In the last few years, I’ve clearly seen a rise in the offering of commercial VPN services. I would find out about these VPN hosting networks in the past by a new yahoo, gmail or hotmail account on the openswan-users mailing list, repeatedly asking the same questions. They would tend to not like the answers we gave them but develop and deploy their systems anyway.In the last few years, more and more keep popping up and vanishing really fast, making me wonder if these are run by the same group of people constantly rebranding themselves, or whether new people keep inventing the same brain-dead idea. Yes, offering a commercial VPN service to “help” people is a very brain dead idea.

Legal issues

The first and foremost reason all these commercial VPN providers are nothing more then snake oil is because it quickly runs afoul with the law. Most, if not all, OECD countries have computer crime laws in place that mandates every ISP service that adds a cryptographic layer for their customer must be able to remove that cryptographic protection lawyer and hand over decrypted traffic to any law enforcement agency (LEA). And that is the best case scenario. I would not recommend the casual reader to attempt to work around encryption laws in non-OECD countries – whatever you’re trying to do, it’s likely not worth the jail time usually associated in such countries for using “illegal encryption”.

These laws mean you can never outsource your crypto to someone else. You must do it yourself. At most, you are putting a few legally separated jurisdictions between yourself and your government. If you’re just one of the four million people downloading Game of Thrones you’re more protected by the sheer numbers of violators, then by adding any commercial VPN service between you and The Pirate Bay. If you gave that VPN provider your name and credit card details when you signed up you might actually end up being in a worse position. Courts often will not take an IP address as proof that the person paying for the internet service (you) did something illegal. However, a credit card transaction in combination with traffic statistics showing you are using the service will be an excellent argument in court against you. And the VPN provider will have to hand those over as soon as a LEA knocks on their door. It might be using a non-US based credit card or paypal processor, but in the end, all roads lead to a few major US based financial institutions with enough US economic ties to turn your VPN provider over to the FBI at the first sign of trouble.

Technical dependencies

And on top of that, most VPN providers have technical dependencies in the US, for example by using a com/net/org domain name for their service, running DNS servers within the US, or even having their website or VPN servers located inside the US.

But measures like in The Netherlands where people need to subvert the Pirate Bay censorship at the ISP level to be able to watch Game of Thrones (not broadcast by any commercial TV service in the country) seems to attract a lot of new customers for these types of services. Other frequent annoyances that people want to circumvent are geo-restrictions based on IP address. I cannot watch The Daily Show or South Park using their own video streams, because I live in Canada, and they have commercial reasons why they cannot serve non-US customers. The same applies (or applied) to other services like Hulu, Netflex, etc.

VPN’s are not just a button that protect you. Realise that all your traffic is being intercepted and sent through this VPN tunnel. The people you’re paying about $10/month get to have a copy of all your traffic! How much dedicated security do you think they can offer their customer? How many lawyers do you think they have on staff to verify all warrants and tapping orders coming in?

Using VPNS for a few bucks a month to “steal” these services won’t get you in too much trouble, it’s just petty crime. The real trouble with these VPN services happen for people who’s lives depend on their anonymity.

Marketing and other lies

The real danger with these VPN services are the blatant lies about what services are provided. Take for example the latest one that came to my notice, SuperVPN.net. It’s a very typical offering. They promise “complete anonymity“, “absolute anonymity” and “your real IP address will never be stored“. It offers “128 bit encryption” without specifying anything about the encryption algorithm. It’s all marketing to the ignorant. Your IP address likely leaks immediately to any malicious website that wants it. You probably already sent some HTTP cookies when those browser tabs reconnected to facebook, gmail and twitter.

You can have the strongest encryption on every packet you send out on the internet, but that says absolutely nothing about anonymity. Your browser is full of cookies, history and the ability to run code like javascript or flash or html5 that could reveal your identity. People could play DNS tricks on your and leak your location. Any true anonymity solution will try to handle both the operating system and application level, as well as the network encryption. If you need anonymity, please use something like tor. Do not depend on any of these services!

Technical issues

Again looking at SuperVPN as example, they offer PPTP, SSL, OpenVPN and L2TP services. Some of these require certificates that will reveal who you are while you authenticate with your VPN provider. Or they use prehared keys meaning you can easily be fooled by another customer pretending to be your VPN provider. And most importantly, all of these protocols are not hiding the fact that they are VPNs. If the country you are in out-laws cryptography, you just pointed a targeting laser at yourself.

If you ever see anyone promising security using PPTP, you know you arrived at snake oil heaven. PPTP was broken about 10 years ago, and its successor L2TP had its native encryption layer mostly replaced by IPsec. L2TP itself is now on its way out to be replaced by a pure (IKEv2) IPsec solution. VPN services that offer these obsoleted VPN protocols value your money more then your privacy or security.

And even with strong L2TP/IPsec VPNs, your anonymity can easily leak, especially when used on mobile devices that hop from network to network, guaranteeing your VPN will go up and down repeatedly, inevitably leaking some unencrypted data to reveal your identity. More on that soon by some of my fellow cypherpunks….

If you’re just using these vpn services to bypass GEO IP locations and the traffic you send over this VPN is just a video stream, then it might be worth your $10/month (though it might be illegal for you to do this). If you need real VPN security, use a trusted party to provide you with a VPN connection, or run your own virtual or real server in your favourite jurisdiction.  If you need privacy, use TOR.