NordVPN review: Revamping security practices, but still useful
When I started learning about NordVPN for this review, one of the first things I noticed was that, although its branding seems Nordic, the company’s headquarters is actually in Panama.
Editor’s note (Oct. 29, 2019): NordVPN revealed it became aware in March 2018 that one of its data centers in Finland had been hacked, or accessed without authorization. NordVPN also outlined remediation steps it is taking (see: NordVPN introduces bug bounty program as part of security overhaul).
It took NordVPN quite a while to let users know about the breach. The results of our review haven’t changed, because we evaluated the product at the user level. But our concern about running confidential data through any third party (and this ranges from VPN vendors to your local home improvement store) remains. Our bleak forecast is that nearly every company will be breached. Your defense, in addition to secure passwords, multi-factor authentication, and VPN usage, needs to be checking your accounts religiously. Here are our best practice recommendations that might just keep you safe.
When I spoke to Marty P Kamden, the company’s CMO, he told me the name “was inspired by Nordic ideals of confidence, trust, and innovation. It reflects how we value our customers’ freedom of choice, how we strive to be innovative with our technology, and the way we work.”
There are definitely jurisdictional privacy benefits to using Panama as the country of record for a VPN provider. In particular, the nation doesn’t have mandatory data retention laws and doesn’t participate in either the Quadripartite Pact (better known as Five Eyes or UKUSA) or SIGINT Seniors Europe (or SSEUR, better known as Fourteen Eyes).
These are signals intelligence agreements under which certain nations share collected data with one another. For VPN users concerned about security and government access to communications data, the fact that a VPN provider isn’t subject to either of these agreements is a plus.
NordVPN at a glance
NordVPN is a product worth considering if you’re concerned about protecting your Internet connection from prying eyes. The company boasts 5,100 servers in 62 countries.
This metric is important, because one of the key reasons to use a VPN service is that you connect from your machine to a server somewhere else, often in another country. The more servers available, the better chance you can anonymize your connection.
Beyond basic VPN
The company provides a list of server locations, and each location provides different categories of service beyond basic VPN. There are a total of five communications services offered: P2P, Double VPN, Dedicated IP, Onion Over VPN, and Obfuscated (which means “to render obscure, unclear, or unintelligible”).
P2P: P2P stands for Peer-to-Peer. Back in the days of Napster, P2P was huge. While we definitely don’t condone sharing copyrighted materials, P2P networks have great value in distributing large files without exacting too much of a load on any one machine. For example, many Linux distributions are shared via P2P. NordVPN supports P2P sharing in many countries.
Double VPN: When you connect from your computer to a VPN server, your data is encrypted once along the path. Double VPN routes you through a second VPN server, which provides a second layer of encryption and hides your originating IP address from the second VPN server.
Onion Over VPN: You may have heard of TOR (for The Onion Router). While TOR routes data through multiple servers and encrypts it, the biggest benefit is that, to anyone trying to spy on packets, every TOR user looks the same. It’s a powerful boost to anonymity. Onion Over VPN is Nord’s method of allowing you to use all the benefits of TOR, but across your own VPN connection, as well. If you want anonymity, this is big.
Obfuscated: These are servers that Nord says “can bypass network restrictions such as network firewalls.” This only works with OpenVPN, so you’re limited to their Windows, Mac, and Android apps.
Dedicated IP: This is just about the opposite of everything else we’ve discussed. Many users want to blend in with all the other users as a way to hide their identity. Dedicated IP assigns your account a specific IP that you and only you use. Why would you want to do this? Some servers and systems require certain IP addresses for access or ease of login. It’s a special case. Don’t worry if you don’t understand this one. If you need it, you’ll know it.
Not all countries offer all five of these services. In fact, only the NordVPN servers in The Netherlands offer all five. Some countries offer just P2P, some offer just Obfuscated, and some only allow connections without any enhanced VPN service.
Performance testing
I installed the NordVPN app on a fresh, fully-updated Windows 10 install. To do this kind of testing, I always use a fresh install so some other company’s VPN leftovers aren’t clogging up the system and possibly influencing results. I have a 1,000Mbps fiber feed, so my baseline network speed is rockin’ fast.
To provide a fair US performance comparison, rather than comparing to my local fiber broadband provider, I used speedtest.net and picked a Comcast server in Chicago to test download speed.
I was a little disappointed that I couldn’t choose a specific location in the US to connect to, so I let NordVPN make what it considered to be the best connection. UPDATE: Since I first looked at NordVPN, the company has added the ability to connect to specific cities.
Beyond the US, I tested connections to Sweden, Russia, Taiwan, Australia, and India. For each test, I connected to each server three times. The number shown below is the average result of all three connections.
While I was connected, I also ran DNS and WebRTC leak tests (to make sure that DNS queries and my real IP address weren’t exposed outside the VPN) using DNSLeak.com, ipleak.net, and dnsleaktest.com. These tests are basic security tests and not much more. If you’re planning on using NordVPN (or any VPN service) to hide your identity for life and death reasons, be sure to do far more extensive testing.
And, with that caveat, here are the results:
| Speed Test Server | Baseline download speed without VPN (higher is better) | Ping speed without VPN (lower is better) | Time to connect to VPN | Download speed with VPN (higher is better) | Ping speed with VPN (lower is better) | Leaks |
|---|---|---|---|---|---|---|
| Chicago – Comcast | 188.67Mbps | 71ms | 19 sec | 43.14Mbps | 61ms | None |
| Stockholm, Sweden – Datacom | 361.70Mbps | 195ms | 15 sec | 15.97Mbps | 217ms | None |
| Moscow, Russia – Rostelecom | 11.99Mbps | 220ms | 15 sec | 23.77Mbps | 217ms | None |
| Taipei, Taiwan – NCIC Telecom | 82.45Mbps | 175ms | 18.99 sec | 18.65Mbps | 160ms | None |
| Perth, Australia – Telstra | 123Mbps | 217ms | 16 sec | 16.64Mbps | 242ms | None |
| Hyderabad, India – Excitel | 338.25Mbps | 243ms | 17 sec | 1.44Mbps | 326ms | Maybe |
In looking at these numbers, it’s possible to get carried away by the difference in the baseline speed compared to the VPN speed. That’s not the best measurement, mostly because I have broadband over fiber, so my connection speed is extremely high.
When you use a VPN service, it’s natural for performance to drop. After all, you’re running all your packets through an entirely artificial infrastructure designed to hide your path. The real numbers you should look at are the download speed and the ping speed. Are they high enough to do the work you need to do?
Ping speed is an indication of how quickly a response gets back after a network request is sent from your computer. Some of the limitations here are due to actual physics. If you’re sending a packet across the planet, it will take longer to hear back than if you’re sending a packet across town.
For all connections, with the exception of India, NordVPN download performance was quite good. Since you don’t really need more than about 6Mbps to 8Mbps to stream HD video from sites like YouTube, the NordVPN connections were certainly fast enough. For years, most of us would have been thrilled to have the broadband download speeds reported after this VPN was enabled.
Then there’s India. My non-VPN performance was blazing fast. Yet, my VPN performance was terrible. I retried connecting to what NordVPN considered the best India server a bunch of times, and then tried selecting random Indian servers (Nord labels them as India #1, India #2, and so on). Performance was terrible with each. I also found that DNSLeak.com reported a leak, although I couldn’t find any evidence of a DNS leak with some cursory checks of my own.
I reached out to the company about this. According to Daniel Markuson, Digital Privacy Expert at NordVPN, “This specific website is configured in a strange way. If it detects a difference between the DNS server address and the IP address, it considers this to be a DNS leak. However, if the DNS displayed is not your original regular DNS servers, then no leak has actually occurred. Simply put, this is a false positive due to strange interpretation of what DNS leak is.”
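The two interpretations of a "DNS leak" described above can be put side by side. This is an added example, not code from the review, NordVPN, or any leak-test site; all addresses are constructed documentation-range values, and the function names are hypothetical.

```python
import ipaddress

def naive_flag(exit_ip, observed_resolvers):
    """Heuristic from the quote: any resolver that differs from the VPN exit IP is flagged."""
    exit_addr = ipaddress.ip_address(exit_ip)
    return any(ipaddress.ip_address(r) != exit_addr for r in observed_resolvers)

def leaked_resolvers(baseline_networks, observed_resolvers):
    """Resolvers seen during the VPN session that sit inside the pre-VPN (ISP) networks."""
    nets = [ipaddress.ip_network(n) for n in baseline_networks]
    leaked = []
    for r in observed_resolvers:
        addr = ipaddress.ip_address(r)
        # Membership is False across IP versions, so v4 and v6 baselines can be mixed.
        if any(addr in net for net in nets):
            leaked.append(r)
    return leaked

def assess(exit_ip, baseline_networks, observed_resolvers):
    """Compare both interpretations for one leak-test run."""
    leaked = leaked_resolvers(baseline_networks, observed_resolvers)
    return {
        "naive_flag": naive_flag(exit_ip, observed_resolvers),
        "leak": bool(leaked),
        "leaked": leaked,
    }

# Constructed sample data (RFC 5737 / RFC 3849 documentation ranges).
BASELINE = ["198.51.100.0/24", "2001:db8:1::/48"]  # resolver networks noted before connecting
VPN_EXIT = "203.0.113.10"                          # public IP shown while connected
SCENARIOS = {
    # Provider-run resolver on a different address than the exit IP.
    "provider_dns": ["203.0.113.53"],
    # Resolver identical to the exit IP.
    "same_as_exit": ["203.0.113.10"],
    # ISP resolver still answering over IPv4.
    "isp_v4_leak": ["203.0.113.53", "198.51.100.53"],
    # ISP resolver reachable over IPv6 outside the tunnel.
    "isp_v6_leak": ["2001:db8:1::53"],
}

if __name__ == "__main__":
    for name, resolvers in SCENARIOS.items():
        print(name, assess(VPN_EXIT, BASELINE, resolvers))
```

The `provider_dns` case is the one that separates the two views: the naive heuristic flags it, while the baseline comparison reports no leak.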
The bottom line of my basic performance tests is that you can probably get the job done unless it involves India. If you have a specific country you want to connect to, it’s a good idea to take advantage of the company’s full 30-day refund policy and just try it out.
Double VPN performance
I was very intrigued by the Double VPN offering, but the results were mixed. When I tried to connect via Double VPN to the fastest US server, I waited two minutes, lost patience, and got up to get coffee and pet the dog. By the time I sat back down at my computer five minutes later, there was still no connection.
I stopped the connection attempt, selected Netherlands as my server location instead of the US, and was connected in about 30 seconds. I ran the same speed test to Comcast in Chicago that netted 188.67Mbps natively, and got 1.49Mbps download. Of course, that was from The Netherlands to Chicago. When I connected to Duocast in Groningen (a large city in the north of The Netherlands), my speed increased to a still-meager 2.02Mbps.
Clearly, Double VPN speeds are slow, but they’re workable enough if you’re not transferring large media. If you’re connecting to mail servers, sending messages, browsing Facebook, etc., it should be tolerably fine.
Privacy and security features
Big on our list of questions for any VPN vendor is what kind of data they log. NordVPN does need an email address so you can log into your account, and they do capture anonymized performance metrics to tune their systems, but the company says it doesn’t log any traffic or access data.
In terms of platform support, NordVPN has apps for iOS and Android, Windows, and Mac. On top of that, NordVPN supports a huge number of other platforms, reaching as far back as Windows XP and forward to Raspberry Pi, Synology, Western Digital, and QNAP NAS boxes, Chromebook, a whole bunch of routers, and more.
At its core, a VPN encrypts and decrypts your data, so the method of encryption is very important. Unfortunately, it’s really not possible to say which encryption protocol is best, because that depends on what you need. We can say that certain protocols are proven to be no longer safe, and while some VPN providers still encrypt using those protocols, NordVPN does not. NordVPN offers OpenVPN and IKEv2/IPsec, which are well-respected protocols.
In addition, NordVPN is now offering something it calls CyberSec, which shares a lot of the characteristics of an antivirus program, but works very differently. CyberSec monitors network transmissions for malware, where antivirus programs tend to monitor running programs.
CyberSec also watches out for on-system botnet activity and tries to block any participation in a DDoS (distributed denial of service attack). It also blocks pop-ups, auto-play videos, and known dangerous websites. It’s a very nice and welcome addition to its VPN offering and is provided at no additional charge.
Finally, they support Bitcoin payment, so if you want to keep your identity completely private, you don’t even need to give them a credit card number.
The bottom line
Going back to our mantra that everyone’s needs are different, we can’t tell you which VPN service to choose. We like what we’ve seen of NordVPN, performance is generally good, and the company’s attention to security and privacy seems sincere.
NordVPN is not a free VPN, but given the company’s fair 30-day refund policy, we can definitely say they’re worth giving a try. If you’re curious about other VPN vendors, take a look at my comprehensive best-of VPN directory over on CNET.
You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.
Disclosure: ZDNet may earn a commission on services featured on this page. Neither the author nor ZDNet were compensated by Nord for this independent, unbiased review.