VPN Glossary

A browser add-on/extension, or software, that prevents advertisements from displaying on web pages.

The majority of these will also help to block ad-based malware and cross-site tracking, which is when companies collect your data across multiple websites.

Adblock Plus is probably the most famous example. It’s a browser extension that’s been downloaded by tens of millions of people all over the world for years now.

Some VPN services also have their own ad blockers built-in as an extra feature, like Windscribe and Private Internet Access.

One of the most commonly used encryption protocols, AES-256 is the cipher of choice for the US federal government – hence why you’ll often see VPN providers describe it as ‘military grade‘.

It is considered completely unbreakable, and since its creation in 2001 has undergone excessive testing to prove exactly how secure it is.

It’s a type of cipher, which means it’s a sort of algorithm for encrypting and decrypting data. If a VPN says it uses AES-256 encryption, that simply means that it uses AES-256 to jumble your data at one end of the connection, then reassemble it at the other.

AES is the best encryption standard available to VPN users.

We go into much more detail about how AES works in our VPN encryption guide.

 

One of the most common peer-to-peer (P2P) protocols used to download and distribute files over the internet.

Rather than downloading a file from one central source (like when you download a VPN install file from a provider’s website), torrenting instead connects you to multiple users who already have the complete file. You download bits and pieces of that file from them until you too have a complete download. In return, you can then share (or ‘seed’) the file to help other users looking to download it, and increasing the speed at which they can do so.

To get started, you’ll need BitTorrent client software along with a small torrent file that contains the information needed to download the file you want. These torrent files are most notoriously available on illegal torrenting sites, but they’re also on forums and other sites.

For many unscrupulous individuals, breaking the law is a part of the appeal of torrenting – people take advantage of its speed and P2P nature to share pirated software or media. You should never use it for that. Torrenting is perfectly legal when used to share rights-free material.

Unless you use a VPN, your IP address will be exposed to anyone involved in data transfers, so check out our best VPNs for torrenting in order to protect yourself from unwanted snooping.

A plug-in, or add-on, that can be downloaded and installed to your web browser to let it do all manner of extra things.

Most major browsers (Google Chrome, Firefox, Opera and Safari) offer online stores that allow you to find extensions. However, not all extensions will work with every browser.

You should also beware that anyone can make their own browser extension. Make sure you only install extensions that look trustworthy, otherwise you may find yourself being spied on or monitored even more.

Many VPN services offer browser extensions. They can be an excellent, lightweight solution to achieving a little more anonymity or simple geospoofing. In most cases, these are proxies rather than full VPN extensions (see our definition of ‘proxy’ below), so your web traffic won’t actually be encrypted.

Check out our best VPNs by category to find the best VPN extensions for your browser.

A mathematical algorithm used for data encryption. Even advanced supercomputers find it almost impossible to crack modern-day ciphers because of how incredibly complex these algorithms are.

AES-256 is considered to be the strongest cipher currently available for a VPN. You may also see AES-128 from time to time, too.

To simply put how complex high-end VPN ciphers are, let’s look at AES-128 as an example.

Let’s say that:

• Every person on the planet owns 10 computers.
• There are seven billion people on the planet.
• Each of these computers can test one billion key combinations per second.
• On average, you can crack the key after testing 50% of the possibilities.

Then the population of Earth can crack one encryption key in 77,000,000,000,000,000,000,000,000 years. That’s seventy-seven septillion years.

And that’s just with AES-128, never mind AES-256, which you’ll see as a part of almost every high-scoring VPN on this website.

That example above shows just how hard it is for would-be hackers to ‘brute-force’ a VPN’s encryption, attempting every single possible combination to decrypt the data.

You can read more about encryption ciphers in our beginner’s guide to how virtual private networks work.

Also known as metadata logs, connection logs are used by VPN providers (in most cases) for troubleshooting and dealing with technical issues.

The amount of data collected varies from one VPN service to the next, but generally includes anonymous details such as: connection time, amount of data transferred, and the number of devices that are connected to the VPN.

We largely believe that these sorts of logs are fine.

Some services will also log your originating IP address, however – we recommend you don’t use a VPN that logs your IP.

As a general rule, connection logs aren’t too much of a concern as long as they’re anonymous, not overly detailed, and are only stored for a very short period of time.

Learn more about VPN logging in our ‘What Is a VPN?’ introductory guides.

A small text file placed on your computer when you visit a website, used to remember something about you or your device at a later date.

Cookies have many uses, including remembering your login details and website preferences. However, there have been some issues with sites using them to track visitors without them knowing.

The two most commonly used types of cookie are session cookies and persistent cookies. A session cookie disappears after you close your browser, but a persistent cookie remains after you close your browser and may be used on subsequent visits to the website.

If you want to delete any cookies from your web browser, follow these steps:

While they may often be spoken of as if they’re the same thing, the Dark Web and the Deep Web are actually two different things.

The Deep Web is all of the websites you can’t find or access using regular search engines like Google or Bing. Instead of .com or .org, for example, these websites end with the suffix .onion.

It is only accessible through networks such as Tor (The Onion Router – you can read more about it below) or I2P (Invisible Internet Project). Users of Tor become incredibly difficult to track.

There is nothing illegal about accessing the Deep Web. Plenty of people living under oppressive regimes or intense censorship use it to bypass internet blocks.

