10 Feb 2017

Privacy Tech-Know Blog: The actual privacy benefits of virtual private networks

Virtual Private Networks (VPNs) let you establish a secure communications channel between your computing device and a server. After connecting to the server, you could gain access to a private network that has work files or applications, or use the server as a relay point to then access Internet content when browsing from a public network.

There are several reasons for using a VPN: you might need to remotely access information held on corporate servers while travelling or working from home; you might be wary of the insecure wireless networks you’re using; or you might want to access online content that’s blocked on the network you’re connected to but is accessible from the server somewhere else. Sometimes an organization, such as your employer, will require you to use a VPN and will dictate the type of VPN you use and how it is secured. When you choose a VPN as a consumer, by contrast, you’re responsible for making these decisions on your own.

In the wake of Edward Snowden’s revelations, a large number of consumer VPN providers have sprung up, and security experts now often suggest that you use a VPN when accessing the Internet from an insecure network (e.g., a café, public library, or other free Wi-Fi hotspot). This blog post will help you understand what to look for when choosing between different VPN services.

All in the Family

VPNs generally provide several different capabilities or services. VPNs can provide ‘data integrity checks’ by cryptographically evaluating whether a party between your device and the VPN server has modified the contents of the packet. VPNs also provide differing levels of user authentication. In some cases, you simply need to enter a username and password to use the VPN. In other cases, stronger authentication measures, such as smart cards or tokens, may be required (e.g., see our previous post on multi-factor authentication). VPNs also provide ‘data confidentiality’ by encrypting data so that intermediaries are not able to read or access what’s being transmitted. As an example, a café owner could not determine what site you were browsing or modify the contents of that webpage (e.g., to add advertising banners).

Data is sent along a network in “packets,” which are blocks of formatted data, rather than a continuous stream of information. A header is included with each packet to indicate the sender and recipient’s Internet Protocol (IP) addresses and formatting information. The secure communications channel established by a VPN uses either ‘tunnel’ or ‘transport’ mode. In ‘tunnel mode,’ both the header and content are encrypted and secured from third-party observation (used to connect one site to another, such as two office networks). In transport mode, on the other hand, only the content of the communications is encrypted, not the header (used to connect a client to a site, such as VPN client software used to connect an employee to an office network).
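
The difference between the two modes can be seen in a small model. The following Python sketch is an added example, not part of the original post: it wraps one constructed packet both ways, reports which addresses an on-path observer can still read, and checks an integrity tag. The addresses, key, and XOR keystream cipher are assumptions made for illustration; real IPsec negotiates its keys and uses standard ciphers.

```python
import hashlib, hmac, ipaddress, struct

KEY = b"constructed-demo-key"   # constructed; stands in for a negotiated session key
ESP, TCP, TAG_LEN = 50, 6, 32   # IP protocol numbers; HMAC-SHA256 tag length

def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left at 0 in this model)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)

def toy_cipher(data):
    """Stand-in cipher: XOR with a SHA-256 counter keystream. Not ESP's real crypto."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(KEY + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(a ^ b for a, b in zip(data, stream))   # applying it twice decrypts

def protect(packet, mode, gw_src=None, gw_dst=None):
    """Return the bytes put on the wire for one inner IPv4 packet."""
    if mode == "transport":      # original addresses stay readable, content is encrypted
        body, src, dst = toy_cipher(packet[20:]), packet[12:16], packet[16:20]
    elif mode == "tunnel":       # whole inner packet encrypted behind a new outer header
        body, src, dst = toy_cipher(packet), gw_src, gw_dst
    else:
        raise ValueError(mode)
    tag = hmac.new(KEY, body, hashlib.sha256).digest()   # integrity tag over the ciphertext
    return ip_header(src, dst, ESP, len(body) + TAG_LEN) + body + tag

def verify(wire):
    """Data integrity check: recompute the tag and compare in constant time."""
    body, tag = wire[20:-TAG_LEN], wire[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest())

def observer_view(wire):
    """Source and destination an on-path observer reads from the cleartext header."""
    return str(ipaddress.IPv4Address(wire[12:16])), str(ipaddress.IPv4Address(wire[16:20]))

# Constructed sample: a laptop requesting a page from an intranet server.
PAYLOAD = b"GET /payroll HTTP/1.1\r\n\r\n"
INNER = ip_header("192.168.1.23", "10.20.0.5", TCP, len(PAYLOAD)) + PAYLOAD
GATEWAYS = ("203.0.113.10", "198.51.100.1")   # constructed VPN endpoint addresses

if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        wire = protect(INNER, mode, *GATEWAYS)
        print(mode, observer_view(wire), "payload readable:", PAYLOAD in wire,
              "tag valid:", verify(wire))
```
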

There are three major ‘families’ or types of VPN implementations that are widely used today. They include: IPsec, PPTP, and SSL/TLS.

Internet Protocol Security (IPsec)

IPsec is a standardized protocol that uses cryptography to protect communications over Internet Protocol (IP) networks. It’s an end-to-end security protocol, meaning that data is only meant to be accessible by your device and the server that’s being tunneled to. Unlike some other kinds of VPNs, IPsec protects all application traffic over an IP network; some other ways of securing traffic, in contrast, lack this breadth of security and may only secure certain applications’ traffic (e.g., just for a chat program). What’s more, IPsec uses a pair of security protocols: the first is used to provide source authentication and guarantee the integrity of packets (to demonstrate that they haven’t been tampered with), and the second is used to provide data confidentiality. Most major operating systems natively support a version of IPsec.

Public IPsec VPN providers sometimes use pre-shared keys that are identical for all of their users. This means that when IPsec encrypts data using pre-shared keys, any party with access to those common keys can readily decrypt the communications. This is a byproduct of how encryption keys are sometimes shared, as opposed to inherent problems with the protocol itself. As such, a network snoop in a café or other public place could decrypt the communications that you attempt to secure if you use a consumer VPN that uses commonly known pre-shared keys.

Point-To-Point Tunnelling Protocol (PPTP)

PPTP is an older method for implementing VPNs that is no longer widely recommended. PPTP does not describe how data flows are to be encrypted or authenticated, but is used to establish a tunnel that is, itself, subsequently encrypted. The actual encryption or authentication that’s used for this kind of VPN relies on the ‘point-to-point protocol’, and major operating systems, such as Microsoft Windows, have built-in ways of implementing various kinds of authentication and encryption over this protocol.

PPTP possesses a range of well-known vulnerabilities. Specifically, there are a number of known methods of undermining the security and authentication provided by PPTP, to the extent that some organizations have deprecated their use of it. However, many public VPN providers continue to use PPTP to establish connections and it remains widely in use.

Secure Sockets Layer (SSL)/Transport Layer Security (TLS)

SSL/TLS VPNs can be used with a web browser to give remote users access to Web applications, client/server applications, and internal network connections. They rely on the same key exchange standards that are used to access HTTPS-secured websites, allowing the communicating parties to establish strongly encrypted communications with one another.

SSL-based VPNs are only as secure as the underlying software libraries that are used to establish encrypted communications. OpenSSL is a popular software library that implements the SSL and TLS protocols and is used to establish VPN connections. This library has been adopted by many software developers, but it has been found to have serious security and confidentiality vulnerabilities. Consequently, third parties might be able to exploit the vulnerabilities to decrypt SSL/TLS VPN traffic unless the software has been properly patched.

False Security Blanket?

Some security experts question the motivation or intent of some commercial VPN providers. Many providers assert that they retain no logs, or provide high levels of anonymity, but careful reading of their terms of service sometimes reveals that they retain significant volumes of identifying information. In at least one case, a VPN provider used customers’ computers as bots in a botnet, using those devices to launch attacks on websites.

Users may channel all of their data requests through a VPN provider, giving a malicious VPN provider a privileged position to monitor, log, or tamper with any or all communications that are sent through the VPN. Some experts have raised worries about the kinds of subscriber data such providers retain, such as billing information and IP addresses assigned to each subscriber. There are also concerns about the kinds of communications content and metadata information that are retained, such as websites visited, applications used, and in the case of unencrypted communications, the contents of what you say over chat messages or through email.

VPNs are sometimes adopted on the belief that they offer anonymity online. However, you may never truly be anonymous, depending on the VPN company’s data retention and disclosure policies. More advanced techniques for tracking you (e.g., browser fingerprinting, browser cookies) mean that advertisers could continue to track you despite your use of a VPN. And where a pre-shared key is used, any person on the network could potentially decrypt all traffic sent using the VPN. The result is that VPNs are a poor way of guaranteeing online anonymity, especially when compared with systems deliberately designed with anonymity and security in mind, such as The Onion Network (TOR).

The privacy assurances presented to consumers by VPN providers should be assessed to ensure they’re commensurate with the actual privacy protections and data retention practices undertaken by the companies. While some data retention may be useful to manage the service, it might be worth evaluating what constitutes ‘appropriate’ data retention when it comes to VPN service providers.

That being said, VPNs can provide a way for you to securely access Internet resources, or intranet resources, while reducing the likelihood that the insecure networks you’re communicating over can access or tamper with the data. In effect, VPNs treat the Internet as an untrusted space and let you encrypt data so unauthorized third parties are less able to access or read what you’re doing online.
