Earlier this week, BitDefender demonstrated the TeLeScope technique, which allows an attacker to decrypt TLS communication between a target and a virtualized server. TLS stands for Transport Layer Security and is widely used. The TeLeScope technique is both operating system agnostic and crypto library agnostic: any TLS key that is generated on a virtualized server is susceptible to this technique. This security scare reminds us that your VPN service should use its own bare metal servers.
TeLeScope Reminds Us the Cloud Is Inherently Not Secure
Common knowledge has always dictated that if you are running a virtual machine remotely, whoever has access to the actual hardware is able to view your activity if they really want to. Users have always known that snooping techniques capable of defeating encryption such as TLS are possible. The TeLeScope revelation by BitDefender simply reminds us of the specifics of the situation. A similar cache attack also allows malicious third parties to access your RSA keys and other important cryptographic keys. This isn't just a possibility that we need to trust Amazon not to exploit: anyone with a VM running on the same physical machine as yours can snoop these items.
Use a VPN instead of a VPS
Many people and companies around the world rely on TLS and virtualization to run crucial services, but TeLeScope makes a VPS useless against a dedicated attacker. Private Internet Access reminded VPS and VPN users around the world who are affected by this news:
If you are using a VPS or VPN on virtualized hardware (e.g., a VPS from Digital Ocean, Amazon, Azure, etc.), you should assume that your traffic has been and is being decrypted.
Private Internet Access™ is secure by default from this vulnerability since we use real bare metal servers.