Most VPN services fail to provide a level of data protection and anonymity that would pass professional-level muster. Part 3 of our VPN miniseries shows how confusion about this 20+-year-old technology and its complexities has added new risks and threats.
In the first two posts, we focused on the “online privacy” promise of VPN, and on how misconceptions about VPN impact IT security and productivity in the enterprise in general.
In this post, we’ll address the most common misunderstandings about VPN and their ramifications one by one.
A VPN service creates a secure connection (often described as a “tunnel”) between two computers, say between an executive’s laptop at home or on the road and a company server.
This can provide protection, for example when going online via public WiFi networks or consumer-grade home broadband connections. Many services encrypt much of the data transmitted from point to point within the VPN. Others - and that’s the bad news - don’t.
Their “tunnel walls” are riddled with cracks, as we explain in detail in this post. With some VPN services, not all data gets encrypted. As if the VPN concept weren’t complex and confusing enough for many, admins and users are saddled with the burden of verifying precisely what a given VPN service is encrypting - and what it is not.
Another often misunderstood feature is VPN’s capability to conceal the web user’s true identity and location. For professional web users such as analysts, security researchers, fraud investigators, or law enforcement, the latter feature is essential when conducting sensitive online research.
Anti-Money Laundering (AML) researchers in a bank, for example, cannot risk disclosing their IP address, corporate network information or location coordinates to a suspicious website as “XYZ Bank, New York, NY,” because that could alert adversaries and allow them to cover their tracks.
The catch here is that presenting the information of the machine at the VPN “tunnel exit” is often an unreliable way to hide the originating computer. Also, information leaked from the local browser used with VPN still lets adversaries identify the user via “browser fingerprinting” and other methods.
In short, most VPN services fail to provide a cloak that would pass professional-level muster. Relying on VPN can lead to serious data breaches. For professional researchers and analysts in security-sensitive areas, VPN’s shortcomings and inconsistencies pose a big problem. They can put operational security at risk and result in blown covers and incomplete or contaminated research results.
Source: Amir Khashayar Mohammadi
Another common misconception about VPN is that it protects against malware, such as keyloggers, ransomware or phishing attachments that carry an infectious payload.
It does not. Because VPN provides merely an encrypted method to protect data in transit, all it really does is encrypt malware encountered on an infected site or in an email before it gets transmitted for download onto the user’s computer and can spread from there.
The list goes on. Think again before relying on VPN for secure and safe web access. In a white paper titled VPNs Are Not As Secure As You Think, researchers at content delivery network Akamai conclude: “VPNs are a weak security solution.”
Granted, given the web’s inherent security weakness, without VPN many organizations and individual users would be even worse off. So, uncork the champagne?
The shady operators who are profiting from the confusion probably do. VPN is attracting them in droves.
Criminals and unscrupulous marketers are looking to cash in on users’ legitimate security and privacy concerns. VPN apps and browser plugins offered by scammers are adding new threats, preying on users looking for increased privacy on a small budget or for free.
Phony VPN services have been found to spy on unsuspecting users or to expose their computers to malicious code, for example via injection of ad spam (“malvertising”) into the browser.
On the enterprise level, even legitimate VPN offers can introduce new vulnerabilities.
When enterprise apps are deployed in different locations, on-site or in the public cloud, each of them may require a separate VPN gateway that needs to be configured manually.
The current shortage of IT security professionals is compounding the challenge. If policies are not applied consistently across all gateways, security suffers. As the Akamai researchers warn in their whitepaper, “VPNs result in fragmented security policies for distributed enterprises.”
As confused as many users still are about its advantages and disadvantages, most share one main gripe: VPN is notoriously slow.
Users complain that it puts the brakes on critical workflows and lowers productivity. In their whitepaper, the Akamai security researchers put it this way: “Users hate the VPN experience.”
So what if they could remain safe and anonymous online, at speeds often faster than with a locally installed browser - without VPN?
They can - with Silo, the cloud browser delivered as-a-service by Authentic8.
If the last point sounds counterintuitive, there’s a simple explanation. Optimized CPUs and the cloud browser’s high bandwidth internet connection are a part of it. Another part: While the actual web page may be huge, the amount of display data that Silo sends back to the user’s computer tends to be significantly smaller.
The reason becomes apparent when we consider the lengthy scripts, hidden thumbnail images and humongous CSS sheets local browsers have to process. With Silo, they remain contained on the Authentic8 server.
For the Silo user, the web page looks just the same. A 30-50% reduction in bandwidth usage [PDF] is not uncommon with Silo, and less bandwidth means faster speeds.
Here’s how Silo works: Silo processes all web content remotely, isolated in a cloud container. Instead of web code, it transmits an encrypted display of the remote browser session back to the user.
The remote browser instance is built fresh at session start and destroyed at session end. It leaves no trace of the user’s web activities behind (such as cookies or residual code).
Authentic8 does not monetize Silo user data, which is stored and processed only to the minimum required to provide the service. Silo is used by some of the world’s most security-sensitive organizations in various fields and industries. This includes the Raytheon Corporation. Raytheon selected Silo for protection of its mission partners because “Silo eliminates risk on the web, allowing users to utilize internet resources and applications for critical workflows while protecting their digital environment.”
This post can highlight only a few of the critical issues that are important to consider for anyone looking to use or expand VPN. For a more in-depth comparison of VPN and secure cloud browser capabilities, check out the Authentic8 report VPN for Secure and Private Web Access? Think Again, which contains a detailed Comparison Chart VPN vs. Cloud Browser [PDF].
This post is based in part on the Authentic8 report VPN for Secure and Private Web Access? Think Again. I want to thank Robert McGarvey for his contribution.