Saturday, April 14, 2012

Talking about VPNs and security...

Now that we are over with the formalities, let's start talking about what VPNs are and why people sell and buy them. After all, yosti is some sort of VPN provider.

Start from Google, Bing, or your favorite search engine. Look for the term "VPN", click on the ads, and see what people have to offer. You will find two kinds of "VPN providers": those that offer some hardware or software solution so you can make your corporate resources accessible from anywhere, and those that sell VPNs as a service.

Among those selling VPNs as a service, many seem to be making money by providing security and/or access to services that would otherwise not be available in your country. This is the kind of VPN provider the rest of this article is about.

When you pay for one of those VPNs, you are basically paying for the privilege of sending them encrypted traffic. This traffic gets to their servers, which take care of decrypting it and forwarding it to the Internet from their own IP addresses, making it look like it originated there.

How much you pay generally depends on which protocol you use, how much bandwidth you need, whether you want your traffic to appear as coming from different countries, whether you need a static IP, and how often you want to change your IP address.

So, why do people buy VPN services? If you read many of the comments online, and carefully read their web sites, it seems like security is one of the big selling points.

When you use any kind of network and you visit a web site, your computer needs to connect to the server where the site runs and download the pages you want to view. To do so, it sends a request to the remote server with your IP address stamped on it, so the remote server can actually send you back the pages you wanted to view to begin with. There is no way around it: if you need data back, the servers need to know where to send it. It's how the Internet works.

This means that the remote server and any network between you and the remote server will know your IP address. By looking up your IP in a database like the one offered by this company, they can guess where you are, and show the location on the web page. Not that they generally care, but people tend to freak out when they realize that any web site they visit can in fact detect the city where the couch they are sitting on is.

If you use a VPN to connect to the site, the remote server will see the address of the VPN provider instead of yours. It will not see your IP address. Your VPN provider will still know who you are, and unless you use some privacy-enhancing proxy or some sort of filter on your connection, your browser and your computer will still be exposed to many different attacks. Think about how much they can know about you by looking at cookies, by using JavaScript, or by exploiting some vulnerability in your Flash player or in your browser.

And... even hiding your IP address is generally not that effective in protecting your identity. If you do anything illegal, or they really want to track you down, they can still come and find you. They know the VPN provider, and the VPN provider knows your IP and probably your credit card number with the billing address. If you really care about security, a good read could be the EFF Surveillance Self-Defense site.

The other protection a VPN offers you is encryption. Whenever you connect to the Internet from a wireless network, your hotel room or an airport, the guy sitting a few chairs from you with the long beard and the funky flip flops might be snooping on your connections, using something as simple as Wireshark or tcpdump. Using a VPN here helps, as it forces most of your traffic to be encrypted, in a way that makes it generally hard for anyone but you or your VPN provider to actually decrypt it. Note that I used "most" and "generally hard" in the last sentence, as that really depends on how the VPN is configured and which software is being used. However, now is not the time to talk about this; we will post a separate article about VPNs, technology and encryption.

But... do you really need this kind of protection? Does it really buy much? Are you sure? In the modern Internet, when you go to a site and do anything confidential, you should check that there is a small closed lock in your browser, and that https is being used. That small lock tells you that the connection is encrypted all the way from your browser to the remote Internet site. And if it is not, don't forget that the traffic from your VPN provider to the site you are connecting to will still be in clear text, easy for anyone to steal.

The VPN will protect you against the bearded guy you can see sitting two chairs from you and every possible snooper between you and the VPN provider, but not against the bearded guy you cannot see messing with fiber optics or routers two links down from your VPN provider.

Again, if you visit a site containing malware, viruses, or in general malicious content, that content will still get to your browser. If somebody on your network has a virus, chances are that the virus will still try to attack your computer, VPN or not.

The lesson here is that if you buy a VPN to protect your online identity, it's no holy grail. It can get you an additional layer of protection, but how important that layer is and how effective... it really depends on you. You still need to be careful about what you do online, who you trust, and which sites you connect to. The main question you need to answer is what (or who) you are trying to protect against.

There is so much more to talk about, but this article is already too long. In the next few articles, we will talk about the various VPN protocols, and how VPNs can actually allow you to access content that would not otherwise be available from your country.

My suggestion for the day? If you really need to protect your identity online, rely on something like Tor, together with tools like Privoxy, and some good malware / trojan / spyware filter. If you are paranoid, run your browser in a virtual machine, and don't forget that tools like this one can detect your OS and browser even if you change the user agent. And of course, always keep in mind who you are putting your trust in.


  1. Saw a link to this article on Reddit and really enjoyed it. Please make sure you continue the series as you say you will :) Thanks!

    1. Thanks :) I'm already working on the rest of the articles!

      The next one, though, will be about a slightly different subject: how to make Linux harder to attack. This was inspired by a few conversations I have seen recently on Reddit, and random questions from friends.

  2. Being a regular reader and a writer, I really enjoyed this article. It's totally informative and a little critical about VPN providers. Keep writing, YOSTI.. :)