Virtual private networks (VPNs) offer many benefits, among them protecting and encrypting your traffic and unblocking regionally blocked sites. They work by setting up an encrypted tunnel between any computer, tablet or smartphone and the VPN servers of the provider. In theory, the data is encrypted and protected while it is in the tunnel, and as a result it cannot be stolen or siphoned off in transit. However, the security provided by VPNs has its own limitations.
This was clearly demonstrated in the National Security Agency (NSA) documents released by Edward Snowden. The documents showed that the NSA has a dedicated team that cracks VPN traffic and feeds it to their data-mining software. The NSA documents list over two hundred commercial VPN providers, such as CyberGhostVPN, PrivateInternetAccess (PIA), Astrill and iPredator, and also name small VPN providers. Below is an in-depth explanation of some of the security limitations of VPNs.
Is VPN Secure Enough?
When you connect to the internet, you send all your information to the VPN provider's server, which then relays your information to the internet. Your information isn't encrypted from the perspective of your VPN provider. The "secure" tunnel that runs from your smartphone, tablet or computer to the provider's server is terminated on the VPN provider's equipment, where the traffic is decapsulated.
The weakness of this system is that your VPN provider is able to view all your message traffic and knows where you're coming from and where you're going. Additionally, most VPNs are paid services, so they know the identity of the people using them, because those people have to use payment methods such as credit cards to pay for their VPN connection.
When any government or organization sends a warrant or a letter to your VPN provider, they'll be forced to turn over all your information or they'll be imprisoned. This weakness of VPNs was clearly seen in the case where the identity of the British hacker LulzSec was revealed. LulzSec had hacked the Sony PlayStation Network, and the British and U.S. governments forced the VPN service he used, "Hide My Ass", to give them their logs. "Hide My Ass" eventually turned over the data that enabled the United States authorities to find LulzSec. The hacker, whose real name is Cody Kretsinger, was then imprisoned. Four people were also arrested in the United Kingdom in relation to the activities of LulzSec. Most of them used VPNs.
Some of the other limitations and risks of VPNs include:
VPN hijacking or man-in-the-middle attacks:
I. VPN hijacking is the unauthorized takeover of a client's established VPN connection; the attacker then impersonates the client on the connected network.
II. Man-in-the-middle attacks affect the traffic sent between the communicating parties, and can include modification, interception, deletion or insertion of messages, redirecting messages, replaying old messages and reflecting messages back at the sender.
By default, VPNs don't enforce or provide strong user authentication. VPN connections should only be established by authenticated users. If the authentication isn't strong enough to prevent unauthorized access, an unauthorized party may be able to access the connected network. Most VPN implementations offer limited user authentication methods. For instance, PAP (Password Authentication Protocol), used in PPTP (Point-to-Point Tunneling Protocol), transports both the password and the user name in clear text. A third party may be able to capture this information and use it to gain access to the user's
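The PAP weakness above is visible in the packet format itself: the RFC 1334 Authenticate-Request carries the peer ID and password as plain length-prefixed bytes inside the PPP payload. The following decoder and audit routine are an added example, not code from the original article; the sample frames are constructed, not from a real capture, and a defender would run the audit over PPP payloads extracted from a PPTP/GRE trace to flag any session still using PAP.

```python
import struct

# PPP protocol number for PAP (RFC 1334) and the PAP code for Authenticate-Request.
PPP_PROTO_PAP = 0xC023
PAP_AUTH_REQUEST = 1

def parse_pap_auth_request(ppp_payload):
    """Decode a PPP payload (protocol field + data) as a PAP Authenticate-Request.
    Returns (peer_id, password) as bytes, or None if the payload is not a
    well-formed request. Nothing in the format protects either field."""
    if len(ppp_payload) < 6:
        return None
    proto, code, ident, length = struct.unpack("!HBBH", ppp_payload[:6])
    if proto != PPP_PROTO_PAP or code != PAP_AUTH_REQUEST:
        return None
    pap = ppp_payload[2:]                 # PAP packet starts after the protocol field
    if length < 6 or length > len(pap):   # header (4) + two length octets at minimum
        return None
    body = pap[4:length]
    if not body:
        return None
    peer_len = body[0]
    peer_id = body[1:1 + peer_len]
    pw_off = 1 + peer_len
    if len(peer_id) != peer_len or pw_off >= len(body):
        return None                       # truncated peer ID or missing password length
    pw_len = body[pw_off]
    password = body[pw_off + 1:pw_off + 1 + pw_len]
    if len(password) != pw_len:
        return None
    return peer_id, password

def audit_ppp_frames(frames):
    """Defender-side check: usernames whose password crossed the wire in cleartext
    PAP. The password itself is deliberately not returned or logged."""
    findings = []
    for frame in frames:
        parsed = parse_pap_auth_request(frame)
        if parsed is not None:
            findings.append(parsed[0].decode("latin-1"))
    return findings

# Constructed sample frames (not from a real capture).
# PAP Authenticate-Request: code=1, id=0x2a, length=17, peer "alice", password "s3cret".
SAMPLE_PAP_FRAME = b"\xc0\x23" + b"\x01\x2a\x00\x11" + b"\x05alice" + b"\x06s3cret"
# An LCP Configure-Request (protocol 0xC021) that the audit must ignore.
SAMPLE_LCP_FRAME = b"\xc0\x21" + b"\x01\x01\x00\x04"
```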
A connecting network may be compromised if the client's computer is infected with malware or a virus. If spyware or a virus infects the client machine, there's a chance that the password for the client's VPN connection may be leaked to the attacker.
Additionally, in an extranet or intranet VPN connection, if one of the networks is infected by a worm or virus, that worm or virus can spread to the other networks if the antivirus protection systems are not effective.
Client-side risks
The VPN client's machine may be connected to the Internet through a standard broadband connection while at the same time holding a VPN connection to a private network, using split tunneling. This can pose a risk to the network that is being connected to.
A client's machine can also be shared with other people who aren't fully aware of the security implications. Additionally, a laptop, smartphone or tablet used by a mobile user can be connected to the Internet through a wireless LAN at an airport or hotel. However, the security protection features of most of these public internet connection points are not enough for VPN access. If the VPN client's laptop, smartphone or tablet is compromised, either during or before the internet connection, this can pose a risk to the network.
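Whether a client is split-tunneled is decided by its routing table: if the default route still leaves by the broadband interface, only the prefixes explicitly routed to the tunnel are protected. The following posture check is an added example, not code from the original article; the two routing tables and the interface names (eth0, tun0) and addresses are constructed, and the check uses longest-prefix matching to report which destinations would bypass the VPN.

```python
import ipaddress

# Constructed routing tables (not taken from a real host): (prefix, egress interface).
SPLIT_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route stays on the broadband link
    ("10.0.0.0/8", "tun0"),       # only the private network's space enters the tunnel
    ("192.168.1.0/24", "eth0"),   # local LAN (home, hotel, airport)
]
FULL_TUNNEL_ROUTES = [
    ("0.0.0.0/0", "tun0"),        # everything enters the tunnel ...
    ("203.0.113.10/32", "eth0"),  # ... except the pinned route to the VPN server itself
    ("192.168.1.0/24", "eth0"),
]

def egress_interface(routes, destination):
    """Longest-prefix match: the interface a packet to `destination` leaves by."""
    dst = ipaddress.ip_address(destination)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface

def is_split_tunnel(routes, vpn_iface):
    """True when no default route, or a default route not via the VPN, is present."""
    defaults = [iface for prefix, iface in routes
                if ipaddress.ip_network(prefix, strict=False).prefixlen == 0]
    return not defaults or defaults[0] != vpn_iface

def tunnel_bypass(routes, vpn_iface, vpn_server, probes):
    """Return the probe destinations whose traffic would not traverse the VPN.
    The VPN server's own address is a legitimate exception and is skipped."""
    return [dst for dst in probes
            if dst != vpn_server and egress_interface(routes, dst) != vpn_iface]
```

Feeding the client's actual routes into `tunnel_bypass` with a handful of internal and public probe addresses gives a concrete list of what is exposed on an untrusted hotel or airport network.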
Virtual private networks can work for low-level issues such as downloading pirated music, books or movies, but they aren't enough for anybody trying to avoid being identified by surveillance agencies such as the NSA. VPNs offer a measure of internet security, but they don't offer any substantial measure of anonymity. If you want to browse the Internet anonymously, you should use a system that does not keep any logs, such as HTTPS Everywhere and the Tails operating system. The Tor Browser Bundle (TBB) is another good option, but the NSA owns most of its exit nodes.