastPass or 1Password, then you have been privy to the benefits of 256-bit AES encryption.

Have you ever played Grand Theft Auto? Well, the folks over at Rockstar developed a game engine that uses AES in order to prevent multiplayer hacking.

Oh, and let’s not forget, any of you who like to send messages over WhatsApp or Facebook Messenger… You guessed it! AES in action.

Hopefully, you are now beginning to realize just how integral AES is in running the entire framework of modern society.

And now that you understand what it is and how it’s used, it’s time to get into the fun stuff. How this bad boy works.

The AES Cipher

The AES cipher is part of a family known as block ciphers, which are algorithms that encrypt data on a per-block basis.

These “blocks”, which are measured in bits, determine the input of plaintext and output of ciphertext. So, for example, since the AES block is 128 bits long, for every 128 bits of plaintext, 128 bits of ciphertext are produced.

Like nearly all encryption algorithms, AES relies on the use of keys during the encryption and decryption process. Since the AES algorithm is symmetric, the same key is used for both encryption and decryption (I will talk more about what this means in a moment).

AES operates on what is known as a 4 x 4 column-major order matrix of bytes. If that seems like too much of a mouthful to you, the cryptography community agrees and termed this matrix the state.

The key size used for this cipher specifies the number of repetitions or “rounds” required to put the plaintext through the cipher and convert it into ciphertext.

Here’s how the cycles break down.

  • 10 rounds are required for a 128-bit key
  • 12 rounds are required for a 192-bit key
  • 14 rounds are required for a 256-bit key

While longer keys provide the users with stronger encryptions, the strength comes at the cost of performance, meaning that they will take longer to encrypt.

Conversely, while the shorter keys aren’t as strong as the longer ones, they provide much faster encryption times for the user.

Aren’t Symmetric Ciphers Easier to Break than Asymmetric?

Now before we move on, I want to briefly touch on a topic that has sparked a significant amount of controversy within the cryptographic community.

As I noted earlier, AES relies on a symmetric algorithm, meaning that the key used to encrypt information is the same one used to decrypt it. When compared to an asymmetric algorithm, which relies on a private key for decryption and a separate public key for file encryption, symmetric algorithms are often said to be less secure.

And while it is true that asymmetric encryptions do have an added layer of security because they do not require the distribution of your private key, this does not necessarily mean that they are better in every scenario.

Symmetric algorithms do not require the same computational power as asymmetric algorithms, making them significantly faster than their counterparts.

However, where symmetric keys fall short is within the realm of file transferring. Because they rely on the same key for encryption and decryption, symmetric algorithms require you to find a secure method of transferring the key to the desired recipient.

With asymmetric algorithms, you can safely distribute your public key to anyone and everyone without worry, because only your private key can decrypt encrypted files.

So while asymmetric algorithms are certainly better for file transfers, I wanted to point out that AES is not necessarily less secure because it relies on symmetric cryptography; it is simply limited in its application.

Attacks and Security Breaches Related to AES

AES has yet to be broken in the same way that DES was back in 1999, and the largest successful brute-force attack against any block cipher was only against a 64-bit encryption (at least to public knowledge).

The majority of cryptographers agree that, with current hardware, successfully attacking the AES algorithm, even on a 128-bit key, would take billions of years and is, therefore, highly improbable.

At the present moment, there isn’t a single known method that would allow someone to attack and decrypt data encrypted by AES so long as the algorithm was properly implemented.

However, many of the documents leaked by Edward Snowden show that the NSA is researching whether or not something known as the tau statistic could be used to break AES.

Side Channel Attacks

Despite all of the evidence pointing to the impracticality of an AES attack with current hardware, this doesn’t mean that AES is completely secure.

Side channel attacks, which are attacks based on information gained from the physical implementation of a cryptosystem, can still be used against a system encrypted with AES. These attacks are not based on weaknesses in the algorithm, but rather on physical indications of a potential weakness that can be exploited to breach the system.

Here are a few common examples.

  • Timing Attack: These attacks are based on attackers measuring how much time various computations take to perform.
  • Power-monitoring Attack: These attacks rely on the variability of power consumption by hardware during computation.
  • Electromagnetic Attacks: These attacks, which are based on leaked electromagnetic radiation, can directly provide attackers with plaintext and other information. This information can be used to surmise the cryptographic keys by using methods similar to those used by the NSA with TEMPEST.

The Anthem Hacking: How AES Could Have Saved 80 Million People’s Personal Data

During February of 2015, the database for the Anthem insurance company was hacked, compromising the personal data of over 80 million Americans.

The personal data in question included the names, addresses, and social security numbers of the victims.

And while the CEO of Anthem reassured the public by stating the credit card information of their clients was not compromised, any hacker worth his salt can easily commit financial fraud with the stolen information.

While the company’s spokesperson claimed that the attack was unpreventable and that they had taken every measure to ensure the security of their clients’ information, nearly every major data security company in the world disputed this claim, pointing out that the breach was, in fact, completely preventable.

While Anthem encrypted data in transit, they did not encrypt that same data while it was at rest. Meaning that their entire database.

So even though the attack itself might have been unpreventable, by applying a simple AES encryption to the data at rest, Anthem could have prevented the hackers from viewing their customers’ data.

Conclusion

With the increasing prevalence of cyber-attacks and the growing concerns surrounding information security, it is more important now than ever before to have a strong understanding of the systems that keep you and your personal information safe.

And hopefully, this guide has helped you gain a general understanding of one of the most important security algorithms currently in use today.

AES is here to stay and understanding not only how it works, but how you can make it work for you will help you to maximize your digital security and mitigate your vulnerability to online attacks.

If you really want to dig into AES, I recommend watching the video below by Christof Paar (it goes in-depth and it’s interesting, too):

If you have any further questions about AES or any insights that you have gained from cryptography-related research, please feel free to comment below and I will do my best to get back to you.