Should You Use A VPN?
In the video below, we go over what a VPN is and whether you should use one
Now, this channel is about IT, not politics, but recently there has been a large uptick in VPN usage because of the laws being passed by politicians
In the case of the UK here, the Online Safety Act is now in force
Pencilled on the back of a sandwich wrapper by its originators and put into law by the Uniparty, this is now being enforced by an unelected and unaccountable body, Ofcom
Dig deeper and you’ll see a common thread as laws like this roll out around the world
Now let’s be clear, age verification does not require ID verification but state monitoring does: “Papers Please!”
Laws like these increase the risks of blackmail and ID theft, as the people behind them will have been warned, and sure enough we have already seen data leaks the moment this law was put in place
Unfortunately these people don’t care about this, nor are they being held to account for their actions
Regardless of the ramifications, these politicians are determined to clamp down on freedom and privacy
As a result, there has been a major uplift in the use of VPNs
But what is a VPN and should you use one?
Overview:
Just so everybody is up to speed, I should first go over what computers get up to, although this is a simplified overview
In order to get access to services on the Internet, you usually sign up for a subscription with an Internet Service Provider or ISP

They’ll then let your computer, phone, tablet and so on, use their network to connect to various servers that are connected to other service providers out there and together this is called the Internet
Now, let’s say you want to connect to a web server somewhere on the Internet
You’ll either type a domain name in your web browser or click a link
For this to work, your computer actually needs the web server's IP address, so it will ask a DNS server to resolve the domain name into one
Then, it will connect to the web server and download information, which your web browser will render on a display
But thanks to new laws being imposed, and others in the planning, technology and politics are now working against you
Politics:
For those of us who live in a so called Democratic world, politicians have started to impose similar laws on us
Basically what they’ve started with is this:
“Papers Please!”
Although these laws are under the guise of age verification, in practice they amount to ID verification because of the methods being used
And if you have to submit any form of ID, it is now held by a third party and can be stolen and used against you
ID theft alone can be a nightmare to deal with and it’s why some companies give you free ID protection for a short while after a data breach
But these laws fundamentally remove any right to privacy on the Internet
Chances are you've heard of NDAs or Non-Disclosure Agreements, but what about TCNs or Technical Capability Notices? These are served under the UK's Investigatory Powers Act, oblige a company to maintain the ability to assist with interception or data access, and the recipient is generally barred from disclosing that it has received one
As important as your ISP may be, it could be acting against you because all of your Internet traffic has the potential to be monitored by the state
Think I’m kidding?
Countries like the UK have already been found to be in breach of laws for snooping on citizens
And recently it was leaked that they served Apple with a TCN demanding back door access to end-to-end encrypted iCloud data
Granted, Apple fought back rather than build a back door, but the result is that Advanced Data Protection was withdrawn for UK users, so most iCloud data uploaded by UK accounts is no longer end-to-end encrypted: Apple holds the keys and can be compelled to hand the data over
And while this may be a win for principles, it’s a major loss for privacy and security!
But these laws placed on companies to mandate so called age verification, are for now, not aimed at individuals
So as long as there are companies out there that only impose these laws on visitors from certain countries, it should be legally possible to get back our privacy and make the Internet safer by using a VPN
But is it…really?
What Is A VPN?:
At its most basic, a VPN or Virtual Private Network is an encrypted point-to-point tunnel between your device and a VPN server
In the diagram, VPN client software is installed and configured on this computer to connect to a VPN server

So in this simple case, while the computer will still talk directly to other computers in the same local network, its default gateway is changed and now becomes the VPN tunnel
Instead of the Internet traffic being sent to the ISP router, it’s now encrypted and sent to the VPN server, through the local ISP
The server at the other end then decrypts it and sends it out its own ISP connection
This can give you back your privacy because your ISP, and thus the state, don’t know what you’re doing on the Internet
OK, your ISP can still see that you are sending encrypted traffic to the VPN server, and roughly how much and when, but it can't tell which web servers you are talking to on the other side
And if the VPN server is in another country, the web server sees traffic originating from the country the VPN server is in
As a result, it may not impose any age verification laws on you or block access
Bear in mind, if you're using VLANs for instance, the VPN tunnel is now the computer's default gateway, meaning traffic for your other subnets will be sent down the tunnel unless you add static routes for them that point at your router
But although there are benefits to using a VPN, there are also problems and it helps to know about both
DNS:
DNS or domain name system has been around for a long time and it allows us to use names instead of numbers, making it much easier to access services on the Internet
The big problem is that classical DNS over UDP port 53 is neither encrypted nor authenticated
Not only can anyone in the path see in plain sight which names you are looking up, they can also inject a forged response that redirects your computer somewhere else
As a result you should be using either DNS over TLS (DoT) or DNS over HTTPS (DoH)
Both methods provide integrity and encryption, but your choice of DNS provider can give you away if you use a VPN
Ideally you want to be using a DNS provider that operates a no logging policy
But they also need to be in a country that can't be served with a secrecy order, such as a TCN, by your own government
In addition, the resolver your queries actually reach should be the one nearest the VPN exit, not the one nearest your home
This is because of what's known as DNS leaking, and you can test for it from sites such as this https://www.dnsleaktest.com/
The authoritative DNS servers for a website see which resolver asked for the name, and a resolver in your home country places you in that country regardless of where your web traffic appears to come from
So if your computer is still using a DNS server in your own country, even with a VPN connection that spits out your traffic in another country, your DNS queries will give you away and checks like age verification will still be imposed on you:
“Papers Please!”
Also bear in mind that web browsers which support DoH may use their own choice of DoH provider by default (Firefox does this in some regions), regardless of the settings of your operating system
So make sure to update your browser settings with the DNS provider you want to use
But even then, the operating system and other applications still do their own lookups, and a fallback to the system resolver can send plain DNS queries through your ISP, revealing which country you are in
One solution is to set up your own DNS forwarder that accepts DoH from clients and sends all queries, over DoH, to your DNS provider of choice
Then there are only two possible paths: if the forwarder's queries go down the VPN, the resolver sees the VPN exit and its answers match that country; if they go out through the ISP, the ISP only sees an encrypted session to the DoH provider, not the names you looked up
Another option is to use a Proxy server combined with a VPN, as I’ll explain later
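The two routing questions raised above (which interface a DNS resolver's queries leave by, and why traffic for another VLAN disappears down the tunnel until a static route is added) come down to a longest-prefix match over the routing table. The following is an added example written for this page, not code from the video or any VPN client: it parses a constructed routing table in the shape `ip route` prints (the interface names, the VPN server address 203.0.113.10 and the resolver addresses are all assumptions) and reports which resolvers would leak outside the tunnel.

```python
import ipaddress

# Constructed routing table in the shape "ip route" prints it (an assumption for
# this example, not taken from the article). tun0 is the VPN tunnel, eth0 the
# LAN-facing interface, 203.0.113.10 the VPN server and 192.168.1.1 the ISP router.
# The 0.0.0.0/1 + 128.0.0.0/1 pair is the usual "redirect-gateway" trick: two
# more specific routes that beat the original default without deleting it.
ROUTES = """
default via 192.168.1.1 dev eth0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
203.0.113.10 via 192.168.1.1 dev eth0
10.8.0.0/24 dev tun0
192.168.1.0/24 dev eth0
"""

# Candidate resolvers a host might be using (constructed): the ISP router doubles
# as a plain-DNS resolver, 10.8.0.53 is the provider's resolver inside the tunnel
VPN_IFACE = "tun0"
RESOLVERS = {
    "ISP router (plain DNS, home country)": "192.168.1.1",
    "VPN provider resolver": "10.8.0.53",
    "public DoH resolver": "9.9.9.9",
}


def parse_routes(text):
    """Parse 'ip route' style lines into (network, device) pairs."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(prefix, strict=False), dev))
    return routes


def egress_interface(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def dns_leaks(routes, resolvers, vpn_iface=VPN_IFACE):
    """Resolvers whose queries would leave the host outside the tunnel."""
    return {name: egress_interface(routes, ip)
            for name, ip in resolvers.items()
            if egress_interface(routes, ip) != vpn_iface}


def add_route(routes, prefix, dev):
    """Return a new table with one extra static route (e.g. for another VLAN)."""
    return routes + [(ipaddress.ip_network(prefix, strict=False), dev)]


if __name__ == "__main__":
    table = parse_routes(ROUTES)
    print("leaking resolvers:", dns_leaks(table, RESOLVERS))
    # A host on another VLAN (192.168.20.0/24) is only reachable via the router,
    # but with the VPN up it is swallowed by the 128.0.0.0/1 route...
    print("192.168.20.5 via", egress_interface(table, "192.168.20.5"))
    # ...until a static route for that subnet is added
    fixed = add_route(table, "192.168.20.0/24", "eth0")
    print("192.168.20.5 via", egress_interface(fixed, "192.168.20.5"))
```

The only resolver that leaks here is the ISP router, because the /24 route for the LAN beats the two /1 tunnel routes; the encrypted tunnel packets themselves still reach the VPN server through the /32 host route on eth0, which is exactly what you want. Running the same check against your real `ip route` output and the resolver addresses from `resolvectl status` or `/etc/resolv.conf` is a quick offline complement to the leak test site.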
SNI and ECH:
Most web connections these days use HTTPS, so you might think your web traffic is private because it's encrypted
But it’s very likely information is being leaked whenever you connect to a web server
In the early days each website was hosted on a dedicated server, but then came cost savings and web servers began hosting multiple websites on the same IP address
In order for TLS to work, the server needs to know which website you want to connect to in order to know which TLS certificate to use for encryption
This is what’s known as the SNI or Server Name Indication
So during that initial connection, your web browser will provide the domain name for the site in plain text, meaning your ISP or anyone else in the path can monitor your Internet activity
Thankfully the security boffins out there are working on a solution
ECH or Encrypted Client Hello is a TLS extension which encrypts even this part of the conversation
The ECH configuration, including the public key the browser encrypts to, is published in the site's HTTPS DNS record, so the browser needs an encrypted DNS lookup (DoH, for instance) to fetch it without leaking the name, which is why I think DoH will win this DNS race
Unfortunately ECH is still relatively new and not widely deployed; the browser, the web server and the site's DNS all have to support it
But even still it would make sense to use a VPN anyway
That's because even with DoH and ECH, the ISP just needs to look at the IP address of the server you're connecting to in order to know what you're accessing
Most big name companies bought up pools of IP addresses that give them away
And websites have static IP addresses in general, so unless content is served on a CDN or Content Delivery Network it’s relatively easy to monitor your Internet activity
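To make the SNI point concrete, here is an added example (my own code, not from the video or from any TLS library) that builds a minimal ClientHello and then parses it the way a passive observer on the path would, pulling out the server name in the clear. The second sample imitates an ECH outer ClientHello: the visible SNI is only the provider's public name and the real name sits in the ECH extension, which is an opaque placeholder here rather than a genuine HPKE-encrypted inner hello. The fixed random bytes, single cipher suite and host names are all assumptions for the example.

```python
import struct

SNI_EXT = 0x0000   # server_name extension type
ECH_EXT = 0xFE0D   # encrypted_client_hello extension type


def _u16(n):
    return struct.pack("!H", n)


def build_client_hello(server_name, extra_extensions=b""):
    """Build a minimal TLS ClientHello record carrying an SNI extension.
    The fixed random bytes and the single cipher suite are placeholders for this
    example, not what any real browser sends. Names are A-labels (ASCII)."""
    name = server_name.encode("ascii")
    entry = b"\x00" + _u16(len(name)) + name                         # host_name, type 0
    sni_ext = _u16(SNI_EXT) + _u16(len(entry) + 2) + _u16(len(entry)) + entry
    extensions = sni_ext + extra_extensions
    body = (b"\x03\x03" + b"\x11" * 32       # legacy_version + 32-byte random
            + b"\x00"                         # empty legacy_session_id
            + _u16(2) + b"\x13\x01"           # one cipher suite: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                     # one compression method: null
            + _u16(len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # type client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake        # handshake record


def inspect_client_hello(record):
    """What a passive observer sees: (server name or None, ECH extension present?)."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None, False
    p = 9 + 2 + 32                                     # record hdr, hs hdr, version, random
    p += 1 + record[p]                                 # legacy_session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher_suites
    p += 1 + record[p]                                 # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    sni, ech = None, False
    while p + 4 <= end:
        ext_type, length = struct.unpack("!HH", record[p:p + 4])
        data = record[p + 4:p + 4 + length]
        p += 4 + length
        if ext_type == SNI_EXT:
            q = 2                                      # skip server_name_list length
            while q + 3 <= len(data):
                name_type = data[q]
                name_len = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if name_type == 0:
                    sni = data[q:q + name_len].decode("ascii")
                q += name_len
        elif ext_type == ECH_EXT:
            ech = True
    return sni, ech


# Constructed samples: a plain HTTPS ClientHello, and an ECH-style outer hello whose
# visible SNI is only the public name; the ECH payload is a dummy 4-byte placeholder.
PLAIN = build_client_hello("example.org")
OUTER = build_client_hello("public.example.net",
                           extra_extensions=_u16(ECH_EXT) + _u16(4) + b"\x00\x01\x02\x03")

if __name__ == "__main__":
    print(inspect_client_hello(PLAIN))   # ('example.org', False)
    print(inspect_client_hello(OUTER))   # ('public.example.net', True)
```

Anything that sits between you and the web server, your ISP included, can run exactly this parse on the first packet of every HTTPS connection; with a VPN that packet is wrapped inside the tunnel and the ISP only sees the outer connection to the VPN server. With ECH the observer still recovers a name, but only the shared public name, which is why ECH only helps when the real site is one of many behind that name.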
Fingerprinting:
Even if you use a VPN and various other methods of encryption, your web browser can give you away
Over the years, we’ve seen cookies, trackers, etc; Businesses are quite determined to know more about you, even if it’s just to make money selling your data
But another challenge we face is that your web browser has an identity of its own, it has a fingerprint
One way to check how well your web browser resists this is to use this tool https://coveryourtracks.eff.org/
In order to serve up pages that suit your device, your web browser exposes a lot of information about your computer (user agent, language, screen size, fonts, time zone, canvas rendering and so on) and usually hands it to any website that asks for it
So if you use a web browser to connect to a site without a VPN and then with a VPN…gotcha!
Someone out there could put two and two together and realise which country you’re really from and so even if you use a VPN, you’ll be asked:
“Papers Please!”
Think I’m kidding?
Ofcom, here in the UK, began gathering information about VPN usage for instance, and governments and states are considering blocking VPNs and/or requiring ID verification for their use
This is becoming quite the game of cat and mouse
So what else can you do for now?
Well web browsers like LibreWolf and the one from Mullvad take different approaches to try and make it harder to identify you based on fingerprinting
If your Internet traffic is then mixed up amongst other VPN users, it will be harder to identify you individually
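The "gotcha" above is a join on the fingerprint rather than on the IP address. As an added illustration (my own code, not the video's and not how the EFF tool is implemented), the block below hashes the browser-supplied attributes of a handful of constructed visits, links the two visits that share a fingerprint despite arriving from a home IP and a VPN exit IP, and works out how many bits of identifying information each attribute gives away using the same surprisal measure (-log2 of the fraction of visitors sharing a value) that fingerprinting tools report. All the visits, addresses and attribute values are made up for the example.

```python
import hashlib
import math

# Constructed visits (not real data): what a site can record about each request
# without any cookie. The first two are one person, once from home and once via
# a VPN exit; the last visitor shares that VPN exit IP but is a different browser.
VISITS = [
    {"ip": "203.0.113.55", "ua": "Firefox/128.0 (Windows NT 10.0; Win64)", "lang": "en-GB,en;q=0.5",
     "tz": "Europe/London", "screen": "2560x1440x24", "canvas": "c0ffee01"},
    {"ip": "198.51.100.7", "ua": "Firefox/128.0 (Windows NT 10.0; Win64)", "lang": "en-GB,en;q=0.5",
     "tz": "Europe/London", "screen": "2560x1440x24", "canvas": "c0ffee01"},
    {"ip": "203.0.113.80", "ua": "Chrome/126.0 (Windows NT 10.0; Win64)", "lang": "en-GB,en;q=0.5",
     "tz": "Europe/London", "screen": "1920x1080x24", "canvas": "deadbeef"},
    {"ip": "192.0.2.33", "ua": "Safari/17.5 (Macintosh; Intel Mac OS X)", "lang": "en-US,en;q=0.9",
     "tz": "America/New_York", "screen": "2560x1600x30", "canvas": "feedface"},
    {"ip": "192.0.2.90", "ua": "Firefox/128.0 (Windows NT 10.0; Win64)", "lang": "de-DE,de;q=0.8",
     "tz": "Europe/Berlin", "screen": "1920x1080x24", "canvas": "0badf00d"},
    {"ip": "198.51.100.7", "ua": "Chrome/126.0 (X11; Linux x86_64)", "lang": "fr-FR,fr;q=0.8",
     "tz": "Europe/Paris", "screen": "1366x768x24", "canvas": "8badbeef"},
]
ATTRS = ("ua", "lang", "tz", "screen", "canvas")


def fingerprint(visit):
    """Stable identifier derived only from browser-supplied attributes, never the IP."""
    material = "|".join(visit[a] for a in ATTRS)
    return hashlib.sha256(material.encode()).hexdigest()[:16]


def identifying_bits(value, population):
    """Surprisal of one attribute value: -log2(fraction of visits sharing it)."""
    share = sum(1 for v in population if v == value) / len(population)
    return -math.log2(share)


def profile_bits(visit, visits):
    """Bits each attribute contributes, plus the bits of the whole fingerprint.
    The whole is less than the naive sum because attributes are correlated."""
    per_attr = {a: identifying_bits(visit[a], [v[a] for v in visits]) for a in ATTRS}
    whole = identifying_bits(fingerprint(visit), [fingerprint(v) for v in visits])
    return per_attr, whole


def linked_ips(visits):
    """Fingerprints seen from more than one IP: VPN and non-VPN visits tied together."""
    seen = {}
    for v in visits:
        seen.setdefault(fingerprint(v), set()).add(v["ip"])
    return {fp: sorted(ips) for fp, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    for fp, ips in linked_ips(VISITS).items():
        print(f"fingerprint {fp} seen from {ips}")
    per_attr, whole = profile_bits(VISITS[1], VISITS)
    print({a: round(b, 2) for a, b in per_attr.items()}, "whole:", round(whole, 2))
```

Two things fall out of this. First, the VPN user is linked to their home address purely by the fingerprint, so the exit country never mattered. Second, the other visitor sharing the VPN exit IP is not mixed in with them at all, because their fingerprint differs: being one of many users behind an exit address only protects you if your browser also looks like theirs, which is the argument for the uniform-looking browsers mentioned above.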
User Accounts:
A major flaw when using a VPN is logging into an account
It's then blatantly obvious who you are, which renders using a VPN for privacy pointless
There’s all sorts of data out there about you, so don’t make it that easy to identify you
If you have to login to a server, accept your ID can’t be hidden under those circumstances and let that traffic go through the ISP’s network as is
Besides, financial sites may well refuse access via a VPN
Now you could and should use different account names for different websites, and as long as you don’t have to provide real information, you could potentially get by with doing that over a VPN
But the safest approach is to only use a VPN for anonymous web surfing, using a dedicated web browser for that purpose
This way sites can't tie VPN and non-VPN activity together through the same web browser
This wards off one of the major concerns of being profiled
Security Risks:
Even if a provider puts a lot of security layers in and around a VPN server to protect the server and you, you’re still taking a risk and putting a lot of trust in the provider
And no matter what they do, the server can still be breached
Especially because they tend to use third party hosting providers around the world
NordVPN for instance experienced a breach of sorts and they weren’t aware of the incident for some time and it was longer still before this became public knowledge
In that situation client data could be monitored, so bear that in mind
Even if your actual data is encrypted, who's to say the data centre provider isn't under a secrecy order to monitor it?
If so, you haven’t really gained anything by using a VPN, you’ve just moved the point at which your traffic is being monitored by the state
Now I’ve been installing VPNs since they first came out and one thing you really need to be aware of is that VPN client software typically leads to bi-directional traffic
In other words, the client can send traffic to the server and the server can send traffic to the client
Now the service provider should put in place mechanisms to prevent their server from initiating traffic towards clients, but if the server is ever compromised for instance that could become a major problem
It’s then down to whatever security you have in and around your own computer to handle this threat because the VPN tunnel bypasses the firewall that protects you from the Internet
Whether you're using the firewall on your ISP router or a dedicated firewall, it lets the VPN tunnel out and back in, so its protection is bypassed for anything arriving through the tunnel
A browser extension or browser with its own VPN or proxy support may well be a better option if the VPN provider offers this, because the tunnel is then confined to the browser rather than the whole operating system
Another option is to create your own proxy server and put in a DMZ or Demilitarised Zone

Your computer uses a Proxy, which in turn only uses a VPN to access the Internet
Because the Proxy is behind a firewall, and can’t initiate traffic towards your computer, there’s less likelihood of your actual computer and the data on it being compromised
Kill Switches:
VPN providers typically offer what are known as kill switches for their applications
If you install their client software on your phone for instance, then typically all of your traffic is going through a VPN tunnel
And that's great if you're using a Wi-Fi service in a hotel or café, because this also protects you from the security risks of public Wi-Fi services
But what if the VPN connection fails?
Well in that case you probably don’t want to be accessing the Internet because the Wi-Fi is no longer safe
In addition, you’ll be giving away your country of origin
In which case you can opt for their kill switch option
If the VPN connection doesn’t work or fails, traffic will be blocked
Otherwise you could run into the dreaded:
“Papers Please!”
Provider Choice:
Should you decide to use a VPN provider, the question becomes, which one should I use?
In that case I suggest you check out channels like these ones for further guidance:
https://www.youtube.com/@techlore
https://www.youtube.com/@NaomiBrockwellTV
Although there are a lot of VPN providers out there, few stand up to scrutiny and @techlore in particular covers this well
One thing I'll point out though is that Kape Technologies in particular raises a lot of questions and yet owns a lot of the VPN brands out there
I STRONGLY recommend you read up on this company, mainly because it used to be known as Crossrider
https://www.cnet.com/tech/services-and-software/what-is-kape-technologies-what-you-need-to-know-about-the-parent-company-of-cyberghost-vpn/
And yet I’ve seen channels including a news company here in the UK regularly recommending you use one of their products
Even if you’re willing to overlook past actions, bear in mind the parent company is registered in the UK
No matter what privacy policy or terms and conditions you see, if a company is subject to a secrecy order such as a TCN, it can't tell you what's really going on
In any case, as a rule of thumb, don’t pick a provider which is registered in a country where invasive laws like the OSA are being applied
And opt for providers that are transparent, are independently audited and operate a no logs policy
Given the use of third party data centres, a feature called multi-hopping or double VPN is essential
While it adds latency, the idea is that the initial connection goes to a server the VPN provider controls directly
Then your traffic is re-encrypted and forwarded to another VPN server in the exit country you want
So even if the final server is being monitored, whoever is watching sees traffic arriving from the first hop rather than from your real IP address, and your country of origin isn't exposed
Ultimately, you’re moving your point of trust from your own ISP to a VPN provider, so choose wisely
Sharing is caring!