Many regular websites have .onion mirror versions, including ExpressVPN and NordVPN. Some VPNs let you access .onion websites through servers on their network, too, meaning you don’t even need to download Tor browser to visit them.

Be warned, though – use of the Tor browser will likely alert your ISP. That’s fine if you have nothing to hide, and it won’t be able to see what sites you’re visiting on it, but it will certainly draw attention.

The Dark Web, on the other hand, is a section of the Deep Web used almost exclusively for illegal means.

There are all manner of shady marketplaces and forums on the Dark Web, and we would advise you to stay clear of it entirely.

We conduct an annual investigation into the state of illegal markets on the Dark Web. Our most recent foray revealed how much your personal data and hacked accounts from various popular websites is worth.

A Linux-based open source firmware for wireless routers. It’s a third party software compatible with numerous router brands, designed to be installed over the default operating system to provide added functionality.

You can ‘flash’ DD-WRT into your existing router, which will remove the default factory settings and give you more control. Or you can purchase a router that’s been pre-flashed.

This enables you to configure a VPN at router level, so every device you connect will be routed through the VPN without you having to install individual apps.

Ordinarily when you use a VPN you are randomly assigned an IP address from a pool of total available options. This number can vary greatly – one VPN provider may offer 1,000 IP addresses on the server you wish to connect to, while another may offer just one.

Either way, that IP address you’re assigned is shared by other users also connecting to that server. In fact there’s a high chance there will even be someone using it at the same time as you.

Some VPNs offer subscribers the option of a dedicated IP address. For a small extra monthly fee you can be assigned an IP address unique to you. No other users have access to it, and you will always be able to connect to it whenever you choose.

It may sound strange, given that VPNs are all about protecting your anonymity, but there are some reasons where it makes sense to get a dedicated IP:

• It can more reliably unblock streaming sites like Netflix within the country that the IP is located (but it will only unblock content from that one specific region).
• You’ll see fewer Captchas around the internet
• You won’t receive as many messages from your various accounts notifying you of logins from unfamiliar IP addresses
• Your speeds might be higher due to less congestion on the network

However, we still recommend that you don’t purchase a dedicated IP address. By using one you essentially lose all anonymity. Without other users also being assigned it, or without the potential to be randomly assigned a different address yourself, everything done on that IP address can be traced back to you.

Even if the VPN service in question does not ordinarily keep any logs, it still has to maintain some system of linking an IP address to your account, which can then be used to easily reveal your true identity.

Deep packet inspection is an advanced method of monitoring and analyzing web traffic. Usually when we talk about it in the context of VPNs it’s with regard to governments utilizing it to censor the internet or block citizens’ web traffic.

All your traffic that travels over the internet is comprised of ‘packets’. As the name suggests, they’re small portions of data which as transported bit by bit and then reconstructed upon reception, completing the communication process between a client (your device) and the server (the website you’re trying to view, for example).

To use a metaphor, they’re a lot like letters. Ordinarily, only the packet headers are visible to outside forces, a bit like how anyone could see the address on an envelope but not the information within it.

DPI, though, is akin to opening up the letter and scanning over the contents. It’s possible to use it in a positive way, like to prevent malware, but it’s more commonly used by workplaces, ISPs, or even governments to determine what information can be transferred and what cannot. It’s a super-efficient way to censor the internet.

A good VPN with the right obfuscation tools can shield your traffic from DPI.

DMCA stands for Digital Millennium Copyright Act, and a DMCA notice refers to a copyright infringement notification that’s sent to ISPs by copyright holders.

Anyone who torrents copyrighted material or accesses illegal streaming websites is at risk of having one of these letters forwarded onto them in the mail by their ISP.

Since VPN users take on an IP address registered with their VPN server, any alert relating to alleged infringement goes to the VPN service rather than the ISP of the user doing the alleged infringing.

It’s worth looking closely at a VPN provider’s terms of service, and logging policy, if you are a heavy torrenter to understand how a VPN service responds to these notices.

We strongly condemn torrenting copyrighted material, whether it’s with or without a VPN. Torrenting copyrighted material with a VPN is just as illegal as doing it without one.

The internet’s method of translating web addresses (URLs) into numeric IP addresses.

Every website has an IP address, but it would be a horrible task for you to have to remember it for every site you want to visit.

Instead, we memorize domain names. Every domain name corresponds to an IP address.

For example, the domain name Top10VPN.com converts to an IP address of 151.101.50.49 via DNS.

This translation process is usually performed by your ISP, meaning that it can see every site you visit, along with its IP. But when you’re connected to a VPN, all DNS requests are first routed through the VPN tunnel and then resolved by the VPN provider, rather than by your ISP.

This is a core function of a VPN, and it means that your ISP has no idea what websites you’ve been visiting.

Pick the wrong VPN, though, and this process may fail. You could be exposed to a DNS leak.

DNS hijacking is a form of man-in-the-middle attack wherein the hacker intercepts your traffic before it reaches the proper DNS server. The hacker then redirects the unsuspecting user to a malicious site.

Sometimes these can be sites designed for phishing (which look just like the real site, but instead steal any entered credentials) or they can simply be different sites entirely, riddled with malware.

