SANS ISC: Consumer VPNs: You May Be Fine Without

If you are watching YouTube videos, you may have noticed how many of them include sales pitches for various VPN providers. Here at the Internet Storm Center, we do regularly receive offers for paid articles, or requests for podcast pitches, from VPN providers or "VPN Review Guides". VPNs have certainly become a new hot business.

In generic terms, VPNs promise a more secure and private way to use the internet. They do deliver on some of these claims, but I think they also overpromise.

Let's start with some threat scenarios. I think it does not make much sense to talk about security without a clear threat in mind that you are defending against.

1. Coffee Shop Wifi

So you are using Wifi at a local coffee shop. A VPN will in almost all cases sufficiently protect your traffic. There are a handful of VPN providers that were caught in the past not encrypting at all. Those are the exceptions, and if you are going with one of the heavily advertised name brands, you should be good in this case. The content of your traffic as well as the nature of the sites you visit should be difficult to detect for anybody else in the coffee shop (well, maybe not if they set up an IPv6 router and your VPN doesn't protect you from the IPv6 leak attack).
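The IPv6 leak mentioned above is easy to audit on a Linux client. The following is an added example, not code from the diary: it parses the output of `ip -6 route show` and reports any interface other than the tunnel (assumed here to be named `tun0`) that would actually carry IPv6 default traffic. It honors longest-prefix match, so the `::/1` plus `8000::/1` split that many VPN clients install is recognized as covering the default. The three routing tables inside the block are constructed samples.

```python
"""Check `ip -6 route` output for IPv6 traffic that would bypass a VPN tunnel.

Added example, not code from the ISC diary. Assumptions: a Linux host, the
VPN tunnel interface is called tun0 (hypothetical name), and the routing
table was captured with `ip -6 route show`. The sample tables below are
constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Set

KERNEL_DEFAULT_METRIC = 1024  # used when a route line carries no explicit metric


@dataclass
class Route:
    prefix: str   # "::/0" for "default", otherwise the printed prefix
    dev: str
    metric: int


def parse_ip6_routes(text: str) -> List[Route]:
    """Turn `ip -6 route show` lines into Route records.

    Lines starting with unreachable/blackhole/prohibit are deliberately
    skipped: such a route drops traffic instead of forwarding it, so it
    cannot leak anything.
    """
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] in ("unreachable", "blackhole", "prohibit"):
            continue
        prefix = "::/0" if fields[0] == "default" else fields[0]
        dev, metric = None, KERNEL_DEFAULT_METRIC
        for i, tok in enumerate(fields[:-1]):
            if tok == "dev":
                dev = fields[i + 1]
            elif tok == "metric":
                metric = int(fields[i + 1])
        if dev is not None:
            routes.append(Route(prefix, dev, metric))
    return routes


def effective_default_devs(routes: List[Route]) -> Set[str]:
    """Interfaces that really carry IPv6 default traffic.

    Longest-prefix match decides first: if both ::/1 and 8000::/1 exist
    (the split many VPN clients install) they shadow any ::/0 route entirely.
    Among routes for the same prefix, the lowest metric wins.
    """
    def best_dev(prefix):
        cands = [r for r in routes if r.prefix == prefix]
        return min(cands, key=lambda r: r.metric).dev if cands else None

    present = [d for d in (best_dev("::/1"), best_dev("8000::/1")) if d is not None]
    if len(present) == 2:
        return set(present)             # both halves covered; ::/0 is shadowed
    devs = set(present)
    whole = best_dev("::/0")
    if whole is not None:
        devs.add(whole)
    return devs


def ipv6_leak_interfaces(text: str, vpn_iface: str) -> List[str]:
    """Interfaces other than the tunnel that would carry IPv6 default traffic.

    An empty list means no leak: either everything goes into the tunnel or the
    host has no usable IPv6 default route at all (nothing to leak).
    """
    devs = effective_default_devs(parse_ip6_routes(text))
    return sorted(devs - {vpn_iface})


# Constructed sample: VPN up, but IPv6 still follows the coffee shop's router advertisement.
LEAKY_TABLE = """\
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
"""

# Constructed sample: the VPN client installed the ::/1 + 8000::/1 split into the tunnel.
PROTECTED_TABLE = """\
::/1 dev tun0 metric 50 pref medium
8000::/1 dev tun0 metric 50 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
"""

# Constructed sample: no IPv6 default route at all (link-local only).
NO_IPV6_TABLE = "fe80::/64 dev wlan0 proto kernel metric 1024 pref medium\n"


if __name__ == "__main__":
    for label, table in (("leaky", LEAKY_TABLE), ("protected", PROTECTED_TABLE), ("no IPv6", NO_IPV6_TABLE)):
        leak = ipv6_leak_interfaces(table, "tun0")
        print(f"{label:10s}: {'LEAK via ' + ', '.join(leak) if leak else 'ok'}")
```

On a real host, feed the function the output of `ip -6 route show` together with your tunnel's interface name; a non-empty result means IPv6 destinations are reached outside the tunnel even though the VPN is up.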

On the other hand, even without a VPN you may be in pretty good shape. With 80+% of websites using HTTPS, and browsers/operating systems implementing DNS over HTTPS, you pretty much already have all the protection a VPN would give you. It is actually more secure than you may think to use coffee house Wifi for online banking.

An alternative solution of course: Tether to your phone. LTE will also avoid a lot of the layer 2 issues that you may run into. But as a (former?) frequent traveler, I can attest to the spotty performance of this option and I have often been "pushed" to insecure Wifi as a result.

2. Private Home Browsing

Many high-speed internet connections come with a more or less static IP address. This may allow an adversary (advertiser) to track you. Using a VPN will allow you to obtain a more dynamic IP address in a location not associated with you (this can, of course, also be used to bypass some content restrictions). Overall, this works well. But be aware that some sites will just outright block connections via VPNs. In addition, most "tracking" doesn't use IP addresses. Instead features like cookies are used, and VPNs will not affect that tracking at all unless they inspect content, which opens up other problems.

You will also conceal your traffic from your ISPs. While ISPs have been seen inspecting and even modifying traffic, all you do is replace your ISP with your VPN provider. VPN providers are not immune to the same commercial pressures as ISPs.

Some VPNs promise faster connection speeds. The argument is that some ISPs will slow certain traffic, for example BitTorrent or traffic to certain streaming sites. A VPN conceals the nature of the traffic and makes it more difficult to apply these types of rules. In my experience, the opposite is true: ISPs currently do very little filtering like this, and a VPN will almost always lead to a lower-performing connection due to the overhead it adds. You may also run into bottlenecks in the VPN infrastructure.

3. Nation-State / Government Attacks

All countries I am aware of have some form of lawful intercept legislation requiring telecom providers like ISPs to provide access to customer traffic. Encryption is, of course, one primary defense against this kind of data collection. In most cases, VPN providers are subject to the exact same laws. While some offer "no logging" (which has often been shown to be a false claim), once they receive such an order they will likely not be able to say "no", unless they are located in a country that makes these orders difficult to obtain. In this scenario, you will need a VPN provider and endpoint in a different country than yours. Some countries are known to outright block VPN connections for that reason, making setting up a well-performing and reliable VPN connection difficult. If you are afraid of traffic interception while traveling to a foreign country: You are almost always better off connecting to a VPN server with a custom configuration at home vs. using commercial VPN providers. Commercial VPN providers use well-known servers that are easily blocked. Modern HTTPS/DoH may again provide almost the same level of security as a VPN.

What Do VPNs not Do?

VPNs will not protect you from malware or from visiting malicious sites unless the VPN provider is inspecting your traffic. Even then, a decent up-to-date endpoint protection suite is likely a lot better than what the VPN provider is doing. And inspecting traffic is exactly what you are usually trying to avoid. In most of the scenarios discussed above, the attacker is more likely to attack you via the endpoint than to bother intercepting your traffic.

The same is true for tracking. As mentioned above, you can still be tracked via good old cookies and similar techniques. In most cases, VPNs do not make tracking significantly more difficult.

You are replacing one choke point, your ISP, with another, the VPN provider. VPN providers are far less regulated and monitored than ISPs. As recent leaks have shown, VPN providers promising no-logging have actually been logging customer traffic. VPN providers are subject to the laws of the countries they operate in and have to collect and make available logs according to those laws.

What Alternatives Do I have?

As mentioned above: An up-to-date system with a browser configured to use DNS over HTTPS will give you 90% of what a VPN will get you (of course, you may have similar trust issues with the DoH endpoint you select).
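To make concrete what "DNS over HTTPS" changes on the wire, here is an added example (not from the diary) in Python: it serializes an ordinary DNS query, wraps it into the RFC 8484 GET form that browsers send to their DoH resolver, and decodes a constructed response, compression pointer included. The resolver URL https://dns.example.net/dns-query and the answer address 192.0.2.1 are placeholders; the block performs no network access.

```python
"""Build and decode a DNS-over-HTTPS (RFC 8484) GET request.

Added example, not code from the ISC diary. It shows what "DNS over HTTPS"
means on the wire: the ordinary DNS query is serialized, base64url-encoded
and carried inside an HTTPS request, so an observer on the coffee shop
network sees a TLS connection to the resolver rather than plaintext DNS.
Assumptions: the resolver URL https://dns.example.net/dns-query is a
placeholder, the answer 192.0.2.1 (TEST-NET-1) is constructed, and no
network access is performed.
"""
import base64
import struct
from typing import List, Tuple

A_RECORD = 1
IN_CLASS = 1


def build_dns_query(name: str, qtype: int = A_RECORD, txid: int = 0) -> bytes:
    """Serialize a recursive DNS query. RFC 8484 recommends ID 0 for DoH GET
    so identical queries produce identical, cacheable URLs."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, IN_CLASS)


def doh_get_url(resolver_url: str, wire: bytes) -> str:
    """RFC 8484 GET form: ?dns=<base64url of the wire query, padding stripped>."""
    param = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={param}"


def _read_name(wire: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = wire[offset]
        if length & 0xC0 == 0xC0:                # compression pointer
            pointer = ((length & 0x3F) << 8) | wire[offset + 1]
            if not jumped:
                end = offset + 2                 # resume after the first pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_a_records(wire: bytes) -> List[Tuple[str, str, int]]:
    """Return (name, address, ttl) for every A record in the answer section."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", wire[:12])
    offset = 12
    for _ in range(qdcount):                     # skip the echoed question
        _, offset = _read_name(wire, offset)
        offset += 4                              # qtype + qclass
    records = []
    for _ in range(ancount):
        name, offset = _read_name(wire, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", wire[offset:offset + 10])
        offset += 10
        rdata = wire[offset:offset + rdlen]
        offset += rdlen
        if rtype == A_RECORD and rclass == IN_CLASS and rdlen == 4:
            records.append((name, ".".join(str(b) for b in rdata), ttl))
    return records


def build_sample_response(query: bytes, address: str, ttl: int = 300) -> bytes:
    """Constructed resolver answer: same ID, flags 0x8180 (response, RD, RA),
    the question echoed back, one A record with its name compressed to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in address.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_RECORD, IN_CLASS, ttl, 4) + rdata
    return header + query[12:] + answer


if __name__ == "__main__":
    query = build_dns_query("example.com")
    print("GET", doh_get_url("https://dns.example.net/dns-query", query))
    answer = build_sample_response(query, "192.0.2.1")
    print("answer records:", parse_a_records(answer))
```

Because the whole DNS message travels inside the HTTPS request, someone on the coffee shop network only sees a TLS session to the resolver; the resolver itself still sees every name you look up, which is the trust issue the paragraph notes.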

You could set up a VPN server at home. This is a great solution if you are mostly concerned about privacy while traveling. It will also give you secure access to systems in your house and is not terribly difficult to set up. As an alternative to a home system, a VPN server on a cheap cloud provider may work as well; the price of a simple cloud server is comparable to some VPN providers. Or better: set up a complete virtual system in the cloud and use its browser. This will probably give you the best protection from malware and tracking if you "reset" the system often.

Having a VPN available from a reputable company is a good option if you would like to occasionally watch a movie only available in a different country, or if you would like to add some privacy when browsing. But understand the limitations: it will not protect you from ransomware if you keep turning off your anti-malware solution and run Excel macros that arrive in various emails.

I will not recommend a VPN provider. Do your homework, search recent news for VPN providers who leaked data (or didn't encrypt traffic at all). If you are a VPN provider and are looking for a guest appearance on my daily podcast: The only guests I feature are SANS.edu students who score As on their research paper. So have your marketing person sign up for the SANS.edu masters program, and I will feature them once they submit a research paper and receive an A grade.

Additional Reading:

Study about trackers in Android VPN Software: https://research.csiro.au/isp/wp-content/uploads/sites/106/2016/08/paper-1.pdf
Recent VPN Data Leaks: https://www.welivesecurity.com/2020/07/20/seven-vpn-services-leaked-data-20million-users-report

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
ISC Handler
Jul 29th 2020
Thanks Johannes.

This space is made more interesting by Mozilla's launch of a (rebranded) VPN service earlier this month.

Also, Alec Muffett's recent finding that Tor Browser leaks HTTPS secure cookies to HTTP sites makes things even more tricky.
DomMcIntyreDeVitto

> VPN providers are not immune to the same commercial pressures as ISPs.

In the US, most people only have 1 (or maybe 2) choices for an ISP. The ISPs know this and treat us poorly because they can. There are many VPN providers (although not all of them good). I can switch whenever I want. That alone shifts some power back to me, the consumer.

> You will also conceal your traffic from your ISPs.

(Again, referring to the US) In 2017, Trump signed a law allowing the ISPs to collect and sell our surfing history. While the content may be encrypted, the sites are not. Researching an embarrassing disease? That's for sale. Maybe you don’t look at porn on the internet, but if you did, I’ve got some bad news: that history is going up for sale, too.

> Some countries are known to outright block VPN connections for that reason, making setting up a well-performing and reliable VPN connection difficult.

True, but at least you know *YOU* are being monitored, as opposed to "it happens, but only to other people". Better than not knowing.

> If you are afraid of traffic interception while traveling to a foreign country: You are almost always better off connecting to a VPN server with a custom configuration at home vs. using commercial VPN providers.

What percent of the population even knows how to set up their own custom VPN server? Using a commercial solution is easy.

> most "tracking" doesn't use IP addresses. Instead features like cookies are used

True, but there are defenses against that, including private browsing. You could also select a European country as your VPN exit server. The websites think I'm European and the GDPR applies.
R

