This is a Reality Dispatch Tech Brief.
Actually, it’s the first Reality Dispatch Tech Brief. We haven’t needed one before.
As part of our coverage of the Backpage.com seizure and SESTA-FOSTA, we mentioned using VPNs to get around country limitations, but didn’t go into much detail. So, what is a VPN and why would you use one?
Why You Care – Why Use a VPN?
A VPN encrypts the traffic between your computer (phone, etc.) and a VPN server, and relays it on from there, so that to the rest of the internet your traffic appears to originate at that server.
With a VPN, you can work around restrictions on what sites you can browse, or where those sites require you be from, and you can disguise your activity to make it harder to track.
Every site you visit sees your public IP address, and from it can infer your ISP and rough location. For proof, navigate to What’s My IP (http://whatsmyip.org) and click on “more information.” You have no secrets. A VPN can help even the odds.
What is a VPN?
VPN stands for “Virtual Private Network.” Which does not, unfortunately, tell you anything. Really, it’s a way of connecting your computer (or phone or whatever you’re browsing on) to another network.
Without a VPN…
Normally, the traffic from your device to the final server is only partially protected. Even with SSL/TLS, which encrypts the page contents, anyone on the path can still see the server’s address: the destination IP, your DNS lookup for its name, and usually the hostname itself, which the browser sends in the clear in the TLS handshake (the Server Name Indication, or SNI).
With a VPN…
All of the traffic from your device to the VPN server is encrypted, including the destination address of each packet. Encryption is represented as a green pipe below. So, to the servers on the other side of the VPN, your traffic appears to be coming from the VPN server. And to anything between your device and the VPN Server, it’s just indecipherable gibberish aimed at the VPN Server.
In other words, all a sniffer can tell is that you are talking to the VPN server, and roughly how much. They cannot read what you are saying. They can often tell that it is VPN traffic, though: the standard protocols use well-known ports and have recognizable handshakes, which is exactly how the VPN blocking described below works.
In this example, above, you might be inside a place that doesn’t allow you to communicate to the end webpage. So instead you communicate to the VPN Server and let it communicate to the end webpage.
Or, if you “VPN” into work, which will generally be a secured-and-firewalled “corp-net” (Corporate Network), it looks like this:
The red zone being the “intranet” at the office. In this case, all traffic from your device is encrypted and delivered safely all the way into the corporate intranet.
You can also use this approach with an advanced router or internet appliance, such as a Ubiquiti EdgeRouter, Synology DiskStation, ASUS or Linksys WiFi router, or a Windows computer, to set up a protected route into your home network from your cell phone or from your laptop when travelling.
The important part is, this helps protect you from being spied upon.
As mentioned above, there are plenty of valid uses for VPNs, and a few less valid ones…
- Safely access your home network while away, without exposing it to anyone else.
- Log into your work network to access files and the intranet. (The intranet is the network you can only reach while at work. )
- GeoBlock Circumvention: Hide where you really are, so that you can watch videos or browse sites that require you to be in the United States (or not in the United States.)
- Disguise your usage so you can reach sites disallowed by the local network policy, such as at work or Starbucks or in repressive countries.
- Note that these repressive countries often block VPNs, typically by port or by address. See below for how to work around this.
- Hide what you’re doing from anyone snooping on your network, so you don’t leave DNS lookup traces to some site you would be embarrassed or punished for visiting. (This only holds if the VPN client sends your DNS queries through the tunnel too; a client that leaves DNS on the local resolver leaks exactly those traces.)
Different VPN Types
Your employer may provide a VPN for work, such as Pulse Secure. That protects the connection from being snooped on between you and the office. It is very similar to being directly on their network, though, so while this gives you access to the corporate resources (the wiki pages, intranet sites, email, disks, etc.), it provides you less privacy. Everything you do over it can be logged by your employer.
Your router, appliance or computer may be able to host OpenVPN, which would allow you to securely access the files at home while away.
Finally, for browsing privacy, there are a number of commercial VPN hosts, who often integrate the VPN functionality into their own client software for ease of support and configuration. For example, TorGuard and PIA (Private Internet Access) both offer a service built on standard protocols such as OpenVPN and OpenConnect, designed to hide your browsing and spoof your location.
VPN Privacy Gotchas
So this all sounds great… select a privacy-oriented VPN service such as one of these from a PC Magazine review, install the client, enable it and all is well.
Not so much. There are two significant problems with this approach.
- All of your traffic, or much of it, will go through the VPN now. So your emails, your other browsing (e.g. Amazon, Netflix) go through it.
- Your browser fingerprint conspires against you.
There are three big issues with all of your traffic going through the VPN. First, it’s slower. Second, you may get locked out or hit extra authentication checks, because to those services you look like you just switched networks. And lastly, since you’ve logged in, those companies can tie your account, and thus your identity, to the VPN address; at the very least they know you are spoofing your location.
The second problem, Browser Fingerprints, we’ll cover in another post later this week. Basically it means that your web browser and computer are easily identifiable.
The solution to both of these problems is to use a different browser for your VPN activity. Not just privacy or incognito mode in the same browser; it should be a different browser. If you primarily use Firefox, dedicate Chrome to this, and vice-versa. If you primarily use some other browser, use Firefox for your protected browsing; its privacy settings are easy to tighten.
Next, install your VPN’s browser extension. Such extensions are usually a proxy that covers only that browser’s traffic, which is exactly what you want here: you can turn the VPN on or off just for the browser, while your mail and other apps use your normal connection. Turn it on and leave it on, as you won’t be using this browser for non-privacy browsing. One check worth doing: WebRTC in the browser can reveal your real address even through a proxy, so disable it (many VPN extensions include a setting for this) and confirm with a leak-test site that only the VPN address shows.
Lastly, always start in private/incognito mode.
These steps will help protect you from being snooped upon, without causing you additional headaches.
Working around VPN Blocking
Repressive countries and licensed media companies (e.g. Netflix, Showtime) often block VPNs, either to control and censor thought (much like a college campus) or to ensure that content is only delivered inside the licensed “geo” location. There are two primary mechanisms for blocking VPNs:
- Block the ports VPNs typically use
- Block the IP addresses of VPN Servers
The former can be bypassed by tunnelling on other ports, and most VPN services can now run over TCP port 443 so the traffic blends in with ordinary HTTPS. The IP address issue is more of a cat-and-mouse game: VPN services add new addresses, and the blockers add them to their lists. Peer-to-peer VPNs, where other users’ home connections serve as exit points, sidestep address blocking because residential addresses are hard to list, but they also route strangers’ traffic out through your connection, which exposes you to some risk.
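The following example, added for this brief rather than taken from the original post or any VPN vendor, shows both blocking mechanisms and how the port-based one is evaded. It parses the `remote`, `proto` and `port` lines of an OpenVPN client config (a constructed one, with the hypothetical server vpn.example.net), checks each remote against a constructed list of ports a port-based filter would drop, and checks an exit address against a constructed list of known VPN ranges. The port list and address ranges are example policy, not any real network’s; the addresses are RFC 5737 documentation ranges.

```python
import ipaddress
import shlex
from typing import Dict, List, Optional, Tuple

# Ports a port-based VPN filter would typically drop. Constructed example policy,
# not taken from any real network; the numbers are the protocols' default ports.
BLOCKED_VPN_PORTS = {
    ("udp", 1194), ("tcp", 1194),  # OpenVPN default
    ("udp", 500), ("udp", 4500),   # IKE and IPsec NAT-T
    ("udp", 51820),                # WireGuard default
    ("tcp", 1723),                 # PPTP
}

# Address-based blocking, as a geo-restricted video service does it: ranges known
# to belong to VPN exits. Constructed for this example from a documentation range.
KNOWN_VPN_EXITS = [ipaddress.ip_network("198.51.100.0/24")]


def _norm_proto(p: str) -> str:
    """Map OpenVPN proto spellings (udp4, tcp-client, tcp6, ...) to 'udp' or 'tcp'."""
    return p.split("-")[0].rstrip("46")


def parse_openvpn_remotes(config: str) -> List[Tuple[str, str, int]]:
    """Return (proto, host, port) for each 'remote' line of an OpenVPN client config.
    A remote may carry its own port and proto; otherwise the global 'port' and
    'proto' directives apply, wherever in the file they appear."""
    default_proto, default_port = "udp", 1194
    raw: List[Tuple[Optional[str], str, Optional[int]]] = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()   # strip both comment styles
        if not line:
            continue
        tok = shlex.split(line)
        if tok[0] == "proto":
            default_proto = _norm_proto(tok[1])
        elif tok[0] == "port":
            default_port = int(tok[1])
        elif tok[0] == "remote":
            port = int(tok[2]) if len(tok) > 2 else None
            proto = _norm_proto(tok[3]) if len(tok) > 3 else None
            raw.append((proto, tok[1], port))
    return [
        (p if p is not None else default_proto, h, port if port is not None else default_port)
        for p, h, port in raw
    ]


def passes_port_filter(proto: str, port: int) -> bool:
    """True if a port-based VPN blocker would let this remote through."""
    return (proto, port) not in BLOCKED_VPN_PORTS


def exit_is_listed(ip: str) -> bool:
    """True if an address-based blocker would recognise this exit address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_VPN_EXITS)


def evaluate(config: str, exit_ip: str) -> Dict[str, object]:
    """Which remotes survive a port filter, and whether the exit address is listed."""
    remotes = parse_openvpn_remotes(config)
    reachable = [r for r in remotes if passes_port_filter(r[0], r[2])]
    return {"remotes": remotes, "reachable": reachable, "exit_listed": exit_is_listed(exit_ip)}


# Constructed client config: the same hypothetical server offered on the default
# port and, as a fallback, on TCP 443 where it blends in with ordinary HTTPS.
SAMPLE_CONFIG = """\
client
dev tun
proto udp
remote vpn.example.net 1194          # OpenVPN default, dropped by a port filter
remote vpn.example.net 443 tcp       # same server, looks like HTTPS to a port filter
remote-cert-tls server
"""

if __name__ == "__main__":
    print(evaluate(SAMPLE_CONFIG, "198.51.100.7"))   # 443/tcp reachable, but exit listed
```

The two checks answer different questions from different vantage points: the port filter sits on the network you are connecting from, so offering the server on 443/tcp gets you out; the address list sits at the service you are connecting to, so the same session is still refused if the exit address is known. Only a new or residential exit address beats the second check, which is the cat-and-mouse game described above.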