Will a VPN Protect Me? Defining Your Threat Model
mirimir (gpg key 0x17C2E43E)
The Internet was originally designed for communication among trusted partners. It was designed to be highly resilient against nuclear attacks, and other such external threats. But there were no protections against insider threats, from malicious network peers or users. Neither content nor information about content (which is called metadata) such as user identity, date and subject for email messages, were kept private, or secured against modification or spoofing.
As the Internet has grown and developed, various insider threats have been recognized, and various components have been updated to mitigate them. For the most part, however, efforts have focused on small-scale adversaries, such as individuals and criminal organizations. Email, one of the core components, remains notoriously broken against powerful adversaries. The HTTPS protocol was designed to authenticate websites, and to protect users against eavesdropping and
Man in the Middle (MitM) attacks. However, its security entirely depends on hierarchic systems of trusted certificate authorities, and they remain vulnerable to clever and/or powerful adversaries.
Indeed, the Internet has become a panopticon with numerous observers. Commercialization has culminated in an advertising-funded economic model that rewards players who can most effectively target users by compromising their privacy. Worse, the Internet is also heavily militarized, with the US (NSA) and China (various MSS and PLA agencies) as major players. Efforts involve both mass surveillance and targeted attack. Furthermore, intercepted information is commonly (albeit secretly) used for such non-military goals as business development and law enforcement, through parallel construction.
Censorship is also pervasive. Nations such as China, India, the UK, Iran, Saudi Arabia and Pakistan restrict access by their citizens for various economic, social, ideological and/or religious reasons. Furthermore, the US censors the entire Internet, primarily (as far as we know) in defense of intellectual property rights. Leveraging its jurisdiction over the .com, .net and .org domain registrars, it has seized thousands of websites, often based on mere allegations of infringing activity. All such domains (including, for example, most VPN services) are vulnerable.
But you already knew that, right? That’s why you’re reading this article. You’re probably wondering whether iVPN (or any VPN service) can provide the anonymity, freedom, privacy and/or security that you seek. For better or worse, the answer is
it depends. VPN services effectively guard against some threats, and are inadequate against others. It all depends on your threat model(s).
In formulating a threat model, first consider what you are protecting, what potential adversaries (archetypic attackers) you are protecting against, and what consequences you might face if compromised. Consider your potential adversaries, how capable and resourceful they are, and what methods they might employ against you. Also consider your skills, how hard you are willing to work, and how much usability and convenience you are willing to give up. Finally, keep in mind that you may have multiple context-dependent threat models, and that you may want to combine various defenses in ways that are appropriate for each of them.
Example Threat Models
We begin by considering threat models that are typical among prospective users of VPN services, ranging from trivial to grandiose. In each example, there are four bullets: a) summary of the threat; b) recommended mitigation; c) how it works; and d) issues and limitations. Please see Adversaries and Anonymity Systems: The Basics for background information and details about adversaries and anonymity systems. For any of these threat models, except perhaps the first, it’s important to prevent leaks if the VPN connection is interrupted. You can use a VPN client that prevents leaks, or roll your own firewall setup. Linux iptables rules are here. And whatever you do, it’s prudent to test for leaks.
1. Protecting Against Hackers on Public Wi-Fi Hotspots
- Consider someone who uses public Wi-Fi hotspots. They are concerned that hackers (ranging from other users to network administrators) might intercept their communications, and might steal sensitive information about their credit cards, bank and investment accounts, and so on. That is, they want security and privacy. But they’re not trying to hide their online activity, or to be anonymous.
- Any reputable VPN service would suffice for such users.
- When users are connected to VPN servers, all traffic between their devices and VPN servers is encrypted, typically with a 256-bit AES key. Eavesdroppers on the public Wi-Fi network, or on other intervening networks, would see only encrypted data.
- VPN services do not encrypt traffic between their exit servers and Internet destinations. Neither do other anonymity systems. For that, users must connect to destinations using end-to-end encryption, such as HTTPS for websites. See the section
VPN Servicesin Adversaries and Anonymity Systems: The Basics for more about VPN services.
