When I write a blog post, I usually look for an image that goes well with the article. My go-to website is Pixabay. It has a large collection of images, and I try to contribute my own whenever I can. What I like about Pixabay is that most, if not all, images are CC-0, meaning I can use them however I see fit.
This year, the coworking space where I spend most of my day upgraded their internet service. In the email, they bragged that the new ISP uses state-of-the-art security. Great, but something seemed off to me. With the new ISP, I could no longer access Pixabay. The rest of the internet worked just fine, but not Pixabay. When I tested the website on my phone, it didn't load either. I turned off the wifi on my phone and tried again. Lo and behold! It worked.
For some reason, the state-of-the-art service had blocked it. I contacted the service desk team, and after a long back-and-forth, the website was reinstated. But I had one question: why were they blocking this website in the first place? It didn't take long before I noticed that Copilot was no longer offering suggestions in my IDE. To debug this, I connected my computer to my hotspot, and Copilot started working immediately. Examining the logs, I found the API being called by Copilot, and when I opened it, it showed that the domain was blocked.
The service desk would whitelist one website, and then Pixabay would fail again. They'd reinstate Pixabay, then I'd discover another website I used was also blocked. Their state-of-the-art service automatically blocked websites.
I asked other tenants in the coworking space, and they told me that several of the websites they access had stopped working as well. The management at this coworking space asked us to provide a list of websites we wanted unblocked so they could whitelist them all. Here's the thing though: the websites we visit are none of their business. We pay to use the space and the internet, not access to some specific websites. Snooping on the websites I visit is a violation of my privacy.

Coworking - Pixabay
Almost overnight, everyone started using their own hotspot, and a new issue popped up. The internet became extremely slow in the building. Having hundreds of people all broadcasting their own wifi in a constrained space quickly introduced wifi congestion.
The solution was obvious. I could either go back to using the restricted internet or sign up for a VPN. Now, I use a wired connection and Mozilla's VPN. Why Mozilla? Well, because multiple VPN websites are also blocked by the ISP, but Mozilla was the one that worked. It somehow got past the ISP's threat detection.
But speaking of trust, how is the network able to block access to some websites in the first place? All the websites I visit are served over HTTPS, meaning the connection is encrypted with SSL/TLS. The whole point of a secure connection is that no one in between should be able to see or monitor which websites I'm accessing.
When you enter a website address (URL) into your browser, your computer sends a request to a DNS server to translate that address into an IP address:
google.com -> 142.250.176.14
This IP address is then used to reach the web server hosting the website, a TLS (SSL) handshake establishes a secure connection, and from then on the data exchanged is encrypted. This means no one in between can read the data sent between me and the website I'm accessing. However, the request to the DNS server is sent in plaintext. I assumed this was how the coworking space's ISP was able to identify which website I was accessing and block it.
So I switched to DoH, DNS over HTTPS. In most browsers, it's a simple checkbox in the settings. With DoH, your browser sends its DNS query to a DoH-compatible resolver. The query is encrypted and sent over HTTPS, making it indistinguishable from regular web traffic. The resolver decrypts the query, looks up the IP address, and sends the encrypted response back. Your browser decrypts the response and connects to the website. The entire process is supposed to be invisible to the ISP, yet Pixabay remained blocked.
Modern networks use Server Name Indication (SNI) to block HTTPS websites. SNI is a field in the TLS ClientHello, the very first message of the handshake, that tells the server which website's certificate to present. It is sent in cleartext before any encryption begins, so network monitors can read it. This is likely how my coworking space was able to block sites despite my use of DoH: they could see the SNI and drop the connection before the secure handshake was completed.
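As an added illustration (not code from the original post), the Python below builds a constructed TLS ClientHello record and shows the host name that any device on the path can read from it before encryption starts. The host names and the block list are made-up sample values.

```python
import struct
from typing import Optional

def _vec(data: bytes, len_bytes: int) -> bytes:
    """Length-prefixed vector, the way TLS encodes variable-length fields."""
    return len(data).to_bytes(len_bytes, "big") + data

def build_client_hello(hostname: Optional[str]) -> bytes:
    """Minimal ClientHello record (constructed sample, not captured traffic).
    hostname=None omits the server_name extension entirely."""
    extensions = b""
    if hostname is not None:
        # server_name extension (type 0): ServerNameList with one host_name entry
        entry = b"\x00" + _vec(hostname.encode("ascii"), 2)   # name_type 0 = host_name
        server_name_list = _vec(entry, 2)
        extensions += struct.pack("!HH", 0x0000, len(server_name_list)) + server_name_list
    body = (
        b"\x03\x03"             # legacy client_version (TLS 1.2)
        + b"\x00" * 32          # random, zeroed for the sample
        + _vec(b"", 1)          # empty session_id
        + _vec(b"\x13\x01", 2)  # one cipher suite, TLS_AES_128_GCM_SHA256
        + _vec(b"\x00", 1)      # compression_methods: null only
        + _vec(extensions, 2)
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # type 1 = client_hello
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake  # Handshake record

def extract_sni(record: bytes) -> Optional[str]:
    """Return the host name carried in the server_name extension, or None.
    Every byte read here is cleartext on the wire, DoH or not."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None                        # not a Handshake record / not a ClientHello
    pos = 9 + 2 + 32                       # record + handshake headers, version, random
    pos += 1 + record[pos]                 # skip session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # skip cipher_suites
    pos += 1 + record[pos]                 # skip compression_methods
    if pos + 2 > len(record):
        return None                        # no extensions block present
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        if ext_type == 0x0000 and len(data) >= 5 and data[2] == 0x00:
            name_len = struct.unpack("!H", data[3:5])[0]   # list_len(2), type(1), name_len(2)
            return data[5:5 + name_len].decode("ascii", errors="replace")
        pos += 4 + ext_len
    return None

def gateway_verdict(record: bytes, blocklist: set) -> str:
    """What a filtering gateway can decide from the ClientHello alone."""
    return "block" if extract_sni(record) in blocklist else "allow"
```

Running `gateway_verdict(build_client_hello("pixabay.com"), {"pixabay.com"})` returns "block" without a single byte of the connection having been decrypted, which is why DoH alone did not help.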
But with a VPN connection, all internet traffic is encrypted and then tunneled through the VPN service. This includes both the DNS query and the SNI. In my case, when I enter pixabay.com, the DNS query is encrypted and tunneled to the VPN server, which then sends it on to a DNS resolver on my behalf. This hides the DNS query, and the SNI of the connection that follows, from the ISP and the local network.
The only thing the coworking space network sees is that I have connected to a VPN. All traffic is invisible to them, and I can access my beloved Pixabay. Now, why would I say I don't trust VPNs when I just showed you how they resolved my problem? That's because the privacy they offer comes with a few asterisks.
The main selling point of VPNs is privacy. Your ISP cannot see the websites you are visiting, the website you are visiting cannot see your real IP address, and others on your network cannot see what you are doing. This is a good spot to introduce today's sponsor, without which this blog post wouldn't be possible: NordVPN!
NordVPN is perfectly suited for the busy professional traveling and using public wifi networks...
Just kidding! There are no sponsored posts on this blog, but you've probably heard about VPNs via your favorite YouTuber or podcast at this point. This is great, but VPNs do not make you anonymous as advertised.
For example, whenever you access Reddit while on the VPN, you'll be presented with a page that asks you to log in with your account first before you can access it. When you use VPNs to unlock streaming content from other regions, you are still using your own account to do so. Lastly, the VPN service does see your traffic.
VPNs are subject to the same laws that ISPs have to abide by. This means they can be compelled to hand over data by law enforcement. Of course, depending on the jurisdiction, this can vary widely. You'd have to hope that your VPN is located in a country with strong privacy laws.
It's always better if the VPN service has a no-log policy, meaning they don't store any data about your activity: no IP addresses, browsing history, or connection timestamps. However, VPNs can make this claim without it being true. PureVPN claimed not to log user activity, yet in 2017, they assisted the FBI by providing logs in a cyberstalking case.
VPNs use known IP addresses that can be banned. It's easy enough to detect if an IP address is from a VPN, and as a result, websites can ban those IPs.
All this is to say that VPNs have their use. In my case, they helped me access a website and services I use frequently. VPNs are useful tools for bypassing local network restrictions, avoiding ISP monitoring, and accessing geo-blocked content. They're not tools for complete anonymity. Full privacy should not be expected from them.
I can make my internet traffic invisible to my ISP. But I can't make it invisible to everyone. That's a good use case, but that's not what is advertised.