Transport Layer Security Is Not A Substitute For Virtual Private Networks
First off, I do realize that the article title is somewhat provocative and a contentiously unpopular opinion amongst the information security audience. But honestly, I couldn’t care less about such trivial matters. I am not in this for popularity as I have stated many times before. My interest is in information security and privacy, or rather the general lack thereof for both on the Internet.
**Please allow me to explain before judging too quickly, however. I am not some VPN fanboy who is tech-illiterate. I have worked in information security for approximately two and a half decades and know a thing or two about network security that I picked up along the way. That being said, experience or the amount of social media account followers one has doesn’t make someone more right or wrong. Ultimately, you have to weigh the information presented and make your own decision.**
VPN as a privacy technology is useful if properly configured and implemented. This is seldom the case, though, and on that point I agree with many other security experts. There are a lot of scam VPN products out there now. However, where I differ from other security experts is that I take issue with folks who spread Fear, Uncertainty, and Doubt (colloquially referred to as FUD) about VPN technologies as being unnecessary or somehow bad.
In general, there is an abundance of evidence to support the fact that many VPN providers aren’t being honest about their products’ capabilities and are scamming customers (Ikram, et al., 2016). Does that mean that the entire VPN technology is bunk and should not be used at all? No! Absolutely not. To quote an old saying, “Don’t throw the baby out with the bathwater.” The same goes for all the bad hype you may have heard or seen spewing from security experts espousing the virtues of TLS as being good enough to forego paid VPN services.
Do you like to access the Internet from public Wi-Fi access points? If so, you’re not alone. Many, many people do this every day, in fact. That urge to check their favorite social media platform is just too great to be left unchecked for hours and hours while they’re out and about running errands and living their lives.
Some of you have probably heard the typical and tired refrains of “VPNs Do Not Provide Security,” “VPNs are a waste of money,” “They don’t offer privacy because they log your browsing,” etc., etc. Well, folks, I agree with some of that advice but not all of it. I believe that there are situations in which it is beneficial to use a VPN over the security and confidentiality afforded through the use of HTTPS and the Transport Layer Security (TLS) protocol that is used to provide data-in-transit security. But first, let’s look at what a VPN really is.
What is a Virtual Private Network?
Plain and simple-like, a VPN is nothing more than a technology that was created to provide an encrypted point-to-point tunnel for your Internet traffic. There is absolutely nothing wrong with VPN as a technology. The problem comes with how it is being implemented. This is often the part that gets severely screwed up or is just lied about entirely depending on the trustworthiness of the VPN service provider.
Essentially, a VPN obfuscates the true IP address of your computer or mobile device that is connecting to the Internet and encrypts your Internet traffic while routing it through a proxy server tunnel which masks your real IP address and presents you to the Internet as a different IP address. This can be very useful for accessing information, media, or websites that might be geographically restricted or banned by a government/regime.
Don’t confuse VPNs with The Onion Router (Tor) browser, which allows for accessing the Dark Web and also uses layers of proxy servers to provide anonymity but, much like a VPN, does not afford perfect anonymity. VPNs and Tor are different technologies but serve similar purposes.
What a VPN is Not
VPNs are not 100% secure or perfect when it comes to privacy and as several security experts have mentioned, some VPN service providers are less than ethical when it comes to sharing browser activity logs or improperly configuring the VPN to begin with. As long as you understand these risks and try your best to choose a trustworthy VPN service provider (HINT: not a free one!) then you’re doing something security professionals and businesses have to do every day. You’re accepting risk.
It’s okay. Life goes on. These types of tradeoffs happen constantly in life and this is a no-brainer unlike having to choose between paying your electric bill and buying groceries.
Internet Protocol Acronym Soup
HTTP, HTTPS, TLS, and DNS are a bunch of networking acronyms that many people who use the Internet couldn’t care less about even though they probably should. These Internet protocols are how the Internet works, simply put. Interpreting what is going on behind the scenes is where Information Technology (IT) and IT Security (ITSec) geeks like yours truly come into play. We are the folks who study, learn, implement, and try to improve these technologies for the good of everyone and the Internet. The intent of this section is just to briefly touch upon some of the salient protocols and not to get too deep into the weeds with explanations and histories of each protocol.
HyperText Transfer Protocol (HTTP) “is the underlying protocol used by the World Wide Web and this protocol defines how messages are formatted and transmitted, and what actions Web servers and browsers should take in response to various commands” (Beal, 2019). Originally introduced by Tim Berners-Lee in 1991, HTTP was “simplistically designed for file transfer functionality, index searching, format negotiation [between different servers, browsers, and clients], and address referral of the client to other servers” (Grigorik, 2013).
