VPN Glossary of Terms

Full Glossary for all the terms related to VPN (Virtual Private Networks).

Asymmetric encryption

Asymmetric encryption is an encryption technique where the sender encrypts the data using the recipient’s public key; hence it is also known as public-key encryption. The encrypted data can then only be decoded by the recipient using a second, private key known only to them. This allows the encrypted data to be sent over any open channel, where interception by a third party will not compromise the data as long as the encryption method is sufficiently strong to resist attack. The strength depends both on the encryption algorithm used and on the length of the keys. The most common asymmetric encryption algorithm in use in VPN applications is RSA. For example, OpenVPN uses RSA to exchange symmetric session keys as part of its initial handshake process. RSA commonly uses 2048-bit or 4096-bit keys.

The advantage of asymmetric encryption is that it does not require the secure sharing of keys. The public encryption key can be openly shared and will not enable the decryption of the data. The private decryption key is only required by the receiving party and so will never be shared.

The main disadvantage of asymmetric encryption in VPN applications is that the encryption and decryption processes are too slow for a typical VPN client, leading to significant bandwidth restrictions and latency issues. Therefore, it is only used to exchange symmetric encryption keys at the start of a session, when a VPN tunnel is established between the client device and the VPN server.

Another disadvantage of asymmetric encryption is that once a private key is discovered, the confidentiality of all communications past and present using that key is compromised.

Asymmetric encryption can also be susceptible to man-in-the-middle attacks. Here a third party replaces the receiver’s public key with their own, allowing them to intercept and decrypt data sent using the substituted key. Once read, the intercepted data can be re-encrypted using the receiver’s original public key and forwarded to the receiver, leaving the recipient unaware that the encrypted data had been intercepted and compromised. It also allows the attacker to alter the message at will and without detection unless the recipient and original sender subsequently cross-check their messages. To succeed, a man-in-the-middle attack has to be carried out on infrastructure that is controlled by neither the sender nor the recipient.

Cloudflare has a great explanation of asymmetric encryption here.

Backdoor

A backdoor is a function within an algorithm, application, or device that allows a third party with knowledge of the function to gain access without passing any authentication or access control checks, such as entering a username and password. This gives an attacker unrestricted access to systems that the system owner believes have been locked down by authentication processes that only authorized users can pass. Backdoor functions are different from default accounts that may be included within the functionality of a system: such known accounts can be readily disabled or repurposed for use by an authorized user.

Backdoor functions may pre-exist in software at the time of installation, or they may be subsequently added as the result of malicious code executing on the target system. Backdoors are generally created as a result of malware infection to allow an attacker at a future date to gain control of the system.

Typical reasons for malware to install backdoor functionality include enabling any person with knowledge of the backdoor to use the system to contribute to denial of service attacks or mail bombing, or to facilitate a man-in-the-middle attack from within the infected system. Malicious backdoor functions may also be installed to allow an attacker to access the affected system or steal information from it, and the system can then act as a stepping-off point for gaining unauthorized access to other connected systems.

The best protection against backdoor functions is to prevent malware from installing them in the first place. The next layer of defense to consider is a firewall that controls access in and out of a system by unknown or unauthorized users. The final defense is to actively monitor systems for the presence of a backdoor. Backdoors are usually uncovered through anti-virus scanning that detects a backdoor function’s signature code, or by monitoring ports for unexpected activity to identify the code accessing them.

Stanford University has an interesting description of encryption algorithm backdoors here.

Bandwidth

The bandwidth of a VPN network is the rate at which data can flow across the network; in essence, the speed at which the internet connection via the VPN appears to operate. Latency, bandwidth, and throughput are all interrelated terms. Bandwidth is a measure of the maximum amount of data that can pass across a network at any given time. Throughput is a measure of the average amount of data passing across a network in a given period. Throughput is not necessarily equivalent to bandwidth because it is affected by latency. Latency is a measurement of time, not of how much data is downloaded over time.

The bandwidth of any network is governed by the processing speeds of the devices in the network, the medium over which the data flows, and the distances involved between the network’s endpoints.

As VPNs encrypt network traffic to make the connection safe and private, this processing performed by the VPN client and VPN service slows down the data flow and can impact the bandwidth. The impact will depend on the type of encryption used. Typically, the more secure the encryption protocols are, the more the bandwidth is reduced.

Using a VPN server located on the opposite side of the globe can also have an appreciable effect on bandwidth. This is why it is usually recommended to select a VPN server that is geographically close to the client device unless there is a specific reason why a server in a particular country is required. VPN service providers limit the impact on bandwidth by using more efficient encryption algorithms, which is why symmetric key encryption is routinely used for the data flows themselves. Under certain circumstances, an internet connection’s bandwidth may be artificially reduced by an ISP for certain data flow types, such as streaming multimedia content. In this situation, using a VPN would prevent the ISP from recognizing that the data flow was of this type, so it would not throttle the bandwidth. Under these conditions a VPN has the potential to deliver higher bandwidth.

Browser extensions

A browser extension is a small piece of bolt-on code that can be integrated into a modern web browser to add additional functionality. Almost all popular browsers support the use of extensions, including Chrome, Safari, Opera, Internet Explorer, and Edge.

Many VPN service providers offer browser extensions that deliver VPN security protection to all internet activity that uses that browser without the need to install a separate VPN application onto the client device. Such an approach is useful in situations where the user of a client device is unable or unauthorized to install software applications for security reasons but still requires access to VPN functionality.

VPN browser extensions also have the advantage of securing internet browsing activity without adversely affecting any other applications on that device that are using the Internet, such as an electronic mail program or a VPN connection into a corporate network, if this is an important consideration.

The main disadvantage of browser extensions is their weak security controls, which can compromise the security of the client device they are installed on. Once an extension is installed, updates can be pushed out automatically without the user being aware that the update has occurred, and there is no guarantee that the update was secure or did not include additional malicious functionality. The financial model used for most browser extension development programs relies on collecting user data to sell to third parties for advertising purposes. Weak anonymization protocols can leave the identity of the user exposed, compromising privacy.

It must also be noted that many free and low-cost VPN service providers offer browser extensions that act as proxy servers rather than encrypting network traffic and so do not provide the benefits of an actual VPN solution. Such browser extensions will not provide the required security and privacy, leaving the user unprotected.

To minimize the risks of using browser extensions, it is recommended to only source extensions from trusted official sources, to manage the permissions that each extension requires, and to examine each instance where an installed extension requests additional permissions. Malicious code within a browser extension can usually be uncovered through anti-virus scanning detecting its signature code.

Domain Name System

The Domain Name System (DNS) is the mechanism that allows devices such as servers to be assigned a descriptive domain name in place of a numeric IP address. The systems that translate domain names to IP addresses are distributed around the Internet to ensure resilience in the event of failure and to minimize latency. These domain name services are responsible for ensuring all internet traffic is routed to the correct destination.

The DNS can be thought of as an extensive, distributed database that contains a list of all hostnames, such as website addresses, and their corresponding numeric IP addresses. For practical reasons, each device that makes up the DNS manages only a small number of these records. Requests for the translation of names outside its own list are forwarded to whichever device holds that record.

The process for looking up the IP address of a hostname starts with a check of a top-level DNS server database to find which DNS server hosts the next part of the hostname. The client device then interrogates that next DNS server to see if it has the translation record or if it is held on a different DNS server. This process continues until the client device is pointed to the DNS server that can perform the translation. At this point, it receives the required IP address and can proceed with actioning the user request.

The DNS servers also host other record types in addition to IP addresses, such as Mail Exchanger (MX) records that are used to route e-mail messages to the correct destination e-mail server.

For further information on domain names and the DNS system, the Internet Corporation for Assigned Names and Numbers (ICANN) has produced a useful guide:

Beginner’s Guide to Domain Names - ICANN

Cloudflare has a great explanation of DNS here.

DNS Leak

A DNS leak is the event where DNS requests are incorrectly routed to an ISP DNS server instead of the VPN provider’s DNS server. As a result, the ISP server will monitor and log online activity even though a VPN connection has been established. The VPN tunnel will mask private IP addresses, disguise their country of origin as required, and encrypt all data flows. However, the ISP’s records of DNS lookups will provide a trail to all websites visited, undermining the privacy that using a VPN typically affords. The DNS information leaks out of the otherwise secure connection.

Usually, when browsing the Internet, DNS requests are initially sent to a DNS server provided by the ISP. They can then be forwarded to the DNS servers distributed around the Internet to perform the DNS to IP address lookup. The ISP-managed DNS server will keep a detailed log of all requests made by all ISP users. When using a VPN service, DNS requests should instead be sent securely through the VPN tunnel to a private DNS server provided by the VPN service provider, who should have a no-logging policy to protect privacy. This ensures that the VPN user does not need to worry that third parties can see that they accessed certain health-related websites or financial services. All reputable VPN service providers should provide a private DNS server by default.

DNS leaks can occur due to VPN configuration errors or deficiencies in the VPN application software or browser extension. Often, this can be triggered by a disconnection of the VPN tunnel. Automatic reconnection may result in an incorrect configuration of the DNS request path. This can result in DNS requests being incorrectly routed back to the ISP DNS server.

DNS leaks are best prevented by using a VPN service provider that explicitly includes protection mechanisms against this occurring. Alternatively, a firewall can be used to block all DNS traffic that does not go to the VPN service provider’s DNS server. The second solution is effective as long as the VPN is used. Should the user wish to access the Internet without establishing a VPN connection, the firewall rule will need to be disabled.

For further information on testing for a DNS leak, here is a starting point.

Eavesdropping

An eavesdropping attack is where information passing across a public network is intercepted by an attacker and used to collate information that may be of use, such as personal or financial information or login data. The interception would require the attacker to have undetected access to the communications network being used. Most commonly, this is achieved by monitoring communications over Wi-Fi networks or the Internet. A successful attack requires the intercepted information to be either unencrypted or weakly encrypted to the extent that it can be decrypted without access to encryption keys. Public Wi-Fi networks commonly use unencrypted communications that are simple to intercept by an attacker located within range of the Wi-Fi signal. Domestic Wi-Fi networks using the basic Wired Equivalent Privacy (WEP) security are also simple to intercept and decode by an attacker within the network range. A relatively short key length and security flaws found in the encryption standard make it possible to crack a WEP password in a few minutes by merely monitoring network traffic. WEP has been replaced by the Wi-Fi Protected Access (WPA) and WPA2 standards, which offer improved security, but WEP is still in everyday use worldwide.

The issue with a successful eavesdropping attack is that the victim will have no indication that an attack took place and will be unaware that their sensitive information was compromised.

VPN networks offer a solution to prevent eavesdropping when using a public network by ensuring all data is encrypted to a sufficiently strong standard. Any eavesdropper cannot extract useful information from the intercepted traffic.

End-to-End Encryption

End-to-end encryption is the process where information is encrypted on the sender’s device and only decrypted once it has reached the receiver’s device, using keys that are only accessible to the sender and receiver. The network service providers operating the infrastructure between the sender’s and receiver’s devices do not have the ability to decrypt the information. This is particularly important where the data transferred between the sender and receivers may be stored on intermediary devices that form the connections between all parties, as in the case of e-mail messages. Any security compromise of an intermediary device will not compromise the messages’ content as long as the encryption method is sufficiently strong to resist attack.

When a VPN is used to connect end-user devices, the VPN tunnel between the devices will provide end-to-end encryption and protect all communications from interception. This is particularly useful for allowing remote connection to a secure private network such as a corporate IT system.

Connecting a web browser from a client device to a server using HTTPS also provides end-to-end encryption between the client device and the destination server. This is different from connecting the client device to the server using a VPN service. In this case, the information is encrypted between the client device and the VPN server. The connection from the VPN server to the destination server will not be encrypted unless that happens to be an HTTPS connection.

Therefore, it is crucial to recognize that browsing using a VPN does not guarantee end-to-end encryption unless also using the HTTPS protocol.

Geo-Blocking

Geo-blocking is a restriction placed on online services that either restrict or permit users’ access based on specific countries or regions. As an example, for licensing reasons, the BBC iPlayer is only accessible to users within the UK. Conversely, for government censorship reasons, the YouTube website is not accessible to users within mainland China.

Typically, the location of a user is determined by the IP address they are using. While this usually provides an accurate indication of location, a user in one country can have their internet traffic routed through a server in a neighboring country and therefore be assigned an incorrect location. Geo-blocking is only effective if the user accessing the Internet does not use a VPN to geo-spoof their location to a different country.

One application of geo-blocking is to tailor website content so that, for example, an online store will present product prices in the visitor’s local currency and automatically calculate the correct taxes and delivery costs. Another application of geo-blocking is to tailor the delivery of entertainment services such as music or films based on copyright and licensing laws, so that only users in countries where the services can be provided may access the copyrighted and licensed materials. For example, the programs and films available to Netflix users in the US will differ from those available to users in other countries.

Governments can use geo-blocking to prevent access to services that are not legal within that country, such as gambling websites. Governments can also use geo-blocking to impose censorship within their country by restricting access to news or social media services.

Geo-Spoofing

Geo-spoofing is a service offered by VPN providers and anonymizer proxy services where a user in one country can select an IP address registered in a different country. Any websites or services that the user then accesses will believe that they are located in the second country. This feature is useful if the user wishes to access services that are not available in their own country due to commercial or state restrictions. It is also helpful if the user is traveling abroad and wishes to access services in their home country that are not available in the country in which they are currently located.

An anonymizer proxy service can be used to disguise the IP address to make it look like it is from a different country without encrypting the data flow, as would be the case with a VPN service. This is useful if the user is simply looking to disguise their IP address without needing to protect their information or hide browsing information. Advanced fingerprinting techniques can be used to match the anonymous browsing history with the user’s device, mainly using cookies to track the IP address used.

Without encryption, a reputable proxy service can perform better than a good VPN service if there is no content-specific bandwidth throttling by the ISP. However, free-to-use proxy services tend to suffer bandwidth and latency issues that make them significantly slower than a VPN.

Another downside of free-to-use proxy services is that not all support HTTPS, which means that access to a secure service such as an online store or bank will not be secure. Such connections would be susceptible to eavesdropping or man-in-the-middle attacks.

HTTPS

Hypertext Transfer Protocol (HTTP) is an application layer protocol used for browsing the Internet. HTTPS is a secure version of HTTP that uses end-to-end encryption to secure communications between a user’s browser and the server hosting the browsed website, preventing eavesdropping on the information being exchanged.

When a user first visits a secured site, their browser automatically checks the website’s security certificate to verify it was issued by a legitimate certificate authority. This provides a degree of assurance the website is what it purports to be, though the certificate check should not be relied upon as the only means of proof. The presence of HTTPS in the domain name or the display by the browser of a lock icon isn’t a guarantee that a site is legitimate. It is relatively straightforward to obtain a legitimate security certificate for a malicious website. It is also possible to display a lock icon as part of the website address that is similar enough to give the false illusion of the site being secure at a quick first glance.

HTTPS was initially intended for use in exchanging passwords, payment details, and other sensitive information. There is now a move to use this protocol for all web pages. This approach’s benefit is that third parties such as your ISP can no longer modify the web page content in transit to include additional advertising content or display status information.

A further benefit is that when using a search engine over an HTTPS connection, the ISP can no longer record the search terms, improving privacy. However, these search terms are still recorded and retained by the search engine provider. An additional benefit of HTTPS over HTTP is that, with the introduction of a major new version of the underlying HTTP protocol, HTTPS connections will be faster than HTTP connections using the old protocol.

Cloudflare has a great explanation of HTTPS here.

Internet Protocol

An Internet Protocol (IP) address is a unique identifier assigned to every device connected to a network that allows data to be transferred between devices. Every router and server with an internet connection will have such an IP address on the global Internet. There are two formats for IP addresses in current use.

The Internet Protocol version 4 (IPv4) defines IP addresses using a 32-bit number. These addresses are formatted as four numerical values separated by periods, where each numerical value is in the range of 0 through to 255 and is written using a decimal notation. For example, 192.168.0.1 is a valid IPv4 address.

The Internet Protocol version 6 (IPv6) defines IP addresses using a 128-bit number. These addresses are formatted as eight numerical values separated by colons, where each numerical value is in the range of 0 through to 65,535 and is written using a hexadecimal notation. For example, A110:0000:0000:0000:010A:C655:FE10:7523 is a valid IPv6 address.

Computers connected to the Internet will have a local network IP address assigned by the router or other device used to make the connection. This allows the router to make sure data flows to and from the Internet to the correct computer. The router will have its own IP address for the Internet assigned by the ISP or VPN service provider, depending on how the connection to the Internet is made. All computers on the local network will use this shared IP address when accessing internet services.

For further information on IP addresses, the Internet Corporation for Assigned Names and Numbers (ICANN) has produced a useful guide:

Beginner’s Guide To Internet Protocol (IP) Addresses - ICANN

The RIPE Network Coordination Centre (RIPE NCC) has also produced useful reading materials explaining IP addressing:

Understanding IP Addressing and CIDR Charts — RIPE Network Coordination Centre

IP Leak

An IP leak is the event where a user of an anonymization service such as a VPN or proxy has the IP address assigned by their ISP visible to a third party instead of the IP address assigned by the VPN or proxy service provider.

An IP leak will undermine the use of the VPN or proxy service for privacy purposes, revealing your actual identity to any services or websites. It will allow anyone with access to the browsing history recorded on DNS servers to link that information to you, potentially exposing sensitive information. It will also prevent the use of IP location changes to overcome geo-blocking.

IP lookup functions are readily available to let a user check the IP address seen by the websites they visit. The simplest method is to enter “what is my IP” into Google, which will display this information. If you know the IP address assigned by your ISP, this check can confirm that your proxy or VPN service provider is correctly masking that address and that you instead see the different IP address they have assigned. The issue with this check is that it only identifies whether a leak is currently occurring. It will not indicate if a leak has happened in the past or provide assurance that a leak will not occur in the future. IP leaks are generally caused by configuration errors or deficiencies in the application software or browser extension used for anonymization. Using a reputable proxy or VPN service will reduce the risk of an IP leak occurring.

An additional cause of IP leaks is the use of Web Real-Time Communication (WebRTC) functions by applications and services that provide real-time updates through a browser using push notifications. Typical uses of WebRTC are online communications services such as Google Meet, Facebook Messenger, and Slack. By default, WebRTC is configured to use the ISP-assigned IP address even when a VPN or proxy server is used to access the online communications service. This is a feature of the WebRTC functionality and cannot be blocked by the anonymization service. Preventing an IP leak by WebRTC requires the user to manually disable any WebRTC services, with the downside that any online communications services using this functionality will no longer work correctly.

For further information on testing for an IP leak, here is a starting point.

IPSec

Internet Protocol Security (IPSec) is a group of secure protocols used to establish an encrypted connection by a VPN service. Most common VPN services use either IPSec or, alternatively, SSL. Typically, an IPSec connection will have a slightly higher bandwidth than an SSL connection. However, firewalls can identify IPSec traffic and may be configured to block or throttle such traffic. SSL traffic is indistinguishable from regular HTTPS traffic and so is not subject to such potential restrictions.

The IPSec protocols work by securely exchanging encryption keys between the devices connected to the VPN. IPSec is flexible in allowing each VPN session to use encryption algorithms and keys that are unique to that session. It also has the option to use pre-shared symmetric keys if these are available to all parties using the session. All data flowing over the connection is then broken down into small packets that are encrypted using the exchanged keys. Usually, VPNs using IPSec are secured using a password-based login and can be compromised if the login credentials are disclosed. The use of multi-factor authentication is recommended to counter this security weakness.

IPSec can operate in a tunnel mode and a transport mode. All data, including routing information, is encrypted in the tunnel mode and can only be exchanged between two dedicated routers. In the transport mode, the data is encrypted, but the routing information is unencrypted, enabling the use of intermediary routers to pass the encrypted data from the source router to the final destination router.

Juniper has a great explanation of IPSec here.

Internet service providers

An Internet service provider (ISP) is an organization that provides the services required to access and use the Internet. ISPs also offer hosting services for websites, electronic mailboxes, and shared storage services.

Internet service providers can be commercial companies, local community-owned organizations, regional or national non-profit organizations, or privately owned providers.

Most internet users use an access provider ISP as the access point for Internet services. These access provider ISPs manage the local networks that the users connect to, and in turn connect to transit ISPs that provide internet access. This connection may involve passing through multiple tier 2 transit ISPs before reaching a tier 1 carrier that is connected to the Internet. Typically there are numerous paths available through different tier 2 and tier 1 carriers to guarantee connectivity and meet the bandwidth requirements of the access provider ISP.

Access provider ISP services were historically provided by telephone and broadband service providers that owned and managed the telecommunications equipment that connected users’ routers to the telephone network. Now, access provider ISPs do not need to own physical equipment. Virtual ISPs lease access to equipment and resell this access to users.

Free-to-use access provider ISPs are available, using advertising revenue in place of a user subscription to cover costs. The downside of such services is the intrusive advertisements, low bandwidth, and the sharing of internet usage records.

ISPs are, in general, legally required to allow law enforcement agencies to monitor internet usage records and access user browser histories. In the US, this is governed by the Communications Assistance for Law Enforcement Act (CALEA). Some countries also allow intelligence agencies to monitor internet traffic, such as in the US by the National Security Agency. Monitoring by ISPs is typically implemented using packet sniffing equipment integrated into the network infrastructure that authorized parties such as intelligence agencies can use to feed data into their own networks for analysis.

Kill Switch

A kill switch is a feature that will terminate a VPN connection if the connection becomes compromised or disrupted. This may be implemented as an automatic function by the VPN service provider or a manual control for users. When activated, the kill switch will prevent any communications from the user’s client device to the Internet outside of the encrypted VPN tunnel.

The primary purpose of a kill switch function is to manage situations where the connection between the client device and the VPN server drops out. Any ongoing communications revert to using the unencrypted link to the user’s ISP server. A drop-out or disconnection of the VPN tunnel may not always be evident to the user, which is why choosing a VPN service provider with an automatic kill switch function should always be considered. Drop-outs and disconnections can occur due to many reasons, such as the user’s device losing its Wi-Fi or mobile signal, interference to such signals, or problems with the VPN server itself. VPN connection stability may also be affected by the chosen VPN encryption protocol. By monitoring the connection and stopping all communications should any of these events occur, an automatic kill switch will prevent any data from being sent over an unprotected connection.

Automatic kill switch functions will not necessarily work for all operating systems and be compatible with all VPN protocols. When choosing a VPN service provider that offers an automatic kill switch function, always check that the function is compatible with your particular setup. An alternative option is to use a third-party kill switch function in combination with your VPN service.

Where kill switch functions are included in the VPN service, these typically need to be enabled using the VPN configuration options. Some VPN service providers offer advanced kill switch functions that allow the user to configure which applications and services will be blocked in the event of a VPN drop-out and which will continue. For example, internet browsing may be blocked to protect privacy, but e-mail services can continue with their own separate end-to-end encryption.

A further advantage of an automatic kill switch integrated into the VPN client is its handling of momentary drop-outs: traffic is held back until the tunnel is re-established, which, for a short interruption, may not even be noticeable to the user.
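
What a kill switch looks like underneath is a default-drop outbound firewall policy with a short allow-list. The following is an added example written for this glossary, not code from any VPN client: it models that policy in Python so the decisions can be exercised, and renders the same policy as an nftables ruleset. The VPN server address (203.0.113.10), port (UDP 1194), tunnel interface (tun0) and LAN (192.168.1.0/24) are assumed values.

```python
"""Model of a VPN kill switch as a host firewall policy, rendered as nftables rules.

Added example, not from the glossary or any VPN vendor's client. Assumed values
used by callers: VPN server 203.0.113.10, UDP 1194, tunnel tun0, LAN 192.168.1.0/24.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class KillSwitchPolicy:
    vpn_server: str   # public address of the VPN endpoint
    vpn_port: int     # port the encrypted tunnel itself runs over
    vpn_proto: str    # "udp" or "tcp"
    tun_iface: str    # virtual interface the VPN client creates, e.g. tun0 / wg0
    lan: str          # local subnet that may stay reachable (printers, NAS)

    def allows(self, iface: str, dst_ip: str, proto: str, dport: int) -> bool:
        """Decide whether an outbound packet may leave the host.

        Default is drop. The only exceptions are loopback, anything already
        inside the tunnel, the tunnel's own encapsulated packets to the VPN
        server, DHCP renewals, and the local LAN. Nothing here depends on
        whether the tunnel is currently up, so a tunnel drop cannot make
        traffic fall back to the ISP's default route.
        """
        if iface == "lo" or iface == self.tun_iface:
            return True
        dst = ipaddress.ip_address(dst_ip)
        if (dst == ipaddress.ip_address(self.vpn_server)
                and proto == self.vpn_proto and dport == self.vpn_port):
            return True
        if proto == "udp" and dport == 67:          # DHCP to the local server
            return True
        # An IPv6 destination is never inside an IPv4 LAN, so it is dropped.
        return dst in ipaddress.ip_network(self.lan)

    def render_nft(self) -> str:
        """The same policy as an nftables ruleset for `nft -f`.

        The inet family covers IPv4 and IPv6, and the `ip daddr` rules match
        only IPv4, so IPv6 outside the tunnel is dropped, which is what a
        kill switch should do (IPv6 leaks are a common failure).
        """
        return "\n".join([
            "table inet killswitch {",
            "  chain output {",
            "    type filter hook output priority 0; policy drop;",
            '    oifname "lo" accept',
            f'    oifname "{self.tun_iface}" accept',
            f"    ip daddr {self.vpn_server} {self.vpn_proto} dport {self.vpn_port} accept",
            "    udp dport 67 accept",
            f"    ip daddr {self.lan} accept",
            "    # DNS is deliberately not exempted: a resolver query outside",
            "    # the tunnel would leak the names of the sites being visited.",
            "  }",
            "}",
        ])
```

The point of keeping the model and the rendered rules side by side is that the two must agree: the test packets a practitioner would try (a DNS query on the physical interface, an IPv6 destination, the VPN handshake itself) are exactly the cases where real kill switches have been found to leak.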

Latency

A VPN connection's latency is the delay between the client device sending a request and receiving the response. From the user's point of view, latency, bandwidth, and throughput are interrelated, but unlike the data rates of bandwidth and throughput, latency is a measurement of time rather than of how much data is transferred in that time.

All operations on the Internet are subject to latency, influenced by the number of users sharing a particular service, ISP server, or transmission line. VPN latency refers specifically to the extra delay a VPN adds: the time taken to encrypt and decrypt the data flows, and the detour through the VPN server, which is rarely on the direct path to the destination. The processing part is largely determined by the technology employed by the VPN service provider and by the number of users on a VPN server at a particular time. This is particularly an issue with free or low-cost VPN services, whose servers are typically loaded with more users than they have the capacity to handle, so that packets are queued or dropped, significantly increasing latency.

One of the main contributors to overall latency is physical distance, specifically the length of the path between the client device and the endpoint server. Light travels through optical fiber at roughly 200,000 km per second, so a one-way trip halfway around the globe takes on the order of 100 ms, and the round trip around 200 ms. A complete request-response transaction needs several sequential round trips (DNS lookup, TCP handshake, TLS handshake, then the request itself), so each of these delays is multiplied into a total round trip time (RTT) that the user notices. For the extensive data flows associated with streaming multimedia, the effect can be infuriating. Using a VPN server a long way from both the user and the destination lengthens the path and therefore the RTT. The usual recommendation is to select a geographically close VPN server unless there is a specific reason to use a server in a particular country.
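
To put numbers on the advice above, here is an added example (not from the glossary) that estimates the propagation lower bound for a request sent directly and via a distant VPN server, and then multiplies it by the round trips a first HTTPS fetch needs. The fiber speed (200,000 km/s) and the city coordinates are assumptions; real paths are longer than the great-circle distance and every router adds queueing delay, so real figures are higher.

```python
"""Lower-bound latency budget for a request sent through a VPN server.

Added example, not from the glossary. Propagation speed and coordinates are
assumptions; measured latency will be higher than these estimates.
"""
import math

FIBER_KM_PER_MS = 200.0      # ~200,000 km/s, two thirds of c, per millisecond
EARTH_RADIUS_KM = 6371.0

# Constructed sample locations (latitude, longitude in degrees).
LONDON = (51.5074, -0.1278)
PARIS = (48.8566, 2.3522)
SYDNEY = (-33.8688, 151.2093)


def great_circle_km(a, b):
    """Haversine great-circle distance between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def rtt_ms(client, destination, vpn_server=None):
    """Round-trip propagation time in ms. With a VPN server the path is
    client -> server -> destination and back, not the direct route."""
    if vpn_server is None:
        one_way = great_circle_km(client, destination)
    else:
        one_way = (great_circle_km(client, vpn_server)
                   + great_circle_km(vpn_server, destination))
    return 2 * one_way / FIBER_KM_PER_MS


def page_fetch_ms(rtt, crypto_overhead_ms=1.0):
    """A first HTTPS fetch serialises several round trips: DNS (1), TCP
    handshake (1), TLS 1.3 handshake (1), then request/response (1).
    Per-packet encryption cost is small next to the propagation delay."""
    sequential_round_trips = 4
    return sequential_round_trips * rtt + crypto_overhead_ms


def compare(client, destination, vpn_server):
    """Direct versus via-VPN estimate, the figure the server-choice advice rests on."""
    direct = rtt_ms(client, destination)
    via = rtt_ms(client, destination, vpn_server)
    return {"direct_rtt_ms": round(direct, 1),
            "via_vpn_rtt_ms": round(via, 1),
            "via_vpn_page_ms": round(page_fetch_ms(via), 1)}
```

For a London user fetching a Paris site through a Sydney server the direct RTT is a few milliseconds while the detour is over 300 ms, and four sequential round trips push the first page load past a second before any payload moves.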

Log Policy

Internet connections are ordinarily subject to usage logging. In many jurisdictions, ISPs are legally required to retain connection records for a set period: which IP addresses and domain names a subscriber contacted, and when. Page content and form data are not normally retained, and since most web traffic is now HTTPS the ISP cannot read them, but DNS queries and the server name in the TLS handshake still reveal which sites were visited. Such records are available to law enforcement officials investigating criminal behavior and to intelligence agencies.

Of more immediate concern for ordinary users is that such records may also be used for commercial purposes, including refining targeted advertising based on browsing behavior. Records showing that a particular user visited certain health-related websites and bought specific products from an online pharmacy yield sensitive medical information about that user. If a user selects a VPN service to protect their privacy, it is essential that the VPN service provider does not retain and share equivalent records, because the provider now sits in exactly the position the ISP did.

Reputable VPN service providers commonly offer a no-logs policy: a formal commitment not to keep records of users' activities, in the better cases backed by an independent audit of the claim. However, not all providers offer such a policy. Many, particularly free-to-use and low-cost services, retain records of user behavior and include in their service agreements the right to share or sell those records to third parties.

In some cases the policy restricts records to aggregate data that does not identify any individual user or client device. However, in a world where records from multiple sources can be combined and processed at scale, such data may still yield information about individuals if the aggregation and anonymization are not sufficiently robust.

Man-in-the-middle

A man-in-the-middle (MITM) attack is one in which an unauthorized third party inserts itself into the communications between two or more devices with the intention of intercepting and misusing the information passed between them. The attacker does not need physical access to any of the devices, only a position on the network path they use, and the legitimate users are unaware that the communications are being intercepted. In sophisticated MITM attacks, the attacker can alter the information in transit without either end being aware that changes have been made.

The most common setting is an open public Wi-Fi network, where the attacker connects and records the traffic passing over the air. Any sensitive information sent over such a network, such as a login to a financial service or the sharing of work documents, is then available for the attacker to read and act upon. This is precisely why a VPN should be used on an unsecured Wi-Fi network. Coffee shops offering free Wi-Fi near major cities' financial districts were always a prime target. With the migration from HTTP to HTTPS for almost all web services, the scope for passive interception has diminished. However, a capable attacker can still attempt to downgrade a connection from HTTPS to HTTP (known as SSL stripping) and intercept it if the user does not notice that the padlock has gone; HSTS, which tells the browser never to use plain HTTP for a site, was introduced to counter this. A variation is for the attacker to set up their own open Wi-Fi network that anyone within range can join, giving them full control over the intercepted traffic. Merely giving the network a plausible name, such as that of the venue, can be enough for the public to connect to it rather than to the legitimate network.

Another type of MITM attack, on a local network, is for the attacker to claim the IP address of their target, typically the default gateway, by answering ARP requests for it with their own hardware (MAC) address, known as ARP spoofing or ARP cache poisoning. All traffic that victims intend for the gateway is then delivered to the attacker, who forwards it on after inspecting it and extracting anything sent unencrypted.
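
The victim's own neighbour table shows the symptoms of this attack: two IP addresses resolving to one MAC, or the gateway's MAC changing from what was recorded earlier. The following added example (written for this glossary, not a tool from any vendor) parses constructed `ip neigh show` style lines and flags both symptoms; the addresses and MACs are made up, and a duplicate MAC can also be a legitimate host with several addresses, so a hit is a prompt to investigate rather than proof.

```python
"""Spot the ARP-cache symptoms of an on-path attacker on the local network.

Added example, not from the glossary. SAMPLE_NEIGH is constructed to look
like Linux `ip neigh show` output; the addresses and MACs are invented.
"""
from collections import defaultdict

# Constructed sample: the gateway 192.168.1.1 and 192.168.1.20 claim the same
# MAC, which is what gateway ARP spoofing looks like from the victim's side.
SAMPLE_NEIGH = """\
192.168.1.1 dev wlan0 lladdr aa:bb:cc:dd:ee:01 REACHABLE
192.168.1.20 dev wlan0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.30 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.40 dev wlan0 FAILED
"""


def parse_ip_neigh(text: str) -> dict:
    """Return {ip: mac} from `ip neigh` lines; entries without an lladdr
    (FAILED/INCOMPLETE) carry no hardware address and are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            mac = fields[fields.index("lladdr") + 1].lower()
            table[fields[0]] = mac
    return table


def duplicate_macs(table: dict) -> dict:
    """IPs that share one hardware address, keyed by that MAC."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(table: dict, gateway_ip: str, known_mac: str) -> bool:
    """True if the gateway now resolves to a different MAC than the one
    recorded on first connection, the other classic spoofing symptom.
    Pinning the gateway MAC (a static ARP entry) is the usual hardening."""
    current = table.get(gateway_ip)
    return current is not None and current != known_mac.lower()
```

On a real host the input comes from running `ip neigh show` (or `arp -a`, whose format differs and would need its own parser) periodically, and the known gateway MAC from the first clean connection to that network.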

Attackers can also use DNS spoofing to divert traffic for a legitimate website to their own server by corrupting the lookup that converts the site's name into its numeric IP address, either by answering the client's DNS queries first or by poisoning the cache of the resolver it uses. Users who believe they are on the legitimate site can have any information they enter stolen or be tricked into downloading malware. Certificate checking in HTTPS is the main defense: the attacker's server cannot present a valid certificate for the spoofed name unless a CA has been compromised or the user clicks through the browser warning.

Finally, malware installed on a user's client device or router can be used to carry out a MITM attack remotely. A popular variant is the man-in-the-browser (MITB) attack, where the web browser itself is compromised, so the attacker sees and can modify data before it is encrypted and after it is decrypted; a VPN offers no protection against this. In these circumstances, the captured traffic can be forwarded to an attacker anywhere on the Internet.

Users can protect themselves from MITM attacks by adopting reasonable security practices: keeping software and anti-virus programs up to date, taking certificate warnings seriously instead of clicking through them, exercising caution on public Wi-Fi networks, and using a VPN to encrypt all traffic between the device and a trusted endpoint.

Multi-factor authentication

Multi-factor authentication (MFA) improves security when accessing a device or service by requiring more than one independent proof of identity. Traditional single-factor authentication relies on the user entering a username and password; should those credentials be compromised, anyone holding them can access the service. MFA requires the user to complete at least two different steps, drawing on factors that cannot be compromised by the same means. Typically this combines something the user knows (the password) with something they physically have. The second factor may be a hardware token or security key plugged into the device, a code sent by text message to a mobile phone, or a code generated by an authenticator app on a separate device. A compromise of the password on its own then no longer gives access to the service.

A further factor is something the user is: a physical attribute such as a fingerprint, an iris scan, voice recognition, or the way they move when writing their signature. A fourth is somewhere the user is: a connection from a specific network, or a location determined by the GPS receiver in the client device.

For example, paying by credit or debit card and entering a PIN satisfies multi-factor authentication: the card is something the user has and the PIN is something they know. In contrast, a contactless payment relies only on possession of the card, and a card payment over the phone relies only on knowing the numbers printed on it, so both are single-factor.

Multi-factor authentication is vulnerable if an attacker can intercept or relay the authentication process. For example, a code sent by SMS or e-mail that is received on the same device used to enter the username and password is available to any malware on that device, along with the password. A phishing page can also relay a one-time code to the real site in real time; only factors bound to the site's identity, such as FIDO2/WebAuthn security keys, resist this. Similarly, a skimming device attached to a cash machine has a magnetic reader that captures the card's data and a camera that records the user entering their PIN.

SSH Tunnel

A Secure Shell (SSH) tunnel is an encrypted channel carried inside an SSH connection between a client device and an SSH server, over which other TCP traffic can be passed securely. SSH is an encrypted network protocol originally conceived to let network services operate safely over an untrusted network; it uses public-key cryptography to authenticate the server (and optionally the user) and to agree the symmetric session keys. SSH clients are built into Linux, macOS, and current versions of Windows, and SSH applications are available for most other operating systems. Typical uses include remote administration, file transfer, and direct connections to cloud-based virtual machines.

The main attraction of SSH tunneling, also known as port forwarding, is the ability to carry traffic past firewall controls and proxy filtering, and to hide the details of web browsing from the monitoring and logging functions of a proxy. Note that this cuts both ways: an SSH tunnel out of a corporate network bypasses that network's security controls, which is why outbound SSH is often restricted. Further details are available here.

Local port forwarding (ssh -L) opens a port on the user's own device; anything sent to that port is carried through the SSH connection and delivered by the SSH server to a chosen host and port on its network. This lets a remote user reach an internal application, such as an intranet web server or a database, as if they were on the local network, which is also why it bypasses network boundary controls.

Remote port forwarding (ssh -R) is the opposite: it opens a port on the SSH server, and connections to that port are carried back through the tunnel to a host and port on the client's side. This exposes a service on the remote device to users on the server's network as if it were attached there.

Dynamic port forwarding (ssh -D) is the more general option: the SSH client acts as a SOCKS proxy on the local device, and any application configured to use it has its connections carried through the tunnel and made from the SSH server, much like a VPN or proxy. A typical use is a mobile user on an unencrypted public Wi-Fi hotspot opening a dynamic forward to a server at home; their browsing traffic is then encrypted between the device and the home server, protecting it from eavesdropping and man-in-the-middle attacks on the hotspot. Unlike a VPN, only applications configured to use the proxy are protected, and DNS lookups may still go out in the clear unless the application resolves names through the proxy.

SSL/TLS

Transport Layer Security (TLS), the successor to the now-deprecated Secure Sockets Layer (SSL) and still often called SSL, is the family of protocols used to establish an encrypted, authenticated connection, and is one of the two foundations on which VPN services are built; the other is IPsec. SSL/TLS-based VPNs have an advantage over IPsec in that, run over TCP port 443, their traffic resembles regular HTTPS and is therefore less likely to be blocked or throttled by firewalls configured against IPsec; it can still be fingerprinted by a determined observer.

SSL/TLS relies on public-key cryptography. A website or service generates a key pair and obtains an X.509 certificate that binds its public key to its domain name. The private key is kept securely by the site owner; the public key is distributed in the certificate. The certificate is signed by a publicly trusted certificate authority (CA), which has checked that the applicant controls the name. Web browsers and operating systems ship with a store of CA root certificates they trust implicitly. The assurance of the scheme rests on the CAs being regularly and rigorously audited, and on the client checking that the certificate chains to a trusted root and that its name matches the host it intended to reach; disabling either check leaves the connection encrypted but open to a man-in-the-middle.

The SSL/TLS handshake uses the certificate's key pair to authenticate the server and to agree fresh symmetric session keys (in current versions via an ephemeral Diffie–Hellman exchange, so that a later compromise of the private key does not expose past sessions). This mechanism is the foundation of all secure web browsing using HTTPS.

Older versions of SSL and TLS contained many security vulnerabilities in both the protocols and their implementations, and SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1 are now deprecated; TLS 1.2 with modern cipher suites and TLS 1.3 resolve the known problems. Most attacks target the initial handshake, for instance by forcing a downgrade to a weaker version or cipher suite, or by defeating the certificate check, so that the attacker can intercept and decode the data the protocol was meant to protect.
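
The two checks named above (chain to a trusted root, name matches the host) are the ones most often switched off to make a certificate error go away. The following added example (written for this glossary, not taken from any VPN client or library documentation) shows, using only Python's ssl module, the client configuration that keeps both checks and refuses deprecated protocol versions, beside the anti-pattern that disables them. The `peer_certificate` helper needs network access and is not exercised offline.

```python
"""Client-side TLS settings that actually deliver the certificate check.

Added example, not from the glossary; standard-library ssl only.
secure_client_context is what an HTTPS or SSL-VPN client should do;
insecure_client_context is shown only as the anti-pattern.
"""
import socket
import ssl


def secure_client_context(ca_file=None):
    """Trust the system CA store (or a pinned ca_file), require a certificate,
    check that its name matches the host dialled, and refuse SSL/TLS < 1.2."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True                # the name in the cert must match
    ctx.verify_mode = ssl.CERT_REQUIRED      # no valid chain, no connection
    return ctx


def insecure_client_context():
    """The 'fix the cert error' snippet found in many forum answers: with
    both checks off, any on-path attacker presenting any certificate is
    accepted, and the session is encrypted straight to the attacker."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False               # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx) -> dict:
    """Plain-value summary of the settings that matter, for comparison."""
    return {"chain_verified": ctx.verify_mode == ssl.CERT_REQUIRED,
            "hostname_checked": bool(ctx.check_hostname),
            "minimum_version": ctx.minimum_version.name}


def peer_certificate(host: str, port: int = 443, ctx=None) -> dict:
    """Connect with the secure context and return the server certificate as
    parsed by Python; raises ssl.SSLCertVerificationError on a bad chain or
    name mismatch instead of silently continuing. Requires network access."""
    ctx = ctx or secure_client_context()
    with socket.create_connection((host, port)) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Passing a `ca_file` containing only the VPN provider's own CA is the pinning approach most SSL-VPN clients take: the public CA store is then irrelevant, and a certificate mis-issued by any other CA is rejected.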

Cloudflare has a great explanation of SSL here.

Symmetric encryption

Symmetric encryption is an encoding technique in which the same key is used to encrypt and decrypt the data, or in which the decryption key is trivially derived from the encryption key. It is also known as secret-key encryption. The security of the communications therefore depends on keeping the key secret.

This requires a secure method of sharing the key between sender and receiver. Traditional approaches relied on the physical transfer of keys between the two parties. Key-agreement techniques such as the Diffie–Hellman exchange allow two parties to derive a shared secret over a public network without ever transmitting it; the exchange itself must be authenticated, typically with the parties' certificates or static public keys, or an attacker on the path can substitute their own values and sit in the middle. Techniques also exist for establishing group keys between more than two parties where required.
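
The following added example (written for this glossary, not code from any VPN implementation) serves both this paragraph and the Man-in-the-middle entry above: it runs a Diffie–Hellman exchange, shows how an unauthenticated exchange hands the attacker a key shared with each side, and then adds the authentication that makes the substitution detectable. The group (p = 2^127 - 1, g = 2) is a toy choice to keep the numbers small, not a secure group; real VPNs use the RFC 3526/7919 groups or Curve25519. Real protocols sign the exchange with certificate keys; here an HMAC under a pre-shared key stands in for that signature, as in IKE's pre-shared-key mode, because the standard library has no signature scheme.

```python
"""Diffie-Hellman key agreement, the man-in-the-middle it is exposed to when
unauthenticated, and the authentication that detects the substitution.

Added example, not from the glossary. P and G are TOY parameters (assumed,
not secure); the HMAC pre-shared key stands in for a signature.
"""
import hashlib
import hmac
import secrets

P = 2 ** 127 - 1     # toy prime modulus, far too small for real use
G = 2
NBYTES = 16          # enough to hold any value below P


class Party:
    """One endpoint: a fresh private exponent and the public value g^x mod p."""

    def __init__(self, name: str):
        self.name = name
        self.priv = secrets.randbelow(P - 2) + 1
        self.pub = pow(G, self.priv, P)

    def session_key(self, peer_pub: int) -> bytes:
        # Both sides compute g^(ab) mod p; hashing it yields a symmetric key.
        shared = pow(peer_pub, self.priv, P)
        return hashlib.sha256(shared.to_bytes(NBYTES, "big")).digest()


def transcript_tag(auth_key: bytes, *pubs: int) -> bytes:
    """MAC over the public values as sent. Without auth_key an attacker
    cannot produce a valid tag for a substituted value."""
    msg = b"".join(p.to_bytes(NBYTES, "big") for p in pubs)
    return hmac.new(auth_key, msg, hashlib.sha256).digest()


def unauthenticated_mitm() -> dict:
    """Mallory replaces each public value with her own. Alice and Bob each
    end up sharing a key with Mallory, who decrypts, reads, and re-encrypts."""
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    alice_key = alice.session_key(mallory.pub)   # Alice received M instead of B
    bob_key = bob.session_key(mallory.pub)       # Bob received M instead of A
    return {
        "alice_bob_agree": alice_key == bob_key,
        "mallory_reads_alice": mallory.session_key(alice.pub) == alice_key,
        "mallory_reads_bob": mallory.session_key(bob.pub) == bob_key,
    }


def authenticated_exchange(auth_key: bytes, tamper: bool = False) -> dict:
    """Alice -> Bob: (A, MAC(k, A)); Bob -> Alice: (B, MAC(k, A || B)).
    Substituting A or B invalidates the tag, so the exchange is aborted
    before any data is encrypted under a key the attacker knows."""
    alice, bob, mallory = Party("alice"), Party("bob"), Party("mallory")
    # Message 1 as it arrives at Bob.
    recv_a, tag_a = alice.pub, transcript_tag(auth_key, alice.pub)
    if tamper:
        recv_a = mallory.pub                 # value swapped; tag cannot be fixed
    if not hmac.compare_digest(tag_a, transcript_tag(auth_key, recv_a)):
        return {"verified": False, "agree": False}
    # Message 2 as it arrives at Alice; Bob binds both values into his tag.
    recv_b, tag_b = bob.pub, transcript_tag(auth_key, recv_a, bob.pub)
    if not hmac.compare_digest(tag_b, transcript_tag(auth_key, alice.pub, recv_b)):
        return {"verified": False, "agree": False}
    return {"verified": True,
            "agree": alice.session_key(recv_b) == bob.session_key(recv_a)}
```

Binding the whole transcript into the tag, rather than each value separately, is what stops an attacker mixing values from two different sessions; TLS does the same with its Finished messages.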

The main advantage of symmetric encryption is that using a single key to encrypt and decrypt is simpler and requires far less processing than asymmetric encryption. This is why it is used for all the bulk data carried through a VPN tunnel, and why VPN throughput depends on it.

There are two main classes of symmetric ciphers used in VPN applications. Block ciphers operate on fixed-size blocks (128 bits for AES) and must be combined with a mode of operation that chains or counts the blocks and, in modern authenticated modes such as GCM, also detects tampering. Stream ciphers generate a keystream that is combined with the data byte by byte. Neither class is inherently more secure than the other: AES in an authenticated mode is the most common choice, and ChaCha20-Poly1305, a modern stream construction, is used by WireGuard and is faster on devices without hardware AES support.

AES is the most widely used symmetric block cipher in VPN applications and is defined for 128-bit, 192-bit, and 256-bit keys. DES is an older block cipher once in common use but long since replaced by AES; its key is only 56 bits (64 bits including parity), which is trivially brute-forced today, and its Triple DES variant (112- or 168-bit keys) is slow and also being retired.

Cisco has a great explanation of encryption here.

TOR

The Onion Router (TOR) is an alternative way of maintaining anonymity and protecting privacy when browsing the Internet. It offers significant protection against determined attempts to track a user's online behavior, at the cost of significant performance.

In a nutshell, TOR is a multi-layer network accessed through a dedicated browser. The TOR browser manages the connection to the TOR network and encrypts all traffic between the client device and the exit node in several layers; beyond the exit node the traffic is only protected if the destination site uses HTTPS, so the exit operator can see plain HTTP traffic. Using the TOR browser does not secure any other application on the device that uses the Internet, such as an e-mail program.

The TOR network is built from thousands of relays around the world run by volunteers. Traffic from the TOR browser enters the network at an entry (guard) node, is relayed through a middle node, and leaves at an exit node, which resolves the destination name and connects to it. Each relay knows only the hop before and after it: the entry node knows the user's address but not the destination, and the exit node knows the destination but not the user. This layered routing prevents any single relay, or an observer of any single link, from tying a user to a destination. It protects privacy from all but the most determined and sophisticated adversaries, but the extra hops significantly reduce bandwidth and increase latency. Further details of TOR and the TOR browser are available from the Tor Project, Inc.

Note that accepting cookies, running scripts, enabling browser plug-ins, or even allowing pop-up windows can compromise anonymity even when using TOR. If strong anonymity is required, the user must adopt good browsing practices beyond merely using the TOR network.

VPN

A virtual private network (VPN) is a service that lets users access the Internet as though they were connected to a private network. A VPN encrypts the user's Internet traffic to protect its privacy and replaces the user's IP address with the VPN server's, making activity harder to attribute to the user. The main disadvantage of using a VPN is the bandwidth and latency cost, which may affect the performance of online services.

A VPN works by creating an encrypted tunnel between a client device and a VPN server and forwarding the traffic onto the Internet from the VPN server. This prevents any third party intercepting communications along the path between the device and the server from reading them. It also prevents the ISP from monitoring and recording the internet traffic, and replaces the user's IP address with one assigned to the VPN server that is not associated with the user. Typically VPN service providers allow the user to select from many VPN servers located in various countries.

VPNs are typically implemented using software installed on the client device. However, options are available to implement the VPN on a router to protect all devices connected through that router.

Cisco has a great explanation of VPNs here.

The key benefits of using a VPN service include:

The user’s internet traffic between their client device and the VPN server is encrypted to prevent eavesdropping or a man-in-the-middle attack when the user is accessing the Internet over an unencrypted network such as a public Wi-Fi hotspot.

The user's internet activities, in terms of browsing history, services accessed, and information sent, are hidden from the user's ISP. This prevents the ISP from collating records of these activities and sharing them with third parties such as advertising agencies; the VPN provider, of course, now sees what the ISP used to see.

The user's IP address is hidden from the websites and services accessed over the Internet, which makes it harder for them to link activity to the user's identity and location. It does not by itself stop tracking by cookies, logged-in accounts, or browser fingerprinting, which identify the browser regardless of IP address.

The user can circumvent geo-blocking restrictions to access content that is not available in the location determined by the IP address allocated by their ISP. This counters problems where the ISP assigns an IP address registered in a different country to where the user is physically located.

VPN encryption can help avoid ISP throttling of particular kinds of traffic, such as streaming video, by preventing the ISP from identifying the type of traffic inside the tunnel.

Not all VPN service providers are the same. Reputable premium services offer greater security and privacy over other services, particularly free-to-use and low-cost VPN service providers. Not all VPN service providers fulfill the critical benefits of using a VPN service listed above. In particular, not all offer a no-logging policy to keep internet activities private. Many VPN service providers include provisions for sharing such data with advertisers in their terms of service.

One weakness of a VPN regarding anonymity is that it concentrates trust in a single entity that runs all the servers and can see all the traffic. Sophisticated attackers and government agencies can also correlate traffic entering and leaving a VPN server to associate users with destinations. TOR, by contrast, operates as a decentralized network and offers more robust anonymity, at the expense of more intrusive bandwidth and latency restrictions and greater installation and configuration complexity.

Before you decide if a VPN service is right for you, always check that the use of a VPN is legal in your country. At the time of writing, the use of VPNs is illegal in Belarus, Iraq, North Korea, and Turkmenistan. The use of VPNs is also restricted in China, Iran, Oman, Russia, Turkey, and UAE.

VPN Client

A VPN client is a device that a user uses to connect to a VPN server via a VPN tunnel. The client device can be any computing device such as a smartphone, tablet, games console, laptop computer, or router. Some VPN services also support eReaders like the Kindle Fire, consoles, and smart TVs that run on Android or Fire OS, including Amazon Fire TV.

If a user has a device that does not support a VPN application, then an alternate approach is to install a VPN application on the router used by that device to access the Internet. In this case, the router acts as the VPN client and protects all connected devices. This is a useful approach if the Internet of Things (IoT) devices such as smart heating controls require protection.

A VPN client typically uses software-based technology to establish a secure connection between the user’s device and a VPN server. Some VPN client applications operate automatically in the background. Other applications are implemented with front-end interfaces that allow the user to configure and manage the VPN connection. VPN clients are often applications that are installed on a computer, though some organizations provide a purpose-built VPN client that is a hardware device pre-installed with VPN software.

Most popular operating systems, including Windows, Ubuntu (Linux), macOS, iOS, and Android, come with basic VPN client software pre-installed. Third-party client software is also available that is simpler to configure via a user interface and offers additional features and benefits. Third-party VPN clients include applications developed by VPN protocol developers such as OpenVPN and SoftEther clients. They also include applications developed by VPN service providers. Premium VPN service provider products are more likely to allow the user to choose from a range of protocols. They include advanced security features such as a kill switch and automatic reconnection.

A VPN client's essential requirements are cross-platform support for all the devices that need protection and features to guard against IP and DNS leaks, that is, traffic or name lookups escaping the tunnel.

VPN protocol

Protocols are formal standards that define the processes and formats for communication between devices over a network. VPN protocols specify the authentication, key exchange, and encryption used to protect data travelling between client devices and a VPN server. Not all VPN protocols are equal; older protocols contain vulnerabilities that allow an attacker listening to the encrypted traffic in a VPN tunnel to recover the keys or the plaintext.

VPN users should ensure that their VPN service provider either uses one of the latest and most secure protocols or allows them to choose their preferred protocol from a suitably robust list of options.

Point-to-Point Tunneling Protocol (PPTP) is one of the oldest VPN protocols and remains in use despite known vulnerabilities. Its popularity is down to its integration into most operating systems and its simplicity to set up. However, its MS-CHAPv2 authentication can be broken and its MPPE encryption (RC4 with a 128-bit key) is weak, so it should not be used.

Layer Two Tunneling Protocol (L2TP) combines features of PPTP and Cisco's L2F and provides the tunnel only; it relies on IPsec for authentication and encryption, hence the usual name L2TP/IPsec. IPsec is normally configured with AES, up to 256-bit keys, making it far more secure than PPTP, and it is supported by most operating systems. It is more complicated to set up than PPTP but has few known weaknesses when configured with strong settings.

Secure Socket Tunneling Protocol (SSTP) is a Microsoft protocol supported natively only on Windows, although third-party clients exist for other platforms. Traffic is carried inside an SSL/TLS connection on port 443, making it fairly transparent to firewalls and proxy servers. Designed for remote client access, it is unsuitable for site-to-site VPN tunnels.

OpenVPN is a popular open-source VPN protocol and software package that uses SSL/TLS for authentication and key exchange and supports 256-bit symmetric ciphers such as AES-256-GCM. Its large, active community reduces the risk of vulnerabilities going unpatched or backdoors going unnoticed. It can run over either transport. OpenVPN over TCP inherits TCP's retransmission and ordering, which keeps the tunnel up on poor links and passes through restrictive firewalls, but at a cost in latency and, when TCP traffic is carried inside a TCP tunnel, a compounding of retransmissions under packet loss. OpenVPN over UDP, the recommended default, avoids this overhead; the applications inside the tunnel still use their own transport (typically TCP) for reliability, so nothing is lost in integrity, and latency-sensitive uses such as streaming and gaming benefit.

WireGuard is a newer open-source VPN protocol designed as a simpler alternative to OpenVPN and IPsec: it has a very small code base, a fixed set of modern primitives (Curve25519 key exchange, ChaCha20-Poly1305 encryption) with no cipher negotiation to misconfigure, and is built into the Linux kernel, giving lower latency and higher throughput. One caveat is that it assigns each peer a fixed tunnel address and keeps the peer's real address in memory until the session expires, so providers must take extra steps to offer a no-logs service.

Cisco has some useful information on VPN protocols here.

VPN Server

A VPN server is simply the server to which users connect their client device in order to reach the Internet through the VPN. Typically it is operated by the VPN service provider. When active, the VPN creates an encrypted tunnel between the client device and the VPN server and forwards the traffic onto the Internet from there. The leg from the VPN server to the destination is not encrypted by the VPN; it is only protected if the application itself uses encryption, such as HTTPS. The tunnel prevents any third party who intercepts communications between the client device and the VPN server from reading them; it also prevents the ISP from monitoring and recording the traffic, and presents the destination with an IP address belonging to the VPN server rather than the user.

Usually, VPN service providers allow the user to select from several VPN servers in various countries. A server on the opposite side of the globe noticeably increases latency and reduces throughput, which is why it is usually recommended to pick a server geographically close to the client device unless there is a specific reason to use one in a particular country.

An alternative option that provides protection when using public networks or travelling abroad is for the user to host a VPN server at home. Routers are available with built-in VPN server functionality, which makes this straightforward. Other options include installing a VPN server package such as OpenVPN or WireGuard on a computer connected to the home network.

Creating a VPN tunnel from a mobile device to the home VPN server routes all of the device's traffic through the home internet connection from any location. This is only practical if the home connection has enough bandwidth, particularly upload bandwidth, to carry both the inbound tunnel and the outbound internet traffic. Also, while it gives a secure connection when using public networks, it does not offer the anonymity a third-party VPN provider does: the traffic leaves from the user's own home IP address.

VPN Tunnel

A VPN tunnel is the term for the encrypted connection between two points, for example, from a client device and a VPN server. This creates a secure connection over an unsecured network such as the Internet.

Encryption algorithms encode the data so that only authorized parties can read the information in the transmitted data. Eavesdroppers and other unauthorized parties cannot access it unless they can break the encryption or steal the keys. This is why it is essential to use a robust encryption algorithm and a secure, authenticated method of exchanging keys between the authorized parties.

The VPN service provider will define the VPN protocol and encryption algorithms used to establish the VPN tunnel. Premium VPN service providers commonly offer the user a choice from a set of options. This allows the user to tailor the VPN tunnel to either offer higher security at the expense of latency to protect sensitive information or lower security but better latency when the user uses the VPN tunnel for data-intensive activities such as streaming videos or music.

VPNs typically use IPsec or SSL/TLS to establish the tunnel. The handshake uses public-key techniques (certificates or static public keys, and a Diffie–Hellman exchange) to authenticate the two ends and agree fresh session keys; those session keys are then used with a symmetric cipher such as AES-GCM or ChaCha20-Poly1305 to encrypt and authenticate all the data sent through the tunnel. The handshake adds a little latency when the tunnel is set up, and the per-packet encryption adds a little thereafter, but delivers the required security. The tunnel's performance in terms of latency and bandwidth is largely determined by the VPN protocol used.

Cloudflare has a great explanation of tunnels here.