What you need to know about securing your communication

So what are VPNs good for? VPN stands for Virtual Private Network and I believe the original use would have been to allow remote users to access a distant private network, like a company intranet. This is done in such a way that outside observers are unable to see what is being transferred over the public or external network.

Today many companies offer VPN access that will to some degree mask your origin on the internet and transport your data via a different IP address. This use of VPN services resembles a proxy, which also relays your traffic via an IP address registered to someone else, therefore masking your identity partially.

Many aspects of your traffic, as well as the services and usernames you use, may still identify you even when you are masking your original IP.

To select the right service for you, you need to know what you want to protect and what you may be revealing about yourself in the process. Using a VPN effectively makes most or all of your traffic unreadable to your ISP, though now the VPN provider sees what your ISP did earlier. This is because you will likely be using public services and need to connect to the open internet, so your traffic needs to exit the encrypted network somewhere. In both cases you are giving one party full visibility into your traffic and communication metadata. So from a security point of view, which do you trust more, your ISP or your VPN provider?

In some countries ISPs sell user data and browsing habits to advertisers. Some VPN providers have been known to do the same. So trusting your provider is very important.

What risks do you want to limit and who are you hiding from?

Most suitable uses for a commercial VPN service.

  • Geo-locating you to a different area or geo-unblocking
  • Shielding you from untrusted local networks
  • [For work] accessing your company network

Not guaranteed to help you with

  • Protecting your privacy
  • Protecting you from legal action
  • Hiding you from advertisers

Good advice

If you are looking for added security, some privacy, protection from local untrusted networks and the option to change your IP address, while not giving away all your browsing history and traffic metadata, consider running your own VPN service on a private server. This will at least limit your exposure in a better way than being a part of everyone else's juicy traffic on a shared VPN. It is less likely to get your traffic intentionally snooped in transit, and has a similar cost.

Things to consider

  • Jurisdiction and legal obligations of VPN owners / company
  • Logging
  • Authentication options and identifying information collected
  • Pricing and payment options
  • Other features to think about
  • HTTPS and TLS already help a lot
  • Running your own?
  • What is Tor and how could it help you?

Most countries have laws requiring companies to keep a certain level of logs by default and/or obligating companies to assist law enforcement by providing access to logs and traffic. Some countries have outlawed encryption outright. Some countries are known to collaborate with each other in gathering intelligence and monitoring online activity. Often countries monitor each other and share data when they would not be allowed to monitor their own citizens.

Apart from regulations forcing VPNs to keep logs, many are known to straight up lie about keeping logs. Only very few VPN providers have in some form proven that they do not keep logs; many more have been shown to actually keep logs or admit to it in their privacy policy.

Literally most services can be bad or malicious.

It also makes sense to look at who owns the services. Recently it was found that 44 VPN services are operated by just 7 companies. These companies have different histories and some have proven to not be very trustworthy. It seems that this particular business is in a place where many services choose to operate in offshore locations, which makes them free of many risks from governments, but also means there is much less regulation to keep them in check.

Authentication options and identifying information collected

Services differ wildly when it comes to requirements for registering an account. Think about what the company may do with the information that you give upon registration. Be careful with companies that ask for more than an email address. Some will try to ask for detailed information. At the other extreme, one provider will only assign you a unique account number, quite like the famous Swiss bank accounts.

Pricing and payment options

Another way you will be uniquely identified is your payment method. If you use a credit card or bank transfer, you can always be found by asking the payment processor. Many privacy-conscious VPN providers offer payment options like cash, cryptocurrency or even other services' gift cards. This way you will leave even fewer traces, but of course it may be difficult to ask for refunds.

And remember in many cases - if it's free, you are the product.

Other features to think about

Does the provider offer a custom app? These are not always secure and may contain nasty surprises. Some VPN software has been found to lack encryption or even include malware. So it is highly recommended to get a service that is compatible with known clients like the OpenVPN client. OpenVPN is open source and available on most popular platforms. Using an OpenVPN client gives you a degree of certainty that the encryption is well implemented (given that the right scheme is used) and that you are not installing malware without knowing it. There is a very good guide on selecting a VPN here. On the same site you can find a comprehensive comparison of most known VPN providers. Services are rated on many of the criteria I mention in this article. If you want to understand what VPNs do and how they work, this is a very informative site.

Another important privacy preserving aspect is how DNS is set up with your service. It is best if your VPN provider runs their own DNS servers. To avoid using your ISP's DNS you can use OpenDNS by Cisco or Google's public DNS. The trade-off here is of course that they will now see your browsing history, though they will not be able to access the content.
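One way to check who actually receives your DNS lookups while the VPN is up, as an added example that is not part of the original article: it reads resolv.conf-style text and labels each configured resolver. The sample configuration and the VPN resolver address 10.8.0.1 are constructed assumptions; the OpenDNS and Google addresses are the published ones.

```python
import ipaddress

# Published addresses of the two public resolvers the article names.
PUBLIC_RESOLVERS = {
    "OpenDNS": ["208.67.222.222", "208.67.220.220"],
    "Google Public DNS": ["8.8.8.8", "8.8.4.4"],
}

# Constructed sample: resolver config captured while a VPN tunnel is up.
SAMPLE_RESOLV_CONF = """\
# generated by network manager (constructed example)
nameserver 10.8.0.1
nameserver 192.168.1.1   # home router, forwards to the ISP
nameserver 8.8.8.8
nameserver 127.0.0.53
"""

def parse_nameservers(text):
    """Return the addresses on 'nameserver' lines of resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(line) >= 2 and line[0] == "nameserver":
            try:
                # Drop an IPv6 zone id (fe80::1%eth0) before parsing.
                servers.append(ipaddress.ip_address(line[1].split("%", 1)[0]))
            except ValueError:
                continue  # ignore malformed entries
    return servers

def classify_resolvers(text, vpn_resolvers=()):
    """Label each configured resolver by who gets to see the lookups."""
    known = {ipaddress.ip_address(a): "VPN provider" for a in vpn_resolvers}
    for operator, addrs in PUBLIC_RESOLVERS.items():
        for a in addrs:
            known[ipaddress.ip_address(a)] = operator
    report = []
    for ns in parse_nameservers(text):
        if ns in known:
            verdict = known[ns]
        elif ns.is_loopback:
            verdict = "local stub, inspect its upstream"
        else:
            verdict = "unexpected, likely router or ISP"
        report.append((str(ns), verdict))
    return report

if __name__ == "__main__":
    for addr, verdict in classify_resolvers(SAMPLE_RESOLV_CONF, ["10.8.0.1"]):
        print(f"{addr:16} {verdict}")
```

A loopback entry such as 127.0.0.53 only tells you a local stub resolver is in use, so its upstream servers need the same check.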

Keep in mind that VPN services are often advertised poorly and their effect on your security and privacy is often exaggerated. Many services offer affiliate deals where people get money for converting customers, which leads to dishonest tactics. If you have reason to believe you are in a hostile network, a VPN can be good for you. Be aware of the threats and understand which actions effectively mitigate the risk posed by those threats.

Good to know about https

Many sites these days offer a version that is protected by TLS or SSL encryption. This is usually evident from the address beginning with https:// and a little lock icon showing in your browser. TLS will encrypt your traffic to individual websites. It has been possible for some time to get free certificates from Let's Encrypt, which allow enabling https for any site. Browser extensions like HTTPS Everywhere will forward you to the https version of a site when it is available. This will in most cases protect your data from anyone in between you and the service, not just as far as your ISP or VPN service. It is especially important to use https to mitigate the risk that your providers may be watching your traffic. This will still allow them to see what addresses you visit and therefore possibly identify you.

I have compiled a list of recommended VPNs that I trust for one reason or another. You should do your own research on who you trust and consider your personal threat scenarios.

Running your own VPN

One option you have is to run your own VPN. I write more on this topic here.

What is Tor?

There is another option that is in some sense more sophisticated and answers a different combination of the needs in this article. I'll write about the Tor network soon. Then there is also the Tor Browser, which comes with secure defaults and routes its own traffic via Tor. Tor Browser is good for testing websites and geo-locating outside your own country. Many people use it to circumvent censorship or for a greater degree of anonymity, although trying to be anonymous on the internet requires some effort on the part of the user. I write about Tor here.


Posted by Peter
