Serious Security: Understanding the ‘P’ in ‘VPN’


A concerned Naked Security reader called Greg recently asked us to say a few words about Virtual Private Networks, or VPNs.

You’ll see why he was concerned in a moment.

Typically, you use a VPN as a way to “re-source” your network traffic from some unpredictable remote location – one that you don’t and can’t control – onto your home network.

To do that, you encrypt all the network packets on your laptop or mobile device, and tunnel them back to your home or office using the internet merely as a conduit.

There, you decrypt them and then send them out as regular internet traffic, just as though you were sitting at home or in the office.

The other end sees your traffic as though it came from the office network, and replies to you there.

Those replies are then encrypted by the office end of the VPN (even if they are already encrypted, for example because you’re visiting an HTTPS web page) and tunnelled back to you.

And your device decrypts them as though the last, untrustworthy hops from office to, say, coffee shop never happened.

Pros and cons of VPNs

The disadvantages are obvious, though not as dramatic as you might think.

Firstly, you have to wait for the ends of the VPN tunnel to synchronise with each other every time you go back online, in addition to waiting for your mobile phone to find and connect to a Wi-Fi or cellular network.

This typically adds only a few seconds, but impatient road-warriors may find it irritating, and security will get the blame.

Secondly, especially if you are overseas, browser packets between, say, your phone in Santa Clara and a nearby server in Mountain View may end up travelling via, say, France and back, twice. (One intercontinental detour for the requests, and a second one for the replies.)

But the advantages generally outweigh the downsides: you are no less secure than you would be at work, and you largely neutralise the risk to your data posed by unknown, sniffable, possibly-hacked Wi-Fi access points.

That means you can take advantage of free Wi-Fi at coffee shops while you are on the road, instead of using your mobile connection at expensive roaming rates.

That, in a nutshell, is a VPN-for-security.

Other reasons for a VPN

But there are other reasons people seek out VPNs, namely the ability to emerge onto the internet from somewhere else.

Firstly, you’re covering your tracks, or at least it feels as though you are.

Secondly, by pretending to be in another country, you can bypass those pesky geoblockers that stop you watching content that isn’t licensed for viewing in your part of the world.

And that, in another nutshell, is a VPN-for-obscurity.

What concerned our reader Greg is that it seems as though some people confuse the two sorts of VPN.

More specifically, many people seem to be assuming, wrongly, that VPNs built primarily for location-changing purposes are also, ipso facto, good for security, privacy and anonymity.

Not always secure

The recent story of Hola, a free VPN that helps you appear to be somewhere else, is a good reminder why this isn’t the case.

Hola certainly isn’t Tor (The Onion Router), which was created by the United States Naval Research Laboratory with the specific goal of helping its users towards privacy and anonymity online.

In Tor, your traffic is bounced around along an unpredictable, changeable path, getting encrypted and re-encrypted along the way so that each node in the path can tell only where the incoming packet came from, and where it should send it as its next hop.

You can use Tor without participating in the anonymising parts of the network, and you can participate in the anonymisation without being what’s known as an exit node.

Exit nodes are where the final decrypted content emerges onto the internet, and therefore the place where people trying to track traffic back will first look.

→ Tor isn’t a panacea, of course. Your traffic is only concealed and anonymised until it reaches the exit node, so a treacherous exit node can spy on all the traffic that emerges through it.
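As an added illustration, not part of the original article and not Tor’s own code, here is a toy onion-layering walk-through in Python that shows why each relay learns only its neighbours while the exit alone sees the cleartext. The HMAC-based keystream, the relay names and the per-hop keys are all constructed for the demo; they are not Tor’s real cipher or handshake.

```python
import hashlib
import hmac
import json

# Toy keystream cipher (HMAC-SHA256 in counter mode), for illustration only.
# Tor uses AES-CTR with keys negotiated hop by hop; this only shows the layering.
def _xor_keystream(key: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def build_onion(path: list, keys: dict, payload: bytes) -> bytes:
    """Client side: wrap innermost-first. The exit's layer is built first and
    each earlier relay's layer (carrying only the next-hop name) goes around it."""
    blob = _xor_keystream(keys[path[-1]],
                          json.dumps({"next": None, "data": payload.hex()}).encode())
    for i in range(len(path) - 2, -1, -1):
        inner = {"next": path[i + 1], "data": blob.hex()}
        blob = _xor_keystream(keys[path[i]], json.dumps(inner).encode())
    return blob

def relay_peel(key: bytes, blob: bytes):
    """One relay strips its own layer: it learns the next hop (None at the exit)
    and gets an opaque inner blob it cannot read, because that layer is under a
    key it does not hold."""
    layer = json.loads(_xor_keystream(key, blob))
    return layer["next"], bytes.fromhex(layer["data"])

def route(path: list, keys: dict, payload: bytes):
    """Walk the circuit. Returns each relay's view (its name, previous hop,
    next hop) plus the plaintext that finally emerges at the exit."""
    views, blob, prev = [], build_onion(path, keys, payload), "CLIENT"
    for hop in path:
        nxt, blob = relay_peel(keys[hop], blob)
        views.append((hop, prev, nxt))   # everything this relay learns of the route
        prev = hop
    return views, blob

# Constructed demo circuit: three relays and the per-hop keys the client shares.
PATH = ["guard", "middle", "exit"]
KEYS = {hop: hashlib.sha256(b"demo-key-" + hop.encode()).digest() for hop in PATH}

if __name__ == "__main__":
    views, plaintext = route(PATH, KEYS, b"GET / HTTP/1.1")
    for hop, prev, nxt in views:
        print(f"{hop}: from {prev} -> to {nxt if nxt else 'the open internet'}")
    print("exit node emits:", plaintext)   # the exit alone sees the cleartext
```

The printed views make the caveat above concrete: the guard knows the client but not the exit, the middle knows neither, and the exit sees the request in clear but not who sent it.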

Obscurity without security

VPNs like Hola are more about disguising your apparent location than keeping your traffic away from eavesdroppers.

As Hola’s elevator pitch on Google puts it:

Access sites censored in your country and accelerate your Internet with Hola – Free!

Or, on Bing:

Hola is a peer to peer network that provides everyone on the planet with freedom to access all of the Web! It works through the community of its users.

The important part here is that bit about working “through the community of users.”

The free version of Hola isn’t like Tor: you can’t use it to disguise your own traffic without also being part of the community that disguises traffic for other people.

In other words, if you’re using Hola to watch video episodes that you shouldn’t, by pretending to be someone in Sydney, Caracas or Minsk, then you have to reciprocate.

So, other users in Auckland, São Paulo or Kiev might be using your computer as the apparent network source for anything they fancy, even if that’s surfing for porn or controlling a botnet.

Understanding the cost of free

In fact, with Hola, you’re not merely reciprocating by providing location-fudging bandwidth for others who are helping you to fudge your own location.

There are two commercial parts of Hola.

There’s a fee that regular users can pay (currently US$5/month) in order to use the VPN without carrying traffic for anyone else.

There’s also a sister service called Luminati, whereby a business can buy bandwidth on the Hola VPN – bandwidth that the free users provide.

So you’re not only stuck with being the source of other people’s traffic, but also stuck with paying for their bandwidth, including business traffic.

And with Luminati advertising that its service offers commercial users “unlimited requests and parallel sessions to optimise your throughput,” it’s hard to know how onerous those bandwidth charges might be, especially if you’re using a mobile network.

The bottom line on VPNs

Simply put: VPN is not shorthand for secure internet connection.

The “private” in “virtual private network” means nothing more than that the VPN provides a connection that can be made to behave as though you had a direct hookup to your destination network.

In other words, a VPN is implicitly private more in the sense that your family car is classed as a Private/Light Goods vehicle than in the sense of private-as-in-privacy.

Having said that, VPNs can be excellent tools to improve your privacy, anonymity and secrecy, but you don’t get those features automatically just from the P in VPN.

Look before you leap!

Sophos UTM Home Edition

Would you like to run your own VPN-for-security at home, and boost your resilience to man-in-the-middle attacks and coffee-shop snoops?

Try our award winning UTM.

The Home Edition includes all the Sophos UTM features: you get the VPN, as well as email scanning, web filtering, web application security, and everything you need to keep up to 50 devices on your home network secure, 100% free for home use.

If you live in a shared house, or you have children to look out for online, this could be just the product you need.

Better yet, you get 12 free licences for Sophos Anti-Virus for Windows that you can install and manage throughout your household, right from the UTM web console.


Understanding firewalls and secure gateways

Listen to our Sophos Techknow podcast, Firewalls Demystified
