A VPN is unlikely to protect you

The Curious Codex

             1 Votes

2019-05-17 Published
2024-07-11 Updated
2047 Words, 11  Minute Read

The Author

By Matt (Virtualisation)

Matt has been with the firm since 2015.


It seems that the Internet, and Social Media (especially YouTube) is full of advertising for VPN's so you can somehow access the internet in a covert way, but what they don't tell you is that for most people a VPN does absolutely nothing except empty your wallet.

VPN stands for Virtual Private Network, and VPN's have an important role when you want information encrypted between two endpoints. GEN Uses a highly secure VPN (Our SAS Service) built on Juniper Pulse Secure which enables our customers to connect to our Intranet and from there access their companies private networks.

GEN SAS provides three important roles;

  • It authenticates the end user.
  • It encrypts all traffic from that end user to the Intranet.
  • It provides for privilege enforcement so that some users can only access some resources from their company.

End User VPN's such as HMA, NordVPN, SuperVPN, UltraVPN, SafeVPN, CyberGhost, ExpressVPN, IPVanish, SaferVPN, PrivateVPN, Hotspot Shield, StrongVPN and many more, advertise that they have Unlimited Bandwidth, Zero Logging and a plethora of technical misnomers to entice the uninformed into parting with their hard earned cash for the promise of anonymity. 

Will a VPN protect me?

That's very simple, as long as you don't use it on the same device you regularly use for internet access then possibly, but unlikely. To understand exactly why that is, let's first understand what the VPN is actually doing for you. 

How a VPN works

When you access the internet, traffic from your devices (Pc's, tablet's, etc) goes to your router, the router has the job of forwarding your requests to the internet, and receiving data back from the internet and relaying them to your devices.

Your router will appear on the Internet as one IP Address (usually) and this IP address will either be fixed (static) to will change from time to time (dynamic). Your ISP knows which IP address you are using at any point in time because your router 'authenticates' with the ISP when it first connects. From the ISP's point of view your router is assigned an address from its pool (either the same every time - Static, or a random one -Dynamic). Because your ISP knows which IP Address you are using at any one time, and because 'most' ISP's use traffic shaping then they can prioritise or delay traffic of certain types, as well as maintaining logs of what you access and when.

As a Business ISP, we don't prioritise or delay anything but for the purpose of this article we're going to assume the majority of our audience could be domestic users, as this is the target for most of the advertising.

A VPN establishes a software 'tunnel' between your device and a server on the internet managed by your chosen VPN provider. Now all traffic that is sent to the internet will instead be sent through this tunnel and the IP Address that originates your traffic will be the IP Address assigned to the VPN providers server. Likewise, traffic received for you will be routed back through the same software tunnel to your device. There is optional encryption of varying strength provided by a software VPN and different providers will use different methods and strengths. 

How a VPN Works

I want to draw your attention to the image above, which came from the site advertising VPN Services for a price, and I used this image for three reasons; Firstly, its a good image and whilst over simplified does show the basics. The image does highlight, to me at least that there are two glaring weak points in this setup; YOU and the VPN Server. Compromising either gives the game away and its not impossible to do. 

You don't really know 'who' you are connecting to with your VPN client, it could be the company, it could be some other company, it could be nefarious actors, there's no way to tell, and if someone were to compromise the VPN server, they would be able to decryption everything, and I mean everything.

If on the other hand your PC is compromised, then the VPN does absolutely nothing.

Using a Browser via the VPN

When you visit a page, such as 'google.com', your browser is kind enough to share with google.com the contents of any cookies stored in your browser, these cookies are created and updated every time you visit a particular website. Google for example uses 6 different classifications of cookies, many with multiple cookies each and spreads cookies over 17 google domains that they list in their privacy policy. These cookies IDENTIFY YOU explicitly. Every time you login to any google service such as youtube, google, gmail, etc your identification is stored in cookies. Using a VPN has zero effect on google tracking you via its cookies so even though you IP has changed and may even be in a different country, google knows who you are. This is not limited to google, but pretty much all websites you visit will have some sort of tracking data in cookies.

You can of course clear these cookies manually, but the first time you use a google server, facebook, twitter, intstragram, pinterest and so on, the game is over and you're identified. 

Some browsers more than others are also leaky. For example, many browsers today have plug-ins or built-in features that send every website you visit to the browser developer or a third party (such as your antivirus provider) to 'check' for phishing or fraudulent sites, but with that data also goes personally identifying data. If your using your VPN, the the same data will travel the VPN therefore identifying your new IP Address. Turning all this off is not a simple process but its do-able in most browsers.

Additionally browsers and operating systems exhibit a range of security vulnerabilities that can be and are exploited regularly by carefully crafted javascript, a plug-in or extension or as a downloadable application which are able to access not only cookies but identifiable data such as serial numbers, license numbers, and with very little effort your real IP Address. The technical strategy to achieve this is way beyond the scope of this article, but trust me it can be done and it's not that hard to do. 

