Other issues in this category (82)
VPN: A false sense of security
Wednesday, January 11, 2023
In our issues of the Anti-virus Times, we’ve already mentioned VPN many times, and one of the articles was entirely devoted to this technology. In it we very simply talked about the principles of how virtual private networks operate. Nowadays, VPN is no longer just another obscure abbreviation from the world of computer networks. On the contrary, it is so popular that it has already become a generic term to indicate anonymity on the Internet. And, if originally this technology was designed for the corporate sector, now it is a truly mainstream tool designed to solve at least two urgent problems: accessing blocked resources and ensuring online anonymity.
Many years ago, anonymity on the Internet for ordinary users went without saying. To a certain extent, this was so because an Internet traveller’s digital footprint was not as obvious as it is now. Marketing, advertising, sales, and analytics had just started to appear online, so at that time sites were not attempting to learn literally everything about a user. Users themselves also did not often enter their personal data on sites. No payments, no giving consent to data processing, and no analytics or targeted advertising. Visiting blocked resources was out of the question. Phrases like "track by IP" were used jokingly. At the same time, of course, that anonymity was imaginary. Even back then, tracking and analysing a chain of HTTP requests from a particular user was possible from a technical point of view.
The mass understanding that in reality our digital life is transparent came later. As the Internet became part of day-to-day life for billions of people, the problem of anonymity and security became really relevant. In the current conditions, the popularity of VPN solutions has been assured–many users have wanted to be "invisible" on the Internet and hide their actions from outsiders. The market responded to this request, and now the magic word "VPN", which has become similar to a trademark, is presented as a panacea. Let's see whether VPN is synonymous with security and whether this coin has an opposite side.
Recall that a VPN connection should provide data encryption and conceal the "digital identity" of a user who is accessing some Internet resource. On paper, everything looks great and safe. Quite simply, the site you're connected to doesn't know that it was you who connected to it. In addition, an outsider cannot read or change the data that you are exchanging—that is to say they cannot see the actions that you are taking on the Internet.
Let's consider, for example, a blocked resource. When using a VPN connection, you are not accessing such a site directly. Instead, you are connecting to a VPN server that is run by a so-called operator. And this server, in its turn, is accessing the targeted resource on its behalf and transmitting you the answer. For the server, the site you want to visit is not blocked. Your communication with the VPN server is protected, and all the data transmitted is encrypted, so it is impossible to see the contents of requests and responses.
In practice, it's not that simple, unfortunately. Speaking about the dangers of the careless use of VPN, you can immediately identify one common and most important thing—and that is the false sense of anonymity and security. VPN operators promise you complete privacy and often recommend using the Internet via VPN servers. We already mentioned that when connecting to a VPN, you are giving the VPN operators complete control over your anonymity. It is important to understand that they can analyse all traffic and log it. Thus, you are hiding your activity from outsiders but also revealing all your cards to the operator that is providing you with VPN access. What happens next is a matter of the operator's honesty. If you are totally confident that the operator is not leaking your personal data today, what guarantee do you have that they will not do so tomorrow? Also, that specific company's employees who have access to user data can perform destructive actions. Therefore, it is worth remembering that the risk of data leakage and compromise always exists. Even when you entrust your data to an operator with an impeccable reputation.
There exist a huge number of private VPN server operators that offer everyone a free VPN connection. In this case, the issue of trust is especially acute because it is completely unclear what kind of person is using the server and whether they can be trusted. Technically, nothing prevents such an operator from creating a botnet using its users for subsequent sale or simply logging each action and transferring the information to "wherever it is needed".
Of course, don't forget about vulnerabilities. Any VPN connection uses a certain implementation of a particular protocol. For example, PPTP is still far from the most secure protocol. The presence of vulnerabilities that can be exploited by intruders undermines all the security and privacy of the VPN connection. It is almost impossible to know which implementations of protocols a particular operator is using. Or that they can ensure that they do not contain known vulnerabilities.
It's also worth noting that VPN doesn't even technically make you completely invisible. Even if you assume that an outsider cannot reveal the content of your encrypted “conversation” with a VPN server, they can still determine the actual fact and duration of the connection, and the amount of transmitted traffic. This already provides a lot of information if someone has set out to learn more about you.
Finally, let's mention the presence of disclosure signs of a VPN connection. Both your ISP and the destination site you're connecting to can determine whether you're connected using VPN. For example, the site can analyse the IP address of your VPN server as something that belongs to the hosting providers, compare the time zones of the VPN server and your computer, compare the correspondence between the language settings of your browser and the geolocation of the VPN server, and view the MTU of the network package. Each disclosure sign itself is of low importance, but in combination, they clearly indicate the use of VPN. In turn, the provider can analyse the connection protocol to the VPN server, the ports that are in use, and other meta data that are present at the connection initialisation stage. As previously mentioned, quite a lot of information is gathered about your connection: the fact that you are connecting to a certain VPN operator, the time and duration of the connection and the amount of information that is transmitted and received. And, it’s not as little as it may seem.
The Anti-virus Times recommends
- Always remember that VPN is no panacea, and it cannot guarantee complete anonymity and security. So use this technology wisely.
- Assess risks. Blind trust in a random VPN can be more expensive than getting a paid tariff package offered by a well-known provider.
- Your online activity will in any case leave a “digital footprint”. Careful and competent use of VPN will help make it less obvious, but it will not completely hide it.
- You should distinguish the difference between VPN and a proxy connection. In the latter case, your traffic is not additionally encrypted, as is the case with VPN. In addition, numerous browser extensions provided as VPN solutions work only with browser traffic and do not encrypt all Internet connections.
- A VPN connection does not eliminate the need to observe basic rules of safe behaviour on the Internet and use a reliable anti-virus.