6 June 2020

VPN encryption: Is it as secure as they tell us?

Data protection scandals, security breaches, hacking and various scenarios of mass surveillance have led users to worry about their privacy on the Internet, and with good reason. However, users often seek their salvation in the usually aggressively advertised VPN encryption. “Anonymous surfing”, “secure online streaming”, “100% anonymity” and similar promises are commonplace. It is therefore worth checking how secure this VPN encryption really is on the modern World Wide Web.

VPN connection? What is that anyway?

Virtual private network: this is what the abbreviation “VPN” stands for. In a VPN, data remains protected during transport. If you are using VPN software, you first connect in encrypted form to your VPN provider, who then forwards you to the Internet, so you do not use a direct connection to the Internet.

During the process your data is anonymized. The connection request runs through a server (node) of your VPN provider, and you as the user are assigned a new IP address. The purpose is to protect your actual IP address, which serves as the identification number of your device. In summary, a VPN pursues the goal of making your computer invisible on the web.

You often hear the term “VPN tunnel”. The tunnel comparison fits the way VPNs work quite well: only those who drive through the tunnel can see and influence the traffic, while a driver outside the tunnel cannot see what is happening inside. The situation is similar with VPN connections: since VPN encryption is used for data transmission, a possible attacker could recognize that a connection is being established via this tunnel, but cannot see what is being transmitted or where it is going.

Internet security or empty promises: What does a VPN do?

As you have read in the previous paragraph, the VPN endpoints are protected – this means: VPN encryption only protects the traffic from the user to the provider’s VPN servers. If a connection is established, the possible point of attack is simply shifted. If the sent data is not protected in any other way, it can still be read between the VPN server and the actual destination.

A further problem is that users may end up with dubious VPN providers. These providers may want to follow the trend and offer insufficiently mature software. Or providers may disguise their software as a VPN tool while viruses or Trojans are hidden behind it. One should be especially careful with free tools. The magazine digitalwelt.org has set itself the task of compiling a list of reputable VPN providers including their ratings.

Also worth reading is the article “Anonymity: The unfounded advertising promises of VPN providers” on kuketz-blog.de. This article shows the immense discrepancy between the advertising promises of various VPN providers and the actual state of affairs.

And what about data protection?

VPNs are often advertised on the basis of data protection; after all, in times of mass surveillance, metadata must also be protected. Metadata is information about other information resources. When sending an e-mail, for example, there is metadata in addition to the content of the message: the sender, the recipient, the time and date of sending and other information. Are VPNs a good solution for this?

One must not lose sight of how VPNs work: they centralize all data connections at one point. If a secret service wants to monitor data traffic efficiently, the strategically most sensible place to do so would be close to the VPN access nodes.

Security risk VPN: How it works better

Instead of only encrypting the path between the VPN client (the user) and the VPN server (the provider), it makes sense to encrypt the entire path from the sender to the destination.

This is also standard nowadays: by means of SSL certificates, numerous websites are already end-to-end encrypted. Via HTTPS, a large number of all websites are delivered with TLS encryption. This protects not only against curious third parties, but also against data manipulation. Technologies like HSTS instruct the browser to use only HTTPS for a site, so that unencrypted HTTP connections to it are not possible.

When is VPN encryption useful at all?

We don’t want to demonize VPNs at all: there are very useful application scenarios! VPNs were not originally designed to surf the World Wide Web “100 percent anonymously” and without a trace. They were intended for other applications, where they are still useful:

If you are in a public WLAN and want to protect yourself from eavesdroppers, use a VPN. VPN encryption can also be used when external employees are connected to the company network. In countries where the Internet is censored, such geoblocking can be circumvented using a VPN. The risk of incomplete VPN encryption remains, of course.

In addition to SSL encryption on the Internet, using Tor Browser also ensures strong data protection. This combination is useful and secure for the average web user.

Here are some good sources:
