1

I've watched several videos comparing proxies and VPNs, and I still have some questions about their differences. As far as I know, a VPN creates a secure tunnel with the client using a protocol (OpenVPN, IPsec, etc.), through which data is transmitted in both directions. As many people say, the main difference between a proxy and a VPN in a web browser is the security of data transmission. But I also found out that proxies can use the HTTPS protocol to transfer data to the client. So the question is: what, then, is the main difference between using a proxy with the HTTPS protocol and a regular VPN for web surfing, if the data coming from the client to their servers will be protected in any case, and encryption of requests outside the VPN servers and proxy servers will not occur in any case? Or does a VPN still use encryption when making requests from the server to the target web resource and back?

2 Answers

3

So a modern VPN tunnel exists at the interface level, and it protects all connections coming out of that interface. The entirety of those connections is encrypted, until the traffic leaves the VPN network at its remote endpoint.

With HTTPS, each connection contains both encrypted and unencrypted data. It's not possible to connect to a server using 100% encrypted data, so stuff like the IP and port, application (HTTP/FTP/etc.), SNI header, and hostname header must be unencrypted so that your traffic can reach the destination, and the destination knows what to do with it. That means that entities on the path between you and the remote server (like your ISP) can observe what site you are going to, when you went there, how much data was transferred, etc. The only thing they can't tell is exactly what data you exchanged with that site. HTTPS may also be subject to certificate substitution attacks.

With the VPN, the only connection your ISP sees is the connection between you and the VPN service. All the connections passing through the VPN are fully encrypted from the ISP's perspective, so they cannot tell who you contacted, what app you are using, or really anything else about the connection except the amount of data that all of your connections are using at any given time.

Note that you can combine VPN, HTTPS, and Proxies for additional protection.

Hope that helps.

3
  • As far as the VPN is concerned, you have to differentiate between transport and tunnel mode. In transport mode just the payload of any packets is encrypted, but the packet headers (TCP/IP or UDP/IP) remain in cleartext. However, in tunnel mode UDP packets carrying the actual traffic as payload are exchanged between the VPN client and the VPN gateway, and since that is encrypted, neither its headers nor its actual payload can be seen by normal means.
    – Robidu
    Commented Dec 7, 2023 at 16:34
  • @Robidu: Transport mode only exists within IPsec, as far as I know, and there it doesn't really constitute a VPN because there is no inner IP header; it's a direct host-host link (although outside observers can't really distinguish the two). Saying that something which doesn't exist "is not encrypted" is misleading at best. At the same time, the entire IP payload (including TCP or UDP header) is encrypted even in transport mode. Commented Dec 7, 2023 at 20:36
  • @u1686_grawity O.k., point taken. Somehow I remembered that part wrong so thanks for pointing that out.
    – Robidu
    Commented Dec 8, 2023 at 2:35
0

To give a relatively complete answer:

  • While HTTPS encrypts the data, the visited domain name is sent in clear text to select the SSL certificate used. See "Why do HTTPS requests include the host name in clear text?" @ Stack Exchange Information Security.
  • A SOCKS (or HTTPS) proxy may obfuscate your IP address, but it can also keep logs of the visited websites and viewed pages, modify the downloaded contents, pass your IP to the visited sites using an HTTP header, and more. You need to have absolute confidence in the proxy used and its security.
  • A VPN can log the visited domain and the DNS queries, but it works at the network level (TCP and UDP protocols). It can't log visited pages. It can use Deep Packet Inspection to inspect your traffic. A VPN works for any type of outgoing connection (HTTP, IRC, Usenet, Skype, Teams, ...). It encrypts all traffic and prevents spying on the contents between your computer and the VPN server. It also obfuscates your identity by the sheer number of users sharing a VPN server. Know that most commercial VPNs keep usage logs for authorities in case of illegal use. A VPN is not a warranty of complete privacy. For complete surf privacy, one needs a bare-bones browser without JavaScript and to use a privacy-oriented network like TOR (The Onion Router).
