Encryption and Privacy Protocols
First published: April 2019. Latest revision: April 2021.
This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use. In this article, we’ll examine some of the protocols that VPNs use to provide privacy to their users and present the options that are available to safeguard and encrypt your data.
The paramount reason for using a VPN is to ensure your privacy when you are using the internet. Encryption of the data that flows to and from your internet-connected device is the means to attain that state of privacy: without encryption there can be no privacy. A trustworthy VPN must implement adequate encryption (and other) protocols in order to ensure your privacy. This article will briefly consider various protocols and make recommendations about them.
What is a VPN tunnel?
When you connect to the internet with a VPN, the VPN creates a connection between you and the internet that surrounds your internet data like a tunnel, encrypting the data packets your device sends.
While technically created by a VPN, the tunnel on its own can’t be considered private unless it’s accompanied with encryption strong enough to prevent governments or ISPs from intercepting and reading your internet activity.
The level of encryption the VPN tunnel has depends on the type of tunneling protocol used to encapsulate and encrypt the data going to and from your device and the Internet.
(bold emphasis added by me)
What are the common tunneling/encryption protocols?
VPN services have the option of implementing one or more different tunneling/encryption protocols in order to mask or protect the data that is traversing your internet connection from prying eyes. Here are some common protocols:
• PPTP (Point-to-Point Tunneling Protocol) has been available for many years (its specification was published in 1999) and has been somewhat enhanced over time in an attempt to make it more secure. However, serious security vulnerabilities have been found in the protocol and the consensus is that it should be avoided. (Personally, I would question why a VPN would even support this protocol as an option for its customers, as its use would not seem to be in a customer’s best interests.)
• L2TP/IPsec (Layer 2 Tunneling Protocol/Internet Protocol Security) has also been available for several years. L2TP provides the tunneling and IPsec provides the authentication and encryption of the data. Thus, the preparation of data for transmission via L2TP/IPsec is a two-step process and this results in a decrease in speed as compared to some other protocols.
Furthermore, as noted on Wikipedia:
In 2013, as part of Snowden leaks, it was revealed that the US National Security Agency had been actively working to “Insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets” as part of the Bullrun program. There are allegations that IPsec was a targeted encryption system.”
Thus, there is a distinct possibility that the security of the L2TP/IPsec protocol has been compromised. Another concern with L2TP/IPsec is that it can’t be used to get around firewall blocking that some ISPs (Internet Service Providers) have instituted.
• SSTP (Secure Socket Tunneling Protocol) is a newer protocol introduced by and proprietary to Microsoft (and is best supported on Microsoft Windows-based systems). It can be configured to use very secure encryption and also can bypass firewall blocks. However, being a proprietary and not an open protocol, it cannot be independently audited like the open protocols.
• OpenVPN is an open source protocol that implements virtual private network techniques that create secure connections via SSL/TLS (Secure Sockets Layer/Transport Layer Security), a cryptographic protocol that has found widespread use for Internet communications. OpenVPN can make use of highly secure encryption and can bypass firewall blocks. It supports the new IPv6 internet addressing scheme and provides fast connection speeds. Being an open protocol, its privacy and security can be tested and improved by third parties. OpenVPN runs on most all hardware/software platforms.
• WireGuard is considered by many to be the VPN protocol “of the future.” It is new enough that it is still in active development but has achieved a stable “release version.” WireGuard aims to improve upon other protocols by being both simple and yet highly effective. The WireGuard codebase is around 4000 lines, which is about 1% of that of OpenVPN or IPsec. This is a distinct advantage, because security audits of WireGuard will be much simpler to perform as will be bug finding/fixing. WireGuard can negotiate the initial VPN connection, and subsequent reconnections faster than other protocols and it fully supports the new IPv6 internet addressing scheme. Battery use on mobile devices is less taxing as compared to other protocols. WireGuard uses extremely secure methods of authentication and encryption.
Which protocol is preferable?
… We recommend the open-source WireGuard protocol, a new lightweight protocol that is gaining prominence. It now has a Windows client and is integrated into the Linux kernel, which required additional security review. If the VPN you choose doesn’t offer WireGuard, we recommend using connections based on the OpenVPN protocol due to security flaws and disadvantages in the PPTP and IPsec protocols.
(bold emphasis added by me)
You want to skip PPTP if at all possible. It’s a very dated protocol that uses weak encryption and due to security issues should be considered compromised. It might be good enough to secure your non-essential web browsing at a coffee shop (e.g. to keep the shopkeeper’s son from sniffing your passwords), but it’s not up to snuff for serious security. Although L2TP/IPsec is a significant improvements over PPTP, it lacks the speed and the open security audits found with OpenVPN.
Long story short, OpenVPN is what you want (and you should accept no substitutions until something even better comes along).
(bold emphasis added by me)
The above quotes echo the opinion of many sources. At this time, OpenVPN would seem to be the preferred protocol over the older PPTP and L2TP/IPsec protocols. Fortunately, most VPNs offer OpenVPN. (Amazingly, a few VPNs do not offer support for the OpenVPN protocol. In my opinion, those VPNs should definitely be avoided!)
The WireGuard protocol, however, is the current “state-of-the-art.” Wireguard has undergone rigorous security testing and has passed a third-party security audit. Hence, the protocol is transitioning from the “experimental” stage to being accepted and supported as “mainstream.”
WireGuard is available from a few VPN services. Mullvad VPN began offering it in 2017, followed by other early adopters such as AzireVPN, IVPN and StrongVPN. Some other VPN services are also now offering WireGuard. An informative introduction to WireGuard is “WireGuard VPN review: A new type of VPN offers serious advantages” on the Ars Technica website.
A note on the OpenVPN implementation by VPNs
The manner in which a VPN service implements the OpenVPN protocol is important. VPNs can choose to use various options that the OpenVPN protocol offers for tunnelling and encryption. Some of these options are more secure than others.
For example, in the current version of OpenVPN, the default cipher is BF-CBC (Blowfish in Cipher Block Chaining mode.) However, BF-CBC is no longer recommended by security experts because the encryption it provides is relatively weak by current standards and is open to attack. Fortunately, a VPN service can choose to use a 256-bit version of AES (Advanced Encryption Standard) instead of the default BF-CBC within the OpenVPN protocol, thereby providing a much more secure level of encryption to the users of that VPN service.
So, to thoroughly evaluate the privacy and security of a VPN, be sure to check various technical parameters. (Other technical frameworks that also should be checked will be noted in the next article in this series.)
Unfortunately, not all VPN services provide acceptably high levels of security. Note that the employment by a VPN service of the OpenVPN protocol (with high-security options enabled) or, better yet, the new WireGuard protocol is an indication that the VPN is attending to the security of the Internet connection of its users. Check for the availability of these tunneling/encryption protocols when you are evaluating a VPN for your own use.
We’ll examine some of the methods that VPNs use to provide privacy to their users and present the options that are available to safeguard and encrypt your data in the next article of this VPN series, titled “Other Important Technical Concerns in Choosing a VPN.”