“Everything popular is wrong”, Oscar Wilde
Definitely, everything popular can be wrong, especially when it comes to security and privacy tools. Why? The answer is simple. Imagine that one billion people use the same app or tool every day to store important secret data: passwords or crypto private keys.
What will happen in this case? All special forces, hackers and corporations would aim to crack it, as the reward is enormous. Moreover, if this tool is marketed as something “invulnerable” and truly “not cooperating with governments”, their motivation would at least double. And it is not surprising: if people believe, at the level of true religion, that something is “truly secure”, they will trust their most important data to this application. And if it were cracked, the hackers would stay silent about the hack. They would let you think that your data is protected while controlling every byte you store.
The Internet is considered an integral part of the basic rights and freedoms of every person on this planet. It allowed us to be connected, and this connection seems to never stop. This led to the creation of one of the largest markets in history. It cannot be ignored by any special force belonging to a government or a corporation. They want to control everything on the web to fulfil their mission of keeping their citizens safe and, frankly, we all remember PRISM, revealed by Snowden. Besides officials, there are a lot of hacker groups who perform cyber operations in this sector for economic, political or religious goals.
So, what do we have? Messaging apps and the Internet connection are the most likely targets to be attacked or backdoored to collect our data, because we're connected to the Web 24/7. For chatting we use messengers; to protect our Internet connection we use VPNs, proxies, SOCKS, and networks like TOR/I2P.
A lot of messaging apps claim they’re secure due to military-grade end-to-end encryption or “disappearing” messages. But no messenger with at least a medium-sized user base is secure, and there is a lot of proof. As for the small ones, we don’t have data, as essentially no one is interested in them. For example, the famous Telegram has a reputation as supposedly one of the safest and most private mass-market messengers. But a brief Google search easily finds at least several reports of serious security flaws, for example [1], [2], [3]. Besides, it is important to remember that the Telegram app is published by a company, Telegram LLC (for iOS). It is registered in a jurisdiction (the US) with gag orders in its legislation, which come down to non-disclosure of cooperation with authorities on the provision of users' personal data. So, if the FBI or another intelligence agency requested your chats, nobody would know about it publicly. The other well-known example is the Signal messenger [4], [5], where the picture is almost the same.
I am an active Telegram user, like millions of other people and blockchain-related persons. However, I keep deep in my mind all the circumstances around privacy in messengers, even in the most trusted ones: there is always a probability of a leak. But, being honest, I don’t have an alternative - the net effect of Telegram or any other popular messaging app is so high that any other messenger with a low user base is useless for everyday communications with a lot of people.
Regarding tools for protecting Internet communications, the situation at first glance looks no better. The Internet is under Big Brother’s eye 24/7, and if you want to remain “private”, you have to cover your tracks. For this and other purposes, more than 1.2 billion people use a VPN monthly, according to GlobalWebIndex. But what service do they really get? Most use a VPN that logs their every step on the net. Yes, they get access to restricted content or establish a “secure connection”, which can protect them against low-level hackers when they use a public Wi-Fi hotspot. Nothing more. There are two reasons for that:
The first reason is simple: if you have a pathway for a herd, it will be controlled. There are a lot of articles about the 14 Eyes countries that discuss the strategy of choosing a VPN with minimal risks. The thesis is the same: all popular countries are “wrong” because they all participate in a governmental program for exchanging the personal data of their citizens.
Speaking about compromised building blocks, I consider both the basic technologies themselves and the software built on them. Even the encryption widely used to protect HTTPS, SSH and VPN traffic is already partially compromised by the NSA, as shown by the documents published by Edward Snowden. There is the well-known Logjam attack on the Diffie-Hellman key exchange, which is widely used to set up traffic encryption in VPN and SSH. In their work, the researchers demonstrated the cracking of only a 512-bit key, a size that is rarely used nowadays. However, they showed that for several hundred million dollars it is possible to build a computer powerful enough to break 1024-bit keys. That would break the “secrecy” and “privacy” of ⅔ of the world's VPNs and ¼ of SSH. What do you think: has the NSA already invested this money or not?
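As an added illustration of the key-size point above (not code from the original article), here is a Python audit of the Diffie-Hellman groups a server can offer, read from text in OpenSSH's moduli(5) file format. The thresholds are taken from the article's 512-bit and 1024-bit figures; the sample entries and the `fake_modulus` helper are constructed for this example.

```python
# Added example: audit DH group sizes in OpenSSH moduli(5) text.
# Thresholds mirror the article's figures and are this example's assumption.
BROKEN_BITS = 512     # size cracked in the Logjam demonstration
AT_RISK_BITS = 1024   # size the article says a very large budget could break

def classify(bits):
    """Map a modulus bit length to a risk label."""
    if bits <= BROKEN_BITS:
        return "broken"
    if bits <= AT_RISK_BITS:
        return "at-risk"
    return "ok"

def audit_moduli(text):
    """Return (line_no, bits, label) per entry; bits are recomputed from
    the hex modulus (7th field) rather than trusted from the size column."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        try:
            if len(fields) != 7:
                raise ValueError("wrong field count")
            bits = int(fields[6], 16).bit_length()
        except ValueError:
            findings.append((line_no, 0, "malformed"))
            continue
        findings.append((line_no, bits, classify(bits)))
    return findings

def fake_modulus(bits):
    """Constructed placeholder of the right length; NOT a real safe prime."""
    return "D" + "0" * (bits // 4 - 2) + "3"

# Constructed sample contents (not taken from any real host).
SAMPLE = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus",
    "20200101000000 2 6 100 511 2 " + fake_modulus(512),
    "20200101000000 2 6 100 1023 2 " + fake_modulus(1024),
    "20200101000000 2 6 100 2047 2 " + fake_modulus(2048),
    "20200101000000 2 6 100 2047 2",  # truncated entry: modulus missing
])

if __name__ == "__main__":
    for line_no, bits, label in audit_moduli(SAMPLE):
        print(f"line {line_no}: {bits}-bit group -> {label}")
```

Pointing `audit_moduli` at the contents of a real moduli file lists which groups fall at or below the sizes discussed above, so they can be removed before the server offers them.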
A recently published report on the CVE-2019-14899 attack revealed that it is possible to infer and hijack VPN-tunneled TCP connections. Using this vulnerability, it is possible to determine that a VPN connection is in use, which virtual IP address the user has been assigned, and whether or not there is an active connection to a given website. Besides this, it allows an attacker to inject data into the TCP stream and conduct a man-in-the-middle attack. It turns out that basic VPN protocols like IPSec aren’t secure. This means that, in this case, the military-grade encryption of your VPN would do nothing to make you safer. The most popular VPN services based on OpenVPN have also been hacked numerous times, for example [6].
So, what do we have? None of the popular options are really private and safe. But in the case of messengers, we have almost no chance of changing the situation. The only option we have is to establish some kind of “geek-to-geek approach”, which will work only with friends who have the same level of craziness about privacy. It will not be convenient for chatting with ordinary people.
With VPNs, we have a completely different situation. The difference is that with messaging apps we depend on the net effect (in a nutshell: the more friends use the app, the more interesting it is for you to use it). But in the case of a VPN, we basically don’t have this problem. It doesn’t matter whether your friends or business associates use your VPN, another VPN or no VPN at all. You can even be its only user and it would still meet all your current demands in using the Internet. Given this fact, we have two principal options to make our net life safer and more private:
The first thing that comes to mind: what about TOR or I2P? They are open-source projects of distributed networks, with good step-obfuscation mechanisms and cryptography. But TOR is a truly mass-market solution, which attracts an extremely high level of attention from special forces all over the world. There are even a lot of rumors that the majority of the network nodes are run by special forces, especially the U.S. ones. Moreover, exit nodes have been found sniffing passing traffic. Besides that, if you try to use TOR as a simple Internet-privacy solution you will be a bit disappointed: a lot of everyday websites such as Netflix, Google, and others will ban you or force you to complete a captcha all the time. This happens because TOR exit nodes are openly visible on the Internet, and if you connect from a TOR exit node you automatically get a red flag. The I2P network is traditionally considered more anonymous than TOR, but you have to pay for it: the speed is really slow. Just check it out. So, these two solutions are workable but complex for everyday use, especially for the average user.
I consider that the following requirements will be enough for open-source solutions to be adopted by the market:
Such a solution has to be open-source, safe and convenient at the same time. In this case, it has a chance of being adopted by millions of real users. And here decentralized VPNs take the floor. Decentralized VPNs are open-source solutions that can prove that they don’t collect logs. Of course, some fraudulent nodes launched by security agencies or hackers can try to collect something, but (1) it will be completely encrypted data and (2) they need to own a significant share of the network's nodes to get a picture. Even for an average-sized network this is not easy, due to the number of nodes they need to launch, coupled with the economic mechanisms implemented in the dVPN logic (mechanisms such as staking are added to make an attack more expensive).
“The concept of VPN will significantly change in 2020”, said Yaroslav Lunev, CEO of Cellframe, the security tools provider company. “I think that VPN will be transformed with time to a security middle layer, which will act as a personal spacesuit for any person, who wants to protect personal data, privacy and maintain security level while surfing on the Internet”.
So, what dVPNs do we have to date? There are only several solutions that are in the testnet or mainnet phases of development: Orchid, KELVPN, Brave, Lethean, Sentinel, and Mysterium. They are all at an early stage of adoption now, so it is hard to predict which will be the best one.
Decentralized VPNs look like a holy grail between vulnerable and non-private mass-market security tools and geek-oriented, marginalized ones. On the one hand, a dVPN is an easy-to-use solution for the end-user; on the other, it is an open-source decentralized network where the majority of nodes (if the network isn’t attacked) don’t collect logs. The other thing that really matters: from what pieces or “building blocks” are these VPNs built? Any good concept can be ruined by poor implementation. If you use a dVPN built from ordinary vulnerable components, your privacy level does not differ significantly from that of an ordinary VPN solution. We selected four main components of any dVPN solution that have the greatest impact on the safety and privacy of the end-user: VPN client, cryptography (TLS), connection protocol and payment processing.
The first issue we found was payments: the majority of dVPNs do not offer really private payments now. Of course, we are not talking about credit cards here or any other forms of fiat payment. But the ERC20 token offered by almost all projects now definitely isn’t a private tool for exchanging value. The core principle of a secure dVPN network is that external observers do not see who pays money as a client and who receives payment for the provision of VPN services as an exit node. Sentinel was the first service to offer some kind of private payments, using a special mixer to improve anonymity. The other example is KELVPN, which offers private payments based on quantum-safe zk-SNARKs. It looks a little bit geeky, but the experience of the end-user isn’t affected: everything happens under the hood. We hope that all dVPN solutions will add private payments as a core part of the user experience in 2020.
The second issue is the VPN client: some projects use OpenVPN, while others have developed their own client solutions. OpenVPN is not the best choice: it is a mass-market solution with a long history of hacks and vulnerabilities. Unfortunately, at least two projects from the list above are based on OpenVPN.
TLS and the cryptography it uses is the next point of our research. Of course, none of the dVPNs use the vulnerable 1024-bit Diffie-Hellman key; they use an improved one. As for looking for something new and far from the mass market for TLS, post-quantum cryptography is the best option. It is significantly safer than the “ordinary” cryptography widely used now in different applications (but it is also significantly larger in size and requires more computational power). As for the connection protocol, it is important to point out that IP tunneling (IPSec), which is used in the majority of the mentioned projects, isn’t secure according to the CVE-2019-14899 report.
At the moment the dVPN industry is in its infancy. Nobody has gained even 1,000 regular users, and that is not surprising. It looks like 2020 will be the breakthrough year for dVPNs, and users will make a choice. The dVPN concept definitely isn’t a holy grail of Internet privacy in itself. But, with a good implementation, it can really be a ray of light in the dark. It is important, though, to stay away from mass-market privacy elements that can safely be replaced with something more reliable. If the majority of users concerned about their privacy migrated to “brand new” dVPNs built on exactly the same principles as their centralized predecessors, the result would be exactly as in the example given at the beginning of the article. A lot of people would use “new VPNs” with a religious feeling about their privacy, while guys from special forces and corporations would check out their activity as before. To be protected from such a situation, we need to check out the stuff we use, keeping in mind that everything popular is wrong when we are talking about Internet security.
Disclaimer: I have a vested interest in Cellframe, taking the Head of Research position in the company. The dVPN project KELVPN is a subsidiary project of Cellframe.
I do not have any vested interest in any of the other mentioned projects. The views and opinions expressed are those of the author and are not investment advice.
[1] https://eprint.iacr.org/2015/1177.pdf
[2] https://www.cryptofails.com/post/70546720222/telegrams-cryptanalysis-contest
[3] https://www.symantec.com/blogs/expert-perspectives/symantec-mobile-threat-defense-attackers-can-manipulate-your-whatsapp-and-telegram-media
[4] https://www.vice.com/en_us/article/bj3pxd/signal-disappearing-messages-not-disappearing
[5] https://conference.hitb.org/hitbsecconf2017ams/materials/D2T1%20-%20Markus%20Vervier%20-%20Hunting%20for%20Vulnerabilities%20in%20Signal.pdf
[6] https://www.bleepingcomputer.com/news/security/hacker-breached-servers-belonging-to-multiple-vpn-providers/