2. Protecting Against Monitoring and Logging by ISPs
- Consider someone who is concerned that their ISP may be monitoring and logging their online activity. They want privacy, and they also want anonymity, in the sense of remaining unassociated with their online activity. But they’re not concerned about hackers, or other real-time adversaries. They’re just concerned that their ISP might, at some point, share logs of their online activity with other potential adversaries.
- Using a reputable VPN service that retains no logs, and that implements perfect forward secrecy, is the least invasive approach for mitigating this threat.
- When a user is connected to a VPN server, their ISP sees only encrypted traffic. Websites and other Internet destinations see the VPN service’s exit IP address, rather than the user’s ISP-assigned IP address. With perfect forward secrecy, an adversary that manages to compromise a particular VPN session can only decrypt data from that session (and not past or future data). Any encrypted traffic logged by the user’s ISP remains secure.
- For this approach to make sense, the user must trust the VPN service more than they trust their ISP. That’s often a straightforward choice (for example, where ISPs are tightly regulated and monitored). If the stakes are high, it may be prudent to distribute trust, so that compromise would require collusion. Using the Tor browser would be the simplest approach. However, given the risk of malicious exit nodes, using end-to-end encryption would be prudent. If hiding Tor use is important, the user could access the Tor network through a VPN service, or perhaps through a nested chain of VPN services.
3. Hiding Location and Identity from Websites
- Consider someone who wishes to hide their location and identity from websites that they access. They don’t want websites to know their ISP-assigned IP address, which is linked to their location. They also don’t want websites to know their true name, either through their IP address, or through association with prior usage. However, they’re not concerned about threats from other potential adversaries, such as their ISP or government.
- Any reputable VPN service would hide the user’s ISP-assigned IP address from websites. In order to prevent association with prior activity under their true name, the user should work in a fresh device (or virtual machine) with no such prior usage on any website.
- When a user is connecting through a VPN service, websites see the IP address of the exit server, rather than the user’s ISP-assigned IP address. Working in a fresh device or virtual machine, there are no cookies or other tracking objects that might be associated with the user’s true name, or other aspects of their prior activity.
- It’s not prudent to rely on browser settings (such as private browsing mode) or plugins to prevent tracking, because that protects only against known tracking methods. Even the Tor browser is vulnerable to new (aka zero-day) tracking exploits. Relying on isolation between different browsers is also risky. While virtual machines can also be compromised, there is little risk, except for high-value targets. Where the stakes are high, using dedicated devices would be most prudent.
4. Hiding True Name from a Correspondent
- Consider someone who wishes to be anonymous to a particular correspondent. They don’t want the correspondent to know their ISP-assigned IP address, which is linked to their true name. However, they’re not concerned about threats from other potential adversaries, such as their ISP or government.
- Unless the correspondent is (or has help from) a resourceful adversary, any reputable VPN service would suffice.
- When a user is connecting through a VPN service, the initial
Received: fromheader in messages sent by the user will show the IP address of the VPN exit server, and not the user’s ISP-assigned IP address. That’s the case with both webmail and stand-alone email clients.
- The email account must not be associated with the user, in any way. There must be no money trails. The user must never access the account without reliably obscuring their IP address. They must never use the email address with friends, or in any identifying context. Even so, adversaries know the VPN service by its IP address, and they could ask (perhaps very hard) about the user. Against resourceful adversaries, especially if the stakes are high, it may be prudent to use nested VPN chains, or perhaps Tor. In extreme cases, it may be prudent to tunnel traffic through multiple anonymity systems. However, configuring stand-alone email clients to properly use Tor (without leaks) is nontrivial. Also, they don’t work with VPN services that block SMTP traffic to prevent spamming.
5. Being Anonymous Online and Hiding Online Activity from Ones National Government
Consider someone who wishes to obscure their online activity (content and metadata) from their ISP and national government. They also wish to hide their location and identity from websites that they access, and from their correspondents. That is, they want both privacy and anonymity. They want anonymity in the sense of remaining unassociated with their online activity, and they want that anonymity to survive efforts by their national government to associate them and it. However, they are not subject to overt censorship, and the use of strong encryption is not regulated. Also, they have not (they assume) been specifically targeted for investigation. They are somewhat concerned about the consequences of discovery. But they are not concerned about threats from other potential adversaries.
