How, why and whether to enter the new VPN war zone
Thu 25 Jun 2015
A Virtual Private Network (VPN) is not an easy concept to understand or, once understood, to explain. The name is far from self-explanatory, and renaming it to something more approximate to what it is most popularly used for these days – such as ‘Online Country Changer’ – does not respect, for instance, the legitimate ways that businesses use VPNs – often to connect to locations only ten feet away.
In attempting to describe what a country-spanning VPN does, I recently resorted to the metaphor of having one’s windows replaced so that they provide a view of a different country than the one in which they’re actually situated. It’s not a bad metaphor, but I could tell from the response that I was still describing something ‘indistinguishable from magic’; something, perhaps, only available to 300-pound basement-dwelling darknet geeks who deal with the internet exclusively from a Linux command line.
Consider instead that the cable connecting your computer to the internet is probably about six feet long, more or less – even if you’re using Wi-Fi, since your router has to run a wire into the wall.
Now imagine (assuming you are in the UK) that the cable is 3000 miles long and doesn’t start connecting to the internet until it reaches, say, New York.
VPNs speed all your network requests through a secured and (usually) encrypted tunnel which terminates at a server physically located in the target country, and that’s where all your browsing will be seen to be done from.
While using a VPN, your ISP has no access to any of your browsing activity, and sees only a single encrypted connection. The ISP is very likely to know that it’s a VPN connection, despite the encryption, since it is charged with delivering the network packets to the VPN provider over a range of ports that are typically used by VPN services. Additionally the terminating IP address may be one known to be in use by a VPN provider. But that’s all the ISP can know about a VPN-user’s activity.
Business use of VPNs
In business-case use of Virtual Private Networks, the distances traversed can be significantly less than intercontinental – as little as the next office along. A company’s Human Resources department contains such sensitive information that its network is often walled off from the company’s intranet to defend it against general network attacks and potential data breaches. Since authorised users outside HR’s walled garden will still occasionally need access to it, this can be facilitated by a remote access VPN connection, for maximum security.
Site-to-Site VPN Connections are also used to create common company or corporate intranets even when the disparate departments are in different geographical locations.
VPN security protocols and Multihop routing
VPNs have various – and variously criticised – methods of security, starting at ‘none’. One of the oldest is Point-to-Point Tunnelling Protocol (PPTP), instituted by Microsoft in the days of Windows 95. A PPTP connection is unencrypted in itself, simply creating a tunnel and wrapping the data sent, with encryption handled by TCP or GRE. Despite its age and flaws, the ubiquity of the protocol – accountable to who created and diffused it – retains its place in the business market.
Better VPN security is provided by Transport Layer Security (TLS) and Secure Sockets Layer (SSL), which generate security-certificate-based parameters at the start (‘handshake’) of the connection. Thus the two entities connecting swap valid certificates with each other and establish mutual trust until end-of-session.
IP security (IPSec) is often used as an additional measure along with other security protocols. As with PPTP, its support by Microsoft, notably regarding its integration with the Active Directory service, secures its place even as a secondary protocol, and it’s most frequently found in a Layer 2 Tunnelling Protocol (L2TP) connection, where it handles the burden of encryption whilst housed in a superior tunnelling architecture than it can itself generate.
VPNs which offer ‘multihop’ routing provide an additional layer of anonymity to the end-user by attaching a different IP address to the user’s activity than the one in which they entered the VPN network. This does not mean that entities you connect to won’t necessarily know that you’re using a VPN, since all IP addresses in use by the providing company may well have been identified as such at any time; but it does mean that your own ISP can provide absolutely no clue where you went after you left the ‘last-known’ IP address it saw you disappearing into. It’s the digital equivalent of ‘losing a tail’ at the lights.
Negatively, sending one VPN connection to another in this way can have a deleterious effect on latency, something which Tor users (see below) must contend with, as the Onion Router network ‘hops’ them multiple times around Tor nodes (and IP addresses) in order to obfuscate their online tracks.
Can you trust your VPN provider?
Since a significant portion of potential customers are interested, for whatever reason, in securing anonymity online, VPN providers frequently claim to offer ‘logless’ browsing. With several qualifications, this isn’t completely possible, particularly if the provider is furnishing a DNS service – and most especially if it is watching your bandwidth consumption, since ‘data caps’ are completely impossible without log-files.
