VPN Glossary: key terms explained
Kill switches, DNS, geo-spoofing – what does it all mean?
- Advanced Encryption Standard (AES)
- Black box
- Catapult Hydra
- Cipher
- Dark web
- Deep Web
- DD-WRT
- Deep Packet Inspection (DPI)
- Domain Name System (DNS)
- Eavesdropping Attack
- Encryption
- Encryption Key
- Five Eyes Alliance
- Geo-blocking
- IP address
- IPv4
- IPv6
- IP leak
- Jurisdiction
- Key Exchange
- Kill switch
- Latency
- Leak
- Lightway
- Logging
- Man-in-the-middle attacks
- No Logs Policy
- Obfuscation
- OpenVPN
- Perfect Forward Secrecy
- Ping
- Protocol
- Proxy
- Public Wi-Fi
- Split tunneling
- strongSwan
- Throttling
- Tor
- Tunnel
- VPN Client
- VPN Server
- VPN Service
- Warrant canary
- WebRTC
- White box
- WireGuard
Virtual Private Networks (VPNs) are, undeniably, handy pieces of kit for anyone who values their digital privacy. They can put a stop to snooping cybercriminals, invasive ads, and ISP (internet service provider) throttling that can grind your streaming sessions to a halt. Unfortunately, the language used on provider sites can be super-techy and obscure.
If you've ever wondered just what encryption is, exactly, or the difference between a DNS leak and an IP leak, you’re not alone – and I'm here to help.
I've picked out the terms you're likely to come across when shopping around for the best VPN in the business. I've summed up each one with a jargon-free explanation that'll help you wrap your head around the key VPN concepts – whether you're totally new to the tech or have some experience under your belt.
Advanced Encryption Standard (AES)
Advanced Encryption Standard (AES) is an encryption cipher that determines how data is encrypted and decrypted.
AES is the industry's gold standard, and you'll often find it described alongside the key length. AES-128 uses a 128-bit key, for example, whereas AES-256 encryption uses a 256-bit key. The more bits, the stronger the encryption, and AES encryption is virtually uncrackable (even when tested by brute force attacks).
Black box
Auditors use a "black box" testing technique to check out VPN services from the point of view of an everyday user – like you and me. While black box testing lets the auditor install and run the VPN, it doesn't allow them to comb through the service's app and server source code. That requires a "white box" test.
Catapult Hydra
A VPN protocol developed by Hotspot Shield. It uses TLS 1.2-based security, but additional details on how the protocol works haven't been shared by the provider.
Cipher
Ciphers contain rules for data encryption and decryption – and there are all sorts of ciphers available. Blowfish is an enduring favorite, developed in 1993, and still widely used today. Advanced Encryption Standard (AES) is tougher, however, and has become the VPN industry's gold standard.
Dark web
Web content that lives on darknets, which are only accessible to savvy users with specific software. The Tor network is the most popular of these.
Deep Web
Similar to (but not the same as) the dark web, the deep web is any site that isn't indexed by search engines – think Google, Bing, etc. You can access these deep web sites via a direct URL or IP address, but you might need an additional password to view content.
Deep web sites are used for online banking, email providers, and forums where you'll need an account to join the conversation and check out content.
DD-WRT
Firmware you can use to improve your wireless router's performance: better speed, more features, and extended functionality. You'll need to "flash" your router to do this, however, which can be risky. Lots of VPNs are compatible with DD-WRT (including ExpressVPN and NordVPN), meaning you can set them up on a range of wireless routers.
"DD" is a reference to Dresden, in Germany, where DD-WRT firmware was initially developed. "WRT" means wireless router.
Deep Packet Inspection (DPI)
Filtering technologies that inspect network traffic to understand its purpose. DPI uses pre-defined criteria to check out traffic, find viruses, malware, hackers, spam, and other threats, and block them. Unfortunately, DPI can also be used by repressive government regimes to monitor their citizens' online activity.
When you connect to a VPN, your traffic is encrypted and much harder for snoopers to inspect with DPI. That means you can go about your browsing with added peace of mind. A VPN isn't a rock-solid guarantee of privacy against DPI, however, as DPI can be used to sniff out and prevent VPN usage.
Domain Name System (DNS)
DNS takes the URL you type into your browser's address bar and turns it into a numeric IP address that your device uses to find the webpage and load it up. DNS is often thought of as the translation of human inputs (like URLs and domain names) into computer-friendly numeric codes.
Your default DNS provider is usually your ISP (Internet Service Provider). However, connect to a VPN, and your DNS will be provided by the VPN service provider.
Eavesdropping Attack
A form of hacking that targets information as it is transmitted over unencrypted wireless internet connections. Often, these are free Wi-Fi hotspots you find in cafes and airports, and they typically don't require a password.
Eavesdropping attacks are sometimes called "sniffing attacks" or "spoofing attacks".
Encryption
Encryption encodes data, turning it into a random string of unintelligible characters, and prevents it from being read by snoopers and hackers. An algorithm encrypts your data, and a cipher is used to subsequently decrypt it once it reaches its destination.
Today's best secure VPNs use a variety of encryption protocols to protect your data, but AES (Advanced Encryption Standard) is the most widely used and secure.
Encryption Key
Encryption keys are made up of random sets of information used to encrypt and decrypt data. You'll often see keys described alongside their size – like 1024 and 2048. The bigger the number, the more variations there are in the encryption process, and the harder it is for attackers to crack the code.
Five Eyes Alliance
An intelligence network made up of the UK, the US, Canada, Australia, and New Zealand. The existence of the Five Eyes Alliance (and the extent of its data harvesting) was unveiled in 2013, by Edward Snowden, and now we recommend sticking to VPN providers who are headquartered outside of the countries listed above.
Extended alliances exist, too – including the Nine Eyes and Fourteen Eyes.
Geo-blocking
Geo-blocks prevent you from accessing web content – and can limit certain sites, services, and apps to specific countries.
Streaming VPNs can help you get around geo-blocking measures, however, which is vital for folks trying to check out international Netflix libraries. So, if you're on vacation, traveling for work, or simply interested in what other regions have to offer, a VPN is your best bet.
IP address
An IP address is like a digital street name and house number – every device has one, just like physical houses, and they use them to communicate. Any gadget that can connect to the internet has a unique IP address that contains approximate location information and makes sure that the correct data gets routed to the correct computer.
IPv4
IPv4 is what we call the 4th version of the internet's standard protocol, Internet Protocol (IP). IPv4 assigns a unique IP address to every internet-enabled device, allowing them to communicate and connect to the web.
We're rapidly running out of usable IPv4 addresses, however. The protocol is so popular, and there are so many devices connected to the internet, that it became necessary to develop a new standard protocol – IPv6.
IPv6
Internet Protocol version 6 (IPv6 for short) is the newer version of IPv4. Like its predecessor, it defines how IP addresses are dished out to our gadgets and computers, and how they communicate.
IPv6 isn’t as widespread as IPv4, but it's certainly better. It's much quicker, simpler, and has 1,028 times more IP addresses than IPv4. That's good news, too, because we're quickly running out of IPv4 addresses.
IP leak
IP leaks occur when your IP address is visible – even though you're using a VPN.
If you're using your original DNS server, and not the one provided by your VPN, your ISP (internet service provider) can see everything you get up to online. Naturally, this is the last thing you want when using a VPN.
You can visit IPLeak.net, IPLeak.org, or BrowserLeaks.com to check for DNS leaks. Alternatively, lots of VPN providers have their own DNS leak tools – including ExpressVPN's excellent page.
Jurisdiction
The country where a VPN provider's headquarters are located. A VPN provider has to stick to the laws of the jurisdiction – which can vary from country to country.
Generally, we'd advise you to use a VPN headquartered in a country that isn't a part of the Five Eyes alliance – and one without invasive data retention laws.
Key Exchange
A process where two parties securely swap cryptographic keys that can be used to share encrypted data. Anyone who isn't an involved party will be unable to get their hands on a key (or a copy of the key) and, as a result, unable to decrypt the shared data.
Diffie-Hellman is a popular method of key exchange, along with Internet Key Exchange (which you might recognize from the IKEv2 protocol).
Kill switch
One of a VPN's most must-have features. A kill switch cuts your connection to the internet if your VPN connection drops out, and ensures that you don't suffer an IP leak. Without a kill switch, your identifiable information could become visible to snoopers, and your data could be left unprotected.
Latency
How long it takes for data to journey across a network from its source (usually your device) to its ultimate destination (like a website).
When you connect to a VPN, data leaves the source and is routed through the VPN server before it makes it to its destination. This is an extra step in the process – but an important one, as this is where your data is encrypted – that can increase latency.
Leak
Whenever a VPN fails to keep your personal information secure and out of the hands of onlookers (including your internet service provider, the website you're on, other network users, or cybercriminals) it's known as a leak.
Common leaks include: IPv4, IPv6, DNS, and WebRTC.
Lightway
A proprietary protocol created by ExpressVPN – and based on WireGuard. Like WireGuard, Lightway is more lightweight than OpenVPN, consisting of fewer lines of code. This means that it won't drain your device’s battery as fast or demand as much CPU.
Lightway is quicker, connects faster, and is designed to handle common mobile networking hangups – like surprise signal dropouts. Most proprietary VPN protocols are closed-source, but Lightway bucks the trend, and you can comb through its source code yourself if you want to check that it's working as it should.
Logging
Generally, VPN logs are split into two categories: connection logs and usage logs. Connection logs are usually anonymized, and contain information about which server you're using, how long you've been connected to it, and the device you're using the VPN with. Connection logs help VPN services maintain their server networks and troubleshoot issues as they crop up.
Usage logs, on the other hand, are far more insidious. They can reveal your IP address, the websites and services you've visited, and your download history, which is a massive violation of your digital privacy. The Tom's Guide team doesn't recommend VPNs known to keep usage logs.
Man-in-the-middle attacks
A cyberattack that allows a snooper to listen in to conversations between a user device and the sites they visit – and record login details, financial information, and even credit card numbers. Armed with this information, the snooper can go on to impersonate the victim or empty their bank account.
No Logs Policy
A no-logs policy states that a VPN won't keep a record of a user's browsing history, download history, real IP address, DNS queries, or bandwidth usage. Today's top VPNs submit to independent audits of their no-log policies in the name of transparency.
Obfuscation
Obfuscation makes encrypted VPN traffic look just like ordinary web traffic – so the websites you visit can't tell that you’re using a VPN at all. Obfuscation can help you access streaming platforms and blocked services, and nullify VPN bans imposed by certain websites or oppressive governments.
OpenVPN
A massively popular VPN protocol. OpenVPN is secure, configurable, and open-source – which means you could take a look at its source code (and pick out potential bugs or weaknesses) if you wanted.
OpenVPN's security and versatility have made the protocol a mainstay in the VPN world, but the WireGuard protocol (and proprietary protocols, like Lightway and NordLynx) are quicker.
Perfect Forward Secrecy
A method of encryption that frequently swaps the encryption keys that a VPN uses to encrypt and decrypt data. The constant switch-ups ensure that only a small percentage of data is exposed if a bad actor hacks a key.
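The key swap described under Key Exchange and the key rotation described under Perfect Forward Secrecy, as an added example that is not part of the original glossary: a toy Diffie-Hellman exchange in Python where every session uses fresh, throwaway keys. The prime, the generator and all function names are assumptions chosen for illustration, not parameters used by any VPN.

```python
import hashlib
import secrets

# Toy finite-field Diffie-Hellman group, picked only so the example runs with
# the standard library (assumption: illustrative, not a recommended DH group).
# Real VPN protocols use vetted groups or elliptic curves.
P = 2**255 - 19   # a well-known prime
G = 2             # base both sides agree on in advance


def keypair():
    """Create a fresh ephemeral (private, public) pair for one session."""
    private = secrets.randbelow(P - 3) + 2       # 2 <= private <= P - 2
    return private, pow(G, private, P)


def session_key(my_private, peer_public):
    """Combine my private value with the peer's public value into a 256-bit key."""
    if not 1 < peer_public < P - 1:
        # Reject degenerate values that would force a predictable shared secret.
        raise ValueError("peer public value out of range")
    shared = pow(peer_public, my_private, P)      # same number on both sides
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()


def run_session():
    """One tunnel setup: returns (client_key, server_key, values_on_the_wire)."""
    c_priv, c_pub = keypair()
    s_priv, s_pub = keypair()
    client_key = session_key(c_priv, s_pub)
    server_key = session_key(s_priv, c_pub)
    # The private values are discarded when this function returns; only the
    # two public values ever cross the network.
    return client_key, server_key, (c_pub, s_pub)


if __name__ == "__main__":
    first = run_session()
    second = run_session()
    print("both sides agree:        ", first[0] == first[1])
    print("new session, new key:    ", first[0] != second[0])
    print("session 1 key:", first[0].hex())
    print("session 2 key:", second[0].hex())
```

Because each session's private values are thrown away, a key stolen from one session says nothing about the key of the next one.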
Ping
A measurement of latency; how long it takes for data to travel along a network, from one device to the next, and come back with a response.
When you connect to a VPN, your traffic is routed through a VPN server after it leaves your device and before it reaches its ultimate destination. This extra step can result in increased ping.
Protocol
Rules that dictate how data is transmitted between your device and the VPN's server, and how the VPN creates a secure connection between the two.
The protocols you'll see most often include OpenVPN, WireGuard, and IKEv2.
Proxy
Proxies can help bypass geo-restrictions that block access to region-specific services or websites. By masking your original IP address and replacing it with one of the proxy's IP addresses, you can avoid restrictions.
However, proxies aren't usually encrypted, so they're often thought of as unblocking tools rather than a full privacy-enhancing security suite (like a VPN).
Public Wi-Fi
The free wireless connections offered by hotels, airports, cafes, and other public places. Anyone can connect to these public Wi-Fi hotspots – you won't need a password. However, because of this (and because public Wi-Fi hotspots are unencrypted), they're a notorious hotspot for hackers. Users are at risk unless they have a VPN to encrypt data transmitted to and from their devices.
Split tunneling
A feature offered by some VPNs that allows you to send some of your traffic through the VPN, and some not.
If an app isn't working properly with your VPN (a streaming service that blocks access if it detects that you're connected to a VPN server overseas, for example), you can set up split tunneling and direct app traffic through your original internet connection to avoid the problem in the future.
strongSwan
An open-source VPN app. You can use it on Windows, Mac, Android, and iOS, and it's compatible with most VPNs on the market.
Although strongSwan isn't packed with features, you can use it in place of a VPN provider's app if you're having trouble with it.
Throttling
Internet throttling is a mode of digital traffic management that reduces connection speeds. Your internet service provider (ISP) might decide to throttle your connection if you're in the middle of a data-intensive activity (think HD streaming, online gaming, torrenting) to alleviate bandwidth demand.
A VPN prevents throttling by hiding your activity from your ISP – meaning it won't know what you're up to and won't know to throttle you.
Tor
The Tor Network (also known as The Onion Router) is an open-source project that enables secure and anonymous online communication. Tor achieves this by encrypting data multiple times and passing it through randomly selected volunteer-run services (or "nodes").
Although Tor and VPNs aren't the same, they can both mask your IP address and boost your digital privacy – and some VPNs are compatible with Tor.
Tunnel
The encrypted connection that links your device and another network. A VPN, for example, creates a secure tunnel between your device and the internet.
VPN Client
The VPN client is the device owned (or used) by you, the VPN user. This device connects to the VPN server via the encrypted tunnel and can be a PC, laptop, smartphone, tablet, games console, TV, or even a router.
VPN Server
Servers run and maintained by the VPN provider that connect to the internet. VPN end users connect their devices to a VPN server of their choice via the encrypted tunnel. Most of today's top VPNs have hundreds (sometimes thousands) of servers dotted around the globe – talk about being spoiled for choice.
VPN Service
A service or company that provides VPN servers. These servers are scattered around the world and enable VPN users to connect to the internet via the secure encrypted tunnel.
Warrant canary
A document that subtly informs VPN users whether a VPN provider has been ordered to reveal identifiable information about its users. Warrant canaries let users know that a VPN provider hasn't been lumped with a warrant or subpoena, up to a certain date. So, if the warrant canary is wildly out of date or removed altogether, VPN users can typically assume that the provider has come under investigation.
WebRTC
Created by Google, Web Real-Time Communications (WebRTC) is an open-source technology allowing web browsers (and other apps) to support audio, video, and other communications.
However, WebRTC can inform websites about the original IP address of a user, even if they have a VPN, which is known as a WebRTC leak.
White box
An in-depth method of software testing where auditors have access to apps and their source code.
White box VPN audits result in more detailed findings than black box tests, where auditors only have access to the same information as end users – meaning they can test apps, but can’t comb through the source code.
WireGuard
The next generation of VPN encryption – and the successor to OpenVPN in terms of popularity. WireGuard is easy to set up by design, contains fewer lines of code than OpenVPN, and often results in improved speed – making it a favorite of avid streamers and gamers.
Disclaimer
We test and review VPN services in the context of legal recreational uses. For example:
1. Accessing a service from another country (subject to the terms and conditions of that service).
2. Protecting your online security and strengthening your online privacy when abroad.
We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
River is a Tech Software Editor and VPN expert at Tom’s Guide—helping take care of VPN and cybersecurity content, publish breaking news stories, and ensure all of our VPN testing is as accurate as possible. When they’re not following the ins and outs of the VPN world, River can be found plugged into their PS5 or trekking through the Welsh countryside in a very practical, but unfortunately unfashionable, waterproof jacket.