Brief Thoughts on Consumer VPN Software

Recently there has been some discourse about the deceptive advertising practices that consumer-grade VPN providers such as NordVPN, ExpressVPN, and others have been using, often by getting YouTube personalities to shill their products by means of sponsorship. You know what I’m on about, you have seen the ad segments yourself.

This wordpressing isn’t the best put together of my writings, and is just covering stuff in broad strokes. If there is something you want me to cover in more detail, get in touch. Some friends and I might even make some horrendous clickbait-y “hackers react to” video for some of the offending advertisements at some point if people think that would be funny content.

Below I am going to outline the “claims” made in some of these advertisements, along with some thoughts about those claims. It won’t be exhaustive, it won’t cover every single claim, but I will cover a few. I’ll start with the claims I find least problematic, and work from there.

“A VPN will protect you from your ISP snooping on you”: This claim is partially valid. A properly set up VPN will prevent your ISP from seeing what it is you are doing on the internet – however – you are simply moving the potential snooping activity to the VPN provider itself, and their upstream ISPs.

Think for a bit about who you trust more here – your ISP, or some VPN company? You are still going to have to trust someone.

“A VPN allows you to access blocked content/bypass censorship”: This claim, I have no problem with whatsoever. If you ever travel to certain countries that implement wide-scale censorship and surveillance of their internet traffic, for example, China – a VPN is something that will be incredibly useful for accessing denied resources.

It can also be useful in democratic countries that implement some content censorship, for example, countries where torrent sites or Sci-Hub or similar are blocked.

Finally, the most widely applicable use case is simply streaming content on platforms like Netflix that is not available in your region. This is honestly the most valid reason for most normal people to use a VPN product.

“A VPN prevents you from getting sued/fucked by the copyright cops for torrenting!”: Yeah, this one is largely true. In certain countries (Germany, for example) torrenting is an incredibly risky activity, and groups of exploitative shitcunt copyright lawyers actively engage in peer-discovery shenanigans to identify persons torrenting copyrighted materials. They then collude with the ISP to match IP addresses to end users, and send threatening letters demanding large sums of money or else they will bring you to court. Basically, extortion.

If you want to avoid being defrauded by these criminal lawyers, it is probably best that you use a VPN or seedbox system to avoid getting fingered for torrenting. Or crack your loud neighbour’s wireless network (don’t do this).

“A VPN protects you from evil hackers snooping your internet traffic”: No, not really. This is the claim that I have a huge problem with. In the year of our lord 2021, most web traffic is secured with SSL/TLS. Statistics vary, but somewhere around 80%+ of websites people actually visit on a regular basis implement SSL/TLS, which encrypts the content of your web traffic.

This is not to say that the theoretical hacker can’t “get anything” from snooping your traffic. That remaining few percent of unencrypted web traffic can be a wealth of information, and your DNS requests will tell them what sites you are browsing. However, they probably won’t be snarfing any of your passwords.
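To make that concrete, here is an added example (mine, not from the original post) that parses two constructed packets: a plaintext DNS query, from which a passive observer on the same network recovers the site name, and a TLS application-data record, from which they get nothing but the record header. Both byte strings are constructed for the example, not captured from any real network.

```python
import struct

# Constructed sample packets (not captured from a real network).
# A DNS query for example.com: 12-byte header, then QNAME labels, QTYPE A, QCLASS IN.
DNS_QUERY = (b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
             b"\x07example\x03com\x00\x00\x01\x00\x01")
# A TLS 1.2 application-data record: 5-byte header, then 16 bytes of ciphertext.
TLS_RECORD = b"\x17\x03\x03\x00\x10" + bytes.fromhex("9f3a0b7ce1d24486f0aa19b3c7e5d811")


def parse_dns_query_name(message: bytes) -> str:
    """Return the hostname asked for in a DNS query (first question only)."""
    offset = 12  # skip the fixed header: ID, flags, QD/AN/NS/AR counts
    labels = []
    while True:
        length = message[offset]
        offset += 1
        if length == 0:  # zero-length label terminates the name
            break
        labels.append(message[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels)


def describe_tls_record(record: bytes) -> dict:
    """Return what the record header exposes and whether the body is readable text."""
    content_type, version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    return {
        "content_type": content_type,   # 23 = application data
        "version": hex(version),        # 0x303 = TLS 1.2
        "length": length,
        "body_is_readable": all(32 <= b < 127 for b in body),  # printable ASCII?
    }


def snooper_view(dns_query: bytes, tls_record: bytes) -> dict:
    """What a passive observer learns: the site name from DNS, only metadata from TLS."""
    return {"site": parse_dns_query_name(dns_query),
            "tls": describe_tls_record(tls_record)}
```

The same holds for a VPN: the tunnel only moves the point at which DNS and TLS metadata are visible to whoever runs the exit, it does not change what TLS itself already hides.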

Beyond that, the theoretical hacker snooping on your traffic over unencrypted wireless is a fairly remote possibility for most people. It makes for great kino, and I’ve used it in demos more than once (including on television), but how often is there going to be a hacker in your coffee shop or bar? Let alone one interested in sniffing traffic that morning instead of doomscrolling Twitter or swiping on Tinder like everyone else?

The ads, when not proclaiming the evils of open wireless networks, also tend to scaremonger about some all-seeing hacker out there on the internet that can just hoover up your traffic. While this is somewhat plausible (say, they hack your router, or your upstream ISP), this isn’t exactly the biggest fucking concern an end user should have. And the security properties of SSL/TLS still hold, protecting most of their important traffic.

I’d honestly be more worried (in the case of the open wireless) about the wireless access point operator/service provider fucking with my traffic. I’ve come across APs before that log traffic, and some that attempt to inject advertisement scripts into unencrypted web pages. Nasty stuff.

So unless you spend your time in some mythical cafe full of hackers*, a VPN probably isn’t what you are looking for here.

“No Logs Policy/Protect from NSA”: This is plain bullshit. Your VPN provider probably does keep some logs, and absolutely is not willing to go to jail for your $3/month. How else are they meant to check that you are only using the number of devices your plan allows? As for claiming to protect against hostile nation states, well, if the NSA/Mossad/MSS wants access, it’s gonna get access.

“Double Encryption/Malware Blocking/Etc.”: Classifying these as just standard weasel words/snake oil bullshit. Encrypting something twice doesn’t really do much for its security, and stuff like Google Safe Browsing, built into your web browser, blocks a lot of the same dodgy content anyway.

“Won awards from oddly specific and 100% independent best VPN award”: You know you can just buy awards? Or make them up yourself? It’s funny how every single VPN provider somehow has won the best VPN award.

“Stops you from being tracked around the web!”: Not really. Ad tracking is based on far more than IP addresses. What with Carrier Grade NAT becoming disgustingly common on some ISPs, your IP address isn’t a very useful tracking indicator anyway for advertisers. If you want to reduce the amount of tracking, use something like Privacy Badger, uBlock Origin, NoScript, the Brave web browser, etc. A VPN ain’t it.

“Anonymity”: No. A VPN does not grant you anonymity – your account with the VPN provider is tied to your payment details, etc. No VPN provider can guarantee any anonymity. It grants you some privacy, in some circumstances. If you desire anonymity, use Tor.

I think that covers the claims part.

Now on to another brief note before I conclude: the fact that these VPN products are, well, software. Often written on incredibly small budgets, by teams whose core competency is shitting out software and not “writing secure software”.

Anyone who goes looking at the custom VPN clients these companies offer will probably find some weird security problems in them. Or weird features, like the DLL injection tool that shipped with PureVPN.

I’ve found several, most of them not publicly disclosed (vendor NDAs, sadly, I wanted the bug money back then), ranging from trivially exploitable local privilege escalation to remote code execution. By installing this software, you are adding to your attack surface.

All in all, what I wanted to get at here is that VPN products are not some magic bulletproof solution that will protect you from everything, and their marketing is full of shit. However, they do have some valid uses – such as evading geoblocking or content restrictions, etc.

* Hacker conferences, obviously, are an outlier and we won’t count them. Network fuckery is expected at those. Even then, the hype about network fuckery usually exceeds the actual network fuckery by eleven orders of magnitude. See: Every stupid article claiming you need a burner phone/laptop/fingerprints for DEFCON, written by people suffering cases of unwarranted self importance.