Anyone who has ever delved into web-centric servers and OSes such as CentOS knows the enormous extent to which logs are generated by default for practically all network actions; even if one restricts the output or later deletes it, the very least a VPN provider has to do is to know that you are using the service, because it has to assign you to an IP address. Since that IP address communicates with other services that likely have zero commitment to log-deletion, it is not possible to guarantee ‘anonymous browsing’ at all times, even where the VPN provider is honouring their commitment to a ‘zero knowledge’ service.
It has been noted that various VPN providers’ promises are frequently at odds, to a greater or lesser extent, with their terms and conditions, offering ‘anonymous surfing’ whilst explicitly stating in the SLA that they will respond to instances, for example, of copyright infringement by cancelling the user’s account – which effectively makes the provider an ISP once-removed.
In 2011 popular UK-based web proxy HideMyAss cooperated with a court order demanding information on a suspected member of the LulzSec hacking team, and was in possession of perfectly adequate records to secure an arrest for the target.
This year TorrentFreak published a list of 53 VPN providers that responded to the site’s questions about what information they log and keep, and it is interesting to note how many of these have ‘internal procedures’ for complaints against the service which would seem to defy the companies’ avowal of amnesia.
Installing a VPN, and falling foul of ‘migrated’ online identity
I use a VPN myself, provided by a company called Private Internet Access (there’s no endorsement intended, though I am not generally unhappy with the service provided – it is simply the only VPN to date that I have ever personally arranged for myself). Costing £25 a year, the installation is provided, to Mac users at least, via a mountable DMG file which installs the software and later provides a drop-down menu by which one can select a ‘country of apparent residence’.
One’s earliest days in VPN-land are fraught with anomalies. Some of them are quite alarming, such as accidentally attempting to log in to your online banking ‘from America’ when your bank knows that you withdrew £20 from a cash machine in London only two hours ago. That kind of thing, be warned, can get your cards frozen.
Automated web services will feed you content based on your apparent IP address, which obviously is going to be associated with the country you chose to browse from. Weather reports suddenly become wildly inaccurate, whilst ads amusingly begin to target a resident of your ‘adopted’ locality, and you find yourself being offered fewer bargain umbrellas and more sun-screen. Depending on your VPN provider, certain protocols may behave erratically or become unavailable; in my case I cannot use FTP whilst connected via VPN, though it is easy enough to turn the VPN off for the duration of an FTP task.
Additionally you’ll find that a whole host of your favourite sites run geographical franchises worldwide in order to leverage geo-based advertising. Hence you’ll often be redirected to a version of a favourite site that is associated with the country you chose for your VPN. Depending on which one that was, the site may not necessarily be in English any longer. On a positive note, this is an easy way to see the more robust and content-rich American versions of sites which attempt to shunt UK viewers into an ad-specific ghetto version. But we’ll return to ‘geoblocking’ shortly.
A cheap and quick way to dip one’s toe in the waters of VPN is to try out the various web-browser plugins that enable proxy surfing on a per-browser basis, such as Hola Better Internet for Google Chrome. More advanced proxy users can configure their Firefox experience with FoxyProxy, in either the standard or the less intimidating basic version. More cutting-edge Firefox users can also try out the fledgeling Free Proxy List add-on, which lets users switch between the constantly emerging free proxies available at Proxy List.
Committing to VPN
Those enamoured of VPN life can commit to it very deeply if they want. At the simplest level one can configure a VPN to run on start-up, and to disconnect the computer from the internet whenever the VPN connection itself is shut down. Negatively this gives you nowhere to go if the VPN service itself should succumb to technical difficulties temporarily, and may cause some confusion as to whether the VPN or your ISP’s connectivity is at fault in the event of an outage.
That notwithstanding, you can go even further and configure your router to connect via a VPN by default. This is a marginal practice, but gives the advantage of supplying the security of a Virtual Private Network to any network-enabled device – such as smartphones, consoles or IoT devices – which accesses the internet via Wi-Fi.
DD-WRT provides a Linux-based open source router firmware framework through which you can truly take charge of a consumer-level router, configuring it to connect to your VPN provider by default. This involves flashing the factory firmware on a device that is not necessarily inexpensive, and needs to be approached with a sensible level of research and preparation. Broadcom-based routers can also be similarly mastered with Tomato’s slightly scary firmware replacement.
