For a VPN to live up to its security and privacy promises, you should ideally have full control over both endpoints of the network.
That is, you want to know that the software on both ends is up to date and doesn't contain bugs and vulnerabilities that can be exploited to quietly leak the data you hoped to keep secret.
You also need to know that both sides are configured correctly, and use encryption strong enough that cracking the scrambled code would take too long and cost too much to be worthwhile.
Make sure logging, or automated collection of data for the VPN connection, is kept to a bare minimum or doesn't happen at all. Picking a VPN provider or endpoint not in a Five-Eyes country (yeah, that's us in New Zealand) where spy agencies do bulk collection of internet data might be an idea too.
It's also important to make sure that the encrypted data stays that way, and isn't decrypted by a "middlebox" that copies the information silently. You also need to ensure that everything goes through the VPN, meaning all the computer traffic (and devices send out a vast amount of data that users don't know about), or you'll be busted.
Don't forget to make sure the VPN covers both the older IPv4 protocol that is used to send and receive internet data, as well as the new IPv6 scheme that is increasingly being used as the number of networked devices grows exponentially.
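One way to check the two points above (all traffic in the tunnel, for both IPv4 and IPv6) on a Linux machine, as an added example that is not part of the original article. It assumes iproute2 is installed; the interface name `wg0`, the `VPN_IF` variable and the documentation-range probe addresses are assumptions, and `ip route get` only asks the kernel which route it would pick without sending any packets.

```shell
#!/bin/sh
# Added example: report which interface the kernel would use for IPv4 and IPv6.
# Assumptions: Linux with iproute2; tunnel interface name supplied in VPN_IF.

# Print the interface named after "dev" in one line of `ip route get` output.
egress_dev() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i < NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# classify <route-get-output> <tunnel-if>
# Prints: tunnel | LEAK:<dev> | unroutable
classify() {
    cl_dev=$(egress_dev "$1")
    if [ -z "$cl_dev" ]; then
        # No route at all: this address family cannot leave the machine.
        echo "unroutable"
    elif [ "$cl_dev" = "$2" ]; then
        echo "tunnel"
    else
        # Traffic for this family would bypass the VPN.
        echo "LEAK:$cl_dev"
    fi
}

# Ask the kernel for its routing decision for one IPv4 and one IPv6 address.
# Probe addresses are from the documentation ranges (placeholders, never contacted).
live_check() {
    lc_status=0
    for lc_fam in 4 6; do
        if [ "$lc_fam" = 4 ]; then lc_probe=192.0.2.1; else lc_probe=2001:db8::1; fi
        lc_out=$(ip "-$lc_fam" route get "$lc_probe" 2>/dev/null | head -n 1)
        lc_res=$(classify "$lc_out" "$1")
        echo "IPv$lc_fam: $lc_res"
        case $lc_res in LEAK:*) lc_status=1 ;; esac
    done
    return "$lc_status"
}

# Runs only when a tunnel interface is given, e.g.  VPN_IF=wg0 sh vpn_route_check.sh
if [ -n "${VPN_IF:-}" ]; then
    live_check "$VPN_IF"
fi
```

This covers routing only; it says nothing about logging, middleboxes or the strength of the encryption.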
Done right, VPNs can help protect your privacy and security online; there's no doubt about that. Getting VPNs wrong is easy, however, so if you have doubts as to how well the one you're using works, don't send or receive anything sensitive.