A VPN can prevent DNS hijacking by creating a secure tunnel between your device and the DNS server, ensuring that your DNS requests can’t be observed or tampered with.

These occur when a DNS request slips out of the encrypted VPN tunnel and instead go via your ISP, meaning your true IP address (as well as the site you’re trying to visit) is exposed. You can check for DNS leaks with our free leak test tool.

The best way to prevent this from happening is to choose a VPN provider that offers built-in DNS leak protection. Any VPN with a respectable score on our website is guaranteed to keep you safe from leaks of all sorts, not just DNS.

We explain in full what DNS is a little further up this page. DNS over HTTPS aims to improve this technology and make it even more secure and private.

Currently, DNS requests are sent in ‘plain text’ – that is to say, entirely unencrypted. Anyone spying on you (not to mention your ISP) can see the name of the site you’re browsing to. This makes DNS requests particularly vulnerable to ‘man-in-the-middle’ attacks.

DoH, however, aims to secure this process by securing all DNS requests within what’s called an ‘HTTPS GET’ or ‘HTTPS POST’ request.

This means that, just as HTTPS domains are secure, DNS requests will also be secured – protected from interference and interception.

Server Name Indication, or SNI, was made an internet standard all the way back in 2003. SNI allows a server to host multiple HTTPS websites all on the same IP address.

SNI also requires your device to specify which of these websites it wants to connect to, to ensure that you’re not returned a random or incorrect one from the same IP address.

However, this information is all transported in plain text, which is no good for privacy or security. It means that your DNS request or your own IP address could be leaked as the server attempts to resolve your request.

ESNI, or Encrypted Server Name Indication, aims to solve this by encrypting the process. With ESNI, only the server and the client trying to connect to it has the key capable of decrypting it.

ESNI technology is currently in a preliminary phase. Only users of certain versions of Mozilla Firefox will be able to use it, and only when accessing services hosted by Cloudflare (which hosts a great explainer on the matter here).

When it’s been shown to work properly, we hope to see ESNI supported by other browsers and content delivery networks (CDN), and eventually used automatically for the majority of web traffic.

Until then, a VPN is important to prevent leaks during the SNI stage.

A free, open-source web browser developed by Mozilla Foundation, a non-profit organization.

It still isn’t quite as widely-used as Google Chrome, but Firefox is becoming more popular with security-conscious users due to the abundance of privacy enhancing add-ons on offer.

You can also install extensions within Firefox browser, just like Chrome.

Here are the very best Firefox VPN add-ons we’ve tested.

Geo-restrictions refers to restricting access to web content based on the user’s geographical location. For example, BBC iPlayer is only accessible to UK residents, and Hulu is only available in the US.

It is also used by governments in high-censorship countries to block websites that are deemed inappropriate or those that are illegal under local laws.

You can use VPNs to unblock region-restricted websites and apps. However, be careful not to infringe any copyright laws or violate any terms of service.

Using software to change your virtual location is commonly known as ‘geo-spoofing’, and is one of the most popular reasons to use a VPN.

You can also geo-spoof by using a proxy. If all you want to do is access content unavailable where you are then proxies are fine, but be warned that your data won’t be encrypted while doing so, and you’ll be publicly visible.

The most commonly used name for the Chinese government’s vast, advanced internet censorship apparatus.

Just as the Great Wall was designed to keep intruding armies out of the country, the Great Firewall is designed to prevent outside internet from reaching the people of China.

It’s the most advanced, most large-scale example of government web censorship in the world. Thousands of websites are blocked, including many that those in unrestricted nations would take for granted, like Google and Wikipedia.

The Great Firewall is so advanced that the overwhelming majority of VPNs can’t even get around it.

Our reviews have uncovered a small number of VPNs that works reliably in China, but even then some will need to be downloaded before you enter the country as the Great Firewall blocks the providers’ websites.

A more secure version of HTTP, the protocol that is the foundation of the web. ‘HTTP’ stands for ‘Hyper Text Transfer Protocol’ – the ‘S’ in ‘HTTPS’ stands for ‘Secure’.

Hypertext is any sort of online content which links through to other content – without it, the internet is just an entirely separate and disconnected assortment of web pages. You’ll see either HTTP or HTTPS at the start of the URL of almost every website you visit. To understand the difference, you need to how HTTP actually works.

Put simply, HTTP is a series of requests and responses. When you attempt to access a website, the ‘client’ (your web browser) sends an HTTP request to the ‘server’ (where the website you want to access is hosted). The server then returns a ‘response’ to the client – this response is usually the resource requested, i.e. a website.

When this transaction takes place over HTTP, rather than HTTPS, it is entirely unencrypted. That means that not only can hackers view the contents of the request and response (known as an eavesdropping attack), but they could potentially hijack the process and insert whatever data they want instead of the requested response (known as a man-in-the-middle attack).

HTTPS uses secure port 443 by default and encrypts all user data, making it far less vulnerable to these attacks.

Previously it was mainly used by banks and online retailers, but it’s now the norm for mainstream websites. If you ever find yourself on a standard HTTP website then it’s a good sign that either the owner has forgotten to keep it updated or that the site is outright dangerous.

When you visit a HTTPS website, anyone monitoring your activity can tell that you’ve visited the site, however they won’t be able to see anything specific that you’ve done, such as the pages you visited or any details that you entered into forms.

