Encryption and Privacy Protocols
First published: April 2019. Latest revision: November 2019.
This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use. In this article, we’ll examine some of the protocols that VPNs use to provide privacy to their users and present the options that are available to safeguard and encrypt your data.
The paramount reason for using a VPN is to ensure your privacy when you are using the internet. Encryption of the data that flows to and from your internet-connected device is the means to attain that state of privacy: without encryption there can be no privacy. A trustworthy VPN must implement adequate encryption (and other) protocols in order to ensure your privacy. This article will briefly consider various protocols and make recommendations about them.
What is a VPN tunnel?
When you connect to the internet with a VPN, the VPN creates a connection between you and the internet that surrounds your internet data like a tunnel, encrypting the data packets your device sends.
While technically created by a VPN, the tunnel on its own can’t be considered private unless it’s accompanied with encryption strong enough to prevent governments or ISPs from intercepting and reading your internet activity.
The level of encryption the VPN tunnel has depends on the type of tunneling protocol used to encapsulate and encrypt the data going to and from your device and the Internet.
(bold emphasis added by me)
What are the common tunneling/encryption protocols?
VPN services have the option of implementing one or more different tunneling/encryption protocols in order to mask or protect the data that is traversing your internet connection from prying eyes. Here are some common protocols:
• PPTP (Point-to-Point Tunneling Protocol) has been available for many years (its specification, RFC 2637, was published in 1999) and has been somewhat enhanced over time in an attempt to make it more secure. However, serious security vulnerabilities have been found in the protocol: its usual MS-CHAPv2 authentication can be cracked offline from a captured handshake, and its MPPE encryption is built on the RC4 stream cipher, which is itself deprecated. The consensus is that PPTP should be avoided. (Personally, I would question why a VPN would even support this protocol as an option for its customers, as its use would not seem to be in a customer’s best interests.)
• L2TP/IPsec (Layer 2 Tunneling Protocol/Internet Protocol Security) has also been available for many years. L2TP provides only the tunnel and has no encryption of its own; IPsec (in practice, ESP in transport mode) supplies the authentication and encryption of the data. The data is thus encapsulated twice before transmission, and this extra overhead results in a decrease in speed as compared to some other protocols.
Furthermore, as noted on Wikipedia:
In 2013, as part of the Snowden leaks, it was revealed that the US National Security Agency had been actively working to “Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets” as part of the Bullrun program. There are allegations that IPsec was a targeted encryption system.
Thus, there is a possibility that the security of L2TP/IPsec has been weakened; whether the protocol itself or only particular implementations were affected has never been publicly confirmed, but it is a reason for caution. Another concern with L2TP/IPsec is that it is easy to block: it uses fixed UDP ports 500 and 4500 (and ESP, IP protocol 50), so it can’t be used to get around the firewall blocking that some ISPs (Internet Service Providers) have instituted, and it cannot be disguised as ordinary HTTPS traffic.
• SSTP (Secure Socket Tunneling Protocol) is a newer protocol introduced by Microsoft (and is best supported on Windows). It carries PPP frames inside a TLS connection on TCP port 443, so it can be configured to use very secure encryption and can bypass firewall blocks, because the traffic looks like ordinary HTTPS. However, although Microsoft publishes the specification, its implementation in Windows is closed source, so it cannot be independently audited in the way the open-source protocols can.
• OpenVPN is open-source VPN software with its own protocol. It uses SSL/TLS, the cryptographic protocol that secures most Internet communications, for key exchange and its control channel, and encrypts the tunnelled packets with the negotiated cipher. OpenVPN can make use of highly secure encryption (for example, AES-256-GCM) and can bypass firewall blocks, since it runs over UDP or TCP and can be configured to use TCP port 443 so that it resembles HTTPS traffic. It supports IPv6 and provides fast connection speeds. Being open source, its privacy and security can be tested and improved by third parties. OpenVPN runs on almost all hardware/software platforms.
• WireGuard is considered by many to be the VPN protocol “of the future.” It is new enough that, at the time of writing, it is still in active development and has not yet reached a stable release version. It aims to improve upon other protocols by being both simple and highly effective. The WireGuard codebase is around 4,000 lines, roughly 1% of OpenVPN (with its TLS library) or a typical IPsec stack. This is a distinct advantage, because security audits of it are much simpler to perform, as is bug finding and fixing. WireGuard negotiates the initial VPN connection and subsequent reconnections faster than other protocols and fully supports IPv6. Battery use on mobile devices is lower than with other protocols. WireGuard uses a fixed, modern set of cryptographic primitives (Curve25519 for key agreement, ChaCha20-Poly1305 for authenticated encryption and BLAKE2s for hashing, combined via the Noise protocol framework); because there is no cipher negotiation, there is nothing for an attacker to downgrade.
Which protocol is preferable?
… we recommend that most people use connections based on the OpenVPN protocol, because of security flaws and disadvantages in the PPTP and L2TP/IPsec protocols.
You want to skip PPTP if at all possible. It’s a very dated protocol that uses weak encryption and due to security issues should be considered compromised. It might be good enough to secure your non-essential web browsing at a coffee shop (e.g. to keep the shopkeeper’s son from sniffing your passwords), but it’s not up to snuff for serious security. Although L2TP/IPsec is a significant improvement over PPTP, it lacks the speed and the open security audits found with OpenVPN.
Long story short, OpenVPN is what you want (and you should accept no substitutions until something even better comes along).
(bold emphasis added by me)
The above quotes echo the opinion of many sources. At this time, OpenVPN would seem to be the preferred protocol for VPNs to use. Fortunately, most VPNs offer OpenVPN. (Amazingly, a few VPNs do not offer support for the OpenVPN protocol. In my opinion, those VPNs should definitely be avoided!)
WireGuard, however, is the wave of the future. The protocol has undergone some rigorous security testing, but at this time it is probably still best regarded as experimental. Nevertheless, it is available from a few VPN services. Mullvad VPN began offering it in 2017, and now AzireVPN and IVPN offer it too. An informative introduction to WireGuard is “WireGuard VPN review: A new type of VPN offers serious advantages” on the Ars Technica website.
OpenVPN implementation by VPNs
The manner in which a VPN service implements the OpenVPN protocol is important. VPNs can choose to use various options that the OpenVPN protocol offers for tunnelling and encryption. Some of these options are more secure than others.
For example, OpenVPN’s long-standing default cipher, and still the fallback in the 2.4 series (current at the time of writing) when the two peers do not negotiate a cipher, is BF-CBC (Blowfish in Cipher Block Chaining mode). BF-CBC is no longer recommended by security experts: Blowfish has a 64-bit block size, so once roughly 32 GB of data has been encrypted under one key, block collisions become likely and the birthday-bound (“SWEET32”) attack can recover plaintext, and a long-lived VPN tunnel can easily carry that much traffic. Fortunately, a VPN service can choose to configure a 256-bit version of AES (Advanced Encryption Standard), preferably in an authenticated mode such as AES-256-GCM, instead of the default BF-CBC, thereby providing a much more secure level of encryption to its users. The same applies to the other tunnel parameters a provider controls: the HMAC digest (the auth option; SHA1 is the default), protection of the TLS control channel (tls-auth or tls-crypt) and verification of the server certificate (remote-cert-tls server).
So, to thoroughly evaluate the privacy and security of a VPN, be sure to check these technical parameters, not just the name of the protocol. (More technical parameters that should be checked will be noted in the next article in this series.)
Unfortunately, not all VPN services provide acceptably high levels of security. However, a VPN service that employs the OpenVPN protocol with high-security options enabled is an indication that the VPN is attending to the security of the Internet connection of its users. Check for the availability of this sort of tunnelling/encryption protocol when you are evaluating a VPN for your own use.
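As an added example (not part of the original article, and not OpenVPN’s own tooling), the following Python script audits an OpenVPN client profile (.ovpn) for the weak settings discussed above. Both profiles embedded in it are constructed for illustration and do not belong to any real VPN service; the hostname vpn.example.invalid and the file names are placeholders. The checks assume OpenVPN 2.4 defaults: BF-CBC as the fallback cipher, SHA1 as the default HMAC digest and TLS 1.0 as the minimum TLS version.

```python
"""Audit an OpenVPN client profile (.ovpn) for weak tunnel settings.

Added example for this article; the profiles below are constructed and
the hostname is a reserved .invalid placeholder.
"""

# Constructed "weak" profile: Blowfish-CBC data channel, SHA1 HMAC,
# no control-channel protection, no server-certificate check.
WEAK_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher BF-CBC
auth SHA1
ca ca.crt
cert client.crt
key client.key
"""

# Constructed "hardened" profile with the options a careful provider enables.
HARDENED_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-version-min 1.2
tls-crypt ta.key
remote-cert-tls server
ca ca.crt
cert client.crt
key client.key
"""

# 64-bit block ciphers: the birthday bound (2^32 blocks, ~32 GB) is reachable
# on a long-lived tunnel, which is what the SWEET32 attack exploits.
SMALL_BLOCK_CIPHER_PREFIXES = ("BF-", "DES-", "CAST5-", "IDEA-", "RC2-")
WEAK_DIGESTS = {"NONE", "MD4", "MD5", "SHA", "SHA1", "RIPEMD160"}


def parse_profile(text):
    """Map each directive (lower-cased) to the list of argument lists seen for it.

    Inline file blocks such as <ca> ... </ca> hold certificates and keys,
    not tunnel options, so they are skipped.
    """
    options = {}
    in_inline_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("</"):
            in_inline_block = False
            continue
        if line.startswith("<"):
            in_inline_block = True
            continue
        if in_inline_block:
            continue
        parts = line.split()
        options.setdefault(parts[0].lower(), []).append(parts[1:])
    return options


def audit_profile(text):
    """Return a list of findings; an empty list means no weak setting was found."""
    opts = parse_profile(text)
    findings = []

    # Data-channel cipher. OpenVPN 2.4 falls back to BF-CBC when no cipher is
    # configured and the peers do not negotiate one via NCP.
    if "cipher" in opts:
        cipher = opts["cipher"][-1][0].upper()
        if cipher.startswith(SMALL_BLOCK_CIPHER_PREFIXES):
            findings.append(f"cipher {cipher}: 64-bit block cipher, vulnerable to SWEET32 birthday attacks")
        elif cipher == "NONE":
            findings.append("cipher none: data channel is not encrypted")
    elif "ncp-ciphers" not in opts and "data-ciphers" not in opts:
        findings.append("no cipher directive: relies on the BF-CBC default unless NCP succeeds")

    # HMAC digest for the data channel (and for tls-auth). Default is SHA1.
    auth_args = opts.get("auth", [[]])[-1]
    digest = auth_args[0].upper() if auth_args else "SHA1"
    if digest in WEAK_DIGESTS:
        findings.append(f"auth {digest}: weak or missing HMAC digest (use SHA256 or better)")

    # Control-channel hardening and server identity.
    if not any(k in opts for k in ("tls-crypt", "tls-crypt-v2", "tls-auth")):
        findings.append("no tls-auth/tls-crypt: TLS handshake is unauthenticated and open to probing")
    if "remote-cert-tls" not in opts and "verify-x509-name" not in opts:
        findings.append("no remote-cert-tls server: any certificate from the CA could impersonate the server")
    tls_min = opts.get("tls-version-min", [[]])[-1]
    if not tls_min or tls_min[0] in ("1.0", "1.1"):
        findings.append("tls-version-min missing or below 1.2")

    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(f"{name}: {audit_profile(profile) or ['no findings']}")
```

Run it against a provider’s downloadable .ovpn file by reading the file into audit_profile; the weak constructed profile yields five findings, the hardened one none. The script looks only at the client-side options, so a provider that sets strong values on the server but ships a bare client profile will still show findings, which is itself useful information when comparing services.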
We’ll examine some of the methods that VPNs use to provide privacy to their users and present the options that are available to safeguard and encrypt your data in the next article of this VPN series, titled “Other Important Technical Concerns in Choosing a VPN.”