Sophos Cloud Optix
Lots of people think that a VPN, short for virtual private network, is enough on its own to keep them safe and anonymous online.
If you add some sort of mostly-untraceable digital cash into the mix – a cryptocurrency such as Bitcoin or Monero, for example – then you’d be forgiven for thinking that you’re as good as invisible.
So, it’s easy to assume that VPN + cryptocoins == private && secure.
But VPNs and cryptocoins only go so far in keeping cybercrooks and other undesirables out of your online life, and here’s why.
Simply put, a VPN encrypts your network traffic – every data packet, not just your web browsing or email – and transports it to a server somewhere else on the internet.
That server then strips off the encryption and sends your data on its way, as if it had originated from the VPN operator’s network, not from your phone or your laptop.
Let’s be very clear about this: the other end of the VPN is not the terminus of the journey that your packets will take to the servers you want to access – the VPN just makes your traffic seem to have started out from somewhere else.
A VPN hosted at home or in your company network, for example, doesn’t magically add more security than you’d have at home or at work, it just makes sure that there isn’t any less security while you’re out and about on other people’s networks.
In other words, a VPN doesn’t inevitably make you more secure, and if the VPN operator is sloppy, or incompetent, or perhaps even crooked, your privacy and anonymity could very well end up worse than it was before.
After all, your VPN provider sees all of your traffic, exactly as it went into the network card in your laptop or mobile phone.
MyEtherWallet meets Hola
A security lapse by a VPN operator can therefore be very worrying news indeed, and that’s what popular online cybercurrency wallet service MyEtherWallet (MEW) is warning about right now:
Urgent! If you have Hola chrome extension installed and used MEW within the last 24 hrs, please transfer your funds immediately to a brand new account!
— MyEtherWallet | MEW (@myetherwallet) July 10, 2018
(This is a a similar idea to getting a replacement payment card after getting skimmed: if you invalidate your old account numbers, they’re no longer any use to anyone, including cybercrooks.)
Hola is a free VPN that essentially shares out participating users’ browser connections out amongst the community in order to get around geoblocks.
For example, if you’re in Canada, trying to watch a TV show that’s only available in France, your traffic might end up redirected through a fellow user’s computer in Paris.
At the same time, your North American connection might be helping someone in Germany to get past website geoblocking intended to keep out visitors from the EU.
We don’t have any details of what went wrong, other than that crooks seems to have been watching Hola traffic specifically for MEW-related activity.
So, we don’t yet know whether any cryptocurrency traffic was compromised, but the warning is clear enough.
MEW can’t be sure that crooks didn’t get hold of enough data to plunder your cryptocoin account some time in the future…
…and is therefore advising customers to create new accounts and transfer across their own funds, thus leaving those potentially compromised accounts behind.
What to do?
If you’re a MEW-and-Hola user, the instructions on “what to do” can be found in the tweet we linked to above, but please remember that this is a story that isn’t just for the cryptocoiners amongst us.
Repeat after me:
A VPN doesn’t magically improve security. All it really does is to make your VPN provider into your new ISP – your “first hop” on the internet. That first hop is the one place where a single provider gets to see all your traffic, whether it’s encrypted or not. You need to trust your VPN provider. A lot.
Also, don’t forget that a VPN that relies on or includes a browser plugin, as in this case, can read all your private data right inside your browser before it gets encrypted.
A network-level VPN driver sees more of your traffic, but anything that’s already been encrypted, such as HTTPS traffic, can’t be unscrambled.
As Hola says on its website:
Hola gives you the freedom to browse the web without censorship and to watch videos with less buffering and faster start time.
Freedom may be a desirable quality, but it does not automatically make you more secure – ask a rhinoceros.
“TV show that’s only availabble in France” small typo.
Fixed, thanks.
Lovely explanations 👍👍
Loved this – very helpful explanation of what a VPN does and does not do. Thank you!
“someone in the Germany” another little typo..
Done, thanks.
Nice read. Another news is Proton vpn is owned by a data mining company and is using the data generated from free vpn distribution to boost its data mining.
Read it on vpnranks website and other top vpn ranking sites.
Thanks for providing a source reference.
Yes a VPN keeps you anonymous. I am writing this with a VPN, you have my permission to deanonymise me and post my real IP, good luck with that.
It may be that I’m in a “funny” mood, but when I read a couple of sentences in this piece, I thought they were saying wrong things. (TLDR: they weren’t!)
“your VPN provider sees all of your traffic, exactly as it went into the network card in your laptop or mobile phone”
“as it went into the network card” = encrypted with the VPN provider’s public key
Somewhat more significant is that the VPN provider (unlike any general eavesdropper on your network) also sees your traffic after decryption with its (the VPN provider’s) private key. (But don’t panic, it’s still protected by encryption with the target web site’s public key, assuming the web site is using SSL (https).)
I believe the simple message is that “your VPN provider sees all of your traffic, exactly as it would have gone into the network card in your laptop or mobile phone, were you not using the VPN”.
The “as if they were right there in the coffee shop with you” comparison may actually be wrong. (Or, at least, my brain’s not managing to make it seem right, at the moment.) By using the VPN, you’ve rained on the parade of any fellow caffeine addicts monitoring packets on the café’s network. However, if they’re shoulder surfing while clutching their non-recyclable paper cups, they may often have the lead on the VPN provider (unless the provider has given you a spyware browser plug-in to use, which would make him the winner, barring the customers (or staff) succeeding in doping your cappuccino with truth serum).
“That first hop is the one place where a single provider gets to see all your traffic, whether it’s encrypted or not”
To be clear: the provider will not be able to see through the encryption unless it is able to crack it. The provider sees the traffic, whether this is ciphertext or plaintext. (But jargon is only clear when you already know it!)
I may have been a bit loose with the “right there in the coffee shop”. I was not visualising them at the next table sniffing via Wi-Wi, but sitting alongside you with a sniffer connected to your network driver (which is much worse).
I’ll try to reword that, thanks.
I just removed the bit about “in the coffee shop” altogether. Didn’t really serve a purpose at all, other than raising the question, “Why mention a coffee shop.”
Normally I appreciate Paul’s work, but I just can’t on this one. I think it’s the whole “VPN doesn’t increase security” angle, which is mentioned more than once. I think we all know the truth of the matter is, a good VPN does increase your security (greatly), as James has humorously implied above. The VPN provider does have to be top-notch, of course (no-log no-subpoena policy, and not based in a “14 eyes” country) – or else you might as well not even bother with it. And a browser extension? Really? LOL Not even.
However, and getting back to the point – I’m finding the title and subject a bit like apples and oranges. VPN and crypto-currency are two very different things, and aren’t really related to each other at all. I’m actually kind of wondering why this article was even written..?
Here’s hoping Paul’s next article is more on-point – as I feel he normally does great work.
You seem to be agreeing and disagreeing with me at the same time (and I didn’t say that VPNs “don’t increase security”, I said the “don’t magically increase security”, which is not the same thing).
The subject relates (obviously enough, I thought) to the specific example in the article – crytocurrency wallet users who were using a VPN in the hope of being more sure and ended up not only being less secure but risking their cryptocurrency funds.
VPN’s core purpose is to access blocked sites. It still depend on the user on how will they manage sites using VPN. I’m using a free VPN and everything’s fine until now. Anyway, thank you for the information, I’ll keep this in mind.
This is exactly why I host my own VPN server, though the very first purpose was to access Gmail from China.