Look for a padlock icon in your browser’s URL bar and try to only use websites where the address begins with https://

As defined by Access Now, an internet shutdown is an intentional disruption of internet or electronic communications, rendering them inaccessible or effectively unusable, for a specific population or within a location, often to exert control over the flow of information.

Internet shutdowns are remarkably common, all over the world. While they may often be associated with totalitarian or discriminatory governments, we have, on occasion, seen internet shutdowns from otherwise-democratic governments in an attempt to stop access to or the spread of hate speech or dangerous content.

Internet shutdowns are rarely total in nature – they’re often confined to specific regions, specific websites, or specific providers. To learn more, read our regularly-updated internet shutdowns report.

A unique numerical address given to your internet connection by your ISP.

These can be ‘rotated’ (changed) on a regular basis or randomly reassigned every time a connection resets, but everything you do online is linked to one.

There are two types of IP address: public and local. The vast majority of the time, when we talk about IP addresses we’re referring to public IPs.

Public IP addresses assigned by your ISP will apply to all the devices connected to your network. That means that, for example, your smartphone and your laptop look the same to your ISP.

Local IP addresses are assigned by your router to all of the various devices connected to it as a means of telling them apart. They’re only visible to those on that network, and are rarely something you need to worry about.

IP addresses aren’t purely virtual, either – they’re also tied to physical locations. This is how VPNs work to get you around geo-blocked content. They assign you an IP address from a server in a different country, meaning that any website or service trying to see where you are will be none the wiser.

See your own IP address with our IPv4 and IPv6 checker tool, or read our guide on how to hide your IP address.

This happens when a device running a VPN ends up contacting a default server, rather than the intermediary VPN server it was supposed to.

The result is that websites or apps you’re using can see your real IP address instead of the one your VPN has assigned you.

You can test for IP leaks using our free VPN leak test – it takes less than a minute and require very little technical knowhow, so don’t be put off by the idea of it.

In order to prevent this happening you should select a VPN provider that offers DNS and IPv6 leak protection.

Short for Internet Protocol Version 4. The current default system for defining numerical IP addresses (see our definition of DNS above).

First devised in 1983, IPv4 is based around a 32-bit address scheme, meaning that it there are 2³² addresses available – that’s almost 4.3 billion. 94% of all internet traffic flows through IPv4 addresses.

An IPv4 address will look something like this: 198.51.100.1

The trouble is, the internet has exploded exponentially in popularity since IPv4 was first created, and now addresses are running out as only a limited number were available for assignment.

This is where IPv6 comes in (see below).

Internet Protocol Version 6, a new standard introduced to solve the problems presented by IPv4.

It utilizes 128-bit rather than 32-bit internet addresses, meaning the total number available is absolutely enormous: compared to IPv4’s 4.3 billion, IPv6 has over three hundred and forty undecillion.

In terms of practical application, it’s essentially inexhaustible.

An IPv6 address will look something like this: 2600:1005:b062:61e4:74d7:f292:802c:fbfd

IPv6 is still fairly niche, though, and unfortunately a lot of VPNs fail to direct IPv6 traffic through the VPN tunnel.

If you connect to a website that supports IPv6, your DNS request can be handled by your ISP, therefore exposing your true IP address.

Some VPN services that don’t work on IPv6 connections block your internet connection altogether in order to stop your IP from being revealed.

The company that supplies your internet connection. Unless you use a VPN, your internet data remains unencrypted, meaning your ISP can see everything you’re doing online.

ISPs in many countries (notably the US, most of Europe, Australia and Russia) are legally required to store customer metadata to allow government access if necessary.

Some ISPs even monitor internet traffic in real time and feed it directly to law enforcement agencies and intelligence networks.

A feature offered by most popular VPN services, a kill switch prevents your true IP address from being exposed should the VPN connection drop for any reason.

Some VPNs allow you to choose certain sites or apps to bypass the kill switch (known as split tunneling) however most will simply cut off all internet connections until the VPN tunnel is re-established.

Note that not all providers will call it a kill switch, for example ExpressVPN calls it a ‘Network Lock’. Some VPNs come with a kill switch built in, which is great if you might otherwise forget to switch it on.

Wherever possible, you should try to choose a provider that offers this feature. Even the most reliable of VPNs can experience drops or disconnections, and your hardware can also be just as guilty – it’s always better to be safe than sorry.

Layer 2 Tunneling Protocol is a commonly used VPN protocol that’s built into most popular operating systems.

It’s quick and easy to set up and is secure enough if implemented correctly. There are some concerns that the NSA might have deliberately weakened it, although this isn’t backed up by any solid evidence.

L2TP itself is actually unencrypted, which is why it’s usually bundled together with IPSec (Internet Protocol Security) to created the simple, secure L2TP/IPSec.

There are no major vulnerabilities to note, but if you’re planning to use it in a high-censorship country you could have some issues, as it isn’t very effective at bypassing firewalls due to communicating over the easily-blocked UDP.

Any information collected or retained by your ISP or VPN provider. This is usually spelled out in its privacy policy or terms and conditions.

Some VPN providers incorrectly claim to be ‘zero logs’, so it’s vital make a clear distinction between those that don’t collect logs and those that do.

