
Do you need a VPN in an HTTPS world? Yes, and here’s why

The standard argument goes like this: people do not need to buy VPNs anymore because the internet has become much safer — you can now browse without worrying about online threats. While this argument is usually well-intentioned (and from a certain point of view — correct), it overlooks certain facts about the current state of internet security. There’s more to this story.

Lukas Ramonas

May 06, 2022 · 4 min read

The web has gone through a revolution of security during the last decade. Most top websites now support Hypertext Transfer Protocol Secure, a.k.a. HTTPS, which enables encrypted communication between web browsers and websites.

HTTPS uses TLS encryption to secure the data traveling between you and the website you’re visiting. So if you’re entering a password on a protected website, no third party that’s observing data traffic between you and the website can see it.

And that’s simply amazing.

But the idea that HTTPS and a VPN (virtual private network) are in some rivalry is plain wrong. HTTPS alone is not enough to secure web browsing. VPNs and HTTPS are not competitors — they work together to make everyone safer.


The claim “you don’t need a VPN because most websites are encrypted anyway” is built on shaky ground. It’s like saying you don’t need to lock your front door because most homes are never robbed.

Being careful is not foolish or wasteful — we all take extra steps of caution to minimize our risk. We look both ways before crossing the street even though we have crossed thousands of streets without getting into a car accident.

What HTTPS can’t do

HTTPS solves significant security issues — but it doesn’t solve them all. Let’s look at the key cases where HTTPS protection fails without the extra layer of security provided by a VPN.

HTTPS alone can’t secure your first connection

Sometimes your browser will first access an unencrypted version of the website (HTTP) and only then be directed to an encrypted version (HTTPS). This creates an opportunity for a man-in-the-middle attack. An attacker could intercept your connection while it’s unencrypted and redirect it to a malicious website. Once there, the attacker could use phishing, malware injection, or other attacks to cause more damage.

That’s why along with HTTPS, a website needs to implement a special mechanism called HSTS (HTTP Strict Transport Security).

HSTS informs your browser to never load an unencrypted website. Meaning with HSTS, your browser will only load the HTTPS version of the website, if available. Sounds neat? Only 11% of the top 1 million websites use HSTS at all — and only 2.3% preload it.

That means that 97.7% of the top websites don’t secure your first request. A VPN solves this issue by encrypting all your traffic from the get-go.
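To make the HSTS point concrete, here is an added example (not from the original article) that parses a site's Strict-Transport-Security response header and reports whether it protects a visitor's very first request; the preload thresholds (one-year max-age, includeSubDomains and preload present) follow the public preload list requirements, and the sample headers in the comments are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Minimum max-age the public HSTS preload list requires (one year, in seconds).
ONE_YEAR = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797 syntax).

    Returns None when the header is missing or has no valid max-age, which a
    browser treats as "no HSTS policy" for this host.
    """
    if header is None:
        return None
    max_age = None
    include_sub = preload = False
    for raw in header.split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()            # directive names are case-insensitive
        value = value.strip().strip('"')       # the value may be quoted
        if name == "max-age":
            if not value.isdigit():
                return None                    # a malformed max-age invalidates the policy
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_sub, preload)


def classify(header: Optional[str]) -> str:
    """Say what the header does for a visitor's first request to the site."""
    policy = parse_hsts(header)
    if policy is None:
        return "no-hsts"            # e.g. header absent: first request may go over plain HTTP
    if policy.max_age == 0:
        return "hsts-cleared"       # e.g. "max-age=0": server withdraws an earlier policy
    if policy.preload and policy.include_subdomains and policy.max_age >= ONE_YEAR:
        return "preload-eligible"   # can be shipped inside browsers, covering the first visit
    return "hsts-enforced"          # e.g. "max-age=86400": protects only repeat visits
```

Only the "preload-eligible" outcome closes the window the article describes, because the policy can be built into the browser before the first connection is ever made.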

HTTPS can’t encrypt with a single click

For HTTPS to be truly effective, all parties concerned (browsers, websites, and users) must do their part.

Browsers have to notify their users when they enter an unencrypted website or block access to HTTP entirely. Users must notice and understand the difference between HTTPS and HTTP websites. Finally, websites must properly implement TLS encryption.

For HTTPS to work, you have to rely on browsers and websites to do their job. But not all browsers properly notify their users, and not all websites secure the traffic between the server and the client.

So in the end, users have to find a trustworthy browser and rely on thousands of websites to properly implement and renew their certificates.

With a VPN, you rely on a single service to do its job. Of course, not all VPNs are reliable. But not all antiviruses or firewalls are reliable. Not all tools — digital or physical — are reliable. That's not a case against using tools.

A VPN is the easiest way to make sure the traffic between you and your destination online will be encrypted.

HTTPS can’t protect you against phishing

Even when HTTPS is implemented properly, it doesn’t mean the website itself is safe. Sorry — that’s the internet for you.

Around 83% of phishing sites are now HTTPS websites. So if you enter a website, see a padlock, and feel safe, that’s what hackers expect you to feel: a false sense of security. An encrypted phishing attack is still phishing.

Modern VPNs not only provide encrypted tunnels for your data but offer other security functions. They notify users in case their private data appears in a data leak, filter out and prevent users from accessing malicious websites, and some VPNs can even scan for malware and prevent it from being downloaded.

Beyond the web

There is a new frontier of cyber threats — mobile applications.

When you’re browsing the web, you can at least check whether your connection is encrypted. But most of us don’t have the slightest clue how mobile apps are transporting our sensitive data. It may be encrypted, or it may be easily intercepted by hackers.

App creators are encouraged to protect user data, but there’s a way to bypass these recommendations. Some applications take extra steps (such as certificate pinning) to provide a layer of security. Some don’t. Developers can easily opt out — and they do.

For example, here are iOS and Android guidelines for developers.

So we’re left blind. Our apps are black boxes. You have no way to determine whether your apps are following best cybersecurity practices. Once again, a VPN is the solution since it encrypts all your internet traffic.
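To show how an app can opt out of the platform's transport-security defaults (and how a reviewer would spot it), here is an added example that is not from the original article: it audits an Android Network Security Config file for cleartext-traffic opt-outs and certificate pins. The XML below is constructed, the pin value is a placeholder, and the "block cleartext when nothing is configured" default is an assumption matching Android 9 and later.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample of an app's res/xml/network_security_config.xml.
SAMPLE_CONFIG = """<network-security-config>
  <base-config cleartextTrafficPermitted="true" />
  <domain-config cleartextTrafficPermitted="false">
    <domain includeSubdomains="true">api.example.test</domain>
    <pin-set expiration="2030-01-01">
      <pin digest="SHA-256">PLACEHOLDER_PIN_BASE64=</pin>
    </pin-set>
  </domain-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain>legacy.example.test</domain>
  </domain-config>
</network-security-config>
"""


def _permits_cleartext(elem: ET.Element, inherited: bool) -> bool:
    """Read cleartextTrafficPermitted, falling back to the inherited value."""
    value = elem.get("cleartextTrafficPermitted")
    return inherited if value is None else value.lower() == "true"


def audit(xml_text: str) -> Dict[str, object]:
    """Report the base cleartext policy, per-domain cleartext exceptions and pinned domains."""
    root = ET.fromstring(xml_text)
    base = root.find("base-config")
    # Assumption: with no base-config the platform blocks cleartext (Android 9+ behaviour).
    base_cleartext = _permits_cleartext(base, False) if base is not None else False
    cleartext_domains: List[str] = []
    pinned_domains: List[str] = []
    for dc in root.findall("domain-config"):
        names = [d.text.strip() for d in dc.findall("domain") if d.text]
        # A domain-config without the attribute inherits the base policy.
        if _permits_cleartext(dc, base_cleartext):
            cleartext_domains.extend(names)
        if dc.find("pin-set") is not None:
            pinned_domains.extend(names)
    return {
        "base_cleartext": base_cleartext,
        "cleartext_domains": cleartext_domains,
        "pinned_domains": pinned_domains,
    }
```

In the constructed sample the app pins its API host but still allows plain HTTP everywhere else, which is exactly the kind of opt-out a user cannot see from the outside.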

A VPN is the mainstream security solution

There is no question that the VPN industry needs change — and we’re working on it. NordVPN goes through regular independent audits because we aim to be as transparent as possible. We’re also a founding member of the VPN Trust Initiative — an organization that aims to establish an industry-wide quality standard for all VPN services.

The internet, as it is, needs commercial VPNs. These services make it easy for the average user to improve their security. Anyone can add a layer of security and privacy with a single click — even if they have no technical knowledge.

The internet won’t change overnight, Wi-Fi hotspots won’t turn into safe places, apps won’t force encryption everywhere, and people won’t start paying attention to the multiple ways they can improve their state of security. We strongly believe that recommending people to stop using VPNs makes the digital environment less safe.

A VPN remains the easiest way for the average user to protect themselves from online threats.