Virtual Private Networks (VPNs) - The guardians of your online privacy

A Virtual Private Network (VPN) allows you to connect devices or networks together with a reliable and secure connection. Most frequently used in corporate environments to link offices in different geographic locations, a VPN allows the sharing of resources efficiently and securely. Their recent rise to fame is due mostly to the security and privacy offered by browsing the Internet through a VPN.

Introduction

When browsing the internet your Internet Service Provider (ISP) can see the sites you visit and the data you exchange unless it's encrypted. It's much the same on a public WiFi network: the network operator, and potentially anyone else on the network, can do the same, because your traffic passes through their hands. A VPN solves this problem by ensuring that any traffic leaving your device is encrypted between you and the VPN provider. This not only hides which websites you're visiting from those observers, it also ensures your traffic is encrypted even if the site doesn't use Transport Layer Security (TLS). It's all good and well that your traffic is encrypted and no one can see what you were doing on naughtylunchladies.com earlier, but sometimes simply knowing the sites you visit is bad enough without knowing exactly what content was exchanged. When you visit a website it can also determine your IP address, which can tell it where you are and possibly even who you are. Using a VPN when you visit a site results in the IP address of the VPN provider being disclosed, not your own.

How a VPN works

A VPN works by creating an encrypted tunnel between your device and the VPN provider. Normally when you browse the Internet, packets leave your device and head off to the server hosting the website you're visiting to request the page that you want. Once they get there and make the request, the site returns the page you were looking for. Even if the traffic is encrypted an attacker can still see that you were exchanging data with scotthelme.co.uk, for example, just not what that data was. In most circumstances that is enough protection, but if you want to take your privacy to the next step you need to use a VPN.

[Figure: no-vpn-http] When exchanging data via http:// an attacker can see the site you're visiting and the data you exchange.

[Figure: no-vpn-https] When exchanging data via https:// an attacker can see the site you're visiting but not the data being exchanged.

When using a VPN all of the traffic that leaves your device goes straight to the VPN provider and it's encrypted. This means that if an attacker is between you and your VPN provider they can't see what site you're visiting or what data is being exchanged. Instead of packets heading off to the website you're visiting like they normally would, they head straight to your VPN provider. From the VPN provider the packets then head off to their intended destination. If an attacker is located between your VPN provider and the website you're visiting, they can see that there is traffic heading to the site, but not who it is from.

[Figure: with-vpn-and-http] The encryption of the VPN tunnel protects traffic up to the VPN provider. After the provider the attacker would not know the source.

[Figure: with-vpn-and-https] The encryption of the VPN tunnel protects traffic up to the VPN provider and TLS protects it between the VPN provider and the destination.
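The four figures above, as a small runnable model (an added example, not code from the post): an inner packet addressed to the site is encrypted to the provider and wrapped in an outer packet addressed to the provider, which unwraps it and forwards it under its own address. The client and provider addresses are placeholders and the "ciphers" are a SHA-256 keystream XOR standing in for the real tunnel and TLS encryption.

```python
"""Toy model of what an on-path observer learns at two vantage points
(your local network / ISP, and the path beyond the VPN provider) with and
without a VPN, over http:// and https://.
Constructed example; placeholder TEST-NET addresses; the "encryption" is a
SHA-256 keystream XOR standing in for the real VPN and TLS ciphers."""
import hashlib
from dataclasses import dataclass

CLIENT_IP, VPN_IP = "192.0.2.10", "203.0.113.1"   # placeholder addresses
VPN_KEY, TLS_KEY = b"tunnel-key", b"tls-session-key"


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 keystream (same call decrypts)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class Packet:
    src: str        # source address: always readable on the wire
    dst: str        # destination address: always readable on the wire
    payload: bytes  # application data, clear or ciphertext


def send(site: str, request: bytes, use_tls: bool, use_vpn: bool):
    """Return (packet seen on your local network, packet seen beyond the VPN)."""
    app = _xor_stream(TLS_KEY, request) if use_tls else request  # TLS layer
    inner = Packet(CLIENT_IP, site, app)
    if not use_vpn:
        return inner, inner  # the same packet travels all the way to the site
    # VPN tunnel: the whole inner packet, destination included, is encrypted
    # to the provider and wrapped in an outer packet addressed to the provider.
    wrapped = _xor_stream(VPN_KEY, site.encode() + b"\0" + app)
    outer = Packet(CLIENT_IP, VPN_IP, wrapped)
    # The provider unwraps it and forwards it with its own address as source,
    # so beyond the provider the client address is no longer present.
    dst, _, payload = _xor_stream(VPN_KEY, outer.payload).partition(b"\0")
    return outer, Packet(VPN_IP, dst.decode(), payload)


def leaks(pkt: Packet, site: str, request: bytes) -> dict:
    """What an attacker holding `pkt` learns: the site name and/or the request."""
    return {"site": site.encode() in pkt.dst.encode() + pkt.payload,
            "request": request in pkt.payload}
```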

What should I use a VPN for?

Privacy

The recent surge in VPN usage can most likely be credited to the Snowden revelations about the PRISM spying program. If you use a VPN provider located in another country then your data goes all the way through your ISP and out of the country whilst protected. This prevents either one of them from tracking the sites you visit and viewing what data you exchange. A VPN also provides privacy by preventing the site you're visiting from knowing who you are. If you log in to the site and provide user credentials they will obviously know who you are, but if you're just browsing and want to remain anonymous, all the site will see is the identity of your VPN provider, not you.

Security

Using a VPN can mitigate a lot of the risks presented by Man in the Middle (MitM) attacks, especially when using a network like a public WiFi hotspot. Using a simple ARP cache poisoning attack or operating a rogue access point, an attacker can quickly and easily gain access to your traffic while you're out and about. When traffic is tunnelled through a VPN, even if the site doesn't use Transport Layer Security (https://), the attacker will not be able to view your traffic because it is protected by the encryption of the VPN tunnel.

Bypassing censorship

A common way for Chinese citizens to view websites that their government has blocked using the Great Firewall of China is to use a VPN. Because users can't access the site directly, as requests to the domain are blocked, a VPN allows the traffic to tunnel through the firewall and emerge in a country where there are no restrictions in place. The requests can then make it to the intended site and responses return through the VPN tunnel. VPNs have also become a lot more popular in the UK as ISPs are forced to block websites through the courts for copyright infringement. Sites like The Pirate Bay have been targeted specifically and chances are if you click any of these 3 links (link link link) from somewhere in the UK, none of them will work and you'll get a nice pretty block message.

Hiding your location

Many online streaming services like Netflix have content restrictions depending on what country you're based in, usually to satisfy copyright limitations. When using a VPN the web server will see your requests as originating from the VPN provider and not from your actual location. If you're based in the UK and the VPN provider is based in the USA, it will appear that you're in the USA. This will allow users to view content that would have been restricted for those outside the USA. Whilst I'm not sure of the legal ramifications of bypassing such restrictions, and you should probably check before doing something like that, it highlights how a VPN can mask your true identity and location quite effectively.

Problems with using a VPN

Privacy

Just like your ISP or the nasty hacker on your public WiFi hotspot, the VPN provider will have access to all of your traffic. It's important to pick a reputable VPN provider and check their policy on logging and data retention to see if it suits your needs. Most of the risk can be mitigated by browsing sites using https:// where possible, but there is always going to be some unencrypted traffic they can access. A VPN is great if you genuinely want to be more anonymous and private online by masking your identity. The common assumption that a VPN company can protect you when conducting illegal activity has quite spectacularly blown up in the face of a few hackers, including Cody Kretsinger from hacker group LulzSec.

Bandwidth

Some VPN providers may not be able to offer you enough bandwidth to match what your Internet connection is capable of. This could result in reduced download and browsing speeds. When you're connected to the VPN provider you're effectively sharing their Internet connection. During busy periods with a lot of users online, or if they operate a bandwidth throttling policy, this could have an impact on you. VPN providers can also have bandwidth caps in place to limit how much data you can send through their network in any given time period. Check what restrictions the provider has in place before signing up and make sure they are enough to cater for your needs. If there is a free trial period you should definitely take advantage of it and try the service out.

Device Limits

Another thing to look out for on VPN providers is the number of simultaneous connections you're allowed to the network. When you're out and about you may want your laptop, tablet and phone to be secure when using a public WiFi hotspot, so all 3 will need to be connected to the VPN. It's not so bad at home if your router supports a VPN connection, as every device in your house can sit behind it, but it's a restriction you may need to consider. Out of the 10 or so providers I have looked at most provide enough connections, or no limits at all, so it shouldn't be a problem.

Availability

It is going to happen. One day, you will fire up your tablet or laptop and that connection to the VPN just isn't going to work. They could be having some minor hiccups or it's just one of those days, but you're not getting connected. Whether or not this represents a serious problem really depends on why you need the VPN in the first place. If you're in China, you can wave bye bye to Facebook and Twitter, or if you're a reporter behind foreign borders you may not want to browse at all without protecting your identity. Service downtime can be anything from a minor inconvenience to a serious problem. This is another good reason to read up on a provider before signing up and ensure they have a reliable service.

Latency

When adding a VPN into the mix there are going to be increased delays. There is the additional overhead of the VPN provider decrypting your traffic and then forwarding it on to the destination, and then the re-encryption and transmission on the return journey. With a good provider this delay will likely make very little, if any, discernible difference. You might struggle with latency-sensitive applications like online gaming, but for general browsing or downloading you will likely be just fine.

Protocol

When connecting to a VPN there are different protocols available and naturally some of them are more secure than others. PPTP only offers very basic protection and you should use alternatives where available. It was first introduced in Windows 95 after all... Next up is L2TP/IPsec, which comes built in to most operating systems these days and is easy to set up. If it's done right using a good crypto algorithm like AES you won't really have a problem with L2TP/IPsec from a security standpoint, but it's not quite as efficient as the other commonly available protocol, OpenVPN. As a relatively new technology OpenVPN is more secure and efficient than L2TP/IPsec but is a bit more involved in terms of setup and config. If you can use OpenVPN it is recommended, but don't worry too much about using L2TP/IPsec if you need to.
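As an added illustration of the "more involved" OpenVPN setup (an example profile written here, not the author's or any provider's), this client config shows the settings that matter for the privacy goals in this post: AES on the data channel, certificate checks that stop a rogue gateway impersonating the provider, and all traffic forced through the tunnel. The hostname, file names and OpenVPN 2.5+ directive names are assumptions.

```conf
# Example hardened OpenVPN 2.5+ client profile (added illustration).
# vpn.example.net, the port and the file names are placeholders.
client
dev tun
proto udp
remote vpn.example.net 1194
nobind
resolv-retry infinite
persist-key
persist-tun

# Trust only certificates chained to the provider's CA, require a *server*
# certificate, and pin the expected name so another client's certificate
# cannot be used to pose as the gateway (the MitM case described above).
ca ca.crt
cert client.crt
key client.key
remote-cert-tls server
verify-x509-name vpn.example.net name

# Encrypt and authenticate the control channel with a pre-shared key, so the
# TLS handshake itself is hidden from an on-path observer.
tls-crypt ta.key

# AES-GCM for the data channel, SHA-256 HMAC, and no TLS below 1.2.
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2

# Route ALL traffic via the tunnel. Without this only the VPN subnet is
# routed and the ISP still sees every site you visit. DNS must go the same
# way: providers normally push a resolver (dhcp-option DNS), and on Windows
# block-outside-dns stops queries leaking to the local resolver.
redirect-gateway def1

# Don't keep the password in memory between reconnects; moderate logging.
auth-nocache
verb 3
```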


Jurisdiction

Whilst using a VPN in another country can be beneficial it can also bring with it some concerns. Laws may require a VPN provider to log more or less data than your country of residence, depending on where they operate. You should check that the provider doesn't log any more information than is legally required and that there aren't any strict data retention laws they are bound by. VPN companies that operate out of some jurisdictions are not bound by any data retention laws nor are they required to log user activity. On that note you should also check the provider's privacy policy and make sure they don't share data with any third parties at all, ever.

TorrentFreak have written a very nice article covering a large number of the mainstream VPN providers asking for information regarding the level of privacy and anonymity they can provide. That's a good place to start your search for a VPN provider though there are many other resources online too. Whilst a VPN is not the complete solution to anonymity online it will get you, I'd say, well over 90% of the way there if done properly. Even basic masking of your traffic to prevent your ISP selling your browsing habits is worth the low cost of a VPN solution.

Scott.
Short URL: https://scotthel.me/VPNs

About Scott
Researcher, blogger and international speaker. I'm the creator of report-uri.io and securityheaders.io, free tools to help improve online security.