blog @spotflux
These are the thoughts and opinions written by the spotflux team and our colleagues.

Debunking the Myths of VPN Service Providers

August 20, 2013

Think your VPN provider is looking out for your security and privacy? A lot of snake oil is sold in the VPN service industry these days. The terms “privacy” and “security” are tossed around fairly loosely without much regard for what they actually mean. In fact, this is why the team at Spotflux doesn’t like our service to be called a VPN; it’s akin to calling Facebook a website – what we do is so far beyond a VPN service that it just doesn’t compare. In this post we’re going to address some of the ridiculous snake oil being sold to consumers in the VPN service space and try to help you understand some important nuances to consider when looking for a company that will protect your privacy and security online.


Snake Oil Concoction #1 – VPNs make you private because they Hide Your IP Address

Most VPN providers do indeed “mask” your IP address by re-routing traffic through their servers. Your IP address does indeed look different, and this may be good enough to trick some GEO-IP based filters into thinking you are somewhere other than your actual location. The myth, however, is that you are somehow “more private” just by having a different IP address – this couldn’t be further from the truth. Let’s take a look at an example…

Example #1 – Cookie Based Tracking

If you log into a website, let’s say for instance, you’ll notice that certain cookies are placed on your machine. Some of these cookies are “useful” cookies that allow the server to remember who you are once you start clicking around the website. Without these useful cookies you would have to type your username and password after every request. Let’s take a look at those cookies from another angle. When you visit a website and it drops a cookie in your browser, almost all VPN providers are completely ignorant of what just happened. Unless you forcibly clear the cookies from your browser before you disconnect from your VPN, the next time you visit that website without a VPN they will know that you are the same person who visited earlier that day, even though your IP address was different. While Spotflux can’t detect every bit of tracking code out there, we do actively block many cookie-based tracking techniques for unauthenticated browsing sessions – to date we’ve not seen any other VPN provider even try.
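To make the cookie example concrete, here is an added toy model (not Spotflux code) of a site that links visits by cookie regardless of the source IP, and of how clearing the cookie jar between the VPN session and the direct session breaks that link. All IP addresses and the cookie name are constructed for the example.

```python
# Added example (not Spotflux code): a toy model of how a site links visits by cookie
# no matter what source IP the client shows up from, and how clearing the cookie jar
# between a VPN session and a direct session breaks that link. All IPs are constructed.
from collections import defaultdict
import secrets


class TrackingServer:
    """Minimal web server model: assigns an id cookie on first visit and
    records every source IP later seen with that cookie."""

    def __init__(self):
        self.visits = defaultdict(list)  # visitor id -> list of source IPs

    def handle_request(self, src_ip, cookie_jar):
        vid = cookie_jar.get("uid")
        if vid is None:
            vid = secrets.token_hex(8)   # Set-Cookie: uid=... in a real response
            cookie_jar["uid"] = vid
        self.visits[vid].append(src_ip)
        return vid

    def linked_visitors(self):
        """Visitors the server can place at more than one IP address."""
        return {vid: sorted(set(ips)) for vid, ips in self.visits.items()
                if len(set(ips)) > 1}


def scenario(clear_jar_between_sessions):
    """Browse the same site once through a VPN exit and once directly,
    optionally clearing the browser's cookie jar in between."""
    server = TrackingServer()
    jar = {}                                     # the browser's cookie jar
    server.handle_request("203.0.113.7", jar)    # via VPN exit (constructed IP)
    if clear_jar_between_sessions:
        jar.clear()                              # what the post says you must do
    server.handle_request("198.51.100.42", jar)  # later, direct from home ISP (constructed)
    return server.linked_visitors()


if __name__ == "__main__":
    print("without clearing cookies:", scenario(False))  # one visitor, two IPs
    print("after clearing cookies:  ", scenario(True))   # nothing linkable
```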

Snake Oil Concoction #2 – VPNs Save You Bandwidth

Many VPN providers claim to save the user bandwidth based on the built-in compression algorithms of various VPN protocols such as the commonly used OpenVPN. Unfortunately these claims are largely untested and can be very misleading. In fact, let’s take a look at a standard OpenVPN tunnel with encryption enabled. Such a tunnel adds overhead to every packet transmitted; in this case the per-packet overhead is 69 bytes, broken down as follows:

41 bytes security-layer overhead: packet tag (1), HMAC-SHA1 signature (20), initialization vector (16), sequence number (4)

28 bytes tunneling overhead: IP + UDP header

Given that an idle cell phone can produce more than 11,000 packets per day, the overhead of simply having an OpenVPN tunnel on your phone adds up to an extra 20 megabytes at the end of the month even if you did absolutely nothing with your phone. Now let’s assume you’re a heavy desktop user and produce around 40 million packets per day – this number could quickly scale into the gigabytes!
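As an added worked example (not from the post), the per-packet figures above turned into a small calculator for the two usage levels the post assumes. It also shows what share of each packet on the wire is overhead for a few payload sizes, which is why the small packets an idle phone sends are hit hardest; the 28-byte tunneling figure is split here as the standard IPv4 (20) + UDP (8) header sizes.

```python
# Added example (not from the post): OpenVPN per-packet overhead as broken down above,
# summed over a month, plus the overhead share for different payload sizes.

# Security-layer overhead of the OpenVPN data channel, as quoted in the post.
SECURITY_OVERHEAD = {
    "packet tag": 1,
    "HMAC-SHA1 signature": 20,
    "initialization vector": 16,
    "sequence number": 4,
}
TUNNEL_OVERHEAD = 20 + 8   # outer IPv4 header (20) + UDP header (8) = 28 bytes


def per_packet_overhead():
    """Total bytes added to every tunnelled packet (69 with the post's figures)."""
    return sum(SECURITY_OVERHEAD.values()) + TUNNEL_OVERHEAD


def monthly_overhead_bytes(packets_per_day, days=30):
    """Pure overhead accumulated over a month at a given packet rate."""
    return per_packet_overhead() * packets_per_day * days


def overhead_ratio(payload_bytes):
    """Fraction of bytes on the wire that is tunnel overhead for one packet.
    Keepalives and bare TCP ACKs are dominated by it; full-size packets are not."""
    return per_packet_overhead() / (payload_bytes + per_packet_overhead())


if __name__ == "__main__":
    for label, pkts in (("idle phone", 11_000), ("heavy desktop", 40_000_000)):
        mb = monthly_overhead_bytes(pkts) / 1e6
        print(f"{label}: {mb:,.1f} MB of pure overhead per month")
    for size in (40, 576, 1400):
        print(f"{size}-byte payload: {overhead_ratio(size):.1%} overhead")
```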

To make matters worse, only certain types of traffic actually compress well without adding even more overhead. So if you’re a heavy streaming music / YouTube / video user, this type of compression is only going to increase the bandwidth used.

If you’re in the market for a VPN for the purpose of saving bandwidth, tread lightly, as the numbers may not be in your favor. At spotflux our compression algorithms are independent of the tunneling protocol and are designed to optimize content that can actually benefit from compression. In fact, we run calculations on every item we try to compress and record the total savings for our users to see. These numbers are ACTUAL numbers, not estimates – and they DO add up in your favor!

Snake Oil Concoction #3 – Your VPN Provider is Safe because they don’t keep logs

Anyone who runs a large enough IT infrastructure knows that running that infrastructure with ZERO logs is impossible. Even if only for the simple purpose of diagnosing system or network issues, any half-decent systems administrator will have some sort of monitoring or logging facility to ensure quality of service. The fact of the matter is that ALL VPN providers have to log SOME things; the important thing to figure out is WHAT they are logging and HOW those logs are used.

One thing that people often neglect to even discuss is WHO owns the VPN provider’s equipment and network? This small but very important detail can totally undermine any logging policies that the VPN provider may have. For example, let’s say that a provider leases a server or virtual server from a random hosting company – it’s fairly safe to assume that the hosting company has access to that server as well as all the network traffic coming in and out of it. If the hosting provider is using virtual servers there might even be routine snapshots of servers and their memory without the VPN provider’s or your knowledge! Virtualized containers sold as virtual servers are even worse, as the host operating system run by the third-party hosting provider has direct file system access into the “private VPN server” that you are connected to.

Logging is usually also a business decision for VPN providers, and oftentimes a smart one. Let’s look at it another way: you pay your VPN provider some small fee per month – let’s say $10. Thousands of other people also pay them $10 per month. If a single user does something that could land the VPN provider in muddy waters with law enforcement or get their server banned from their ISP’s network, they will not think twice about canceling a single $10 user account in order to preserve their business. In order to know who the abusive user was, and in order to protect their investment, they’re most likely going to have some sort of logs.

If logging is a major factor for you when choosing a VPN provider, here are some tell-tale signs that will let you know your VPN provider is lying about “keeping no logs”:

1) Your VPN service charges you based on the amount of data you use – at the very least, logs must exist that attach your user ID to the total number of bytes transferred.

2) Your VPN service provider enforces single-session logins – if you can’t log in to your VPN provider more than once at a time with the same account, then rest assured that your provider has a session log.

3) Your VPN service provider is DMCA compliant – forwarding DMCA requests or taking appropriate DMCA actions requires them to know who conducted the infringement. Knowing that requires logs or a monitoring mechanism.

Snake Oil Concoction #4 – Your VPN Provider is “safer” because it doesn’t operate in the USA

The recent NSA wiretapping news has opened everyone’s eyes to the cross-border cyber spying capabilities of large governments, and yet people still oftentimes seek VPN providers with servers in particular countries with the perception that this makes their data less susceptible to interception or seizure. At spotflux we would argue that if that level of anonymity is important to you, you should stop using the internet. It is simply a fallacy to think that any server in any country is immune to government pressures (see MegaUpload). When it comes down to it, having your VPN provider reside in the USA is actually not such a bad thing. For example, the USA is one of a handful of countries that has both a very high-capacity internet infrastructure and does NOT have a logging requirement for VPN providers. There is also a fairly straightforward legal framework by which data is obtained (via subpoenas, search warrants, NSLs, etc.), and many of these data requests allow the VPN provider to give you notice when you are being investigated. While no country is perfect, the combination of a very free and open internet, the world’s best internet infrastructure, and a well-documented legal system makes the US “A ok” in our book – of course we’re biased on this one.

Snake Oil Concoction #5 – Your VPN provides you “Wifi Protection”

A common use case is to use a VPN on public hotspots in order to encrypt traffic and protect yourself from these possibly compromised networks. Unfortunately this is a bit of a funny paradox, as the user has essentially just routed themselves from one shared network to another. In other words, if the VPN server you just connected to is insecure or compromised, you are now just as vulnerable as you were on that public hotspot. Additionally, many legacy protocols such as PPTP that are often used by VPN providers have major security flaws that render the encryption provided by the VPN useless.

If you’re looking for a VPN provider that takes security seriously, take a look at the company’s founders, their staff, and their investors. Are they people with technology or information security backgrounds? Does the company list an operating address, phone number, etc., and can you find its founders on LinkedIn or other social networks? This validation will speak volumes about the team’s ability to operate a legitimate VPN provider, as well as its general openness to its user community.