The Problem With VPNs

in #privacy, 7 years ago


In 2011, Cody Kretsinger, a hacker working for LulzSec to break into the Sony Pictures website, was sentenced to 15 years in prison. His VPN provider, HideMyAss, exposed him to the authorities.

The FBI was able to trace an IP address used during the hack back to one of HideMyAss’s servers, and under court order, HideMyAss revealed Kretsinger’s identity.

Incidents like this raise questions about the effectiveness of commercial VPNs as anonymity tools.

Let’s begin by saying that I do not condone criminal activity of any kind. This article is just intended to be informational as to the effectiveness of VPN services.

A VPN (Virtual Private Network) encrypts your browsing traffic and sends it to a server owned by your VPN provider, which in turn fetches the web page on your behalf and returns it to your browser. In theory this hides your browsing habits from your Internet Service Provider (ISP), since the traffic between your machine and the VPN server is encrypted, and hides your location from the websites you visit, since they only see the VPN server's address.

VPNs are mainly used to:

  • Change locations and gain access to geo-restricted content, as well as bypass censorship
  • Protect sensitive information (such as banking data) on insecure networks
  • Perform illegal activities, such as Torrenting/P2P file sharing to download pirated material unbeknownst to one’s ISP.
  • Hide online activities from one's ISP or government (the main issue I will discuss).

VPNs work well for changing location, but for the other uses a faulty VPN can render the protection useless.

The crucial issue with the concept of a VPN is that the end user is at the mercy of the middleman for privacy. Your VPN provider can monitor everything you’re doing online while using their service.

Even if they claim that they don’t keep logs, you can’t verify this, so the only safe assumption is that they are monitoring your online activities.

Their servers are also a potential target for hackers, who could be monitoring sensitive data, such as banking information, although this risk is minimal. Your VPN provider monitoring your data is a much higher risk.

There are two main alternatives to commercial VPNs:

  • Using an open source project such as Algo or Streisand to configure a rented VPS (Virtual Private Server) to act as a VPN server
  • Using the TOR network

The distinction between a VPS and a VPN is important: a VPS is a plain server, usually a virtual machine rented from a commercial provider. The abbreviations look alike, so do not confuse them.

Algo or Streisand

As for the first method, a user could rent a cheap barebones virtual machine from a small provider. LowEndBox has lists of great deals for various locations.

This method can also be compromised by the middleman (in this case, your VPS provider), but you are less likely to be monitored, as VPS providers aren't specifically targeting users with sensitive information. They just provide generic servers.

In contrast, VPN providers specifically seek users in need of privacy, so these are more likely to be honeypot schemes, as monitoring data from such users tends to yield more interesting results.

Since you control the server and the VPN protocol, you can configure the setup to your own needs, and you can erase the server at any time. Renting a VPS is also significantly cheaper than paying for a commercial VPN, which is one of this method's most significant benefits.

This method has the following downsides:

  • You only have access to the location of the rented VPS, while most commercial VPN providers have hundreds of servers spread across the globe. If the IP of your rented VPS gets blacklisted, you cannot switch servers.

  • Commercial VPN services have competent IT teams to fix server issues. If your server or client program is misconfigured, you’re on your own.

  • Although both Streisand and Algo are easy to use, issues are always possible and neither solution is recommended for anyone who isn’t decently literate in tech.

  • Most cheap VPS providers have data caps, which is something to consider if you're planning on using the server to download lots of files or torrent.

  • Commercial VPN servers are hubs of many simultaneous connections and activities, so your activities will be lost in the crowd. Using this method, any browsing activities (with some work) can be traced back to you, which is a consideration if you need a high level of privacy.

  • If you do want to use this method for anonymity, do whatever you can to hide your identity from your VPS provider. Pay in Bitcoin, or preferably Monero (if it is accepted), to avoid being identified, and use common sense.

TOR

The Onion Router (abbreviated TOR) works by passing your connection through several nodes, each of which can only see the IP addresses of the nodes directly before and after it. The network is run by volunteers, and has been praised for helping whistleblowers and dissidents express their views free from persecution. It is also used to access darkweb markets.
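To illustrate why a relay learns only its neighbours, here is an added toy simulation of a three-hop circuit (not from the original post, and not Tor's real protocol): the client wraps its request in one encryption layer per relay, and each relay can strip only its own layer. The relay addresses, keys, destination and the SHA-256-based stream cipher are all constructed stand-ins.

```python
import hashlib

# Constructed example circuit: (relay address, key shared with the client).
# Real Tor negotiates these keys per hop; here they are fixed for illustration.
CLIENT = b"10.0.0.7"
CIRCUIT = [(b"guard.example", b"k-guard"),
           (b"middle.example", b"k-middle"),
           (b"exit.example", b"k-exit")]
DESTINATION = b"tracker.example:6881"

def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode), a stand-in for the real
    per-hop AES-CTR layers. XOR makes encrypt and decrypt the same call."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)

def build_onion(payload: bytes, circuit, destination: bytes) -> bytes:
    """Wrap payload so each relay's key opens only its own layer, which
    reveals the next hop and an opaque blob meant for the relay after it."""
    next_hops = [addr for addr, _ in circuit[1:]] + [destination]
    blob = payload
    for (_, key), next_hop in reversed(list(zip(circuit, next_hops))):
        blob = _keystream_xor(key, next_hop + b"|" + blob)
    return blob

def peel_layer(key: bytes, blob: bytes):
    """One relay's work: strip its layer, split off the next-hop address."""
    next_hop, _, inner = _keystream_xor(key, blob).partition(b"|")
    return next_hop, inner

def relay_views(client: bytes, onion: bytes, circuit):
    """Forward the onion through the circuit, recording what each relay
    observes: who handed it the cell, where it sends it, what it can read."""
    views, blob, prev = [], onion, client
    for addr, key in circuit:
        next_hop, blob = peel_layer(key, blob)
        views.append({"relay": addr, "from": prev, "to": next_hop,
                      "readable": blob})
        prev = addr
    return views

if __name__ == "__main__":
    onion = build_onion(b"GET /announce", CIRCUIT, DESTINATION)
    for v in relay_views(CLIENT, onion, CIRCUIT):
        print(v["relay"].decode(), "sees", v["from"].decode(), "->",
              v["to"].decode(), "| payload legible:",
              v["readable"] == b"GET /announce")
```

Running it shows the guard seeing the client but not the destination, the exit seeing the destination and plaintext but not the client, and the middle relay seeing neither.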

Of all three options (commercial VPNs, VPS hosts, and TOR), TOR is by far the most private and secure. The network is widely viewed as totally anonymous, although several potential vulnerabilities and attacks have been suggested. Tor's slow speed makes torrenting impractical, and a misconfigured client can leak P2P traffic outside the Tor network, where your ISP can easily monitor and detect it.

The Best Option

There really is no clear-cut answer.

Commercial VPNs do work for changing location and could be used to protect data such as banking information on insecure networks. They are also easy to use for the average consumer, but there is always the risk that your provider is monitoring your connection, so unless you really trust your provider, you should use one of the other methods if you are transmitting sensitive data.

If you want a cheaper option that's likely more secure than a commercial VPN, configuring a rented VPS with Algo or Streisand is the way to go, but there is some risk if you get the setup wrong. If you misconfigure it, all the benefits of a VPN are lost. This method will not work well for anonymity.

For anonymity, neither one of the first two options will cut it. For this, the best method is undoubtedly TOR. It is worth noting that either of the first two options can be used with TOR as an extra layer of security.

As for torrenting, there is no perfect solution. VPNs and rented VPSs are not completely private and are risky to use, although a definite improvement over a plain unencrypted connection. TOR, although secure, is very slow and can be misconfigured. If you are planning on torrenting, either a commercial VPN or a configured VPS is probably your best option. Neither is foolproof, so you should know the risks before you torrent using either method. There is always a possibility of getting caught. The only completely foolproof solution is not to torrent at all.

Thank you for reading!

If this post helped you, or at least opened your eyes, please upvote. I will donate the proceeds to the World Food Program.


Nice post! A few comments I'd add:

  1. A third alternative is SSH tunneling.
  2. Tor commentary probably should mention that other mixnets are out there too, although they behave very differently than Tor.
  3. Misconfiguration is a huge issue. DNS leaks are quite common for example. Kill switches and IPv6 leaks might deserve a cameo mention as well.

Don't let that nitpicking fool you - this post is a terrific help for anyone concerned with online security and privacy!
