4

A VPN, or Virtual Private Network to be formal, is a method of creating an encrypted data tunnel across the Internet from your device to a destination server.

Although savvy home users and enterprises will operate their own VPNs (business-grade routers provide this functionality) for most folk, a VPN comes by way of a dedicated service provider.

In theory, and as far as many of those VPN users are concerned, this provides them with both security and secrecy. People think that a VPN keeps them anonymous while online. People are more often than not wrong.

What a VPN, any VPN, can actually offer is a method of securing your connectivity and making it much harder for an attacker (be that a hacker or the government) to intercept your data whilst in transit.

Some VPN services do offer user anonymity as a selling point, but how honest are they being? OK, so the word 'private' in the expanded VPN acronym suggests privacy. But privacy and anonymity are different things. Certainly when talking about VPNs, we should be thinking in terms of the interconnection of private networks rather than the privacy of end user identity.

When it comes to services that claim to provide anonymity, I certainly wouldn't recommend taking them at their word. In fact, I would argue, it is beholden of the prospective customer (that's you) to fact check everything before handing over any money.

And handing over money, funnily enough, is right there at number one in my list of checks to make. If the VPN company is taking a subscription payment from you then what method is it using? A credit card leaves a footprint that leads right back to you, as do most of the normal payment methods. I'd look for a VPN service that accepts Bitcoin as a way of ensuring the hardest to follow payment trail.

Next on my list of things to check would be the policy of the VPN provider when it comes to usage logs. Only those that can state they keep no usage logs (which also means checking the country they operate out of as some have laws requiring the keeping of such things) should be on your list.

Then throw in shared IP addresses to make identifying individual users, for particular behaviours, out of a whole bunch of users almost impossible.

Once all of these check boxes have been ticked, then you can start getting really serious and look for features such as double VPN availability. This means that your connection is made to one server, in one country, which then connects to another in another country.

I use this functionality myself, as it routes my traffic through two hops (or more) with the connection encrypted within double layers of cipher AES-256-CBC encryption. That the connections are mixed between TCP and UDP adds yet another layer of security into the mix. All of which slows the connection speed, but not enough to impact upon my usage. If I were streaming movies, then I wouldn't go down the double VPN route to be honest!

Even after all of the above I wouldn't state that anonymity is 100% guaranteed: that's a tough call on the Internet.

There have been problems in the past with VPN services being vulnerable to leaking IPv6 data for example. More recently, research into Android-based VPN apps revealed huge problems with not only privacy but also security. 'An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps' is the result of a comprehensive analysis of 283 Android apps using the Android VPN permission that were chosen from the Google Play store.

The researchers included an analysis of the source code for each app, and the AndroidManifest file that requests either a custom VPN permission or the official Android BIND_VPN_SERVICE.

The team investigated the potential for malware, third-party library embedding and traffic manipulation. IPv6 and DNS traffic leakage was found in several instances, along with the use of insecure VPN tunneling protocols. Some apps even injected JavaScript programs for tracking, advertising and 'redirecting e-commerce traffic' to external partners!

  • 8% of the apps were identified as having malware (43% of this being classified as adware)
  • 18% of the apps used tunneling protocols without any encryption.
  • 66% of the apps didn't tunnel DNS traffic.
  • 67% of the apps embedded a third-party tracking library in the source code
  • 82% of the apps requested permission to access sensitive data such as SMS history
  • 84% of the apps didn't tunnel IPv6 traffic.

The researchers concluded that "despite the fact that Android VPN-enabled apps are being installed by millions of mobile users worldwide, their operational transparency and their possible impact on user’s privacy and security remains 'terra incognita' even for tech-savvy users."

So, after all that, here's a question for you: which VPN service do you use or do you run a home-brew VPN through your own router - and a secondary question would then be, what are your primary expectations of this VPN?

Edited by happygeek

Votes + Comments
Showing VPN some love....
0

Hey, actually you gave me info on how to choose a VPN better; I didn't think of that with the credit cards (good one). I am using a free TunnelBear account since they don't have LOGS and they are fast enough for me too :)

EDIT: and because it's free you get only 500MB data each month; also you can tweet about the service and you get +1GB free, so that's 1500MB per month.
Also, I have a question: how do you make those two hops (or more) and what VPN service are you using?

Edited by Stefan_1

0

I have to admit that for me, most of the time, anonymity isn't as important as encryption of traffic. I run my own VPN, but of the hosted services out there I have used Nord (they have a double VPN option and allow subs by Bitcoin, works OK on W10) and F-Secure's Freedome (good on Android from the security side of the fence, and speedy as well) when I've needed them. The double VPN option from Nord, for example, is as simple as checking that configuration for your connection and then choosing the countries you'd like to hop between. The interface shows the current server load for each, which helps in making an informed choice when it comes to likely connection speed.

0

I just had a client get upset over VPN. It was for another reason and I thought I'd share it here. First the cause of the failure.
The VPN GEO relocates the device.

That is, to the web, the device (PC, phone, pad, etc.) now looks like it is in the country that the VPN connects to the internet.

So this can be a problem as Netflix and other apps depend on geo location to set what content and more is available. Apps may use this to determine date/time and other formats/data.

Not all apps have an override on location so they melted down that apps were breaking and dare I write this? Whined that apps should be VPN and Geo location independent.

I had to write nope. You use the sword, you get to take a few cuts.

0

I had a very interesting conversation with some folks several years back. A friend and I were being recruited to join a startup VPN company. I know little about VPN and I didn't join the company, but a huge part of the conversation was the liability aspect as opposed to the technical aspects. If a client paying for VPN does something illegal, what liability does the VPN provider have and what level of cooperation should be offered regarding subpoenas, warrants, etc.? Along the lines of the San Bernardino terrorist attack and the FBI trying to force Apple to help decrypt the data, a VPN company could be in the same scenario as Apple regarding all sorts of real or imagined crimes.