It would be prudent for such users to tunnel traffic through multiple anonymity systems, perhaps initially through a nested chain of two or three VPN services, and then through JonDonym and/or Tor. It might be sufficient to start with a popular VPN service, connecting through a typical ISP uplink. However, it would be safer, albeit far less convenient, to connect anonymously through public Wi-Fi hotspots.
Using VPN services obscures online activity from local observers, and it also obscures location and identity from remote observers on the Internet. However, users are entirely vulnerable to betrayal by the VPN provider. With a second VPN service tunneled through the first, trust has been distributed, in that compromise would require collusion between the two providers. With Tor in the nested chain, forcing collusion among providers becomes unworkable, and adversaries must rely on other attacks: traffic analysis, Sybil attacks and exploiting vulnerabilities in particular system nodes and their operators.
This threat model is prudent only when the use of strong encryption is unregulated, when users are not specifically targeted for investigation, and when the consequences of discovery would be relatively minor. When there is appreciable uncertainty about any of those assumptions, the threat model
Being Anonymous Online, Evading Censorship, and Hiding Online Activity from Ones National Governmentis more appropriate.
Although users are subject to surveillance both locally and remotely, the Internet uplink is their key vulnerability. For those who connect through ISPs, the strategy has two aspects: 1) blend in locally, by using popular VPN services, and by otherwise being unworthy of special attention; and 2) go for overkill in resisting efforts by their national government to associate them and their online activity. All non-free/premium VPN-service and JonDonym accounts, except for any service accessed directly through an ISP, should of course be purchased anonymously.
But even with such overkill, connecting through an ISP is risky. For example, the government might fingerprint connections to a popular dissident forum, by using a DDoS attack to intermittently force the website offline, in some pattern. It could then identify users by searching intercepts, provided by ISPs, for that fingerprint. And in any case, there is no deniability if their government does manage to associate a user’s online activity with their ISP-assigned IP address.
Connecting anonymously through public Wi-Fi hotspots would be safer, but far less convenient. Even if the user’s government does associate their online activity with the hotspot’s IP address, the user is still somewhat anonymous. We discuss the use of public Wi-Fi hotspots further in the threat model
Being Anonymous Online, Evading Censorship, and Hiding Online Activity from Ones National Government.
6. Evading Censorship by Ones National Government
Consider someone who wishes to evade censorship imposed by their national government. Although they don’t want to attract undue attention, they are not seeking strong anonymity from observers on the Internet. They are confident that the consequences of discovery would be minor. And they are not concerned about threats from other potential adversaries.
Any reputable VPN service might suffice. However, against more resourceful censors, it might be necessary to use VPN services that connect through obfuscated proxies. Against powerful censors, it might be necessary to use Tor via obfuscated bridges.
When a user is connecting through a VPN service, the user’s ISP and government see only encrypted traffic to the VPN server. Unless the user’s government can observe the VPN server’s local traffic, it can’t determine what websites the user is accessing. And without knowing that, it can’t censor, except by blocking or throttling all traffic to that VPN server. If the user is connecting to the VPN service through an obfuscated proxy, the censor might need to block or throttle all encrypted traffic.
This threat model is prudent only when the consequences of discovery would be minor, and only when strong anonymity from observers on the Internet is correspondingly unnecessary. When there is appreciable uncertainty about either assumption, the following threat model is more appropriate.
Even with obfuscation, highly resourceful censors might identify and block all of the VPN service’s proxy servers. Against such adversaries, it might be necessary to use Tor with obfuscated bridges. Although both Tor and VPN services can use the same methods for obfuscation, Tor is far more resilient to censorship. That’s because VPN services typically use at most a few obfuscated proxies, while there are thousands of Tor obfuscated bridges.
However, new approaches might level the field. For example, the CloudTransport design features cloud-hosted proxies with fast-flux IP addresses, which can’t readily be blocked without interfering with other cloud services. See the last paragraph of the section
Passive Adversaries with Limited Network Reachin Adversaries and Anonymity Systems: The Basics for more about that.