Not all logs are bad – we don’t judge a provider too harshly if it solely collects connection metadata to help it run its service better (for example how many users are connected to a server at once, or how much data you consume over the course of a month).

So long as that data is entirely anonymous and can neither be traced back to you nor reveal your activity in any way, that top-level logging is largely harmless.

What we absolutely don’t want to see logged by a VPN, though, is:

• Your real IP address
• Unique information about your device (such as your smartphone’s IMEI number)
• The IP addresses of sites you visit
• DNS requests you make while browsing
• Detailed connection timestamps

All of these things can be used to identify you, should they fall into the wrong hands. There are plenty of other things that VPN providers can log, too, but we believe that those are the absolute worst.

If a VPN does collect logs, we also want to see them deleted in a timely fashion – ideally as soon as your session is over. Some providers can hold on to them for months, or even indefinitely.

It’s best to choose a provider that collects a minimal amount of logs to protect your online privacy, or even better a VPN that doesn’t collect any logs whatsoever. This way, everything you do online remains completely private and can in no way be traced back to you as an individual.

Unsure if your VPN is logging too much? We go into greater detail in our guide to VPN logs.

Ordinarily, when using a VPN, your web and app traffic travels from your device, to the VPN server, then on to its destination point.

Multi-hop VPN is a feature that routes your traffic via two different VPN servers instead of just one. These servers are usually in totally different parts of the world.

The goal here is added security – the more points your traffic jumps between before unencrypting itself at the destination, the harder it is to track. It’s a similar concept to Tor.

While added security is always appreciated, the downside to multi-hop VPN is that it makes your connection much slower, as your traffic has to travel double the distance.

We don’t think that multi-hop VPN is strictly necessary, and 99% of users will be fine using a standard VPN connection, but it can be useful in certain circumstances (where anonymity is an absolute must, or when you want to bypass censorship).

A popular term used when discussing the visibility of VPN traffic.

While VPNs do a terrific job of encrypting and shielding your data, they’re also quite obvious when they do it. Many websites, services, or anyone observing the flow of information are able to tell when a traffic is regular and unencrypted, and when it’s being run through a VPN.

Obfuscation is the act of masking that VPN traffic, passing it off as regular data from a regular internet user.

This is most important when trying to work around government censorship blocks in countries like China. Their censorship setups are so advanced that standard VPNs will be detected – advanced obfuscation technologies are required to sneak by undetected. Only a handful of top quality VPNs have the obfuscation necessary to do so.

Open source software is a product built with source code that is freely available for anyone to inspect.

We love seeing VPNs which are open source, as it means that technically proficient users, security buffs, and white hat hackers can inspect the VPN at its most basic level to check for weaknesses.

Being open source also means that a provider can’t lie about the capabilities or activities of its VPN and get away with it.

A number of top-tier VPN services are open source. And our favorite VPN protocol, OpenVPN, is also open source.

The industry-standard VPN protocol and the one we recommend you use wherever possible.

OpenVPN is an open-source software that’s highly configurable and offers the best balance between performance and privacy.

OpenVPN encryption is comprised of two parts: data channel and control channel encryption. Data channel encryption secures the data itself, while control channel encryption uses TLS to secure the connection between your computer and the VPN server.

It isn’t natively supported by any platforms, but is available on most of them through third-party software. The majority of VPN services will offer custom apps that run on OpenVPN – we do most of our speed testing over OpenVPN.

It runs best on a UDP port, but can be set to run on any, including TCP port 443, which is the port used by regular HTTPS traffic.

While OpenVPN in its default configuration is blocked in high censorship countries like China, it continues to work well combined with some form of custom obfuscation. ExpressVPN, Astrill, and VyprVPN, for example, all do this.

P2P is a type of network in which computers or other devices share files with each other rather than downloading them centrally from a server.

Even before a file download is complete, devices in the P2P network will upload parts of the file to other devices requesting that file. This data transfer continues even after the initial download is complete, which can make large P2P networks an incredibly efficient means of sharing data.

There are different types of P2P platforms or systems, many of which revolve around large media files, often causing copyright infringement issues – you’ll likely have heard it referred to as torrenting.

Some of the most popular uses of P2P networks today are torrenting, Kodi and services like Popcorn Time. It’s important to remember that not all P2P is illegal, though. Far from it, in fact, as so long what you’re sharing isn’t copyright protected then it’s totally legal.

Every time you connect to a VPN, the client (your VPN app) and the VPN server exchange a key. This key allows both parties to decrypt the data being transferred between themselves – in this instance, that data is everything you’re doing online.

Obviously it’s imperative that that key is kept 100% private. If a hacker or spy were to intercept it they would be able to see everything you’ve done while connected to your VPN.

Ordinarily, there’s one ‘master key’ that your VPN will use when you connect. This is where Perfect Forward Secrecy (sometimes referred to as PFS) comes in to play.

Perfect Forward Secrecy guarantees that your VPN is generating a brand new key every time you connect to it. That means that, should the very worst happen, a hacker would only have access to your data from the very most recent session, rather than every connection you’ve ever established.

With the level of encryption employed by most VPNs it’s incredibly unlikely that their keys will ever be cracked. Still, Perfect Forward Secrecy is a very useful extra step to take in protecting yourself online.