Using an Application via a VPN

So you've decided that your never going to use a browser on your VPN and that's a great start, but you should know that on Windows and MacOS, your operating system is communicating with Microsoft and Apple almost constantly, your antivirus product is communicating back to base constantly, even your keyboard driver could well be calling home to check its version etc. So your identity is being given away on an almost constant basis to a wide and varied range of companies. Stopping this is pretty much impossible with Windows and MacOS, but it is do-able on Linux with some effort. 

Using email via a VPN

Using email requires two things to happen, firstly your device needs to connect to the mail server which stores your email. For our customers that server is probably mail.genzone.net, this server records the fact that you have logged on to your mailbox, and your current VPN's IP. For GEN this information is only kept for 36 hours after which time its purged, but the majority of other email providers such as Microsoft (office365, hotmail etc), Google (Gmail, GSuite etc), and many more will keep this information for considerably longer, and of course they will share it internally to connect your IP to your identity. 

DNS Leakage

DNS is the Domain Name System and is used to convert a domain name, like www.gen.net.uk into an IP Address. When using a VPN, DNS Queries SHOULD be intercepted and handled over the tunnel by the remote server, but this is often not the case leaving DNS queries to be sent to your ISP. This allows your ISP to track every website your visiting, but not the actual content which will go over the VPN tunnel. 

Using a VPN to bypass GeoIP

Some commercial services such as Video-on-Demand will check the country associated with your IP Address and reject those outside of coverage. In most cases, this occurs with USA networks such as HBO, SYFY, Discovery etc and using a VPN that will allow you to connect to a server in the USA may temporarily bypass this restriction, and assuming that is you have a billing address and bank account in the USA to setup the account. Even then the performance is often so poor that watching video on demand from the USA over a VPN is problematic even if it works at all and of course these companies are actively working to blacklist VPN Service IP's. 

Google, Facebook, Twitter, and pretty much all commercial websites are actively working to add VPN servers to a list of IP's that are banned. Google for example rarely works from a VPN instead complaining that 'unusual traffic' has been received, and services like video-on-demand are also quick to blacklist VPN servers from their services. The company MaxMind commercialise a maintained list of VPN IP's with "Anonymizers can cause headaches for companies attempting to identify who is visiting their website. The GeoIP2 Anonymous IP database provides insight into your traffic by identifying IP addresses which are used as various forms of anonymizers".

How can I be covert online

There are certainly ways to do this, but it requires some discipline and structure. Firstly the Tor Project provides a complete package of browser and VPN that's free to use and is technically secure (I recommend you make a small donation to the project if you use it regularly). You must still ABSOLUTELY NOT login to any websites using this service or once again you're identified, but you are otherwise reasonably covert. Applications and your email client cannot use Tor so they will not give away your ID. (There are some situations where you can setup Tor to route all traffic but this is not the default configuration, requires some work, and is definitely NOT recommended). 

Using a virtual machine, preferably linux, can provide you with a 'covert' presence since you will ONLY access the VPN via this virtual machine, and again providing you DO NOT login to any websites or use any applications on your virtual machine that are shared with your local machine.

Breaking the VPN

A VPN by default is point to point, which means that you will have a tunnel from your device to a remote server managed by a company. This presents an inherent weakness in your protection because by compromising the server you're connected to, both your identity and traffic can be exposed. VPN providers will tell you that there's zero logging, but that's rarely true because if there was no logging then how could they validate your credentials and respond to any support requests? Even without logging, many of these providers are buying traffic from an ISP who certainly does log and probably capture traffic. Should an agency require to identify the user then they would only need to compromise one physical endpoint server in order to do so and we know this has happened in the past. 

In Summary

Using a VPN service like many listed above will give you some limited protection providing you are using a virtual machine and NEVER use credentials to connect to any website unless those credentials were created specifically from your virtual machine and never used elsewhere. Its hard work and I'm not sure anyone going about their lawful business would want to put this much effort into being covert online. Servers operated by VPN providers are blacklisted constantly so never pay for your VPN service more than a month in advance or you could find it no longer works for the purpose you intended. 

Anyone serious about operating covertly online should consider using (a) multiple VPN's traversing several Jurisdictions and (b) using burn-boxes to perform online activity. Both solutions, again providing you NEVER EVER use the same credentials to login or the same browser, email or applications in both your local and VPN/burn-box environments can give you covert protection but I must point out that it only takes one slip-up and you will be exposed and identifiable. 

             1 Votes

--- This content is not legal or financial advice & Solely the opinions of the author ---

Version 1.011  Copyright © 2024 GEN, its companies and the partnership. All Rights Reserved, E&OE.   ^sales^  0115 933 9000  Privacy Notice   351 Current Users