Update time: 2021-07-19 04:47
We scoured articles, white papers, customer reviews, and forums to compile the pros and cons of various VPN services, different VPN protocols and encryption technologies, and signals indicating transparency, trustworthiness, and security.
We interviewed Electronic Frontier Foundation director of cybersecurity Eva Galperin about limitations of VPNs and tips for selecting the appropriate VPN based on individual circumstances. We spoke with Trail of Bits co-founder and CEO Dan Guido about the security challenges inherent in VPNs and the limitations of security audits and reports. We got answers from Joseph Jerome, then the policy counsel for the Center for Democracy & Technology’s privacy and data project, about how accountable VPNs were for their business models, privacy practices, security protocols, and protections, and how that related to trustworthiness. We discussed what to look for—and avoid—in VPNs with security researcher Kenneth White, co-director of the Open Crypto Audit Project, and with cryptographer and Johns Hopkins University professor Matthew Green.
We interviewed the leadership of three top-performing VPN services about their operational security and internal standards, participating in phone calls with TunnelBear CEO and co-founder Ryan Dochuk and IVPN CEO Nick Pestell, and exchanging emails with Mullvad CEO Jan Jonsson.
As a tech reporter, I’ve covered privacy and security for Wired, Vice, BreakerMag, The Intercept, Slate/Future Tense, Ars Technica, and more. I’ve co-hosted cryptoparties in Phoenix to teach people how to be more secure online. I’ve co-organized events, taught workshops, and spoken on panels about digital security and source protection. I’ve written curricula for TrollBusters, a just-in-time rescue service for women writers and journalists who are experiencing online harassment. I collaborated with the EFF on its Street-Level Surveillance project. I’ve long been skeptical of the security and privacy claims VPN companies make, and I’ve advocated for third-party security audits and other signals of trust.
This guide builds on work by Wirecutter editor Mark Smirniotis, including feedback from the information security team at The New York Times, which at the time included Runa Sandvik, Bill McKinley, David Templeton, James Pettit, and Neena Kapur. They all provided feedback on a wide range of issues, from technical concerns to provider transparency.
We focused on virtual private networks, or VPNs, as an option for people who are hoping to add a layer of privacy or security to their web browsing. Using a VPN can stop your computer or mobile device from revealing your IP address to websites, services, and the rest of the internet when you connect. One reason to protect your IP address is that it can give away your location. Anyone can plug in an IP address at various websites to find your rough location, usually your city, state, and country. While some IP addresses are only loosely connected to a specific geographic location, those associated with Wi-Fi hotspots are much more precise. Commercial outfits such as Skyhook have used hotspot scanning and app partners to amass large databases correlating IP addresses with hotspot locations, and companies can turn to these services to determine your exact location.
VPNs work by routing your web traffic through a secure, encrypted connection to the VPN’s server so that those other parties see the VPN’s IP address, not the one connected to your home or office, or to the coffee shop, airport, or hotel you happen to be in. Using a VPN can also stop your internet service provider from recording your online activities; in 2017, President Donald Trump signed a law repealing internet privacy rules passed by the FCC, allowing ISPs to record all of your traffic, insert ads, track you in a variety of ways, and sell that data to third parties. Although the VPN provider can see what you’re doing, your traffic mixes with that of other people using the same VPN. See our article “What Is a VPN and What Can (and Can’t) It Do?” for more information on how VPNs work and whether you need one.
And it’s not just about ISP behavior: Your IP address is typically recorded by the websites you visit and is usually attached in emails you send, becoming exposed to your email’s recipient. Even loading images embedded in emails you receive can reveal your IP address to wherever the images are loading from.
IP addresses can pinpoint your places of work, too. For example, a court document indicates that a New York Times reporter accidentally tipped off a company to a major investigation by visiting its website too often. You don’t have to be a journalist to sometimes want to keep your place of business private from the site you’re visiting.
Illustration: Sarah MacReading
But standard VPN services may not be enough in some instances. Human-rights activists, journalists, people hoping to use VPNs in oppressive regimes, or people who are likely to be individually targeted by nation-state actors may need to take steps beyond using a commercial VPN; in these cases, it’s worthwhile to consult a digital-security specialist such as Access Now before signing up for one of our picks.
Although it’s impossible for people outside a VPN provider to know the ins and outs of the company, there are certain indicators that suggest a provider is more trustworthy, which we have attempted to lay out in this guide.
Before choosing a VPN, it’s important to be clear about what you need it to do. Some of the reasons you may want to use a VPN might be better addressed through other tools or methods that are potentially more effective. Look at it this way: If you have a drafty house with paper-thin walls and halogen light bulbs, you’d get far more value out of every dollar by sealing up cracks, insulating, and switching to LEDs than you would by putting solar panels on your roof. If you’re looking to improve your privacy and security, you should make sure to address other areas of vulnerability before signing up for a VPN.
For further advice, see our guide to security layers and good habits. We also like the Electronic Frontier Foundation’s guide to surveillance self-defense.
One of the main reasons people want to use VPNs is to geoshift: making a website or web-based service such as Netflix think that you’re connecting from, say, the United States instead of Germany to access videos or other content with geographic restrictions. But the biggest sites often block connections from VPNs, making geoshifting like this unreliable. We tested each of our candidates for the ability to access content in different countries—and based on the results, we don’t recommend that people expect them to work for that purpose.
Because VPNs see all of the traffic you are hoping to protect, one of the most important qualities of a good VPN is trustworthiness, while the second most important is security. Unfortunately, these are also the most difficult qualities to ascertain. In recent years, VPNs have begun hiring independent firms to conduct security audits to back up their security or privacy claims and have been sharing the results publicly.
All of your internet activity will flow through the servers of the company whose VPN you use, so you’ll need to trust it more than you trust the network you’re hoping to secure, whether that’s airport Wi-Fi, a hotel internet connection, your corporate IT network, or your home ISP. “That last mile between you and your ISP is extremely treacherous,” said Dan Guido, CEO of Trail of Bits. In the past, executives traveling overseas have been attacked with malware served through unsecured hotel Wi-Fi, and ISPs have hijacked and rerouted customer search queries, injected targeted ads based on browsing history, and injected supercookies to track mobile customers. In-flight broadband providers have been caught issuing fake HTTPS certificates.
The FTC announced in 2019 that it was seeking information about different broadband providers’ privacy practices. “There is this widespread suspicion that broadband providers aren’t being forthright with how they use your data,” Guido said. A look through broadband providers’ terms of service reveals that they typically include a lot of privacy opt-outs for information collected by default and being provided to third parties.
So there are reasons to trust some VPN providers over some ISPs, or to seek protection in the form of a VPN.
But not all VPNs are an improvement, as more than a few VPN providers have been caught lying about policies in the past or sharing data with third parties, and many VPN services have had poor configurations that leaked the very data they were being paid to secure. “A lot of times VPNs that promise you privacy and security don’t deliver because they’re lying,” said Eva Galperin, director of cybersecurity at the EFF. “A lot of VPNs that say, ‘We will protect your privacy, we won’t log, we won’t comply with a subpoena,’ that kind of thing, turn out to be full of lies. That is a very serious problem because it’s really hard to evaluate for.”
In fact, there are so many stories about VPNs not being true to their claims that we can list only a sample:
In 2016, one study (PDF) found a mix of VPNs that had embedded third-party tracking and insecure implementations. Another project found that 90% of the VPNs it tested used insecure or outdated encryption.
In May 2019, the director of the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warned that foreign adversaries were interested in exploiting VPN services (PDF).
In early 2019, more than half of the top 20 free VPNs in the App Store and the Google Play store were owned by or based in China, a country where VPN services are banned.
There have been multiple instances of individual VPNs being caught or accused with evidence of violating their own privacy policies or sharing customer data, including claims against EarthVPN, Facebook’s Onavo, HideMyAss, Hola VPN, Hotspot Shield (PDF), IPVanish, and PureVPN.
On the other side, there are some VPNs whose no-logging cases have been proven in court:
ExpressVPN was unable to provide logs to Turkish authorities, who raided the data center and took the company’s Turkey server but found no logs or customer data.
PIA’s no-log claims were verified in both a 2016 investigation (Scribd subscription required to view the link) and a 2018 court case.
Perfect Privacy stated on its blog that authorities in Rotterdam, Netherlands, seized one of its servers to try to obtain customer data but were unable to do so.
Knowing who is behind your VPN is a big step toward trusting them. Some VPNs offer great service or pricing but little to no insight into who exactly is handling them. We considered feedback from security experts, including the information security team at The New York Times, about whether you could trust even the most appealing VPN if the company wasn’t willing to disclose who stood behind it. We decided we’d rather give up other positives—such as faster speed or extra convenience features—if it meant knowing who led or owned the company providing our connections. Given the explosion of companies offering VPN services and the trivial nature of setting one up as a scam, having a public-facing leadership team—especially one with a long history of actively fighting for online privacy and security—is the most concrete way a company can build trust.
Another major factor we looked for: published security audits conducted by reputable third parties, which are much more common than they have been in the recent past.
Security audits aren’t perfect. Although independent companies evaluate a VPN provider’s technology as best they can, such audits are limited to a moment in time; there are no assurances that the VPN will have the same technology or security practices the next day. Additionally, the auditors themselves are limited by time and sometimes are contracted to look only at certain aspects of a VPN.
“They’re not going to be intimately familiar with the entire company. They’re not going to have time to look through every line of code. They’re given a set of constraints, usually a very small amount of time that they’d prefer is longer, and they don’t have any familiarity with any of the technology earlier than day one and they need to figure it all out,” said Trail of Bits’s Dan Guido.
However, software companies and service providers that are willing to engage with third-party auditors to review their code and implementation—and make the results public—do send a signal of trust. For this guide, we insisted that our VPN picks have published third-party security audits of their core product (rather than just their web-browser extension).
Some VPNs have had no-log audits conducted in order to show that they are living up to their privacy promises. As with security audits, there’s never a guarantee that practices in place during audits aren’t changed the next day, if compelled by a government, for example. And even if companies intend to stick to their promises, they may be inadvertently failing to secure the data they are entrusted with protecting. Although the move toward transparency with no-log audits is a positive one, competition makes it mandatory that such audits be paired with security audits that can help find vulnerabilities so that companies can patch or mitigate them.
Even if you know who’s behind your VPN, you shouldn’t trust a free one. A free service makes you and your data the product, so you should assume that any information it gathers on you—whether that’s an actual browsing history or demographics such as age or political affiliation—is being sold to or shared with someone.
If you penny-pinch on privacy and security services, you may end up without privacy or security. As Bill McKinley, head of the information security team for The New York Times, put it: “If I can spend more on organic bananas, I can spend more for confidence in a VPN provider.”
The Center for Democracy & Technology brought just such a complaint against one VPN provider in 2017, though no investigation has been announced. Many privacy sites suggest finding a VPN service outside the prying eyes of US intelligence agencies and their allies, but FTC protections could be an argument for finding one in the US so that there’s a penalty if the service deceives its customers.
VPNs are not a tool for anonymity, and we have a separate guide with a more in-depth explanation of what a VPN can and can’t do. But at minimum, anyone signing up for a VPN should know that it’s possible for providers to see your traffic, and beyond that, other parties have ways of tracing your identity even if you use a VPN.
There are three common scenarios where other parties would be able to quickly link your online habits. For one, if you sign in to a Google account from home without a VPN, Google has a log of your home IP address. Even if you turn on your browser’s private or Incognito mode and don’t log in, your “private” searches are also linked to your IP address, and then back to your Google account. If you then connect your VPN and sign in to your Google account just once, your “anonymous” VPN IP address is just as trivially linked back to your secret browsing history.
In fact, government requests for data have included asking ISPs for accounts linked to other accounts—if Google knows which VPN you use and that there are multiple accounts on your computer, it knows that your accounts are linked, as does anybody else it shares that data with.
Even if you were to practice perfect separation, VPNs can’t protect against browser cookies and browser fingerprinting techniques that can track you regardless of logins and IP addresses.
People in the US who believe that offshore VPNs will protect their identities in the case of criminal activity will be disappointed to learn that the US government actually has mutual legal assistance treaties with dozens of countries throughout the world.
To narrow down the list of VPN providers, we looked at VPNs listed in reviews from sources such as CNET, PCMag, and The Verge, as well as recommendations from the nonprofit Freedom of the Press Foundation and the security firm Bishop Fox. We also looked at VPNs that had answered questions on the Center for Democracy & Technology’s Signals of Trustworthy VPNs survey. We combined these results with research and recommendations from noncommercial sources such as That One Privacy Site, customer experiences and tips on the r/VPN subreddit, and reviews in the App Store and Google Play store. We piled this research on top of our work from previous years, which looked at sites such as vpnMentor and TorrentFreak and technology-focused websites like Lifehacker and Ars Technica, as well as those services that were simply on our staff’s personal radars.
In 2019, we settled on 52 VPNs that were repeatedly recommended or at least so highly visible that you’re likely to encounter them when shopping for a VPN provider. In 2020, we added four more. From there, we dug into the details on how each one handled issues from technology to subscriptions, as well as the steps they’ve taken to improve their transparency and security posture.
The minimum: published security audits by a reputable third-party firm; public-facing leadership
The best: comprehensive, published white-box (aka open-box) security audits by a reputable third-party firm conducted annually; transparency reports; a bug bounty program or a coordinated vulnerability disclosure program
We thoroughly reviewed all audits, paying close attention to how comprehensive they were and what they included. We also factored in which companies had public-facing leadership or ownership. We looked for audits by third-party firms, prioritizing those that assessed the overall security of a VPN provider.
The best: easy-to-read policies; companies located in countries with strong consumer protections
The VPNs we chose said they logged minimal information. We looked for clear and easy-to-read terms of service and privacy policies and checked to confirm that they were consistent with the site’s marketing copy. We asked companies about their internal security and privacy standards, and how they would respond to requests for information, in order to gauge the trustworthiness of their statements on logging.
The minimum: a free version (or trial) or a money-back guarantee
The best: a free version (or trial) and a money-back guarantee
Despite our extensive testing, we know that VPNs work differently in different locations and on different computers and networks. A trial or a free version of a VPN can allow you to test out several of them risk-free to see if any are a better fit for your specific circumstance.
The minimum: at least 75 server locations in at least 20 countries
The best: more than 1,000 servers
The more servers a network has at each of its locations, the more likely you are to get a speedy connection. And a VPN with a wide variety of server locations can help you geoshift your location without losing connectivity or allow you to log on to a less-congested part of the world. However, VPNs tend to be slower at peak times even on the most robust networks due to limited bandwidth in and out of an area.
The minimum: OpenVPN with SHA-256 authentication; RSA-2048 or better handshake; AES-256-GCM or AES-256-CBC data encryption
The best: RSA-4096, Curve25519, P-256, P-384, or P-521
We built our requirements based on interviews with experts and recommendations (PDF) put out by the National Institute of Standards and Technology. All the trust in the world won’t help a VPN provider keep your browsing information private if it’s not secure. We recommend the open-source WireGuard protocol, a new lightweight protocol that is gaining prominence. It now has a Windows client and is integrated into the Linux kernel, which required additional security review. If the VPN you choose doesn’t offer WireGuard, we recommend using connections based on the OpenVPN protocol due to security flaws and disadvantages in the PPTP and IPsec protocols.
Although AES 128-bit encryption is fine for most purposes, we prefer services that default to the more-secure 256-bit encryption and still offer good performance. And while RSA-2048 is sufficient for now, we prefer the future-proof RSA-4096 as our top standard.
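A way to check an OpenVPN client profile against the minimums listed above, as an added example (not from the original guide or from any VPN provider). It reads only the `auth` and cipher directives; the sample profiles and `vpn.example.net` are constructed, treating SHA-384 and SHA-512 as meeting the SHA-256 floor is an assumption, and the handshake key size lives in the certificates and is not checked here.

```python
"""Check an OpenVPN client profile against a minimum cipher/digest policy."""

# Data-channel ciphers and HMAC digests that meet the minimums quoted above.
ALLOWED_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}
ALLOWED_AUTH = {"SHA256", "SHA384", "SHA512"}  # assumption: larger SHA-2 also passes
# Directives that can each put a cipher on the negotiation list.
CIPHER_DIRECTIVES = ("cipher", "data-ciphers", "ncp-ciphers", "data-ciphers-fallback")


def parse_directives(text):
    """Map each directive to its arguments, skipping comments and inline blocks."""
    directives, block = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if block:  # inside <ca>...</ca> or a similar inline block
            if line == f"</{block}>":
                block = None
            continue
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("<") and line.endswith(">"):
            block = line[1:-1]
            continue
        name, *args = line.split()
        directives[name.lstrip("-").lower()] = args
    return directives


def audit(text):
    """Return a list of findings; an empty list means the profile meets the policy."""
    d = parse_directives(text)
    findings = []

    auth = d.get("auth")
    if not auth:
        findings.append("auth: not set, so the digest is whatever the client defaults to")
    elif auth[0].upper().replace("-", "") not in ALLOWED_AUTH:
        findings.append(f"auth: {auth[0]} is not SHA-256 or a larger SHA-2 digest")

    # Any cipher on the list can end up negotiated, so every entry must pass.
    offered = set()
    for name in CIPHER_DIRECTIVES:
        if d.get(name):
            offered.update(c.upper() for c in d[name][0].split(":") if c)
    if not offered:
        findings.append("cipher: not set, so the cipher is whatever the client defaults to")
    for cipher in sorted(offered - ALLOWED_CIPHERS):
        findings.append(f"cipher: {cipher} is offered but is not AES-256-GCM or AES-256-CBC")
    return findings


# Constructed sample profiles (not taken from any real provider).
WEAK = """\
client
dev tun
remote vpn.example.net 1194
cipher BF-CBC
auth SHA1
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder, never parsed)
-----END CERTIFICATE-----
</ca>
"""

MIXED = """\
client
remote vpn.example.net 1194
data-ciphers AES-256-GCM:AES-128-GCM   # second entry falls below the minimum
auth SHA256
"""

STRONG = """\
client
remote vpn.example.net 1194
data-ciphers AES-256-GCM
auth SHA512
"""

if __name__ == "__main__":
    for label, profile in (("weak", WEAK), ("mixed", MIXED), ("strong", STRONG)):
        results = audit(profile)
        print(label, "->", results if results else "meets the minimum")
```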
The minimum: a kill switch that’s effective and that you can activate with one click
The best: customizable rules allowing you to activate a kill switch on startup or on specific networks
When a VPN “kill switch” is turned on, the VPN software is supposed to shut off all network traffic in and out of your computer or mobile device if the encrypted connection fails. Without a kill switch, if your Wi-Fi drops or there’s another connectivity issue, your VPN stops securing the connection. In some cases, VPN software doesn’t even alert you that it’s no longer protecting your traffic, thereby wiping out all of the benefits of your using it in the first place.
We considered kill switches to be mandatory, but people who can’t log on to their home Wi-Fi, for example, may simply turn off their VPN out of frustration. That’s why we also looked for apps that allow you to easily set your own rules about when the kill switch should activate and when it shouldn’t, in order to customize the experience.
Desktop VPN apps are relatively simple affairs, but the best ones make it fast and easy to connect to the service and find important settings.
The minimum: native apps for Windows, Mac, Android, and iOS (including iPadOS)
The best: additional operating systems, routers, and smart TVs
We consider native apps for Windows and Mac a necessity because they’re far easier to use than open-source or third-party VPN apps. Native apps for iOS and Android are a requirement because although it’s possible to manually configure your phone to use a VPN, it’s not exactly a user-friendly or easy process.
The minimum: two simultaneous connections
The best: five or more simultaneous connections
While the majority of VPN providers allow you to install their software on as many devices as you’d like, most of them limit simultaneous connections. A two-connection limit is likely sufficient for most individuals, but five or more connections offer flexibility for couples, families, or people with many devices.
The minimum: email support, with responses sent within 24 business hours; robust help section
The best: email, chat support during business hours, quick response to weekend tickets
If you can’t set up or reliably use your VPN, you won’t use it—thereby eliminating all of the benefits. An extensive help section on the website can resolve many problems. Although we consider online-chat support to be the gold standard, quick and clear responses to emails can be equally helpful.
Some VPNs offer additional features that can be nice to have but weren’t crucial to our decision making:
Additional payment options: Cryptocurrency, cash, PayPal, Amazon Pay, bank wire, gift card balances, and even jars of honey are accepted for payment, but since a VPN doesn’t guarantee anonymity (see the section on limitations), we don’t think such an array of options is crucial for most people.
Stealth modes: A stealth mode helps circumvent networks that block VPNs by making your encrypted VPN traffic look like it’s some other type of data.
Custom ad blockers: Although this is a nice feature to have in a VPN, you can find a number of trustworthy and free browser extensions for this purpose.
Multihop connections: For added encryption and obfuscation, some VPNs can route your traffic through multiple servers. This is unnecessary for most people, though, and can reduce speeds.
Warrant canaries: Many companies proudly display “warrant canaries” on their websites. These are digitally signed notices that say something to the effect of “We have never been served a warrant for traffic logs or turned over customer information.” Law enforcement can prohibit a company from discussing an investigation, but in theory it can’t compel a company to actively lie. So the theory goes that when the warrant canary dies—that is, the notice disappears from the website because it’s no longer truthful—so does privacy. The EFF supports this legal position, though it stopped tracking warrant canaries in 2016; other highly regarded companies and organizations think warrant canaries are helpful only for informing you after the damage has been done. Such notices may provide a nice sense of security, and they are important to some people, but we didn’t consider them essential.
After going through the above criteria in 2019, we narrowed our initial list down to just five services that met our requirements. In 2020, we tested six services, including four we had previously tested and two we had originally skipped because they didn’t meet our security standards: Encrypt.me, IVPN, Mullvad, NordVPN, ProtonVPN, and TunnelBear. We signed up for each one of those services and dug deeper into their policies, technology, and performance on an Acer laptop, a MacBook Pro, an iPhone, and a Pixel phone.
Your browsing speed and latency while connected to a VPN depends on the VPN server’s physical location—with a server located far away, your data takes longer to arrive—and on the bandwidth of the VPN provider’s internet connection.
We tested each service using Ookla on macOS for each VPN in its default configuration over Wi-Fi. We recorded baseline download rates of nearly 120 Mbps without a VPN active and checked our non-VPN speeds at random intervals to confirm that our local ISP wasn’t affecting the tests.
Ookla takes a “multi-threaded” approach to testing, using up to 16 streams. Multi-threaded testing, according to a 2016 white paper by OTI, has a higher tolerance for background packet losses and can obfuscate deficiencies in the network, so it tends to be more forgiving than other tests. Though other rating options like M-Lab’s speed test may be a better measure of real-world results, in our experience Ookla’s tests worked on every service and allowed us to get a true relative comparison. Plus, Ookla’s data has been cited by the FCC in publications including the agency’s first Consolidated Communications Marketplace Report (PDF), according to the company’s blog.
These two tests show how using a VPN, especially a distant server, will generally slow down your internet connection. We did the first speed test in Southern California without a VPN connection and the second speed test in Southern California with a VPN connection to a server in the United Kingdom. The screen recordings have been sped up, so the connection time may be longer than depicted.
From Phoenix, Arizona, we ran the VPN-enabled test using eight different server locations per service:
For services that offered automatic location selection—a feature designed to give you the best speed possible—we also ran the tests on whichever location the VPN software chose.
We ran the full series of tests with each location during three time periods that we chose to see whether internet rush hours drastically reduced performance:
Thursday midday, between 10 a.m. and 2 p.m. Pacific
Thursday evening, between 7 p.m. and 9 p.m. Pacific
Saturday midday, between 10 a.m. and 12 p.m. Pacific
We also tested each VPN outside of these hours using its fastest connection on a MacBook Pro, a Pixel 3a phone running Android 10.8, and an iPhone 11 running iOS 13.5.1. Additionally, we tested the apps over video calls to see if any service caused frozen screens, slowdowns, or dropped connections.
To verify that each service we used hid our true IP address effectively, we used a geolocation tool as well as sites that detect DNS leaks and WebRTC leaks. We visited the websites for Yelp, Target, and Akamai—sites that sometimes block suspicious IP addresses—to make sure the VPN IP addresses did not prevent us from accessing them.
We also evaluated the interface and experience of the desktop and mobile apps of all the top-performing services. We set up each service’s Android app on a Pixel 3a phone running Android 10. We used iOS apps, when available, on an iPhone 11 with iOS 13.5.1. We looked at the payment process, how easy each app was to set up and connect, and what options were available in the settings pane.
We contacted each of our finalists with simple questions about their service and troubleshooting. VPN companies provide technical support through email, online ticketing systems, or live chat, but some chat options are not available outside of business hours. Our response times to support inquiries ranged from immediate chat responses to two days. Self-help support sites can be useful when you’re waiting for a reply with the inability to connect, so we looked at both the speed of response and the robustness of troubleshooting information available in the site’s support section.
Based on our performance tests, we whittled our list of five contenders down to three: IVPN, Mullvad, and TunnelBear. In 2019, we reached out to these finalists for more information about their operations to judge their trustworthiness and transparency, and we spoke to two by phone and one over email.
Photo: Michael Murtaugh
Our pick
Mullvad is transparent about its security and privacy practices. The VPN offers reliable connections and is easy to use on laptops, phones, and tablets.
Buy from Mullvad ($5.50 per month)
Mullvad is a secure VPN that provided a seamless experience during our testing: It was easy to set up, and it hummed along so quietly in the background that we would often forget that it was even turned on. The company excelled in signals of transparency and trust, and in our testing the service was easy to use and delivered some of the fastest speeds of any VPN we tested. Dedicated apps for Windows, macOS, Android, and iOS make Mullvad simple to set up on a variety of devices even if you have little technical knowledge. Mullvad’s subscription is reasonably priced and costs the same whether you use the service for a month or a year, and one subscription can support up to five simultaneous connections at a time, so it’s easy to use on all of your devices, too.
Mullvad doesn’t require your email address or a username. You just get a randomly generated account number.
In May and June 2020 Mullvad underwent a third-party security audit, a process that is key for improving trust in an opaque industry. Though we wish that Mullvad, like IVPN, allowed testers to look at its servers—something only the company can authorize—the white-box audit was otherwise comprehensive and included a look at Mullvad’s phone apps, something IVPN’s audit didn’t cover. Conducted by Cure53, the audit took six testers a total of 20 person-days to complete (IVPN’s took 21 person-days). In evaluating Mullvad, auditors spotted seven vulnerabilities, implementation issues, and other findings: two of medium severity, two of low severity, and three informational. In comparison, IVPN had three high-severity issues, two of medium severity, three of low severity, and one informational. Both companies issued updates quickly. Cure53’s report states that Mullvad “does a great job protecting the end-user from common PII leaks and privacy related risks.”
Mullvad’s transparency is another strong signal of trust. Located in Sweden, the company (Amagicom) is directly owned by founders Fredrik Strömberg—who works on research and development in security—and Daniel Berntsson, and it lists its employees on its site. Plus, according to Mullvad’s CEO, many of the people on its 22-person team use Qubes, a security-focused operating system designed to keep sensitive work isolated and secure even if an attacker were to breach another portion of the computer.
It’s very clear in the icon design when your computer is connected to Mullvad and when it’s not.
Mullvad collects less information than many VPNs and a little less than IVPN. For example, IVPN stores email addresses, the associated IVPN ID and expiration date, and some payment information and transaction information. Mullvad collects very little data on its customers, and all of the cookies that may track you on the Mullvad website expire when you close the browser window. Those cookies include one that allows you to log in, a cookie that retains your language preference, a security cookie that prevents cross-site request forgeries, and cookies for Mullvad’s payment processor for some payment types. In contrast, IVPN uses a web analytics service—Piwik/Matomo—and collects data on your browser user-agent, language, screen resolution, referring website, and IP address, though it does discard the last piece of the IP address. Piwik may also use a web cookie to identify users who revisit the site. In addition, IVPN stores customers’ transaction and subscription IDs to process their money-back guarantee, enable auto-renewal subscriptions, and resolve payment issues.
Mullvad has fairly readable terms of service, including details about what kinds of information the company collects and how it uses that information. As we discuss in the section on trusting a VPN, using a VPN service beholden to US laws provides for some level of consumer protection, but some people argue that services outside the US are less likely to be swept up in US-government data-collection efforts. We’re unable to draw distinctions between the laws of Sweden (or Gibraltar, where IVPN is incorporated) and US law in this regard, but we do like that Mullvad includes details on how it handles government requests for data. It also says it retains lawyers to monitor the legal landscape and is prepared to shut down the service in the affected jurisdiction if a government somehow legally forces it to spy on its customers: “Just as where no data can be revealed if it does not first exist, the service can’t be used as a surveillance tool if it’s not in operation,” the company says.
Though we prefer a trial, we like that Mullvad offers a 30-day money-back guarantee so you can see if the server speeds and connections work for you. IVPN offers a free three-day trial, but you have to enter your credit card or PayPal information anyway, and the money-back guarantee is for only seven days rather than a month. When you sign up for an account, Mullvad offers more payment options than IVPN, including credit card, Bitcoin, Bitcoin Cash, PayPal, or Swish. Mullvad offers a 10% discount for payment in cryptocurrency. Although Mullvad accepts cash payments, most people aren’t going to mail cash to Sweden from the US, and those payments are not eligible for the money-back guarantee.
Mullvad wasn’t the fastest we tested overall, but its speeds in the US still tied for the fastest.
Mullvad’s app allows you to connect to servers in 57 cities across 36 countries. In connection speeds, on average, it ranked second among the VPNs we tested during rush hour, behind NordVPN, and it did not freeze or drop video calls. Across nine locations, it averaged just about 9% faster than IVPN. During non-rush-hour traffic, Mullvad averaged 80.15 Mbps in the US. The phone apps were much faster, averaging 115 Mbps on Android and 126 Mbps on iOS over cellular data during non-rush-hour times. Mullvad didn’t disrupt basic web browsing tasks, and Mullvad and IVPN were the only two VPNs that did not cause video calls to drop or freeze.
As for the security and connection standards Mullvad uses, it’s competitive with the other VPN services we found to be trustworthy. Mullvad allows you to choose between the OpenVPN and WireGuard standards on Windows and macOS. It uses WireGuard on its iOS and Android app. We recommend using WireGuard for better security and faster speed. We like that Mullvad lays out its security standards clearly; although IVPN meets our standards, that company is less technical in its descriptions.
Mullvad includes a kill switch, which stops all traffic if the VPN disconnects. As with other competitors we tested, this feature worked as promised and kept our browsing and connections offline until the VPN connection was confirmed.
Mullvad’s open-source apps are available for Windows, macOS, Android (though the Android app is still in beta; more on that below), and iOS. This flexibility makes Mullvad simple to set up on a variety of devices even if you have little technical knowledge. You can customize whether to launch the app on startup and autoconnect when it launches. It also has a local network sharing setting to access other devices on the same network, which prevents problems with printing and file sharing, a common issue for some VPNs. And though Mullvad didn’t disconnect randomly as often as other VPNs we tested, it clearly and visually indicates when you are disconnected by changing the closed green lock icon to an open red lock. IVPN is the same on Windows, but on a Mac, IVPN’s icon is black when connected and gray when disconnected, which can be harder to discern at a glance.
Mullvad’s “Local network sharing” option is great, as some other VPNs have a tendency to block certain tasks you do on your local network, such as printing.
Whether you sign up for a month or a year, the cost of a Mullvad subscription is the same: €5 a month (usually around $5.50 to $6). IVPN charges $6 per month for its standard tier and $10 per month for its pro tier. If you commit to a whole year of service, IVPN charges $60 per year for its standard tier and $100 per year for its pro tier, which means its pro tier is still more expensive than Mullvad with the annual discount, and the savings with the standard tier are negligible.
Mullvad offers some features other providers don’t. Although most people won’t take advantage of these extras, the existence of these options shows that the company invests a lot of thought into privacy and security. For instance, you can download the software using the Tor Browser and verify the signatures for new app releases. We were particularly impressed with the company’s design specifications, which describe how the application should work, the connections that it should be allowed to make, and how that differs on each individual platform. “That level of upfront specification means that you can test against that specification, which means that you can actually find deviations from it that indicate security issues. That’s a deeper level of knowledge about what you’re building than what I’ve seen for many other VPN providers,” said Dan Guido. Mullvad also supports installation on many routers, though it’s worthwhile to check and confirm that yours is supported and what steps are required.
Mullvad’s phone apps are new, and the Android app is still in beta as of this writing. But it’s available in the Google Play store, and in our tests it was just as stable as the app was on iOS. You can’t pay for additional months from the Android app; instead, to do so you have to log in from a browser or in one of the other apps.
It’s unfortunate that Mullvad doesn’t offer a free trial of any sort, but its 30-day money-back guarantee is a longer guarantee than many of its competitors offer. We prefer free trials because they make the process of verifying speeds before subscribing to a service so much easier.
Although Mullvad does not have a bug bounty program, it does have a dedicated PGP address for security researchers to report vulnerabilities, and it says it has rewarded findings in the past.
If you need to contact support, you have to go through email, as Mullvad doesn’t offer chat or phone support and does not use any third-party vendors for ticketing. When we checked in 2019, the company responded quickly to a support email during the weekend and provided clear and informative responses. Its team operates support during weekday office hours in Central European time. Mullvad provides clear setup and anonymity guides.
Photo: Michael Murtaugh
Also great
IVPN may be a better deal if you plan to use it on six or seven devices or if you catch it on sale. In our tests it was almost as fast and consistent as Mullvad, and it’s similarly transparent, trustworthy, and easy to use.
If Mullvad doesn’t give you the same speeds we found, if you want to get faster responses to support tickets, or if you want to more easily install a VPN on network-attached storage, IVPN is a good choice. It is fast, consistent, and easy to use on Windows, Mac, Android, and iOS. Like Mullvad, on its website it includes detailed information on its policies and a readable terms of service. IVPN has a three-day trial, which is great for people who want to test speeds without paying for the service or going through a refund process as Mullvad requires. But IVPN has fewer server locations than Mullvad, and in our tests IVPN was slower than Mullvad.
The extra features included in the pro plan aren’t worth the cost for most people, but the standard plan is limited to just two devices, which might not be enough for some.
IVPN (Privatus Limited), which was incorporated in Gibraltar, lists its core team on its website, and founder and CEO Nick Pestell answered all of our questions about the company. IVPN has 13 full-time staffers, three of whom work specifically on infrastructure security; that’s fewer staffers than Mullvad has but still far more than many VPNs have. It seems committed to transparency, and it has undergone a public, third-party security audit. In fact, the auditors confirmed that IVPN fixed the issues found during the audit. Although the audit did not include IVPN’s phone apps, testers did have access to IVPN’s servers, which was not the case for Mullvad’s audit.
IVPN includes an optional anti-tracker and ad blocker, along with a plethora of configuration options.
IVPN also posts a transparency report that shows the number of valid legal requests it received from government or law enforcement agencies in a given year, going back to 2016. We like that IVPN makes a point to say it does not advertise or guarantee complete anonymity, enable geoblocked content on streaming services, or offer a way around the Great Firewall of China. Additionally, IVPN has published ethical guidelines on its site, including clear, detailed information on its marketing methods and ethical commitments.
You can take IVPN out for a spin to see if it works for you with its three-day trial, but you’ll need to provide a valid credit card or PayPal account (which won’t be charged until the end of the trial). You can also get a full refund if you cancel your account within seven days.
While NordVPN was most frequently the fastest, both Mullvad and IVPN often came close, and they offer much more transparency into their security practices.
Although IVPN has fewer servers and exit nodes than Mullvad, it was almost as fast, and it was the third-fastest VPN we tested during rush hour. We like that IVPN lets you choose the city of the server you want to log in to, or it can automatically select the fastest connection, an option that Mullvad does not offer. It’s worth experimenting to see if the server IVPN selects as the fastest actually is the speediest for you; in our testing, a location close to us tested faster than IVPN’s option.
Like Mullvad, IVPN is open source and includes an option to use WireGuard, which we recommend for improved speed and security. The two services are pretty similar once configured. IVPN offers a kill switch in the form of an always-on firewall option, which worked when we tested it.
IVPN provides two subscription tiers: a standard account, which works for up to two devices simultaneously, or a more expensive pro account, which works with as many as seven. A pro account also includes port forwarding, which most people don’t need, and multihop, which routes your connection through multiple servers in separate jurisdictions; multihop can also slow down your speed exponentially, however, and you can get the same benefit from using Tor for free. We recommend choosing an account type by the number of devices you plan to install IVPN on. Annoyingly, IVPN limits you by how many devices you’re logged in to, not actively using. For example, although you can install IVPN on a tablet, computer, and phone with a standard account, you have to repeatedly log in and out if you bounce between those devices.
Like Mullvad, IVPN is available for Windows, macOS, Android, iOS, and Linux. You can install IVPN on some routers and network-attached storage devices.
Last we checked, IVPN responded quickly to our support ticket during the weekend, providing clear and informative responses. You can also get help via chat during business hours. The company has two customer service staffers providing around 18 hours of coverage per day both through ticket requests and via chat (though the chat may be offline if a staff member is working on a ticket). IVPN’s CEO said that 81% of tickets in May 2020 were answered within an hour, and that an additional 18.1% were answered within one to four hours. Mullvad doesn’t keep stats on its support responses but says it operates customer support during weekday office hours in Central European time.
IVPN’s documentation is more novice-friendly than what Mullvad offers, including clear, detailed setup guides as well as troubleshooting advice and anonymity guides.
It also has some features that Mullvad doesn’t have, such as the ability to block trackers (though this isn’t available for Android phones using the app on the Google Play store; instead you have to delete previously installed versions and download the APK file from the site). But most people should block trackers through free extensions like Privacy Badger and uBlock Origin. IVPN also offers a “hardcore mode,” where you can block Facebook and Google altogether, though this isn’t something most people will want to use unless they have a high tolerance for broken sites. And you can set specific Wi-Fi networks as trusted, so you can choose to not use your VPN on your home Wi-Fi, for example, without disabling the kill-switch setting.
Both Mullvad and IVPN have completed new audits in the last year that we plan to take a closer look at. Mullvad published a third-party audit of its infrastructure in January 2021, while IVPN completed an audit of its apps in March 2021.
NordVPN’s Android app received ioXt certification, a new certification that seeks to get a base level of security for internet connected devices and VPNs. We’re not confident the certification is useful for VPNs yet, and we’re still waiting on Nord’s security audit for 2021.
TunnelBear released its transparency report for 2020, which confirms its no-log policy and details the government requests it received. We’re waiting on its security audit.
Mozilla VPN is now available for Windows, Android, and iOS, but lacks a Mac client. Mozilla’s software is open source, and the company confirmed in an email that it has plans for third-party audits with its partner, Mullvad, to make the product safer and improve user trust. We’ll take a closer look once its Mac client and its audits are released.
If HTTP browsing is a postcard that anyone can read as it travels along, HTTPS (HTTP Secure) is a sealed letter that gives up only where it’s going. For example, before Wirecutter implemented HTTPS, your browsing traffic could reveal both the exact page you visited (such as http://www.nytimes.com/wirecutter/reviews/best-surge-protector/) and its content to the owner of the Wi-Fi network, your network administrator, or your ISP. But if you visit that same page today—our website now uses HTTPS—those parties would see only the domain (that is, https://www.nytimes.com). The downside is that the website operator has to implement HTTPS. Sites that deal with banking or shopping have been using these types of secure connections for a long time to protect financial data, and in the past few years many major news and information sites, including that of The New York Times, have implemented it as well.
Browsers have increasingly long lists of privacy features baked right into their standard setups, but the HTTPS Everywhere extension can help make sure you browse websites over a secure connection whenever possible. Although mobile apps have started to move toward using secure connections as well, many don’t implement them or specifically disable them.
What a snooper sees when you’re browsing
Secure HTTPS websites | Outdated HTTP websites
https://www.nytimes.com | http://www.nytimes.com/wirecutter/reviews/best-surge-protector/
https://newyork.craigslist.org | http://newyork.craigslist.org/d/missed-connections/search/mis
https://www.webmd.com | http://www.webmd.com/news/breaking-news/confronting-alzheimers/default.htm
Even without a VPN, websites like these that default to HTTPS give you extra privacy online. If they didn’t, a lot more information about your browsing habits would be available to prying eyes, whether they be Wi-Fi operators, ISPs, or independent bad actors.
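To make the comparison concrete, here is an added example (not part of the original article) that reports what a passive party on the network can read from the first bytes a browser sends: the full request for HTTP, but only the hostname in the TLS ClientHello for HTTPS. The ClientHello is a minimal constructed sample carrying just the server_name extension, and the function names are hypothetical.

```python
import struct
from urllib.parse import urlsplit


def build_http_request(url):
    """Plaintext HTTP/1.1 request for url (constructed sample)."""
    u = urlsplit(url)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    return f"GET {path} HTTP/1.1\r\nHost: {u.hostname}\r\n\r\n".encode("ascii")


def build_client_hello(url):
    """Minimal TLS ClientHello record for url's host (constructed sample).

    Only the hostname goes into this message. The request line with the
    path is sent later, inside encrypted application-data records.
    """
    host = urlsplit(url).hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(host)) + host   # type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry             # server_name_list
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni        # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32)        # legacy_version, random (zeroed here)
            + b"\x00"                      # empty session id
            + b"\x00\x02\x13\x01"          # one cipher suite
            + b"\x01\x00"                  # null compression
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def sni_from_client_hello(record):
    """Return the hostname in a ClientHello record, or None if absent/malformed."""
    if len(record) < 5 or record[0] != 0x16:        # not a TLS handshake record
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:                # not a ClientHello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                            # version + random
        pos += 1 + body[pos]                                    # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
        pos += 1 + body[pos]                                    # compression methods
        ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + ext_len]
            if ext_type == 0x0000:                              # server_name
                name_len = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + name_len].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, struct.error, ValueError):
        return None                                 # truncated or malformed
    return None


def first_flight(url):
    """First bytes the client sends for url, chosen by scheme."""
    if urlsplit(url).scheme == "https":
        return build_client_hello(url)
    return build_http_request(url)


def observer_view(wire_bytes):
    """Fields a passive on-path party can read from the client's first bytes."""
    if wire_bytes[:1] == b"\x16":
        return {"scheme": "https", "host": sni_from_client_hello(wire_bytes),
                "path": None}
    lines = wire_bytes.decode("ascii", "replace").split("\r\n")
    _method, path, _version = lines[0].split(" ", 2)
    host = next((l.split(":", 1)[1].strip() for l in lines[1:]
                 if l.lower().startswith("host:")), None)
    return {"scheme": "http", "host": host, "path": path}


if __name__ == "__main__":
    page = "www.nytimes.com/wirecutter/reviews/best-surge-protector/"
    for url in ("http://" + page, "https://" + page):
        print(url, "->", observer_view(first_flight(url)))
```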
HTTPS is a powerful tool because it helps keep sensitive browsing private at no extra cost to the people using it. But like most security standards, it has its own problems. That little lock icon in your browser bar, which indicates the HTTPS connection, relies on a certificate “signed” by a recognized authority. But there are hundreds of such authorities, and as the EFF says, “the security of HTTPS is only as strong as the practices of the least trustworthy/competent CA [certificate authorities].” Plus, there have been plenty of news stories covering minor and even major vulnerabilities in the system. Some security professionals have worried about those least-competent authorities, spurring groups to improve on the certificate standards and prompting browsers to add warnings when you come across certificates and sites that don’t withstand scrutiny. So HTTPS is good—but like anything, it isn’t perfect.
Tor is a free service that attempts to preserve anonymity—something that VPNs do not do. It is a distributed network that runs traffic through multiple relays.
If you aren’t familiar with Tor, this handy interactive graphic shows how it protects an internet connection, and this series goes into more detail about how Tor works. Runa Sandvik, a former researcher with The Tor Project who was part of the information security team at The New York Times at the time of our interview, described it as “a tool that allows users to remain anonymous and uncensored.”
Tor does not write any history to disk, allowing you to do internet research without leaving a trail back to you or leaving a forensic trace on your computer.
Although it cannot protect you from, say, targeted government surveillance, Tor can be useful for looking up private information, such as medical conditions, without your activity being traced back to you or added to a marketing profile. Tor uses a different circuit from a different IP address in each tab, making it more difficult for other parties to link your searches and accounts across tabs. However, Tor can be blocked by some websites and has a reputation for slow connections.
One way to resolve the issue of trust is to be your own VPN provider, but that’s not a feasible option for most people. Plus, it still requires trust in any company providing the hardware that your VPN would run on, such as Amazon’s cloud services. Multiple projects can help you cheaply turn any old server into a VPN, including Algo, Streisand, and Outline. By encrypting all the traffic from your home or mobile device to a server you manage, you deprive your ISP and a potentially villainous VPN of all your juicy traffic logs. But most people lack the skills, patience, or energy—or some combination of the three—to do this. If you don’t manage servers or work in IT, it may be harder to manage perfect operation and performance better than trustworthy professionals can. Lastly, although you remove one threat from the equation by cutting out a VPN service provider, you also lose the extra layer of privacy that comes from your traffic mixing in with that of hundreds or thousands of other customers.
In addition to our top picks, we signed up for and tested five other services.
Encrypt.me, formerly Cloak, stood out to us for its especially honest and transparent marketing copy and for its status as one of the first VPN providers (if not the first) to have a third-party security audit, back in March 2016. That audit was never made public, but in October 2019, Encrypt.me released results of a more recent black-box (aka closed-box) security audit. Encrypt.me offers a 14-day trial and a 30-day money-back guarantee. We like that it allows you to use an account with as many devices as you’d like, as long as you keep it to one account per person. If you use Eero for mesh Wi-Fi, you can get a membership to Encrypt.me as part of your Eero Secure+ subscription. Encrypt.me did just okay on our speed tests, and it had fewer server locations than other VPNs we tested. That said, if it works well for you, there’s no reason not to use it, especially if you’re an Eero Secure+ subscriber.
VyprVPN offers some benefits, such as quick support and the ability to report bugs from within the app. VyprVPN’s security audit, conducted by Leviathan Security Group, checked whether the platform logged personally identifiable information in ways not required for business operations. Although the audit was minimal in scope, the report included an architecture diagram, information on components of the VPN and how they interact, and other pertinent information. We appreciated that informative security audit, but we found VyprVPN to be extremely unreliable, often failing to connect at all. And VyprVPN still allows you to connect using the PPTP protocol (although that setting is off by default), an older, less secure option that puts you at risk. It also posts a pre-shared key on its website, which may increase the potential of man-in-the-middle attacks.
We received multiple reader questions about ProtonVPN, and although we like that it’s open source, publishes a transparency report, and has had recent security audits, we had problems with the service. ProtonVPN’s website design choices made it all too easy for us to accidentally select an annual subscription rather than monthly payments. The service does not email receipts, which are available only on the account page, and ProtonVPN’s support was among the slowest of the VPNs we tested. Additionally, the company shut down our test account for fraud in response to a PayPal dispute, an action that made it impossible for us to obtain the receipt that’s typically needed to address such a dispute. We had difficulty with connectivity, too, as the VPN server often failed to respond.
We previously dismissed NordVPN for withholding information on its ownership, but it eventually shared the name of one owner, Tom Okman. It also shared a black-box security audit with us, though that report is not publicly posted on its site. The VPN was called to task for failing to immediately disclose a security breach to customers and the public until after a security researcher tweeted about it. It has also posted slightly misleading tweets about “passing” security audits. That said, we found NordVPN to be very fast, though unlike our top picks, it dropped a few video calls. NordVPN does not offer a free trial, but it does offer a 30-day money-back guarantee.
We dismissed another 45 services before performance testing for a variety of reasons. We’ve listed the main reasons for their dismissal below.
Private Internet Access, or PIA, is a highly visible, privacy-focused VPN that has a stellar reputation for being unable to provide detailed records to law enforcement, according to court records. Because of this and its advocacy concerning online privacy and security, it has also been a Wirecutter staff pick. But we had to put PIA on our list of VPNs that have not had a public third-party security audit.
Other VPNs we considered testing but ruled out because they had no public audits include: AirVPN, Astrill, AzireVPN, blackVPN, BTGuard, CactusVPN, Cryptostorm, CyberGhost, Disconnect, Faceless.me, F-Secure Freedome VPN, FrootVPN, Goose VPN, Hide.me, InvinciBull, IPredator, IPVanish, KeepSolid, nVpn, OVPN, Perfect Privacy, personalVPN, PrivateVPN, Private Tunnel, PureVPN, StrongVPN, SurfEasy, TorGuard, TorrentPrivacy, Trust.Zone, VPN.AC, VPN.ht, VPNTunnel, Windscribe, Zenguard, ZenMate, and ZorroVPN.
We ruled out some VPNs for trust issues. EarthVPN appears to have lied about its logging practices, while ProxySH confessed to spying on customer traffic in 2013. HideMyAss has handed customer information over to police. The Center for Democracy & Technology filed a 14-page complaint about Hotspot Shield with the FTC, alleging unfair and deceptive trade practices. None of these VPNs appear to have had third-party security audits, either.
We dismissed ExpressVPN and Surfshark for not being public about their ownership or leadership. “Would you put your money in a bank where you don’t know what laws govern it or who owns it or who manages it?” asked security researcher Kenn White. “Would you go to a financial adviser using a fake identity?”
We did not include Guardian Firewall + VPN, which is currently available only for iOS, or Cloudflare’s Warp, which is available only for iOS and Android.
Yes, most VPNs allow you to pick a location for your IP address, which can get around some geo-restricted websites and online censorship. However, doing so isn’t always useful for accessing international video services, despite the fact VPN companies often claim it is. If that’s your main goal, a VPN isn’t a reliable solution.
When you connect to a VPN, all your traffic is tunneled through the VPN provider, so the company could technically see your web browsing. This is why it’s important to find a trustworthy company.
Properly configured, a VPN masks all your internet usage, including torrenting, from your ISP. However, there’s nothing to stop ISPs from throttling traffic that looks like a VPN. BitTorrent software also sometimes requires configuration changes to work properly with a VPN, and if that isn’t done correctly, your ISP may still see what you’re up to.
This depends on what internet speed you’re paying for, your location, and the location of the VPN server. But even in the best-case scenarios, a VPN will typically slow down your connection a little bit. This is why we recommend starting with a trial period with our picks to test speeds before making a commitment when possible.
A VPN can help secure your internet connection when you’re working in a public place, like a coffee shop or airport. HTTPS is common these days and protects many aspects of your traffic on an unsecured network, but it’s still not perfect, so a VPN can still be useful in this regard. However, a VPN doesn’t protect your data from the most common security concerns for most people: breaches or leaks. For that, we think it’s best to use a password manager to create unique passwords everywhere and two-factor authentication whenever possible.
No. A VPN can increase security and reduce some online ad tracking, but it’s not an anonymization tool. If you log into any online accounts, like Google, then that company can trace who you are, and browser fingerprinting can collect some data about you regardless of whether you’re using a VPN. A VPN used in conjunction with some browser extensions can reduce the type of invasive tracking used primarily for advertising, but if you need anonymity, you should use tools like Tor.
Kenn White, security researcher and co-director of the Open Crypto Audit Project, phone interview, June 10, 2019
Matthew Green, cryptographer and professor at Johns Hopkins University, phone interview, May 16, 2019
Matthew Prince, CEO of Cloudflare, phone interview, May 17, 2019
Joseph Jerome, policy counsel for the Center for Democracy & Technology, phone interview, May 22, 2019
Dan Guido, co-founder and CEO of Trail of Bits, phone interview, May 24, 2019
Eva Galperin, director of cybersecurity at Electronic Frontier Foundation, phone interview, May 27, 2019
Ryan Dochuk, CEO and co-founder of TunnelBear, phone interview, May 29, 2019
Nick Pestell, founder and CEO of IVPN, phone interview, June 7, 2019, and email interview, June 18, 2020
Jan Jonsson, CEO of Mullvad, email interview, June 4, 2019, and June 18, 2020
Yael Grauer is an investigative tech journalist based in Phoenix. Her work has appeared in The Intercept, Wired, Ars Technica, Motherboard, Future Tense, OneZero, and more. She likes cooking, hiking, playing puzzle games, listening to bluegrass music, and spending time with her husband and their rescue chiweenie.