7. Being Anonymous Online, Evading Censorship, and Hiding Online Activity from Ones National Government
Consider someone who wishes to evade censorship imposed by their national government. They also wish to obscure their online activity (content and metadata) from their ISP and national government. And they wish to hide their location and identity from websites that they access, and from their correspondents. That is, they want both privacy and anonymity. They want anonymity in the sense of remaining unassociated with their online activity, and they want that anonymity to survive efforts by their national government to associate them and it. Furthermore, they are subject to overt censorship, and the use of strong encryption is regulated, so they must also avoid association with illicit communications. However, they have not (they assume) been specifically targeted for investigation. They are concerned that the consequences of discovery might be severe. And they are also concerned about threats from other adversaries, including governments, that might share information with their national government. But they are not concerned about threats from other neutral or non-cooperating adversaries.
It would be prudent for such users to tunnel traffic through multiple anonymity systems. It would arguably be best to start with Tor, using the strongest obfsproxy plugin available, and connecting anonymously through public Wi-Fi hotspots. Users could then, for example, tunnel JonDonym through Tor, and then tunnel a VPN service through JonDonym. Full-disk encryption with an instant-wipe hotkey would provide a final backup.
As discussed in previous examples, traffic obfuscation hinders government censorship. The nested anonymity systems further obscure online activity from local observers, and they also obscure location and identity from remote observers on the Internet. With Tor in the nested chain, forcing collusion among providers becomes unworkable, and adversaries must rely on other attacks: traffic analysis, Sybil attacks and exploiting vulnerabilities in particular system nodes and their operators.
Starting with Tor is arguably best, because with thousands of obfuscated bridges, it’s most resilient to censorship. However, given uncertainty about the long-term effectiveness of traffic obfuscation, and the risk of deanonymization through malicious-relay (Sybil) attacks, it would be prudent to reach the Tor network anonymously through public Wi-Fi hotspots. That’s especially so, given potentially severe consequences of discovery. Tunneling JonDonym through Tor, and then a VPN service through JonDonym, further disassociates online activity from a hotspot’s public IP address.
Although users are subject to surveillance both locally and remotely, the Internet uplink is their key vulnerability. Connecting anonymously through public Wi-Fi hotspots protects users in two ways. First, even if government censors identify and block a user’s obfuscated bridges, the user remains anonymous, and can easily recover by obtaining fresh bridges. Second, even if the government manages to associate a user’s online activity with a hotspot’s public IP address, the user remains at least somewhat anonymous.
Regarding the first issue, there are thousands of Tor obfuscated bridges, and users can obtain fresh bridges in various ways from the central BridgeDB, and also informally from other users. Numerous alternatives for distributing bridges are under investigation. For example, there are reputation-based systems that partition out malicious users, which are fielded by adversaries seeking to enumerate and block bridges. More revolutionary is the CloudTransport design. It features cloud-hosted bridges, which have fast-flux IP addresses that can’t readily be blocked, without interfering with other cloud services. See the last paragraph of the section
Passive Adversaries with Limited Network Reachin Adversaries and Anonymity Systems: The Basics for more about that. Also, it can be nontrivial to use public Wi-Fi hotspots anonymously. Range is often limited, and usability requires line-of-sight, because radio signals are strongly attenuated by buildings and dense vegetation. Also, working outdoors may be impractical during inclement weather. Such constraints put users at increased risk of surveillance. While directional antennas can dramatically increase range, there’s a size vs gain trade-off, and even the smallest would likely attract attention.
Wi-Fi hotspots typically log the MAC addresses of Wi-Fi adapters that connect to them. Even if a user’s traffic were fully encrypted, the hotspot could record their usage history, including their MAC address and what IP addresses they had connected to (here, Tor obfuscated bridges). Users can mitigate that threat in two complementary ways. First, the user could have several USB Wi-Fi adapter dongles, and use a different one for each Wi-Fi hotspot. They would only carry one of them at any given time. Also, they would (of course) disable their device’s built-in Wi-Fi network adapter (which they might use only on trusted Wi-Fi networks). Second, they would also employ MAC spoofing software, in order to hinder profile building by Wi-Fi hotspots. Even if a Wi-Fi hotspot managed to compromise the MAC spoofing software, it would only get the MAC address of a USB Wi-Fi dongle (which could then, if appropriate, be destroyed).