In my community, it was not a hypothetical at all. The old NBC show To Catch A Predator held a couple of stings in my town right around the time I was considering joining this startup. Lots of the arrested folks were challenging the chain of custody of the online chats, blaming viruses, etc., Internet Service Providers were being subpoenaed, and there were a lot of calls looking to hire expert witnesses to explain how this all worked in order to establish reasonable doubt that the accused was knowingly chatting with underage teens.

The end result was that at that time (late 2007), at least where I was, it was really uncharted territory legally and we didn't consider it overly paranoid, with all the terrorism and pedophilia concerns, to think that we'd be sued and jailed and ostracized as enabling the bad guys ("If you have nothing to hide, why are you using VPN?"). Not good for business.

I took a pass on the startup and still don't understand VPN, but I came away from those meetings with the definite feeling that VPN wasn't nearly as anonymous and secure as its proponents made it out to be. I can't see ANY reason to keep the logs. No logs = no subpoenas for logs. I would not sign up with any company who gave me 500 MB free because they're clearly keeping track of stuff. And getting another GB for tweeting about it? Seems to defeat the anonymity and low-profileness right there.

0

Stefan_1: "I run my own VPN - What language is written in?"

To clarify, I have a router upon which I have installed my firmware of choice (DD-WRT) and I then run a hardened OpenVPN configuration over that...

I have also been known to run certain VPN services over the top of that, including double-VPN solutions, when connection speeds are less important than connection/data obfuscation :-)

Edited by happygeek

1

rproffitt: Of course, the geo-location option is one reason many people use a VPN. Here in the UK, for example, a VPN that has 'home-router' exit points can avoid the media network VPN exit point blacklist and enable out of territory usage. Horses for courses. Which is kind of the point of my article: a VPN isn't a privacy tool, although it can be, and it isn't just a security hardener either, although it can be :-)

2

AssertNull: VPN usage can be secure, but that rather depends on how you are measuring security of course. I'd recommend using a VPN (be that your own router homebrew or a subscription service - NEVER a free service IMHO) whenever you are using the Internet on a public/insecure connection somewhere such as a hotel, coffee shop or airport. That's just common sense. Would I recommend using a commercial VPN service if you were participating in something that was borderline (or out and out) illegal and you didn't want to get caught or you were doing something that TPTB might have an interest in? Nope. Would I change that recommendation if you had done your research properly into the service you were using, and had taken into consideration factors such as payment tracing etc? Yep. As for the legal liability side of things, I rather imagine that has long since been laid to rest by the VPN service providers or they wouldn't still be in business. Those that don't retain logs, any logs, so they cannot be forced to hand them over get my vote...

Votes + Comments
No logs. Good idea. Especially here.
1

I rather imagine that has long since been laid to rest by the VPN service providers or they wouldn't still be in business.

I wish I shared your optimism. You could be right. It could also be that there hasn't been a good test case yet in the legal courts/court of public opinion. Law students generally are of non-technical backgrounds, older, and the entire system, at least in the US, tends to lock the barn door ten years after the horse has escaped. Thus legislators and judges generally have no ability or desire to make informed decisions regarding stuff like DNA, encryption, lie detectors, etc., and rely on scientific expert witnesses in a very non-scientific environment to make case law. In my opinion, the Apple/San Bernardino case proves how little the general populace and the decision makers understand the technology and issues involved (ie the wishful thinking that Apple could "simply" find their own vulnerability, exploit it, have it used once and only once, and still have everyone consider the iPhone secure).

If I'm organizing rallies, I'm going to use VPN or something to make it less easy to trace to my home. And that's if I'm organizing NON-VIOLENT rallies. We're in a time where a lot of folks lump all protesters together as seditious and violent.

There was a very recent protest against that Milo guy at UC Berkeley which turned violent. The facts are at least slightly in dispute (ie were Molotov Cocktails actually thrown at police officers?). I'm not a cop basher, but they've been known to simply grab the nearest person in a crowd when things get violent. Consider this scenario or a terrorist cell that used encryption/social media/VPN as part of their TTP. The police or FBI (or insert British version in your case) knocks on your door and says "HappyGeek, terrorists are using your VPN service to blow up innocent people. It's your patriotic duty to help us stop them. If you don't tell us who it is, pack your toothbrush. You're going to Guantanamo Bay". Donald Trump tweets "HappyGeek helped terrorists kill innocent people. If the British people don't present him to me by high noon, I will bomb the UK". You're more optimistic than I am if you're confident that your neighbors won't turn you over.

You, of course, have deleted all the logs and CAN'T help them. Good luck explaining that while being waterboarded. Good luck convincing anyone that you weren't one of the Molotov Cocktail throwers and were instead simply peacefully protesting next to the bomb thrower, who you didn't encourage and who you didn't know.

Of course none of this SHOULD happen, but really, does anyone believe it can't happen if another 9/11 happens or a few San Bernardinos happen? What I remember most about the whole To Catch A Predator incident was that the police and the prosecutors knew absolutely NOTHING about computers and how it all worked and simply took the word of people who said they did understand it, something that would never happen if, say, the evidence in question was a gun. In my opinion, a lot of the "experts" exploited that ignorance and truth took a back seat.

We live in very interesting times. Not sure if this is a derail of your thread or in the spirit of where you want it to go.

Edited by AssertNull: Post was WAY too long. Shortened it. Still too long :)

Votes + Comments
Thanks for this. I use TAILS and as such may be an extremist.