HyperText Transfer Protocol Secure (HTTPS) is an improved version of HTTP that adds more security, and the entire Internet is moving to it, albeit rather slowly. Whereas HTTP sent transmitted data in clear or plain text, which was poor for the privacy of passwords and sensitive information, HTTPS was specifically designed to provide encryption of data-in-transit and uses digital certificates that are verified by the browser you use to connect to a particular website (Hoffman, 2018). You’re trusting, though, that the Certificate Authority (CA) that issued the certificate to the website has properly vetted the website and that it is safe to visit, which we have learned numerous times is not always the case.
HTTPS prevents Internet Service Providers (ISPs) like Verizon, Time Warner, Comcast, and AT&T from tampering with webpages and injecting cookies to track your browsing history, and it masks which pages you’ve viewed. The ISP still knows that you visited Victoria’s Secret or, rather www.victoriassecret.com [i.e., the Domain Name Service-DNS equivalent of 188.8.131.52], but they won’t be able to track which links you clicked on or which webpages on the website you visited unless they have infected your Internet browser with cookies that track that sort of data and communicate it back to the ISP. ISPs will sometimes collect such third-party data and sell it to marketers and advertisers. Initiatives such as HTTPS Everywhere and the Let’s Encrypt project are helping to move the entire Internet in the right direction towards a more secure Internet.
Transport Layer Security (TLS) is the replacement for the Secure Sockets Layer (SSL) protocol created by Netscape to provide encryption for sensitive customer data at the Application Layer (Layer 7) of the Open Systems Interconnection (OSI) Reference Model. SSL was proprietary to Netscape, so with RFC 2246 the Internet Engineering Task Force (IETF) created TLS 1.0 in January 1999 (Grigorik, 2013). TLS rides on top of Transmission Control Protocol (TCP) in Layer 4 (Transport Layer). It has since evolved to the latest version, TLS 1.3, published in August 2018, and has been adapted to ride over User Datagram Protocol (UDP) as well.
The advantages of using TLS for data-in-transit are that it provides “encryption, authentication, and data integrity” with something called “perfect forward secrecy” or PFS (Grigorik, 2013). But what does all this mean? It means when you press the Enter key that your data is encrypted before it is sent across the network using Advanced Encryption Standard (AES) symmetric cryptography (i.e., the Diffie-Hellman key exchange); that the data cannot be altered en route; and the protocol will authenticate website certificates to ensure they are valid before relaying the data being transmitted over the wire. This is awesome, right? I think so, but here’s the catch.
As great as TLS version 1.3 is, that little padlock in the far left of the URL field does not exactly mean what you think it does. Digital certificates can be faked or compromised as we’ve seen with Comodo back in 2011 among others.
SSL/TLS Attacks, Part 3: Who's at Risk from Compromised Digital Certificates? - Security Boulevard
This has very little to do with VPNs though, I get that. My point is only to illustrate that this system of HTTPS with TLS is still vulnerable to attack. There will never be a perfect solution when it comes to security; we are forced to settle on “good enough” security such as in the case of “Pretty Good Privacy” (PGP) encryption for email. It is not perfect either, but it is pretty good nevertheless. This leads into my next point involving the utility of Virtual Private Networks.
The Utility of VPNs
VPN services help people circumvent censorship in certain parts of the world, ok, yes, and for your Netflix viewing habits, too. If you’ve ever used a VPN, then you can appreciate the privacy it affords.
Listed below are the main benefits that VPN technology provides but there are surely other uses as well:
- Securely accessing your personal and corporate networks while traveling
- Cloaking your Web browsing activity from your ISP or local network
- Protecting yourself from Man-in-the-Middle (MiTM) attacks that can snoop on you while using public Wi-Fi hotspots at the local Starbucks as you check the Internet on your mobile device or work on your laptop
- Accessing audio/video Web content and bypassing government-censored information that may be geographically restricted (e.g., Netflix, YouTube, Hulu) from wherever you’re physically located in the world
- Downloading torrent files that may otherwise be restricted, or severely throttled by ISPs
VPNs are certainly not perfect by any stretch and some are better than others, but they are still an important technology for protecting browser activity and bypassing certain Internet restrictions. To cast them aside as irrelevant or fundamentally flawed is both foolish and shortsighted.
Connecting to a Public Wi-Fi (Hotel, Airport, Coffee Shop, Cons)
It is safer to use a VPN to connect to public Wi-Fi access points or hotspots as one would typically find at a mall, coffee shop, airport, or at hotels. This will not make you anonymous, but it will protect your browsing activity from your device to the website you’re visiting. The risk you are trying to mitigate is known as a Man-in-The-Middle (MiTM) attack whereby an attacker can set up a fake wireless access point (WAP) at a coffee shop for example and trick users into connecting to it.
