Do you need a VPN in an HTTPS world? Yes, and here’s why
5 min read
The standard argument goes like this: people do not need to buy VPNs anymore because the internet has become much safer — you can now browse without worrying about online threats. While this argument is usually well-intentioned (and from a certain point of view, correct), it overlooks certain facts about the current state of internet security. There’s more to this story.
VPN vs. HTTPS
A VPN and HTTPS both have the capability to encrypt your data, but a VPN just so happens to encrypt more. HTTPS encryption only works between browsers and servers, and that’s only if it’s enabled. A VPN, however, encrypts all data that passes through the VPN connection, no matter if certain settings are enabled or not.
The web has gone through a revolution of security during the last decade. Most top websites now support Hypertext Transfer Protocol Secure, a.k.a. HTTPS, which enables encrypted communication between web browsers and websites.
HTTPS uses TLS encryption to secure the data traveling between your device and the website you’re visiting. So if you’re entering a password on a protected website, no third party that’s observing data traffic between you and the website can see it.
And that’s simply amazing.
But the idea that HTTPS and a VPN (virtual private network) are in some rivalry is plain wrong. HTTPS alone is not enough to secure web browsing. VPNs and HTTPS are not competitors — they work together to make everyone safer. You shouldn’t think of it as HTTPS vs. VPN because both tools can work in conjunction with each other.
VPN + HTTPS
The claim “you don’t need a VPN because most websites are encrypted anyway” is built on shaky ground. It’s like saying you don’t need to lock your front door because most homes are never robbed.
Being careful is not foolish or wasteful — we all take extra steps of caution to minimize our risk. We look both ways before crossing the street even though we have crossed thousands of streets without being hit by a car.
What HTTPS can’t do
HTTPS solves significant security issues — but it doesn’t solve them all. Let’s look at the key cases where HTTPS protection fails without the extra layer of security provided by a VPN.
HTTPS alone can’t secure your first connection
Sometimes your browser will first access an unencrypted version of the website (HTTP) and only then be directed to an encrypted version (HTTPS). This creates an opportunity for a man-in-the-middle attack. An attacker could intercept your connection while it’s unencrypted and redirect it to a malicious website. Once there, the attacker could use phishing, malware injection, or other attacks to cause more damage.
That’s why along with HTTPS, a website needs to implement a special mechanism called HSTS (HTTP Strict Transport Security).
HSTS informs your browser to never load an unencrypted website. Meaning with HSTS, your browser will only load the HTTPS version of the website, if available. Sounds neat? Only 11% of the top 1 million websites use HSTS at all — and only 2.3% preload it.
That means that 97.7% of the top websites don’t secure your first request. A VPN solves this issue by encrypting all your traffic from the get-go.
HTTPS can’t encrypt with a single click
For HTTPS to be truly effective, all parties concerned (browsers, websites, and users) must do their part.
Browsers have to notify their users when they enter an unencrypted website or block access to HTTP entirely. Users must notice and understand the difference between HTTPS and HTTP websites. Finally, websites must properly implement TLS encryption.
For HTTPS to work, you have to rely on browsers and websites to do their job. But not all browsers properly notify their users about the status of the website, and not all websites secure the traffic between the server and the client. HTTPS also doesn’t guarantee encrypted DNS traffic, though it can be used in protocols to encrypt DNS requests.
So in the end, users have to find a trustworthy browser and rely on thousands of websites to properly implement and renew their certificates.
With a VPN, you rely on a single service to do its job. Of course, not all VPNs are reliable. But not all antiviruses or firewalls are reliable. Not all tools — digital or physical — are reliable. That’s not a case against using tools.
VPN is the easiest way to make sure the traffic between you and your destination online will be encrypted.
HTTPS can’t protect you against phishing
Even when HTTPS is implemented properly, it doesn’t mean the website itself is safe. Sorry — that’s the internet for you.
Around 83% of phishing sites are now HTTPS websites. So if you enter a website, see a padlock, and feel safe, that’s what hackers expect you to feel: a false sense of security. An encrypted phishing attack is still phishing.
Modern VPNs not only provide encrypted tunnels for your data but offer other security functions. They notify users in case their private data appears in a data leak, filter out and prevent users from accessing malicious websites, and some VPNs can even scan for malware and prevent it from being downloaded.
Beyond the web
There is a new frontier of cyber threats — mobile applications.
When you’re browsing the web, you can at least check whether your connection is encrypted. But most of us don’t have the slightest clue how mobile apps are transporting our sensitive data. It may be encrypted, or it may be easily interceptable by hackers.
App creators are encouraged to protect user data, but there’s a way to bypass these recommendations. Some applications take extra steps (such as certificate pinning) to provide a layer of security. Some don’t. Developers can easily opt out — and they do. For example, here are iOS and Android guidelines for developers.
For example, here are iOS and Android guidelines for developers.
So we’re left blind. Our apps are black boxes. You have no way to determine whether your apps are following best cybersecurity practices. Once again, a VPN is the solution since it encrypts all your internet traffic.
A VPN is the mainstream security solution
There is no question that the VPN industry needs change — and we’re working on it. NordVPN has had regular independent audits because we aim to provide the best quality service possible. We’re also a founding member of the VPN Trust Initiative, an organization that aims to establish an industry-wide quality standard for all VPN services.
The internet, as it is, needs commercial VPNs. These services make it easy for every consumer to improve their security. Anyone can add a layer of security and privacy with a single click — even if they have no technical knowledge.
The internet won’t change overnight, Wi-Fi hotspots won’t turn into safe places, apps won’t force encryption everywhere, and people won’t start paying attention to the multiple ways they can improve their state of security. We strongly believe that recommending people to stop using VPNs makes the digital environment less safe.
A VPN remains the easiest way for the average user to protect themselves from online threats.
