At the local cafe, hackers can get a cup of coffee and rogue access to the network. Who needs a VPN; what could go wrong?
Ken Hawkins
For the security minded, one of the scariest revelations from the now three-year-old Snowden leaks had nothing to do with accommodating ISPs (shocking) or overreaching and often vague anti-terrorism practices and policy (an even bigger shock, right?).
Instead, when news trickled out about matters like the National Security Agency’s Vulcan data repository or its Diffie-Hellman strategy, online privacy advocates found themselves quaking.
Suddenly, seemingly everyone had to re-evaluate one of the most often used tools for maintaining a shred of anonymity online—the VPN.
VPNs, or virtual private networks, are typically used to obfuscate users’ IP addresses and to add a layer of security to Web browsing.
They work by routing traffic through a secure, encrypted connection to the VPN’s server.
The reasons for using VPNs vary.
Some people use VPNs to change their IP address so they can access location-specific media content from a different geographic location or download torrents that are less likely to be traced back to them. Others hope to minimize online tracking from advertisers, prevent the negative effects of rogue access to Wi-Fi networks, or even just hide their IP address from specific sites they visit.
Not all VPNs are alike, however.
In fact, poorly configured VPNs can make users more vulnerable in various ways.
Some ban torrenting altogether. Others log information, either for maintenance reasons, to track abuse, or in accordance with their local data retention laws.
Last year, I set out to put together a list of the best current VPNs for Ars.
Although there are multiple “top VPN” lists available online, they are often riddled with affiliate links, making it hard to ascertain their accuracy.
An independent online VPN comparison chart outlines VPN business practices, logging, service configuration, and other features, pinpointing contradictory policies and misleading claims that various services are 100 percent effective.
But much of the information is still likely compiled from the actual VPN websites, meaning some misleading marketing claims could sneak in.
Several months of research later, I have failed.
Today, I still can’t make good faith recommendations for VPNs that guarantee the safety and security of interested users.
Instead, the reporting process has only complicated my view of modern VPNs.
Evaluating what works and what doesn’t isn’t always straightforward, and verifying the accuracy of this stuff isn’t easy either (especially when it comes to logging).
So rather than a simple list of services to use, all I can offer are a handful of guidelines to keep in mind when determining if a VPN can be effective for you in 2016.
VPNs are not for anonymity
One common misconception about VPNs is that they provide user anonymity—even in the face of nation-state actors. “If the objective is to limit exposure to mass surveillance from governments, a VPN is likely not adequate,” said security researcher Kenneth White.
In fact, VPNs claiming to offer users anonymity are “inept, irresponsible, or both,” Jeremy Campbell, creator of DNSLeak.com, told Ars in an e-mail. “Using public VPNs for anonymity is foolish and potentially dangerous, no matter how securely it’s configured, simply because the technology was not designed at all for anonymity.
VPN services require that you trust them, which is a property that anonymity systems do not have.”
White didn’t insist on abandoning VPNs altogether at this point, but he cautioned that they should be thought of as a single, supplemental tool and not as a privacy solution. “Instead, the use of strong privacy tools such as the Tor Browser (possibly coupled with a reputable VPN) is a must,” he said. “Not only because of the anonymizing properties, but because the bundled browser has been heavily modified to maximize Web privacy (via cookies, Flash, and Java plugins).”
Tor has a distributed network that attempts to preserve anonymity by running traffic through multiple relays.
But this is also hard to verify, and nobody knows for certain whether or not Tor can be reliably successful.
The browser’s recent high-profile encounter with the US Department of Defense only heightens such caution.
And some critics in fact argue that Tor makes people more susceptible due to its reliance on an outdated version of Firefox.
The takeaway? Tor and even the Tor Browser are not entirely foolproof, either.
“There have been some malicious Tor exit nodes in Russia that have actually been modifying binaries, so if you download a piece of software through Tor and you happen to be unlucky enough to get one of these Tor exit nodes, they’ll actually modify it so it becomes malware,” said Matthew Green, a cryptography professor at Johns Hopkins University.
Although Green has never heard of that happening with a VPN, he pointed out the same attacks are possible.
In contrast to most VPNs, however, Tor and the Tor Browser are used in incredibly high-risk situations, meaning engineers work incredibly quickly to patch security vulnerabilities.
The same may not be true for all VPNs.
Depending on your intentions, you may need more than that one middleman for Internet safety.
VPNs are not necessarily safe for torrenting
Some VPN providers do not permit peer-to-peer sharing and would even turn over user names to a copyright holder if necessary. Others issue warnings on behalf of the copyright holders and may cancel the accounts of repeat offenders.
Anyone wishing to use a VPN for private torrenting and streaming can look for a provider that doesn’t disclose information when served with a DMCA notice (or one that doesn’t retain logs), though the same issue comes up again.
“However, there’s no way for users to verify what VPN providers say,” Campbell said. “They must judge providers by reputation, relying on news reports, discussion in online forums, and so on.”
VPNs do not offer robust protection from ad tracking
Although VPNs mask your IP address, they won’t necessarily protect you from spying ads and invisible trackers. “VPNs alone provide negligible protection against ad network tracking, because an IP address (which the VPN is masking) is a weak identifier,” Campbell said. “Ad networks prefer browser cookies, supercookies, and browser fingerprinting techniques (https://panopticlick.eff.org) that VPNs cannot protect against.”
To protect against ubiquitous ad tracking, ad blockers (like uBlock or uBlock Origin) and tracking blockers (like Privacy Badger or Disconnect) provide some level of protection.
Advanced users can use virtual machines or multiple browsers isolated in sandboxes. Using the Tor Browser can protect against browser fingerprinting as well.
VPNs could put you at risk
The best use case for consumer VPNs is local network security, especially on public Wi-Fi networks in airports, hotels, cafes, and even on airplanes (especially since GoGo has been caught issuing fake HTTPS certificates for YouTube, which could expose all user traffic—including users’ YouTube passwords—to the inflight broadband provider).
Since VPNs create a tunnel between a user and the VPN provider’s server, though, it’s again important to have trust in the VPN provider.
That provider can essentially see all of your traffic, log all of your traffic, and even modify your traffic.
An improperly configured VPN could potentially give others direct access to your private local LAN, which is likely significantly more dangerous than shady people sniffing your traffic at the coffee shop.
“You’re really putting yourself at their mercy if they’re not honest,” said White. “Your fear may be that you’re going to get hacked by someone on the local network, but [by using a sketchy VPN] you’re basically putting yourself in the hands of your worst possible attacker.
All of your traffic is going through the worst coffee shop access point in the world if you pick the wrong VPN service.”
White offered a quick list of VPNs that have preshared keys posted online: GoldenFrog, GFwVPN, VPNReactor, UnblockVPN, IBVPN, Astril, PureVPN, PrivateInternetAccess, TorGuard, IPVanish, NordicVPN, and EarthVPN.
“If I know the preshared key for your VPN and I am somebody who has control of the Wi-Fi access point, and you’re using a preshared key with a VPN I know, then I can basically man-in-the-middle attack and decrypt everything you’re doing,” said White. “The security you get against that kind of attacker when the preshared key is known is not very strong.”
PPTP instead of IPSec, L2TP/IPSec, IKEv2, or OpenVPN
Some VPNs use the outdated PPTP VPN protocol, which is fundamentally insecure.
Better options include IPSec (LibreSwan and StrongSwan, which are actively maintained), L2TP/IPSec, IKEv2, or OpenVPN.
Among these alternatives, IPsec can be set up without installing extra software, but some believe it was either compromised or intentionally weakened by the NSA. OpenVPN is more secure but can be more difficult to set up and requires third-party software.
It also needs to be configured correctly.
Recent research by High-Tech Bridge found that 90 percent of SSL VPNs tested use insecure or outdated encryption.
In total, 77 percent used the insecure SSLv3 (or even SSLv2) protocols, 76 percent used an untrusted SSL certificate (making it easier for remote attackers to perform man-in-the-middle attacks and intercept all data passing over the VPN connection), and a large chunk used insecure key lengths for RSA signatures or insecure SHA-1 signatures.
Believe it or not, 10 percent were still vulnerable to Heartbleed.
Some VPNs log information to be in compliance with data retention laws in their respective countries.
And a lot of VPNs overall log information, such as when specific users connected, where they connected from, and even what connections they made.
It’s not entirely easy to know whether to trust VPN claims that they do not log.
Even VPN providers that log less than others often do log usage data (including incoming connections, either by IP address or user name) and internal routing on the network they use for internal load balancing or server maintenance.
This creates a record of user accounts or connections and outgoing IP addresses—which is quite a bit of information.
Some logs are only held in volatile memory, but others are not, often due to retention laws in various countries. Ultimately, the information kept can be enough to de-anonymize VPN users if combined with usage data from that person’s computer or connection logs from another site.
Reading the terms of service closely may help you determine whether logs are maintained, what is retained, for how long it’s retained, and perhaps even how such information would be used in which instance—but again, the claims are hard to verify.
Folks thinking that VPNs will protect user identities in the case of criminal activity will be disappointed to learn that the US government actually has mutual legal assistance treaties with dozens of countries throughout the world.
Genuine slide from the Snowden leaks.
This is what NSA’s VPN Exploit Team does when it decrypts a VPN.
“From a technical point of view, I think the most underrated vulnerabilities are network leaks in the client-side VPN software,” said Campbell.
Even after a user has connected to a VPN server, a few outgoing packets may not be using the VPN tunnel, which could compromise their privacy. “That could be life threatening.
VPNs have been rightly criticized about this vulnerability by many in the security/anonymity community (e.g., https://www.usenix.org/system/files/conference/foci12/foci12-final8.pdf).”
Some VPNs do have settings that block insecure communications before they have a chance to activate, such as when you first sign onto a Wi-Fi hotspot or switch from one to another. Other providers allow users to set up firewall rules.
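One way to implement the firewall-rule approach mentioned above, as an added example that is not from the article or any provider: a POSIX shell script that renders iptables “kill switch” rules so that only the tunnel interface (and the connection to the VPN server itself) can send traffic, and that blocks IPv6 entirely, since most consumer VPNs tunnel only IPv4. The interface name, server address, port and protocol are assumptions you supply; 203.0.113.5 in the usage line is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the article: a VPN "kill switch" for Linux hosts.
# Assumes iptables/ip6tables are available and the VPN uses a tun-style
# interface (tun0 by default). Run the apply step as root.

# Print the iptables commands for a tunnel interface, VPN server IPv4 address,
# port and protocol (udp or tcp). The server must be an IP literal: a hostname
# would need DNS, which these rules deliberately block outside the tunnel,
# so resolve it before enabling the switch.
render_killswitch() {
    iface="${1:-tun0}"; server="$2"; port="${3:-1194}"; proto="${4:-udp}"
    case "$server" in
        ''|*[!0-9.]*) echo "render_killswitch: server must be an IPv4 literal" >&2; return 1 ;;
    esac
    case "$proto" in
        udp|tcp) ;;
        *) echo "render_killswitch: proto must be udp or tcp" >&2; return 1 ;;
    esac
    cat <<EOF
iptables -F OUTPUT
iptables -P OUTPUT DROP
# loopback stays usable (local resolvers, IPC)
iptables -A OUTPUT -o lo -j ACCEPT
# DHCP renewals on the physical interface, or the Wi-Fi lease will expire
iptables -A OUTPUT -p udp --dport 67:68 -j ACCEPT
# the only clear-text packets allowed out are those to the VPN server itself
iptables -A OUTPUT -p $proto -d $server --dport $port -j ACCEPT
# everything else must leave through the tunnel
iptables -A OUTPUT -o $iface -j ACCEPT
# log what would have leaked (DNS is the usual culprit); the policy then drops it
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "vpn-leak-blocked: "
# most consumer VPNs tunnel IPv4 only, so IPv6 is blocked except loopback
ip6tables -F OUTPUT
ip6tables -P OUTPUT DROP
ip6tables -A OUTPUT -o lo -j ACCEPT
EOF
}

# Apply the rendered rules (root required); review them first with render_killswitch.
apply_killswitch() {
    render_killswitch "$@" | sh -e
}

# Usage (review only, constructed server address):
# render_killswitch tun0 203.0.113.5 1194 udp
```

Flows that were already open on the physical interface before the rules are applied are not cut by these rules; enable the switch before connecting to the hotspot’s network, not after.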
In June 2015, a group of researchers from Sapienza University in Rome and Queen Mary University in London tested 14 popular commercial VPN services and found that 10 of them leaked IP data, and all but one were vulnerable to IPv6 DNS hijacking attacks.
The researchers did not comprehensively recheck VPNs to see if they deployed fixes, but they did run some ad hoc tests and found improvement.
Again, though, it’s not easy to determine which VPNs that say they fixed this and other issues actually have.
“The advice that I would give people is that, if you’re worried about government monitoring, you should always use Tor, full stop,” said Dr. Gareth Tyson, a lecturer based at Queen Mary University of London and one of the authors of the study.
Again, this could prove to be an imperfect solution. While the Tor Browser may offer anonymity, censorship circumvention, and protection from monitoring and tracking, it’s not as speedy as using a VPN.
Some ISPs unfortunately block Tor relays to boot.
Hopefully, Ars readers can identify a majority of the online snake oil that exists.
VPNs aren’t exempt, and many make claims that lack credibility (offering “100 percent online security,” for example).
“Take a really skeptical look at a service provider that makes claims of no logging, accepts Bitcoin, and makes any kind of grandiose claims about military grade or government-proof or NSA-proof encryption,” said White. Not only could VPNs have lax security, some may be honeypots run by nation-state actors.
Conversely, VPNs that are very clear about their threat model and what they can and cannot protect against are likely more trustworthy.
Reading terms of service can sometimes provide a bit more clarity.
For example, in 2015, the free version of the Israeli-based VPN Hola was caught selling users’ bandwidth to the Luminati VPN network, and users who cloaked their IP addresses unwittingly became VPN exit nodes or endpoints (exposing their own IP address and associating it with other people’s traffic). Hola did not update its FAQ for clarity until 8chan message board operator Fredrick Brennan stated that Hola users’ computers were unwittingly used to attack his site.
What to look for
Given all the precautions and VPN footnotes above, is it feasible to find workable VPNs or at least reliable information about them? “Assertions from VPN service providers are absolutely caveat emptor, in the absence of public third-party audits,” White pointed out. “You’re getting Pinky-Promise-as-a-Service.”
That said, there are many positive signs to look for when evaluating a VPN beyond the basics: is the VPN using up-to-date protocols, what’s the reputation of the company and the people behind it (and their history or expertise), are terms of service easy to understand, what does the VPN protect against and what doesn’t it cover, and is the service honest about its disclosures?
“There has been an explosion of cheap VPN providers over the last few years since the Snowden revelations,” Campbell warned. “Many of these new providers use laughable security practices.
In many cases, they are Web hosting businesses that have decided to repurpose some of their servers, effectively becoming bandwidth resellers, but with no security experience.”
As a final precaution, Campbell also looks for VPNs that do not use third-party systems to capture sensitive customer data. “Any VPN service that respects their customers’ privacy will self-host all systems that interact with customers, such as third-party live chat scripts, support ticketing systems, blog comments, etc.
Customers often submit very sensitive information in support requests without knowing that the VPN provider doesn’t have exclusive control over the system,” he said.
Among solid current options: Streisand. (Wait, not this one?)
Bettmann for Getty Images
Depending on your privacy needs, a pre-made solution may not currently exist.
If that’s the case, technical users can roll their own VPNs.
If a pre-made solution is more your speed, one option is running Streisand over a DigitalOcean VPS, Amazon Web Services, Vultr, OVH, or another reputable hosting provider.
Created in the aftermath of Turkey blocking Twitter, Streisand’s goal is to help users circumvent Internet restrictions.
“Streisand sets up a new server running L2TP/IPsec, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge.
It also generates custom configuration instructions for all of these services,” the GitHub page reads.
Creator Joshua Lund told Ars that one of Streisand’s goals is to make the setup process as painless as possible. He envisions the open-source service growing into a “centralized knowledge repository” where the best practices can be updated and automated by a watchful community.
“Streisand automates several difficult steps that can dramatically increase security,” Lund told Ars in an e-mail. “For example, Streisand’s OpenVPN configuration enables TLS authentication (AKA an ‘HMAC firewall’), generates a custom set of Diffie-Hellman parameters, and enables a much stronger cipher and checksum algorithm (AES-256/SHA-256 instead of OpenVPN’s antiquated default of Blowfish/SHA1). Many users will skip these optional and time-consuming enhancement steps if they are configuring OpenVPN by hand.
In fact, most commercial VPN providers don’t enable these features in their OpenVPN setup.”
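As an added example (not Streisand’s code and not from the article), the following POSIX shell function audits an OpenVPN client or server configuration for the weaknesses Lund describes: no tls-auth HMAC on the control channel, the legacy Blowfish cipher default, the SHA1 digest default, and, on the server side, short Diffie-Hellman parameters. It also accepts tls-crypt, the newer alternative to tls-auth in OpenVPN 2.4 and later, which the article does not mention.

```shell
#!/bin/sh
# Added example, not part of the article or of Streisand: audit an OpenVPN
# configuration (.conf or .ovpn) for the weak defaults discussed above.
# Prints one line per finding and returns the number of findings (0 = clean).

audit_openvpn_conf() {
    conf="$1"
    findings=0
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 99; }

    # 1. Control-channel HMAC ("HMAC firewall"): tls-auth, or tls-crypt
    #    (OpenVPN 2.4+), as a directive or an inline <tls-auth>/<tls-crypt> block.
    if ! grep -Eq '^[[:space:]]*<?tls-(auth|crypt)>?([[:space:]]|$)' "$conf"; then
        echo "MISSING: tls-auth/tls-crypt (unauthenticated peers can talk to the TLS stack)"
        findings=$((findings + 1))
    fi

    # 2. Data-channel cipher: absent means OpenVPN's legacy BF-CBC (Blowfish) default.
    cipher=$(awk '$1 == "cipher" { c = $2 } END { print c }' "$conf")
    case "$cipher" in
        '') echo "WEAK: no cipher directive, legacy default is BF-CBC (Blowfish)"
            findings=$((findings + 1)) ;;
        BF-*|DES-*|RC2-*|none)
            echo "WEAK: cipher $cipher"
            findings=$((findings + 1)) ;;
    esac

    # 3. HMAC digest for the data channel: absent means SHA1.
    auth=$(awk '$1 == "auth" { a = $2 } END { print a }' "$conf")
    case "$auth" in
        ''|SHA1|MD5|none)
            echo "WEAK: auth ${auth:-SHA1 (default)}"
            findings=$((findings + 1)) ;;
    esac

    # 4. Server side only: Diffie-Hellman parameters shorter than 2048 bits.
    #    The dh path is taken relative to the current directory.
    dh=$(awk '$1 == "dh" { d = $2 } END { print d }' "$conf")
    if [ -n "$dh" ] && [ -r "$dh" ] && command -v openssl >/dev/null 2>&1; then
        bits=$(openssl dhparam -in "$dh" -noout -text 2>/dev/null \
               | sed -n 's/.*(\([0-9]*\) bit).*/\1/p' | head -n 1)
        if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
            echo "WEAK: dh parameters are only $bits bits"
            findings=$((findings + 1))
        fi
    fi

    return $findings
}

# Usage: audit_openvpn_conf client.ovpn
```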
Other benefits of Streisand include automatic security updates and an automated setup process that allows users to get a brand new server running in around 10 minutes.
And when compared to commercial VPN providers, Streisand-deployed servers are far less likely to become targets of censorship efforts, DDoS attacks, or blocked access to streaming services.
Like VPNs at large, your mileage with Streisand may vary.
And after surveying the state of such offerings in 2016, there may only be one truly universal rule: What to look for in a VPN depends on what you’re using it for in the first place.
A user looking for local network security has different needs than someone using a VPN for geoshifting, for example, so these decisions can get complicated fast.
But being aware of the limitations of VPNs in general and knowing what specific weaknesses and pitfalls to avoid can at least help you make a more informed, if complicated, decision.