1 Aug 2019 | Rafael Cimatti

Virtual Private Network

As previously discussed on the blog, our main goal was to enhance users' privacy on mobile devices by blocking aggressive trackers with firewall-like software. Becoming a VPN (Virtual Private Network) provider wasn't the primary objective, but it turned out to be the perfect complement, because of the intrinsic security and privacy benefits described below.

How it works

To understand why a VPN provides security or privacy, one first needs to understand how a VPN works. And since a picture is worth a thousand words, the diagram below depicts, in a simplified way, what happens when you go online through a VPN.

Starting from the left, we have a generic VPN client, in this case a mobile device, using its internet connection to reach the VPN server, which in turn sets up a tunnel through which data is exchanged. While the specifics vary, in generic terms this tunnel is secured with point-to-point encryption: whatever the mobile device sends to the VPN server is encrypted on the device first and decrypted by the server. In the same way, any data sent from the server to the mobile device is encrypted on the server and only decrypted locally on the device. Therefore, the two endpoints need [1] a safe way to establish the encryption keys (a key exchange protocol), [2] an agreed way to send and receive data (a tunneling protocol) and [3] a way to encrypt and decrypt it (encryption algorithms). Another important point is that, since the mobile device doesn't reach the internet directly, its IP address is not revealed to the destination: only the VPN server's IP address is.

Security

So, how does a VPN provide security for your mobile device? First, it creates an encrypted tunnel from the device itself to the VPN server, making your traffic unreadable to anyone inside your local network (a company network, public WiFi, a home router, etc.), which is why a VPN is recommended on public or unsecured networks. It also keeps the traffic unreadable across the public network, all the way to the VPN server. That includes your ISP (Internet Service Provider), whether it is a cable provider or a cellular data carrier.

Going further

We've covered the basics, but let's dig a little deeper: after all, the details matter, especially in information security and cryptography! There are at least three important details that deserve attention when talking about VPN security:

  1. Tunneling Protocol: Put simply, this is the protocol that defines precisely how the VPN communication is handled by client and server, i.e. how the data should be sent and received. Some of the most common tunneling protocols are: IPv4/IPv6, GRE, L2TP and IPSec.
  2. Key Exchange Protocol: Defines how the client and server exchange the cryptographic keys that are later used to encrypt and decrypt data. This is critical because the encryption only works, and is only efficient, if the same keys exist on both client and server and nobody else has them. Examples of key exchange protocols include: Diffie-Hellman, PAKE, IKEv1 and IKEv2.
  3. Encryption Algorithms: This includes the type and size of the keys, the algorithm used to encipher and decipher data, and the padding. Needless to say, this is also important because if the algorithm is weak or broken, data may be decrypted and read by third parties. There are symmetric and asymmetric algorithms (both are used in a VPN connection) and the most common are: DES, AES (symmetric), ECC and RSA (asymmetric).

The highlighted standards above are the ones used in Spod's app and VPN server and are currently amongst the best ones available.
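To make the three pieces above, and the encrypt-on-device/decrypt-on-server tunnel described earlier, concrete, here is an added Go example written for this post. It is not Spod's code and not the implementation of any real VPN product or protocol: it uses X25519 for the key exchange ([1]), a constructed frame format ("sequence number || ciphertext || tag", a stand-in for a real tunneling protocol) for [2], and AES-256-GCM for the encryption ([3]). The salt and info labels, the direction-byte nonce layout and the sample DNS-style payload are all assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// hkdf32 derives a 32-byte key: HKDF (RFC 5869) extract, then one expand block.
func hkdf32(secret, salt, info []byte) []byte {
	extract := hmac.New(sha256.New, salt)
	extract.Write(secret)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write(append(info, 0x01))
	return expand.Sum(nil)
}

// Peer is one tunnel endpoint. dir (0 = client, 1 = server) goes into every nonce
// so the two directions never reuse a nonce under the shared AES-256-GCM key.
type Peer struct {
	dir      byte
	priv     *ecdh.PrivateKey
	aead     cipher.AEAD
	sendSeq  uint64 // outgoing frame counter, part of the GCM nonce
	nextRecv uint64 // lowest incoming sequence number still accepted (replay check)
}

func NewPeer(dir byte) *Peer {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // a failing crypto/rand is unrecoverable
	}
	return &Peer{dir: dir, priv: priv}
}

// PublicKey is the only key material a peer ever puts on the wire.
func (p *Peer) PublicKey() []byte { return p.priv.PublicKey().Bytes() }

// Handshake is step [1], the key exchange: X25519 with the peer's public key gives
// both sides the same shared secret, which never crosses the network. The salt and
// info labels are demo values, not taken from any real protocol.
func (p *Peer) Handshake(peerPub []byte) error {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return err
	}
	shared, err := p.priv.ECDH(pub)
	if err != nil {
		return err
	}
	key := hkdf32(shared, []byte("demo-tunnel-v1"), []byte("aes-256-gcm data key"))
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	p.aead, err = cipher.NewGCM(block)
	return err
}

// nonce builds the 96-bit GCM nonce: direction byte, zero padding, 64-bit counter.
func nonce(dir byte, seq uint64) []byte {
	n := make([]byte, 12)
	n[0] = dir
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Encapsulate is steps [2] and [3] on the sending side: encrypt the inner packet
// and frame it as "seq (8 bytes) || ciphertext || tag", with seq authenticated as AAD.
func (p *Peer) Encapsulate(inner []byte) []byte {
	header := make([]byte, 8)
	binary.BigEndian.PutUint64(header, p.sendSeq)
	frame := p.aead.Seal(header, nonce(p.dir, p.sendSeq), inner, header)
	p.sendSeq++
	return frame
}

// Decapsulate parses a frame, rejects replays and verifies the tag; any modified
// byte (header or body) fails authentication and no plaintext is returned.
func (p *Peer) Decapsulate(frame []byte) ([]byte, error) {
	if len(frame) < 8 {
		return nil, errors.New("short frame")
	}
	header, body := frame[:8], frame[8:]
	seq := binary.BigEndian.Uint64(header)
	if seq < p.nextRecv {
		return nil, errors.New("replayed frame")
	}
	inner, err := p.aead.Open(nil, nonce(1-p.dir, seq), body, header)
	if err == nil {
		p.nextRecv = seq + 1
	}
	return inner, err
}

func main() {
	client, server := NewPeer(0), NewPeer(1)
	// Only the two public keys cross the untrusted network.
	if err := client.Handshake(server.PublicKey()); err != nil {
		panic(err)
	}
	if err := server.Handshake(client.PublicKey()); err != nil {
		panic(err)
	}
	onWire := client.Encapsulate([]byte("DNS query: example.com A?")) // constructed sample
	inner, err := server.Decapsulate(onWire)
	fmt.Printf("on the wire: %x\nserver recovered: %q (err=%v)\n", onWire, inner, err)
}
```

What an observer on the local network or at the ISP sees is the two public keys and then opaque frames: the sample query is not recoverable from `onWire`, and a third party that runs the same handshake against the client's public key with its own private key derives a different secret and cannot open the frames. Two details are the kind that go wrong in real tunnels: the direction byte in the nonce keeps client-to-server and server-to-client frames from ever sharing a nonce under one key, and the sequence number in the authenticated header lets the receiver drop replayed frames. What the example deliberately leaves out is server authentication (certificates or a pre-shared key, as IKEv2 and similar protocols provide): without it the client cannot tell the real VPN server from someone answering in its place.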

Privacy

Okay, now that we have covered the security side of the story, we are left with the second part, one often forgotten by technology companies: privacy. While we cannot speak for all VPN providers, a properly configured VPN connection provides at least two big benefits for your privacy:

Privacy is all about revealing as little information as possible. When you use the default DNS server, usually provided by your ISP, you have to tell it every domain you want to visit, due to the nature of the DNS protocol. Unfortunately, it is not uncommon for internet service providers to sell this information (websites visited per registered user) to third parties. However, if you use a VPN that provides its own DNS server, your ISP is not used to resolve names and cannot read the requests, because they travel inside the encrypted tunnel. You might be thinking "OK, but then I am only transferring the risk from the ISP to the VPN provider", and you'd be right for most VPN services. This is why we, at Spod, have created a no-registration service: while your ISP has a file with all your personal information, we don't even know your name.

Summing up

Clearly, there are benefits to both security and privacy when using a VPN. However, not all VPN providers care about this, and some actually do quite the opposite (remember Onavo?), which is why you should be careful when choosing one.

Doubts, suggestions, corrections or comments? Leave a note below and we'll get back to you! Also follow us on Twitter to keep up to date.