Plenty of VPNs use PFS. There are a number that make it explicitly clear on their websites, while a load more will be using it without actually promoting it. Some of our favorite VPNs with PFC are:

• ExpressVPN
• IPVanish
• Private Internet Access
• Hotspot Shield

Your home router has something called a NAT firewall built into it. As the router acts as a gateway between all your devices and the internet, it’s the NAT firewall that determines which traffic is meant for which specific device. It also blocks out unwanted traffic.

The NAT firewall does this automatically – port forwarding allows you to configure it manually.

Of the 60,000 or so ports on your router, the first 1,000 are dedicated to a specific set of common functions. The majority of the remainder can be assigned to whatever you like.

Assigning a port to a specific device on your network allows your router to create a direct connection between it and the desired destination (be it a website or another device).

Some of the most common reasons to set up port forwarding are to connect to a gaming server, connect to an internet of things device, or to improve torrenting P2P connections.

This direct line of communication would usually mean leaving your device’s identity and IP address exposed, but by doing so over a VPN you ensure that an open connection is maintained while your IP address remains anonymized.

While open ports are great for speed, they can also pose a security risk. Some VPNs don’t permit port forwarding, as they aim to protect you from unwanted web traffic.

PPTP, or Point-to-Point Tunneling Protocol, is an outdated VPN protocol with lots of known security issues.

First introduced in 1995, PPTP is available on almost all major platforms and is very easy to set up without the need for third-party software, and its simplicity, versatility, and speed mean that it’s still offered by a large majority of VPN providers.

However, PPTP is highly insecure. In fact, it’s probably the least secure VPN protocol out there.

It’s been proven that the NSA has managed to crack it, hackers can extract Windows NT password hashes from its authetication process, it’s extremely vulnerable to dictionary attacks, and all of this is well known – making PPTP a target.

We recommend that you use virtually any other protocol rather than PPTP – OpenVPN is our favorite.

A proxy server acts as an intermediary between your computer and the internet, so any traffic routed through it will appear to come from an IP address different from your own.

While this may sound a lot like using a VPN, proxy connections are not encrypted.

While the website you’re visiting won’t know your true IP address, your ISP will still be logging your activity. The owner of the proxy server will also be able to see your originating IP address, and hackers will still be able to intercept your traffic.

Proxies are extremely popular for getting around content geo-blocks, as they change your virtual location quickly and simply, with no slowdown and (usually) at no cost. While they’re fine for this purpose, we would still recommend a good VPN that can do all that while also keeping your traffic encrypted.

Most VPN browser extensions are proxies, so check our reviews before you start using one. They’re handy for heavy browser users just looking to mask their IP address, however most of them aren’t VPN substitutes.

Secure Sockets Layer (SSL) is the standard technology used for establishing an encrypted connection between two systems. This could be between a web server and a client (e.g. an e-commerce website and a browser) or server to server (e.g. an application that processes financial details).

This connection ensures that all data passing between the two parties remains encrypted, private, and whole, and prevents malicious parties from reading or modifying the information transferred.

In order to create an SSL connection, a web server requires an SSL Certificate. To receive this, you will be required to answer a number of questions regarding the identity of your website and your company. The server will then create two cryptographic keys: a Public Key and Private Key.

Along with your website’s details, the Public Key is then placed into a data file called a Certificate Signing Request (CSR), which you can then submit to a certification authority like Let’s Encrypt.

This third party will then validate your details and issue you with an SSL Certificate, allowing you to use the protocol on your website. Your server will match your issued SSL Certificate to your Private Key, and will then be able to establish an encrypted link between the website and a user’s web browser.

When a browser connects to a secure website it will retrieve the site’s SSL Certificate and ensure it up-to-date, is issued by an Authority the browser trusts, and it is being used for the correct website. If it fails any of these checks, the browser will display a warning to the user that the site is not secured by SSL.

When a website is successfully secured by an SSL certificate, HTTPS (Hyper Text Transfer Protocol Secure) will appear in the URL. The details of the certificate can be viewed by clicking on the lock symbol in the browser bar.

TLS (Transport Layer Security) is an updated, more secure version of SSL. While many still refer to their security certificates using the term SSL, when you are implementing SSL from an authority today you are actually using the most recent TLS certificates.

If you’d like to look into the configuration of any SSL server on the web, you can use an independent auditing tool like Qualys SSL Labs, which will assess and rate the SSL/TLS connection of any given server.

The assignment of multiple users to a single IP address.

Ordinarily, your IP address is unique to your router, so is solely allocated to the devices and people connected to it.

A shared IP address makes its more difficult to pin down a single user, therefore increasing privacy.

This is a key principle of VPNs, and why some don’t invest heavily in a large number of available IP addresses. On the one hand, a small number of IP addresses can result in slowdown during busy periods but, on the other, it also leads to a greater level of privacy due to the sheer number of people using it.

When you pick a VPN, decide which of those two factors matters most to you.

Sideloading, as the name suggests, sits somewhere between uploading and downloading.

It’s most commonly used when referring to the installation of apps on Android devices that aren’t officially listed on the Google Play Store.

These apps have to be downloaded as .APK files, and then installed (or sideloaded) from a separate app or device.

