VPN Rant
VPN, a silver bullet?
Watch just about any content on YouTube and you’ll come across an advertisement for a VPN Solution. Each come with great features like a false sense of security, password managers, EULA violations, and more! Sorry, I guess they’d phrase it a bit differently. You get “total privacy”, a password manager, and the ability to watch Netflix shows like you live somewhere else. For a very cheap rate, you can access these services on a monthly basis.
OK, and ???
To start, let’s cover what a VPN actually is. A VPN, or Virtual Private Network, is a cryptographically secure connection from your computer or router to a remote termination point. These tunnels allow you to send unsecure traffic from your current location to the termination point without worrying about having your traffic detected. Unsecure traffic includes any network communication that is not wrapped in an encrypted communication format such as TLS. Some examples of common protocols that may use unencryped communication methods include email and web browsing.
No VPN Solution
Diagram
/--> [ Internet Backbone] --> [ Dating ISP ] --> [ Dating Site ]
[ Computer ] ~~> [ Router ] ~~> [ ISP ] ~~+ ==> [ Internet Backbone] ==> [ Twitter ISP ] ==> [ Twitter ]
\==> [ Internet Backbone] ==> [ Banking ISP ] ==> [ Banking ]
Legend: ~~ Mixed Traffic | - Unsecure Traffic | == Secure TrafficOverview
In this diagram, we can see traffic requests original from the Computer in a mixed stated, flow through the router, through the ISP, and onto their final destinations. There is no VPN in place, which means that the mixed traffic is partially vulnerable to complete access by a middle party. These middle parties are everywhere and include your ISP, internet backbone providers, and the ISP for any organization you interact with on the web. If you’re curious what this looks like for you, running a traceroute can be a great way to see all the nodes ferrying your traffic around the world.
>traceroute google.com traceroute to google.com (142.250.190.110), 30 hops max, 60 byte packets 1 _gateway (192.168.86.1) 7.882 ms 7.869 ms 7.863 ms 2 fedtel.stellarllc.net () 8.070 ms 7.853 ms 7.848 ms 3 162.211.40.217 (162.211.40.217) 7.843 ms 7.838 ms 7.833 ms 4 100ge1-cns.neweffington.stellarllc.net (66.234.123.234) 24.021 ms 24.017 ms stlr9k-be50.hoffman.mn.stellarllc.net (206.183.180.21) 15.955 ms 5 stlr9k-be60.brandon.mn.stellarllc.net (66.234.112.233) 15.950 ms 15.945 ms 15.941 ms 6 100ge1-cns-w.511.stellarllc.net (66.234.112.237) 20.070 ms 16.186 ms 16.175 ms 7 AS15169.micemn.net (206.108.255.141) 27.091 ms 19.916 ms 27.066 ms 8 108.170.243.225 (108.170.243.225) 30.580 ms 30.574 ms 108.170.244.1 (108.170.244.1) 23.402 ms 9 142.251.60.207 (142.251.60.207) 180.509 ms 142.251.60.205 (142.251.60.205) 180.489 ms 180.475 ms 10 ord37s35-in-f14.1e100.net (142.250.190.110) 180.469 ms 180.462 ms 405.390 ms
Concerns
With this network model, there are some concerns we need to address.
Local Network
Any local network devices that can sniff packets can see all traffic and destinations
ISP
- Source IP and Destination IP known
- All traffic contents to the dating site are fully visible
- Internet Backbone
- Source IP and Destination IP known
- All traffic contents to the dating site are fully visible
Service Provider ISP
- Source IP and Destination IP Known (limited to service provider)
- Dating content known
Service Provider
- Source IP and Destination IP known
- Content known
First, all members of the internet will have some knowledge of the traffic that occurred. At minimum, that your home IP address was requesting information from dating, twitter, and banking will be obvious to different parties.
Second, all hops of the internet will see the full contents of the dating website information because it’s relying on a non-secure protocol. This is why you should look for the lock icon when browsing the web, but is not a fullproof solution.
Now, the ISP knowing where you are going is a topic of debate within the United States, but there are countries in the world where this information could send a person to jail (or worse). Unless you are interacting with the parts of the internet where your personal risk would be heightened by revealing the information about your IP location or destinations, then this risk model is perfectly acceptable for day to day use. Anyone who tries to sell you on a VPN when you don’t have issues with the immediate ISP is selling you a solution you don’t need.
With that out of the way, let’s see how a VPN changes the equation.
VPN Solution
/--> [ Dating ISP ] -->[ Dating Site ]
[ Computer ] ===================================> [ VPN ] ~~> [ VPN ISP | Backbone ] ==> [ Twitter ISP ] ==> [ Twitter ]
\==> [ Banking ISP ] ==> [ Banking ]
Legend: ~~ Mixed Traffic | - Unsecure Traffic | == Secure TrafficOverview
In this diagram, we can see secure connection from the computer all the way to the VPN Concentrator. Afterwards, the connections break out to each of the final destinations, routing back through the VPN ISP and internet backbone. With the VPN in place, everything in the first half of the journey is also secure because the VPN prevents visibility into the traffic, so even the dating traffic is secure up to that point. However, after the VPN, we run similar risks to the no VPN solution in the first network model.
Concerns
With this network model, there are some concerns we need to address.
Local Network
- Sees obfuscated traffic from your home network to the VPN provider
ISP
- Sees obfuscated traffic from your home network to the VPN provider
Internet Backbone
- Sees obfuscated traffic from your home network to the VPN provider
VPN
- IP and Destination IP known
- All traffic contents to the dating site are fully visible
Service Provider ISP
- VPN IP and Destination IP Known (limited to service provider)
- Dating content known
Service Provider
- VPN IP and Destination IP known
- Content known
In this model, you have eliminated visibility into your traffic up to the VPN, but all post VPN traffic carries original risks. The main difference is that your source IP shifts from your home network to the VPN provider network from the vantage point of the service providers. All other consumer data that would be sent is still valid including information about your device, account, messages, etc. The only information that’s been hidden from the service provider is your true home IP address.
Pros
By hiding your information from your local ISP, you may avoid throttling on certain types of traffic and avoiding any local regulations and restrictions. If these are concerns, then a VPN is right for you.
The other pro is hiding your IP address from the service providers, but this is a double edged sword. One common security protection used by service providers is to track your signed in IP addresses to ensure you don’t sign on from an unexpected location. By messing with your current location regularly, providers cannot provide this service accurately which may result in additional steps during application sign on or reduced protection when your credentials are guessed or stolen.
Summary
A VPN is not a silver bullet. It’s a specific tool that provides specific protections that do have use and utility in certain applications. For most people in the West, save your pennies and put your money to a more worthwhile cause.