Committing to VPN connectivity to this degree is likely to be undertaken more for reasons of online security than geographical flexibility, since most users will need to be identified as resident in their own country in order to use banking services and local services which employ geoblocking (such as BBC’s iPlayer, for UK residents), among others. That said, there’s no technical reason not to launch a second, country-specific VPN connection on top of a same-country VPN tunnel for those occasions where you want to browse from a specific geo-locale for a while. However, latency is likely to be something of an issue in these circumstances – perhaps a chronic one if using Tor on top of all this.
VPNs in the news
VPN uptake at a consumer level is becoming a ‘war zone’ because issues about its use are commingled with The State’s current determination that a secure internet not prevent legitimate state authorities from gaining access to information about individuals who may be the subject of its investigations.
In Australia the Copyright Amendment (Online Infringement) Bill 2015 is thought by many privacy advocates to be an opportunity for the government to criminalise VPNs, despite rumours of an amendment that may exclude Virtual Private Networks from the scope of the act. But Australia is currently in the vanguard of pro-security legislation which does affect VPN services, and instructed Australian ISPs in April to stop offering VPN services, on the basis that they were being used to circumvent geo-blocking (of which, more below). The last few holdouts against this proscription have just crumbled.
Though the Tor foundation itself recommends the use of a VPN as an additional safeguard for users, some of the countries where confidentiality are most critical either block, attempt to block or monitor (or attempt to monitor) encrypted protocol tunnelling – such as Iran, periodically.
Russia is taking an increasingly aggressive stance against VPN usage, at least as it applies to the general public, and has even actively blocked a website that provided information about VPN blockades in Russia, and also provided advice on installing VPNs. Though privacy advocates wonder if Russia will really be able to block ‘unauthorised’ VPNs, the Russian administration has committed itself to trying.
VPNs in the firing line over geoblocking and regional licensing
Since the entire world economy is currently predicated on the different traction between national currencies, and since global businesses have to accommodate their prices to the consumer potential of individual economies, it isn’t surprising that VPNs, with their ability to level this playing field and at least partially circumvent regional restrictions, are becoming increasingly controversial as they apparently emerge from the edge into the mainstream. In 2013 Electronic Frontier Foundation member and privacy advocate Nick Pearson wrote in the Washington Post that his online privacy platform IVPN had seen a 56% upsurge in VPN sales in the wake of the Edward Snowden revelations.
Interestingly Google searches for ‘VPN’ were actually in decline for a long time before Snowden, and the opaque nature of the subject has not affected the search results trend for the term as much as some have estimated.
However this provides no information in itself about VPN uptake, whilst a similar look at the term ‘download Tor’ indicates a decided upward swing for the ‘secure’ browser that was originally invented to protect U.S. espionage operatives and their contacts around the world, and which in itself constitutes a VPN of sorts – albeit not quite as secure as many once imagined.
Imagined or not, VPN usage as related to the circumvention of geo-restrictions has come into unusual focus in the last two years.
A fresh Wikileaks dump of the emails harvested by hackers in late 2015 has recently revealed that Sony Pictures lobbied online streaming provider Netflix to tighten up its famously relaxed stance on the numerous (subscribed and paying) users who employ VPNs to access Netflix territories outside their own. Sony Pictures’ president of Distribution Keith Le Goy wrote in one of the highlighted mails: “We have asked Netflix to take steps to more closely monitor circumvention websites, and to restrict methods of payment to more clearly weed out subscribers signing up for the service illegally. This is in effect another form of piracy — one semi-sanctioned by Netflix, since they are getting paid by subscribers in territories where Netflix does not have the rights to sell our content,”
Since the U.S. version of Netflix has considerably more content than any of its continental annexes around the world, and since many of its customers are presumably only paying for the service because they can ‘work around’ regional restrictions in this way, the prospect of Netflix banning VPN geo-dodgers would be a major company decision affecting profitability.
VPN usage to address ‘net neutrality’ speed-bumps
One interesting use for a VPN is to circumvent protocol-based traffic-throttling by your ISP, particularly if you’re using Verizon to watch video streaming services such as Netflix in the United States. Since all the protocols and ports you’re using are hidden from your ISP whilst using a VPN, it can’t throttle Netflix or Hulu, because it doesn’t know for sure that you’re using these services. Likewise neither can the use of BitTorrent be individuated, blocked or logged. In the case of Hulu, however, that won’t be the last of your hurdles, since it retains a far more aggressive attitude to off-country VPN stowaways than Netflix currently does.