In VPN terms, this means installing the APK of your VPN onto an Android device (most likely a Fire TV Stick or an Android TV device) using a file manager app in order to find and load the APK file.

The number of devices you can use your VPN on at the same time.

The more simultaneous connections a VPN provider allows the better, as it means you can protect all of your household or family’s devices, as well as your own.

Between three and five simultaneous VPN connections is standard, but watch out for restrictions on the most basic or free plans, which limit you to just one.

A handful of VPN servcices don’t place any restrictions on the amount of devices connected at the same time.

Smart DNS is a tool which, much like a VPN or proxy, allows you to appear to be connecting to a website or service from a different part of the world than where you actually are.

The difference here is that, rather than change your IP address, Smart DNS changes the DNS server that your traffic is routed through (you can learn more about DNS in our glossary entry here).

By re-routing your DNS requests, your true location is kept a secret and previously blocked sites are now made available. Beware, though, that Smart DNS does not encrypt your traffic like a VPN does.

The lack of encryption does make Smart DNS fast, though, and it’s also geared for easy use on devices that usually lack native VPN apps, such as games consoles, Apple TV, and other streaming devices.

A popular VPN feature that allows you to control which apps or programs travel outside of the encrypted VPN tunnel.

It may seem counter-intuitive to deliberately leave some of your traffic unencrypted and personally-identifiable, but there are some circumstances where split tunneling is necessary.

Certain services may not work unless they think that you’re in the correct real-world location (like online banking), while some services actively detect and block VPN traffic (like Amazon Prime Video).

Simply use split tunneling to route these apps outside of the VPN and they’ll work exactly as normal – just beware that they won’t be encrypted.

Some VPN providers offer static IP addresses, often for an extra monthly premium.

Ordinarily, the address assigned to you by a VPN is dynamic. That means that it’s randomly assigned every time you connect.

With a static IP address, however, you’re guaranteed to be connected to the same IP address every time – a bit like how your home router has the same fixed IP address.

There are pros and cons to using static VPN IP addresses. On the positive side, a static IP address:

• Guarantees faster speeds as you’re the only person connecting to it.
• Can help with unblocking geo-restricted content, as its traffic patterns resemble normal web traffic more so than VPN traffic.
• Can making using online services a smoother experience – some can take issue with frequently-shifting IP addresses on one account.

There are some crucial downsides to static IP addresses, though:

• They’re explicitly linked to you. If you want to use a VPN for anonymity then a static IP address is the complete opposite of that. Even if the VPN provider doesn’t keep usage logs your activity could still all be traced back to you.
• They’re tied to one region. A static IP address stays in place – that means that if you want to connect to a server in a different country you’ll have to use a different (shared) IP address.
• They cost money. It’s usually considered an extra service, and some VPN providers don’t even offer them.

We personally believe that you shouldn’t be using a static IP address. VPNs are a privacy tool first and foremost and a static IP address runs directly contrary to those principles. However, they can have their uses – only you can say whether or not it’s the right choice for you.

TCP stands for ‘Transmission Control Protocol’, and it’s one of the two protocols that OpenVPN can run over (the other being UDP).

TCP is viewed as the more reliable of the two OpenVPN protocols.

When packets of data are transferred over TCP, the client (i.e. the device sending it, like your smartphone) waits for confirmation that the packet has been correctly received, before then either sending the next one or resending the failed packet.

This guarantees the transaction to be completed properly, but it comes at a cost to its speed. As TCP’s checks involve data being sent back and forth, the further you are from the VPN server the greater the slowdown will be.

If you’re using a VPN to stream content over great distances, or to game on faraway servers, then you should use UDP instead. For everything else, TCP is a good choice (the VPN in question even lets you choose between the two of them, that is – many don’t).

Speed throttling, or bandwidth throttling, is when your ISP intentional slows down the speed of your internet connection. This is usually used as a way of regulating network traffic and therefore minimizing potential bandwidth congestion.

Often, ISPs will detect users taking part in high-bandwidth activities such as streaming or torrenting and intentionally throttle their traffic to even out the usage across the network. A good VPN service will prevent this from happening as your ISP won’t be able to see what you’re doing online.

Free software that anonymizes your browsing, Tor stands for ‘The Onion Router’.

While it’s best known for providing access to the Dark Web, it’s actually becoming increasingly common among everyday internet users seeking the highest possible levels of privacy.

It’s also an excellent way of bypassing government restrictions and accessing blocked content in high-censorship countries, however be warned, it is incredibly slow.

Tor can be used to access .onion websites, which is the suffix of pages on the Deep Web (instead of the usual suffixes like .com or .org). These websites are entirely inaccessible through standard web browsers (like Chrome or Edge) without additional software.

When you request a service or website through the Tor browser, your request is wrapped in multiple layers of encryption. It’s then bounced through three or more randomly selected nodes on the Tor network.

Each node decrypts and forwards the request to the next server in the chain. The last node – known as the exit node – performs the final decryption, reads the content of the transmission (for example, the URL you originally requested), and sends it to the destination server.

As a result, users are completely anonymized. Someone spying on the exit node may be able to see what site was visited, but they would have no way of knowing who visited it.

Connecting to Tor through a VPN is an excellent way of ensuring your security, and some VPN providers actually offer servers optimized for that purpose.

