Not everyone wants a VPN so they can keep their online activity private. Many simply want to circumvent regional blocks and watch HBO Max in the UK, or a movie on Netflix US that’s not available in other countries.
However, when you do use a VPN - which stands for Virtual Private Network - you’d rightly assume that your data is encrypted – regardless of what you’re doing. But that isn’t always the case, as I’ll explain.
Almost every VPN service offers extensions for web browsers including Chrome, Firefox and Microsoft Edge in addition to apps for Windows, Android, macOS and iOS.
When you use a browser add-on like this, the protection applies just to your activity in web browser and not to other apps on your device. This is convenient if you want to make sure the full speed of your internet connection is available for downloads, and to avoid any problems with other apps that may not work properly if they’re forced to use a VPN connection.
But the way these extensions are marketed – in both their name and descriptions – makes it seem like they’re just another 'app' for using the VPN service.
Look in the Chrome Web Store, for example, and you’ll see extensions calling themselves “Free VPN Extension” and “Secure, unlimited VPN”. Read their descriptions and things are just as misleading.
“Ultra security, privacy and anonymity”, reads one while another claims to “guard you against fraud and hackers.. and secure your personal data”. Yet another reads “Secure your browser activity with military grade encryption while using public wifi hotspots, company network or school network.”
What’s the big problem? It’s this: none of these extensions are actually VPNs. They’re proxies.
A proxy server is similar to a VPN in that it changes your IP address and can make it appear to a website, Netflix or any other web service, that you’re located in a completely different place to your real location.
A VPN does this too, but a proxy does not create an encrypted tunnel like a VPN does. And this means your ISP (and anyone else with a keen interest in snooping on you) could still see which websites you’re visiting, any files you’re downloading, and possibly sensitive information you send via email or other unencrypted messaging services.
That’s because, although HTTPS is used for many websites (which means the data is encrypted), it is not used for all. Also, when you visit a website it's address (such as www.techadvisor.com) has to be 'resolved' to an IP address so your browser can display that web page.
This process is called a DNS lookup, and it's not always encrypted when you use a proxy. So when the information isn't encrypted, it's sent to a DNS server in plain text, and this reveals which sites you’re visiting to whomever has access to that server.
It is possible to encrypt DNS lookups over HTTPS, but no VPN browser extension description (that I've seen) explains whether that happens or not with that particular add-on. The point is, this stuff is too complicated for most people to understand and even if you're something of a security expert, it's unclear what most VPN browser extensions are actually doing.
You can read more about proxy services if you’re interested.
Many VPN services use careful wording in their browser extensions so they don’t actually claim to encrypt your internet connection. Instead, they talk about ‘HTTPS everywhere’ as well as listing the features available in the associated VPN service, but without making it clear that some (such as encryption of all data) don’t apply to the browser extension you’re about to install.
Not all VPN services are as bad as others, but unless you’re already clued up about proxies, they’re all misleading to one degree or another. I’ve yet to see a single extension that spells it out to unsuspecting users that a ‘VPN proxy’ is not actually a VPN connection and that it does not protect you in the same way.
Take ZenMate’s description, for example. “The ZenMate free VPN browser extension uses strong encryption to secure all your traffic and hides your real IP address so you can access any blocked website, protect your data and surf the internet anonymously without a data limit.“
Clearly misleading. In fact, even a VPN won’t make you anonymous, let alone a proxy.
NordVPN is naughty, too, not mentioning that its extension is a proxy anywhere and claiming that it uses "Military-grade encryption [which] instantly protects you with in one-click".
ExpressVPN is much better, calling it a proxy and more clearly explaining in the description what the extension does. However, the extension isn't a proxy at all: it controls the ExpressVPN desktop app and does provide an encrypted VPN connection - it's the same as connecting to a server in the app. That makes the extension a bit redundant, in my mind, but it might just be a nice shortcut if you're already browsing and don't want to fire up the app.
But rather than simply write this article as a warning, I’ve also contacted all the companies featured in Tech Advisor’s best VPN services roundups to ask them to edit the name and description of the extensions they offer to make it clear that these are mere proxy services and not VPNs.
When VPN is part of the company name, including this in the extension’s name is unavoidable. For others, the VPN acronym shouldn’t be used at all.
When is it safe to use a proxy?
If you just want to unblock YouTube, Netflix or a website that you can’t access because it’s blocked in your region, a proxy is fine.
However, if visiting a blocked website could land you in trouble with the authorities, a proxy isn’t going to cut it: you need to use a VPN. And preferably a top-notch VPN that takes security and privacy seriously, not just any old VPN.