You’ve probably seen lots of scary advertisements and articles that say you need to use a VPN to be safer online. Even though you might still feel foggy about what VPNs actually do, you might be wondering if you should get one — but there are so many options to choose from that you’re not sure which, if any, is right for you.

If you’re nodding along, we have great news for you: You probably don’t need a VPN.

All about HTTPS

It used to be easy to listen in to other people’s internet traffic and steal their passwords, credit card information, and personal information when they submitted it to a website or online service. But the internet is a more secure place now: most websites and services now connect using strongly encrypted connections. Most websites now use Hypertext Transfer Protocol Secure (HTTPS), the encrypted version of the original Hypertext Transfer Protocol (HTTP). If you’re connected to a site over an HTTPS connection, you don’t have to worry about an attacker eavesdropping on your connection to that site.

There’s now a strong expectation that responsibly-run websites will require HTTPS to connect to them. Your email, your social media, the online stores where you shop — they’re probably all connected with HTTPS. It’s even a federal standard in the US for government websites!

Here’s how to tell if you’re connected via HTTPS: your web browser will show a little padlock symbol next to the site’s URL.

If the site you’re visiting isn’t using an encrypted connection, you’ll see a “Not Secure” warning instead of a padlock.

When a site isn’t using HTTPS, you shouldn’t enter any personal information on the site. We also don’t recommend browsing unencrypted sites if you’re on an unsecured internet network, because an attacker “upstream” (like your internet service provider or a government) can modify the sites you visit or even insert malicious code.

There’s an important caveat to HTTPS: although HTTPS encrypts your browsing traffic and any information you send to the website, eavesdroppers can still see what domain you’re connecting to. For example, they can see that you’re on Facebook, but not what exactly you’re doing on Facebook or any personal information you’re sharing with Facebook. And of course, the site you’re visiting will have full access to the information you provide to it, so in this example, Facebook will know everything you share with them. Furthermore, if Facebook does a bad job of securing the servers and software that contain your data, HTTPS won’t keep it safe — but neither will a VPN.

When to use VPNs

The prevalence of HTTPS doesn’t mean VPNs are just another scam, although plenty of them are shady. VPNs aren’t very effective for improving your general digital safety and privacy, but they’re still useful. Here’s when VPNs are the right tool for the job:

• To connect to your work’s network or your school’s network so you can access their network resources. In these cases, you’ll probably be using a VPN provided by the organization in question, not a consumer VPN.
• To bypass censorship or to access geographically restricted content.
• If you have to send information to unencrypted sites over a hostile/unknown network, such as hotel or airport wifi.
• If you’re visiting sensitive domains that you want to keep private, such as LGBTQ+ support sites when you’re not out yet.

If you do decide to use a VPN, make sure you use one you can trust: the VPN provider will be able to see all your traffic. Check out Consumer Reports’ review of VPNs for more information about choosing one. If you’re tech savvy, you can build your own VPN based on the modern Wireguard protocol using tools like Algo or Tailscale.

What you can do to stay safer online

Protect yourself against phishing attacks

Rather than eavesdropping, phishing attacks — attacks that use social engineering to trick you into giving attackers your information — are the biggest threat to your personal information. HTTPS makes sure your information gets to the site securely, but it doesn’t make any guarantees about whether the site itself is legitimate.

Here’s how to protect yourself against phishing attacks:

• Use a password manager. We like 1Password (subscription based) and Bitwarden (free or subscription).
• Enable two factor authentication (2FA). If you’re using 2FA, even if someone gets a hold of your password, they can’t access your account. Ideally you’d use a physical security key or an authenticator app like Authy, but if those aren’t supported SMS works too.
• Use HTTPS everywhere. Never enter personal or sensitive information in a non-secure site.
• Keep your devices updated.
• If you ever get an unexpected email or or message that links to a site prompting you to log in with your credentials, share information that’s texted to you, or pay for something, double check its legitimacy, especially if it provokes feelings of stress or urgency.

Learn about modern web tracking techniques

If you’re interested in VPNs because you want to protect your privacy, VPNs aren’t a complete solution — they only obscure your IP address, and modern web tracking no longer relies solely on your IP address to identify you. Instead, third party trackers use what’s known as your digital fingerprint: a set of characteristics shared by your browser that uniquely identify you. To learn more about digital fingerprinting and how you can protect yourself from being tracked online, check out the EFF’s resource Cover Your Tracks.

Conclusion

VPNs are aggressively marketed as a first line of defense for protecting your information and your privacy. But now that HTTPS is used widely, taking proactive steps against phishing attacks and learning about modern web tracking are more effective ways to safeguard your information and your privacy online. When VPNs are the right tool for the job, make sure to choose one that’s trustworthy.

Are you interested in learning more about digital safety? Contact us or sign up for our newsletter below.