Wednesday, October 23, 2013

How NSA-Proof Are VPN Providers?

The privacy of Internet users has become an extremely hot topic this year, largely thanks to the revelations of whistleblower Edward Snowden. This has resulted in many questions from concerned VPN users who want to know more about possible cracked encryption schemes, and how providers respond to gag orders and national security letters. Today we explore these topics with a handful of the leading VPN services.
cameraspyLet’s start off by saying that no VPN service can ever guarantee your anonymity 100%. That said, there is good reason to believe that the most secure encryption schemes are nearly impossible to crack.
In theory, however, there’s always a possibility that certain agencies are operating several steps ahead of the game. For example, the NSA and others might be capable of cracking more advanced encryptions when data streams are stored for future decoding.
And then there’s the possibility of VPN providers being forced to hand over customer data. While no-logging policies protect against traditional court orders, things get more complicated when government agencies issue gag orders, such as those contained in United States national security letters.
To explore these issues TorrentFreak talked to BlackVPN, IPredator, Private Internet Access, VikingVPN and TorGuard.
Below is an overview of the responses we received. On the one hand they address which encryption schemes are still safe, and which ones should be avoided. Separately, the U.S. based providers shared their thoughts on the discussions regarding national security letters.

Does encryption still work?

The first question is whether encryption still works. A few weeks ago many VPN users got concerned after they read that the NSA had compromised privacy software and cracked encryption algorithms.
So does that mean VPNs can no longer be trusted? While the various providers all have different opinions, they agree that the most secure encryptions are impossible to crack on the fly. Similarly, most providers warn that PPTP is flawed and should be avoided wherever possible.

BlackVPN

“OpenVPN is the best choice when available on your device. It’s easy to check that your VPN provider is using strong encryption algorithms and keys (like 256bit keys and AES encryption) by looking at the OpenVPN configuration files supplied by your VPN provider. Also it can be configured to use TCP on port 443 which makes it extremely difficult to block as it looks like standard HTTP over SSL traffic.”
“OpenVPN is slightly more effort to setup (download and install a client for Windows, OS X, IOS 5+ & Android 4+) but it should be the default way for most people to connect to their VPN. We have been using OpenVPN securely (2048 bit RSA keys and AES-256) since our beginning in 2009 so previous traffic should still be secure from decryption.”
“L2TP/IPSec is a good choice if you want a quick and easy setup. However the encryption algorithms and keys used depend on your VPN provider and your device, and it is difficult to know if secure or insecure encryption is being used. Your data could be encrypted with AES-256 (more secure) or with 3DES (not secure) and you wouldn’t know. An evil or silly VPN provider could force all clients to use 3DES. Also Windows XP does not support AES and would use 3DES encryption instead.”
“PPTP has known security weaknesses and should only be used as last option or where nothing else works with your device. There are no good reasons to use PPTP unless IPSec traffic is being blocked and you cannot install openVPN on your device. We would recommend only use PPTP if your security and privacy are not a concern – for example if you just want to access websites or content blocked in your country.”

IPredator

Sweden-based IPredator is also clear on the point that PPTP should be avoided by users who are looking for the most secure setup, but in common with many other VPN providers, they still offer these connections.
“We explicitly tell users that PPTP is insecure and that it’s not suitable for privacy related things anymore to protect against a government attacker. We could just turn it off BUT then people would just go to other providers who still offer it, so in my opinion it’s better to educate them.”
According to iPredator, OpenSSL with ECDHE + AES and without RC4 is the most secure option for VPN users at the moment.

TorGuard

According to TorGuard many of the strongest encryptions can still be trusted, and the company sees Open Source Software as a key element to keep intelligence agencies for implementing backdoors.
“Encryption still works and nothing has been mathematically broken. What has been broken is the consumer trust relationship between government and big business. The NSA has attempted to undermine VPN encryption not by brute force or mathematics, but by sabotaging secure technologies at the corporate level.”
“Open source software is in the driver’s seat, everyone else is just along for the ride. Community driven code like what powers OpenVPN is continuously subject to scrutiny, making it virtually impossible for an outside agency to implement a secret backdoor.”
“It is also important to point out that there is no known method that even comes close to breaking 128bit Blowfish encryption. For the ultra-paranoid, TorGuard offers AES-256 bit ‘Stealth’ connections that actually disguise packets as regular HTTP traffic on the network. We will soon be offering these stealth AES-256 connections on all servers as standard options.”
“True privacy in this digital age requires sound cryptography and companies who are willing to back it up – no matter the cost. If we expect to have any privacy in the future, the entrepreneurs and cypherpunks of today must work together in continuing to develop effective privacy solutions for tomorrow.”

National Security Letters

Aside from the worries about broken encryption and backdoors, there’s also the possibility that providers might find themselves served with a national security letter by U.S. security agencies or a foreign equivalent. Yesterday VPN provider CryptoSeal shut its doors in the belief it could no longer guarantee the privacy of its users following the Lavabit ordeal.
TorrentFreak asked three prominent U.S. based VPN providers to share their thoughts on this issue.

