You Don't Understand VPNs

Technology is created to solve a problem. All technology has been a response to a perceived problem that exists in the world. Then, a bunch of nerds (engineers) got together and worked out a solution that addresses the problem in their use case. Any time that you pick up a piece of technology you should ask yourself what problems it was designed to solve from the viewpoint of the people who were likely to have made it.

I am currently a little frustrated because people are demonstrating that they still don't understand what a Virtual Private Network (VPN) is for. So I am going to take some time to explain what a VPN was designed for, what problems it solves, and what it is not designed to do and how it doesn't solve those problems.

The Problem


In The Past, a Business decided to open a second office on the other side of town. They wanted to share their telephones since they had their telephone system all hooked up in their first office. The company made a decision to connect their second office to the same telephone system by digging a long trench (CON1) across town and laying a physical cable to connect their two sites.

Also In The Past (But Not As Past), they started using computers and needed to share data and access this new thing called the internet. At first they could just use the same cable (CON1) they laid for their phones to share data between sites. It was a pretty great time for them. A bunch of new companies opened around this time and decided they also needed to share data, and dug trenches to connect their networks.

Sometime after that the internet became much faster and those darn executives in these new growing companies didn't want to lay a cable like the old businesses. If their engineers and workers just needed to share data they could probably manage that over the internet, right? As it turns out that wasn't a great move because some of that data was very important and spooky hackers could see their company secrets over the internet. What could we do?

The Solution (Spoiler: It was a Virtual Private Network)


A bunch of mathematicians and cryptologists came up with a way to create a virtual network between both of their business sites over the internet, that was still private because they protected it with math wizardry. It was fantastic! Some businesses still wanted to lay the cable, but now not all businesses had to. They ran into some issues with scale, but eventually they were able to connect all of their offices over the internet, securely.

Virtual Private Networks were designed to allow businesses to be able to share information with remote sites as if they were just another office down the hall.

Some businesses wanted to monitor the internet traffic of remote offices. In order to accomplish this they would route the remote office's traffic across the VPN, through the local monitoring equipment, and then back out to the internet. Larger businesses were the first to encounter large operating costs due to doubling the traffic of any remote office. So a lot of businesses moved to dynamic VPNs that only sent traffic to other offices if that traffic needed to reach resources there. We still do this.

I'm not a business

Okay. I didn't ask.

People back in the late 90s and early 00s used what is known as a proxy to mask their real location. Most of these people were worried about accessing web forums or chat services that would show the IP that connected to them. A proxy is a simple tool. You send the data that you want to send to a website to a proxy, and then the proxy passes it along for you.

I'm going to take a moment to explain a very common attack on the internet. There is an attack where someone places themselves in the middle of someone's connection and takes all the messages someone sends, records those messages, and then passes the information along to its destination. They would do the same for returning messages. This is called a man-in-the-middle attack.

I don't know when but at some point a company started selling a proxy service where you would pay them, send them all your data so they could record all your data and pass it along. They somehow managed to market persistent man-in-the-middle attacks as a "Virtual Private Network." I made a diagram to help explain.



The top half of the diagram reflects a connection without a VPN. Your traffic leaves your home and enters your Internet Service Provider's (ISP) network, which they then route through a bunch of other ISPs' networks. We call all those networks beyond your ISP the Internet.

The bottom half of the diagram is what your connection looks like with a VPN. You should notice that your traffic still goes through the internet unencrypted. Your traffic follows the same path back to your home, being encrypted at your VPN provider's server before it gets sent off to you.

But I thought it was private!

Yeah, that's the catch here. You aren't using a real Virtual Private Network. If it was a real VPN you would be able to access all the other clients attached to the VPN through the same encrypted network. You, and all other clients of the service, would all be connected to the same virtual network - except you aren't.

You are using an encrypted proxy.

This is where you have to understand what problems technology was designed to solve. When the first Virtual Private Network technologies were being created the engineers defined 'Private' in a specific way: Only the two endpoints, being the two business sites, could talk and listen on the virtual connection.

Many VPN services use real VPN technology. Your connection to the VPN provider is indeed private. But make no mistake, the service they are selling you is a proxy service. If you've been paying attention to the news you would have heard that some of these services have been conducting man-in-the-middle attacks against you while you use their service and selling the data to advertisers.

So, you're saying nobody should use a VPN?

There are a lot of legitimate reasons to need a VPN service. I'll list a couple.

  • Your government is monitoring you because you are an activist
  • Your government is monitoring you because you are a spy
  • Your government is monitoring you because you are suspected of a crime
  • Your government is monitoring you because you are a part of a targeted marginalized group
  • You are on a known hostile wireless network away from home and are worried about MitM attacks
  • You need to access files from work while you are away from the office

Reasons you want one:
  • My IsP iS SpYiNg oN mE
  • My ISP is hijacking my DNS requests and redirecting my traffic
  • My ISP is injecting malicious code such as advertisements into my traffic
  • My ISP sells my data to advertisers
  • I want to see a show on Netflix that isn't available in my country

This is called threat modeling. If your concern is your government, a VPN will encrypt your traffic until it reaches the endpoint that you will want to be outside of the country that is monitoring you. If your concern is people on an open wireless access point screwing about with your traffic, then the encryption will help until it reaches the realm of the internet where far fewer individuals have access to your connection. The last point is what VPNs were designed to address, so if you are that person you are golden.

If your worry is your ISP, I have bad news for you. Your VPN provider logs your traffic, sells your data to whoever will pay for it, and is just as guilty of injecting malicious code into your web traffic as your ISP is. The only reason in the second list that holds water is seeing that show on Netflix because hot damn, Canadian Netflix blows. Just keep in mind that the only VPN you can trust not to interfere with your traffic or sell it to advertisers is the VPN where you have configured and deployed both endpoints yourself.
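The two paths from the diagram description and the threat-model reasoning above can be written down as a small model. This is an added sketch, not part of the original post; the hop names and the "facts" each hop can read are constructed for illustration, and it only covers network-level visibility (a website can still identify you through a login or cookies).

```python
# Constructed model of the two paths described above; not a measurement
# of any real ISP or VPN service.
DIRECT = ["local network", "ISP", "internet transit", "website"]
VIA_VPN = ["local network", "ISP", "VPN provider", "internet transit", "website"]

def observer_views(path, https):
    """Map each hop to the set of facts it can read about one request."""
    views = {}
    in_tunnel = "VPN provider" in path   # tunnel runs from you to the provider
    source = "your IP"
    for hop in path:
        if hop == "VPN provider":
            # Tunnel terminates here: the provider decrypts and sees both sides.
            in_tunnel = False
            seen = {"your IP", "destination"}
            if not https:
                seen.add("content")
            source = "VPN server IP"     # what later hops see as the sender
        elif in_tunnel:
            # Only an encrypted stream between you and the provider is visible.
            seen = {"your IP", "VPN server IP"}
        else:
            seen = {source, "destination"}
            if hop == "website" or not https:
                seen.add("content")      # the endpoint always reads the request
        views[hop] = seen
    return views

def can_link_you_to_destination(path, https):
    """Hops that see both who you are and where you are going."""
    return [hop for hop, seen in observer_views(path, https).items()
            if {"your IP", "destination"} <= seen]

def can_read_content(path, https):
    """Hops that can read the request body."""
    return [hop for hop, seen in observer_views(path, https).items()
            if "content" in seen]

if __name__ == "__main__":
    for name, path in (("direct", DIRECT), ("via VPN", VIA_VPN)):
        for https in (False, True):
            print(name, "https" if https else "http",
                  "| linkable by:", can_link_you_to_destination(path, https),
                  "| content readable by:", can_read_content(path, https))
```

In this model the VPN removes the local network and ISP from the list of parties that can tie you to a destination and puts the VPN provider there instead, while HTTPS is what limits who can read the content.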

Conclusion

There isn't a hard point here. I am not trying to persuade you in one direction or another. I just wanted to give you information so that you can make informed decisions about the use of a VPN. A lot of web traffic is protected by transport protection like HTTPS, which prevents a lot of this meddling from your ISP. HTTPS also masks a lot of your browsing, but that's not a subject I'm as well educated on.

Make good choices. Don't be surprised when your VPN provider sells your data, because it will happen unless you are your VPN provider.

Be your own VPN provider.

About the Author

I am NotAwful, I go by @awfulyprideful on Twitter. I study computer networking and telephony in college. My passion is InfoSec, but my college courses don't teach that. I write blog posts because I have things to say, and a lot of people seem to find them helpful or educational. If you want to donate money to me so that I can do this more, you can do so via PayPal! Thanks for reading. <3
