Maximum PC

Extra measures

See what VPNs don’t and can’t protect against, and bolster your privacy with a layered approach


WHEN YOU CONNECT to a VPN, as well as proxying your traffic and setting the corresponding updates to your routing table, it may also provide you with different DNS settings. On paper, this was a reasonable idea. Traditional DNS requests (for example, where a website is resolved to 172.31.5.172) are transmitted in the clear, so even if the operator of a DNS server (typically one’s ISP) doesn’t know the web page a client is looking at, they at least are aware of the server it’s on. This is known as DNS leakage. You may use another DNS server (such as Cloudflare’s easy-to-remember 1.1.1.1 public offering), but again this is only viable if you trust that operator more than your ISP.

ISPs may also block certain domains at the DNS level, so for a time using someone else’s DNS server was seen as a free and easy way around this by nefarious pirates, whose activities we do not condone. Many ISPs are aware of this, and many have taken the rather heavy-handed measure of performing DNS interception. Remember, we said DNS went over in the clear? Well, that makes it woefully easy for your ISP to just reroute those port 53 requests back to their DNS.

So VPNs now market themselves as providing DNS-leak-resistant technology. Indeed, some offer an even more budget-friendly “DNS-only” option. The mechanics of this are straightforward: just tunnel DNS requests as well as (or instead of) other traffic. Again, this is just moving the problem of trusting the ISP upstream, to trusting the VPN operator.

While we may have no real problem with our government blocking torrent and streaming sites, or with ISPs voluntarily blocking child pornography sites, the same techniques are used by the brutal and antidemocratic regimes of the world to repress dissidents, activists and journalists. And that we cannot condone. One technical approach is to switch from classical DNS to DNS-over-HTTPS (DoH).

As the name suggests, this uses the same layer as secure web browsing to conduit DNS requests. Firefox already does this by default in the US for web browsing, but you can also set it up system-wide. That way, DNS requests are not only hidden amongst regular web traffic, they’re also immune to interception (if you have faith in HTTPS, which you probably should).
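To make the “same layer as secure web browsing” concrete, here is an added example (not from the article) of what a DoH client actually puts on the wire per RFC 8484: the ordinary DNS message is base64url-encoded into the `dns` query parameter of an HTTPS GET, and the answer comes back as the same wire format. The endpoint URL is just a parameter (Cloudflare’s public resolver is used as the sample), and SAMPLE_RESPONSE is a constructed reply, so everything runs offline.

```javascript
// Added example (not from the article): encode a DNS query as a DoH client does
// (RFC 8484 GET form) and decode a wire-format answer; SAMPLE_RESPONSE is constructed.
function buildQuery(name, qtype = 1) {            // ID 0, RD=1, one IN question
  const labels = name.split('.').filter(Boolean).map(l => {
    const b = Buffer.from(l, 'ascii');
    return Buffer.concat([Buffer.from([b.length]), b]);
  });
  const header = Buffer.from([0, 0, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0]);
  const tail = Buffer.from([0, (qtype >> 8) & 0xff, qtype & 0xff, 0, 1]); // end of name, QTYPE, QCLASS=IN
  return Buffer.concat([header, ...labels, tail]);
}
// GET form: the query rides in the "dns" parameter, base64url with padding stripped.
function dohGetUrl(endpoint, name) {
  const b64url = buildQuery(name).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${endpoint}?dns=${b64url}`;             // send with Accept: application/dns-message
}
// Read a name at `off`, following compression pointers (RFC 1035 section 4.1.4).
function readName(buf, off) {
  const parts = []; let jumped = false, next = off;
  for (;;) {
    const len = buf[off];
    if (len === 0) { off += 1; break; }
    if ((len & 0xc0) === 0xc0) {                  // pointer: 14-bit offset into the message
      if (!jumped) next = off + 2;
      off = ((len & 0x3f) << 8) | buf[off + 1]; jumped = true; continue;
    }
    parts.push(buf.toString('ascii', off + 1, off + 1 + len)); off += 1 + len;
  }
  return { name: parts.join('.'), next: jumped ? next : off };
}
// RCODE plus the A records in a wire-format response body (other record types are skipped).
function parseAnswers(buf) {
  const rcode = buf[3] & 0x0f, answers = []; let off = 12;
  for (let i = 0; i < buf.readUInt16BE(4); i++) off = readName(buf, off).next + 4; // skip questions
  for (let i = 0; i < buf.readUInt16BE(6); i++) {
    const { name, next } = readName(buf, off);
    const type = buf.readUInt16BE(next), ttl = buf.readUInt32BE(next + 4);
    const rdlen = buf.readUInt16BE(next + 8), rdata = buf.subarray(next + 10, next + 10 + rdlen);
    if (type === 1 && rdlen === 4) answers.push({ name, ttl, address: Array.from(rdata).join('.') });
    off = next + 10 + rdlen;
  }
  return { rcode, answers };
}
const SAMPLE_RESPONSE = Buffer.concat([          // constructed reply: example.com -> 172.31.5.172, TTL 300
  Buffer.from([0, 0, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0]),  // QR, RD, RA; 1 question, 1 answer
  buildQuery('example.com').subarray(12),                    // question section echoed back
  Buffer.from([0xc0, 0x0c, 0, 1, 0, 1, 0, 0, 1, 0x2c, 0, 4, 172, 31, 5, 172]), // ptr->12, A, IN, 300s
]);
console.log(dohGetUrl('https://cloudflare-dns.com/dns-query', 'example.com'), parseAnswers(SAMPLE_RESPONSE));
```

Because the query and answer are exactly the same bytes classic DNS sends on port 53, the only thing an on-path observer loses is the ability to read or rewrite them; the resolver itself still sees every name you look up.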

Back in 2019, a largely insignificant organization representing large ISPs had nominated Mozilla for an “Internet villain of the year” award based on its plans to roll out DoH by default, allegedly because it aided and abetted piracy. In response, Firefox announced it would not be trialing DoH-by-default in some places, such as the UK. Indeed, it’s still (as far as we could fathom) only the default in the US, but that hasn’t stopped thousands of Firefox users turning the option on for themselves. Perhaps uptake has been aided by the friendly prompt that offers to “enable secure browsing” on first usage.

The DoH approach is no silver bullet though. There need to be entities operating DoH-enabled servers, and users need to be able to trust those entities. There are other efforts to secure DNS, most notably DNSSEC, which ensures requests and responses aren’t tampered with in transit. But that’s complicated. What’s unfortunately not complicated is running a rogue Wi-Fi hotspot in a coffee shop. From there you (well, hopefully not you, but someone bad) could return poisoned DNS responses to redirect users to cloned, password-harvesting versions of popular sites.

Or they might perform SSL-stripping attacks to try and get around encrypted web browsing (HTTPS), or they might even trick the user into installing a rogue Certificate Authority in their browser. That would be bad, and this is exactly the case where you might prefer to use a VPN. Though ideally one that you’re running yourself.

PRIVACY AND AUTHENTICITY

We mentioned HTTPS earlier, which thanks to the efforts of Let’s Encrypt has become ubiquitous across the web. This provides not only privacy, so that no one observing the connection between you and the webserver can see beyond the first slash in the URL, but also authenticity, so you know, for example, that the website you visit is indeed the same server as it was when the certificate was issued.

Some VPN providers twist the facts a little here.

They would have you believe that this isn’t enough and that the extra layer of encryption is a benefit. That’s debatable, since modern TLS 3, using Galois fields and elliptic curves, is already difficult to crack.

Server operators can (if they keep and look at logs) see the IP address of every machine that sends their machine a request. And this is where VPNs are effective, since these logs will only show the VPN server’s address. That doesn’t mean the originating IP address is impossible to figure out though. Browser-based video and voice communications are powered through the wonders of the WebRTC (Real-Time Communication) protocol.

Since most people are behind some sort of router or a firewall (and indeed perhaps a VPN too), it’s generally not possible to establish a peer-to-peer connection through which to route all this traffic. So WebRTC uses intermediary STUN (Session Traversal Utilities for NAT) servers to exchange public and private IP addresses, and establish a connection. So with just a few lines of JavaScript, a web server operator can tell clients’ originating IP addresses. Even if they’re behind a VPN or other proxy.
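The practical question for a VPN user is whether their own browser does this. Below is an added self-check (not code from the article or from any VPN vendor) to paste into your browser’s console while connected to the VPN: it gathers ICE candidates exactly as any WebRTC page would and sorts the addresses they expose into LAN, public and mDNS-obfuscated. The STUN server URL is a parameter (Google’s public one is assumed as the default); under Node, where RTCPeerConnection doesn’t exist, only the classifier runs, on constructed sample lines in the documentation address ranges.

```javascript
// Added example (not from the article): a WebRTC leak self-check for your own
// browser. Run webrtcLeakCheck() in the console while on the VPN; it gathers ICE
// candidates the way any WebRTC page would and reports what addresses they expose.
// Under Node (no RTCPeerConnection) only the classifier runs, on constructed lines.
function parseCandidate(line) {   // RFC 5245 a=candidate grammar, up to the "typ" field
  const m = /candidate:(\S+) (\d+) (\S+) (\d+) (\S+) (\d+) typ (\S+)/.exec(line);
  return m && { protocol: m[3].toLowerCase(), address: m[5], port: Number(m[6]), type: m[7] };
}
// RFC 1918 and link-local IPv4: a "host" candidate here exposes your LAN address.
function isPrivateIPv4(ip) {
  const p = ip.split('.').map(Number);
  if (p.length !== 4 || p.some(n => !Number.isInteger(n) || n < 0 || n > 255)) return false;
  return p[0] === 10 || (p[0] === 172 && p[1] >= 16 && p[1] <= 31) ||
    (p[0] === 192 && p[1] === 168) || (p[0] === 169 && p[1] === 254);
}
// Sort exposed addresses: "srflx" (server-reflexive) is the public address the STUN
// server saw, which on a leaky setup is your ISP-assigned address rather than the VPN's.
function classifyCandidates(lines) {
  const out = { lan: new Set(), public: new Set(), mdns: new Set() };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue;
    if (c.address.endsWith('.local')) out.mdns.add(c.address);   // mDNS-obfuscated host
    else if (c.type === 'srflx') out.public.add(c.address);
    else if (c.type === 'host' && isPrivateIPv4(c.address)) out.lan.add(c.address);
    else if (c.type === 'host') out.public.add(c.address);        // public host address, e.g. global IPv6
  }
  return { lan: [...out.lan], public: [...out.public], mdns: [...out.mdns] };
}
// Browser only. Compare `public` with the VPN exit address you expect; anything else
// (or a non-empty `lan`) means the browser is revealing what the VPN was meant to hide.
async function webrtcLeakCheck(stunUrl = 'stun:stun.l.google.com:19302') {
  const pc = new RTCPeerConnection({ iceServers: [{ urls: stunUrl }] });
  const lines = [];
  pc.createDataChannel('probe');                 // gives ICE something to gather for
  await pc.setLocalDescription(await pc.createOffer());
  await new Promise(resolve => {
    pc.onicecandidate = e => (e.candidate ? lines.push(e.candidate.candidate) : resolve());
  });
  pc.close();
  return classifyCandidates(lines);
}
// Constructed sample (documentation address ranges) of a gather that leaks both ways.
const SAMPLE_CANDIDATES = [
  'candidate:1 1 udp 2122260223 192.168.1.23 51000 typ host generation 0',
  'candidate:2 1 udp 1686052607 203.0.113.7 51000 typ srflx raddr 192.168.1.23 rport 51000',
];
if (typeof RTCPeerConnection === 'undefined') console.log(classifyCandidates(SAMPLE_CANDIDATES));
```

An empty `public` list (or one containing only the VPN exit address) is what a correctly configured browser-plus-VPN should produce; re-run the check after changing the browser’s WebRTC settings to confirm the mitigation took effect.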

GIVING WEBRTC THE HEAVE-HO

It’s easy to work around this by disabling WebRTC in your browser settings, or even just disabling the address-exchanging part, but that hasn’t stopped some unscrupulous operations from advertising their “WebRTC-leak” protection as some sort of value add. Some even have the audacity to claim a VPN will help stop Google and Facebook (or any other service that stores a login cookie) from tracking you around the web. What they don’t say is that if you’re signed into such an account, they will track you around the web. You’re effectively telling them, “Hey it’s me, I’m using this VPN’s IP address now.” To mitigate that risk, we can’t recommend Mozilla’s Firefox container add-on enough. This isolates browser cookies into different containers, so you can at least keep your casual browsing separate from your banking. There’s a dedicated Facebook Container add-on if you want to evade Meta Corp’s invasive tracking.

It’s worth noting that attacks on VPN appliances (such as those provided by Fortinet and Pulse Secure) are on the rise. In April 2021, attackers were able to gain access to dozens of organizations in the defense industry. A coordinated security response (and a US Department of Homeland Security advisory) was able to mitigate the damage in this case, but as we rely on VPNs to protect our workplace secrets, it’s a matter of when, not if, there will be further attacks.

And there ends our study of the VPN threatscape. We don’t mean to tar all VPN providers with the same brush. It’s just that we hate to see honest surfers deceived by scaremongering and faux-security advice. And we’re tired of all the sponsored product-placing they do on our favorite YouTube channels. If you trust your VPN provider, please let us know who they are and why you trust them.

[Figure] You will find the option to enable DNS over HTTPS hidden away in Firefox’s network settings.

[Figure] Fight Facebook with Firefox. And also fight all the other tracking cookie spaffers.
