18 Questions to ask your VPN Service provider
Choosing a VPN service can be a nerve-wracking ordeal. You’ve probably read about the secret NSA documents that Edward Snowden has been releasing. You probably don’t trust your ISP to protect your privacy. Perhaps you don’t trust your government. You may even distrust all governments and corporations.
Indeed, you may not trust this guide, and think that it’s just an advertorial. While that’s an understandable concern, I invite you to read on, and judge for yourself. I also invite you to read this in the context of my other writings about VPNs, Tor and such, primarily on Wilders Security Forums and Tor.StackExchange.
If you’re especially concerned about privacy, you may want to obscure your research about VPN providers. Although many people use VPN services, extensive research might flag you as someone with something important to hide. You can mitigate that risk by using a free VPN service (such as SecurityKISS) and free webmail (such as VFEmail). For even better privacy, you can add the Tor Browser Bundle to tunnel Tor through SecurityKISS, and use VFEmail’s hidden service.
Relatively little comprehensive and reliable information about VPN services is available online. It’s generally best to ignore “best VPN” and “VPN review” sites. Most feature paid reviews, and some are protection rackets, featuring bad reviews for VPN services that refuse to buy favorable reviews. Even the honest ones are typically just popularity contests, dominated by clueless torrent users and wannabe “hackers”.
I will update this guide as needed pending new developments regarding specific VPN services. Also, please comment, share information, and suggest additional questions. However, I request that we take discussion about particular VPN services to Wilders Security Forums.
TorrentFreak’s VPN surveys are notable exceptions to the norm. In late 2011, it became clear that LulzSec member “Recursion” had been identified and arrested based on connection logs that the VPN service HideMyAss provided to the FBI. TorrentFreak responded by publishing “Which VPN Service Providers Really Take Anonymity Seriously?”. In early 2013, they published an expanded “2013 Edition”. And in mid-2014, they published the “2014 Edition”.
It features answers to eight key privacy-related questions:
- Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long?
- Under what jurisdictions does your company operate and under what exact circumstances will you share the information you hold with a 3rd party?
- What tools are used to monitor and mitigate abuse of your service?
- In the event you receive a DMCA takedown notice or European equivalent, how are these handled?
- What steps are taken when a valid court order requires your company to identify an active user of your service?
- Is BitTorrent and other file-sharing traffic allowed on all servers? If not, why?
- Which payment systems do you use and how are these linked to individual user accounts?
- What is the most secure VPN connection and encryption algorithm you would recommend to your users?
Introducing their results, they note:
Millions of people use a VPN service to protect their privacy, but not all VPNs are as anonymous as one might hope. In fact, some VPN services log users’ IP-addresses for weeks. To find out how secure VPNs really are TorrentFreak asked the leading providers about their logging policies, and more.
This is arguably a fairly comprehensive starting list. TorrentFreak staff seem dedicated and knowledgeable, and their 2011 survey attracted the attention of many providers that had been omitted. But there are two key limitations. First, I’m familiar with at least two privacy-friendly VPN services that don’t appear on the TorrentFreak lists (Cryptohippie.net and Insorg.org). And there may be others, especially those that don’t cater to BitTorrent users. Second, TorrentFreak is, for the most part, merely summarizing VPN providers’ responses, and has not verified any of their claims. Comments in both reviews are also worth reading, by the way, but can’t always be taken seriously.
Even so, revelations about two providers – EarthVPN.com and Proxy.sh – demonstrate the risk of relying on providers’ privacy claims. In early 2013, an EarthVPN customer was reportedly arrested based on logs kept by its hosting provider in the Netherlands. EarthVPN denied responsibility, maintaining that they “do not keep logs”, and said that they no longer use that provider. Although the actual dialog between EarthVPN and its customer (here and here) is no longer openly accessible, there are quotes and discussion in the AirVPN and Private Internet Access forums. There’s also an article on Wipe Your Data and extensive discussion on reddit. Also, keep in mind that ISPs can log as easily as hosting providers can.
In TorrentFreak’s 2011 and 2013 surveys, Proxy.sh responded: “No information whatsoever is being recorded or held in our facilities. Our services are run from RAM and all our system services come with state-of-the-art configuration that ensures nothing is left after usage.” However, in late September 2013, they installed Wireshark on one of their US servers, and retained packet captures for several hours. This was reportedly a voluntary response to complaints about hacking and harassment by one of their customers. For more specifics, see these TorrentFreak articles (here and here). In TorrentFreak’s 2014 survey, Proxy.sh answered as follows to the first question:
Conversely, these incidents also demonstrate that news spreads very quickly on the Internet (except, it seems, to reddit). With all of that in mind, I recommend starting with VPN services that meet the following criteria:
- It appears in TorrentFreak’s 2013 survey (plus others that you think were improperly omitted).
- It’s not listed as logging in TorrentFreak’s surveys.
- It has been in business for at least three years.
- An hour or so of Web searching reveals no evidence of privacy violations.
All of the VPN services in TorrentFreak’s 2013 survey deny keeping persistent logs. Assessing the plausibility of such claims in the context of applicable data-retention requirements is a can of worms. Claims that there are no data-retention requirements in the US seem laughable in light of NSA documents released by Edward Snowden. The situation in Europe is complicated by tension between the 1995 Data Protection Directive and national legislation. It’s further complicated by revelations about NSA spying, and EU collaboration. For more about this issue generally, see EFF’s summary page and IVPN’s blog.
For example, if you plan to share copyrighted media via BitTorrent, it’s obviously best to avoid providers that explicitly discourage such use. If the availability of numerous exit IP addresses is important, choose accordingly, but consider the tension between variety and security. It’s arguably more likely that providers with numerous exits are using virtual private servers.
In contacting providers with presales questions, start with basic questions, such as the four that TorrentFreak asked. It’s generally best to ask questions for which you have reliable and independent answers. However, at least initially, it’s also best to ask without revealing what you’ve already learned.
How prospective VPN providers answer your questions can be as informative as the answers they give. You want answers that are prompt, complete, clear and accurate. Vague or incorrect answers to technical questions imply dishonesty and/or incompetence. Delayed answers don’t bode well for future customer support.
- Is there a monthly bandwidth-usage limit?
- Do you throttle connections that use excessive bandwidth?
- How many concurrent connections are allowed per account?
- How many hops are there in your VPN connections?
- What type(s) of VPN encryption do you use? Why?
- Do you support perfect forward secrecy? If so, how?
- Do you provide users with Diffie Hellman key files?
- How do you authenticate clients – certificates/keys, or usernames/passwords?
- Do you employ HMAC-Based TLS Authentication? If so, why?
- Do you ever email usernames and passwords to customers?
- Does each customer have a unique client certificate and key?
- Are your VPN gateway servers hosted, co-located or in-house?
- Are any of your VPN gateway servers running on VPS or cloud servers?
- How are your VPN gateway servers protected?
- Where is user account information stored?
- How is communication between servers secured?
- Do you allow port forwarding by users?
- Are all client ports ever forwarded by default? If so, on which servers?
- Is there a monthly bandwidth-usage limit?

This restriction has become less common in recent years. Usage limits are more common for VPN resellers, so it’s probably best to avoid providers that impose them for paid accounts.

- Do you throttle connections that use excessive bandwidth?

The best answer here depends on your goals. It’s natural to want the fastest possible connections. However, if you have a very fast ISP link, you might be moving far more traffic than anyone else sharing your VPN exit. And that reduces your anonymity.

- How many concurrent connections are allowed per account?

For VPN services with many exits, it’s sometimes convenient to simultaneously work as multiple pseudonyms, each using its own exit. Also, you may want to simultaneously connect from multiple devices. However, this also facilitates account-sharing abuse, which may overload VPN servers and slow your connections.

- How many hops are there in your VPN connections?

Most VPN services offer just one-hop connections. That is, you connect to a VPN gateway server, and your traffic exits to the Internet from the same server, or perhaps from another server on the same local network. With one-hop connections, it’s easy for adversaries to log traffic entering and leaving the VPN server.

- What type(s) of VPN encryption do you use? Why?

OpenVPN can operate in two distinct modes. One authenticates and encrypts using a shared static key. While that’s very simple to set up, key compromise allows an adversary to decrypt all prior traffic. No reputable provider uses this. But if you receive just one key file from a provider, open it in a text editor, and look at the last line. If it includes “CERTIFICATE”, you’re OK. But if it includes “KEY”, request a refund.

The other OpenVPN mode uses SSL/TLS as a control channel, and encrypts the data channel with periodically changing keys. If an adversary manages to compromise one of those data-channel keys, they can decrypt only that traffic, and not any past or future traffic. In other words, there is “perfect forward secrecy”.

By default, OpenVPN uses 1024-bit RSA for the certificates that authenticate SSL/TLS control-channel handshakes, and BF-CBC (128-bit) as the data-channel cipher. This is probably good enough in most cases, given perfect forward secrecy. However, it’s arguable that providers using 2048-bit RSA and AES-256-CBC (256-bit) are generally more security conscious.
Both BF-CBC and AES-256-CBC operate in Cipher Block Chaining (CBC) mode. If your provider uses something else (CFB, OFB, etc) they’re either incompetent or have some very good reason. Ask them.
- Do you support perfect forward secrecy? If so, how?

Any provider using OpenVPN in SSL/TLS mode provides perfect forward secrecy. Additional hand waving beyond that should make you suspicious.

- Do you provide users with Diffie Hellman key files?

This is a trick question. It’s true that OpenVPN uses static Diffie Hellman key files in providing perfect forward secrecy. But that static Diffie Hellman key file (“dh1024.pem” or “dh2048.pem”) is needed only on the server. Any provider that supplies them to users is incompetent.

- How do you authenticate clients – certificates/keys, or usernames/passwords?

In SSL/TLS mode, OpenVPN clients authenticate servers by checking whether a server has a certificate signed by the certificate authority certificate (“ca.crt”) that the provider has given them. OpenVPN supports two methods for servers to authenticate clients. One relies on certificates and keys (such as “client.crt” and “client.key”). The other relies on usernames and passwords (via auth-user-pass). Servers can use both, but that borders on overkill.

For point-to-point connections, where full network access may be at stake, it’s very important for servers to authenticate clients using certificates and keys. For VPN services, that’s not an issue, because clients just get to see the Internet. Also, for VPN services, giving each client a unique certificate is a privacy risk.

- Do you employ HMAC-Based TLS Authentication? If so, why?

With TLS authentication enabled (via tls-auth), servers ignore SSL/TLS handshake packets from clients that lack the correct HMAC signature. This feature protects VPN servers from DoS attacks, port scanning and other exploits. If implemented, providers may supply a key (typically “ta.key”) or one can be negotiated on the fly.

This is partly a trick question. Any provider claiming that this is essential for perfect forward secrecy is either dishonest or incompetent.

- Do you ever email usernames and passwords to customers?

This is a dangerous practice, but primarily for the provider. Adversaries that compromise usernames and passwords in transit can obtain free access, or even lock out paying users by changing passwords. There’s also the risk that adversaries could implicate users in criminal activity.

Even so, if you successfully change your password immediately after receipt, you’re safe. If you can’t log in to change the password, complain and demand a new account. For providers that are otherwise attractive, I don’t consider this a fatal error.

- Does each customer have a unique client certificate and key?

This is another trick question. Privacy-friendly answers are using the same client certificate for all customers, or not providing one at all, and relying on username and password for authentication.

It might seem like a good idea for each user to have their own certificate and key. And that’s true in an enterprise context. But for VPN services it’s very dangerous, because it potentially links user accounts to logged traffic. Some providers explain that they issue unique client certificates in order to facilitate nuking evil clients. However, it’s just as easy to do that with usernames, and usernames are arguably more readily repudiated than certificates.

If this is a key issue for you, it’s easy to test by purchasing two short-term subscriptions, paying with Bitcoins via Tor, and using temporary email addresses from anonbox etc.
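Most of the answers to the encryption, forward-secrecy, Diffie Hellman, client-authentication, tls-auth and unique-certificate questions above can be checked against the configuration bundle a provider actually ships, rather than taken on trust. The following is an added example, not code from the article or from any provider: it parses an OpenVPN client profile with inline blocks, applies the checks described above (static-key vs SSL/TLS mode, the “last line” of the key material, cipher mode, whether DH parameters were handed to the client, whether tls-auth is used, whether a client certificate is present) and fingerprints the client certificate so that bundles from two subscriptions can be compared. The sample profiles, host name and certificate bodies are constructed placeholders; the default cipher name assumed when a profile sets none is the BF-CBC default the article mentions.

```python
"""Audit an OpenVPN client profile (.ovpn) for the points raised above (added example)."""
import base64
import hashlib
import re

INLINE = re.compile(r"<([A-Za-z][\w-]*)>\s*(.*?)\s*</\1>", re.S)   # <ca>...</ca> etc.
PEM = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def parse_profile(text):
    """Split a profile into plain directives {name: [args, ...]} and inline tag bodies."""
    inline = {m.group(1): m.group(2) for m in INLINE.finditer(text)}
    opts = {}
    for line in INLINE.sub("", text).splitlines():
        s = line.strip()
        if not s or s[0] in "#;":
            continue
        tok = s.split()
        opts.setdefault(tok[0], []).append(tok[1:])
    return opts, inline


def cert_fingerprint(pem_text):
    """SHA-256 (hex) over the DER bytes of the first CERTIFICATE block, or None."""
    for label, body in PEM.findall(pem_text):
        if label.strip() == "CERTIFICATE":
            return hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
    return None


def audit_profile(text):
    """Return a dict of findings about one client profile."""
    opts, inline = parse_profile(text)

    def present(name):  # directive given either as a plain line or as an inline block
        return name in opts or name in inline

    has_cipher = bool(opts.get("cipher")) and bool(opts["cipher"][0])
    cipher = opts["cipher"][0][0] if has_cipher else "BF-CBC"  # assumed default when unset
    return {
        "static_key_mode": present("secret"),      # shared static key: no forward secrecy
        "cipher": cipher,
        "cipher_mode": cipher.rsplit("-", 1)[-1].upper(),
        "client_cert": present("cert"),            # a per-client cert can tie an account to traffic
        "user_pass": present("auth-user-pass"),
        "dh_supplied": present("dh"),              # DH parameters belong only on the server
        "tls_auth": present("tls-auth"),           # HMAC check on control-channel packets
        "pem_labels": [lbl.strip() for lbl, _ in PEM.findall(text)],  # the "last line" check
        "client_cert_sha256": cert_fingerprint(inline["cert"]) if "cert" in inline else None,
    }


def verdicts(findings):
    """Translate findings into the calls the article makes."""
    out = []
    if findings["static_key_mode"]:
        out.append("REJECT: shared static key mode, one key decrypts all traffic")
    if findings["cipher_mode"] != "CBC":
        out.append("ASK: data-channel cipher mode is %s, not CBC" % findings["cipher_mode"])
    if findings["dh_supplied"]:
        out.append("REJECT: Diffie-Hellman parameter file shipped to the client")
    if findings["client_cert"]:
        out.append("PRIVACY: client certificate present, compare fingerprints across two accounts")
    if not findings["tls_auth"]:
        out.append("NOTE: no tls-auth HMAC on the control channel")
    return out


# Constructed sample material: the base64 bodies are NOT real certificates, only
# placeholders so that parsing and fingerprinting have something to work on.
CA_B64 = base64.b64encode(b"constructed CA certificate").decode()
SHARED_CERT = base64.b64encode(b"constructed shared client cert").decode()
OTHER_CERT = base64.b64encode(b"constructed other client cert").decode()
STATIC_KEY = "-----BEGIN OpenVPN Static key V1-----\n0011223344556677\n-----END OpenVPN Static key V1-----\n"


def make_tls_profile(cert_b64, extra=""):
    """Constructed SSL/TLS-mode profile resembling what a provider might ship."""
    return (
        "client\ndev tun\nproto udp\nremote vpn.example.invalid 1194\n"
        "cipher AES-256-CBC\nauth-user-pass\n" + extra +
        "<ca>\n-----BEGIN CERTIFICATE-----\n" + CA_B64 + "\n-----END CERTIFICATE-----\n</ca>\n"
        "<cert>\n-----BEGIN CERTIFICATE-----\n" + cert_b64 + "\n-----END CERTIFICATE-----\n</cert>\n"
        "<tls-auth>\n" + STATIC_KEY + "</tls-auth>\nkey-direction 1\n"
    )


# Constructed shared-static-key profile: the kind the article says to refund.
STATIC_PROFILE = "dev tun\nremote vpn.example.invalid 1194\n<secret>\n" + STATIC_KEY + "</secret>\n"

if __name__ == "__main__":
    for name, profile in [("tls", make_tls_profile(SHARED_CERT)), ("static", STATIC_PROFILE)]:
        found = audit_profile(profile)
        print(name, found["cipher"], found["pem_labels"], found["client_cert_sha256"])
        for line in verdicts(found):
            print("  ", line)
```

To compare two subscriptions, run audit_profile on each bundle and compare the client_cert_sha256 values: identical fingerprints mean a shared certificate, different ones mean per-customer certificates. Profiles that reference key material by file name rather than inline can be checked the same way by running cert_fingerprint on the referenced file’s contents.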
- Are your VPN gateway servers hosted, co-located, or in-house?

This is partially a trick question. I would be very suspicious of any VPN provider claiming that its servers are managed in-house. You could ask how they cover the cost of maintaining facilities with high-speed uplinks in multiple countries.

The best plausible answer is that they build their own servers, and ship them to co-location facilities. Give extra points for server hardening. Typical physical hardening measures include embedding RAM in silicone rubber or thermal adhesive, and disabling USB ports.

The most likely acceptable answer is that they use hosted dedicated servers. Give extra points for server hardening, such as using full-disk encryption, and keeping short-term logs in RAM (tmpfs).

- Are any of your VPN gateway servers running on VPS or cloud servers?

Providers should never deploy VPN gateway servers on virtual private servers (VPS) or cloud servers. Being virtual machines, they are fully controlled by the host operating system, and all activity and data is readily available through the host. Providers should always use dedicated servers that have been properly secured against unauthorized access.

- How are your VPN gateway servers protected?

VPN services typically need servers playing three roles. There are gateway servers that establish VPN connections with clients, and also route client traffic to the Internet. For one-hop connections, one server may handle all of that. There are servers that host the service’s website. And there are servers that manage user account information, and provide authentication services to gateway servers and web servers.

All client traffic is routed through the gateway servers. Unless those servers are adequately secured, adversaries could compromise them, and so compromise users’ privacy by logging their traffic. VPN gateway servers should be hardened according to industry standards such as the CIS benchmarks or the NSA baseline guides.

Most importantly, VPN gateway servers should not be running other network services, such as website hosting, or user accounting and authentication. Doing so substantially increases VPN gateway servers’ attack surface. You can verify what ports and services are accessible on a VPN gateway by using a port scanner such as nmap. However, keep in mind that many providers expose VPN servers on non-standard ports such as 80 (HTTP) and 443 (HTTPS) to evade firewall blocking.
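Reading a scan of a gateway by hand is error-prone once the provider exposes VPN endpoints on 80 and 443 as well, so the check is easier to repeat if the expected endpoints are written down and everything else is flagged. The following added example (not from the article) parses nmap’s grepable output format for one gateway host and lists every open port that is not on the expected list. The scan lines, host name and address are constructed, not captured from any provider, and the expected-port set is an assumption to adjust to what the provider documents.

```python
"""Flag services on a VPN gateway beyond the VPN endpoints it should expose (added example)."""

# Assumed set of endpoints a gateway legitimately listens on: OpenVPN's default port,
# plus the 80/443 fallbacks the article says providers use to evade firewall blocking.
EXPECTED = {("udp", 1194), ("tcp", 1194), ("tcp", 443), ("tcp", 80)}

# Constructed nmap -oG output for a hypothetical gateway (not a real capture).
# Real -oG writes one 'Host:' line per host with tab-separated fields, and each
# port entry is port/state/protocol/owner/service/rpcinfo/version/.
SAMPLE_OG = (
    "# Nmap grepable output (constructed sample)\n"
    "Host: 198.51.100.10 (gw.example.invalid)\tStatus: Up\n"
    "Host: 198.51.100.10 (gw.example.invalid)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///, 1194/open/tcp//openvpn///, "
    "3306/open/tcp//mysql///, 8080/closed/tcp//http-proxy///, "
    "1194/open|filtered/udp//openvpn///\tIgnored State: closed (0)\n"
    "# Nmap done (constructed sample)\n"
)


def parse_grepable(text):
    """Return (host, proto, port, state, service) for every port entry in -oG output."""
    results = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                port, state, proto, _owner, service = entry.strip().split("/")[:5]
                results.append((host, proto, int(port), state, service))
    return results


def unexpected_services(text, expected=EXPECTED):
    """Open ports (UDP 'open|filtered' counts as open) that are not expected VPN endpoints."""
    return [
        (proto, port, service)
        for _host, proto, port, state, service in parse_grepable(text)
        if state.startswith("open") and (proto, port) not in expected
    ]


def report(text, expected=EXPECTED):
    """Human-readable summary: one line per unexpected service, or a clean verdict."""
    extra = unexpected_services(text, expected)
    if not extra:
        return ["only expected VPN endpoints are open"]
    return ["%s/%d (%s) is open on the gateway: extra attack surface" % (proto, port, service)
            for proto, port, service in extra]


if __name__ == "__main__":
    for line in report(SAMPLE_OG):
        print(line)
```

In the constructed sample the gateway exposes SSH and MySQL alongside the VPN endpoints; the database port in particular suggests user accounting lives on the same box as the gateway, which is exactly the role mixing the answer above warns against. Save a real scan with `-oG` and pass the file contents to report.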
- Where is user account information stored?

Providers should ideally be storing this information on colocated or in-house servers that are suitably encrypted, hardened and protected against adversaries. Also, they should be segregating authentication data, which must be available to gateway servers, from accounting data, which may include users’ private information, such as usage logs, email addresses and payment records.

- How is communication between servers secured?

Well designed VPN services comprise networks of specialized servers with distinct roles that communicate securely with each other. For example, gateway servers must contact authentication servers to verify that users are authorized to connect. There are also backend provisioning systems that rely on sales data from websites to create and update user accounts, and then update the authentication servers.

Given the sensitivity of this data, and its value to adversaries, all communication among these servers must be securely encrypted. Most commonly, this relies on persistent OpenVPN or IPSec tunnels between servers.

- Do you allow port forwarding by users?

When you are connected to a VPN service, the VPN gateway server protects your device from potentially hostile incoming connections in the same way that your LAN router or firewall does. However, allowing incoming connections on particular ports is essential for operating servers, or for participating in P2P networks where your node must be visible to other nodes. That process is called port forwarding.

When port forwarding is enabled, your device is directly exposed to the Internet on the ports that have been forwarded, with no protection by the VPN service. An adversary may successfully exploit a vulnerability in a service that’s listening on a forwarded port, and compromise your device. In addition to typical consequences such as botnet membership and data theft, an adversary may compromise your privacy and anonymity by “phoning home” when you’re not using the VPN service.

- Are all client ports ever forwarded by default? If so, on which servers?

Some VPN services forward all client ports by default. Some do so only on designated servers. For some services, it appears that port forwarding varies among servers with no pattern or documentation. Although it’s possible to check for this using port scanning, it’s complicated by the fact that many different clients using the same exit IP address may have the same ports forwarded.