June 13, 2026

PBX Science


Microsoft Edge’s “Free VPN” Is Really Just a Browser Proxy, Security Researcher Warns


Microsoft’s marketing of Edge Secure Network as a built-in VPN has drawn sharp technical criticism — but the full picture is more nuanced than the headlines suggest.

February 25, 2026


On February 11, 2026, Microsoft’s official Edge account on X posted an enthusiastic pitch: “No extra apps, no subscriptions. Just free VPN support built right into Microsoft Edge. Turn on Secure Network VPN and browse with more confidence.” For millions of everyday users, it sounded like a straightforward offer — enterprise-grade privacy protection, baked directly into a browser they already use, at no cost.

Within days, a privacy researcher pushed back hard.

The Researcher’s Verdict

On February 18, Sooraj Sathyanarayanan, a privacy researcher and security strategist at Brave Software, published a technical analysis on X that quickly spread across the security community. His conclusion was blunt: “Edge Secure Network is NOT a VPN. It’s an HTTP CONNECT proxy built on Cloudflare’s Privacy Proxy Platform. It only tunnels traffic inside the Edge browser. Every other application on your system — DNS queries, email clients, background services, OS updates — everything outside Edge is completely exposed.”

That single distinction — browser-level proxy versus system-wide VPN — sits at the heart of the debate.

How Edge Secure Network Actually Works

Edge Secure Network is built on Cloudflare’s HTTP CONNECT-based Privacy Proxy infrastructure. When the feature is active, it checks that the user has a valid Microsoft account, issues authentication tokens through Cloudflare’s Privacy API, and routes encrypted browser requests through Cloudflare’s network. Cloudflare then selects an appropriate egress IP address for the outgoing connection.

This is meaningfully different from how a conventional VPN operates. A true VPN installs at the operating system level and intercepts all network traffic from every application on the device — not just one browser. Under Edge Secure Network, activity from other applications, background services, email clients, operating system updates, and even DNS queries continues to use the regular, unprotected network path.
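The per-application scope of an HTTP CONNECT proxy can be reproduced on localhost. This is an added example, not Microsoft's or Cloudflare's code: the toy proxy, the origin server and all function names are constructed for illustration, and source ports stand in for source IP addresses because everything runs on 127.0.0.1.

```python
import contextlib, socket, threading

def serve(handler):  # listen on an ephemeral localhost port, thread per client
    srv = socket.create_server(("127.0.0.1", 0))
    def loop():
        while True:
            threading.Thread(target=handler, args=srv.accept(), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]

def origin(conn, peer):  # constructed "website": replies with the source port it sees
    conn.recv(1024)
    conn.sendall(str(peer[1]).encode())
    conn.close()

def pump(src, dst):  # copy bytes one way until EOF; tunnelled data is never parsed
    with contextlib.suppress(OSError):  # the other side may already be gone
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)

def read_head(sock):  # read up to the blank line ending an HTTP head (or EOF)
    head = b""
    while b"\r\n\r\n" not in head and (chunk := sock.recv(1024)):
        head += chunk
    return head

def connect_proxy(conn, log):  # minimal CONNECT proxy: parses only the request line
    target = read_head(conn).split()[1].decode()
    host, port = target.rsplit(":", 1)
    up = socket.create_connection((host, int(port)))
    log.append((target, up.getsockname()[1]))  # all it learned + its egress port
    conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
    threading.Thread(target=pump, args=(conn, up), daemon=True).start()
    pump(up, conn)

def fetch(origin_port, proxy_port=None):  # -> (client source port, port origin saw)
    s = socket.create_connection(("127.0.0.1", proxy_port or origin_port))
    if proxy_port:  # only an app configured to use the proxy takes this path
        s.sendall(f"CONNECT 127.0.0.1:{origin_port} HTTP/1.1\r\n\r\n".encode())
        if b" 200 " not in read_head(s):
            raise ConnectionError("proxy refused CONNECT")
    s.sendall(b"hello")
    with s:
        return s.getsockname()[1], int(s.recv(64))

def demo():  # one proxied "browser" fetch, then one direct "other app" fetch
    log = []
    o, p = serve(origin), serve(lambda conn, peer: connect_proxy(conn, log))
    return fetch(o, p), fetch(o), log
```

`demo()` returns the proxied result, the direct result and the proxy's log. The direct fetch never appears in the log and reaches the origin from the client's own address, which is the position of every application other than the browser.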

The feature also has a default behavioral quirk that many users are likely to miss. By default, Edge Secure Network runs in “Optimized” mode, meaning it only activates under specific higher-risk conditions — such as when the device connects to an open Wi-Fi network or when the user visits a non-HTTPS site. At home on a private network while browsing HTTPS sites, which now represent the overwhelming majority of the web, the feature typically remains inactive. To force continuous protection, users must manually switch to “All sites” mode in settings.

There is an additional concern about connection failures. If the connection to Cloudflare’s servers drops, traffic continues without encryption — without any warning to the user. A traditional VPN typically includes a “kill switch” that blocks traffic entirely to prevent this kind of silent data leak.

The Privacy Paradox of Mandatory Login

One of the more pointed criticisms involves the requirement to sign in. To use Edge Secure Network, users must be signed into Edge with a personal Microsoft account. The free tier includes a 5GB monthly data allowance, after which the protection stops until the quota resets.

This creates a contradiction that privacy researchers find hard to overlook. The tool is positioned as a way to keep browsing activity private — yet activating it requires authenticating with a real identity tied to a Microsoft account. As long as an account is logged in, it synchronizes browsing history, passwords, favorites, form data, extensions, and open tabs across all Edge instances by default. For users genuinely seeking anonymity, this is a significant trade-off.

The trust model underlying the privacy promise adds another layer of complexity. Microsoft states that Cloudflare does not see account identities, and Cloudflare says it does not inspect user traffic. However, researchers note that the system depends entirely on the unilateral claims of two commercial companies rather than any independent public audit, and the codebase is closed source.

What the Feature Does — and Doesn’t — Cover

Beyond the VPN-versus-proxy debate, the feature has several practical limitations worth understanding. To conserve limited bandwidth, certain high-bandwidth scenarios — including video streaming services like Netflix, Hulu, and HBO — are excluded from routing through the feature by default. This also means it cannot be used to bypass geographic content restrictions, a common reason people turn to VPNs in the first place.

Rather than allowing users to choose a server location, Edge Secure Network automatically routes traffic through the geographically nearest Cloudflare data center, preserving approximate location so that local searches continue to function normally. The feature is also unavailable on enterprise-managed devices and in some regions.

Is the Criticism Fair?

The answer is: partly. Sathyanarayanan’s technical observations are accurate. However, as the German tech outlet Heise Online noted, Microsoft never explicitly claimed that Edge Secure Network would protect all device traffic. The official feature documentation makes clear it is a browser-level protection tool, not a full system VPN, though the marketing language on social media and in settings — where the feature is described as an “integrated VPN” — has reasonably created expectations the product cannot meet.

Cloudflare, for its part, has been transparent about the architecture since announcing the partnership. The company describes its Privacy Proxy Platform as a forward-looking approach to internet privacy built on open standards, distinct from traditional VPN protocols like WireGuard or IPsec, and designed to balance user privacy with practical usability — such as preserving location-relevant search results.

The Bottom Line for Users

Edge Secure Network is not useless. For casual users on public Wi-Fi who want basic protection for their browsing sessions without installing additional software, it does provide a real — if limited — layer of encryption and IP masking within the browser. That is genuinely better than nothing in certain scenarios.

But calling it a VPN sets expectations the product cannot fulfill. Users who believe they have enabled device-wide privacy protection may be making security decisions based on a false assumption. Other apps, background processes, and DNS queries on their machine remain fully visible to their internet service provider and any network observer.

For anyone with serious privacy requirements — journalists, activists, travelers in restrictive jurisdictions, or anyone who needs their entire device protected — a dedicated, system-wide VPN service with a verified no-logs policy and a kill switch remains the appropriate tool. Edge Secure Network, despite its marketing, is not a substitute for one.


Sources: Windows Latest, PCWorld, Heise Online, Cloudflare blog, Cloudflare press release, tech2geek.net

