Posted on Aug 6, 2014 by rasengan

About the PIA Client Security and VPN Security in General

There’s been much discussion recently about the security of PIA’s VPN services in particular and of VPN as a technology in general. This post should help both put our customers’ minds at ease and also better educate them about how VPN technologies work and how they interact with the larger ecosystem of applications and network infrastructure.

First things first, no solution is 100% secure by itself. Applications depend on other applications and hardware in order to function properly, and compromise anywhere in the stack can be used to attack your privacy and anonymity.

In order to understand how PrivateInternetAcces works, you need to have a basic understanding of VPNs in general and how networking and routing interact to protect your data.

A VPN is an encrypted tunnel that works by creating a network interface in your computer similar to a simulated Wifi/Network connection. When your computer sends data to that simulated interface, your VPN software encrypts the data and sends it to your gateway through your actual network interface. This gateway then decrypts the data and sends it to whichever original destination you want it to go to.

Your computer knows which connection to send data to by checking your “Routing Table”. When you’re using the VPN, it usually says something like “in general, always send data to my simulated vpn interface”. Aside from that, it often has other more specific rules, depending on your network configuration.

One other rule that you’ll always have on your routing table when using a VPN is “when sending data to this VPN gateway, use my WiFi interface”. Otherwise, your VPN software won’t be able to connect to your VPN server and send your encrypted data to it. Thus, your routing table needs to have connections that allow it to be sent directly to the network.

This means that if your computer is behaving in a way that you don’t want it to behave due to a compromise, the setup above can be exploited. By having a malicious actor take control of different parts of your computer or your network, your security can be put at risk.

Web browsers, albeit a fundamental part of our internet experience, are also a critical part of our security profile. Not only are they powerful applications in what they can do on our computers, but they are constantly communicating with servers which might not have our best interest in mind. This is always extremely dangerous: our browser is running attackers’ commands on our computers. Also, browsers are really complex applications, and are often capable of running even more powerful plugins like Java and Flash, all of which have had vulnerabilities disclosed in the past.

The fact is that browsers can for instance, on the behalf of the website you’re visiting, open arbitrary network connections from your computer to pretty much any other server in the internet. This means there can be amazing power over your computer in the hands of a malicious website operator once you give him free-reign over your browser by accessing his web page.

But the question is: can a malicious website still threaten my security or anonymity by just visiting? The answer is, like in so many complex situations, it depends. Here are some of the scenarios in which the answer might be yes:

  • Your flash version is not up to date. The website can take control of your computer and run arbitrary commands on it, and it’s likely the malicious website can control your computer in a way that threatens your privacy/anonymity even if you’re using a VPN.
  • You’re using Java. Even though Java is patched every 3 months, given the 30+ vulnerabilities announced every trimester, it’s very likely that you’re at risk by browsing with Java enabled. It’s recommended practice that if you need to use Java for anything (usually corporate intranet applications or banks) that you use a browser just for that, so you reduce the risk of opening a malicious website on it.
  • There’s an exploit on the browser itself. This is what happened when the FBI injected malware on users of the Tor Bundle firefox browser by hacking into a website and serving users of the website the malware it used to de-anonymize them.
  • By forcing you to connect to another website that keeps track of your identity through cookies or by signing in, this other website can now match your VPN IP to your previous original IP on file as the same user assuming you used the website directly in the past, even if you never planned to let this other website know your VPN IP.
  • The website opens a connection to a server which is not on your ‘default’ route. In other words, the data won’t be sent through the VPN, and the malicious operator has the capability to either inspect network traffic by compromising your router or being able to read packets on your network, or to receive network packets directed to that server. Mitigating this is one of the biggest reasons why we don’t recommend any sort of split tunneling.

Note that while these attacks are technically feasible when visiting a malicious website, they’re generally not straightforward, to the point of being impractical and even more so on a Man In The Middle (MitM) scenario, ie., someone manipulating network data between you and a legitimate website. The reason is that the VPN connection already protects you against MitM attacks all the way until the VPN Gateway server, and it’s way harder to do an attack far away from the Gateway than it is before it, say by compromising your public/home WiFi router.

In any case this is why we recommend users who really need to be as sure as possible of their anonymity to add layers of protection because you never know where the next vulnerability will be. Unfortunately the most common operating systems (Windows and OSX) do not offer this solution directly. However, by having a firewall that makes sure that only your VPN application sends unencrypted data to your WiFi/Network interface, for instance, you can prevent any other malicious application from sending data with your original IP. There’s a chance your firewall has a weakness on it, but it does act as another layer of security.

