The anonymity of a VPN service

Posted on Mon 07 November 2016 in Security

Now that I manage a VPN provider and know a few others' internal workings, let's destroy some myths.
No VPN will provide you perfect anonymity. Nothing will. Do not use a VPN for anonymity.

Anonymity

In any transport of information, it will go through multiple points where the information and metadata may be read or stored, and its path known fully or partially.
Anonymity is built in layers, each being a difference of knowledge between two services, persons or groups.

To keep some simplicity, we will assume you're not compromising your own anonymity by leaking any data (using personal information, browser fingerprinting, ...) and you're not stealing someone's identity. A VPN is strictly about the transport of information between you and the Internet, and will absolutely not protect you from any data leak or OPSEC failure. That would require at least another article, and you can find documents about it by people way more experienced on the subject.

  1. No anonymity. You're here with your full name and ID card publicly.
    Example: E-commerce, PayPal. You can have a pseudonym, but most accounts are associated with a real name (and/or real card) and verified. (not doing so is even considered abuse)
    Traceability: Everyone involved knows who you are directly.

  2. One layer of anonymity: You're not displaying anything and trust an intermediary with your identity.
    Example: web browsing from your home IP address, or using your phone number. No site gets your real name from your home IP address, but your ISP can link it back to you.
    Traceability: Your anonymity depends on the intermediary. (for the transport, at least)

  3. Two layers of anonymity: Example: web browsing with a trusted VPN.
    Traceability: One site knows your content and the VPN side, the VPN knows your home IP address. You have to get both pieces of information to get the full path.

  4. 3+ layers of anonymity: Example: web browsing with Tor.
    Traceability: The first node knows you, the second has no idea about anything, the third knows someone is talking to Twitter, Twitter only knows the last node and the tweet.
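To make the "who knows what" of the Tor example concrete, here is an added toy onion-routing simulation (not code from the post or from CCrypto, and not Tor's real protocol): the client wraps a message in one encryption layer per hop, and each hop peels one layer, learning only the previous and next hop. The cipher is a throwaway SHA-256-based XOR keystream with no authentication and no fixed cell size; node names, keys, the client label and the message are all constructed for the example.

```python
import hashlib

# Constructed circuit: three hops, each sharing one key with the client.
KEYS = {"node1": b"k1-client-shared", "node2": b"k2-client-shared", "node3": b"k3-client-shared"}
ROUTE = ["node1", "node2", "node3"]


def keystream(key, length):
    """Toy keystream: SHA-256(key || counter) blocks. Not a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_layer(key, data):
    """Symmetric: the same call adds or removes one encryption layer."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def build_onion(route, keys, destination, payload):
    """The client wraps the message once per hop, innermost layer first.
    Once decrypted with a hop's key, each layer reads `next_hop|<rest>`."""
    cell = xor_layer(keys[route[-1]], destination.encode() + b"|" + payload)
    for node, next_hop in zip(reversed(route[:-1]), reversed(route[1:])):
        cell = xor_layer(keys[node], next_hop.encode() + b"|" + cell)
    return cell


def run_circuit(route, keys, cell, client="home-ip"):
    """Relay the cell hop by hop and record what each hop can observe.
    Returns (destination, delivered payload, per-hop observations)."""
    seen = {}
    prev = client
    for index, node in enumerate(route):
        plain = xor_layer(keys[node], cell)
        # Node names never contain '|', so the first '|' ends the next-hop field.
        next_hop, _, cell = plain.partition(b"|")
        next_hop = next_hop.decode()
        last = index == len(route) - 1
        seen[node] = {"from": prev, "to": next_hop,
                      "content": cell.decode() if last else "ciphertext"}
        prev = node
    return next_hop, cell, seen


if __name__ == "__main__":
    onion = build_onion(ROUTE, KEYS, "twitter.com", b"hello from nowhere")
    destination, message, seen = run_circuit(ROUTE, KEYS, onion)
    for node, view in seen.items():
        print(f"{node}: from={view['from']} to={view['to']} content={view['content']}")
    print(f"delivered to {destination}: {message!r}")
```

The recorded views match the description above: node1 sees the client address and node2, node2 sees only node1 and node3, and node3 sees node2, the destination and the plaintext. The missing pieces in this toy (authentication of each layer, fixed-size cells, key agreement) are exactly where a real design spends most of its effort.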

Starting from two layers, you need at least three entities to cooperate to identify you from, say, a tweet: Twitter, the VPN, and the ISP.
Achieving such cooperation usually requires law enforcement involvement, because they can request logs from all these services and put them together.
It is especially ineffective when the three services are not in the same country and don't abide by the same laws.

Multi-node VPN services don't count as 3+ layers because all nodes are managed by the same company. If the CEO wants to, they can get to you. It's only one VPN layer with more lag. It can mitigate traffic analysis if done well and if the internal network is perfectly safe and isolated from the rest of the world, but I wouldn't expect that.

Dynamic home IP addresses are a great tool. Associating a public IP address with a single person can be a real security risk. I'm convinced that, for most people, the anonymity gain is worth much more than the possibility of hosting your own Internet-facing server at home.

You need crowding and movement. NAT VPNs have a very important benefit over static/dedicated address VPNs: having dozens or hundreds of clients behind the same IP address, and dispatching clients to addresses randomly.
This makes it way harder for sites to identify one visitor, as the same IP address may be linked to any of the VPN's clients and the same client may use any of the VPN's IP addresses.

Logging and VPN resistance

Some people naively believe that a company will risk criminal charges for a very small fee. They won't.
Most of the "no log" and "bulletproof" claims you can read are marketing bullshit and don't mean anything, just like "512-bit encryption" looks stupid and meaningless to tech people.

If you look at the law applying to the operating company and the servers' location, you can see most countries require this kind of service to store logs for various amounts of time, often 6 months to 2 years.
Logs usually should be able to fully identify a connection from the destination's point of view, but it's kind of a gray area everywhere.
They will want to keep proof that you are responsible for some connection, or at least that they aren't responsible for it.

So, if you see a VPN provider based in the US/EU with servers in the US/EU that says it doesn't log anything at all, they're either lying or really, really dedicated. I don't know of any provider dedicated to the point of going to jail for you, and that's surely not the case for the most common <$20/month providers. I'd charge an order of magnitude more for that.

Most VPN providers won't tell you what they really log or what "no log" applies to. For most of them it means they don't log literally everything you do, but they still log some (too much) information, and often won't tell you exactly what.
It has been seen multiple times: a "no log" provider actually kept logs and handed them to LEA on request.

At CCrypto VPN, for instance, we don't do that. We log the minimum we have to log to not break a law, it's all publicly explained, and we even let you get all the data we keep about you if you want. We also state clearly who can request these logs and under what conditions.

Security of the VPN itself (or any proxy) to different attacks

VPN servers:
As good as the provider may be, if someone else takes control of the server (a software attack, seizing the hardware, or anything in between, something the NSA can very easily do without anyone noticing), there is always a way to trace an open connection.
Some providers say the opposite, and again: marketing bullshit.
It makes sense: to route the reply to any packet back, the server must know where to send it. For any connection to be open, the VPN server must know a source and a destination.
There is no known way to not do that (even with Tor, each node knows parts of the full path and a circuit is determined for each connection).

Traffic analysis and logging:
The VPN server also has to see all your traffic in the clear. When we say a VPN is an encrypted tunnel, the traffic is encrypted between the VPN client and the VPN server. The server has to be able to decrypt it in order to send it to the rest of the Internet.
For this problem too, there is no known direct solution; the data you send in the clear inside the tunnel will get out of the tunnel in the clear, and the VPN server has to be able to read at least enough of it to relay it.
The only solution is to encrypt the traffic between you and the destination server (HTTPS, ...), but some protocols still have no widely supported way to do that, like DNS. No matter which resolver you use (short of DNSCrypt), the VPN server will be able to read and log all of it. (a local resolver won't help much either, it sends the same queries upstream)
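To show how little effort the "read and log all of it" part takes for plain port-53 DNS, here is an added example (not code from the post or from CCrypto): a small parser for the DNS wire format applied to a query packet constructed by hand, plus the kind of log line a VPN server could write for every query leaving the tunnel. The packet bytes, the client address and the log format are all constructed for the example.

```python
import struct

# Constructed DNS query as it appears on UDP port 53 once the VPN server has
# decrypted the tunnel: transaction ID 0x1234, standard recursive query for
# the A record of example.org. Built by hand for this example.
CONSTRUCTED_QUERY = (
    b"\x12\x34"                  # transaction ID
    b"\x01\x00"                  # flags: standard query, recursion desired
    b"\x00\x01"                  # QDCOUNT: one question
    b"\x00\x00\x00\x00\x00\x00"  # ANCOUNT, NSCOUNT, ARCOUNT: zero
    b"\x07example\x03org\x00"    # QNAME: length-prefixed labels, root terminator
    b"\x00\x01"                  # QTYPE: A
    b"\x00\x01"                  # QCLASS: IN
)

QTYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 15: "MX", 16: "TXT", 28: "AAAA"}


def read_name(packet, offset):
    """Decode a domain name at `offset`; returns (name, offset after the name).
    Handles RFC 1035 compression pointers, which mostly appear in responses."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            tail, _ = read_name(packet, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length


def parse_dns(packet):
    """Return the header fields and question section of a plaintext DNS packet."""
    ident, flags, qdcount = struct.unpack("!HHH", packet[:6])
    offset = 12  # the header is a fixed 12 bytes
    questions = []
    for _ in range(qdcount):
        name, offset = read_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, QTYPE_NAMES.get(qtype, str(qtype))))
    return {"id": ident, "is_response": bool(flags & 0x8000), "questions": questions}


def vpn_side_log_line(client_ip, packet):
    """The line a VPN operator *could* write for every query in the tunnel.
    Nothing in plain DNS prevents it; the names are right there in the packet."""
    parsed = parse_dns(packet)
    kind = "response" if parsed["is_response"] else "query"
    names = ", ".join(f"{name} {qtype}" for name, qtype in parsed["questions"])
    return f"{client_ip} dns {kind} id={parsed['id']:#06x} {names}"


if __name__ == "__main__":
    print(vpn_side_log_line("10.8.0.2", CONSTRUCTED_QUERY))
```

Pointing your system at a different resolver changes nothing here: the query still crosses the VPN server in this form. Only encrypting the DNS exchange itself (DNSCrypt, as mentioned above) takes the names out of the operator's view.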

Timing and traffic flow analysis:
If you can read the traffic going in and out of the VPN server (common for governments), you could match packets from each side and link the true source to the true destination.
It's obvious with one client, but gets more difficult and approximate with more clients on the same server or IP address.
Obfuscation, compression and random latency (that's one of my nice ideas) can greatly harden a VPN against this kind of attack.
This could be done by anyone targeting the VPN service provider and able to tap the network around their infrastructure, like their ISP or LEA.

A variant of this attack is to listen to all traffic from all the clients (as their ISP could do) and all traffic going to a destination server (probing at both ends). This can hardly be done by anyone less powerful than a government, as it requires control over an end-customer ISP and the destination server's ISP. It could work with a source and destination in the same country through a VPN in another country.
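To see why random latency is worth adding, here is an added toy model (not code from the post or from CCrypto) that evaluates the mitigation: client traffic is generated with random inter-packet gaps, a simulated VPN server forwards it with a fixed delay plus an optional random extra delay, and an observer with timestamps from both sides pairs each outgoing flow with a client by comparing inter-packet gap patterns. The traffic shape, delays, client count and matching rule are all assumptions of the model, not measurements of any real service.

```python
import random

FORWARD_DELAY = 0.002  # assumed fixed decrypt-and-forward time, in seconds


def make_ingress_flows(n_clients, packets_per_flow, rng):
    """Constructed client traffic: each client starts at a random offset and
    sends packets separated by exponential gaps of 50 ms on average."""
    flows = []
    for _ in range(n_clients):
        t = rng.uniform(0.0, 1.0)
        times = []
        for _ in range(packets_per_flow):
            t += rng.expovariate(1.0 / 0.05)
            times.append(t)
        flows.append(times)
    return flows


def relay(ingress, jitter_max, rng):
    """The VPN server forwards every packet after FORWARD_DELAY plus a random
    extra delay in [0, jitter_max] (the mitigation). Egress flows are returned
    in shuffled order together with the true mapping, so position reveals nothing."""
    egress = []
    for times in ingress:
        out = sorted(t + FORWARD_DELAY + rng.uniform(0.0, jitter_max) for t in times)
        egress.append(out)
    order = list(range(len(ingress)))
    rng.shuffle(order)
    return [egress[i] for i in order], order


def gap_signature(times):
    """Inter-packet gaps: a shape that does not depend on when the flow started."""
    return [b - a for a, b in zip(times, times[1:])]


def signature_distance(sig_a, sig_b):
    return sum(abs(a - b) for a, b in zip(sig_a, sig_b)) / len(sig_a)


def link_rate(n_clients=20, packets_per_flow=30, jitter_max=0.0, seed=7):
    """Fraction of egress flows paired with the right client by picking the
    ingress flow whose gap signature is closest. 1.0 means every flow linked."""
    rng = random.Random(seed)
    ingress = make_ingress_flows(n_clients, packets_per_flow, rng)
    egress, order = relay(ingress, jitter_max, rng)
    ingress_sigs = [gap_signature(flow) for flow in ingress]
    hits = 0
    for position, flow in enumerate(egress):
        sig = gap_signature(flow)
        guess = min(range(n_clients), key=lambda i: signature_distance(ingress_sigs[i], sig))
        if guess == order[position]:
            hits += 1
    return hits / n_clients


if __name__ == "__main__":
    for jitter in (0.0, 0.02, 0.2):
        print(f"random latency up to {jitter * 1000:.0f} ms: "
              f"{link_rate(jitter_max=jitter):.0%} of flows linked")
```

With a fixed forwarding delay the gap pattern survives the server untouched, and every flow is linked no matter how many clients share the address: crowding alone does not hide timing. Once the added latency is large compared to the gaps between packets, the pattern is blurred and the pairing falls towards guessing, which is the effect the random-latency idea above is after. Real analyses use finer statistics than this toy, so treat the numbers as an illustration of the mechanism, not as a measure of safety.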

Conclusion: what do you need?

Do you need a VPN? Should you use Tor?
Who will try to track you and what authority or power do they have?

The VPN will most likely keep your identity secret until the law is involved or some administrator with no ethics can be paid enough.
Tor won't break at that point, but you have to keep in mind each exit node operator can be a greedy asshole with no ethics; unless most of the network is too, you're at least anonymous.
You have to find out who you're trying to hide from and choose an adequate solution that gives you the most comfort and still requires more effort to break every level than any attacker will spend on you. Good security is mostly judging the risks and using the right solutions.

The VPN will protect your end of the connection, it will make sure your ISP cannot monitor it easily, and maybe have the tunnel's end in a better place, or be just confusing enough so the less competent or determined people cannot find your identity.
That's privacy, not anonymity.

Common examples:

  • Hiding your IP address for everyday browsing, to avoid geolocation and some tracking, or to keep your ISP from peeking into your traffic, without sacrificing any speed: You want a VPN with servers close to you.

  • Using Facebook or watching porn at work or on a school network: You want a VPN, and say you really need YouTube to work (or it loads faster with a VPN) if anyone asks. Don't try to hide too much, it will be obvious if they're at all competent. Be nice and keep the story believable, it's much more important than the tech part.

  • Avoiding DMCA notices on BitTorrent: Don't torrent on Tor, it's bad for the network and will be slow.
    A VPN will do the job, even in the same country. They're only notices that providers can and will ignore as much as possible.

  • Doing crime: First, avoid crime, it's bad and risky.
    If you do, don't use a VPN. We won't risk our business for your illegal fetish and it will cost us some useless paperwork and make us look bad. No one likes that. And you'll probably go to jail.

  • Hiding from your government's surveillance: Maybe a VPN with servers in another country or Tor. We never know how far they can go. It's mostly for show though, so a VPN is likely to be enough.

Bonus: Exit nodes: Free VPN vs paid VPN vs Tor

With either, the exit node (VPN server or last Tor node) has full access to your traffic. They can, and have been seen doing, the following:

  • Log and analyze metadata or even full traffic
  • Strip or replace TLS to eavesdrop on normally secure connections
  • Replace web content (ads, tracking, sometimes more and for their own profit)
  • Log accounts, passwords and other secrets

So, how can you trust your VPN? The simple way is to pay them. Choose a VPN with clean terms of service and a business model you understand. If it's free, don't trust it too much.
How can you trust your Tor node? You can't and really should keep that in mind. (XMPP MITM from Tor exit node)

That's why everyone should use TLS or other end-to-end encrypted and authenticated protocols. (ends being your end and the destination server)
Don't do anything important or personal without good TLS.

And one more note: If you manage a server with an expired cert or a wrong CN: fuck you. There's Let's Encrypt now, fix your stuff, you have no good reason not to.
If you really want to stay off the radar and keep a self-signed cert, publish the fingerprint on other channels so people have a way to authenticate manually.
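For the self-signed case, "publish the fingerprint on other channels" only helps if clients actually check it. Here is an added example (not code from the post or from CCrypto) of the client side: computing the SHA-256 fingerprint of a certificate in the same form `openssl x509 -fingerprint -sha256` prints, comparing it in constant time against the published value, and opening a TLS connection that is accepted only when the pin matches. The DER bytes below are a constructed placeholder standing in for a real certificate; `connect_with_pin` needs a live server and is not exercised offline.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed placeholder for a certificate's DER encoding. A real caller gets
# the bytes from the server (see connect_with_pin) or from the operator's PEM file.
CONSTRUCTED_DER = bytes(range(256)) * 2


def sha256_fingerprint(der_bytes):
    """Colon-separated upper-case SHA-256 fingerprint of the DER certificate."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem_text):
    """Same fingerprint, starting from the PEM form operators usually publish."""
    return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(pem_text))


def _normalize(fingerprint):
    # Accept the published value with or without colons, in either case.
    return fingerprint.replace(":", "").replace(" ", "").lower()


def pin_matches(der_bytes, published_fingerprint):
    """Compare the presented certificate against the out-of-band fingerprint.
    Constant-time comparison so the check itself leaks nothing about the pin."""
    return hmac.compare_digest(_normalize(sha256_fingerprint(der_bytes)),
                               _normalize(published_fingerprint))


def connect_with_pin(host, port, published_fingerprint, timeout=10):
    """TLS connection to a server with a self-signed cert, accepted only if the
    fingerprint matches. Chain validation is disabled on purpose, since there is
    no CA to validate against; the pin is the whole check, so it must not be skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if not pin_matches(der, published_fingerprint):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"certificate fingerprint mismatch, got {sha256_fingerprint(der)}")
    return tls  # nothing has been sent yet; safe to use


if __name__ == "__main__":
    print("published fingerprint would be:", sha256_fingerprint(CONSTRUCTED_DER))
```

The check runs right after the handshake and before any application data is sent, which is the usual place for pinning in Python's `ssl` module. Rotating the certificate means publishing the new fingerprint on the same out-of-band channel first, otherwise every pinned client will refuse the new one, which is the behaviour you want.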