Lately VPN has been in the spotlight. On one side, as a measure to protect itself upon attempts of espionage: are encrypted tunnels (in most cases) that keep someone from knowing what we are looking on Internet if, for example, we connect to public WiFi networks or we do not trust our ISP.
Unfortunately, and as usually happens in computing, they are not infallible. We have a sample in the failure we’ve seen this week that affected Firefox and Chrome, and that revealed the real IP of the user through RTC. And it’s not the only one.
How does a VPN work?
A VPN it’s a little like a Portal: instead of going out through the door of your room, you open a portal and walk out the door of another site.
The first thing is to see how a VPN works underneath (Virtual Private Network). The idea is that you can connect to a network in any part of the world as if you were physically there. The difference is that instead of connecting with an Ethernet cable or by Wifi, you do it using a kind of “tunnel”.
When you are connected to the VPN and you want to see a page, your system will encapsulate the request and will send it through Internet to your VPN provider. The provider will decapsulate this data, they follow their normal course as if you were physically connected to that network: will go out from the network router of the provider, and the answer will reach that same network that afterwards will send back to you the package. In this way, and the site to which you connect wont know your actual location, and as well no one else than you and your provider of VPN will know what pages you are visiting.
Down under, the VPN networks can use several protocols to mount that tunnel, normally encrypted. In this way, your information will be protected from your computer to the private network (unless you use PPTP, that is generally considered unsafe since it is used along with unsafe algorithms of encryption, as MS-CHAP v1/2).
Can VPN fail?
As I said before, VPN may use different protocols to transfer the data from your computer to the VPN provider – in other words, tunnel protocols. And, as always those protocols may fail. For example, VPN based on SSL/TLS may have been affected by Heartbleed, or the ones bases on SSH by the generator failure of Debian codes in 2008.
The situation doesn’t stop there: there were failures in more specific protocols of VPN, like the Microsoft mess with its implementation of PPTP. And lets not talk about the NSA, that according to the last leakages is capable of decrypt 20% of the VPN connections it detects, and even more for a matter of capacity of process that by the security itself of the VPN.
Besides, VPN can also be vulnerable using the interface chair-keyboard or, in other words, the user: easy to guess passwords, bad configurations that open the door to other attacks…
There are also failures that are not specific from the VPN but they affect the privacy of the user. On one side, attacks like the one we were talking about in the beginning of WebRTC: the attacker finds some way of not going through the VPN and get the real IP from the user. On the other side, programs that “filter” information and allow to identify yourself (for example, with techniques as canvas fingerprinting).
And your VPN provider?
Now, something a little more simple that may affect your privacy when you use a VPN: your provider. There is no point in using the safest protocols of the world if then your provider controls you and keeps records with the sites to which you access and when you do it.
It wont be no good either if it’s a provider in a country in which the government (or government agencies, ejem, NSA, ejem) can force you to save all your traffic to then analyze it. In TorrentFreak they have a comparison in which you can see how the VPN explains its privacy and the measures it takes to protect it.
As we said in the title, although the VPN networks are still safe (as far as you use safe protocols and providers that secure our privacy) and enough for 99% of the cases, are not infallible.
Read More:
Best VPN for Gaming