
VPN vs HTTPS: Do You Need a VPN When Most Online Traffic Is Encrypted?

True, 95% of internet traffic passing through Google is now encrypted, according to the Google Transparency Report. But this encryption does not mean protection or privacy, at least not in the sense that VPNs provide.

Table of contents

  1. What is encryption?
  2. VPN vs. HTTPS: What's the difference?
  3. What is HTTPS?
  4. What is a VPN?
  5. Business VPN vs personal VPN
  6. When is HTTPS enough and when do I need a VPN?
  7. Summary

What is encryption?

Encryption is a method of using mathematical algorithms to render a communication unintelligible to outsiders and only readable to the intended recipient who has the encryption key.

The encryption has to be strong enough to be effective. Strong encryption is encryption that uses a complex enough algorithm to make it near-impossible to decipher the content of the communication without the correct key.

VPN vs. HTTPS: What's the difference?

Looking at today's encryption-everywhere world, you may ask yourself, “Why do I need a VPN?” “Is a VPN necessary?” Well, it depends. Both HTTPS and VPNs have encryption at their core, but otherwise they are vastly different things built for very different purposes.

What is HTTPS?

HTTPS (hyper-text transfer protocol secure) is an internet protocol for communication between your browser and internet servers that includes end-to-end encryption. When people say 95% of internet traffic is encrypted, they speak about HTTPS.

The cryptographic protocol that HTTPS uses is called TLS (transport layer security), a replacement for SSL. Despite the name, it does not necessarily mean that the encryption occurs on the transport layer; in practice, it is in the layers “above” it.

Also classified as an in-transit type of encryption, the purpose of HTTPS is to protect the content of communication between the sender and recipient. This ensures that anyone “listening in” on the communication will not be able to pick out usernames, passwords, banking information, or other sensitive data.

However, because this encryption occurs only between your internet browser and the server, it does not encrypt other data that can be used to trace your behavior on the internet and identify you as a target. This data includes:

  • your IP address,
  • your physical location (country, city),
  • the browser and operating system you are using,
  • the sites you visit.

All this information can be seen and monitored by your ISP, government, or another entity, and misused by corporations or attackers.

A typical example is the man-in-the-middle attack, during which attackers lurking, for instance, on an unsecured Wi-Fi network impersonate a server you are trying to reach. They then relay your communication to and from the server, encrypting and decrypting it each time, which, because they have the decryption key, gives them access to every piece of information you send.

This is a common way of stealing access credentials or credit card information, and is enabled by the fact that the victim is visible to the attacker.

Fig. 1 – Principle of man-in-the-middle attacks

What is a VPN?

A VPN, or virtual private network, encapsulates packets in a private channel set up between devices or entire network segments. Common protocols used by VPNs include OpenVPN, IKEv2, or IPsec.

The primary purpose of a VPN has always been to ensure data privacy and security through the use of encryption. However, unlike HTTPS, VPNs create a private encrypted tunnel before they send data through the internet. This encrypts not only the content of the communication but also the identity of the sender and receiver, as well as other information that gives away your behavior or details of the device you are using.

When extended to the IP address, this is called IP address obfuscation, a mechanism that conceals your online identity even on unsecured public networks, such as airport or hotel Wi-Fi.

It’s worth emphasizing that, unlike HTTPS, if you are using a professional VPN service such as GoodAccess, it encrypts all data exchanges your device participates in as long as the VPN is on. This includes all communications that all your applications (not just your internet browser) make with all their corresponding servers. If you want to dig deeper, check out our blog on business cloud VPN to learn more.

Fig. 2 – Anatomy of a VPN

Business VPN vs personal VPN

A business VPN and a personal VPN are fundamentally the same technology that fulfills the same core purpose of ensuring online privacy and security. However, they are intended for different use cases and outfitted with different feature sets.

The main function of a personal VPN is to conceal the user’s activity to:

  • escape corporate or governmental surveillance,
  • bypass censorship restrictions,
  • ensure data security while browsing on public Wi-Fi.

On the other hand, business VPNs cater to the needs of companies, which may share the same need for data privacy, but on top of that require secure remote access to business systems for remote branches or employees working from home, complete with access controls and other security and quality-of-life features. In addition, they need to enforce company security policies and comply with legal requirements (GDPR, SOC2, HIPAA).

This is why business VPNs will feature functionalities like:

| HTTPS | VPN |
| --- | --- |
| Widespread and requiring no configuration by the user | Needs special deployment |
| Protects data in transit | Conceals in-transit information, user identity, and online behavior |
| Needs to be enabled on the server | Always encrypts all traffic as long as switched on |
| Encrypts browser-server exchanges | Encrypts all inbound and outbound traffic |
| No access management as such (handled by individual application providers) | Uses identity-based access management |
| An ISP-assigned address (static or dynamic) and often shared | Unique and private static IP address |

Tab. 1 - Difference between VPN vs HTTPS explained

When is HTTPS enough and when do I need a VPN?

First and foremost, no data exchange on the internet is implicitly safe, and best practice is always using every security measure you can get. However, depending on who you are and your needs and responsibilities, some measures may be overkill.

HTTPS is enough when:

  • You’re browsing the internet at home or on a secured network.
  • You aren’t entering any sensitive information while on a network you don’t trust.

VPN is better than HTTPS when:

  • You need to access internal business systems remotely.
  • You need access for remote or contracted workforce.
  • You need to secure access to online and cloud resources.
  • You need to comply with data protection laws.
  • You need a unique static IP address to assign to your users and use for allowlisting.

Summary

So, do you need a VPN when using HTTPS? In short, a VPN is a more robust solution that secures all connections, not just browser-server exchanges. While a fully-fledged business VPN is arguably unnecessary for an individual home user, companies will find that their data protection needs align very closely with what VPNs provide.

If you are wondering where to get a VPN, give GoodAccess a try. Just create a free account and take your personal test drive.
