VPNs – What They Are, and What They Are Not

Posted on 2020-12-17 by: Axel Kloth

I’d like to clarify a few things around VPNs as I think that the term has lately been misused. A VPN is a Virtual Private Network. A little bit of history and technology understanding is needed to see why a VPN is an important part of today’s life, and why it does not come naturally with the Internet. In the old Plain Old Telephony Services (POTS) days, your phone line from your house went directly to what was called a class 5 central office switch. That line was not shared in any way, form or shape. The same was true for the outgoing line from that Class 5 central office switch to the recipient of the call. As a result, POTS was always secure and private, and the only way to snoop was with what was called Legal Intercept in the central office switch. A legal intercept order needed a judge’s order and thus was used only for law enforcement actions. The Internet is different. On any given link there will likely be Internet Protocol (IP) traffic from many different users, and snooping on that cacophony of traffic is relatively simple and straightforward: nearly every switch has a feature called “port mirroring”. As a result, any traffic on the Internet must be considered public. There is no privacy on the Internet without additional measures.

If you conduct online banking, your bank’s servers and your browser use what is called SSL (Secure Socket Layer) or TLS (Transport Layer Security). While SSL is technically deprecated and has been replaced by TLS, the goal is the same: create a secure encrypted “tunnel” between you and your bank to make sure that even if someone snoops on the communication channel, they can’t decipher what the contents is. It is sort of an equivalent between a post card and a letter. Both the postcard and the letter must have at least the recipients’ address on them, but the letter does not unveil the contents. The postcard does. So the Internet without SSL/TLS is akin to sending postcards, and with SSL/TLS it is more like sending letters. SSL and TLS go a bit further as they also aim to guarantee that the recipient and the sender’s name and address are included in the encrypted payload. This is important as just encrypting something does not guarantee the validity and authenticity (he or she is who he or she claims to be…) of the sender. After all, you can receive a letter from someone even if the sender’s address on the envelope is missing or false. If the sender’s address inside the letter is repeated and it matches the one on the envelope, there is a good chance that the sender is who he or she claims to be. SSL/TLS aim to do the same.

SSL and TLS are transient in their nature, i.e. once your banking session has ended, there is no residual tunnel in existence between you and your bank.

There is a second set of VPN tunnels, and they are called IPSec VPN tunnels. They usually exist between entities that have a need for bulk encrypted traffic between them, for example bank branch offices (and all of their local ATMs) to the bank headquarters. Another set is usually deployed between an office and remote workers. These are also IPSec VPNs that are static in nature.

In all aforementioned cases, the communication is secured along the entire chain of communication, from one endpoint to another. At no point along this path can anyone snoop and extract cleartext.

In the past few years, a new crop of VPN providers have appeared on the horizon. These companies try to cash in on the perception that VPNs are secure and can help you maintain your privacy. That is true for real VPNs, as explained above. These new VPN providers offer a completely different service though. If you sign up to these VPN providers, they have you install software that creates an SSL or TLS or IPSec VPN tunnel between you and their Point of Presence. The traffic between you and them is now encrypted and unobservable. That seems to be a good thing, but it is not. All that has happened is that your Internet Service Provider (ISP) cannot track your traffic any more, as they now cannot see any of your traffic in cleartext, including the domain name services (DNS) lookups, nor can they monitor your searches. However, your VPN provider now has to take over the DNS resolution, and they certainly can and will profile your behavior. They also profile your search history as that is visible to them. They feed in all of their customers’ traffic into a peering CIX (Central Internet EXchange), and by doing so, provide the only benefit to you, and that is obfuscating your Internet Service Provider (ISP) and geolocation. Any traffic from you though is cleartext from their CIX egress onwards, and so no end-to-end encryption is provided.

In essence, that is not a true VPN. The benefits of this service are very limited. In no case is your traffic encrypted along the entire path from you to the other endpoint of your communication (and it is not even technically possible).