Yes, You Can Still Trust VPN Technology, But Defend In Depth

Posted on Sep 11, 2013 by Rick Falkvinge

In the past week, we have seen many details of just how much encryption and privacy technology the NSA and their corresponding agencies in other countries have penetrated. While it was known that the NSA has been cracking cryptography – that’s their job, more or less – it came as a shock that they have been actively working to insert weaknesses into encryption standards as they were being developed, and worse – subverted commercial, closed-source privacy solutions.

I mean, it was bad enough when we learned that Microsoft is sending discovered weaknesses to the NSA before they fix them for their customers, essentially betraying their customers’ trust worldwide and opening their production systems up to snooping by the US Government. To learn that the NSA has worked with many commercial providers of cryptology to deliberately plant vulnerabilities was a bombshell, a betrayal of magnitude.

Through these covert partnerships, the agencies have inserted secret vulnerabilities – known as backdoors or trapdoors – into commercial encryption software.

However, cryptography itself remains secure. To quote Edward Snowden, who presumably doesn’t lie on the subject:

“Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.”

Note that Snowden talks about endpoint security, implying that it’s much easier to get at secrets before they are encrypted or after they are decrypted, at the endpoint. In this context, the endpoint means your computer, which statistically is running an operating system made by an American company – say, Microsoft, Apple, or Sun – and has therefore been visited by the NSA.

(My computer isn’t running an U.S. company’s operating system, for the mere possibility of what we have learned this week.)

We have even learned that the TOR anonymizing network has been attacked by the NSA. TOR has been known a long time among privacy activists as one of the most secure solutions, which has been learned in a very hard way in the Middle East: those activists who didn’t use TOR anonymization simply disappeared.

In this firehose information flow of which technologies and products that are known to be compromised and which are missing from that list, VPN technology has not been mentioned once as compromised. This may be partly due to the fact that it’s an open standard that has many implementations. It may also be due to the fact that it’s very common in the corporate world for remote workers to use a VPN to access the corporate intranet, so VPN traffic is everywhere on the net.

Obviously, that doesn’t mean you can trust a VPN tunnel any more than you trust the people that provide you with that VPN tunnel. Nor does it mean that you can trust your own computer which opens that tunnel.

Privacy is and remains your own responsibility. Everybody needs to understand that information that exists in cleartext can be wiretapped in cleartext where it sits. Conversely, information that is strongly encrypted – whether in a transport tunnel like a VPN or on a storage medium like a hard drive – cannot be read by any security services today, at least not by breaking the encryption.

VPN technology as such remains unbroken. The bad news is that your computer may not be. To get around this, I use Ubuntu – a popular flavor of GNU/Linux – to run my computer, and I use a principle known as defense in depth.

What that means is basically that you shouldn’t trust one single piece of technology to safeguard your privacy and information. That’s the figure of speech of putting all eggs in one basket. Defense in depth means that you use multiple solutions that all would protect you on their own, so that if one is compromised, the others are still standing.

Comments are closed.


  1. Juan

    I defense in depth VPN chaining. jeje

    10 years ago