Private Internet Access

“Prior to the entire Lavabit ordeal, we had begun reaching out to the EFF, ACLU and FFTF in order to better understand the legal climate in which the internet operates such that we would better understand how we could hedge the company to better protect our ‘way of the internet’. Our CTO/co-founder, who many know as coderrr, the developer of privacy extensions from the early years of Bitcoin, moved out of the US along with our entire admin/development team.”
“Moving or establishing a VPN company outside of the US/EU would do little to protect against these kinds of issues as long as anyone with access to the machines remains within said regions. As such, he and the entire admin/development team are committed to remain outside of the US, and in fact, the team in its entirety are decentralized across the globe in countries that have historically been very reluctant to assist the US. Simultaneously, our research team has been implementing and increasing our available crypto-suite.”
“As for myself [Andrew Lee], I love my country. Please do not misunderstand, as a minority born, raised and living in the US, I am certainly not screaming, ‘MERIKA FUK YAH!’ However, this country has provided a climate in which people can work hard to better their lives and, as well, enjoy great liberties which, in reality, most/many countries fail to match. As such, I, myself, remain in the US in order to help see to it that this country is able to continue/return to being a land of liberty and freedom. To this extent, we’re really putting our money where our mouths are.”
“However, to remain in the US, meant, as well, the relinquishing of my access to the PIA systems/network. Administrators, developers and co-founders everywhere can relate to the difficulty of doing so, but the reality is that it was a requirement if I was to remain here. This policy is in place, and relinquished access I have.”
“With regard to the gag orders, recently a US judge ruled the gag order provision to be unconstitutional, in violation of First Amendment rights. We do consider this to be a win for our side, in our quest to bring our privacy and civil liberties back to levels which we as a society can decide for ourselves. With that said, it’s not the end of the battle, as the ruling is currently being appealed, and as such, no decision is certain at present.”
“However, we’re a company that operates, as we said on our privacy policy, within the spirit and letter of the law. As such, we believe in constitutionally provided privacies and liberties and, to this extent, I’d like to make it unequivocally clear that we will fight any gag order to the fullest extent given that it clearly undermines First Amendment rights and the transparency of governmental interactions with private entities.”
“While I’d like to yell some kind of statement as many have before that most certainly could never be upheld, our customers and TorrentFreak readers deserve to know that we’re fighting to the best of our abilities, within the confines and maturity of the existing societal infrastructure. This is not the only way, but this is currently the best way for us to make a meaningful broad impact.”

TorGuard

“Lavabit’s actions to suspend operations and preserve its client’s privacy were truly inspiring. This serves as an excellent example for other companies to not let big government push them around and stand up by legally challenging unlawful data requests or gag orders. Curbing the power of government surveillance on the corporate sector won’t be easy, but it needs to start now with increased transparency and corporations that take an oath of privacy no matter the cost to business. In Lavabit’s case – if you can’t leave Texas then burn the servers.”
“A big misconception going around is that one’s data is far safer from scrutiny with foreign based corporations. Unfortunately, the US isn’t the only country with a spy agency and they certainly are not confined by domestic borders. We’ve seen countless incidents in the recent past where both domestic and international surveillance agencies abused power to gain access to servers and customer data – no gag order required.”
“Just because a company is incorporated in ‘Timbuktu’ doesn’t mean the third-party data centers they lease servers from won’t open the door when federal agents come knocking. That’s why more transparency is needed on a global scale, not just from US service providers, but also by these international based ISPs, Data Centers, Domain Registrars and Merchant Providers..(the list goes on).”
“While TorGuard does have US-based representation, we are an internationally owned company with 90% of our employees and server resources based abroad. As owner/operator, I’ve pledged an oath of privacy to our client base and I intend to uphold this promise to the best of my abilities, even if it means temporarily suspending services or relocating company assets. We have backup plans for our backup plans, and travel light.”

VikingVPN

“Knowing whether or not a company has been compromised by a national security letter is deceptively simple. All you have to do is ask. Right now, I can confidently say that VikingVPN has not been served a National Security Letter. Feel free to ask me again later. If I don’t reply at some point in the future when you ask me, then you’ll know. See how easy that was?”
“The reason this works is that the Govt. cannot compel you to lie, but they can (apparently) compel you to remain silent. I would actually argue that the national security letters, and indeed the entire PRISM/XKeyScore system are illegal and unconstitutional, but obviously I don’t sit on the FISA court or Supreme Court, so my opinion holds little weight.”
“I would encourage TorrentFreak to reach out to all the US VPN providers and simply ask them if they have received a national security letter. If they don’t reply within a reasonable time-frame you will have your answer. I would even encourage you to keep a running list of VPN providers that reply. You could ask them once a month.”
“Further, VPNs have always been about trust. You’re entrusting your data to the VPN service provider, and hoping they don’t betray you. Any VPN service provider could be secretly logging and passing your data to a 3rd party without your permission. Some of this trust can be gained (or lost) from reputation.”
“Do users of the service report betrayals in the form of legal notices? Some of the trust has to come from knowing just who runs the VPN service. VikingVPN has been very transparent about this. You can see who myself and my partners, Justin Greene & Derek Zimmer, are. You can see that we’re not connected to any Intelligence Agencies or Copyright bodies. You can also view the kinds of political speech we engage in. We’re vehemently anti-spying and anti-PRISM.”
“US VPNs can still be trusted because you can place a honeypot anywhere in the world when it comes to VPN services. The paranoia surrounding US-based VPNs simply is not thought through very well. The UK and Sweden both have similarly intrusive dragnet programs, and there seems to be little concern for VPN services out of those nations. Furthermore, you can save all the packets you want, unless the VPN itself is compromised it isn’t going to matter.”

Conclusion

The conclusion brings us right back to the start of this article. No VPN provider can guarantee that any type of encryption is 100% secure. Hopefully the above has given people some pointers on what to avoid, and what the more secure alternatives are.
But even if people pick the strongest encryption possible, one still has to trust VPN providers to keep his or her data safe, regardless of where the company is located.

No comments:

Post a Comment