This concern has me waffling over whether to use the https everywhere extension (which, by the way, is also available for the Opera and Vivaldi browsers, which you didn’t mention in your video on the subject).
Similar concern with password management software…
Those are good and important concerns.
In fact, we need to apply that thinking to every bit of software installed on your machine, as well as every online service you use.
Become a Patron of Ask Leo! and go ad-free!
Not limited to security software
While understanding the risks of your security software is important, it’s equally important to realize that this concern applies to any and all software you might choose to install on your computer.
These days, almost all software has an online component, even if it’s just to check for updates. Should that online component be hacked, it could be used to download malicious software onto your machine, which can then do anything. While it might be obvious that hacked security software would be a bad thing, in reality, any software vendor that gets hacked runs the risk of causing damage in the form of malware being installed on the machines of all current users.
Not limited to software
The same thinking is important to consider when selecting online services. You mention VPNs specifically – again, where security is an obvious part of the mix – but actually, the concerns are just as valid for any and all online services you might consider using, including your ISP.
Should an online service be compromised, anything you do with the service is at risk. Your private information, as well as any data you store there, could be made public. In an extreme case – say an ISP getting hacked – you could find yourself directed to malicious sites, or downloading malicious software, without realizing it.
Taken to the extreme
As I said, it’s a concern for every single service you use, and every single bit of software you install on your machine, right down to the operating system.
Should Microsoft (or Apple, or your favorite Linux distribution) ever be hacked, absolute chaos could result.
It’s all about trust
Life is not without risk, and one of the ways we manage risk is to make sure we do business only with entities we trust. That’s not to say we necessarily agree with their actions, but that their actions are transparent in such a way that we can trust them to do what they say they will, and do it with an appropriate level of security in mind.
We begin by trusting that the services and software we use don’t have malicious intent. We’re assuming they’re not out to “get” us; they’re not explicitly out to exploit, harm, or otherwise take advantage of us.
To be clear, not everyone agrees on who does or does not have malicious intent. There are plenty of people who seriously distrust Microsoft, for example. As a result, they may seek out alternatives they find more trustworthy than Windows and other Microsoft software.
The bottom line is, we each need to believe the entity we’re dealing with is at least trying to do the right thing.1
Protection from malicious software is one thing; what about protection from legal attempts to access our data?
For example, even without being hacked, how easily will your ISP expose your information to local authorities? The same holds true for VPN services; they are, in a sense, acting as a kind of proxy ISP (moving the location of your eventual direct internet access to one of their servers instead of your ISPs directly).
This kind of protection is exceptionally complex, as laws and legal realities vary from one place to another, and companies may not always be in a position to defend themselves, or you, in areas outside of your location.
We also trust the services and software we use to know what they’re doing, particularly when it comes to security. We assume they understand the security ramifications of their tools, and have taken appropriate and sufficient measures to ensure our privacy, safety, and security.
This is difficult to judge objectively. For obvious reasons2 software vendors and online service providers don’t specify their full range of security measures publicly. We need to decide how much we’re willing to trust them with our information and activities based on reputation and track record.
One way to evaluate whether or not a vendor is worthy of our trust is to review their history. Specifically, we can research:
- Have there been issues in the past?
- How were those issues handled?
I might claim the second is more important than the first. There’s no such thing as bug-free software, and there’s no such thing as perfect security. In the face of security-related issues, how did the vendor respond? Was it with quick transparency, or ponderous obfuscation? Did it become apparent that their systems had been designed with security in mind, or was it clear they’d made some boneheaded decisions leading to eventual compromise?
Who do you trust?
It’s unrealistic for every computer user to have a detailed understanding of the security issues and risks associated with all the different kinds of software and services, online or off. As a result, it all comes down to trusted referrals and reputation.
For example, I trust Microsoft’s intent and qualifications. Admittedly, I have a small window others might not have3 into how Microsoft operates on which to base my opinions. But, I’m also in a position for others to choose to trust my thoughts on the matter. Or not, as the case may be.4
Perhaps more objectively, I trust the EFF – the suppliers of https everywhere. My trust is based on my understanding of the organization’s goals, their history, and their online reputation. Will they have perfect software developers? Of course not – there’s no such thing. But I do trust them to understand the security ramifications of their efforts – perhaps better than most – and to take appropriate steps to ensure that what they provide is solid and secure. I also trust them to react appropriately should an issue ever become apparent.
Those are the same qualifications I apply to any software or service I use. It’s one reason I haven’t yet endorsed a specific VPN – I don’t have enough of a track record with any of them to feel my opinion is worth anything. If pressed to make a decision, I’d defer to other resources I do trust – like the EFF, in this case – for their recommendations.
Sleeping well at night
As you can see, there are a lot of issues to be considered once we start down this path – so many we could lose all hope!
For most people, things aren’t nearly as bleak as this picture might paint. Most major vendors are reputable and trustworthy, and will do what they can, within the limits of technology and the scope of the law, to keep their services safe and secure from hackers or other types of intrusions.
As long as you focus on getting reputable software from reputable sources, and maintaining your own security hygiene, it’s not something the average computer user need lose sleep over.