Transparency & Legislation is Desperately Needed
VPN providers need to open the curtain and show users what is going on behind it. One method for achieving at least a sense of transparency would be to require regular auditing of VPN providers, holding them accountable for false “Military-grade encryption” and “No Logging” claims and reassuring customers that they are getting what they are paying for. As a society, we should push for legislation that requires ISPs, including VPN service providers, to become more transparent.
Set Up Your Own VPN Server
It is possible to set up your own VPN server if you’re technically savvy and this is much cheaper than paying a monthly subscription after you pay for the initial setup costs. You also gain the peace of mind that your browsing activity is not being logged by anyone but you. But guess what, if you’re doing illegal shit then law enforcement will break your door down and seize your VPN server logs so there’s that… Here is a nice article that explains how to set up your own VPN server using Algo VPN:
How to Deploy Your Own Algo VPN Server in the DigitalOcean Cloud
It is important to note that VPNs do not provide perfect privacy; you need to know and understand that. That said, they can be very useful given the right implementation and realistic user expectations.
Have a look at privacytools.io which has a lot of good info for those of you who are privacy-inclined individuals. Also, “That One Privacy Guy” has a great VPN comparison chart that is kept up-to-date here:
Welcome to the VPN Comparison! This section is meant to be a resource to those who value their privacy, specifically…
For specific VPN provider recommendations, I recommend using either Avast SecureLine VPN or ProtonVPN at the moment. Also, if you’re interested in learning more about online privacy, or the lack thereof, you might enjoy this series I wrote called Becoming Virtually Untraceable.
Un-Helpful FUD Chatterbots
Watch out for the so-called security researchers and “cybersecurity experts” who spread FUD about how insecure VPNs are for all types of reasons, many of which are completely unsubstantiated. I won’t name anyone in particular that I’ve had encounters with, but they know who they are. Let’s stop the silliness, shall we? Educate yourselves. VPNs are not inherently flawed, it’s several vendors that aren’t trustworthy. We can argue about the effectiveness of VPNs all day long but in the end, as security and technology professionals, we should not be telling general users of internet-connected devices that they shouldn’t use a VPN. They shouldn’t use shitty VPNs that are insecure and collect/sell your browser history, but how does the average user know the difference? We give our recommendations that are based on actual testing and analysis. TLS is no replacement for a VPN and not every VPN provider is corruptly collecting and selling your online browsing data. Some are but that isn’t the norm.
The bottom line is that there are those who will try to use their social media influence (i.e., follower count) to dissuade people from certain technologies for whatever self-deemed valid reasons which have not been weighed against the overall good that a particular technology may provide, IoT devices notwithstanding. VPNs are one of these areas where there is a lot of FUD and misinformation. Sure, they can be improved immensely, but that doesn’t mean that people should flat-out stop using them. Instead of shitting on VPNs in general, how about using those big brains and expert knowledge for actual good by assessing VPN services and providing reports and recommendations to average users on which ones look good or which ones to avoid as some have already done. We need more positivity and usefulness from the InfoSec community instead of “Hey everyone! Look at this new vulnerability I found! These guys suck so bad…” I’m so done with that. These are the people giving infosec a bad reputation. It’s easy to point out flaws in technology, but so much more difficult to provide feasible solutions and actually work with providers to improve security.
That’s all for now folks. Don’t believe everything you read or hear. There is usually more to the story than is being let on and there is obviously still a lot of disagreement and misunderstanding on what VPN technology is and what its usefulness is. Try not to be the moron in the equation, do your homework first before opening your mouth on social media.
Beal, V. (2019). HTTP — HyperText Transfer Protocol. Retrieved from https://www.webopedia.com/TERM/H/HTTP.html
Grigorik, I. (2013). Networking 101. O’Reilly Media, Inc. Retrieved from https://hpbn.co/brief-history-of-http/
Hoffman, C. (2018, October 15). What is HTTPS, and Why Should I Care? Retrieved from https://www.howtogeek.com/181767/htg-explains-what-is-https-and-why-should-i-care/
Ikram, M., Vallina-Rodriguez, N., Seneviratne, S., Kaafar, M. A., & Paxson, V. (2016). An Analysis of the Privacy and Security Risks of Android VPN Permission-enabled Apps. Proceedings of the 2016 ACM on Internet Measurement Conference — IMC 16. doi:10.1145/2987443.2987471