Published on May 1st, 2019

VPN Endgame | DigitalMunition

Choosing a virtual
private network (VPN) can be difficult. Besides selecting a VPN provider, users
must also choose between a paid VPN or a free VPN, among other factors.

Simply picking a seemingly “free” VPN can have consequences
ranging from having information logged and sold to advertisers, which may
defeat the purpose of using a VPN in the first place, to having the VPN used as
a portal to deliver malware to your device.

Just last year, Hola VPN and its sister company Luminati
were slammed by the security community after Trend Micro researchers found
their services lacked encryption and were leaking user IP addresses, ultimately
failing to mask users’ digital footprints.

In other extreme cases,
services like HideMyAss and PureVPN have both been in hot water over their
logging policies, which allegedly led to the arrests of their users, and
another company, Hotspot Shield, got in trouble after it was accused of
hijacking HTTP traffic and redirecting users to affiliate sites.

Even users looking to
pay for their privacy aren’t safe. Some fake VPN providers were found to be
cashing in on user ignorance and claiming that ISP providers can sell a user’s
online privacy if the user doesn’t use the VPN services they offer.

“Choosing a reliable VPN service that suits your individual
requirements is quite difficult, especially if you have no VPN experience in
the first place,” Daniel Markuson, digital privacy expert at NordVPN, says. “The
technology may seem complicated, the selection of providers dizzying, and then
there are stories about fraudulent VPN services.”

Markuson says the VPN
market is extremely dynamic and that information from just a few years ago is
now hopelessly outdated. Even the most reputable comparison sites update their
reviews at least once a year to reflect the latest features, server locations
and general performance. He added that if a site’s articles don’t contain dates
then users should try searching for the relevant article on Google since search
results sometimes show a publishing date next to the link.

“Naturally, to find out which services may offer the best
internet protection, users usually turn to various internet sources,” Markuson
says. “There’s a Reddit megathread on VPN recommendations, over
5,000 VPN-related questions on Quora, and plenty of comparison sites with
in-depth reviews.”

Even with the help of recommendations, users may still be stumped
on what services they actually need and which providers they can trust. And,
even assuming a user finds a fit, there isn’t always a clear way to ensure the
pick is a safe one.

“Unfortunately, the
average consumer must trust that their VPN works as advertised,” Paul Bischoff,
privacy advocate with Comparitech.com, says, adding “there’s no central or
governing body that certifies VPNs as safe. You can check up on what types of
encryption and other specifications are used, but without some knowledge about
how to perform network and traffic analysis, an average person couldn’t test to
see whether those claims are genuine or not.”

Bischoff explains that users can look to reputable sites
that run various tests to assess VPN security to help put things in perspective.
In addition, there are key factors a user should look into when choosing a VPN.

“A VPN without many user reviews or a bad reputation in the
industry might be unsafe; they should have a history of reliability,” says
Francis Dinha, CEO of OpenVPN. “If you try to contact the company with
questions and no one answers, or a bot answers, that’s also a red flag.”

Additionally, Dinha says, consumer VPNs that allow
torrenting are often inherently unsafe — there’s such a high risk of malware
with torrenting that if a VPN allows it, they probably don’t have the highest
security in mind.

Markuson notes that some VPN providers may be required by
law to collect data on their users’ internet activity, depending on the country
in which they operate. In addition, he adds, the more countries in which a VPN
provider has servers, the better users can bypass geo-blocks, avoid server
congestion and keep high internet speed.

There are some red flags users should be on the lookout for
when choosing a VPN provider, as some explicitly stated policies and features,
or lack thereof, may be signs that a VPN provider isn’t secure.

“Always be suspicious of shareware and freeware VPNs, as
well as providers who don’t have a strong reputation for security and don’t
require authentication,” says Usman Rahim, digital security and operations
manager at The Media Trust. “They should also read the fine print to ensure
they know whether their data is being processed and with whom it’s being
shared.”

Rahim adds that most
consumers don’t know that shareware and freeware VPN applications gather user
data and sell them to third parties. As a result, he says users should steer
clear of these providers as they are likely only in business to purloin
identity and financial information.

Even with reputable
companies there is no guarantee that these firms won’t collect, use or sell the
data that they are allowed to access if legislative oversight is lacking, Rahim
warns.

“When a for-profit company provides you with a service for
free, that’s because they are using you to make money,” Markuson says. “You are
the product, not the customer. Don’t forget this rule if you’re weighing the
benefits of a free VPN versus a paid one. How a free VPN makes money depends on
their sense of ethics, but none of the potential solutions bode well for your
online security.”

Markuson says the biggest disadvantage of choosing a free
VPN provider is that most of these services can’t actually guarantee a user’s
privacy and, to make a profit, the providers have to track their users’ browsing
habits and trade that information for gain.

Those in the market for a VPN should also steer clear of
providers that are not upfront with their security and privacy practices, says
Justin Jett, director of audit and compliance at Plixer.

“If there isn’t a privacy policy available, don’t use the
service,” Jett says. “If the services don’t provide you with cipher details or
the types of encryption offered, don’t use the service. The service should also
have a support line or chat to help with problems and customer service should
be able to answer these security related questions.”

Jett adds that
the provider should also offer, in at least one of its tiers of service,
fast connection speeds, since that is a good indicator that it is part of a larger
network or is peering to achieve capacity.

A provider that can offer a data speed of no more than 3MB
per second might be a hacker with a server in his parents’ basement trying to
steal data, Jett says. Not to mention the fact that most users typically would
want much faster speeds.

Additionally, users
should consider that a VPN service that routes communications to a country with
strict privacy legislation will provide additional assurance that the data is
being handled in a secure and privacy-first way.

Ultimately, researchers
say users must trust the VPN provider, says Etay Bogner, founder and CEO of Meta
Networks.

“In most cases, the
traffic itself is encrypted by HTTPS or any other encrypted protocols like
email, SSH etc,” Bogner says. “The VPN provider cannot usually decrypt that
traffic unless, for example, he manages to install a Certificate Authority
Certificate, which allows him to forge web sites certificates.”

Bogner says the big difference between installing a VPN
provider’s agent and installing any other agent is that all traffic flows
via the VPN provider’s network, so the risk is very high because the user
expects the traffic to go via the provider.

Experts also recommend users find out whether the VPN provider
logs internet traffic, how many countries the provider has servers in, whether it
slows down internet traffic, what level of encryption it offers, whether it works on
multiple platforms, and whether it’s a real VPN or just a proxy.

The bottom line is that when choosing a VPN users can never
be fully sure they are being protected, but they can always do due diligence to
ensure that a VPN provider is reputable with good reviews, has a clear privacy
policy, good customer support, and fast speeds. Users may need to cough up a
few extra bucks to ensure they have these services but it may just be worth it
considering the alternative.

Selecting a VPN – Here’s what to consider

Comparitech
Privacy Advocate and VPN Expert Paul Bischoff
recommends users mull the following criteria when rating a VPN provider’s privacy
protections for maximum safety.

1. Traffic logging policy: Traffic logs refer to records of user activity and the content they viewed while using the VPN. A VPN provider should have no traffic logs of any sort whatsoever.

2. Metadata logging policy: This refers to logs that contain the source IP of users. Bandwidth or timestamp logs, which contain no identifying information, are not considered.

3. VPN protocol: Must use a secure VPN protocol such as OpenVPN, L2TP, SSTP, or IKEv2.

4. Channel encryption: Must use the AES 128-bit algorithm or higher.

5. Authentication protocol: Must be SHA256 or better. SHA1 has vulnerabilities, but HMAC SHA1 is arguably still safe and doesn’t suffer from collisions, so points are not deducted for HMAC SHA1.

6. Key exchange: RSA and DH keys must be 2,048-bit or higher.

7. Perfect forward secrecy: Session keys cannot be compromised even if the private key of the server is compromised.

8. DNS leak protection: DNS leak protection must be built into the provider’s apps.

9. WebRTC leak prevention: WebRTC leak prevention must be built into the provider’s apps.

10. IPv6 leak prevention: IPv6 leak prevention must be built into the provider’s apps.

11. Kill switch: A kill switch that halts traffic when the VPN connection drops is a must.

12. Private DNS servers: The provider must operate its own DNS servers and not route DNS requests through the default ISP or a public provider such as OpenDNS or Google DNS.

13. Servers: Physical servers are preferred.

14. Anonymous payment methods: Accepting Bitcoin as payment earns the point, but also take note of those who accept gift vouchers and other cryptocurrencies.

15. Torrenting policy: Downloading via BitTorrent must be allowed.

16. Country of incorporation: Special consideration if a VPN is incorporated outside of the 14 Eyes: Australia, Canada, New Zealand, the United Kingdom, United States, Denmark, France, Netherlands, Norway, Germany, Belgium, Italy, Sweden, and Spain.
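
Checklist items 4 and 5 can be checked directly when a provider hands out an OpenVPN client profile. The Python sketch below is an added example, not part of the original article or any provider's tooling: it parses a profile and grades its cipher and digest settings against those two items. The sample profile and the verdict labels are constructed for illustration, and key size (item 6) is left out because it requires parsing the certificate itself.

```python
import re

# Constructed sample profile for illustration (not from any real provider).
WEAK_PROFILE = """client
remote vpn.example.net 1194 udp
cipher BF-CBC
auth MD5
<ca>
(certificate placeholder, skipped by the parser)
</ca>
"""

def parse_profile(text):
    """Map each directive to its arguments, skipping comments and inline <tag> blocks."""
    opts, closing = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if closing:                      # inside <ca>...</ca> or a similar inline block
            closing = None if line == closing else closing
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:
            closing = f"</{tag.group(1)}>"
            continue
        name, *args = line.split()
        opts[name] = args
    return opts

def audit(text):
    """Verdicts for checklist items 4 (channel encryption) and 5 (authentication)."""
    opts = parse_profile(text)
    ciphers = [c for key in ("data-ciphers", "ncp-ciphers", "cipher")
               for c in (opts.get(key) or [""])[0].upper().split(":") if c]
    aes_bits = [re.match(r"AES-(\d+)-", c) for c in ciphers]
    if not ciphers:
        enc = "unspecified"              # profile is silent; do not assume a default
    else:
        enc = "pass" if all(m and int(m.group(1)) >= 128 for m in aes_bits) else "fail"
    digest = (opts.get("auth") or [""])[0].upper()
    if digest in ("SHA256", "SHA384", "SHA512"):
        auth = "pass"
    elif digest == "SHA1":
        auth = "tolerated"               # item 5: HMAC SHA1 is not penalised
    else:
        auth = "fail" if digest else "unspecified"
    return {"channel_encryption": enc, "authentication": auth}
```

An "unspecified" verdict means the profile does not state the setting, which is a question to put to the provider's support line rather than a pass.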
