Published on May 1st, 2019
VPN Endgame | DigitalMunition
Choosing a virtual private network (VPN) can be difficult. Besides selecting a VPN provider, users must also choose between a paid VPN or a free VPN, among other factors.
Simply picking a seemingly "free" VPN can have consequences ranging from having information logged and sold to advertisers, which may defeat the purpose of using a VPN in the first place, to having the VPN used as a portal to deliver malware to your device.
Just last year, Hola VPN and its sister company Luminati were slammed by the security community after Trend Micro researchers found their services lacked encryption and were leaking user IP addresses, ultimately failing to mask users' digital footprints.
In other extreme cases, services like HideMyAss and PureVPN have both been in hot water over their logging policies, which allegedly led to the arrests of their users, and another company, Hotspot Shield, got in trouble after it was accused of hijacking HTTP traffic and redirecting users to affiliate sites.
Even users looking to pay for their privacy aren't safe. Some fake VPN providers were found to be cashing in on user ignorance and claiming that ISPs can sell a user's online privacy if the user doesn't use the VPN services they offer.
"Choosing a reliable VPN service that suits your individual requirements is quite difficult, especially if you have no VPN experience in the first place," Daniel Markuson, digital privacy expert at NordVPN, says. "The technology may seem complicated, the selection of providers dizzying, and then there are stories about fraudulent VPN services."
Markuson says the VPN market is extremely dynamic and that information from just a few years ago is now hopelessly outdated. Even the most reputable comparison sites update their reviews at least once a year to reflect the latest features, server locations and general performance. He added that if a site's articles don't contain dates, users should try searching for the relevant article on Google, since search results sometimes show a publishing date next to the link.
"Naturally, to find out which services may offer the best internet protection, users usually turn to various internet sources," Markuson says. "There's a Reddit megathread on VPN recommendations, over 5,000 VPN-related questions on Quora, and plenty of comparison sites with in-depth reviews."
Even with the help of recommendations, users may still be stumped on what services they actually need and which providers they can trust. And, even assuming a user finds a fit, there isn't always a clear way to ensure the pick is a safe one.
"Unfortunately, the average consumer must trust that their VPN works as advertised," Paul Bischoff, privacy advocate with Comparitech.com, says, adding, "there's no central or governing body that certifies VPNs as safe. You can check up on what types of encryption and other specifications are used, but without some knowledge about how to perform network and traffic analysis, an average person couldn't test to see whether those claims are genuine or not."
Bischoff explains that users can look to reputable sites that run various tests to assess VPN security to help put things in perspective. In addition, there are key factors a user should look into when choosing a VPN.
"A VPN without many user reviews or a bad reputation in the industry might be unsafe; they should have a history of reliability," says Francis Dinha, CEO of OpenVPN. "If you try to contact the company with questions and no one answers, or a bot answers, that's also a red flag."
Additionally, Dinha says, consumer VPNs that allow torrenting are often inherently unsafe: there's such a high risk of malware with torrenting that if a VPN allows it, they probably don't have the highest security in mind.
Markuson notes that some VPN providers may be required by law to collect data on their users' internet activity, depending on the country in which they operate. In addition, he adds, the more countries in which a VPN provider has servers, the better users can bypass geo-blocks, avoid server congestion and keep high internet speed.
There are some red flags users should be on the lookout for when choosing a VPN provider, as some explicitly stated policies and features, or lack thereof, may be signs that a VPN provider isn't secure.
"Always be suspicious of shareware and freeware VPNs, as well as providers who don't have a strong reputation for security and don't require authentication," says Usman Rahim, digital security and operations manager at The Media Trust. "They should also read the fine print to ensure they know whether their data is being processed and with whom it's being shared."
Rahim adds that most consumers don't know that shareware and freeware VPN applications gather user data and sell it to third parties. As a result, he says users should steer clear of these providers as they are likely only in business to purloin identity and financial information.
Even with reputable companies, there is no guarantee that these firms won't collect, use or sell the data that they are allowed to access if legislative oversight is lacking, Rahim warns.
"When a for-profit company provides you with a service for free, that's because they are using you to make money," Markuson says. "You are the product, not the customer. Don't forget this rule if you're weighing the benefits of a free VPN versus a paid one. How a free VPN makes money depends on their sense of ethics, but none of the potential solutions bode well for your online security."
Markuson says the biggest disadvantage of choosing a free VPN provider is that most of these services can't actually guarantee a user's privacy, and to make a profit the providers have to track their users' browsing habits and trade that information for gain.
Those in the market for a VPN should also steer clear of providers that are not upfront with their security and privacy practices, says Justin Jett, director of audit and compliance at Plixer.
"If there isn't a privacy policy available, don't use the service," Jett says. "If the services don't provide you with cipher details or the types of encryption offered, don't use the service. The service should also have a support line or chat to help with problems and customer service should be able to answer these security-related questions."
Jett adds that the provider should also provide, in at least one of their tiers of service, fast connection speeds, since it's a good indicator that it is part of a larger network or is peering to achieve capacity.
A provider that can offer a data speed of no more than 3MB per second might be a hacker with a server in his parent's basement trying to steal data, Jett says. Not to mention the fact that most users would typically want much faster speeds.
Additionally, users should consider that a VPN service that routes communications to a country with strict privacy legislation will provide additional assurance that the data is being handled in a secure and privacy-first way.
Ultimately, researchers say users must trust the VPN provider, says Etay Bogner, founder and CEO of Meta Networks.
"In most cases, the traffic itself is encrypted by HTTPS or any other encrypted protocols like email, SSH, etc.," Bogner says. "The VPN provider cannot usually decrypt that traffic unless, for example, he manages to install a Certificate Authority Certificate, which allows him to forge web site certificates."
Bogner says the big difference between a VPN provider that installed a VPN agent and any other agent being installed is that all traffic flows via the VPN provider's network, so the risk is very high because the user expects the traffic to go via the provider.
Experts also recommend users find out whether the VPN provider logs internet traffic, how many countries the provider has servers in, whether it slows down internet traffic, what level of encryption it offers, whether it works on multiple platforms, and whether it's a real VPN or just a proxy.
The bottom line is that when choosing a VPN, users can never be fully sure they are being protected, but they can always do due diligence to ensure that a VPN provider is reputable with good reviews, has a clear privacy policy, good customer support, and fast speeds. Users may need to cough up a few extra bucks to ensure they have these services, but it may just be worth it considering the alternative.
Selecting a VPN - Here's what to consider
Comparitech Privacy Advocate and VPN Expert Paul Bischoff recommends users mull the following criteria when rating VPN providers' privacy protections for maximum safety.
1.  Traffic logging policy: Traffic logs refer to records of user activity and the content they viewed while using the VPN. A VPN provider should have no traffic logs of any sort whatsoever.
2.  Metadata logging policy: This refers to logs that contain the source IP of users, not considering bandwidth or timestamp logs, which contain no identifying information.
3.  VPN protocol: Must use a secure VPN protocol such as OpenVPN, L2TP, SSTP, or IKEv2.
4.  Channel encryption: Must use the AES 128-bit algorithm or higher.
5.  Authentication protocol: Must be SHA256 or better. SHA1 has vulnerabilities, but HMAC SHA1 is arguably still safe and doesn't suffer from collisions, so points are not deducted for HMAC SHA1.
6.  Key exchange: RSA and DH keys must be 2,048-bit or higher.
7.  Perfect forward secrecy: Session keys cannot be compromised even if the private key of the server is compromised.
8.  DNS leak protection: DNS leak protection must be built into the provider's apps.
9.  WebRTC leak prevention: WebRTC leak prevention must be built into the provider's apps.
10. IPv6 leak prevention: IPv6 leak prevention must be built into the provider's apps.
11. Kill switch: A kill switch that halts traffic when the VPN connection drops is a must.
12. Private DNS servers: The provider must operate its own DNS servers and not route DNS requests through the default ISP or a public provider such as OpenDNS or Google DNS.
13. Servers: Physical servers are preferred.
14. Anonymous payment methods: Accepting Bitcoin as payment earns the point, but also take note of those who accept gift vouchers and other cryptocurrencies.
15. Torrenting policy: Downloading via BitTorrent must be allowed.
16. Country of incorporation: Special consideration if a VPN is incorporated outside of the 14 Eyes: Australia, Canada, New Zealand, the United Kingdom, United States, Denmark, France, Netherlands, Norway, Germany, Belgium, Italy, Sweden, and Spain.
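Items 4, 5 and 7 of the checklist above can be checked directly against an OpenVPN client profile, which is one way to verify a provider's stated cipher details. The following is an added example, not code from the article or from Comparitech; the sample profile is constructed, and treating an absent directive as "not stated" is an assumption of this example.

```python
import re

# Constructed sample profile for illustration; not from any real provider.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.net 1194
cipher AES-256-CBC
data-ciphers AES-256-GCM:BF-CBC
auth SHA1
tls-cipher TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384:TLS-RSA-WITH-AES-256-CBC-SHA
"""

AES_OK = re.compile(r"^AES-(128|192|256)-", re.I)   # item 4: AES, 128-bit or higher
AUTH_OK = {"SHA1", "SHA256", "SHA384", "SHA512"}    # item 5: `auth` is an HMAC digest,
                                                    # so SHA1 is tolerated as HMAC SHA1
PFS_OK = re.compile(r"^TLS-(DHE|ECDHE)-", re.I)     # item 7: ephemeral key exchange


def parse_directives(text):
    """Map each directive name to the list of argument strings it was given."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":              # blank line or comment
            continue
        name, *rest = line.split(None, 1)
        directives.setdefault(name, []).append(rest[0] if rest else "")
    return directives


def failures(values, ok):
    """Values that fail `ok`; a directive that is absent counts as 'not stated'."""
    if not values:
        return ["not stated"]
    return [v for v in values if not ok(v)]


def audit(text):
    """Return {checklist item: offending values}; an empty list means a pass."""
    d = parse_directives(text)
    ciphers = [c for k in ("cipher", "data-ciphers") for v in d.get(k, []) for c in v.split(":")]
    auths = [a.upper() for a in d.get("auth", [])]
    suites = [s for v in d.get("tls-cipher", []) for s in v.split(":")]
    return {
        "4 channel encryption": failures(ciphers, AES_OK.match),
        "5 authentication": failures(auths, AUTH_OK.__contains__),
        "7 forward secrecy": failures(suites, PFS_OK.match),
    }


if __name__ == "__main__":
    for item, bad in audit(SAMPLE_PROFILE).items():
        print(item, "PASS" if not bad else f"FAIL: {bad}")
```

A profile only shows what the client is configured to accept; logging policy and server-side behaviour (items 1, 2 and 12) cannot be read from it.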
Gloss