There are loads of users out there enjoying the benefits of VPNs, but a common question found online about these VPNs is whether or not there are any downsides to using free VPNs. For the most part, whether or not you perceive a downside in all this has to do with how much you trust your VPN service provider.
When it comes to secure protocols for the most part, the use of a VPN is bound to be about as secure as anything else simply because the protocol is encrypting your communiqué. Other than launching a side channel attack, which is futile in isolation, there isn’t much anyone can do to you if there is a MITM on the opposite side of the VPN connection. However, this assumes that the software and the protocols are secure in the first place.
Secure protocols are one thing, but the Internet is another entirely. The ultimate problem here is that there is no designation on the part of the Same Origin Policy of a different origin for encrypted data from that of plain data when it comes to cookies. A cookie set on one URL can be read by that same URL. Say there are cookie handling vulnerabilities of some kind on that site, now the allegedly secure connection might actually be subverted, and even if it isn’t, that could change at any time. Some might expect the Secure Flag to be of some use in this instance, but all it does is keep HTTP connection from reading the cookie sets in question over HTTPS; this doesn’t work both ways.
For example, suppose there’s session fixation or some other kind of cookie poisoning, this represents a vulnerability on the site you visit that an untrusted connection (e.g. that which you line through your desired, free VPN) makes you particularly susceptible to. The same would be the case if there were a false presumption that a cookie value had merely been set via HTTPS, resulting in a type of XSS vulnerability.
No Privacy Guarantee
More fundamentally, you probably decided to connect to a VPN in the first place because you wanted anonymity. To be specific, you wanted to browse the Internet without having to be concerned that you were being watched or that your activities to certain sites were being logged. You probably also wanted to hide your IP address from the sites you visited while also concealing your browser history from would-be onlookers. The issue with a lot of this is that, when you attempt to cover it all up, VPNs are inherently a threat to those efforts because they have the means to distinguish between you and their other users anyway. The fact that they can even do that indicates that you are not anonymous to them.
Free VPNs are also often free with strings attached. You have to question why the VPN you’re using in particular would be free given that it does cost some money to run a VPN’s servers. The thing to consider here is that there are loads of marketing firms and consumer psychology studiers out there who would kill for browser behavior statistics, and the best way to acquire that kind of information would be from a free VPN who could simply show them “anonymous” web traffic behavioral patterns using YOU as one of a thousand examples. This simply defeats the purpose of using a VPN for privacy.