How safe are VPNs?

(By Alessandro Rugolo)
27/06/22

With this short article I will try to answer a question I was asked a few days ago: "How safe is a VPN?" I will also take the opportunity to address two preliminary topics, without which it is not possible to understand what we are talking about: what VPN means and how it works. The answers should be relatively simple, but let's take nothing for granted and try to understand, as always, what we are talking about.

To make sure we are not mistaken, let's see what one of the largest network service providers in the world, CISCO, tells us about it: "A virtual private network, or VPN, is an encrypted connection over the Internet from a device to a network. The encrypted connection helps ensure that sensitive data is safely transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the user to conduct work remotely. VPN technology is widely used in corporate environments."

We have thus discovered that the acronym VPN stands for "Virtual Private Network", an encrypted connection between a device (PC, tablet, smartphone ...) and a network (generally a company network), all carried over the Internet. The encrypted connection helps ensure that data is transmitted securely.
The VPN prevents the interception of data traffic by unauthorized persons and allows its users to work remotely.

What I have highlighted are the main features of a VPN. Before continuing, let's look at an example of a pre-Internet VPN. We all remember that as children at school we often had to communicate something to a classmate who was two rows ahead. After trying to communicate by calling him in a low voice, thus attracting the attention of the teacher and being told off, we invented less noisy methods.

The first method that I myself used was to write the message on a piece of paper, fold it in four and write the name of the recipient on the folded paper, then tap the shoulder of the first classmate in the direction of the recipient and ask with a nod to pass the message on.
I would like to point out that in this example the class acted as the Internet: each classmate was in fact a node on the network. The note was the carrier of important data (after school, shall we go swimming in the river?). Folding the sheet in four guaranteed a minimum of security (very little, I admit!). The recipient's name written on the outside was the information needed to get the message to its destination.

The system works on one assumption: all the classmates are friends with each other and no one is curious.

As I imagine you have also experienced on similar occasions, thinking that everyone is friends and that no one is curious is beautiful from a human point of view but absolutely unrealistic.
What often happened in this primordial Internet was that one of the nodes (a curious classmate), instead of passing the message to the next classmate, opened it and read it, and only then, at best, closed it and forwarded it to the true recipient.

The solution I adopted, and I imagine many of you reading this did too, was simple: it was a VPN. Analog, sure, but still a VPN. It worked like this.
Since the recipient of my messages was the classmate I played football with every day, we agreed to use encrypted messages. Our cipher was quite simple: it was just a matter of replacing one letter with another according to a pattern we had agreed on.

Today I know it was the Caesar cipher, but back then it didn't matter; the important thing was that it worked. And it worked ... there were always those who opened the note out of curiosity, but they were generally unable to understand what was written on it. In practice, with the addition of encryption we had created a real VPN without knowing it!

Today, VPNs are used to securely connect a PC to a corporate network over the internet. The PC, outside the corporate network and connected to the internet, establishes a secure connection with a VPN service server using a secure protocol (usually TLS is used).

Now, the question we would like to answer is the following: how safe is a VPN?

After understanding what it is and how it works, let's understand a little more about the security of a VPN.
It is easy to understand that there are many factors at play in evaluating the security level of the VPN. Let's try together to understand the weak points.

The encryption

One of the important factors is the type of encryption you use. As I mentioned before, I used the Caesar cipher, one of the simplest cryptographic algorithms, which consists in replacing a letter with another letter of the same alphabet, as you can see from the figure.

Things worked quite well but it was not difficult to understand how to decipher the message and there was always the possibility that some particularly mischievous companion would take the piece of paper and keep it for themselves.

Similarly, one of the characteristics of VPNs is the encryption algorithm that is used to encrypt the data and to establish the best path to reach the recipient. Since the algorithms used by VPNs are different, it is clear that the security of VPNs is also different.

In general, we can say that a VPN requires the use of an encryption algorithm (to encrypt and decrypt data) and a secure protocol to establish and maintain the communication channel (handshake encryption protocol).

One of the most used encryption algorithms in VPN history to establish the encrypted channel is called RSA-1024 (Rivest-Shamir-Adleman). There are still VPNs that use it despite the fact that since 2014 the algorithm has been cracked by the American NSA (or so they say). Today many algorithms make use of RSA-2048, where the number indicates the length in bits of the encryption key. Theoretically, the encryption provided by RSA-2048 is resistant to "Brute Force" attacks, as they would take too long to execute. I would also point out, however, that this type of attack is not the only one possible: the birth and ever wider spread of quantum computers is calling into question the actual validity of encryption algorithms based on the exchange of keys.

In recent years there has been a real rush to study so-called "post-quantum" algorithms, that is, algorithms that can resist brute force attacks carried out by quantum computers. Take OpenSSH, for example: it was decided to introduce version 9 based on a post-quantum algorithm.

A little above I said that RSA-1024 has probably been cracked. I return to the concept only for a moment because it introduces a necessary clarification: when it comes to how safe a VPN is, there is no single answer, as it depends on who asks the question. As a premise of any semi-serious answer to the question, we must remember the need for a Risk Assessment, that is, the assessment of the risk associated with the company we are talking about.

I don't want to get into technicalities, but I will give just one example to explain what this is about. If our company produces parts for industrial machines for a certain area of the world, let's suppose Italy, and it needs to use a VPN for its communications, it would be a good thing to avoid using a VPN from a company in any way related to its direct competitors on the market. Unfortunately, it is not always easy to understand who you can trust and who you can't. My rule is that I do not trust anybody, but that's another story.

To get back to VPNs, one of the most used standard protocols these days is OpenVPN. It is an open source protocol, which can therefore be studied and publicly analyzed by anyone who has the skills, the interest and the desire to do so.

As always, additional factors related to the digital world must be taken into account. All systems, software, hardware or any mix of the two that can be conceived, are subject to:
- vulnerabilities due to bad production;
- human error, by the user or the technician, in configuration and use (this is the most common case, as the use of a VPN does not eliminate the risk of credential theft; on the contrary, it probably increases it by creating a false expectation of security in the user).

If you want to get an idea of the vulnerabilities of OpenVPN, just by way of example, you can consult this list: Openvpn - Security vulnerabilities (cvedetails.com).

To conclude, after trying to explain in the simplest possible way what a VPN is and having mentioned some basic questions, I will try to answer the question we started from: how safe are VPNs?

The simplest answer is: better than plaintext.

The more serious answer is: it depends on the context.

The more complete answer is: to be able to say something meaningful we need to do a risk assessment and then we can choose a VPN suitable for the strategic, technological and organizational context in which we find ourselves!

The VPN increases security, but it also enlarges the security perimeter and therefore increases the risks. We must never forget that safety depends on the weakest link in the chain, and usually this is the human!

As always, I thank the friends of SICYNT for their help and suggestions. In my presentation I have chosen to simplify so I purposely gave up talking about authentication and integrity, important concepts but which would have made the article less clear. We will have other opportunities to do so.

To learn more: