Laptop with VPN on desk.

How secure are commercial VPN solutions?

Mark Hall - 14 February 2019

It’s not that long ago when Virtual Private Networks (VPNs) were really only used by businesses and organisations to provide secure remote access to their networks for their users and remote offices. With the increased use of streaming services such as Netflix, who’s content varies based on a user’s location, has moved VPNs into the mainstream. In this blog post we will look at exactly how VPNs work and whether they are providing users with the security and potential anonymity they appear to offer.

What is a Virtual Private Network (VPN)?

When you connect any device to the Internet, either at your home or in the workplace, it will generally be assigned an IP address dynamically by your router or firewall. This is typically an address which is in a private range so it is not directly contactable and exposed to the outside Internet. Your router or firewall will be assigned an externally accessible IP address by your Internet Service Provider (ISP). When you make a web or similar request on your device, this will be processed by your router or firewall and will be ‘seen’ as coming from the external IP address which it has been assigned. This allows organisations such as Netflix to lookup the geographic location of this external IP address and it will then make an assumption about your geographic location and in turn what content is available from that location and Country.

A Virtual Private Network (VPN) provides users with a way of creating a secure encrypted connection between two points anywhere on the Internet and in any Country. In simple terms this allows your device to create a tunnel which can terminate in another Country, so any web or related requests you make will appear to originate from the external IP address of the tunnel endpoint in the other Country. This is how users can use a VPN connection to, for example, access Netflix content which may only be available in the USA, when in fact they are not in the USA, but their VPN connection allows them to appear as if they are.

Why are VPNs becoming more mainstream?

I recently saw a TV advertisement in the UK for a commercial VPN solution by NordVPN, (although other providers are available) which made me realise that these services have now moved into the mainstream. So why are users signing up and using these services?

Historically VPN solutions have been used by users to gain access to Internet content which is not available to them directly in their Country of origin. This can be to gain access to streaming services as I mentioned earlier, or to simply gain access to web content which may be blocked or restricted in certain Countries. VPNs offer users a way of effectively bypassing controls which a Government or Internet Service Provider has put in place. As a result there are an increasing number of Countries who are effectively banning or blocking the use of VPNs.

In the UK the Government are going to introduce compulsory age verification checks for commercial websites who offer pornographic content from April 2019. From this date users will need to provide proof that they are over 18 years of age before they are able to access this content and any sites who fail to implement age verification checks will be blocked by Internet Service Providers. Anyone who would prefer not to provide proof of their age to these sites offering adult only content, can use a VPN so that they appear to be in a Country which does not require the age verification check and will get uninterrupted access to the content they desire.

VPNs are also attractive for anyone who would like to use the Internet more securely and they certainly offer an enhanced level of anonymity. There are several other reasons VPNs are becoming increasingly popular and some of these are discussed in this blog article by Christian Cawley.

What are the risks?

Commercial VPN solutions use the same underlying technology as private VPNs which are used by businesses and other organisations. If anyone is interested to learn more about these technologies then a summary of the various VPN protocols is available here.

The security risk from using commercial VPN solutions does not lie with the underlying technology but how it is implemented and monitored. When you initiate a VPN connection it is important that you trust the organisation you are connecting to. For example, if you are using a VPN to connect to your workplace when you are working remotely you can probably assume that the connection is private and will be subject to that organisations computer usage policy.

When you make a connection using a commercial VPN provider the connection itself is secure, but once your data reaches the endpoint (hosted by the commercial VPN provider) then your security is in their hands. A commercial VPN provider can see and log any Internet requests you make over the VPN connection. Even a web request which is also encrypted using Hyper Text Protocol Secure (HTTPS) will leak information related to the fact that you made a connection (using the VPN) to that website, although the data itself will remain secure. Anyone who is using a commercial VPN solution to supposedly use the Internet anonymously is mistaken – there will potentially still be a log showing that you connected using a VPN and then what traffic went over that link.

Another risk of using a commercial VPN is that the device that initiated the VPN connection is no longer protected by any hardware firewall device you may have in place. When you initiate a VPN connection from your device your firewall will let this connection through. Once the connection is established the VPN endpoint will assign an IP address to your device together with routing rules. The IP address assigned by the VPN provider will be routed via the VPN tunnel and therefore effectively bypasses any hardware firewall you have in place. This means that the VPN provider or another of their users can attempt to connect to your device over the VPN connection. You can mitigate some of the risk by ensuring that you have a software firewall and anti-malware software running on your device, however it will still be more at risk than it was without a VPN connection.

The VPN provider can also potentially manipulate your Internet requests by providing unsafe domain name resolution (DNS) servers. Again, when you establish a VPN connection the provider will typically route all traffic (including DNS lookups) to their systems. It is then relatively straightforward for an unscrupulous provider to modify some DNS records to redirect your request to an illegal copy of a website in order to extract your login credentials.

How to stay safe when using a commercial VPN solution

Although there are clearly risks involved in using a commercial VPN solution there are obviously reasons why they are still attractive to users for a variety of reasons. If you are going to use one then here are some tips to help you stay safe:

  1. Avoid free VPN solutions – there is more chance that your data will be the price you are paying.
  2. Use a commercial VPN provider which is well established and has good reviews.
  3. Have a read of the VPN provider’s terms and conditions to understand what they can do with the data they gather from your use of their service.
  4. Before you connect, ensure you have secured your device with a software firewall and have anti-malware software in place.
  5. If you have ‘remote control’ functionality enabled on your device ensure it is suitably secured.
  6. Always assume that any Internet requests you make using the VPN can be logged and are traceable back to you.