By Yaroslav Vorontsov, Software and Security Architect, DataArt
The popularity of VPNs is growing every day. Usage is skyrocketing as people realize how much information they leave behind on the Internet, how much data IT giants collect, and how fast the number of breaches and data leaks is rising. Not surprisingly, Internet users want a tool to help them protect their privacy.
VPNs were originally created to connect business networks securely over the Internet or to allow employees to access a business network remotely. Soon thereafter, people began using VPNs as alternative Internet access points (as a way to change their location / IP address or to bypass Internet censorship).
Today people are looking for ways to keep their online activity protected, and VPNs have come to the rescue. According to The Best VPN, there are a number of reasons why Internet users are using VPNs:
- 50% say they use a VPN for access to geo-blocked entertainment content
- 34% say it’s to access social networks and news services restricted by governments
- 31% say it’s to browse anonymously.
However, using a VPN connection doesn’t guarantee online anonymity. For example, many VPN providers state that they do not keep logs in order to ensure privacy; however, this is not always true. It’s important to remember that a provider stores user credit card details and must obey local laws – this means that some information is still collected, and this information could be aggregated, for example by law enforcement, to identify a person who used the VPN service at a particular time. The only relatively reliable way to maintain better privacy with classic VPNs is to rent a VM or dedicated server, deploy any of the many free VPN packages on it, and allow connections only from devices you trust. This requires basic IT skills, so it might not be an option for ordinary users – that’s why they prefer proxies (which generally have the same privacy issues as VPNs do, since you still have to trust a provider) or Tor (which is slower, but easy to start using via a special browser).
Another method used by restrictive governments to block a user’s online traffic is a system called DPI, or Deep Packet Inspection. Deep Packet Inspection is a network packet filtering method that analyzes both the header and the data portion of a packet (a small bundle of data related to everything you do, send, and receive online) and decides whether particular network streams (sequences of packets used for communicating with a resource) are allowed or not. If VPN traffic is moving through a non-encrypted tunnel, the DPI system can recognize it and block the user’s connection. Even after VPN protocols began to use encryption, DPI systems were upgraded and gained the ability to capture VPN connection sessions and block them by protocol type. That is why most VPNs are easily recognized by DPI systems and by next-generation firewalls. Such systems are installed by restrictive governments to prevent people from using private connections and to force them to follow the government’s Internet regulations; they are also used in corporate traffic monitoring systems to enforce security policies.
The only “classic” VPN protocol that cannot be spotted by DPI without SSL/TLS traffic inspection is SSTP (Secure Socket Tunneling Protocol). It is a popular VPN solution developed by Microsoft and supported by multiple other vendors. SSTP carries its tunnel inside SSL/TLS over port 443, so on the wire it looks like ordinary HTTPS. This technique is known as a great solution that helps SSTP bypass online restrictions and almost every kind of firewall, except those which have TLS inspection enabled. In such cases, the firewall performs a so-called “man-in-the-middle attack” to decrypt the payload of network packets and check it according to the rules configured by administrators. Once the traffic is decrypted, the firewall can intercept the PPP authentication inside SSTP, match it against the blacklist of protocols, and terminate the VPN session.
Fortunately, over the last few years, several fundamentally new VPN solutions have appeared, all of which mimic some other kind of traffic that isn’t banned. Such a means of data transfer is called steganography – it helps not only in keeping data private, but also in hiding the fact that encrypted data is being transferred at all. Since the traffic produced by these VPNs can’t be distinguished from ordinary TLS or even from noise/garbage, they circumvent DPI appliances quite easily. The most interesting among such VPNs are:
1) SoftEther VPN is a Japanese Academic Research Project at the University of Tsukuba. The SoftEther VPN protocol is responsible for securing communications between the VPN client and the VPN server. It basically establishes an encrypted tunnel between the two, ensuring that any information that passes through the tunnel can’t be monitored by anyone. In a basic configuration, it is indistinguishable from an ordinary TLS stream, but it could also be tweaked to use DNS or even ICMP packets for data transfer.
2) GoVPN. It features encrypted authenticated data transport that hides the message’s length and timestamps. GoVPN is resistant to offline dictionary attacks, replay attacks, and has the ability to work through UDP, TCP, and HTTP proxies. It also provides a censorship-resistant mode, so the traffic becomes fully indistinguishable from the noise.
3) WireGuard. A brand-new solution which was recently included in the Linux kernel mainline. WireGuard has been designed with ease of implementation and simplicity in mind, so it’s extremely simple to configure and provides great performance and security.
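To make the DPI discussion above concrete, here is an added example (not code from the article or from any of the projects it names) of the kind of first-packet fingerprinting a DPI appliance performs. It checks the public wire formats of a TLS ClientHello, an OpenVPN session-reset packet (the P_CONTROL_HARD_RESET_CLIENT_V2 opcode without tls-auth) and a WireGuard handshake initiation (message type 1, fixed 148-byte size, UDP only). All sample packets are constructed, not captured, and the classifier is deliberately minimal: real DPI engines also weigh ports, timing, TLS fingerprints and follow-up packets. The point it illustrates is the article’s: an SSTP client’s first bytes are an ordinary TLS ClientHello, so without TLS inspection the classifier can only say “tls”, while OpenVPN and WireGuard announce themselves, and a noise-like stream such as GoVPN’s censorship-resistant mode matches nothing.

```python
# Toy first-packet protocol fingerprinter in the style of a DPI appliance.
# Added example; byte layouts are the public wire formats of TLS, OpenVPN and
# WireGuard, and every sample packet below is constructed, not captured.

TLS_HANDSHAKE = 0x16                 # TLS record content type "handshake"
TLS_CLIENT_HELLO = 0x01              # handshake message type ClientHello
OPENVPN_HARD_RESET_CLIENT_V2 = 7     # opcode lives in the top 5 bits of the first byte
OPENVPN_HARD_RESET_LEN = 14          # opcode(1) + session id(8) + ack array len(1) + packet id(4)
WG_HANDSHAKE_INITIATION = b"\x01\x00\x00\x00"   # message type 1 + three reserved zero bytes
WG_HANDSHAKE_INITIATION_LEN = 148


def is_tls_client_hello(data: bytes) -> bool:
    """TLS record header (type, version, length) followed by a ClientHello handshake."""
    return (len(data) >= 6
            and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04      # SSL 3.0 .. TLS 1.3 record versions
            and data[5] == TLS_CLIENT_HELLO)


def is_openvpn_reset(data: bytes, transport: str) -> bool:
    """First packet of an OpenVPN session (hard reset from client, no tls-auth HMAC)."""
    if transport == "tcp":
        # over TCP every OpenVPN packet is prefixed with a 2-byte big-endian length
        if len(data) < 3:
            return False
        length = int.from_bytes(data[:2], "big")
        body = data[2:2 + length]
    else:
        body = data                                   # over UDP the datagram is the packet
    return (len(body) == OPENVPN_HARD_RESET_LEN
            and body[0] >> 3 == OPENVPN_HARD_RESET_CLIENT_V2)


def is_wireguard_initiation(data: bytes, transport: str) -> bool:
    """WireGuard runs only over UDP; its first message has a fixed type and fixed size."""
    return (transport == "udp"
            and len(data) == WG_HANDSHAKE_INITIATION_LEN
            and data[:4] == WG_HANDSHAKE_INITIATION)


def classify(data: bytes, transport: str) -> str:
    """Return the protocol label a DPI rule set would attach to the first packet of a flow."""
    if is_tls_client_hello(data):
        return "tls"            # could be HTTPS, could be SSTP: indistinguishable without TLS inspection
    if is_openvpn_reset(data, transport):
        return "openvpn"
    if is_wireguard_initiation(data, transport):
        return "wireguard"
    return "unknown"


# Constructed sample first packets (hypothetical, not real captures)
# (a) what an SSTP client, like any HTTPS client, sends first: a TLS record carrying a ClientHello
SSTP_FIRST = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x03"
# (b) OpenVPN over TCP: length 14, opcode 7 / key-id 0 (0x38), session id, ack length, packet id
OPENVPN_TCP_FIRST = b"\x00\x0e\x38" + b"\x11" * 8 + b"\x00" + b"\x00\x00\x00\x00"
# (c) WireGuard handshake initiation: type 1, reserved zeros, then 144 bytes of handshake payload
WIREGUARD_FIRST = WG_HANDSHAKE_INITIATION + b"\x22" * 144
# (d) a stream that looks like noise, as a censorship-resistant transport aims to
NOISE_FIRST = bytes(range(7, 7 + 80))


def demo() -> dict:
    """Classify each constructed sample; returns the verdict per sample name."""
    return {
        "sstp": classify(SSTP_FIRST, "tcp"),
        "openvpn": classify(OPENVPN_TCP_FIRST, "tcp"),
        "wireguard": classify(WIREGUARD_FIRST, "udp"),
        "noise": classify(NOISE_FIRST, "udp"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:10s} -> {verdict}")
```

Running it shows the asymmetry the article describes: the SSTP sample is labelled only “tls”, so a firewall that wants to stop it has to decrypt the session and look for the PPP authentication inside, whereas the OpenVPN and WireGuard samples are identifiable from a handful of plaintext header bytes, and the noise sample yields no label at all.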
It’s also worth mentioning that there are extra tools that help maintain network privacy, like HTTP and SOCKS proxies, the Tor network, the GoodbyeDPI utility, and others. Each of them, including VPNs, has advantages and disadvantages. It’s worth taking a closer look and choosing the right tool for the purpose and planned activities.
About the author:
Yaroslav Vorontsov is a Software and Security Architect at DataArt Solutions, Inc. and leads the Security Assurance program aimed at integrating security into software products starting from day one. Yaroslav supervises a number of major projects as a security architect, conducting regular architecture and security reviews, arranging periodic penetration tests and infrastructure audits, and helping with secure coding and environment hardening best practices. Yaroslav joined DataArt as a mobile application developer in 2010. Over the last decade, he has participated in many projects as a team leader and was responsible for key architectural and technical decisions that helped build custom solutions quickly and efficiently.
Yaroslav holds a PhD in Applied Math, Numerical Methods, and Computer Science.
DataArt is a global software engineering firm that takes a uniquely human approach to solving problems. With over 20 years of experience, teams of highly-trained engineers around the world, and deep industry sector knowledge, we deliver high-value, high-quality solutions that our clients depend on, and lifetime partnerships they believe in.