Likewise, if your browser has a proxy setup on it, it’ll from then on always send data directly to that proxy, instead of relying on the routing table. There’s still a chance your proxy could be compromised, but you add another layer of security.

By disabling javascript and only enabling it on known non-malicious websites you trust, you can prevent some types of network connections from being open. There are still ways to open connections without javascript, and the site you trust could be compromised by a third-party (like in the FBI case discussed previously). But it is another layer of security.

Our team at PrivateInternetAccess is working around the clock to keep your anonymity and your data safe. It’s important to be aware that no single solution can protect everything 100% of the time regardless of flaws and vulnerabilities elsewhere. Computers and networks form an inter-dependent ecosystem, and cracks on any of those interactions can be exploited by someone who doesn’t have your best interest in mind. In particular, web browsers are really powerful applications and in the hands of malicious website operations they can, in clever ways, put your privacy at risk.

Albeit we do not believe any of what is exposed above should concern the everyday user, it’s always important to understand that the internet can be a dangerous place, and that we are doing our best to make sure you are protected.

About Andrew

Andrew is a long-time advocate of privacy and the conservation of the personal realm. He served as the brand manager for an internationally recognized best-selling product prior to co-founding Private Internet Access.


VPN Service

Leave a Reply to Frank Matchung Cancel reply

Your email address will not be published. Required fields are marked *

6 Comments

  1. Soroosh

    What a shitty vpn service. after years of operating and many many complains about a native iOS app still nothing comes out. And you talk about security? you’re not even following the industry standards and you are just relying on people creating an l2tp connection themselves. I’m so sorry for myself for buying into your mediocre service. I thought all those reviews were right but now I’m so outrageous and never gonna renew my service. You can bet on that.

    3 years ago
    Reply
    1. unhappy Mac customer

      Second that.

      For whatever reason, PIA does not care enough about Apple customer base to even register their client app with Apple. As a result, on any Mac with even the lowest security settings, the OS X will block the installation since the app comes from an “unidentified developer”.

      To install the app and use the paid-for PIA service user has to circumvent his own security settings – highly unprofessional treatment of PIA’s customers on Mac!

      The fact that PIA does not want to bother even with registering their software with Apple, which is fairly straightforward and simple (unlike the certification by Apple), is a clear indication that support for Apple customers is not a priority. That’s why iOS has yet to be fully supported, and why Mac users have all kinds of problems with PIA service with virtually no help from the dismal PIA support. To grasp the depth of this problem one just needs to browse the forums.

      3 years ago
      Reply
      1. jorge

        Maybe its time to move to a PC lol…

        3 years ago
        Reply
      2. FUCK RACISTS

        Dude… right click on the app and choose open. That will give you the option to open apps that are not from the app store. Do you know anything about macs at all? You are blaming PIA for a “problem” that doesnt exist because you are a tool.

        1 year ago
        Reply
    2. Frank Matchung

      I have to disagree. Their iOS app is not that bad (as of 12/2015), sometimes you need to quit and restart the app and sometimes your wifi connection as well, but it works relatively well compared to other iOS alternatives.

      The app for OS X is very good. It only takes a second to turn the VPN on or off no matter what program/window you are working in and tweaking settings is just as easy even though there are over 40 different configurations for the encryption.

      And who can not like their selection of servers? You have 9 options for US servers alone and then at least one server in every other time zone around the world so you can always connect to a server outside of peak hours for internet traffic, typically 3 or 4 AM is the lowest activity hour when server capacity will likely be below 20%.

      Overall, its a very good app and the best in my opinion especially if anonymity is important to you. They allow you (and even encourage you) to use an anonymous payment method, and they have set up special systems (i.e. allowing you to pay with almost any gift card like starbucks or mcdonalds) to make this even easier. That really shows how dedicated they are to privacy and suggests that they take pride in their work and care about providing good service. That is a rare commodity these days that should not be thrown away because their iPhone app is a little finicky.

      2 years ago
      Reply
  2. J

    “…However, by having a firewall that makes sure that only your VPN
    application sends unencrypted data to your WiFi/Network interface, for
    instance, you can prevent any other malicious application from sending
    data with your original IP.”

    Andrew, thanks for this suggestion. How does one go about configuring Little Snitch (or similar firewall app) on OSX to achieve this?

    3 years ago
    Reply