VPNs do not provide the security properties people expect:
"VPNs were originally designed to get into a secure network, but companies have repurposed them so you can escape a restrictive internet service provider you don't trust and access a free and safe one instead," Crandall says. "So, the way people use VPNs today is kind of backwards."
Crandall notes this access is helpful when users are worried about their browsing data being monitored through their internet service provider, or ISP, or when users are in a country that censors their internet activity.
[...] "We're really just asking the fundamental questions like, 'When you repurpose VPNs in this way, do they actually have the security properties that people expect?'" he says, reiterating his work's focus on at-risk users who face severe consequences from censorship and surveillance policies. "The first part of the research that we did was looking at the VPN tunnel itself, which is an encrypted tunnel between the VPN server and the client, to see what kind of damage attackers can do from there."
[...] The team concluded that traffic can still be attacked from the tunnel in the same ways as if a VPN were not being used, with attackers able to redirect connections and serve malware, which is exactly what users believe a VPN protects them from.
[...] "For people around the world, there can be a lot at stake when VPN providers market with false claims about their services. Our research exposed how VPN-based services, including the ones marketing their VPN service as 'invisible' and 'unblockable,' can be effectively blocked with little collateral damage," says Ensafi, an assistant professor of electrical engineering and computer science. [...]
"As VPNs continue experiencing increased usage, repressive countries have developed some of the most sophisticated censorship and surveillance technology in response," Mixon-Baca says. "This work is crucial to make progress toward understanding how these systems operate and developing defenses for attacks on the users who depend on VPNs."
USENIX presentation slides as well as a ten-minute video of the talk
Related Stories
The Tor Project and Mullvad VPN have both announced collaboration on a privacy-oriented web browser. The joint browser, which is based on Firefox, has the features of the Tor Browser but operates over the Mullvad Virtual Private Network rather than Tor's onion routers. The collaboration has helped polish interface improvements and address several long-standing issues.
Mullvad and the Tor Project have been part of the same community that is dedicated to developing technology that prioritizes protecting people's right to privacy for many years now. Mullvad contributes to the Tor Project at the highest level of membership, Shallot, and was a founding member of the Tor Project's Membership Program. They approached us to help them develop their browser because they wanted to leverage our expertise to create a product that is built on the same principles and with similar safety levels as the Tor Browser -- but that works independently of the Tor network. The result is the Mullvad Browser, a free, privacy-preserving web browser to challenge the all-too-prevalent business model of exploiting people's data for profit.
and
"The mass surveillance of today is absurd. Both from commercial actors like big tech companies and from governments," says Jan Jonsson, CEO at Mullvad VPN. "We want to free the internet from mass surveillance and a VPN alone is not enough to achieve privacy. From our perspective there has been a gap in the market for those who want to run a privacy-focused browser as good as the Tor Project's but with a VPN instead of the Tor Network."
Mullvad has been an active member of the Tor project for years.
Oh, and one more thing, speaking of VPNs: buried in the actual text of Senate Bill S.686 - RESTRICT Act 118th Congress (2023-2024), hidden behind rhetoric about ByteDance and TikTok, is a ban on VPN usage.
Previously:
(2023) The 'Insanely Broad' RESTRICT Act Could Ban VPNs in the USA
(2022) Are Virtual Private Networks Actually Private?
(2022) VPN Providers Remove Servers From India in Wake of New Data Collection Laws
(2022) Tor Project Upgrades Network Speed Performance with New System
(2014) VPN Providers Response to Heartbleed
(Score: 4, Informative) by Gaaark on Saturday October 29 2022, @03:12AM (4 children)
Seriously?
I like to look at it as a way of hiding... privacy, you know? Malware: I never even imagined it would protect me that way.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 3, Informative) by Booga1 on Saturday October 29 2022, @04:26AM (2 children)
Several VPN providers started bundling antivirus and malware with the VPN. Even McAfee and Norton are doing it now.
Here's the wording from Norton's home page:
Sure, they're all separate concerns, but it's all one big package. You want to be safe, don't you?
(Score: 5, Funny) by maxwell demon on Saturday October 29 2022, @05:12AM (1 child)
I certainly wouldn't use a VPN provider that bundles malware with the VPN.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2, Informative) by Anonymous Coward on Saturday October 29 2022, @06:01PM
He mentioned McAfee and Norton, so yeah, bundled malware.
(Score: 2) by Opportunist on Saturday October 29 2022, @09:05AM
It may inadvertently provide limited protection against certain malware. The kind that calls its C2 before infection and only continues if it doesn't already have a known infection from this IP address in its DB.
That used to be a thing in encryption trojans that didn't try to persist but only encrypted your stuff and extorted money, but that's not exactly very common anymore.
(Score: 5, Informative) by Snotnose on Saturday October 29 2022, @05:47AM
So Cox Cable doesn't shut off my internet when someone complains about what I download.
I just passed a drug test. My dealer has some explaining to do.
(Score: 4, Insightful) by Opportunist on Saturday October 29 2022, @09:08AM (3 children)
You don't trust your ISP to protect your data but you trust the VPN provider in a different country who you know fuck all about. Including what country they actually are in and who is in a perfect position to sell data about people who want to shield their browsing habits, very likely from governments who now have a single point they have to ask for data.
Yeah. Smart.
(Score: 4, Interesting) by Anonymous Coward on Saturday October 29 2022, @09:38AM (2 children)
It hides your IP from both your ISP and websites. Your ISP usually hates you, so good start. If the website gets hacked or is full of bad actors, no IP leak for you. This is usually an improvement.
(Score: 3, Interesting) by maxwell demon on Saturday October 29 2022, @06:44PM
It definitely doesn't hide your IP from your ISP. After all, your ISP is the one who gives you that IP. It does, however, hide from your ISP what you do on the internet (well, apart from the fact that you connect to that VPN provider).
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by Opportunist on Saturday October 29 2022, @07:52PM
Yes, the only one who can sell the information about what pages you visit is now the VPN provider.
Talk about a conflict of interests...
(Score: 5, Insightful) by darkfeline on Saturday October 29 2022, @11:07AM (2 children)
It's good to keep in mind that VPN is a concept, not a specific software or protocol. It's just a layer 3 proxy/tunnel (at least for the current discussion). Thinking of it like that, it should be pretty obvious what VPNs can and cannot provide.
Also:
> secure network
Haha, good joke. The concept of a "secure network" has been dead for years. If you don't treat every network as unsafe, you're doing it wrong.
Join the SDF Public Access UNIX System today!
(Score: 2) by rigrig on Saturday October 29 2022, @01:41PM
> If you don't treat every network as unsafe, you're doing it wrong.
Sure, but there are tiers: you need to authenticate with the VPN server before you even get to connect to <internal service>'s login page.
No one remembers the singer.
(Score: 2) by maxwell demon on Saturday October 29 2022, @06:49PM
If you treat "secure" as a yes/no property, you're doing it wrong.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by corey on Saturday October 29 2022, @09:27PM
> "VPNs were originally designed to get into a secure network, but companies have repurposed them so you can escape a restrictive internet service provider you don't trust and access a free and safe one instead,"
These are the same in my mind. At least the wording he uses. The safe one isn't very safe, if he's referring to the internet on the other end of a VPN tunnel.