Regarding the second issue, there is much less risk of local-online association when tunneling JonDonym (purchased with thoroughly anonymized Bitcoins) through Tor. In that case, a Sybil attack could at best deanonymize circuits with one of its malicious relays as an entry guard, and another as an exit relay connecting to a JonDonym cascade. Given that Tor is one of the default SOCKS5 proxies for JonDonym, users of interest would arguably own a minority of such circuits. And in any case, the adversary would still need to compromise a JonDonym cascade, which would require different skills and resources. Furthermore, with a popular VPN service (also purchased anonymously) tunneled through JonDonym, the adversary wouldn’t even know to focus on Tor circuits ending at JonDonym. See the relevant sections in Adversaries and Anonymity Systems: The Basics for background.
If public Wi-Fi hotspots were unavailable, or were not usable anonymously, users would have two options. They could connect through an ISP uplink, or they could create (or join) an anonymous P2P Wi-Fi meshnet. The first option would be very risky, given uncertain traffic obfuscation, and the potentially severe consequences of discovery. The second option would be safer, but still riskier than anonymously using public Wi-Fi hotspots. Also, it would involve considerable effort, and would involve working with trusted partners. Basically, anonymous P2P Wi-Fi meshnets are just relatively local anonymity systems, and their key vulnerability is (of course) the Internet uplink. However, it’s beyond the scope of this discussion, and deserves its own.
As final backup, in case of physical discovery, the user’s device must be protected by full-disk encryption that leaves no plaintext on storage media under any circumstances. And of course, it must be setup for instant shutdown, perhaps with a hot key. Where the stakes are especially high, it would be best for the hot key to render the disk undecryptable. Deleting and overwriting data is far too slow. But overwriting the header(s) of the encrypted volume and the device’s boot partition with random data takes but a few seconds. Once that’s been done, forensic analysis will confirm that the data is not recoverable. The users could, of course have the requisite header(s) and boot partition backed up somewhere on the cloud, or wherever.
8. Being Anonymous Online Against All Adversaries (But Not Targeted)
- Consider someone who wishes to remain anonymous against all adversaries, including
The Man(the prototypic global adversary aka the NSA). They are subject to government censorship, and the use of strong encryption is regulated. As in the previous example, they must: 1) evade government censorship; 2) obscure their online activity from local observers; and 3) avoid association with their illicit communications. And (of course) they must hide their location and identity from all remote observers on the Internet. They have not (they assume) been specifically targeted for investigation, and they want to keep it that way. They are concerned that the consequences of discovery might be severe. Perhaps they’re discreetly leaking documents obtained from the NSA. Or perhaps they’re managing a high-profile Tor hidden service, on the order of the late Silk Road, or Freedom Hosting.
- As in the previous example, it would be prudent for such users to tunnel traffic through multiple anonymity systems. It would arguably be best to start with Tor, using the strongest obfsproxy plugin available, and connecting anonymously through numerous public Wi-Fi hotspots. Users would then tunnel JonDonym through Tor, and then tunnel a VPN service through JonDonym. Full-disk encryption with an instant-wipe hotkey would provide a final backup.
- As discussed in previous example, starting with Tor provides the best protection against censorship and discovery. Tunneling JonDonym through Tor, and then a VPN service through JonDonym, disassociates online activity from Tor circuits, and prevents targeting them for compromise through malicious-relay (Sybil) attacks. And compromising a JonDonym cascade would require different skills and resources. Using public Wi-Fi hotspots provides backup anonymity, in case obfuscation fails, or even if online activity becomes associated with one of the hotspots.
- Considerable knowledge, experience and resources would be required in order to reliably mitigate such threats from powerful adversaries. The key aspect is to avoid being specifically targeted for investigation. The user must blend in with the crowd, remaining effectively invisible by giving observers (including others in the crowd) no reason to look specifically at them. In particular, the user must not attract attention in the process of hiding and being anonymous. Handling the physical uplink properly, being secure while not attracting undue attention, is crucial. Other than that, they would employ approaches discussed in the previous example.
9. Being Anonymous Online Against All Adversaries While Targeted for Specific Observation
- Consider someone who (they assume) been specifically targeted for investigation by
- The key mitigation would be finding a safe physical location, either hiding (perhaps as a homeless drifter) or seeking refuge somewhere (as Edward Snowden has, in Russia). Given that, they would employ approaches discussed in the previous two examples.
Suggest an edit on GitHub.