Labs Presents: Evaluating Personal VPNs

The personal VPN (virtual private network) is a weird little technological beast. The concept implies privacy and security, therefore privacy and security are not only paramount to a personal VPN, but one of the selling points. The VPN’s job is to hide or otherwise obscure some aspect of the underlying communications of an individual user during this user’s traversal of the Internet.

Some are better suited for certain situations than others and they come in different flavors.

There are literally hundreds of choices, several types of applicable scenarios, and a myriad of features (or lack thereof) to contend with. Most online reviews look at how friendly the GUI is and leave out any technical evaluation as to how well it does what it does. Evaluating a personal VPN is hard, but here are some guidelines to make your decision based on your own needs.

What is a Personal VPN?

At its most basic level, the VPN has one main job—encrypt communications inside a private network tunnel so that someone else cannot spy on, or manipulate, the network connection. There are two types of VPNs—corporate and personal. Both encrypt the private communication channel and often use some of the same libraries and code bases for their development.

The corporate VPN extends a virtual hand (or more specifically, a network segment) out to the employee trying to connect to corporate resources from a potentially hostile network. The idea is simple—get the network traffic to and from the user and the corporate network without compromising either of them, or the traffic in transit. The corporate VPN protects the corporate network from an intrusion resulting from a remote user’s exposed connection.

The personal VPN is similar to the traditional corporate VPN in that it gets users to the services they want without fear of being monitored or having their packets manipulated in transit. Like corporate VPNs, personal VPNs set up encrypted connections to thwart sniffing and basic manipulation of interactive network protocols. Personal VPNs also let users hide their public IP address from others, such as over-zealous web administrators and repressive or restrictive governments. A personal VPN can also bypass network restrictions that block connections to certain Internet resources based on the physical location of the user, of the resource, or both. Finally, a user on a personal VPN can do things on the Internet anonymously, such as using services that could be monitored or served with a search warrant, without revealing identity or location, although that anonymity only holds as far as the VPN vendor itself can be trusted not to record, or be compelled to hand over, who was behind a given address.

Not all personal VPNs can do all of these things.

Finding the Right Personal VPN

When in the market for a new backpack, people type in “best backpack” in Google Search and whittle down the list based on pictures of backpacks and descriptions of features. This doesn’t work as well for software because it is easy to cover up something a bit dodgy with a nice interface. Type “best personal vpn” into Google—it is a strange world of ad-generating “review” sites intent on making money.

Reviews published by a media outlet that displays ads are nothing new. Consumer Reports proved it can work—honest ads and thorough reviews. Software reviews skirt the edge of conflict of interest when the reviewer is looking at a product from XYZ and publishing the review on a site that takes advertising money from XYZ. And then there are sites solely dedicated to reviewing personal VPNs that also provide referral links to the VPN vendors.

That’s right, that list of the top 10 VPNs on that VPN review site generates revenue each time you follow a link to the VPN vendor and sign up. Even less favorable reviews are clickable and money-generating, and for most of these dedicated review sites, the entire revenue model involves referrals and placed ads. It is especially interesting when you go from the browser tab with the VPN vendor back to the tab with the VPN review site, and you see a sponsored pop-up steering you to a different VPN vendor. Yes, they sell advertising packages to vendors this way.

Read the fine details in the review site's “about” section. Many are extremely upfront, but others make the section hard to find or bury the information under legalese. Sites like Wirecutter specifically state that this is how they operate, and stress that while they don’t take ad revenue from all the products they review, the reviewers themselves do not know whether the product they are reviewing paid for ad space or not.

There are several hundred personal VPNs out there with a variety of features and implementation choices. It is up to the user to match the feature choices against the user’s personal threat model.

To harken back to when I went backpack shopping, I spent a lot of time reading reviews, but I tried my best to develop my own criteria for what I was looking for and went to great lengths to research. I remember looking for sightings of specific backpacks in videos on YouTube where they packed a ton of crap into them - whether they were reviewing the backpack and included overstuffing, or they were talking about how to best pack for an overseas trip - all in an attempt to see if I thought the bag would fit my needs.

In other words, to review personal VPNs, I needed to first illustrate the relationship between needs and available features, because like a backpack I needed to know how they performed in more of a real-world scenario. I needed to determine the following:

  • What features do I need? More to the point, what is my threat model?
  • How do I plan to use a personal VPN? In other words, why get one?
  • Does the personal VPN actually do what it says it does? Does it, or the vendor itself pose a threat of some sort, intentional or otherwise?

What is Your Threat Model?

Everyone's threat model is different, and so is what they expect a personal VPN to do: stopping someone on the same coffee-shop Wi-Fi from sniffing or tampering with your traffic is a very different requirement from hiding your identity and location from a government that can subpoena, or compromise, the vendor. Before selecting a VPN, write down what you need it to protect against and from whom; the pitfalls that follow only matter in relation to that.

Pitfalls of Personal VPNs

Depending on what the personal VPN is doing under the hood and how it is configured, users may wind up with unexpected problems.

Pitfall 1: Fail open

If the VPN connection drops while the client is still running, the device keeps working and starts talking to the Internet over its normal connection, in the clear. This is a problem if the user never notices that the VPN is not working. To prevent this, a personal VPN needs a fail-safe option, usually called “Kill Switch” mode (probably because it sounds cool): in practice, firewall rules that drop any traffic not headed into the tunnel until the tunnel comes back.

Pitfall 2: DNS leaks.

A DNS leak is a name lookup that escapes the tunnel. Either the query itself goes out over the normal interface, to the ISP's resolver or to the local router, or something in the lookup path carries the device's real IP address outside the VPN. Either way, whoever runs that resolver sees every hostname you visit, which defeats much of the point. Preventing this is considered a primary function of a personal VPN, but it needs to be tested rather than assumed.

Pitfall 3: Infrastructure

A lack of robust infrastructure is a downside of any personal VPN solution. The two biggest factors to consider are how many servers the vendor has and in how many different countries those servers are placed.

If your vendor has a hundred servers, great. If 98 of them are located in Russia and you’re using the personal VPN to avoid the Russian government, that is too much of a home-field advantage for the Russians. If you just want to protect yourself while you’re at Starbucks, the number of countries and servers might not be as important.

Pitfall 4: Technological issues cause leaks.

Most browsers ship with WebRTC enabled by default. A page with a bit of JavaScript can ask the browser to gather ICE candidates, the addresses it would use to set up a peer-to-peer session: the browser collects addresses from its local interfaces and asks a STUN server which public address it sees. If that STUN request goes out over the physical interface rather than through the tunnel, the ISP-assigned address lands in the candidate list for the page's script to read, with no permission prompt. Many VPN clients handle the usual JavaScript-based DNS tricks, but not all block WebRTC, so either confirm the client does or disable WebRTC in the browser yourself.

Pitfall 5: No tracking and connection logs.

Most personal VPN companies state they do not track personal information such as what sites you visit, your browser version, or whatever else your computer might be spewing out while on the VPN. Many state they do not keep connection information either, meaning when you started and stopped the VPN and what IP address you connected from. This matters because if the vendor is subpoenaed it can be compelled to turn over all of that data, and the same danger exists if the vendor is pwned by a spy agency.

Remember, tracking what sites you visit is considered “tracking logs” and when you connect using the VPN it is considered “connection logs”. Some vendors may give these different names, but that is essentially it. And remember if there are data caps because you are using the Free or Basic plan, they have to track some stats to be able to keep your account within the confines of that data cap. So some data is going to be tracked in some form - try to find out how.

Pitfall 6: No personal data collected.

This is kind of a lie of sorts. Well, not really, but many vendors state they collect no data on you at all. When it comes to billing, they have to know how to get your money. They need your email address to let you know whenever your contract is just about up, to pass on information, and to reset the password on your account. So some information is collected. If you are worried about being able to get a refund in case they screw you, it helps to use a credit card so you have the credit card company on your side, because Bitcoin is not a credit card company and couldn’t give a shit, because, well, it isn’t a company - it’s a cryptocurrency.

Pitfall 7: No free evaluation.

One way you might be able to test a personal VPN is by downloading and using the free version. Free versions are usually crippled in some way - fewer choices on which countries you can route packets through, data caps, missing features - but you can at least test for things like DNS leaks. You can also try to take advantage of the “money-back guarantee” period (usually 7 days), although when purchasing something via Bitcoin from a company based in a country on the other side of the planet, well, good luck. With one of the vendors I did a quick evaluation on, I had to get my credit card company involved to get my money back.

Pitfall 8: Different plans offer different security.

A company might have a Basic plan and an Advanced plan - each with its own software client, and each with its own features to match. What if Kill Switch mode or the included ad blockers that sounded so cool are only in the Advanced plan client? Be sure the features you want are in the plan you are getting.

Pitfall 9: Jurisdiction of vendor’s home country.

The United States government can ask any company for whatever data they want during an investigation, and that company can give it to them freely. If the company says no but its headquarters is located in the United States, there are legal options the government can pursue (e.g. a subpoena). If the data gathered by the government is used in a court case, additional rules will apply. While this is a massive simplification, it gives you a flavor.

The basic issue is the jurisdiction the VPN vendor falls under. If you don’t trust the U.S. government, you probably do not want to use a vendor headquartered in the United States. Other nations have different data retention and privacy laws that may figure prominently in your decision, depending on your needs. Remember what we said about connection logs kept to enforce a data cap or simply to let you connect on whatever plan you are on: whatever is retained is retained under that jurisdiction's rules, so it figures into the same discussion.

Pitfall 10: Payment Methods

There are several different ways to pay for personal VPNs. All seem to support credit cards and online transaction services (where a trusted mediator such as PayPal or AliPay handles the money exchange), and a few support digital currencies (Bitcoin, etc.). Some vendors with phone clients support subscriptions via the app store. If the personal VPN vendor has bad reviews from users stating they had trouble getting refunds, you might want to pick a payment method that lets you quickly get your money back. If you do not trust the jurisdiction and would like to keep your payment information out of government hands, you are going to want a payment method that allows you to remain anonymous.

Evaluating the Right VPN

The main thing we need to test for is leakage of data that can identify your real IP address (and subsequently your location). There are the traditional methods of injecting elements into a page you load, such as JavaScript or an extra iframe. Then you have something relatively new such as WebRTC (Web Real Time Communications), which allows audio and video streaming from a browser but also allows browser-based peer-to-peer communication, and with it a way to learn the addresses the browser is willing to use.
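The WebRTC check described in Pitfall 4 and in the paragraph above, as an added example that is not part of the original article and not any vendor's test tool. The browser-side part asks WebRTC to gather ICE candidates without placing a call; the pure functions parse the candidate strings and flag any public address other than the VPN egress address you expect. The STUN URL, the expected egress address 198.51.100.42 and the sample candidate strings are assumptions made for this example.

```javascript
// Added example (not from the original article). Two parts:
//  1. gatherIceCandidates(): browser-side probe that asks WebRTC to gather
//     ICE candidates without ever placing a call; each candidate carries an
//     address the browser is willing to reveal to the page.
//  2. findWebRtcLeaks(): pure function (runs in Node as well) that parses
//     candidate strings and reports any public address that is not the VPN
//     egress address you expect.
// The expected egress address below is a hypothetical value; take the real
// one from a "what is my IP" service visited through the tunnel.

// candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> ...
const CANDIDATE_RE = /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/;

function parseCandidate(candidate) {
  const m = CANDIDATE_RE.exec(candidate);
  if (!m) return null;
  return { address: m[5], port: Number(m[6]), type: m[7], protocol: m[3].toLowerCase() };
}

function isPrivateOrLocal(address) {
  // mDNS-obfuscated host candidates (<uuid>.local) reveal nothing on their own.
  if (address.endsWith('.local')) return true;
  if (address.includes(':')) { // IPv6: loopback, link-local (fe80::/10) or ULA (fc00::/7)
    const a = address.toLowerCase();
    return a === '::1' || /^fe[89ab]/.test(a) || /^f[cd]/.test(a);
  }
  const [o1, o2] = address.split('.').map(Number);
  return o1 === 10 || o1 === 127 ||
         (o1 === 172 && o2 >= 16 && o2 <= 31) ||
         (o1 === 192 && o2 === 168) ||
         (o1 === 169 && o2 === 254) ||
         (o1 === 100 && o2 >= 64 && o2 <= 127); // carrier-grade NAT range
}

// Any routable address that is not the tunnel's egress is a leak: a srflx
// candidate carrying the ISP-assigned address means the STUN request
// bypassed the VPN.
function findWebRtcLeaks(candidates, expectedEgressIp) {
  const leaks = [];
  for (const c of candidates) {
    const p = parseCandidate(c);
    if (!p || isPrivateOrLocal(p.address)) continue;
    if (p.address !== expectedEgressIp) leaks.push({ ...p, candidate: c });
  }
  return leaks;
}

// Browser-side gathering. Resolves with the raw candidate strings once ICE
// gathering finishes (or after timeoutMs). Returns [] outside a browser so
// the module still loads in Node.
function gatherIceCandidates(stunUrl = 'stun:stun.l.google.com:19302', timeoutMs = 3000) {
  if (typeof RTCPeerConnection === 'undefined') return Promise.resolve([]);
  return new Promise((resolve) => {
    const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
    const found = [];
    const done = () => { pc.close(); resolve(found); };
    pc.onicecandidate = (ev) => { if (ev.candidate) found.push(ev.candidate.candidate); else done(); };
    pc.createDataChannel('probe');            // ICE only runs once there is something to negotiate
    pc.createOffer().then((offer) => pc.setLocalDescription(offer));
    setTimeout(done, timeoutMs);
  });
}
// In a browser console while on the VPN:
//   gatherIceCandidates().then(c => console.log(findWebRtcLeaks(c, EXPECTED_VPN_EGRESS)));

// Constructed sample (not captured from a real browser): the host candidate
// is the LAN address (harmless), the second is mDNS-obfuscated, and the srflx
// candidate exposes the ISP-facing address 203.0.113.7 instead of the egress.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.10 53412 typ host generation 0',
  'candidate:2 1 udp 2122260223 5f1a3c2e-8b1e-4e6a-9f0a-0c7d2b1e9f3a.local 53413 typ host generation 0',
  'candidate:3 1 udp 1686052607 203.0.113.7 53412 typ srflx raddr 192.168.1.10 rport 53412 generation 0',
];
const EXPECTED_VPN_EGRESS = '198.51.100.42';   // hypothetical tunnel egress address

console.log(findWebRtcLeaks(SAMPLE_CANDIDATES, EXPECTED_VPN_EGRESS));
```

If the only routable address in the list is the tunnel egress, WebRTC is being carried inside the VPN and there is nothing to fix; an empty list also results when the client or a browser extension blocks candidate gathering outright, so check that host candidates show up at all before trusting a clean result.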

The main methods of testing can take two paths - using one of the many existing testing services (like the test for WebRTC), or setting up your own testing environment. Many of the testing services are run by personal VPN companies themselves trying to scare you into picking their product.

Setting up your own environment is not as easy, as it involves setting up your own web server to serve up files with little bits of code (mainly JavaScript) to invoke something that will cause a leak of the IP address. A lot of leakage testing was done with some open source tools, including those from ExpressVPN (how is that for irony?). You may want to set up your own DNS server so you can watch for those non-VPN lookups, or at least sniff your testing unit’s network traffic while running through the various tests.

I used both methods and can say that the results were the same whether I used my own environment or the free resources. Even though the online resources are run by companies with a product to sell, getting the tests wrong would cause people to lose confidence, and these companies regularly check out the competition to make sure a competitor’s testing tools are accurate.

If you want to test Kill Switch Mode, simply hook up a sniffer on the network segment and watch how the computer running the evaluation reacts to the Internet going down (pulling the uplink cable on your router should do the trick, since that kills the tunnel while the local network stays up). If after a few seconds you start seeing normal traffic pouring out of the evaluating computer, it failed open. As long as the VPN software is up and running, it should be all or nothing.
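A capture-based check that covers both the DNS-leak test (Pitfall 2, and the suggestion above to sniff the testing machine's traffic) and the fail-open test just described, as an added example that is not from the original article or from any vendor's tooling. It reads the text output of `tcpdump -n` taken on the physical interface of the machine under test and classifies each outbound packet as tunnel traffic, LAN chatter, a DNS leak, or a plain leak. The VPN server 203.0.113.5 on UDP 1194, the LAN 192.168.1.0/24 and the sample capture lines are constructed assumptions for the example.

```javascript
// Added example (not from the original article): classify packets in a
// `tcpdump -n` text capture taken on the physical interface of the machine
// under test. Anything leaving the box that is not (a) the encrypted tunnel
// to the VPN server or (b) local LAN chatter has escaped the VPN.
//
// Assumed test setup (hypothetical values): VPN server 203.0.113.5 over
// UDP 1194, test machine on 192.168.1.0/24.

// "<ts> IP <src>.<sport> > <dst>.<dport>: <info>"; ports are absent for ICMP.
const TCPDUMP_IP_LINE =
  /^(\S+) IP (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))? > (\d+\.\d+\.\d+\.\d+)(?:\.(\d+))?: (.*)$/;

function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => ((acc << 8) | Number(o)) >>> 0, 0);
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

function parseTcpdumpLine(line) {
  const m = TCPDUMP_IP_LINE.exec(line.trim());
  if (!m) return null;                        // ARP, IPv6, truncated lines: skipped
  return {
    ts: m[1],
    src: m[2], sport: m[3] ? Number(m[3]) : null,
    dst: m[4], dport: m[5] ? Number(m[5]) : null,
    info: m[6],
  };
}

function classifyPacket(pkt, cfg) {
  if (!inCidr(pkt.src, cfg.lanCidr)) return 'inbound';   // only outbound packets can leak
  if (pkt.dst === cfg.vpnServer && pkt.dport === cfg.vpnPort) return 'tunnel';
  // DNS to anything but the tunnel is a DNS leak, even when it goes to the
  // home router: the router just forwards it to the ISP resolver in the clear.
  if (pkt.dport === 53) return 'dns-leak';
  if (inCidr(pkt.dst, cfg.lanCidr) || inCidr(pkt.dst, '224.0.0.0/4') ||
      pkt.dst === '255.255.255.255') return 'lan';
  return 'leak';                              // cleartext Internet traffic outside the tunnel
}

// Run over a capture taken with the VPN up: dnsLeaks must be empty.
// Run over a capture taken after the uplink is pulled: leaks must be empty,
// otherwise the client failed open (no working kill switch).
function analyzeCapture(lines, cfg) {
  const report = { tunnel: 0, lan: 0, inbound: 0, dnsLeaks: [], leaks: [] };
  for (const line of lines) {
    const pkt = parseTcpdumpLine(line);
    if (!pkt) continue;
    const kind = classifyPacket(pkt, cfg);
    if (kind === 'dns-leak') report.dnsLeaks.push(pkt);
    else if (kind === 'leak') report.leaks.push(pkt);
    else report[kind] += 1;
  }
  report.dnsLeaked = report.dnsLeaks.length > 0;
  report.failedOpen = report.leaks.length > 0;
  return report;
}

// Constructed sample capture (not real traffic). The first four lines are
// healthy: tunnel traffic both ways, ARP and mDNS on the LAN. The last two are
// what a broken client produces: a DNS query to the router's resolver and a
// plain TLS handshake leaving over the physical interface.
const SAMPLE_CAPTURE = [
  '14:02:31.412345 IP 192.168.1.10.51234 > 203.0.113.5.1194: UDP, length 120',
  '14:02:31.420000 IP 203.0.113.5.1194 > 192.168.1.10.51234: UDP, length 88',
  '14:02:31.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28',
  '14:02:31.600000 IP 192.168.1.10.5353 > 224.0.0.251.5353: UDP, length 45',
  '14:02:45.000000 IP 192.168.1.10.45001 > 192.168.1.1.53: 4711+ A? example.com. (29)',
  '14:02:45.100000 IP 192.168.1.10.40000 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0',
];
const CFG = { vpnServer: '203.0.113.5', vpnPort: 1194, lanCidr: '192.168.1.0/24' };

console.log(JSON.stringify(analyzeCapture(SAMPLE_CAPTURE, CFG), null, 2));
```

To use it on a real run, capture with `tcpdump -n -i <physical interface>` once while the VPN is up and browsing normally, and once more after pulling the router's uplink cable, then feed each file's lines to `analyzeCapture` in place of the sample. Adjust `vpnServer`/`vpnPort` to the endpoint your client actually connects to (visible in the first few packets of the capture); a client that switches endpoints mid-session will otherwise show up as false leaks.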

Having said all of that, the test results were boring - there was no DNS leakage, all tested vendors’ Kill Switch Mode worked, and the only issue found in a few vendors involved WebRTC, and this can be disabled in your browser or via free extensions anyway.

I would advise you to make sure your system is up to date with the latest patches, and that your browser (often your main connection to the Internet) is adjusted for maximum security and privacy (check out my recommended browser settings). This is not required, but it certainly makes sense to help establish a strong baseline. For example, disabling WebRTC in the browser prevents the few leaks found in testing these major vendors, which takes care of the ones that had issues.

Your steps for evaluating personal VPNs are as follows:

  • Decide what risk scenarios you are trying to mitigate.
  • Decide what features you need from a personal VPN, including infrastructure, payment choices, and so on.
  • Test for DNS leaks, WebRTC leaks and fail-open behaviour using open source tools or the free evaluation sites, ideally both, with a sniffer running on the test machine's network segment.
  • Patch your system (security 101) and adjust browser settings to help lock things down to begin with.

Whether your operating system is supported or the GUI has all the cool bells and whistles should be one of the last things you evaluate. This is a security- and privacy-enhancing tool; if it can’t handle the basics of security and ensuring your privacy, you should not be evaluating it further.