Encryption and Privacy Protocols
First published: April 2019. Latest revision: March 2023.
This is a continuation of my series of articles about evaluating and choosing a trustworthy VPN service for one’s own use. In this article, we’ll examine some of the protocols that VPNs use to provide privacy to their users and present the options that are available to safeguard and encrypt your data.
The paramount reason for using a VPN is to ensure your privacy when you are using the Internet. Encryption of the data that flows to and from your internet-connected device is the means to attain that state of privacy: without encryption there can be no privacy. A trustworthy VPN must implement adequate encryption (and other) protocols in order to ensure your privacy. This article will briefly consider various protocols and make recommendations about them.
What is a VPN tunnel?
When you connect to the internet with a VPN, the VPN creates a connection between you and the internet that surrounds your internet data like a tunnel, encrypting the data packets your device sends.
While technically created by a VPN, the tunnel on its own can’t be considered private unless it’s accompanied by encryption strong enough to prevent governments or ISPs from intercepting and reading your internet activity.
The level of encryption the VPN tunnel has depends on the type of tunneling protocol used to encapsulate and encrypt the data going to and from your device and the Internet.
(I added bold emphasis.)
What are the common tunneling/encryption protocols?
VPN services have the option of implementing one or more different tunneling/encryption protocols in order to mask or protect the data that is traversing your internet connection from prying eyes. Here are some common protocols:
• PPTP (Point-to-Point Tunneling Protocol) has been available for many years (its specification was published in 1999) and has been somewhat enhanced over time in an attempt to make it more secure. However, serious security vulnerabilities have been found in the protocol, and the consensus is that it should be avoided. (Personally, I would question why a VPN would even support this protocol as an option for its customers, as its use would not seem to be in the customer’s best interests.)
• L2TP/IPsec (Layer 2 Tunneling Protocol/Internet Protocol Security) has also been available for several years. L2TP provides the tunneling and IPsec provides the authentication and encryption of the data. Thus, the preparation of data for transmission via L2TP/IPsec is a two-step process, and this results in a slight decrease in speed as compared to some other protocols.
Furthermore, as noted on Wikipedia:
In 2013, as part of Snowden leaks, it was revealed that the US National Security Agency had been actively working to “insert vulnerabilities into commercial encryption systems, IT systems, networks, and endpoint communications devices used by targets” as part of the Bullrun program. There are allegations that IPsec was a targeted encryption system.
(I added bold emphasis.)
Thus, there is a distinct possibility that the security of the L2TP/IPsec protocol has been compromised.
Another concern with L2TP/IPsec is that it can’t be used to circumvent the firewall blocking that some ISPs (Internet Service Providers) have instituted to disallow VPN use.
• SSTP (Secure Socket Tunneling Protocol) is a newer protocol introduced by and proprietary to Microsoft (and is best supported on Microsoft Windows-based systems). It can be configured to use very secure encryption and can bypass firewall blocks. However, being a proprietary and not an open protocol, it cannot be independently audited like the open protocols.
• OpenVPN is an open source protocol that implements virtual private network techniques that create secure connections via SSL/TLS (Secure Sockets Layer/Transport Layer Security), a cryptographic protocol that has found widespread use for Internet communications.
OpenVPN can make use of highly secure encryption and can bypass firewall blocks. It supports the new IPv6 internet addressing scheme and provides moderately fast connection speeds. Being an open protocol, its privacy and security can be tested and improved by third parties. OpenVPN runs on most hardware and software platforms.
• WireGuard is considered by many to be the VPN protocol “of the future.” The protocol has completed its development phase and has achieved a stable “release version.” WireGuard aims to improve upon other protocols by being easy to use, capable of high-speed performance, and highly secure.
The WireGuard codebase is around 4000 lines, which is about 1% of that of OpenVPN or IPsec. This is a distinct advantage, because security audits of WireGuard will be much simpler to perform, as will bug finding/fixing.
WireGuard can negotiate the initial VPN connection and subsequent reconnections faster than other protocols, and it fully supports the new IPv6 internet addressing scheme. It is also less taxing on mobile-device batteries than other protocols. WireGuard uses extremely secure methods of authentication and encryption.
Which protocol is preferable?
… We recommend the open-source WireGuard protocol, a new lightweight protocol that is gaining prominence. It now has Windows and macOS support and is integrated into the Linux kernel, which required additional security review. If the VPN you choose doesn’t offer WireGuard, we recommend using the OpenVPN protocol due to security flaws and disadvantages in the PPTP and IPsec protocols.
(I added bold emphasis.)
The above quote echoes the opinion of many sources. At this time, OpenVPN and WireGuard are the preferred protocols over the older PPTP and L2TP/IPsec protocols. Fortunately, most VPNs offer OpenVPN and many offer WireGuard. (Amazingly, a few VPNs do not offer support for either protocol. In my opinion, those VPNs should definitely be avoided!)
The WireGuard protocol, however, is the current “state-of-the-art.” WireGuard has undergone rigorous security testing and has passed a third-party security audit. Hence, the protocol has transitioned from the “experimental” stage to being accepted and supported as “mainstream.”
WireGuard is available from a growing number of VPN services. Mullvad VPN began offering WireGuard in 2017, followed by other early adopters such as AzireVPN, IVPN, and StrongVPN. Several other VPN services are also now offering WireGuard. An informative introduction to WireGuard is “WireGuard VPN review: A new type of VPN offers serious advantages” on the Ars Technica website.
Notes on the protocol implementation by VPNs
The manner in which a VPN service implements the tunneling/encryption protocol is important. VPNs can choose among various options that the OpenVPN and WireGuard protocols offer for tunneling and encryption. Some of these options are more secure than others.
For example, in the current version of OpenVPN, the default cipher is BF-CBC (Blowfish in Cipher Block Chaining mode). However, BF-CBC is no longer recommended by security experts because the encryption it provides is relatively weak by current standards and is open to attack. Fortunately, a VPN service can choose to use a 256-bit version of AES (Advanced Encryption Standard) instead of the default BF-CBC within the OpenVPN protocol, thereby providing a much more secure level of encryption to the users of that VPN service.
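As an added illustration (not code from the article, from OpenVPN, or from any VPN service), the following helper reads an OpenVPN configuration and reports whether its data channel relies on the BF-CBC default or on a 256-bit AES cipher. It assumes the standard one-directive-per-line `.ovpn` format and the real `cipher`, `data-ciphers` and `ncp-ciphers` directives; the two sample configs at the bottom are constructed, and `vpn.example.invalid` is a placeholder hostname.

```python
# Constructed audit helper: classify the data-channel cipher of an OpenVPN config.
STRONG_CIPHERS = {"AES-256-GCM", "AES-256-CBC"}   # the 256-bit AES options the article recommends
WEAK_CIPHERS = {"BF-CBC", "BF-CFB", "BF-OFB"}     # Blowfish: 64-bit block cipher, no longer recommended


def parse_directives(config_text):
    """Return {directive: [arguments]} for the last occurrence of each directive.

    OpenVPN configs hold one directive per line; '#' and ';' start comments.
    Inline key/certificate blocks such as <ca>...</ca> are skipped.
    """
    directives, in_block = {}, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if in_block:                       # stay inside <tag>...</tag> until the closer
            in_block = not line.startswith("</")
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<"):
            in_block = True
            continue
        parts = line.split()
        directives[parts[0]] = parts[1:]
    return directives


def audit_cipher(config_text):
    """Classify the configured data-channel cipher as 'weak', 'strong' or 'other'."""
    d = parse_directives(config_text)
    # 'data-ciphers' (or the older 'ncp-ciphers') lists the ciphers offered during
    # negotiation; otherwise the single 'cipher' directive applies. A config with
    # neither relies on OpenVPN's default, which the article identifies as BF-CBC.
    negotiable = d.get("data-ciphers") or d.get("ncp-ciphers")
    if negotiable:
        offered = set(negotiable[0].upper().split(":"))
    else:
        offered = {d["cipher"][0].upper()} if d.get("cipher") else {"BF-CBC"}
    if offered & WEAK_CIPHERS:
        return "weak"
    if offered <= STRONG_CIPHERS:
        return "strong"
    return "other"


# Constructed samples: the implicit BF-CBC default beside a hardened client config.
WEAK_CONFIG = "client\ndev tun\nremote vpn.example.invalid 1194\n# no 'cipher' line\nauth SHA1\n"
HARDENED_CONFIG = ("client\ndev tun\nremote vpn.example.invalid 1194\n"
                   "cipher AES-256-GCM\ndata-ciphers AES-256-GCM:AES-256-CBC\n"
                   "auth SHA256\ntls-version-min 1.2\n")
```

Run the two samples through `audit_cipher` to see the weak and hardened results side by side; a service's published client profile can be checked the same way.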
A concern when implementing the WireGuard protocol is that, although it excels at security and speed, it was not built for anonymity and privacy. By default, WireGuard saves connected IP addresses on the server. Hence, “no-logs” VPN services need to implement measures to remove this user data from the VPN server. Mainstream VPN services that offer WireGuard have tweaked their implementation of WireGuard to nullify this potential issue.
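To make the retained-address issue concrete, here is an added example (not from the article, from WireGuard, or from any VPN provider) that parses the tab-separated output of `wg show <iface> dump` and lists idle peers whose last client address the server is still holding. It assumes the documented dump layout (interface on the first line, then one peer per line with public-key, preshared-key, endpoint, allowed-ips, latest-handshake, transfer-rx, transfer-tx, persistent-keepalive); the sample dump, its keys and its addresses are constructed placeholders.

```python
# Constructed example: find WireGuard peers that still carry a client endpoint.
from dataclasses import dataclass


@dataclass
class Peer:
    public_key: str
    endpoint: str          # "(none)" when the kernel holds no client address
    latest_handshake: int  # unix time of the last handshake, 0 = never


def parse_wg_dump(dump_text):
    """Return the peers from a `wg show <iface> dump` capture (first line = interface)."""
    peers = []
    lines = [ln for ln in dump_text.splitlines() if ln.strip()]
    for line in lines[1:]:
        fields = line.split("\t")
        if len(fields) < 8:
            raise ValueError(f"unexpected peer line: {line!r}")
        peers.append(Peer(fields[0], fields[2], int(fields[4])))
    return peers


def stale_endpoints(peers, now, idle_seconds=180):
    """Public keys of peers that retain an endpoint but have been idle too long.

    The endpoint persists until the peer entry is removed, so a no-logs operator
    typically drops idle peers (`wg set <iface> peer <key> remove`) and re-adds
    them without an endpoint. This function only selects the candidates.
    """
    return [p.public_key for p in peers
            if p.endpoint != "(none)" and now - p.latest_handshake > idle_seconds]


# Constructed dump: placeholder keys, documentation-range addresses.
SAMPLE_DUMP = "\n".join([
    "\t".join(["PRIVKEY_PLACEHOLDER=", "SERVERPUB_PLACEHOLDER=", "51820", "off"]),
    "\t".join(["PEER1_PLACEHOLDER=", "(none)", "203.0.113.7:41641",
               "10.8.0.2/32", "1700000000", "1024", "2048", "off"]),
    "\t".join(["PEER2_PLACEHOLDER=", "(none)", "198.51.100.9:5300",
               "10.8.0.3/32", "1700000500", "10", "20", "25"]),
    "\t".join(["PEER3_PLACEHOLDER=", "(none)", "(none)",
               "10.8.0.4/32", "0", "0", "0", "off"]),
]) + "\n"
```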
To thoroughly evaluate the privacy and security of a VPN, be sure to check various technical parameters. (Other technical frameworks that also should be checked will be noted in the next article in this series.)
Unfortunately, not all VPN services provide acceptably high levels of security. A VPN service's use of the OpenVPN protocol (with high-security options enabled) or, better yet, the new WireGuard protocol (with appropriate tweaks) indicates that the service is attending to the security of its users' Internet connections. When you are evaluating a VPN for your own use, check the implementation of these tunneling and encryption protocols.
In the next article in this VPN series, titled “Other Important Technical Concerns in Choosing a VPN,” we’ll examine some of the methods that VPNs use to provide privacy to their users and present the options that are available to safeguard and encrypt your data.