ProtonBlog(new window)
best vpn service

How to choose the best VPN service

Share this page

As the world’s largest encrypted email provider(new window), people have frequently asked us what is the best VPN service. In this article, we discuss what to be aware of when choosing a VPN service, and our recommended VPN security requirements.

What is a VPN?

A Virtual Private Network (VPN) is a tool to secure your internet connection by masking your device’s IP address and encrypting your traffic. When your computer connects to a VPN, all your online activity passes through the Virtual Private Network, which in theory can shield you from surveillance or prevent your identity from being revealed.

Why use a VPN?

The primary use cases for a VPN service are the following:

  • Prevent your internet browsing from being monitored
  • Bypass censorship – VPNs allow you to access content that might be blocked in your country by the government or the content provider
  • Provide higher connection security when connecting to the internet from insecure locations (public wifi hotspot for example)

Whether or not a VPN service can actually accomplish this however depends significantly on the service in question. In fact, the vast majority of VPN services suffer from one or more security problems, which is why great care must be taken when selecting the best VPN service.

VPN Security Problems

About a year ago, we started to analyze VPN services more deeply in response from user inquiries. As we dug deeper however, we found numerous security and privacy flaws with most existing VPN services. This actually was the impetus that drove us to start working on VPN (more about this later). Below is a summary of the main VPN security issues.

VPN Security Vulnerabilities

  • Using pre-shared keys – A number of mainstream commercial VPNs have their preshared keys (PSKs) posted online; these include PureVPN and IPVPN(new window) . If an attacker knows the PSKs for a VPN service and has access to the network a user is using, the attacker can stage a man in the middle attack and decrypt all of the user’s traffic.
  • Insecure protocols and encryption – Many VPN services use PPTP protocol as a basic way to tunnel and encapsulate data packets. However, PPTP is fundamentally insecure due to using short length encryption keys and password hashes that can be easily cracked by a well resourced state actor. L2TP/IPSec is another popular VPN protocol. However, the NSA has already succeeded in tampering with it(new window). Furthermore, many VPN services which use more secure protocols such as OpenVPN remain vulnerable because of the use of insecure ciphers.
  • No Forward Secrecy – Most VPN services do not require use of Perfect Forward Secrecy ciphers, so VPN network traffic can be saved, and decrypted later if the encryption keys or algorithms are compromised.
  • DNS Leakage – Whenever a web connection is made, a computer will first translate a domain name into an IP address. This lookup is done via DNS servers. Thus, DNS lookup records(new window) also contain a log of all websites visited. While VPN services usually will protect web traffic, many do not protect DNS lookups, meaning that user’s browsing history can still be reconstructed from DNS lookups.
NSA PPTP IPSec(new window)
Leaked NSA files showing PPTP and IPSec VPN compromises.

Methods of VPN Compromise

Even if a VPN service is not vulnerable to the internal problems listed above, they can still be compromised externally. Common problems that can lead to a VPN service being compromised include the following:

  • Jurisdiction – VPN providers are subject to the laws of the country that they operate in, and these laws (like the Investigatory Powers Act(new window) in the UK and the Foreign Intelligence Surveillance Act in the US) can force VPN providers to compromise their users. This means VPN providers with significant US and UK presence are compromised by default. These include HideMyAss (UK), VyperVPN (operated from the US), Strong VPN (US), HotSpot Shield (US), IP Vanish (US) and many others.
  • Compromised servers – VPN providers cannot maintain physical control and supervision over all servers, especially servers in countries that are not privacy friendly. This creates opportunities for state actors to compromise VPN exit servers, sometimes with the collusion (forced or not) of the companies providing servers to VPN operators. In a typical VPN setup, compromise of the exit server completely compromises the browsing activity of VPN users.
  • Correlation Attacks – Even if the exit server itself is not compromised, network based correlation attacks can still compromise a user. By seeing who is connecting to an VPN exit server at a given instant, and what sites the VPN exit server is connecting to, a user’s browsing can be reconstructed. Such an attack is easily within reach of most state actors as they can request assistance from ISPs.

What is the best VPN service?

It is clear that it’s not easy to build a VPN service that adequately protects users. In particular, some of the methods of VPN compromise are extremely difficult to defend against. Proton Mail’s mission has always been to protect freedom online, and to provide security and privacy to everyone. Today we protect diverse groups ranging from journalists and activists, to business professionals.

Having a secure VPN is an important part of this, which is why we are also developing Proton VPN(new window). With the Proton VPN project, we hope to bring to the public a secure and trustworthy free VPN service(new window) which addresses many of the security shortcomings which impact existing VPN services.

We believe that Proton VPN is able to meet a much higher standard for VPN security(new window), and the only VPN service which properly addresses all the shortfalls mentioned above. Most importantly, it meets the important conditions for VPN trust(new window).

Is it safe to use a VPN service?

If privacy is your only objective, the best VPN actually isn’t a VPN at all, but a free software known as Tor. Proton Mail has actually recently rolled out improved support for encrypted email with Tor(new window) through our new onion site. While Tor does provide a great deal of anonymity and security, there are still many reasons why you might still want to use a VPN service.

For one, Tor’s privacy comes at the cost of performance, and Tor is notoriously slow compared to the best VPN services out there. Furthermore, Tor is now increasingly being targeted by state actors(new window), so a trusted VPN service could be safer. VPN also has strong use cases for bypassing censorship and content blocks, or for obtaining better security from insecure locations like public wifi hotspots.

Thus, VPN remains an important security and privacy tool, just make sure that you properly understand what VPNs can and can’t protect against(new window).

Protect your privacy with Proton
Create a free account

Share this page

Proton Team(new window)

We are scientists, engineers, and specialists from around the world drawn together by a shared vision of protecting freedom and privacy online. Proton was born out of a desire to build an internet that puts people before profits, and we're working to create a world where everyone is in control of their digital lives.

Related articles

Apple’s marketing team has built a powerful association between the iPhone and privacy. The company’s ad campaigns claim that “what happens on your iPhone, stays on your iPhone.” And, “Privacy. That’s iPhone.” But Apple’s lawyers are telling a diffe
A cyberattack on national public employment service France Travail has exposed the personal data of as many as 43 million people.  The latest breach is the second major cybersecurity attack to happen in France in the past month, raising concerns abo
If I share a folder in Google Drive, can anybody see my other folders
Google Drive makes it easy to share files and folders, but you may have wondered at some point whether the people you’ve shared a folder with can see your other folders. We answer this question below and also share some tips for truly secure link sha
In 2014, Proton Mail was introduced as a web app, revolutionizing how we think about email privacy. Today, we’re excited to broaden the horizons of secure communication by launching the Proton Mail desktop app. Anyone can now use the new Proton Mail
what is a digital footprint
What you do online isn’t private. Everything you do leaves behind some kind of mark. This trail is often referred to as a digital footprint, and it’s used to track you in many different ways. In this article, we go over what a digital footprint is, h
In February 2024, media reported that Indian authorities may decide to block Proton Mail. Proton Mail is still available in India despite any reports suggesting otherwise.  In response to hoax bomb threats that were sent through Proton Mail, some me