Read our dedicated guide to learn more about the differences between Tor and VPN – plus the pros and cons of each and how to use them together.

First defined in 1999, TLS is a proposed Internet Engineering Task Force (IETF) standard that builds on earlier SSL specifications to provide secure communications over a network. Websites, email services, instant messengers, and VoIP services can use TLS to secure all communications between their servers and a user’s browser.

The protocol primarily aims to provide privacy and data integrity between two or more communicating applications. When secured by TLS, connections between a client (e.g. a web browser) and a server (e.g. wikipedia.org) are encrypted, authenticated, and regularly checked for integrity.

The technology is comprised of two layers: the TLS record and the TLS handshake protocols. The former provides connection security, while the latter enables the server and client to authenticate one another and to negotiate encryption keys before any data is transmitted.

TLS is more efficient and secure than SSL thanks to stronger authentication, encryption, key-material generation, and a range of other processes. This includes the use of secure remote passwords, pre-shared keys, elliptical-curve keys, and lots more — all of which SSL does not support. TLS and SSL are not interoperable, but TLS does offer backward compatibility for older devices. 

In addition to the properties above, certain configurations of TLS can provide additional privacy-related features such as ‘perfect’ forward secrecy, which ensures that future disclosure of encryption keys cannot be used to decrypt TLS communications recorded in the past.

UDP stands for ‘User Datagram Protocol’ and, along with TCP, is one of the two different protocols used by OpenVPN.

Unlike TCP, which employs a reliable method of checking that data packets have all been communicated between your device and the VPN server, UDP employs no such error correction.

That means that data sent over UDP is either sent and received very quickly – or with errors.

As a result, we recommend that you use UDP for tasks like streaming or gaming, where lag-free data transmission and fast download speeds are a priority.

For any other task, though, TCP is preferable due to how reliable it is. Many VPN providers don’t let you choose between the two when you use OpenVPN, but it’s always worth checking.

Uniform Resource Locator, otherwise known as a website address to you and me (e.g. www.top10vpn.com or www.google.com).

Technically speaking, URLs are addresses made of words and numbers, which are then converted into IP addresses by a DNS translation service so they can be understood by your computer.

You’ll see a URL at the top of every webpage in your browser’s search bar. URLs can be broken down into several key components. Let’s take https://www.top10vpn.com/ as an example to better understand how they work.

• https:// is the ‘scheme’. It details what protocol has to be used in order to fetch the information you’re attempting to access (the information, in this instance, being the website you’re on right now).
  HTTPS is a more secure version of HTTP – the vast majority of the URLs you visit will use one of these two.The : indicates the end of the scheme, while the // signifies the start of the hostname (i.e. the website you’re looking for).
• www. defines the location of the content – in this case, the rest of the URL that follows is hosted on the world wide web.
• top10vpn is the domain name.
• .com is the domain suffix, and tells you what sort of website you’re visiting, or its location. For example, ‘.gov’ indicates a government organization, while ‘.co.uk’ indicates a site based in the United Kingdom.
• Anything that follow after that dictates where the content can be found on the server that hosts the website. It works just like your computer does, like when you access the C: drive and then browse to /User/My Documents/ to find a specific file, for example.

Short for Virtual Private Network, they give you privacy and security online, unblock restricted content, and allow you to appear as if you were connecting to the web from another country.

It does this by encrypting your internet connection and diverting you via a remote VPN server in order to replace your IP address.

This is just a top-level explanation, though. We explore VPNs in much greater detail in our dedicated guide, ‘What is a Virtual Private Network‘, including more technical information and the reasons why you you should you use one.

The software that you use to connect your device to a VPN server.

The term “VPN client” is generally used to refer to a VPN provider’s desktop or mobile application.

Be careful not to confuse this with the general computational use of the word ‘client’, which would be referring to your hardware (like your desktop computer or smartphone) rather than the software running on it.

The processes and sets of instructions VPN clients rely on to establish secure connections between a device and a VPN server in order to transmit data.

A VPN protocol is a mix of transmission protocols and encryption standards. Read our complete VPN protocols for a more detailed explanation of what these protocols are, and how they work.

Popular VPN protocols that you’ll regularly see from numerous providers include:

• PPTP
• L2TP/IPSec
• IKEv2/IPSec
• OpenVPN
• IPSec
• SSTP
• SoftEther
• Wireguard

OpenVPN is our protocol of choice, thanks to its excellent combination of security and speed. However, WireGuard is quickly becoming a strong second choice.

A common term for the encrypted connection between your device and a VPN server.

It’s often referred to as a metaphorical ‘tunnel’ because it can’t be breached, its entirely opaque, and it can take you from your physical location to an entirely different geographical one.

Read more about VPN tunnels in our introduction to how VPNs work.

Commonly found in cafés, hotels, and airports, these are public internet access points that can be used by anybody and everybody.

While they’re undeniably useful if you don’t want to use up your data allowance when you’re out and about, a major downside is that they are not secure.

It’s easy for hackers to set up fake hotspots that look like the real thing, detect your web traffic as it travels from your device to the hotspot, or hack the router itself.

The best way to browse securely on free WiFi hotspots is to first connect to a VPN. This will encrypt your internet connection so it cannot be intercepted by anyone else.

That said, if the public network you’re using requires any sort of password then you should be safe.